Anyone who has an Internet account knows that an ISP is a subscription service that provides the user with access to the Internet. What most people, including many crooks and policemen, don’t know is that the ISP has a record of everything the customer does on the Internet. This is good news for investigators. The bad news is that these records are digital information that has a very limited existence. In other words, if you are investigating a cybercrime involving the Internet, you had better move fast. How fast depends on the policy of the ISP in question. Large ISPs often keep their data for up to 30 days, but this is not true in all cases. Data storage is a major cost center for ISPs, and some ISPs save money by dumping data very quickly. We once sent a subpoena to an ISP asking for their records and their response was, “Sorry. We only keep our records for 30 minutes.”

Since ISPs prefer to dump data rather than store it, one of the most important weapons in a cybercrime investigator’s arsenal is a letter requesting that the ISP preserve the data until the investigator obtains a subpoena, warrant, or court order requiring the ISP to hand over its records. The preservation letter does not legally require the ISP to hand over its records, but many ISPs will cooperate with a request to preserve data. Once you have the records from the ISP, you’re probably in business. The auction thief had to give out personal information, such as their physical address, to subscribe to the service. Yes, they may use false information and fake credit cards, but that information can also be valuable. Once you have the suspect’s address and name, there’s a chance another agency will be involved in your investigation. Cybercrimes aren’t like in-person physical crimes. The victim is often in a different state than the suspect. This means that you may work in the Chennai Police Department and suddenly have to serve a warrant in Bangalore. Experienced cyber cops say that jurisdictional disputes are rare occurrences during cyber crime cases and other agencies may cooperate in your investigation.

Investigating these computer crimes and collecting appropriate evidence for criminal prosecution can be an extremely difficult and complex issue, as the data is intangible and often ephemeral in nature, especially in a networked environment. Criminals often leave no traces. Sometimes evidence is destroyed by the penetration of viruses. Computer investigations also take a lot of time, as large amounts of data have to be scanned for crime detection and evidentiary purposes. Investigations also involve interaction with victims. Victims may be experts and sometimes even the perpetrators of the crime themselves.

Administrative mechanism

As stated earlier, the problem in investigating computer crime is more technical, economic and structural than legal. The first cyber crime police station was opened in Bangalore to deal with cyber crimes. After Bangalore, Mumbai, Delhi and Hyderabad have also set up cyber police stations to deal with cyber crime. Cyber Crime Investigation Cell (CCIC) of Central Bureau of Investigation (CBI) is also one of the special investigation bodies. Apart from offences punishable under Chapter XI of IT Act 2000, this cell has jurisdiction all over India. It also has the power to investigate other high-tech crimes. CCIC functions under the overall guidance of Special Director, Joint Director, Economic Offences Wing II and immediate supervision of Deputy Inspector General of Special Investigation Cell III. Presently this cell is headed by a Superintendent of Police, three Inspectors and a Sub-Inspector besides other supporting staff.

Anonymity of Cyberspace

Anonymity in cyberspace is a major concern for the global community. With the advent, development and use of information and communication technologies (ICTs), criminal activities have also increased. With regard to cyberspace, identity is easily wrapped in anonymity. Once the identity of the sender of a message is anonymous, cyberspace provides the public with the means to carry out extensive criminal activity with little chance of arrest. On the other hand, anonymity in cyberspace allows whistleblowers and political activists to express views critical of employers and the government, enables entrepreneurs to obtain and share technical information without alerting their competitors, and allows individuals to express their views online without fear of retaliation and public hostility. Anonymity is one of the well-known gifts of cyberspace; it helps in a greater flow of information. But still this freedom is being misused and this is leading to criminal activities in the cyber world. After a long process of investigation, the criminal is traced with his identity on the Internet, which proves to be inauthentic and leaves the authorities clueless. Now the time has come to regulate this freedom in the interest of the society.

Cognizable and Non-Cognizable Cases

Cognizable offences are those cases where the police can arrest without a warrant. All cognizable cases include criminal offences. Murder, robbery, theft, rioting, forgery etc. are some examples of cognizable offences. Non-cognizable offences are those criminal offences which are relatively less serious. Examples of non-cognizable offences include public nuisance, simple hurt, assault, mischief etc. A consistent and firm distinction between cognizable and non-cognizable cases is made, and this will apply mutatis mutandis to computer crime investigations. The punishment prescribed under the IT Act will also ensure the same. This decision will also have an impact on the investigation of cyber crime and the powers of the concerned investigating officer. The police can arrest a person accused of offences under the IT Act punishable with imprisonment of three years or more without a warrant. However, Section 80 of the IT Act is an exception to this. Under Section 80(1), the Dy. SP can arrest any person notwithstanding the above distinction if the offence is committed in a public place.

Technological Development

In the not too distant past, a developing nation was seen as one that lacked access to modern technology. Today, increasing globalisation means that faster communications, market forces and fewer import restrictions can help make new technology available to any useful location. The greatest impact has come from ICTs – computers, mobile telephones and satellite communications – at the core of the modern information society. Wide inequalities in access still exist, both due to economic reasons and deficiencies in physical infrastructure. For example, one of the main reasons for slow internet penetration in Africa is the reliance on slow, expensive and often unreliable copper wire connections rather than high-speed fibre optic cabling. A Foresight project on Cyber Trust and Crime Prevention was completed in the UK in 2004. The project explored the applications and implications of the new generation of ICTs in various sectors and the possibilities and challenges they bring to future crime prevention. These areas included the robustness and dependability of identity and authentication systems, security and information assurance, and privacy and surveillance.

Duty of Active Cooperation

In traditional systems of evidence collection, two instruments are relied upon by the investigating agencies to make investigation and evidence collection effective, viz. duty to surrender seizable items and duty to testify. Duty to surrender is covered under Section 91 of CR PC which obliges a person in possession of document or any such matter to surrender it when the court issues summons or when an investigating officer directs by an order in writing. Further Section 100(1) imposes a duty on persons in charge of the place where investigation is being conducted to provide access to such place and to assist the authorities in every possible manner. Duty to testify is another important instrument of active cooperation. CR PC contains provisions for power of the investigating officer to require attendance of witnesses and their examination. In the United Kingdom too, under the Police and Criminal Evidence Act, 1984, the duty is imposed on the person that the constable can demand any information contained in the computer.

Duty of intermediaries

Intermediaries operating in the real world who facilitate the use of the virtual world have a duty of active cooperation under the CR PC, but this is not enough. Consider a situation in which a telecom company or intermediary does not maintain the type of records for which a search warrant has been issued, and a warrant allowing very broad retrieval would excessively intrude on the privacy of third parties. In practice most cyber café owners do not maintain proper records of their customers, which creates problems during investigations. Moreover, they cannot be asked to produce records. Therefore the law should impose some duty on these intermediaries to maintain records of their customers.

Investigating Cybercrimes

This five-day, hands-on course is designed to prepare investigators to investigate cybercrimes. The course is designed as an introductory course, providing information on the different types of cybercrime, planning and preparing for a cybercrime activity, methods and tools used to investigate cybercrime, as well as managing a computer crime scene. The course uses instructor-led discussion and instruction, and is reinforced through a number of exercises and practical exams. The course concludes with a practical exam scenario in which students must apply the skills learned throughout the week. Investigating cybercrimes is complex. Evidence is often in intangible form. Its collection, appreciation, analysis, and preservation present unique challenges to the investigator. The increased use of networks and the growth of the Internet have added to this complexity. Using the Internet, it is possible for someone sitting in India to steal computer resources in Brazil using a computer located in the United States as a launch pad for their attack. Distributed attacks are also not uncommon. The challenges in such cases are not only technical but also jurisdictional.

Of late, we are facing cybercrimes more and more, as many of us have switched to the fourth mode of communication. The Internet has been separated from the previous modes such as gesture, speech and writing. The Internet has opened up avenues of commerce, trade and communication like never before. It is this network that carries billions of transactions daily. These transactions are usually transactions of money, images, information and videos. Volume of transactions—the huge volume makes the Internet not only an easy tool for exchanging information but also an ideal hub for crimes. Cybercrime being driven by technology keeps evolving continuously and ingeniously, making it difficult for investigators to cope with the changes. Criminals are always one step ahead in the sense that they create or come up with technology to commit a particular crime and then law enforcers counter such techniques or technologies.

Lack of expertise

Expertise is the basis of credibility of a person who is considered to be knowledgeable in a field or subject due to his study, training or experience in the subject matter. The police lack the basic skills required to investigate computer crimes, making it difficult to investigate unless training is provided or experts are appointed for investigation. This problem was also highlighted by the Malimath Committee, which recommended that proper training is necessary for police officers. It also recommended that special cells should be set up to investigate high-tech crimes like cyber crime. Even a separate intelligence network should be established. We do not have experts in our investigation process, so we now have to recruit cyber forensic experts. Law enforcement departments at the state and local levels in the US are hiring computer forensic experts. Regarding experts, author John R. Vacca has mentioned some requirements that they should be able to meet: (1) data seizure; (2) data duplication and preservation; (3) data recovery; (4) document search; (5) media conversion; (6) expert witness services; (7) computer evidence service options; and (8) other miscellaneous services.

Lack of funds and resources

This is a real problem that is seen in every other jurisdiction, even in developed countries. It is a big problem in India too, where policemen are not equipped with proper gadgets and weapons even to deal with routine crimes and criminals; hoping for the same in the field of computer crimes seems like a utopia. Unless adequate funds are available, we cannot get advanced technologies, advanced laboratories, proper gadgets and even training of officers.

Lack of sensitivity

The magnitude of the response of a financial instrument to changes in underlying factors. Financial instruments like stocks and bonds are constantly affected by many factors. Sensitivity takes into account all the factors that affect a given instrument in a negative or positive way, in order to try to know how much a certain factor will affect the value of a particular instrument. These activities are also being encouraged due to the lack of sensitivity of the investigating officers. The police often say, “We have to deal with much more important cases of murder, rape, robbery”. Practically the police do not take up computer crime cases on priority. They either go unclaimed or come with a delay giving the criminals enough time to wipe off the traces of their crime.

Legal framework

The United Nations General Assembly has adopted UNCITRAL’s Model Law on Electronic Commerce by resolution A/RES/51/162 dated 30-07-1997. To give effect to this, the Indian Parliament passed the Information Technology Act 2000 (hereinafter sometimes abbreviated as the IT Act). According to the McConnell International Survey, India is one of the 10 countries out of 52 countries surveyed that have substantially updated their cybercrime laws. The legal framework for investigating computer crime in India is present in the IT Act 2000 as well as the Code of Criminal Procedure, 1973. All the basic principles of our criminal procedural law apply mutatis mutandis to computer crimes.

Local jurisdiction

Jurisdiction is the authority of a court to hear a specific case. For a criminal case to be valid, the court in which the case is being tried must be correct. Criminal jurisdiction is based on certain factors: the place of the crime, the type of case, and the subject matter. The rule of local jurisdiction will also apply in case of investigation of an offence under the IT Act. Chapter XII of the Cr PC provides that a case is to be investigated by the police officer in charge of a police station. In cases of offences under the IT Act, the DY SP having jurisdiction over the police station within the local limits of which the offence or part thereof has been committed shall investigate the case.

Mechanisms for online surveillance

Information technology, and the Internet in particular, have brought about fundamental changes in the way our society functions. Perhaps the most fundamental of these changes is in the ways we communicate; while the ability of computers to store and process data has expanded exponentially, it is, arguably, the rise of instant, global data transfers that has had the most far-reaching impact. E-mail, instant messaging, and peer-to-peer file transfers, combined with the digitization of content, have transformed the way we view the world, our means of accessing information, and the nature of our social networks. Because of the general-purpose nature of computing and telecommunications, some applications of these technologies are inevitably undesirable, illegal, or socially unacceptable. There are crimes that are unique to the Internet, such as hacking or distributed denial-of-service attacks against websites, but in many cases the Internet provides a new medium for more traditional crimes: blackmail, fraud, or the dealing of stolen property such as credit cards.

Surveillance will involve a conflict between privacy and government interest. Surveillance is often considered a violation of cyber privacy, but the recent past shows how cyberspace has failed to regulate itself which in turn invites some control and regulation by the government to monitor criminal activities in cyberspace. Surveillance is a preventive step as it will reduce the chances of cybercrime and also help in detecting crimes as early as possible. Surveillance can reduce low-level organized crime or opportunistic crimes in cyberspace, which actually covers a large portion of cybercrimes. But high-level organized cybercrime cannot be prevented through surveillance, so it has its own limitations.

Online First Information Report

Recently a system of filing FIRs online was introduced in India. This system can prove beneficial in dealing with computer crimes quickly. Online FIRs will immediately bring the matter to the attention of law enforcement agencies and hence will help a lot if spontaneous steps are taken to detect the crime.

Power of Interception

Power of Interception is one of the fundamental powers that the investigating authority should have in case of cybercrimes. The IT Act provides these powers, but not to the investigating authority. In case of interception, the usual requirement of physical presence of the investigator, as in case of search, is impracticable. Search is deployed for static information, while interception applies to data in transit. However, the demarcation between search and interception should be clearly made to avoid confusion.

Power to investigate extra-territorial offences

The IT Act has been given extra-territorial effect, and if an offence is committed under the Act then the person will be liable regardless of nationality or regardless of the territorial limits of India, if the offence involves a computer or computer system or computer network located in India. So now the police has got the power to investigate a crime even if the offence is committed outside without the operation of another country where the investigation is to be conducted.

Preventive action

Cr PC provides powers for preventive action. It broadly applies to cognizable offences. A person can be arrested in a private or public place and prevented from committing a cognizable offence. These provisions also apply to offences under the IT Act and under section 78 a similar action can be taken under the IT Act (i.e. only by the Dy. SP). Section 80 of the IT Act provides for preventive action and provides special powers and any person can be arrested on reasonable suspicion. However, this applies only to public places and will apply irrespective of the fact whether the offence committed in a public place is cognizable or non-cognizable.

Jurisdiction Problems and Lack of International Cooperation – Operations

The Internet has given computer crimes an international flavour and hence the central issue in all cybercrimes is jurisdiction. Criminals often deliberately exploit this lack. The first step for effective investigation is to check if there exists any bilateral or multilateral legal instrument between countries to facilitate evidence collection, often called a Mutual Legal Assistance Treaty (MLAT). Time is saved in case of an MLAT (the European Convention on Cybercrime is a good example) and the absence of such an arrangement leads to delays, which can be fatal to the investigation process. The peculiarities of legal systems further complicate the investigation problem: an act which may be a crime in one jurisdiction may not be a crime in another legal system, or may demand a lesser sentence or vice versa.

There are also administrative problems in conducting investigations on foreign soil, seizing material and collecting evidence. During investigation, remote cross border searches/investigations are also possible, but this may violate sovereignty, property or privacy protection, even without physically crossing the border, so caution is required. In this regard, the European Convention on Cyber Crime provides that no violation shall occur if a system is open to public access, or otherwise the consent of the person who has the legitimate right to disclose the data is obtained. Extradition in the absence of a treaty is a problem, which may hamper the investigation process, as sometimes the accused may provide vital clues or factual information in the case. In the Indian scenario, we do not have such bilateral or multilateral treaties. So far we have not felt the need for it, but such an arrangement is required in future.

Recommendations of the Expert Committee

An Expert Committee was constituted by the Central Government. The committee has recommended that Section 80 of the Information Technology Act, 2000, which gives sweeping powers to investigating officers to search public places and even seize desired material, be deleted as it provides sweeping powers vulnerable to misuse and to protect the privacy of individuals.

Though, the author believes that such power is necessary for conducting search and investigation in respect of every crime, as speed is of the essence in computer crime cases, if such deterrent power is not given keeping in view the nature of computer crime then it would be detrimental to the investigation process and prosecution. Without this power, if the search to be conducted is a non-cognizable offence, then the investigating officer would have to conduct the search, as some of the offences under the IT Act are non-cognizable in nature though they require prompt action. Denial of such power is not a solution, but, the power properly channelized and secured is the need of the hour. Regulation of Investigatory Powers Act (RIPA) in UK was passed in the year 2000, this can be taken as a clue to guide the investigation process in cases of computer crimes.

Recommendations of Malimath Committee

The Malimath Committee on reforms in the criminal justice system gave some recommendations which are very relevant in the context of investigation of computer crimes:

1. Investigation: The Committee recommended that every State Crime Branch should have a special cyber crime squad.

2. Intelligence Network: It further recommended that concrete steps should be taken to institutionalize a criminal intelligence system and the main function of such a body would be to collect, collate and disseminate information about major criminal gangs operating in the country involved in cyber crimes and other organized crimes. It would have a computerized data base, which would be accessible to all state police forces/central agencies.

3. Training of Officers: The Committee overwhelmingly recommended that facilities should be developed to provide training in modern subjects such as forensic accounting and information technology for cyber crime.

Search and Seizure

Over the past decade, personal computers have become an important source of evidence in criminal cases. Computers record and store a remarkable amount of information about what users write, see, hear and do. In an increasing number of cases, searching a suspect’s personal computer is a necessary step in the investigation. The tricky issue for courts—and of interest to scholars—is how the Fourth Amendment should regulate this process. How does the Fourth Amendment govern the steps an investigator takes when obtaining evidence from a personal computer? At the moment, the answer is surprisingly unclear. Lower courts have just begun to consider this question, resulting in a number of tentative and often contradictory opinions, many of whose answers remain unresolved.

The CR PC lays down the procedure for search and seizure under sections 91 to 103. Section 80 under the IT Act empowers the Dy. SP to enter and search any public place and arrest any person on reasonable suspicion without a warrant. The provision further provides that the CR PC shall apply in respect of entry search or arrest under the Act. It was this provision for warrantless search in public places that created a stir during the discussion on the Bill just before it became law. However, the provision was passed without being touched. The purpose of such a clause is clearly to take prompt preventive action, so as to control the misuse of public internet access systems like cyber cafes. This provision is not applicable to search and seizure in private places. It is to be noted that both the powers of investigation and this special power of search are given to a relatively high-ranking police officer, i.e. the Dy. SP or above, and this is done with the acknowledgement that these wide powers must be exercised responsibly. The procedure under Cr PC is inadequate with respect to computer crimes as it should provide for the procedure to be followed for search and seizure, such as seizing the system, making copies of files, etc. This should be specifically laid down due to the ambiguity surrounding computer-related evidence and the volatility of computer files.

Search Warrant

Search warrants may be issued under Section 93 of Cr PC. The warrant may be specific or general, as the case may be. Warrants issued in cases of computer crime investigation may also be opposed on technical grounds. The warrant issued may seek specific information relating to a particular computer crime, however to collect that information from computer equipment, that equipment or a part of it may need to be seized and then detailed expert examination of the entire record and material stored in the storage device which would also include information which is irrelevant but may be sensitive in nature, for example personal in nature relating to reputation, or trade secrets, or records of other economic activities. Its seizure may violate the right to privacy.

The question therefore arises as to how to issue specific warrants relating to the case, or how to counter objections regarding privacy violation. Another problem may arise in case of search without warrant in any public place under section 80 of IT Act, as per our procedural criminal law principles when search is done without warrant, the prosecution should be only of specific search and there should be reasonable ground for belief which should be reduced in writing. In Germany all material obtained as per German provisions relating to surveillance is kept under judicial control and police is allowed access to material which is relevant to them. To address this problem in UK, the government made changes in Criminal Justice Police Act, 2001. This Act gives power to law enforcement agencies to remove material, including material outside the scope of warrant, where it is not reasonably practicable.

Some Common Mistakes that are Fatal in Investigations

The lack of technical knowledge and special forensic skills in the investigating officers leads to many mistakes during these investigations. Some of the common mistakes are described below.

1. Investigators often make the mistake of working with the same computer on which the investigation is going on. Even turning on this computer should be avoided as far as possible as it may contain traps to destroy information in case of an attempt to login with the wrong password.

2. Investigators usually allow the user or owner to access the computer for his help, which may allow them to destroy potential evidence right under the nose of the investigators. To avoid such possibilities, it is necessary to make reserve copies before giving anyone access to the computer under investigation.

3. For the purpose of checking the presence of viruses and program traces in the computer, it is necessary to load the computer from a previously prepared diskette or stand hard disk, not from its operating system; all information carriers, i.e. CDs, DVDs, hard disks and diskettes, should be checked. An expert should perform such work with the help of special software.

4. The extracted material should be handled properly and protected from subsequent mechanical or electromagnetic damage.

5. A record of all procedures applied to computer-based evidence should be made and preserved, to allow an independent third party to check those procedures and obtain the same results.
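Items 2 and 5 above can be combined in practice: hash the seized image, make a reserve copy, confirm the copy matches, and record each step in a log that a third party can re-check. The following is an added example, not part of the original article; the function names, log fields, examiner label and the sample "image" bytes are all constructed for illustration.

```python
import copy
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first log entry


def sha256_file(path, chunk=1024 * 1024):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _digest(entry):
    """Hash every field of a log entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def log_step(log, examiner, action, detail):
    """Append one procedure record, chained to the previous record's hash."""
    entry = {
        "seq": len(log) + 1,
        "utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "detail": detail,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def make_working_copy(original, copy_path, log, examiner):
    """Hash the original, copy it, and refuse to proceed on a mismatch."""
    source_hash = sha256_file(original)
    log_step(log, examiner, "hash_original", {"path": original, "sha256": source_hash})
    shutil.copyfile(original, copy_path)
    copy_hash = sha256_file(copy_path)
    log_step(log, examiner, "create_copy", {"path": copy_path, "sha256": copy_hash})
    if copy_hash != source_hash:
        raise ValueError("working copy does not match original")
    return copy_hash


def verify_log(log):
    """Third-party check: sequence numbers, chain links and entry hashes."""
    prev = GENESIS
    for i, e in enumerate(log, 1):
        if e["seq"] != i or e["prev_hash"] != prev or e["entry_hash"] != _digest(e):
            return False
        prev = e["entry_hash"]
    return True


def reverify_copy(copy_path, log):
    """Third-party check: recompute the copy's hash and compare with the log."""
    recorded = [e["detail"]["sha256"] for e in log
                if e["action"] == "create_copy" and e["detail"]["path"] == copy_path]
    return bool(recorded) and sha256_file(copy_path) == recorded[-1]


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "seized.img")
        working = os.path.join(d, "working_copy.img")
        with open(original, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"CONSTRUCTED SAMPLE IMAGE " * 4096)
        log = []
        make_working_copy(original, working, log, examiner="examiner-01")
        log_step(log, "examiner-01", "grant_access", {"path": working, "to": "owner"})
        results["copy_matches"] = reverify_copy(working, log)
        results["log_intact"] = verify_log(log)
        with open(working, "r+b") as f:  # simulate someone altering the copy
            f.write(b"X")
        results["altered_copy_detected"] = not reverify_copy(working, log)
        results["original_untouched"] = sha256_file(original) == log[0]["detail"]["sha256"]
        edited = copy.deepcopy(log)  # simulate an after-the-fact log edit
        edited[0]["detail"]["sha256"] = "f" * 64
        results["edited_log_detected"] = not verify_log(edited)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash chain only exposes edits if the final entry hash is also recorded somewhere the examiner cannot change, for example in a signed report.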

Special Investigation

As a result of the recommendations of the Police Commission 1902, the Criminal Investigation Department (CID) was created in Madras Presidency on 18 August 1906 with a sanctioned strength of 1 Deputy Inspector General of Police (DIG), 6 Inspectors, 6 Sub-Inspectors, 12 Head Constables and 12 Constables. The purpose of the CID was to deal with inter-district criminals, professional criminals and tribes addicted to crime. In the year 1929, the CID was split into Special Branch CID and Crime Branch CID. The CB CID was placed under the overall charge of the Inspector General of Police and under the direct supervision of the DIG Railways, CID and Eastern Range. An Assistant Inspector General of Police Crime Branch was deputed to assist the DIG. The working strength of the CB CID comprised 1 Superintendent of Police, 4 Inspectors, 4 Sub-Inspectors, 6 Head Constables and 19 Constables. The exception given in section 78 of the IT Act is that investigation of offences under the IT Act can be conducted only by a police officer not below the rank of Dy. SP. However, this exception is limited to investigation only; so far as other aspects are concerned, the authority mentioned under Cr PC will have the power, for example a constable will have the power to arrest or any police officer in charge will have the power to arrest. The Act has removed the difficulty of fixing criminal liability on companies in respect of offences committed under IPC, as a result of which the applicability of Cr PC has been extended to such offences. However, it is pertinent to note that special investigation is sought only in cases of offences committed under IT Act whereas all other computer crimes covered under IPC will invite the normal conservative investigation procedure.
