Cyber Forensic Investigation Report

Submitted By:
Name: Ivneet Singh
ID: TP023861
Intake: UC3F1010IT(ISS)
Module: Data Recovery

Submitted To:
NOR AFIFAH BINTI SABRI
(Lecturer)

Contents
Computer Evidence Analysis Report...............................................................................................5

Case Background....................................................................................................................5
1
 Investigation Outlines:..........................................................................................6

FIRST INFORMATION REPORT...............................................................................7

PROPERTY SEARCH AND SEIZURE FORM...........................................................................10

Request for Service........................................................................................................................12

Chain of Custody Form.................................................................................................................13

Investigation Report..........................................................................................................14

Chain of Custody Form.................................................................................................................16

Investigation Report..........................................................................................................17

Chain of Custody Form.................................................................................................................19

Investigation Report..........................................................................................................20

Cyber Forensic Analysis................................................................................................................23

Evidence device 1:................................................................................................................23

Evidence Device 2:...............................................................................................................35

Evidence device 3:................................................................................................................41

Computer evidence assessment checklist......................................................................................46

Cyber forensic Analysis Report.....................................................................................................47

Computer Evidence Analysis Checklist........................................................................................48

Detailed Case:................................................................................................................................49

Introduction...........................................................................................................................49

Background of the issue........................................................................................................49

Details of the Cyber Forensic carried out by team........................................................................50

Evidence Analysis.................................................................................................................50

COMPLAINT TO ASJUDUCATING OFFICER.........................................................................52

Legal Issues...................................................................................................................................55

Information Theft..................................................................................................................55

2
 Applicable Law...................................................................................................56

COMPUTER EVIDENCE ANALYSIS REPORT

Case Background
An internal investigation would be conducted in Detag Industries, a company that manufactures
fuel cell batteries that is used by thousands of companies worldwide. This investigation is
required because one of their research assistant in the R&D lab, Mr. Robert is suspected of
leaking out confidential information to their major competitors, Rift, Inc. This occur right after
they noticed that their clients are no longer re-ordering these fuel cell batteries, which were once
unique to them and instead, from Rift, Inc.
After a thorough investigation conducted on the reason this is occurring, it has been established
that a CD that contains many confidential information had been taken out from the research and
development laboratory without any authorization. Through the use of the surveillance camera
video, it had shown that this offence had been committed on the 26 th of April 2008 at around
4:45pm by Mr. Robert. Due to this, Mr. Robert is suspected of committing 2 crimes which are,
accessing this confidential information without authorization and also, leaking out that
information.
To proceed with the investigation, a USB flash drive was seized from Robert Saunders. To help
with this investigation, an investigation team consisting of IT security and forensic experts had
been approached. A USB flash drive and laptop was later seized from Robert Saunders
possession for further investigation. Both these were taken into custody by company and were
handed over to the investigation team for analysis. The leader of the investigation team, David
Keen has requested you to analyze the USB flash drive and laptop and provide a report on your
findings.

3
Investigation Outlines:
While investigating the cybercrime cases; need to follow the process outlined below:

1. The filled request of service (RFS) is obtained from the client (Detag). The RFS helps the
team to understand what the client expects from the investigation. In the RFS, the client
describes the crime and request team to investigate it.
2. Then team appoints a lead investigator (Mr David) for the case. The lead investigator
meets the client to discuss the investigative avenues and potential evidence being sought
in the investigation. The lead investigator and the investigation team for each case are
appointed with great care and caution. The technical requirements of the investigation are
primary basis for the selection of the team and the lead investigator.
3. The relevant information, media, documents etc. are then received from the client. The
chain of custody form in respect of each of these items is duly filled in by team of
investigators.
4. The chain of custody form in respect of each device is meticulously updated throughout
the investigation. One copy of the chain of custody form in respect of each device is
handed over to the client at the end of the investigation.
5. Where possible the media (USB and hard drive) is imaged. The original media is returned
to the client and the image is retained for investigation.
6. The images are authenticated using MD5 and /or SHA1 hash function. Detailed cyber
forensic analysis and investigations are carries out in a secure and confidential manner by
skilled professionals.
7. The findings of the analysis and investigation are properly documented and relevant
reports are submitted to the court.

4
 FIRST INFORMATION REPORT

(Under Section 154 Cr.P.C)

1. District : New Delhi P.S: Green Lawns Year:2008 FIR No: 29

Date: 27th April 2008

2. (1) Act Information Technology Act, 2000 Section 66

(2) Act Information Technology Act, 2000 Section 43

3. (a) Occurrence of offence:

Date from: 26th April 2008 Date to: 26th April 2008
Time from: 1400 hours Time to: 1645 hours

(b) Information received at P.S.:

Date: 27th April 2008 Time: 1000 hours

(c) General Diary Reference: Entry No. 29A/D Time: 1000 hours

4. Type of Information: Oral

5. Place of Occurrence:
(a) Direction and distance from Police Station : North /3.0 KM
Beat number: 2284
(b) Address : New Delhi / North Delhi INDIA
(c) In case , outside the limit of this police station , then
Name of Police Station District

5
 6. Compliant / Informant:
(a) Name : Mr. Harrison
(b) Father’s / husband name: Mr. Martin
(c) Date / year of birth : 11 / 09/ 1959
(d) Nationality: INDIAN
(e) Passport No: G560934 Date of Issue: 12/12/1990
Place of Issue: New Delhi
(f) Occupation: IT professional
(g) Address: Brown Road , Green Bihar , New Delhi INDIA

7. Details of known / suspected / unknown accused with full particulars

Name: Mr. Robert Company: DeTag
Sex: Male Occupation: Research Assistant
Age: 35 years

8. Reasons for delay in reporting by the complainant / informant

Not applicable

9. Particulars of properties stolen

Not applicable

10. Total value of property

Not applicable

11. Inquest Report / U.D. case no. , If any

12. First information contents
On 26th April 2008, Mr. Robert was suspected for leaking the private and confidential
information from the DeTag Company. A video surveillance tape was proven as evidence
which states that Mr. Robert was copying the confidential information of the company on
the compact disks. The video was taken on 26th April 2008 at 4:45 PM.

6
 13. Action taken:
Since the above information reveals commission of offence(s) u/s as mentioned at
item No.2:
(1) Registered the case and took up the investigation or
(2) Directed :Mr. Karan Saxena
Rank: Asst. Commissioner of Police No.: IPS2334
(3) Refused investigation due to or
(4) Transferred to police station District on point of jurisdiction.

F.I.R read over to the complainant / informant, admitted to be correctly recorded and copy
given to the complainant / informant, free of cost

R.O.A.C Signature of Officer in charge

Police Station Name: Karan Saxena
Rank: Asst. Commissioner of Police
No. IPS2334
14. Date and time of dispatch to the court : 28th April 2008 , 1000 hours

7
 PROPERTY SEARCH AND SEIZURE FORM

(Search / Production / Recovery u/s 51/102/165 Cr.P.C)

1. District : New Delhi P.S: Green Lawns Year:2008 FIR No: 29

2. Act & sections : Section 66 of the information Technology Act,2000

3. Nature of property seized: Stolen / Unclaimed/ unlawful possession / Involved /

Intestate.

4. Property Seized / recovered:

(a) Date: 28th April 2008
(b) Time: 1100 hours
(c) Place: 14 Alex Street , New Delhi
(d) Description of the place : DeTag Company , New Delhi

5. Person from whom seized / recovered:

Name: Mr Harrison Father’s name: Mr Joe
Sex: Male Age: 42 years
Address: DeTag Company, New Delhi
Professional receiver of stolen property: Yes / No

6. Witness:

(1) Name: Savita Kulkerni

Father’s / husband name: Gokul Kulkerni
Age: 43 years Occupation: IT professional
Address: 123, LIM SIM , New Delhi

8
 (2) Name: Abhijeet Nayaran
Father’s / husband name: Venkat Narayan
Age: 35 years Occupation: IT professional
Address: 270, Green Avenue road, New Delhi

7. Action taken/ recommended for disposal of perishable property

Not Applicable

8. Action taken / recommended for keeping of valuable property

Deposited with computer storage room at New Delhi District Court

9. Identification required : Yes / No

10. Details of property seized / recovered

(1) Toshiba Laptop Model no – A48756876 having serial number 95535353BF
(2) Kingston USB Flash Drive Model No - M9724ZP/A having serial number
MHY2250BH
(3) Video Tape Model No - TDK E249 NHS having serial number 223-442-2060

11. Circumstances / grounds for seizure

The above laptop, USB flashes drive and video tape is suspected to have been plan and
commit offence by the accused in Case no.29 registered with Green Lawns Police
Station.

12. The above mentioned properties were seized in accordance with the provisions of law in
the presence of the above said witnesses /* and a copy of the seizure from was given to
the person / the occupant of the place from whom seized.

9
 13. The properties mentioned above were packed and / or sealed and the
signature of the above said witnesses obtained thereon or on the body of the
property.

REQUEST FOR SERVICE

RFS No. Date:

IN-PNQ/03-08/084 28th April 2008
Client name and address
DeTag Company , New Delhi, INDIA
Client’s authorised representative

Name Email Phone Fax

Mr Harrison [email protected] 9812288990 011-604690
Background of the case
On 26th April the Detag company found the suspect Mr Robert working as assistant
researcher in research and development department for leaking out the DeTag Company
confidential information to their competitors. From the video surveillance tape they found
that Mr Robert copied the confidential information from the company laptop onto the
compact disk.
Details of the media
(1) Toshiba Laptop Model no – A48756876 having serial number 95535353BF
(2) Kingston USB Flash Drive Model No - M9724ZP/A having serial number
MHY2250BH
(3) Video Tape Model No - TDK E249 NHS having serial number 223-442-2060

Have the computer(s), media etc. mentioned above been accessed / examined prior to
being handed over to the team? If yes give details.
The Laptop, USB flash drive and Video Tape has been seized from the suspect. Thereafter
there has been no access / examination of the media listed above.
Services requested from team
Analyse the seized hard disk from the laptop, Kingston flash drive and video surveillance
tape to recover evidence related to undisclosed information.

For internal use only (Please leave blank)

Case received on : Case received by : Referred by:

28th April 2008 Mr David Mr Harrison

Tax Porn Financial Cyber Priority 1 2 3 4 5 6 7 8 9 10

10
 Chain of Custody Form

Lead Investigator:
Mr David

Case number Evidence number

IN-PNQ/03-08/084 HDD-01

Date and time of confiscation / recovery:

28th April 2008 [1425 hours]

Person from whom confiscated / recovered:

Mr Robert

Place of confiscation / recovery

DeTag Company , New Delhi , INDIA

Details of prior access / investigation:

NIL

Description of media: TOSHIBA LAPTOP HARD DISK

Model no: M9724ZP/A Capacity:160 GB
Manufacturer: TOSHIBA Jumper: Master
Serial no: 95535353BF Interface: IDE
Dimensions: 10cm * 14.5 cm *2.5 cm LBA Add. Sec.: 78,242,976
Unusual marks, if any:
None

Chain of custody
Date and Time Released by Released to Purpose of change of custody
29th April 2008 Mr David Mr Thomas Creation of Image
1005 hours Computation of hash value
29th April 2008 Mr Thomas Mr David For returning to client
1245 hours
29th April 2008 Mr David Mr Harrison Returned to Client
1430 hours

11
 Investigation Report

The MD5 Hash Value of the HDD-01 [Case: IN-PNQ/03-08/084] as computed by using winhex
14.4 SR2 software (hereafter referred to Winhex) licenced to the investigation team is:

MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE

Computing MD5 (128 Bit) HASH VALUE

Computing SHA-1 (160 Bit) HASH VALUE

SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E

12
The image of evidence number HDD-01 was created by Mr David using winhex. The images
were named as USB-01. The MD5 Hash and SHA1 Hash Value of the image as computed using
Winhex is:
MD5 HASH (128 Bit) = 1F4E08B0FAECC667EC2DC500BD118AEE
SHA-1 HASH (160 Bit) = DE4C8CD227F6A0B4A1E1D08DF95034381F15388E

Chain of Custody Form

Lead Investigator:
Mr David

13
 Case number Evidence number
IN-PNQ/03-08/084 USB-01

Date and time of confiscation / recovery:

28th April 2008 [1425 hours]

Person from whom confiscated / recovered:

Mr Robert

Place of confiscation / recovery

DeTag Company , New Delhi , INDIA

Details of prior access / investigation:

NIL

Description of media: USB Flash Drive

Model no: A4875687 Capacity:512 MB
Manufacturer: Kingston Jumper: N/A
Serial no: MHY2250BH Interface: N/A
Dimensions: 36.4 x 25.6 x 5.7mm LBA Add. Sec.: N/A
Unusual marks, if any:
Without cover; some scratches on the top and covered with cello tape from the edges.

Chain of custody
Date and Time Released by Released to Purpose of change of custody
29th April 2008 Mr David Mr Thomas Creation of Image
1500 hours Computation of hash value
29th April 2008 Mr Thomas Mr David For returning to client
1745 hours
29th April 2008 Mr David Mr Harrison Returned to Client
1930 hours

Investigation Report

The MD5 Hash Value of the USB-01 [Case: IN-PNQ/03-08/084] as computed by using winhex
14.4 SR2 software (hereafter referred to Winhex) licenced to the investigation team is:

MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4

14
 Computing MD5 (128 Bit) HASH VALUE

Computing SHA-1 (160 Bit) HASH VALUE

SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B

15
The image of evidence number USB-01 was created by Mr David using winhex. The images
were named as USB-01. The MD5 Hash and SHA1 Hash Value of the image as computed using
Winhex is:

MD5 HASH (128 Bit) = 2A0A9A93069AC2A8A5C6EF4BCB615BA4

SHA-1 HASH (160 Bit) = 3D1598FD832247EFCD58DE76E943DF190E46E10B

Chain of Custody Form

Lead Investigator:
Mr David

Case number Evidence number

IN-PNQ/03-08/084 VHS-01

16
 Date and time of confiscation / recovery:
th
28 April 2008 [1425 hours]

Person from whom confiscated / recovered:

Mr Harrison (Detag executive)

Place of confiscation / recovery

DeTag Company , New Delhi , INDIA

Details of prior access / investigation:

NIL

Description of media: Video Tape

Model no: TDK E249 NHS Capacity: 24 hours
Manufacturer: RTI Jumper: N/A
Serial no: 223-442-2060 Interface: N/A
Dimensions: 7 3/8 x 4 1/16 x 1 LBA Add. Sec.: N/A
Unusual marks, if any:
Without cover; some scratches on the top and covered with cello tape from the edges.

Chain of custody
Date and Time Released by Released to Purpose of change of custody
29th April 2008 Mr David Mr Thomas Creation of Image
1500 hours Computation of hash value
29th April 2008 Mr Thomas Mr David For returning to client
1745 hours
29th April 2008 Mr David Mr Harrison Returned to Client
1930 hours

Investigation Report
The MD5 Hash Value of the USB-01 [Case: IN-PNQ/03-08/084] as computed by using winhex
14.4 SR2 software (hereafter referred to Winhex) licenced to the investigation team is:

MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC

17
Computing SHA-1 (160 Bit) HASH VALUE

18
SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88

The
image
of

19
 evidence number USB-01 was created by Mr David using winhex. The images were
named as USB-01. The MD5 Hash and SHA1 Hash Value of the image as computed
using
Winhex is:

MD5 HASH (128 Bit) = 83A16902A0D4F9C98A62E7C3B6F1B0BC

SHA-1 HASH (160 Bit) = FB404B61CFFD01254C47B7676FCE24320F396F88

20
 CYBER FORENSIC ANALYSIS

Objective
To determine if the laptop and USB flash drive contain any evidence to show Mr. Robert was
involved in the crime affecting Detag Company.

Evidence device 1: Toshiba Laptop Model no – A48756876 (Hard Drive)

Evidence Device 2: Kingston USB flash drive 512 MB Model no- M9724ZP/A
Evidence device 3: Video surveillance tape – TDK E249 VHS

Evidence device 1: Toshiba Laptop Hard drive

I then began analysis of the said file name HDD-01.
(1) We opened the image file using winhex using the “specialist > Interpret Image File
Disk” Option (Illustrated Below)

21
 (2) We then viewed the contents of the image file in the directory browser of
Winhex (Illustrated below)

(3) On previewing the data of the image I found that there are many files and folders which
contain the company confidential information. Some of these files and folders were
recovered by me using Winhex.

Contents of Local Disk (C)

Local Disk (C) \Windows\Desktop

Local Disk (C) \Windows\System 32

22
Local Disk (C) \Windows\Internet Logs

23
Contents of Local Disk (D)

24
 Local Disk (D) \DeTag

(4) The detailed analysis for the hard drive is being conducted from which the files were
recovered.

(5) The total number of 59 files recovered contained confidential information regarding
Detag Company.

(6) 11 roots folders were recovered from the image which contained many sub folders for
windows system files.

(7) Further investigation was taken and I found the 7 PDF files for E-tickets and travelling
information of Mr Robert on the desktop which he might be planning to move out of the
country very soon.

(8) Total files and folders recovered from the image mentioned below:

 18 .PDF files
 11 root folders
 22 .Txt files
 4 sub folders

25
  12 .docx files
 7 xls files

(9) Four document files were password protected which was recovered using licenced
forensic software.

Details of the files recovered from Mr Robert Laptop Hard Drive

Files recovered from local drive (C)

Analysing files recovered from desktop:

The files recovered from desktop shows that Mr.Robert was planning to move to Malaysia very
soon. From the files recovered we found some E-tickets booked by Mr.Robert to Malaysia. Some
of the tour and travellers information was also available in these files

Analysing the URL History

26
 Monday, March 24, 2008
Star-Jobs Online: We’ve shifted to MyStarJob.com

Jobs in Malaysia | careerjet.com.my

Best Jobs Malaysia :: Malaysian job search, job bank, employment and recruitment

JobsMalaysia.gov.my - Gerbang Kerjaya Interaktif Anda

Jobs in Malaysia, Selangor Jobs & Kuala Lumpur Jobs - JobsDB Malaysia

Jobs in Malaysia, Malaysia jobs | Kerja & jawatan kosong - JobStreet.com

jobs in malaysia - Google Search

Malaysia Airline (MAS) Online Booking Tickets

Malaysia airline tickets - Reservation, booking , best prices, system and comparison of airline
systems

Cheap Flights, Airline Tickets, Cheap Plane Tickets, Cheap Airfare – CheapOair

Malaysia Airlines

airticket booking - Google Search

airticket booking in malaysia - Google Search

Malaysia Hotels - Online hotel reservations for Hotels in Malaysia

Booking.com: Hotels in Malaysia. Book your hotel now!

hotel booking in malaysia - Google Search

How to rebuild a Li-Ion battery pack

Cell Phone Batteries

damage battery cells - Google Search

Google RIFT - Home - Dynamic Fantasy MMORPG

rift - Google Search

detag - Google Search

27
 DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )
DE TAG INDUSTRY SDN BHD - Electronic Article Surveillance ( EAS )

indian immigrants - Google Search

Bureau of Immigration

Battery Cells

Battery (electricity) - Wikipedia, the free encyclopedia

battery cells - Google Search

Gmail: Email from Google

Yahoo! Mail: The best web-based email!

MATTA Portal

MALAYSIA CENTRAL: Travel & Tours Agents, Tour Operators, Holidays, Sightseeing &
Reservation

From the URL history of Mr.Robert laptop highlighted above shows that he was planning to
move out of the country to Malaysia to work over there as some of the links also shows that
Mr.Robert was applying for jobs in Malaysia. From one of the links Mr.Robert also searched for
their rival company RIFT.

Analysing Internet Cookies

28
 From the internet cookies we found that Mr.Robert had been looking forward toward
the RIFT Company. This may be possible that Mr.Robert might be contacting
someone from the company to sell the Detag Company private and confidential information.

Analysing the files recovered from local drive (D)

29
The files and folder illustrated above are recovered from the local drive (D) from Mr.Robert
laptop hard drive which contains files mentioned below:

No. Name Type

1. 22 Battery .pdf
2. Agentlic .pdf
3. Battery .pdf
4. it_security_policy .pdf
5. Lead_Acid_Battery .pdf
6. Microsoft Word - IT SecAuditStd .pdf
_ITRM SEC502-00_ amend 2008 02 21
7. MSDS-Battery-Wet-Acid .pdf
8. sme_loans business plan .pdf
9. software_license_101 .pdf
10. Topic 2 - Battery Cell Balancing - What .pdf
to Balance and How
11. V79 Cell Battery .pdf
12. 41602903 .xls
13. QuoteRequestForm .xls
14. SealedLeadAcidCrossRef .xls
15. Solar-Panel-Battery-Sizing .xls
16. A guide to Lead Acid batteries .doc
17. Battery_guide .doc
18. fanancial analysis of honda atlas .doc
19. HSA_Tax_Reporting_for_2008 .doc
20. kamapril2005_235 .doc

30
 21. NICADS .doc
22. Nor_ok_nat .doc
23. PAYEinfo .doc
24. Profile .doc
25. pub_249 .doc
26. SQB0022APC_33A_65AR_80BC_125 .doc
BMP

The files mentioned in the table above contained much confidential information about the
company and per company executives this information was not accessed to Mr.Robert.
So now Mr.Robert had unauthorized access to the company’s private and confidential
data.

Analysing the files found Local Drive (D)/Detag

The files illustrated above were found in the Detag folder in local drive (D). The
properties of the Detag folder were marked as hidden. So we recovered the hidden folder
and changed the permissions and properties of this folder. On analysing these files we
found that these files were password protected. So using the licensed forensic tools we
were able to recover the passwords and gain access to the information in the files.

Customer_details.xls

31
Detag_cli.docx

Financial _review.xls

32
 Ordersheet.xls

Details of files

No. Name Type Password

1. Customer_ details .xls accessedin
2. Financial_ review .xls accessedin
3. ordersheet .xls accessedin
4. Detag_cli .doc accessedin

Evidence Device 2: Kingston USB flash drive 512 MB Model no- M9724ZP/A

33
 We then began analysis of the said file name USB-01.
(1) We opened the image file using winhex using the “specialist > Interpret
Image File Disk” Option (Illustrated Below)

(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
(2)
We then viewed the contents of the image file in the directory browser of Winhex (Illustrated
below)

(3) On analysing the image I found that there are many files and folders deleted. These files
and folders were recovered by me using Winhex.

34
(4) The .Trash – root folder contains 38 files and 3 folders.

(5) Deleted files and folders were recovered from the USB.

(6) The folder Detag, Comp_Prof also contains 25 scanned documents regarding Detag
company information.

Detag Folder Files Recovered

35
Details of the files recovered from Detag folder from Mr Robert USB

No. Name Type

1. Images .jpg
2. it-infrastructure-security-policy .png
3. lee2 (1) .gif
4. lee2 .gif
5. Legaldemand .png
6. Letter .gif
7. Mold .jpg
8. ocr-2 .jpg
9. Paper_Journal_Entry_001 .jpg
10. Pdfconverted .png
11. policy-papers_oehrlein_2-2010 .jpg
12. Schillings-threat-letter1(crop) .gif
13. Sidebar .jpg
14. ura21apr08-02 .gif

Comp_Prof folder files recovered

36
 Details of the files recovered from Comp_Prof folder from Mr Robert USB

No. Name Type

1. 09_12_sb .jpg
2. 546c0a5e2e5fab4b59c8d0ca107d3640 .jpg
3. 5271 .png
4. 618633 .png
5. 18578442 .png
6. Butler .gif
7. china-trademark-infringement- .gif
lawsuit-213x300
8. clarkeletter2-1 .jpg
9. Fedex .gif
10. images (1) .jpg
11. images (2) .jpg

Battery_cell folder
This folder does not contain any file or image.

Details of other files recovered from Mr Robert USB

37
 Details of the other files recovered from Mr Robert USB

No. Name Type

1. battery cell .gif
2. battery_cell_diagram (1) .jpg
3. battery_cell_diagram (2) .jpg
4. battery_cell_view .jpg
5. c74dd42838fb339040f26117f582a269.image.750 .jpg
x497
6. def52a726f340a528e58602fa43d60ab .jpg
7. detagBanner .png
8. lithf2 .gif
9. New Text Document .txt
10. Nicad .gif
11. powerex_d_cell_rechargeable_battery_350 .jpg
12. Rifts-trademark .jpg

The analysis of the USB flash drive results in the recovery of 38 files of evidentiary /
investigative value. These included:
1. Total 25 scanned images of the documents (such as legal papers of the company,
upcoming research details of the company, new product launch) pertaining to the
company most confidential data.
2. 3 folders which contained details of budget of the company financial details.
3. 11 Images that contained formulas and designs of battery cells from which some traces of
Rift Company was also included like their logo (Image number 12 illustrated in table
above).
4. 1 text file which states the email [email protected] , may be this email belongs to rift
company employees.

38
 The files mentioned above have been copied onto 3 CD ROMs. One CD ROM has
been achieved by the team. Two CD ROMs have been handed over to the client with final report.

Evidence device 3: Video surveillance tape – TDK E249 VHS

I then began analysis of the said file name VHS-01.
(1) I opened the image file using winhex using the “specialist > Interpret Image File Disk”
Option (Illustrated Below)

39
40
 (2) I then viewed the contents of the image file in the directory browser of
Winhex.

(3) On analysing the video I found that Mr Robert was stealing the information from the
research and development department from the supervisor head office. (Images
Illustrated below).

Image 1:

Image 2:

41
 Image 3:

Image 4:

Image 5:

42
 Image 6:

Image 7:

43
 Image 8:

The analysis of the video results in evidentiary / investigative value. These included:
The video states that Mr. Robert was stealing the Detag Company information from the research
and development department.
The video and files mentioned above have been copied onto 3 CD ROMs. One CD ROM has
been achieved by the team. Two CD ROMs have been handed over to the client with final report.

44
 COMPUTER EVIDENCE ASSESSMENT CHECKLIST

Activity Date
The “RFS” was obtained from the client Yes
28th April 2008
Details of the case were obtained from the client Yes
28th April 2008
The cybercrime investigator met with the client and discussed the Yes
investigative avenues and potential evidence being sought in the 28th April 2008
investigation

Computer and other devices were received from the client Yes
28th April 2008
The evidence was marked and photographed Yes
28th April 2008
Chain of custody was properly documented Yes
28th April 2008
BIOS information documented Yes
28th April 2008
Image file created and mathematically authenticated Yes
28th April 2008

CYBER FORENSIC ANALYSIS REPORT

Report of cyber forensic analysis of hard disk from Toshiba laptop described as under
Model No: K5UFHYG
Capacity: 160GB

45
 Serial No: 45V7GQW34545Q

Report of cyber forensic analysis of USB flash drive described as under

Model No: M9724ZP/A
Capacity: 512 MB
Serial No: MHY2250BH

Report of cyber forensic analysis of USB flash drive described as under

Model No: TDK E249 NHS
Capacity: 300 MB
Serial No: 223-442-2060
This contains the image of the above mentioned files.
Report no.: DeTag / 052008/02 DT. 1st May, 2008

COMPUTER EVIDENCE ANALYSIS CHECKLIST

Activity Date
The forensic machine was prepared with operating system and forensic Yes
st
and investigation software programs. 1 May, 2008

46
 The image files from the evidence devices were copied onto Yes
st
the forensic machine and examined 1 May, 2008

Deleted files were recovered Yes

1st May, 2008
File data was recorded Yes
1st May, 2008
Keyword text searches were conducted and hits were reviewed. Yes
1st May, 2008
Graphics files were opened and viewed Yes
1st May, 2008
Passwords for password protected files were recovered Yes
1st May, 2008
Encryption keys were recovered Yes
1st May, 2008
Unallocated and slack space was searched Yes
st
1 May, 2008
Relevant files (of evidentiary / investigative value) were copied onto a Yes
st
CD ROM 1 May, 2008

DETAILED CASE:

Introduction
On 26th April 2008, Mr. Harrison of DeTag Company requested Mr. David lead investigator of
the team to conduct a detailed investigation of the media (previously retrieved by the team) and
the image of the computer hard disk of Mr. Robert laptop.
Mr. Harrison has declared that he is the person legally entitled to hand over the said laptop,
surveillance tape and USB flash disk. The said laptop and video tape is owned by DeTag
Company a company registered under the company Act, 1956 and having office at DeTag Ltd.
Park Street INIDA. The said company authorized Mr. Harrison to hand over the said laptop,
surveillance tape and USB flash drive to investigation team for the said cyber forensic analysis.

47
 Background of the issue
Note: The information below forming the background of the issue is as provided by Mr.
Harrison. The said information has not been verified or cross checked by the investigators or
DeTag company employees.
According to Mr. Harrison
1. The company Detag came to know that many of their clients are no longer re-ordering
from them.
2. The company Detag thinks that may be some confidential information is being leaked out
of the company to their competitors.
3. So, internal investigation was conducted to find the suspect.
4. The DeTag Company suspects the unauthorized access to their confidential information.
5. Authorized officials of DeTag suspects that the said unauthorized access and information
theft was carried out by Mr. Robert.
6. Mr. Robert is being working in the research department as an assistant.
7. Authorized officials of Detag therefore requested investigations team to conduct a cyber-
forensic analysis of the above mentioned laptop, video tape and USB flash drive and any
other relevant information obtained from the hard disk.
DETAILS OF THE CYBER FORENSIC CARRIED OUT BY TEAM

The entire cyber forensic analysis was carried out by Mr. David investigation team. The laptop
and other devices and relevant software used for the cyber forensic analysis are regularly used to
store and process information. Throughout the material part of the said cyber forensic analysis,
the said laptop, USB flash drive and video tape was operating properly. The objective of the
investigation was to analyze the devices and find the relevant evidence. The analysis of the
laptop computer and USB flash drive and Hard disk results in the recovery of 97 files of
evidentiary / investigative value. These included: files of the documents (such as legal papers of
the company, upcoming research details of the company, new product launch) pertaining to the
company most confidential data. 4 password protected Microsoft excel files which contained
details of budget of the company financial details. 18PDF files containing airline E-tickets.

48
 These tickets had been booked online using Mr. Robert which shows that he is
planning to move out for country very soon containing the airline tickets.

Evidence Analysis
Based on the results above, it is proven that Mr. Robert Saunders has been viewing these
confidential files without authorization. This is proven when some confidential files were found
in his laptop hard drive where it is believed that to view those files later, also, he had transferred
the files into his thumb drive. There were some E-tickets on the desktop which shows that Mr.
Robert was planning to move out of the country very soon. Mr. Robert Saunders is therefore
guilty for viewing these files without authorization. Mr. Robert Saunders is also found guilty for
committing another crime which is, transferring these confidential files out to unauthorized
people. As confidential files have been found in his USB flash drive and also, some files were
retrieved back, it is proven that Mr. Robert Saunders had used this USB Flash Drive to transfer
these files out from his laptop to unwanted sources.

By obtaining the information on Mr. Robert Saunders’s time of logging in to Laptop, the
investigator is also able to find him guilty of committing this crime. This is so because, as
mentioned earlier, a CD was brought out of the R&D laboratory on the 26 th of April at about
4:45pm based on video evidence of Mr. Robert Saunders’s records. It is believed that he had
committed the crime of taking out the CD which contains confidential information during this
period. Besides that, it has also been proven that he did leaked these files out using his thumb
drive and also viewing these files without authorization using his laptop as seen from the date
and time the files were accessed. Some of the recovered files also show that Mr. Robert is being
communicating with some one of the employee named “Hennry” working in Rift Company. This
information was gathered from the evidence found in the USB which states email address
[email protected].

49
 COMPLAINT TO ASJUDUCATING OFFICER

UNDER INFORMATION TECHNOLOGY ACT - 2000

1.
Name of the complainant Mr. Harrison (Detag Company)

E-mail address [email protected]

Telephone No. 98122356788

Address for correspondence New Delhi , Green Bihar , INDIA

Digital Signature Certificates N.A

If any

2.
Name of the respondent Mr. Robert

50
 E-mail address [email protected]

Telephone No. 9814207338

Address for correspondence Green Avenue , New Delhi , INDIA

Digital Signature Certificates N.A

If any

3.
Damages claimed: Rs. 10,00,000/-

Fee deposited Rs 13000/-

4.
Complaint under Section 66 and 43 of IT Act
Section / Rule / Direction / Order etc.
Time of Contravention 4:45 PM 26th April 2008

5.
Place of Contravention: New Delhi

6.
Cause of action: The complainant alleges that the respondent
has conducted unauthorized access to company
confidential data and leaking out the
information to their rivals.

7.
Brief facts of the case: 1. The complainant is an IT professional
working as team member in board of

51
 directors of DeTag.
2. The respondent is also an IT
professional working in DeTag
company in research and development
department as research assistant.
3. On 26th April while internal
investigation in the company was going
they found that Mr. Robert stole the
companies’ private and confidential
material by copying it on CD-ROM.
4. From the video surveillance tape found
that 4:45PM on 26th April Mr. Robert
was copying the information on the
CD.
5. Then the company head decided to log
an official complaint against Mr.
Robert and also seized the laptop and
USB which was provided by company
to Mr. Robert.
6. Now further investigation was carried
out by the cyber crime department.

52
 LEGAL ISSUES

Information Theft
Acts penalized Publishing or transmitting the obscene
electronic material or confidential material
Causing damage to obscene and confidential
material
Dishonestly sending or receiving any stolen
computer resources or communication device
knowing or having reason to believe the same
to be stolen.
Punishment Imprisonment upto 3 years and / or fine upto
Rs 1,00,000/-
Punishment for attempt Imprisonment upto 18 months and / or fine
upto Rs 1,00,000/-
Punishment for abetment Imprisonment upto 3 years and / or fine upto
Rs 1,00,000/-
Whether cognizable? Yes
Whether bail able? Yes
Whether compoundable? Yes
However it shall not be compound if the crime
affects the socio economic conditions of the
country or has been committed against a child
below the age of 18 years or against a woman.
Investigation authorities Police officer not below the rank of inspector
Controller
Officer authorized by controller under section
28 of Information Technology Act
Relevant court Magistrate of the first class
First appeal lies to Court of session

Applicable Law
Mr. Robert obtains the information using hacking or social engineering. Then uses information
for benefit of own business.
Usual motives: Illegal financial gain
Before 27 October , 2009 After 27 October , 2009
Sections 43 & 66 information Technology Act Section 43,66 & 66B of the information
and section 426 of Indian Penal Code Technology Act and section 426 of Indian
Penal Code

53
 Applicable Law
Mr. Robert obtains the information by hacking or social engineering and threatens to
make information public unless victim pays him some money.
Usual Motives: Illegal financial gain
Before 27 October , 2009 After 27 October , 2009
Sections 43 & 66 information Technology Act Section 43,66 & 66B of the information
and section 384 of Indian Penal Code Technology Act and section 384 of Indian
Penal Code

Applicable Law
A disgruntled employee (Mr. Robert) steals the information and passes it to the victim’s rival and
also posts it to numerous websites and newsgroup.
Usual Motives: Revenge.
Before 27 October , 2009 After 27 October , 2009
Sections 43 & 66 information Technology Act Section 43,66 & 66B of the information
and section 427 of Indian Penal Code Technology Act and section 427 of Indian
Penal Code

54