Alok Gupta

• Experience: 25+ years in the Information and Communications Technology (ICT) industry
• Serial Entrepreneur, Founder & Managing Director, Pyramid Cyber Security & Forensic, a boutique Digital Forensic and specialised Information Security solution and services provider
• Past member of the National Committee on
Information Technology for Confederation of Indian
Industries (CII)
• Advised several Enterprises and Government agencies on leveraging ICT and Information Security to compete and grow in the global economy.
• Member of IMS Law advisory committee
• Founding member DSCI Cyber Forensic Forum
• Writes Columns, frequently quoted in IT, Security & Forensic media, regularly speaks at several events, workshops, seminars and forums in India and Internationally
Disclaimer!
• Everything I state here is
my opinion and is based on
my research and
experiences
• I am sure that some of you
will already know most of it
so do not get angry!

Pyramid Cyber Security & Forensic


FIVE TRENDS

Session Outcome

Take away from this Session
By the end of this session you will be able to:
• Learn about the various digital frauds, threats &
cybercrimes affecting us.
• Understand the role of digital investigation & forensics in
prevention, detection and reporting of digital frauds,
breaches, threats and crimes.
• Understand usage of digital forensic tools and
techniques in fraud prevention, continuous monitoring
and forensic investigations
• Learn how to investigate using Digital Forensics
techniques
• And the rest I will leave to your imagination...
Frauds

Fraud
“Sad as it may seem, fraud will always take place wherever there is an opportunity. The feeding frenzy of fraud will not abate unless fraud prevention is embraced and instituted at all levels of a company, especially in the executive suite.”
As stated by Martin Biegelman, Certified Fraud Examiner, Director of Financial Integrity, Microsoft

Types of Frauds… The List is endless
• Bait and switch
• Banking fraud
• Benefit fraud, committing fraud to get government benefits
• Counterfeiting of currency, documents or valuable goods
• Confidence tricks
• Creation of false companies
• Embezzlement, taking money which one has been entrusted with on behalf of another party
• False advertising
• False billing
• False insurance claims
• Forgery of documents or signatures
• Franchise fraud
• Fraud upon the court
• Health fraud
• Identity theft
• Insurance fraud
• Intellectual property theft
• Investment frauds, such as Ponzi schemes and Pyramid schemes
• Marriage fraud
• Moving scam
• Religious fraud
• Rigged gambling games
• Securities frauds such as pump and dump
• Tax fraud
• Tax Evasion….

Most Crimes have Digital in it
• Crime related to e-Mail, Instant Messaging, & Chat
• Hacking, Illegal Internet Activity
• Computer & Network Intrusion
• Threats, Harassment and Defamation
• Extortion and/or Black Mail
• Copyright Infringement
• Software Piracy
• Intellectual Property Theft
• Identity Theft
• Online Auction Fraud
• Credit Card and other Financial Frauds & Schemes
• Telecommunications Fraud
• Gambling
• Divorce, Domestic Violence
• Child Pornography, Sexual Exploitation & Adult Sexual Assault
• Murder and Death Investigation
• Employee or Employers Misconduct
• Employee Compliance & Workplace Policy Violations
• Theft, Robbery and/or Burglary
• Now Terrorism

Profile of a Fraudster
1. Typically Male (aged between 31 and 45)
2. Intelligent
3. Egotistical
4. Inquisitive
5. Risk taker
6. Rule breaker
7. Hard worker
8. Under stress
9. Greedy
10. Financial need
11. Disgruntled or a complainer
12. Big spender
13. Overwhelming desire for personal gain
14. Pressured to perform
15. Close relationship with suppliers

Warning Signs and Red Flags
The most common behavioral red flags displayed by perpetrators:
• Living beyond one’s means or experiencing financial difficulties
• “Wheeler-dealer” attitude
• Divorce/family problems
• Irritability, suspiciousness or defensiveness
• Addiction problems
• Refusal to take vacations

The Digital world around us

We are all surrounded by Digital Today

(Images: Social Media, Gadgets & Gizmos, Compute & Communicate, Entertainment)


So is our Industry and Infrastructure

(Images: Power Stations, Oil & Gas, Telecom, Airports, Defence, Software)


Other Digital Devices

New Stuff!

What is technology doing to us!
• Government, Enterprises and individuals are
increasingly becoming dependent on IT, internet
and telecommunication (Technology) to
efficiently run, manage and grow.
• At the same time, the need to keep information, data and networks safe and secure from intrusions and frauds by internal as well as external perpetrators is growing rapidly, due to the extensive use of technology and growing specialised computer skills

Digital Crime & Frauds: Growing!
• Fraudsters & Criminals are
exploiting the global recession by
luring in susceptible victims through
the promise of easy money
• While governments have their
attention diverted by the economy,
the door is left open for
cybercriminals to continue targeting
bank balances and potentially
damage consumer confidence,
which is essential to the economic
recovery.

Economic Offences

No Dacoity, No Guns: New Age Frauds!

Financial Frauds Growing!

(News headline: 154 firms come under scanner for financial fraud)
Saradha Group, Saradha chit fund scam,
Rose Valley group, Vaishnavi Corporate
Communication, Speak Asia, Reebok
India, Alchemist Infra
Credit Card Frauds

Lost or stolen card: 48%
Identity theft: 15%
Skimming: 14%
Counterfeit card: 12%
Phishing: 6%
Others: 5%
Credit Card Fraud: Air tickets
• Case
– More than 15,000 credit cards were fraudulently used to book air tickets through the Internet.
– Total fraud: INR 17 Crore.
– The fraud came to light after credit card holders approached the card-issuing bank saying they had never booked a ticket.
– The airline had charged the amount to the bank, which in turn had passed on the tab to its customers.
• Investigation
– The gang had booked tickets online using credit card numbers obtained from restaurants, hotels, shopping malls and other retail outlets.
– The tickets were booked from cyber cafes in Mumbai, Delhi, Chennai, Kolkata and Bangalore.
Additional Reader

Ponzi Scheme
• A Ponzi scheme is a
fraudulent investment
operation that pays returns
to its investors from their
own money or the money
paid by subsequent
investors, rather than from
profit earned by the
individual or organization
running the operation

How does it work!
• Investors are enticed to invest in this fraudulent
scheme by the promises of abnormally high
profits.
• However, no investments are actually made by the so-called “investment firm”.
• Early investors are paid returns with the
investment capital received from subsequent
investors.
• The system eventually collapses and investors
do not receive their promised dividends and lose
their initial investment.
The Ponzi Tree

Speak Asia Fraud

The firm allegedly duped over 24 lakh investors through an online business survey.
The firm asked investors to pay Rs 11,000, submit their survey report through the internet, and promised a 500% return on each investment.
Chit Fund Fraud!

The group collapsed in April 2013, causing an estimated loss of INR 200–300 billion (US$4–6 billion) to over 1.7 million depositors

The Stock guru couple!

Lokeshwar Dev Jain and his wife Priyanka Saraswat Jain defrauded Indian citizens for more than Rs. 1,100 Crore.

The Great Indian Counterfeiter!
• Abdul Karim Telgi was convicted for printing counterfeit stamp paper in India
• Appointed 300 agents who sold
the fakes to bulk purchasers,
including banks, insurance
companies, and share-broking
firms.
• Size of Fraud: INR 200 billion
• Sentenced to 30 years rigorous
imprisonment

Digitized Document Fraud

Type of DDF
The three major types of DDF are:
1. Generating a duplicate copy of a document (Scan and Reproduce), e.g. Currency
2. Scan – Change – Print (Scan – Edit – Print), e.g. Transcripts
3. Scan – Add – Print, e.g. Bank Cheque
What do you need to fake?
Counterfeit Currency
Fake Currency Notes of Rs. 100 and 500 denomination
Fake Postal Stamps of denomination Rs. 1, 2 and 5.
Cheque Frauds
Degrees & Marksheets

Other Commonly Used Documents
Fake Registration Certificates of Vehicles
Fake Driving License
Fake Food Coupons
The examples are baffling for law-enforcement agencies, society and the economy!!!!!!!
(News clipping: Fake food coupon racket busted, 4 held in Mumbai, damage 30 Lakhs)

(Figure: document examination samples P1, P2, S1 and S2 compared with the Original, showing laser printer versus inkjet output)

Malware

Malware Basics
• Malware is malicious software used or created to disrupt computer operation, gather sensitive information, or gain access to computer network and mobile systems.
• Malware can appear in the
form of code, scripts, active
content, and other software.
The Malware Museum
• Viruses
• Worms
• Trojans
• Spyware/Adware/Ransomware
• Bots / Robots / Agents
• Backdoor / Trapdoor
• Zombie
• Porn Diallers
• Key loggers
• Exploits
• Bug
• Rootkits
Type of Cyber Malware & attack mode
Mobile Malware Trends
• Mobile Pickpocketing
• Mobile botnets
• Malvertising
• Automated Repackaging
• Browser Attacks
• Vulnerable Smart Devices
Newer Threats: Could be Embedded

● Unsolder chip and extract externally using specialized tools

Analyze Suspicious Files Online

Conventional Arms Shop vs. Digital Arms Shop
Price range: $20,000 to more than $250,000.

Digital
Forensics

Digital Forensics
• Digital Forensics is a branch of
forensic science pertaining to
legal evidence found in
computers and digital storage
media.
• The goal of digital forensics is to
explain the current state of a
digital artefact.
• The term digital artefact can
include any system, device or
document which can store or
transmit digital information.

Digital Forensics: Pre- Event
Predictive in nature
• Driven by Intelligence collected through the use of
technology.
• Network monitoring and forensics pick up indicators and
triggers before the actual event takes place
• Generate intelligence inputs for agencies to investigate
further.
• Regular monitoring and collecting evidence through ‘packet’ level forensics
• Analysis helps isolate patterns based on previously known ‘suspicious’ entities or on new ones, identifying and investigating ‘triggers’ for future analysis and threat assessment.

Digital Forensics: Post Event
Deals with the forensic science of all the equipment
containing digital evidence such as computers, laptops,
palmtops, mobile phones, satellite phones, GPS devices,
etc.
• Generates information and evidence chain that then
facilitates the legal process.
• Provides necessary breakthroughs and insights of how
criminals and terrorists mask their identities
• Detailed post-event forensics is the critical component of
intelligence gathering.

Digital Forensics: Goals
• Identification of potential digital evidence
– Where might the evidence be? Which devices did
the suspect use?
• Preservation of evidence
– On the crime scene…
– First, stabilize evidence…prevent loss and
contamination
– Careful documentation of everything—what’s hooked
up, how it’s hooked up…
– If possible, make identical, bit-level copies of
evidence for examination
Digital Forensics: Goals
• Careful extraction and examination of evidence
– Directory and file analysis
• Presentation of results of investigation (if
appropriate)
– “The FAT was fubared, but using a hex editor I changed the first
byte of directory entry 13 from 0xEF to 0x08 to restore
‘HITLIST.DOC’…”
– “The suspect attempted to hide the Microsoft Word document
‘HITLIST.DOC’ but I was able to recover it by correcting some
filesystem bookkeeping information, without tampering with the
file contents.”
• Legal: Investigatory needs meet privacy
Digital Forensics: Constraints
• Order of volatility
– Some data is more volatile
– RAM > swap > disk > CDs/DVDs
– Idea: capture more volatile evidence first
• Chain of custody
– Maintenance of possession records for all evidence
– Must be able to trace evidence back to its original source
– “Prove” that the source wasn’t modified
Digital
Forensic
Investigation
Case Study

Case Studies
• Corporate investigations
– Case 1: Intellectual Property theft
• Mail Server, Laptops
– Case 2: Defamation
• Desktops, Email Investigation, Network Forensics
– Case 3: Insurance Claim Verification
• Audio Video Forensics, Recovery
• Law Enforcement Agency
– Case 3: Suspected Terrorism
• Steganography, Deleted data recovery

Sources of Digital Evidence
• Computers & Mobiles
– Email
– Digital images
– Documents
– Spreadsheets
– Chat logs
– Video and Audio files
– Illegally copied software or other copyrighted material

• Applications
– ERP, CRM, SFA, CAD…

• Cloud
– Dropbox, Facebook, Google Drive etc.

(News clipping: Shivraj Puri)

Employee Digital Activity Monitoring & Investigation
Monitor, Detect & Track

• Emails sent to unrelated internal recipients
• Confidential corporate information being sent to suspicious third parties
• Internal freelancing by employees
• Corporate fraud and espionage by using sensitive keywords in
sensitive web searches and employee chats
• Confidential customer and lead database uploads before resignation
• Job search, resume uploads, predict attrition and resignations
• Unproductive or inappropriate internet activities of employees on
social media, gaming, video streaming, chatting, pornography,
unlawful web searches etc.
• Control emails, attachments and web file uploads
• Control file copy onto USB,CD-DVD media
Digital Forensics: Computer & Mobile Forensics
• Identification of potential digital evidence
– Where might the evidence be? Which devices did the suspect
use?
• Acquisition & Preservation of evidence
– Stabilize evidence, prevent loss, contamination or manipulation
– Make identical, bit-level copies of evidence for examination
• Recovery, Search & Analysis
– Recovery of deleted data
– Discovery of when files were modified, created, deleted,
organized
– Which storage devices were attached
– Which applications were installed, even if they were uninstalled
by the user
– Which web sites a user visited
Electronic Discovery

• Search emails, attachments, embedded images, archives, headers and metadata
• Group and trace email conversations
• Search and bookmark relevant information using
keywords, date ranges, email addresses or any other
identifying information
• Preview email, cell phones and data files for
investigation and electronic discovery
• Identify relationships among custodians, documents and
topics.
Where did we find the evidence?
• Undeleted files, expect some names to be incorrect
• Deleted files
• Windows registry
• Print spool files
• Hibernation files
• Temp files (all those .TMP files in Windows!)
• Slack space
• Swap files
• Browser caches
• Alternate or “hidden” partitions
• On a variety of removable media (floppies, ZIP, tapes, …)
Digital Forensics Investigation
• What’s possible?
– Recovery of deleted data
– Discovery of when files were modified,
created, deleted, organized
– Can determine which storage devices were
attached to a specific computer
– Which applications were installed, even if they
were uninstalled by the user
– Which web sites a user visited…
Anti Forensics
• What’s not…
– If digital media is completely (physically)
destroyed, recovery is impossible
– If digital media is securely overwritten,
recovery is very, very complicated, or
impossible
You will be surprised to know…
• Deleted files aren’t securely deleted
– Recover deleted file + when it was deleted!
• Renaming files to avoid detection is
pointless
• Formatting disks doesn’t delete much data
• Web-based email can be (partially)
recovered directly from a computer
• Files transferred over a network can be
reassembled and used as evidence
You will be surprised to know…
• Uninstalling applications is much more difficult than it
might appear…
• “Volatile” data hangs around for a long time (even across
reboots)
• Remnants from previously executed applications
• Using encryption properly is difficult, because data isn’t
useful unless decrypted
• Anti-forensics (privacy-enhancing) software is mostly
broken
• “Big” magnets (generally) don’t work
• Media mutilation (except in the extreme) doesn’t work
• Basic enabler: Data is very hard to kill
Maintain Chain of Custody

Digital Forensic Investigation Process
❶ Project Planning
❷ Data Identification
❸ Data Capture
❹ Data Processing
❺ Data Analysis
❻ Data Display
❼ Report Generation

Physical World

Tangible: This is what we can lay our hands on
Preservation: Imaging
• When making copies of media to be
investigated, must prevent
accidental modification or
destruction of evidence!

• Write blocking: A good plan.

• Tools for imaging:
– Dossier
– Tableau
– EnCase & FTK

Computer
Forensics

Specialized Computer Forensic Acquisition Devices

(Images: First Responder Kit, Forensic Write Blocker Kit, Forensic Falcon, Forensic Bridges, Hard Disk Doctor)
Mobile Forensics

Specialized Mobile Forensic Devices

(Images: Oxygen Mobile Forensic Toolkit, Complete Mobile Forensic)

Mobile Forensics
Physical extraction, decoding and analysis: call history, SMS messages, contacts, calendar, email, chat, media files, geo tags, passwords, location information (WiFi, cell tower), GPS fixes etc.
BlackBerry, iOS, Android, Nokia, Symbian, Microsoft Mobile, Palm, phones manufactured with Chinese chipsets and more
Digital Forensic Analysis

Where’s the Evidence?
• Undeleted files, expect some names to be incorrect
• Deleted files
• Windows registry
• Print spool files
• Hibernation files
• Temp files (all those .TMP files in Windows!)
• Slack space
• Swap files
• Browser caches
• Alternate or “hidden” partitions
• On a variety of removable media (floppies, ZIP, tapes, …)
Digital Forensic Analysis

Triage Examiner

Encase & FTK


Online DFS: Live Computer Investigation
Virtual & Cloud Forensics
Online, Internet Content & VoIP Forensics

Virtual Forensics
Virtual Environment | Examples | Technology/Techniques
Social Network Sites | Facebook, Orkut, LinkedIn | Hidden PHP scripts into Social Network Page API; Database storage
IM Chat Session | Gmail Chat Session, MSN Chat Session, Yahoo Chat Session | Real-time MS-DOS prompt (Network Statistics) commands
E-mail | Google email, Hotmail email, Yahoo email | View emailed messages’ source code, to see IP address information
Websites/Portals | Custom developed Websites | Applets

Internet Content Monitoring and Forensics Analysis

Online Forensic Investigation
(Diagram: the Investigator, using a browser interface from any location (Corporate, Field Location, Law Enforcement, Service Provider, Home Office, Hotel, etc.), connects over a wired/wireless/mobile network to the OnLineDFS Application & Data Store hosted in a NOC (or other secure location). The Systems Under Investigation are the multi-user Headquarters servers, Corporate Manufacturing Locations and Regional Offices. Note: the browser interface and the OnLineDFS application co-reside.)

Cloud Forensics
Cloud Forensics: The application of Digital Forensic Science
in Cloud Computing models
Challenges
• Multi-tenancy
• Resource Sharing
• Multiple Jurisdictions
• Electronic Discovery
• Third Party Dependency
• The Velocity of Attack Factor
• Malicious Insider
• Data Deletion
• Hypervisor-level Investigation
• Proliferation of Endpoints

Do we have an ability to Decode & Reconstruct!

Decoding and Reconstruction
• Email: POP3, SMTP, IMAP
• Webmail (Read and Sent), Yahoo Mail (Standard and
Beta/2.0), Windows Live Hotmail, Gmail, Giga Mail etc.
• IM/Chat : Windows Live Messenger-MSN, Yahoo, ICQ,
AOL, QQ, Google Talk, IRC, UT Chat Room, Skype call
session/duration
• File Transfer – FTP, P2P, BitTorrent, eMule/eDonkey, Gnutella, FastTrack
• HTTP Link, Content, Reconstruct, Upload/Download,
Video Stream
• Online Game: Maplestory, RO, Kartrider, Fairyland,
Hero, Wonderland etc.
• Telnet/BBS
• VOIP: Yahoo Messenger – reconstructed back to GIPS
format
• Webcam: Yahoo and MSN Messenger
Raw Data Decoding and Reconstruction.

Comprehensive Analysis

Voice Over IP Forensics
VOIP Protocols supported:
* SIP (the most common VOIP protocol used worldwide)
* H.323
Audio CODECS supported:
Voice call (VOIP) sessions can be captured, recorded (in “wav” file format) and played back with a popular voice media player. Currently available and supported audio CODECS developed by Decision & Pyramid include:
- G.729
- G.711 A-law and G.711 µ-law
- G.723
- G.726
- iLBC

(Diagrams: Point to Point Communication; SIP Server Architecture with Relay)

Sample information retrievable:
Caller No., Called No., Date/Time, Duration, Caller Gateway (IP), Caller Port, Called Gateway (IP), Called Port, Audio Conversation, Codec, Protocol

Session 1
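The record fields listed above can be rebuilt from SIP signalling alone. The following is an added example (not from the deck and not the Decision/Pyramid product) that parses a constructed INVITE / 200 OK / BYE exchange and produces a call record with caller and called numbers, date/time, duration, gateways, RTP ports, codec and protocol. Assumptions: the capture is a list of (timestamp, source, destination, SIP text) tuples with invented numbers, addresses and times; the codec is read from the first payload type in the answering SDP; the audio itself is not decoded.

```python
"""Rebuild a VoIP call record from captured SIP signalling (added example)."""
import re
from datetime import datetime, timezone

# Constructed capture: (epoch seconds, src ip:port, dst ip:port, SIP message).
# Numbers, addresses and times are invented sample values.
CAPTURE = [
    (1254371280.0, "10.0.0.5:5060", "10.0.0.9:5060",
     "INVITE sip:2002@10.0.0.9 SIP/2.0\r\nFrom: <sip:1001@10.0.0.5>\r\n"
     "To: <sip:2002@10.0.0.9>\r\nCall-ID: abc123@10.0.0.5\r\n"
     "Content-Type: application/sdp\r\n\r\n"
     "m=audio 20000 RTP/AVP 18 0\r\na=rtpmap:18 G729/8000\r\na=rtpmap:0 PCMU/8000\r\n"),
    (1254371281.0, "10.0.0.9:5060", "10.0.0.5:5060",
     "SIP/2.0 200 OK\r\nFrom: <sip:1001@10.0.0.5>\r\nTo: <sip:2002@10.0.0.9>\r\n"
     "Call-ID: abc123@10.0.0.5\r\nContent-Type: application/sdp\r\n\r\n"
     "m=audio 30000 RTP/AVP 18\r\na=rtpmap:18 G729/8000\r\n"),
    (1254371400.0, "10.0.0.5:5060", "10.0.0.9:5060",
     "BYE sip:2002@10.0.0.9 SIP/2.0\r\nFrom: <sip:1001@10.0.0.5>\r\n"
     "To: <sip:2002@10.0.0.9>\r\nCall-ID: abc123@10.0.0.5\r\n\r\n"),
]


def parse_sip(text):
    """Split a SIP message into start line, lower-cased header dict and SDP lines."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")  # split on the first colon only
        headers[key.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers,
            "sdp": body.split("\r\n") if body else []}


def sdp_media(sdp):
    """Return (rtp_port, codec_name) from an SDP body; the first payload type wins."""
    port = payload = None
    names = {}
    for line in sdp:
        if line.startswith("m=audio"):
            parts = line.split()
            port, payload = int(parts[1]), parts[3]
        match = re.match(r"a=rtpmap:(\d+) ([^/]+)/", line)
        if match:
            names[match.group(1)] = match.group(2)
    return port, names.get(payload)


def uri_user_host(value):
    """Pull user and host out of a SIP URI such as <sip:1001@10.0.0.5>."""
    match = re.search(r"sip:([^@>]+)@([^>;]+)", value)
    return (match.group(1), match.group(2)) if match else (None, None)


def reconstruct_calls(capture):
    """Group messages by Call-ID and fill in one record per call."""
    calls = {}
    for ts, src, dst, raw in capture:
        msg = parse_sip(raw)
        call_id = msg["headers"].get("call-id")
        rec = calls.setdefault(call_id, {"protocol": "SIP", "call_id": call_id})
        first = msg["start_line"]
        if first.startswith("INVITE"):
            rec["caller_no"], _ = uri_user_host(msg["headers"]["from"])
            rec["called_no"], _ = uri_user_host(msg["headers"]["to"])
            rec["caller_gw"] = src.split(":")[0]
            rec["called_gw"] = dst.split(":")[0]
            rec["caller_port"], _ = sdp_media(msg["sdp"])
            rec["invite_time"] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        elif first.startswith("SIP/2.0 200") and msg["sdp"]:
            rec["called_port"], rec["codec"] = sdp_media(msg["sdp"])
            rec["_answered"] = ts  # duration counts from the answer, not the INVITE
        elif first.startswith("BYE") and "_answered" in rec:
            rec["duration_s"] = ts - rec.pop("_answered")
    return calls


if __name__ == "__main__":
    for call_id, rec in reconstruct_calls(CAPTURE).items():
        print(call_id)
        for key, value in rec.items():
            print(f"  {key}: {value}")
```

Only the signalling path is needed for the record; the RTP ports it yields are what an analyst would then use to locate the audio stream in the same capture.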

Honey pot Forensics
Attack before they harm you!

There are Gangs out there!

Honey pot Forensics
“A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised.”
Benefits of deploying Honeypot
• Identification and classification:
– Find out who is attacking you and classify them.
• Evidence:
– Once the attacker is identified all data captured may be used in a
legal procedure.
• Increased knowledge:
– By knowing how you are attacked you are able to enlarge your
ability to respond in an appropriate way and to prevent future
attacks.
• Research:
– Operating and monitoring a honeypot can reveal most up-to-date
techniques/exploits and tools used as well as internal
communications of the hackers or infection or spreading
techniques of worms or viruses.

Honeypot Forensics
• During a forensic investigation follow
a clear and well-defined methodology:
– Acquire the evidence without modifying or damaging the original (and, where possible, without leaving any traces of your actions behind!)
– Check the integrity of the recovered data and verify that the recovered data and the original are identical
– Analyze the data without modifying it
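The integrity check above and the chain-of-custody requirement from the Digital Forensics: Constraints slide (possession records, tracing evidence to its source, proving the source was not modified) come down to the same mechanism: hash the original at acquisition and re-hash at every hand-off. The following is an added example, not the deck's own code or Pyramid's tooling, that does both. Assumptions: the exhibit is held as in-memory bytes so the script runs offline (a real image would be hashed from disk in chunks the same way); the log layout and exhibit id are invented.

```python
"""Hash verification and a chain-of-custody log for forensic evidence (added example)."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a multi-gigabyte image never has to sit in RAM at once."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """True only when the examination copy matches the original byte for byte."""
    return sha256_hex(original) == sha256_hex(copy)


class CustodyLog:
    """Append-only record of who held an exhibit, when, and what it hashed to."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, action: str, handler: str, data: bytes, when=None) -> dict:
        entry = {
            "item": self.item_id,
            "action": action,
            "handler": handler,
            "sha256": sha256_hex(data),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """The chain holds only if every recorded hash equals the acquisition hash."""
        return len({entry["sha256"] for entry in self.entries}) == 1


# Constructed sample exhibit standing in for a disk image (not real evidence).
ORIGINAL = b"\x00" * 4096 + b"HITLIST.DOC\x00" + b"\xff" * 4096
GOOD_COPY = bytes(ORIGINAL)
# Same length, one byte run changed: a hash comparison catches it, a size check would not.
TAMPERED = ORIGINAL[:4096] + b"hitlist.doc\x00" + ORIGINAL[4096 + 12:]


def build_log() -> CustodyLog:
    """Three hand-offs of unaltered data: the chain stays unbroken."""
    log = CustodyLog("EXH-001")  # constructed exhibit id
    log.record("acquired through write blocker", "examiner A", ORIGINAL)
    log.record("imaged for examination", "examiner A", GOOD_COPY)
    log.record("received", "examiner B", GOOD_COPY)
    return log


if __name__ == "__main__":
    log = build_log()
    for entry in log.entries:
        print(entry["time"], entry["handler"], entry["action"], entry["sha256"][:16])
    print("chain unbroken:", log.unbroken())
    print("tampered copy rejected:", not verify_copy(ORIGINAL, TAMPERED))
```

Each log entry pairs a handler and a time with the hash observed at that moment, so a later hash that differs pinpoints the hand-off at which the evidence changed, which is exactly what a court will ask.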

Steganography: Cool and Covert

Steganography

Use of Steganography
E-mail Scenario
(Diagram: an Insider behind the corporate Firewall sends the stego-carrying e-mail across the Internet to an External Recipient)
Use of Steganography
WWW Scenario
(Diagram: an Insider and an External User exchanging the stego carrier over the WWW)

Steganography Example

(Figure: Carrier Image with three enlarged pixels, Pixel 1, Pixel 2 and Pixel 3; pixels not to scale)
Add the letter “W” to a 24-bit image file:
W = 01010111 (ASCII)

Original (R G B)               Altered (R G B)
[10000100 10110110 11100111]   [10000100 10110111 11100110]
[10000101 10110111 11100111]   [10000101 10110110 11100111]
[10000101 10110110 11100111]   [10000101 10110111 11100111]

Effect of change on first pixel:

Original Values            Altered Values
R 1 0 0 0 0 1 0 0          R 1 0 0 0 0 1 0 0
G 1 0 1 1 0 1 1 0          G 1 0 1 1 0 1 1 1
B 1 1 1 0 0 1 1 1          B 1 1 1 0 0 1 1 0

Carrier Image Altered Image
Altered image contains text of a 110-page extract from a terrorist training manual (with room for another 72,094 characters!)
Image Size (768 x 1,024) = 786,432 pixels = 2,359,296 bytes; Carrying capacity = 294,912 characters
Payload Size = 37,025 words = 222,818 characters (w/spaces)
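The pixel tables and the capacity arithmetic above are the whole of LSB embedding, so they can be checked in code. The following is an added example (not the deck's own code) that writes message bits into the low bit of successive colour channels, reads them back, and recomputes the 294,912-character capacity of a 768 x 1,024 carrier. Assumptions: pixels are (R, G, B) tuples, bits go into the channels in R, G, B order pixel after pixel with the most significant message bit first, and the image is a plain list so the script runs offline; the three sample pixels are copied from the slide, and the embedding of "W" into them must reproduce the slide's altered values exactly.

```python
"""LSB steganography as illustrated on the slides (added example)."""


def embed_bits(pixels, bits):
    """Return a copy of pixels whose channel LSBs, in order, carry the given bits."""
    flat = [channel for pixel in pixels for channel in pixel]
    if len(bits) > len(flat):
        raise ValueError("message does not fit in the carrier")
    for index, bit in enumerate(bits):
        flat[index] = (flat[index] & 0xFE) | bit  # clear the LSB, then set it
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def embed_text(pixels, text):
    """ASCII text to bits (MSB first), then into the carrier."""
    bits = [(byte >> k) & 1 for byte in text.encode("ascii") for k in range(7, -1, -1)]
    return embed_bits(pixels, bits)


def extract_text(pixels, length):
    """Read `length` characters back out of the channel LSBs."""
    flat = [channel for pixel in pixels for channel in pixel]
    chars = []
    for n in range(length):
        byte_bits = flat[n * 8:(n + 1) * 8]
        chars.append(chr(int("".join(str(c & 1) for c in byte_bits), 2)))
    return "".join(chars)


def capacity_chars(width, height, channels=3):
    """One bit per channel per pixel, eight bits per character (the slide's figure)."""
    return width * height * channels // 8


def max_channel_delta(before, after):
    """Largest per-channel change; LSB embedding never moves a value by more than 1."""
    return max(abs(x - y) for pa, pb in zip(before, after) for x, y in zip(pa, pb))


# Carrier pixels exactly as printed on the slide (R, G, B in binary).
SLIDE_ORIGINAL = [
    (0b10000100, 0b10110110, 0b11100111),
    (0b10000101, 0b10110111, 0b11100111),
    (0b10000101, 0b10110110, 0b11100111),
]
SLIDE_ALTERED = [
    (0b10000100, 0b10110111, 0b11100110),
    (0b10000101, 0b10110110, 0b11100111),
    (0b10000101, 0b10110111, 0b11100111),
]

if __name__ == "__main__":
    print("embedding W reproduces the slide:", embed_text(SLIDE_ORIGINAL, "W") == SLIDE_ALTERED)
    print("recovered:", extract_text(SLIDE_ALTERED, 1))
    print("largest channel change:", max_channel_delta(SLIDE_ORIGINAL, SLIDE_ALTERED))
    cap = capacity_chars(768, 1024)
    print("capacity of a 768x1024 carrier:", cap, "chars; spare after 222,818:", cap - 222818)
```

The largest change to any channel value is 1 out of 255, which is why the altered image looks identical to the carrier and why an examiner has to compare against a known original, or look at LSB-plane statistics, rather than at the picture.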

What is hidden in this Word document?
Using our Steganography Analysis Services you will discover this:

(Simulated Cure For Cancer)

© 2004-2008 Backbone Security.Com, Inc. All rights reserved.
What is hidden in this image?
Using our Steganography Analysis Services you will discover this:

(PDF file containing the Manual)

What is hidden in this image?
Using our Steganography Analysis
Services you will discover this:

(Simulated Child Pornography)

High Performance Password & Crypto Analysis

GPU based High Computing Password Recovery

GPU & CUDA ready
Rack based Password Recovery System

Emails, ediscovery and Link Analysis

Phishing & Whaling
-----Original Message-----
From: Income Tax Department of India [mailto:ggitds@accounts.net]
Sent: 01 October 2009 04:28
To: account@orange.fr
Subject: Income Tax Department of India - Tax Refund (5416533) 82050.00 Rs
<http://i36.tinypic.com/2qi431j.gif>
Dear Income Tax Department of India customer,
After the last annual calculation of your fiscal activity we have determined that you are
eligible to receive a tax refund of 82050.00 Rupees.
Please submit the tax refund form and allow us 3-5 business days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records
or applying after the deadline.
To access the form for your tax refund, please Click Here
<http://mail.fasteners.ru/icons/inf.html> .
NOTE!
For security reasons, we will record your ip-address and date.
Thank you,
Income Tax Department of India Online Department.
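The message above carries the signals a mail gateway or an investigator checks first: a display name claiming a government department on a sender domain that has nothing to do with it, links pointing at unrelated third-party hosts, and refund / "Click Here" lure wording. The following is an added example, not from the deck, that parses the message and reports those findings. The sample text is reconstructed from the slide with the Outlook "mailto" form rewritten as a standard From header; the keyword lists and the benign control message are my own assumptions.

```python
"""Triage of a phishing e-mail: sender/domain mismatch, foreign links, lure wording (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Reconstructed from the slide; header form normalised.
SAMPLE = """From: Income Tax Department of India <ggitds@accounts.net>
To: account@orange.fr
Date: 01 Oct 2009 04:28:00 +0000
Subject: Income Tax Department of India - Tax Refund (5416533) 82050.00 Rs

<http://i36.tinypic.com/2qi431j.gif>
Dear Income Tax Department of India customer,
After the last annual calculation of your fiscal activity we have determined that you are
eligible to receive a tax refund of 82050.00 Rupees.
Please submit the tax refund form and allow us 3-5 business days in order to process it.
To access the form for your tax refund, please Click Here
<http://mail.fasteners.ru/icons/inf.html> .
NOTE!
For security reasons, we will record your ip-address and date.
"""

# Constructed benign control message (assumption, not from the slide).
BENIGN = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: lunch

See the menu at http://intranet.example.com/menu
"""

GENERIC_WORDS = {"department", "online", "team", "service", "support"}
LURE = re.compile(r"\b(refund|click here|verify your|suspended|confirm your)\b", re.I)


def registrable(host):
    """Crude registrable-domain cut (last two labels); adequate for a triage heuristic."""
    return ".".join(host.lower().split(".")[-2:])


def extract_links(body):
    return re.findall(r"https?://[^\s<>]+", body)


def triage(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    findings = []

    # 1. Does the organisation named in the display name appear in the sending domain?
    claim_words = [w for w in re.findall(r"[a-z]+", name.lower())
                   if len(w) > 3 and w not in GENERIC_WORDS]
    if claim_words and not any(w in sender_domain for w in claim_words):
        findings.append(f"display name '{name}' does not match sender domain {sender_domain}")

    # 2. Links that lead away from the sender's own domain.
    for url in extract_links(body):
        host = urlparse(url).hostname or ""
        if registrable(host) != registrable(sender_domain):
            findings.append(f"link host {host} unrelated to sender domain {sender_domain}")

    # 3. Wording typical of credential-harvesting mail.
    if LURE.search(body):
        findings.append("lure wording (refund / click here)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
    print("benign control:", triage(BENIGN))
```

These three checks are deliberately simple; in production they sit beside SPF/DKIM/DMARC results and URL reputation, but even alone they separate the sample above (four findings) from the benign control (none).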

Email Investigation
• Networks View
– Quickly identify the
key custodians
– See who is
communicating

Event Map
▶ Event Map
◦ View communications in
time sequence
◦ All times are normalized
to UTC for indexing and
displayed relative to
local time.
▶ Email Thread Analysis
◦ Review entire threads
including forwarded,
cc’d, and bcc’d
messages

Data Mining & Visualization

Call Data Record Analysis

Link Analysis

Actionable Discovery

Voice Biometric and Layered Voice Analysis

Voice Biometrics…A Key Technology for Security

AGNITIO presentation
Can you identify this person?

So does Voice Biometric
Every Human Voice is Unique

Voice Biometric Tools
Forensic laboratories, Law enforcement, Field investigation, Intelligence agencies

Layered Voice Analysis
Using voice analysis for fraud
detection and risk assessment

Enterprise Fraud Management

Enterprise Fraud is on the Rise:
Quantity and variety growing exponentially
(Figure: fraud types shown as a word cloud: Credit Card Fraud, Loan Applications, Forgery, Online Banking, POS, Insider Fraud, Counterfeiting, Identity Theft, Deposit Fraud, New Account, Telemarketing, Phishing, Check Fraud, Credit Abuse, Mass Takeover, Smurfing, Account Takeover, Internet Fraud, Alterations, Kiting)
…and even when we deploy solutions, we don’t connect them in ways that allow one silo to know what is happening in another silo
▪ Holistic View (Fuse Services from Multiple Apps)
- Transaction Monitoring & Anti-Money Laundering
- Enterprise Linking
- Visualization

(Diagram: Enterprise Fraud at the centre, linked to Link Analysis, Data, Email Retention & Discovery, EDD and AML)
Forensic Audit & Accounting

Forensic accounting is a specialty practice area
of accountancy that describes engagements that
result from actual or anticipated disputes or litigation.
"Forensic" means "suitable for use in a court of law”

Computer-assisted audit
tools (CAATs) help
Forensic accountants and
auditors to detect fraud

Information
Technology Act

IT ACT 2000 & 2008
• Enacted in the year 2000 and was implemented w.e.f.
17th October, 2000
– Important features of this Act:
– Recognition to e-transactions, digital signatures, electronic
records etc. and also recognise their evidentiary value
– Lists out various computer crimes which are technological
• The IT Act, 2000 was amended in the year 2008
– Section 43A and Section 72A were added by the amendment Act
for protection of personal data and information
– Both these provisions are penal in nature, civil and criminal
respectively

Sections 43A and 72A
• Reasonable Security Practices and procedures
and sensitive personal data or information
– Non Compliance of these rules would lead to invocation of
Section 43A of The IT Act, 2008 and liability to pay
compensation, limits of which have not been fixed
• Criminal Liability for disclosure of information in
breach of lawful contract
– Any person, or Intermediary is liable for punishment of
imprisonment for term which may extend to 3 years or fine
up to INR 5L or both

Sensitive personal data or information of a
“person” means
• Password
• Financial information such as:
– Bank account or,
– Credit card or debit card or,
– Other payment instrument details
• Physical, physiological and mental health condition
• Sexual orientation
• Medical records and history
• Biometric information
• Information received by body corporate for processing, stored or processed under lawful contract or otherwise;
• Call data records

Mandates for Corporate
• Privacy Policy
• Consent for collection of data
• Collection of data
• Use and Retention
• Opt Out/Withdrawal
• Access and Review of Information
• Grievance Mechanism
• Limitation on Disclosure of Information
• Limitation on Transfer of Information
• Reasonable Security Practices and Procedures
– Information Security Management System (ISMS): ISO/IEC 27001

FIVE TRENDS

Anti Forensics

FIVE TRENDS

Are Bad Guys ahead of the Good Guys?

Issues
• Computer forensics is becoming more
mainstream
• Computer users are learning more
effective methods to cover their tracks
• Programmers are writing tools to defeat
specific commercial computer forensics
products
• Computer forensics examiners are
becoming slaves to their tool(s)

What is being done
• Configuration settings – methods used to
cover tracks using “supplied” tools and
configuration settings
• Third party tools – wiping, properties
changers, registry cleaners,
steganography/encryption, etc.
• Tools and methods designed specifically
to fool computer forensics programs.

Wiping Tools & Methods
• US Department of Defense (DoD) - Passes
• Naval Staff Office (NAVSO) - 7 Passes
• Peter Gutmann – 35 Passes

Segobit: File Property Changer

Good News/Bad News
• First the Bad News
– Using a combination of these tools on a regular basis can defeat a computer forensics examination
• Now the Good News
– Very few users know about “all” of these tools and methods
– Not all tools perform as promised

FIVE TRENDS

Information Rights Management (IRM)

Enterprises define and implement information usage policies. A policy is an “answer” to four questions, i.e.

• WHO can use the information
– People & groups within and outside of the organization can be defined as rightful users of the information

• WHAT can each person do
– Individual actions like reading, editing, printing, distributing, copy-pasting, screen grabbing etc. can be controlled

• WHEN can he use it
– Information usage can be time based, e.g. can only be used by Mr. A till 28th Sept OR only for 2 days

• WHERE can he use it from
– Information can be linked to locations, e.g. only the 3rd floor office, by private/public IP addresses
How IRM protection is applied (text recovered from the slide diagram):
• Document / Email is composed in the existing application, i.e. Word / Excel / Lotus / Open Office / …
• Owner of the document protects the file (shown on “Maya’s Computer”)
• Information is classified (optional) and a policy is attached to the information
• Policy definition could be centralized (only done by a central team), partially centralized (department-level policy management) or completely decentralized (user defined); in the slide this is done from the “Policy Admin Computer”

Policy definition (recovered from the slide diagram):
• Policy name & description
• WHO: people / groups within or outside the enterprise (Internal Users, External Users)
• WHAT: VIEW, EDIT, PRINT, FORWARD, …
• WHERE: specific computers, networks, only from the office, …
• WHEN: specific date range, time span, …
• This user has full control of the document
• Audit trails capture authorized activities AND unauthorized attempts
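The four-question policy model and the audit-trail point above, as an added example (not the slides' own code or any IRM product's): a small evaluator that checks WHO, WHAT, WHEN and WHERE in turn and logs every decision, allowed or denied. The policy name, users, network range and dates are constructed for illustration.

```python
"""Added example, not from the slides: a minimal IRM policy evaluator that
answers the four questions (WHO, WHAT, WHEN, WHERE) and keeps an audit
trail of authorised activities AND unauthorised attempts. The policy, users,
network ranges and dates below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class IrmPolicy:
    name: str
    users: set            # WHO: user ids or group names allowed to use the document
    actions: set          # WHAT: e.g. {"VIEW", "EDIT", "PRINT", "FORWARD"}
    valid_from: str       # WHEN: ISO timestamps, start inclusive, end exclusive
    valid_until: str
    networks: list        # WHERE: CIDR ranges the document may be opened from
    audit: list = field(default_factory=list)

    def authorize(self, user, groups, action, when_iso, src_ip):
        """Return (allowed, reason). Every decision, allowed or not, is logged."""
        when = datetime.fromisoformat(when_iso)
        reason = None
        if user not in self.users and not (set(groups) & self.users):
            reason = "WHO: not a rightful user of this document"
        elif action not in self.actions:
            reason = f"WHAT: action {action} is not permitted"
        elif not (datetime.fromisoformat(self.valid_from) <= when
                  < datetime.fromisoformat(self.valid_until)):
            reason = "WHEN: outside the permitted usage window"
        elif not any(ip_address(src_ip) in ip_network(n) for n in self.networks):
            reason = f"WHERE: {src_ip} is not an allowed location"
        allowed = reason is None
        # Audit trail: authorised activity and unauthorised attempts alike
        self.audit.append({"ts": when_iso, "user": user, "action": action,
                           "ip": src_ip, "allowed": allowed, "reason": reason})
        return allowed, reason


def demo_policy():
    """Constructed policy: Maya and the finance group may VIEW and PRINT the
    document from the 3rd-floor office network (10.3.0.0/24) until 28 Sept."""
    return IrmPolicy(name="Q3 forecast", users={"maya", "finance"},
                     actions={"VIEW", "PRINT"},
                     valid_from="2024-09-01T00:00:00",
                     valid_until="2024-09-29T00:00:00",
                     networks=["10.3.0.0/24"])
```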
Technology is not an Issue... World-Class Solutions
• Computer & Mobile Forensic Acquisition
• Analysis & Reporting
• Steganography
• Password Recovery
• SIEM, IRM
• E-Discovery, CDR Analysis, Email Investigation
• Voice Biometric, Layered Voice Analysis
• Wireless Forensics & Analytics, Surveillance

FIVE TRENDS

Challenges and What to do!

Challenges
• Bad guys just have to find one vulnerability or breach, whereas good guys have to secure everything every time.
• Insider frauds are more difficult to detect than those by outsiders
• Encryption is not making life simpler either
• Inadequate in-house manpower or skills to investigate/examine
• Maintenance of “Chain of Custody”
• Speed at which evidence is examined
• Align your policies with the IT ACT and other GR compliances
• Multi-country jurisdiction & treaties
• Most of the time we think FRAUD cannot happen to us

Incident Response Steps
• Detect the incident
• Analyse the incident
• Contain or eradicate the problem
• Provide workarounds or fixes
• Prevent recurrence
• Log events
• Preserve evidence
• Conduct a post-mortem and apply lessons learned

How to achieve Forensic Readiness?
1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential
evidence.
3. Determine the evidence collection requirement.
4. Establish a capability for securely gathering legally admissible
evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential
evidence.
6. Ensure monitoring is targeted to detect and deter major
incidents.
7. Specify circumstances when escalation to a full formal
investigation (which may use the digital evidence) should be
launched.
8. Train staff in incident awareness, so that all those involved
understand their role in the digital evidence process and the
legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and
its impact.
10. Ensure legal review to facilitate action in response to the incident.

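The “Chain of Custody” challenge, the “Preserve evidence” response step and readiness step 5 (secure storage and handling of potential evidence) all rest on being able to prove later that evidence and its handling record were not altered. As an added example, not the slides' own procedure or any forensic product's code, here is a hash-chained custody log: each entry records the SHA-256 of the evidence item and the hash of the previous entry, so edits to the evidence or to any earlier entry are detectable. Evidence bytes, identifiers and handler names are constructed.

```python
"""Added example, not from the slides: an append-only chain-of-custody log.
Each entry records the SHA-256 of the evidence item and is chained to the
previous entry, so a later change to the evidence or to any entry is detected.
Evidence bytes, ids and handler names are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log, evidence_id, evidence_bytes, handler, action, when=None):
    """Append an entry linking the evidence hash, handler and action to the previous entry."""
    entry = {
        "evidence_id": evidence_id,
        "evidence_sha256": sha256_hex(evidence_bytes),
        "handler": handler,
        "action": action,            # e.g. "acquired", "transferred", "examined"
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    # Canonical JSON so the entry hash is reproducible on verification
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_custody(log, current_evidence):
    """Return (ok, problem). Checks the hash chain and that each evidence item
    still hashes to the value recorded in every entry that mentions it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken chain link"
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False, f"entry {i}: entry contents altered"
        eid = entry["evidence_id"]
        if eid in current_evidence and sha256_hex(current_evidence[eid]) != entry["evidence_sha256"]:
            return False, f"entry {i}: evidence {eid} no longer matches recorded hash"
        prev = entry["entry_hash"]
    return True, None
```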
Possible digital evidence sources: Almost everywhere
– Computing devices such as desktops, laptops, mobile phones, PDAs, tablets, hard drives, USB drives, memory cards etc.
– Equipment such as routers, switches, firewalls, servers, and embedded devices
– Application software, such as accounting packages for evidence of fraud, ERP packages for employee records and activities (e.g. in case of identity theft), system and management files;
– Monitoring software such as intrusion detection software, packet sniffers, keyboard loggers, and content checkers
– General logs, such as access logs, printer logs, web traffic, internal network logs, Internet traffic, database transactions, and commercial transactions
– Other sources, such as door access records, CCTV/video footage, phone logs, telco records and network records, call centre logs, monitored phone calls, recorded messages;
– Back-ups and archives

Analysis: Art, Science, Experience
• Know where evidence can be found
• Understand techniques used to hide or “destroy”
digital data
• Toolbox of techniques to discover hidden data
and recover “destroyed” data
• Cope with HUGE quantities of digital data…
• Ignore the irrelevant, target the relevant
• Thoroughly understand circumstances which
may make “evidence” unreliable
Digital Forensic Capability
• Specialized Hardware based Forensic Capture/Acquisition of
Computer and Mobile Digital Evidence
• Comprehensive Search, Investigation & Analysis of any Digital
Evidence
• Field Investigation & First Response
• CD/DVD and Hard Disk recovery Solution
• email investigation and e-Discovery
• Capability to recover and break passwords
• Capability to detect Cryptography and Steganography
• Capability to do Online and Network Forensics on live network
environments
• Voice Biometric & Layered Voice Analysis
• Call Data Record and Link Analysis
• Wireless Forensics
• SIEM

The Investigation Team
– Empanelled External Digital Forensic
Investigation firm
– Corporate HR department
– “Owners” of business processes or data
– Line management, Profit centre managers
– Corporate security
– System administrators, IT management
– Legal advisor
– Senior Management (potentially up to board
level if required)
– Corporate PR department (to manage any
public information about the incident)

Human Capital and Traits
• Deploy a trained team of investigators & experts with the
following traits (in this order)
1. Integrity
2. Technical astuteness
3. Curiosity
4. Problem solving skills
5. Analysis skills
6. Report writing skills/communication skills
7. Acquisition skills
8. Data recovery skills
9. Caution
10. Computer science background
11. Security background
• Think outside the box, look for evidence in non-traditional
locations, expand skill set to address emerging threats

Thanks for your time and
attention!
Alok Gupta
alok.gupta@pyramidcyber.com
+91-9999189650
Pyramid Cyber Security & Forensic
