“Cyber forensics needs to be seen as a preemptive measure”
Technology
Written by Vandana Sharma
Thursday, 05 March 2009 14:47

In the recent Mumbai attacks, the terrorists exploited a server in Russia to mask their true identities, IP (Internet protocol) addresses and the routes of their e-mail communications. They used channels that stay below the radar of suspicion and monitoring. This not only caught intelligence agencies off guard, but also highlighted the absence of technologies that could have equipped them to deal with such challenges.

Ashish Sonal, CEO, Orkash Services, a management consulting and technology services company providing custom research, market intelligence and business assurance services for emerging markets, reveals how cyber forensics technology can help tame the menace of terrorism.
i.t. A recent white paper released by Orkash, says: "The cyberspace is acting as a force multiplier for terrorist networks in India and abroad, driven by the sophisticated use and unlimited access to Internet and computer technology." What kinds of threats are emerging as a consequence?

AS Orkash's study on the changing patterns of terrorism in India highlighted that over the past 18 to 24 months, terror outfits have undergone a major overhaul of their operational and execution capabilities to orchestrate attacks in India. Terrorism is adopting a more sophisticated face, as attacks are becoming large scale and more techno-savvy.
Taking advantage of the anonymous nature of the Internet, terrorists use cyberspace for communications, geographic mapping, recruitment, fund raising and, most importantly, intelligence gathering. With increasing vigilance on the traditional channels of communications (such as tracking of e-mails and mobile phones, etc.), terrorists have now resorted to using new tactics, for example, not sending e-mails but saving them as drafts in an encrypted manner. Many organised terror groups host websites and use fixed Internet sites to communicate with their partners. There have been known incidents in India where terrorists have resorted to several other innovative techniques, such as using bulletin boards and other websites that provide free uploading services, and posting steganographed picture messages to pass on 'confidential' execution details.

i.t. What technologies are required to counter these threats?
AS The key learning for intelligence agencies is that any activity over the Internet leaves traces and communication patterns that can be tracked with a great degree of accuracy. However, the caveat here is that inflow and outflow of information has to be continuously and rigorously monitored. And here, cyber forensics plays a crucial role in investigations and intelligence gathering to curb and preempt terrorist activities. The pre- and post-event techniques of cyber forensics (supported by the evidence chain management) can help in anticipating and appropriately reacting to terrorist activities over the cyber space.

Several technological tools such as 'trackback analysis' (Orkash's proprietary tool used for monitoring and tracking information online) and other Web-mining applications can assist in the process.

i.t. Can you explain the pre- and post-event techniques of cyber forensics in detail? How can these techniques be put to use effectively?
AS Cyber forensics is seen more as a tool used to investigate the chain of events once the crime has taken place. But it needs to be seen as a preemptive measure to stop terror incidents. Hence, a two-way consolidated model needs to be put in place to track terrorist activities and curb criminals.

Pre-event: This model is predictive in nature and is driven by intelligence collected through the use of technology. As terrorists have increased dependence on the Internet and on Web technology, they are using cyber space for planning, communications, and logistics control. Network monitoring and forensics can pick up the indicators and triggers before the actual event takes place and generate intelligence inputs for agencies to investigate further. The process encompasses regular monitoring and collecting evidence through 'packet' level forensics, whereby packets of information moving in and going out are monitored. Subsequent analysis through data mining generates trends and patterns almost in real time for further intelligence. The analysis can help in isolating patterns based on previously known 'suspicious' entities or on new ones, identifying and investigating 'triggers' or any unusual developments for future analysis and threat assessment.

Post-event: This deals with the forensic science of all the equipment containing digital evidence such as computers, laptops, palmtops, mobile phones, satellite phones, GPS (global positioning system) devices, etc. In high profile cases and incidents, such as the Parliament attack at New Delhi in 2001, the Mumbai serial train blasts in 2006, and the 26/11 Mumbai attacks, cyber forensics played a decisive role in gathering e-evidence and collating the sequence of events for the prosecution of the suspects. This also provided the necessary breakthroughs and insights into how terrorists are masking their identities and executing their plans. Detailed post-event forensics is the critical component of intelligence gathering. It generates information and an evidence chain that then facilitates monitoring and tracking.

i.t. One of the most disturbing trends that the Orkash study cites is the increasing use of steganography (the technique of writing hidden messages in such a way that no one apart from the sender and intended recipient realises there is a hidden message), encryption, etc, to execute terror plans. How can this be countered?
AS This is a challenging area for the investigators. There are, however, various technological tools available that can be used to analyse and mine the traffic movement of packets from ISPs (Internet service providers) for steganographic and encrypted messages. Here, the key is the integration of the technologies of business intelligence with cyber forensics to facilitate effective analysis and pattern-depiction.

In every case, it boils down to the detection of trends and patterns from the sea of data gathered from logs and packets, which is a big challenge in itself and can only be executed through technologies such as data and text mining, natural language processing, etc.

The process of analysis and intelligence creation can be further enhanced by integrating these with geographic information systems (GIS) and with the use of technologies such as link analysis, whereby the complete network and the sequence of events can be visualised. The adoption of such techniques by the Indian investigative agencies is still very minimal. They need to be more proactive, and technologies need to be implemented for detection of anomalies and unusual behaviour at an early stage so that a red flag can be raised for timely investigations.
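The steganography and encryption the answer above refers to can be made concrete. What follows is an added example, not code from the interview or from Orkash: it embeds a payload in the least significant bits (LSBs) of a constructed 64x64 greyscale raster, and then runs the classic chi-square attack (Westfeld and Pfitzmann) that an analyst would use to flag the image. The cover image, its dimensions and the payload are all invented in memory, so nothing is read from disk or the network. The example deliberately uses random bytes as the payload: an encrypted message looks like random bits, and that is exactly what flattens the LSB plane and makes it detectable.

```python
"""LSB steganography in an 8-bit greyscale raster, and the chi-square attack that detects it.

Added example; the cover image is constructed in memory (no files, no network) so the
script runs offline. Pixel values, dimensions and the payload are all invented.
"""
import random

WIDTH, HEIGHT = 64, 64           # constructed 64x64 greyscale cover, one byte per pixel


def make_cover(seed: int = 1) -> list:
    """Constructed cover image. Real photographs have uneven histograms, so the two
    values of each pair (2k, 2k+1) normally occur with different frequencies; the
    bias below imitates that, and it is what the chi-square attack relies on."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        v = rng.randrange(256)
        if v % 2 == 1 and rng.random() < 0.7:   # push most odd values down to even
            v -= 1
        pixels.append(v)
    return pixels


def make_payload(nbytes: int, seed: int = 7) -> bytes:
    """Constructed payload: seeded random bytes stand in for an encrypted message."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(nbytes))


def embed_lsb(pixels: list, payload: bytes) -> list:
    """Overwrite the least significant bit of consecutive pixels with payload bits, MSB first."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds LSB capacity of cover")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels: list, nbytes: int) -> bytes:
    """Reverse of embed_lsb: read nbytes worth of LSBs back out."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[k * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def chi_square_lsb(pixels: list, limit: int = None):
    """Westfeld/Pfitzmann chi-square statistic over the first `limit` pixels (all if None).

    For each pair of values (2k, 2k+1), LSB embedding of random-looking bits pushes
    the two counts toward each other. The statistic compares the observed even count
    with the pair mean; it is large for an untouched image and close to its degrees
    of freedom after embedding. Returns (statistic, degrees_of_freedom)."""
    sample = pixels if limit is None else pixels[:limit]
    hist = [0] * 256
    for v in sample:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:          # value pair absent from the image: no evidence either way
            continue
        stat += (even - expected) ** 2 / expected
        pairs += 1
    return stat, max(pairs - 1, 1)


def lsb_looks_random(pixels: list, limit: int = None, threshold: float = 2.0) -> bool:
    """Heuristic verdict: statistic per degree of freedom near 1 means the LSB plane
    is statistically flat, the signature of LSB embedding of random-looking bits."""
    stat, df = chi_square_lsb(pixels, limit)
    return stat / df < threshold


if __name__ == "__main__":
    cover = make_cover()
    secret = make_payload(WIDTH * HEIGHT // 8)          # fills the whole LSB plane
    stego = embed_lsb(cover, secret)
    assert extract_lsb(stego, len(secret)) == secret
    for name, img in (("cover", cover), ("stego", stego)):
        stat, df = chi_square_lsb(img)
        print(f"{name}: chi2/df = {stat / df:.2f}, flagged = {lsb_looks_random(img)}")
```

Two caveats a practitioner would want. The chi-square attack only sees the part of the image that was actually overwritten: a payload that fills a quarter of the LSB plane flattens only the first quarter, and a whole-image statistic will still look natural, which is why the `limit` parameter exists and why real tools slide a window across the image. And the attack says nothing about what the payload is; an encrypted payload stays encrypted after extraction, so detection and decryption are separate problems.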

i.t. Can cyber forensics help prevent the crimes being carried out through cyber cafés?
AS Yes, of course. In India, there are around 46 million Internet users and 200,000 cyber cafés. The Indian government has asked café owners to authenticate Internet users through their identity cards and to place CCTV (closed circuit TV) cameras in the cyber cafés. While it is a challenge for law enforcement agencies to monitor every cyber café, it is here that cyber forensics based audits and evidence gathering can play a pivotal role in dissuading criminal use of the cyber cafés. Similarly, ISPs can use that technology to monitor the traffic data of the cyber cafés to a greater degree, and develop (real time) trends and patterns at the micro level. Cyber forensics can be applied to networks, and in case of any red flags or once the IP is tracked, it can help in imaging the hard disk and track the individuals responsible for the activity. The metadata of the files or any document can be analysed and matched with the log maintained by the cyber café. Some of these measures would require policy and legal changes to ensure compliance and prevent misuse.
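The last step the answer above describes, matching a file's metadata against the café's register, is a small correlation problem that is worth seeing in code. The following is an added example and not anything from the interview or from any agency: the register format, the terminal names, the ID-card numbers and the file timestamps are all constructed for illustration. It assumes the terminal has already been identified (for instance from the IP tracked back to the café) and that the file's modification time has been read off the imaged disk.

```python
"""Correlate a recovered file's timestamp with a cyber café's sign-in register.

Added example; the register format, terminal names and ID-card numbers below are
constructed for illustration and do not come from any real café or agency.
"""
from datetime import datetime, timedelta

# Constructed register, one line per event: <date> <time> <terminal> <LOGIN|LOGOUT> <id-card>
REGISTER = """\
2009-02-14 10:02:11 T03 LOGIN ID-4471
2009-02-14 10:05:40 T07 LOGIN ID-9020
2009-02-14 10:41:03 T03 LOGOUT ID-4471
2009-02-14 10:46:52 T03 LOGIN ID-1186
2009-02-14 11:30:00 T07 LOGOUT ID-9020
2009-02-14 11:33:19 T03 LOGOUT ID-1186
2009-02-14 11:40:27 T03 LOGIN ID-7355
"""
# The last LOGIN has no matching LOGOUT: that session was still open when the register was taken.


def parse_register(text: str):
    """Turn register lines into sessions (terminal, id_card, start, end); end is None
    while the session is still open. Returns (sessions, anomalies), where anomalies
    are lines the register itself cannot explain (a LOGOUT with no LOGIN, a LOGIN on
    a terminal that never logged out, a card mismatch)."""
    open_sessions = {}          # terminal -> (id_card, start)
    sessions, anomalies = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, terminal, action, card = line.split()   # constructed format
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        if action == "LOGIN":
            if terminal in open_sessions:
                # previous user never signed out: close that session here, but flag it
                prev_card, prev_start = open_sessions.pop(terminal)
                sessions.append((terminal, prev_card, prev_start, when))
                anomalies.append(f"{terminal}: {prev_card} never logged out before {card}")
            open_sessions[terminal] = (card, when)
        elif action == "LOGOUT":
            if terminal not in open_sessions:
                anomalies.append(f"{terminal}: LOGOUT for {card} without LOGIN")
                continue
            open_card, start = open_sessions.pop(terminal)
            if open_card != card:
                anomalies.append(f"{terminal}: LOGOUT card {card} != LOGIN card {open_card}")
            sessions.append((terminal, open_card, start, when))
        else:
            anomalies.append(f"unknown action: {line}")
    for terminal, (card, start) in open_sessions.items():
        sessions.append((terminal, card, start, None))
    return sessions, anomalies


def who_was_logged_in(sessions, terminal: str, when: datetime,
                      skew: timedelta = timedelta(minutes=2)) -> list:
    """ID cards whose session on `terminal` covers `when`. The window is widened by
    `skew` because the café PC clock and the register clock are rarely in step; that
    can make two back-to-back sessions both plausible, so a list is returned, not one card."""
    hits = []
    for term, card, start, end in sessions:
        if term != terminal:
            continue
        if start - skew <= when and (end is None or when <= end + skew):
            hits.append(card)
    return hits


def attribute_file(register_text: str, terminal: str, file_mtime: str, skew_minutes: int = 2) -> list:
    """file_mtime is the modification time read from the imaged disk, e.g. '2009-02-14 10:30:00'."""
    sessions, _ = parse_register(register_text)
    when = datetime.strptime(file_mtime, "%Y-%m-%d %H:%M:%S")
    return who_was_logged_in(sessions, terminal, when, timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    for terminal, mtime in (("T03", "2009-02-14 10:30:00"),
                            ("T03", "2009-02-14 10:44:00"),
                            ("T03", "2009-02-14 12:15:00")):
        print(terminal, mtime, "->", attribute_file(REGISTER, terminal, mtime))
```

The result is a lead, not proof: file timestamps are trivially forged, the register depends on the owner checking the ID card, and the clock skew window can produce two candidates (the third probe above returns nothing at a two-minute skew but two cards at five minutes). The anomalies list is what an auditor would look at first, since a register that cannot account for its own terminals will not hold up as evidence.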

i.t. What kind of technical infrastructure is required by central and state investigative and intelligence agencies to deal with such tech savvy assailants? And what is the cost implication?
AS Technologically, investigative agencies in India need to scale up in terms of acquiring more advanced equipment for digital investigations. Having said that, the biggest operational challenge here is not the procurement of equipment for cyber forensics but acquiring the requisite skill set to effectively use that equipment for investigations. This calls for a two-layered training approach for the investigative agencies. At the first layer, there is an immediate need to inculcate a systematic cyber crime investigations culture, placing impetus on awareness about the amended cyber laws, their implications on cyber investigations and evidence chain management, across the ranks of the agencies. At the second layer (which is more operational in nature), the investigating officers should be trained on effective evidence chain management in digital investigations and related best practices, including monitoring and intelligence creation. At this stage, the focus is more on the integration of technologies for pattern analysis and effective intelligence gathering.
Beyond this, there needs to be centralised monitoring stations and large scale data-mining capabilities to detect trends and patterns associated with suspicious activities and known threat sources. This requires massive infrastructure, as well as the partnership between government and corporate entities.

i.t. What kinds of opportunities are emerging for tech entrepreneurs as the world recognises the need to leverage cyber forensics technology?
AS The adoption of cyber forensics tools is increasing at a rapid pace driven by the criticality of our dependence on IT infrastructure, the Internet and the increasingly pervasive nature of cyber risks. Worldwide, the need for cyber forensics in companies is also being driven by government regulations targeted at corporate governance (such as the Sarbanes-Oxley Act) and extraordinary risk factors such as terrorism. An international study last year showed that by 2010, the world would face about a 40 per cent shortage in the availability of skilled cyber forensics professionals.
Additionally, the complexity of cyber risks itself is increasing at an exponential rate. This demands introduction and adoption of new technologies and the upgradation of existing technologies/capabilities for forensics. For an entrepreneur, this mismatch in demand and supply and the need for new technologies creates a range of business opportunities in the forensics domain. We are likely to see a number of start-ups emerge with R&D and high technology offerings in this space, in particular, relating to Internet-based cyber forensics. Training and the delivery of forensics services is also a high growth space, as there are just a few existing players.
