Investigation of Cyber Crimes 18 Aug 08
INVESTIGATION OF CYBER CRIMES
Vivek Dutt
Agenda
• Introduction to Information Technology
• Concept of Cybercrimes
• Some Terms frequently used in Cyber World
• Classification and Types of Cybercrimes
• Case Studies
• Investigation and difficulties faced
• Misuse of Mobile Phones – Investigation thereof
4/7/2019 2
INFORMATION TECHNOLOGY
• Fastest Growing Technology
Contd.
• More individuals are using the Internet for business transactions.
• The market is potentially great, with more than 200 million people estimated to be using the Internet worldwide.
• In terms of commercial usage, it has been estimated that global business-to-business on-line commerce could amount to US$350 billion.
• Surveys of Internet usage have shown that most transactions which take place on-line involve purchases such as books, CDs, wine, computers, and information technology products. The potential exists, however, for anything to be purchased electronically, and we have recently seen the establishment of a number of on-line auction houses which deal in much higher-value goods (e.g. eBay).
• Most business transactions take place by purchasers identifying the goods and services they require by browsing Internet sites.
“Cyber” and “Cyber Space”
What is Cyber Crime?
• Commission of an illegal act using a computer, its systems, or applications
• Unlawful acts wherein the computer is either a tool or a target or both
• Any intentional act associated in any way with computers where a victim suffered or could suffer a loss
Cyber Crime
• Crimes perpetrated in the computer environment
• Any illegal, unethical or unauthorized behaviour relating to the automatic processing and the transmission of data
• All phenomena in which electronic data processing is the means or object of an action where there are grounds for suspecting a criminal offence
Cyber Crime
Only about 10% of all cyber crimes committed are actually reported, and fewer than 2% result in a conviction.
Reasons:
– Many victims are not even aware that they have been attacked
– Businesses and financial institutions fear loss of confidence in their company
– The majority of cyber crime victims do not report cyber crimes against them, assuming that law enforcement agencies will provide little or no assistance
Classification of Cyber Crimes
Computer is TARGET OF CRIME
Computer is a TOOL OF CRIME
Computer is INCIDENTAL to commission of the crime.
Computer as Target
Hacking (trespass)
Cracking (burglary, defacement of websites)
Malicious programs (viruses, worms, Trojan horses, logic bombs)
DoS (Denial of Service) attacks
Spoofing
Intellectual property theft
Hardware theft
Cyber stalking
Computer as Tool
Extortion
Spoofing/Sniffing
Forgery
Pornography / paedophile offences
Steganography
Gambling
e-Commerce offences (cheating)
Computer is Incidental
Some Terms used in Cyber Crimes
• Hacking
• Virus
• Worms
• Trojan
• Logic Bomb
• Spoofing
• Steganography
• Packet Sniffing
• DoS Attack
Hacking
• Hacking
– Traditionally, hackers were computer enthusiasts with deep knowledge of computer hardware and software, and were respected for that knowledge
– Today, the word is mostly used for people who gain access to information that does not belong to them and can copy, alter or erase it
– Gaining, or attempting to gain, unauthorized access to a computer system is a crime; testing a system with its owner's written authorization is not
• White Hat and Black Hat Hackers
– White Hat Hackers: hack with the owner's authorization to test the security of systems and prevent real damage to data
– Black Hat Hackers: break into computers without authorization and damage or steal data
Virus
• A chunk of computer program code that makes copies of itself without any conscious human intervention. Some viruses do more than simply replicate themselves: they might display messages, install or delete other software or files, etc. ("Virus" is not an acronym; the expansion "Vital Information Resource Under Seize" sometimes quoted for it is a backronym.)
• A virus requires the presence of some other program (a host) to replicate itself. Typically viruses spread by attaching themselves to programs and run whenever the infected program is run.
How do Viruses spread?
• Via floppy disks/CDs, email attachments and material downloaded from the Web
• Usually hidden inside attachments emailed to computer users, with subject lines such as "I Love You" or "Anna Kournikova Naked" to tempt users into opening them. When the attachment is opened the virus is activated and the user's computer becomes infected.
• Often, viruses are programmed to spread themselves by emailing a copy of the attachment in which they are hidden to all the other email addresses in an infected computer's address book.
• Once a computer is infected, all friends and contacts are at risk as well, and the infected mail appears to come from someone the recipient knows.
How to avoid Viruses?
• Never open an attachment you were not expecting, even from a known sender: mass-mailing viruses send themselves from infected contacts' address books, so a familiar "From" address proves nothing. Attachments ending in .vbs (Visual Basic script), .exe (executable program files) or other executable extensions are a real danger.
• Install and update antivirus software. It keeps a database of "fingerprints" (a set of characteristic bytes from known viruses) on file, searches files and programs for those patterns and notifies you when a signature is detected.
• Use software that also looks for virus-like behaviour in programs, which allows it to detect completely new viruses that have no signature yet.
• Update the antivirus software regularly so that its database receives fingerprints for new viruses.
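As an added example (not from the original deck): a toy signature scanner in Python that does what the antivirus "fingerprint" database above does. The only real signature is the EICAR test string, which antivirus products detect by agreement as a harmless test; the second signature and the three in-memory files are constructed, and the file with one altered byte shows why an exact-byte fingerprint needs constant updates and why behaviour-based detection is also needed.

```python
"""Toy signature scanner for the 'fingerprint' database described above.
Added example, not part of the original deck. The EICAR string is a real,
harmless test signature; the second signature and all sample files are
constructed for this illustration."""
import hashlib

# Signature database: name -> characteristic byte sequence ("fingerprint").
SIGNATURES = {
    "EICAR-Test-File": (
        b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    ),
    "Hypothetical.Mailer.A": b"MZ\x90\x00MAILME\x00",  # constructed, not a real family
}


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256, the other kind of fingerprint an AV database keeps."""
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict) -> dict:
    """Scan a mapping of filename -> content; report detections per file."""
    return {name: scan_bytes(content) for name, content in files.items()}


# Constructed sample set: a clean text file, an 'executable' carrying the
# EICAR string, and a variant of the mailer with one byte changed.
SAMPLE_FILES = {
    "readme.txt": b"Quarterly report attached. Regards.",
    "game.exe": b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["EICAR-Test-File"],
    "invoice.vbs": b"MZ\x90\x00MAILME\x01" + b"junk",  # \x00 -> \x01 defeats the pattern
}

if __name__ == "__main__":
    for fname, hits in scan_files(SAMPLE_FILES).items():
        digest = file_hash(SAMPLE_FILES[fname])[:16]
        print(f"{fname:12} {hits or 'clean'}  sha256={digest}...")
```

The altered `invoice.vbs` is missed because the scan is an exact byte match; a real product would need an updated fingerprint or a behavioural rule (mass-mailing, writing to other executables) to catch the variant. Antivirus products recognise the EICAR string only when it sits at the start of a small file, so writing these samples to disk will at most trigger a harmless test detection.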
Worm
• A worm is malicious code that does not infect other programs. It makes copies of itself and infects additional computers (typically by making use of network connections) but does not attach itself to additional programs; however, a worm might alter, install or destroy files and programs.
Worms
• Difference between a Worm and a Virus?
– A virus needs a host program and usually a user action (opening the attachment, running the program) to spread; a worm is a stand-alone program that spreads by itself across the network, typically by exploiting a vulnerability or weak credentials on the next machine.
Trojan Horse
• A program that appears useful or harmless (a game, a utility) but carries hidden functionality designed to surreptitiously access or damage information on the computer without the user's knowledge. Unlike a virus or worm it does not replicate itself; it relies on the user to install and run it.
Trojan Horse – Contd.
• Trojan horses can do anything that the user executing the program has the privileges to do. This includes
– Deleting files that the user can delete
– Transmitting to the intruder any files that the user can read
– Changing any files the user can modify
– Installing other programs with the privileges of the user, such as programs that provide unauthorized network access
– Installing viruses
– Installing other Trojan horses
• Because the damage is bounded by the victim's privileges, running day-to-day work as an unprivileged user rather than as administrator/root limits what a Trojan can do.
Trojan Horse – Contd
• Users are tricked into installing Trojan horses, for example by an email with an attachment claiming to be a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker.
• Other forms of "social engineering" can be used to trick users into installing or running Trojan horses. For example, an intruder might telephone a system administrator and pose as a legitimate user of the system who needs assistance of some kind. The system administrator might then be tricked into running a program of the intruder's design.
How to avoid Trojan Horses?
Logic Bomb
Spoofing
Steganography
Packet Sniffing
DoS Attack
Some Myths & facts
• Computer related crimes are highly technical and require technical manpower for investigation.
– Not so: 10-20% technical, 80-90% conventional.
– The majority of offences are old offences with a new M.O.
PROFILE OF A CYBER CRIMINAL
• Usually male
• Aged between 14 and 30 years
• Well educated
• High IQ
• Middle class
• Socially introvert
• No personal interaction
Types of Financial Cyber Crimes
• Data manipulation/theft
• Financial theft and misuse
– Online bank break-ins
– Stolen credit card information misuse
• Forgery/counterfeiting
– Attempts to forge banknotes and stamp papers with the use of a computer, scanner and printer, whose output quality reaches a very high level nowadays.
Types of Financial Cyber Crimes Contd
• Frauds
– Job frauds
– Auction frauds
– Nigerian letter frauds
– Online gambling
– Online pornography
SOME CASE STUDIES
JOB FRAUD …. Misuse of E-mail
• In 2001, ads appeared in leading newspapers for employment in the German multinational DIS AG Vermittlung.
• One Md. Firoz posed as the company's representative in India.
• Some applicants received intimation of short-listing and were asked to meet the representative at the German Embassy.
• They were asked to pay Rs. 40,000/- for visa and insurance, to be deposited in the account of Mohd Firoz in ICICI Bank.
• Several applicants deposited money with the bank.
• Complaints were made to the CBI; 10-15 persons had deposited money.
• The address given to the bank was fake. The telephone number in the bank records led to an address in Hari Nagar Ashram, Delhi.
• Premises raided. Md. Firoz not present. Identified to be a native of Asansol. Apprehended in Asansol.
• Case charge-sheeted. Pending trial.
Auction Fraud Cases….
• Indiatimes.com auction site.
• One person posted details of mobile phones for auction.
• Many participated and won auctions.
• The money was to be paid into a bank account with ICICI. After payment none got the deliveries.
• Complaints made to India Times … no remedy.
• Reported to CBI. The account was traced to Madurai.
• Accused, a III year engineering student from Madurai, arrested.
• Son of a contractor, living in a posh area of Madurai.
• Motive: lust for extra pocket money.
• 3 charge-sheets filed. Pending trial.
Auction Frauds contd.
• www.Baazee.com: 10 Sony Ericsson P900 mobile phones were put up for auction by one seller.
• Market price Rs. 40,000/-; offering price Rs. 15,000/-. The seller posed as a Sony Ericsson importer.
• Many users placed bids. The seller supplied his bank a/c to bidders and asked them to deposit money in his account.
• Bidders deposited money; the mobiles were never delivered.
• Accused was traced and arrested.
• Final year MBBS student at Bangalore, a Malaysian citizen from an affluent family.
• Could not pass his exams, so the family cut his pocket expenses.
• As an alternative source of income, indulged in cheating people.
• Later on sold laptops the same way through "www.sulekha.com".
• Charge-sheeted. Pending trial.
Nigerian Letter Fraud
• One of the most prevalent frauds in the world.
Credit Card Information Sale: Chat Room Misuse
Credit Card Cloning – How it is done
(Slide embeds a card-skimming video; not reproduced here.)
Spoofing / Phishing – CITI Bank Website
Spoofing / Phishing
• The fact
– The link is fake: the text shown to the user looks like the bank's address, but the actual destination is different.
– It often comes with an extension or encoded junk after the familiar name, e.g.
• www.citibank.com/5%ac8%/login.asp
– The link actually takes the person to a mirror (copy) of the real site.
– The information punched in there never goes to the bank but to another computer, where it gets stored.
– It can then be used by the attacker for operating the victim's accounts.
– Check: read the real destination in the browser's status bar or address bar and look at which host name the link actually points to, not at the text of the link. Anything before an "@" in the address is a user name, not the site.
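The checks described above, as an added Python example that is not part of the original deck: it resolves the host a browser would really connect to and compares it with the brand domain the link pretends to belong to. The phishing host `login-secure.example` and the address 203.0.113.7 are constructed (reserved documentation names and ranges); the first sample reuses the obfuscated path shown on the slide.

```python
"""Link checks that expose the kind of fake bank link described above.
Added example, not from the original deck. The phishing host
'login-secure.example' and the IP 203.0.113.7 are constructed
(RFC 2606 / RFC 5737 documentation names and ranges)."""
from urllib.parse import urlsplit

BRAND_DOMAIN = "citibank.com"   # the domain the link claims to belong to


def real_host(url: str) -> str:
    """Host a browser would actually connect to for this URL.

    urlsplit() strips any 'user:pass@' prefix from the authority, which is
    how a link such as http://www.citibank.com@attacker/ is unmasked: the
    part before '@' is a username, not a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True only if host is domain itself or a proper subdomain of it.
    'citibank.com.evil.example' fails this; 'online.citibank.com' passes."""
    return host == domain or host.endswith("." + domain)


def classify(link_text: str, href: str) -> str:
    """Compare what the user sees (link_text) with where it goes (href)."""
    shown = real_host(link_text)
    actual = real_host(href)
    if not is_under(actual, BRAND_DOMAIN):
        return f"MISMATCH: displays {shown or link_text}, goes to {actual}"
    return f"ok: {actual}"


# Constructed samples: (text shown in the e-mail, actual href).
SAMPLES = [
    ("www.citibank.com/login.asp", "https://www.citibank.com/login.asp"),
    ("www.citibank.com/5%ac8%/login.asp",
     "http://www.citibank.com@login-secure.example/5%ac8%/login.asp"),
    ("www.citibank.com", "http://www.citibank.com.login-secure.example/"),
    ("www.citibank.com", "http://203.0.113.7/citi/login.asp"),
]


def audit(samples=SAMPLES) -> list:
    """Classify every (text, href) pair; returns one verdict string per pair."""
    return [classify(text, href) for text, href in samples]


if __name__ == "__main__":
    for verdict in audit():
        print(verdict)
```

The three tricks covered are the ones an investigator meets most often: a user-info prefix that looks like the bank's name, a look-alike subdomain on an attacker's domain, and a bare IP address. A real mail filter would also resolve the registrable domain with a public-suffix list rather than a fixed brand string.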
Online Pornography
• With increasingly easy access to the Internet, one of the most flourishing online trades is pornographic sites.
Data Manipulation
• Supplementary Duty Drawback case
• Customs Department – IGI Airport
High End Counterfeiting of Software
Microsoft
Rozgar.com Case
Investigation of Cyber Crime Case
• Unlike conventional investigation, because
– The incident takes place in the virtual world
– Borderless/transnational
– Issues of jurisdiction
– Lightning speed
– Appreciation of evidence/volatile data (logs, memory and session data are lost if not preserved immediately)
– Lack of trained investigators
– Lack of a strict legal regime
– Accused feels he is anonymous and safe
– Enormous volumes of data to be forensically analysed
– Issue of connecting the accused with the machine/computer
– Lack of enthusiasm in reporting cyber crime
– No clearly laid down rules for the cyber world
Essential Requirements for Investigation
• Immediate reporting of breaches
• Adequate tools
• Trained investigators
• Computer literate witnesses
• Assistance of forensic experts
• Immediate investigation
How to catch the culprits?
Tracks..
Tracking through IP Address
Internet – IP Address
Header Details - Investigation
• WHOIS lookup on the originating IP address taken from the e-mail's Received: headers. Each relay adds its own Received: line at the top, so the lowest one is the hop nearest the sender; only the lines added by servers you control are guaranteed genuine, anything below them can be forged by the sender.
• www.dnsstuff.com
• www.drwhois.com
• www.completewhois.com
• www.samspade.com
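How the Received: chain is read before the WHOIS lookup, as an added Python example that is not part of the original deck. The message is constructed: the hostnames use the reserved `.example` domain, the IP addresses come from the RFC 5737 documentation ranges, and the sender details echo the job-fraud case only for flavour. It returns both the IP in the oldest hop and the last IP that the victim's own mail servers can vouch for.

```python
"""Walks the Received: headers of an e-mail to find the IP address that a
WHOIS lookup should start from. Added example, not from the original deck.
The message below is constructed: hostnames use the reserved .example TLD
and the IP addresses come from the RFC 5737 documentation ranges."""
import re
from email import message_from_string
from typing import Optional

RAW_MESSAGE = """\
Received: from mx2.victimbank.example (mx2.victimbank.example [198.51.100.5])
\tby mail.victimbank.example with ESMTP id k7A3; Mon, 18 Aug 2008 10:15:02 +0530
Received: from webmail.freemail.example ([203.0.113.20])
\tby mx2.victimbank.example with ESMTP; Mon, 18 Aug 2008 10:14:58 +0530
Received: from [192.0.2.77] (helo=dsl-pool-77.isp.example)
\tby webmail.freemail.example with HTTP; Mon, 18 Aug 2008 10:14:30 +0530
From: "DIS AG Recruitment" <hr@freemail.example>
To: applicant@victimbank.example
Subject: Shortlisted - visa fee payable
Message-ID: <20080818041430.1234@freemail.example>

Please deposit the fee as discussed.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")


def received_chain(raw: str) -> list:
    """Parse every Received: header and return the hops oldest-first.

    Each relay prepends its own Received: line, so the top header is the
    newest hop and the bottom one is the hop nearest the sender."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        sender = m.group(1) if m else ""
        ips = IP_RE.findall(sender)
        hops.append({"from": sender, "by": m.group(2) if m else "",
                     "ip": ips[0] if ips else None, "raw": text})
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """IP recorded in the oldest hop: the usual starting point for WHOIS."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def trusted_origin(raw: str, own_hosts: set) -> Optional[str]:
    """Oldest hop written by a server you control.

    A sender can forge any Received: line below the first one added by your
    own mail servers, so the IP in that hop is the last value you can vouch
    for; anything older must be confirmed with the intermediate provider."""
    for hop in received_chain(raw):
        if hop["by"] in own_hosts:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE)):
        print(f"hop {i}: {hop['ip']} -> {hop['by']}")
    print("oldest hop IP :", originating_ip(RAW_MESSAGE))
    own = {"mail.victimbank.example", "mx2.victimbank.example"}
    print("vouched-for IP:", trusted_origin(RAW_MESSAGE, own))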
Header Details - Investigation
• Immediately direct the hosting company to preserve the data/log records
• The web hosting company can provide the following information:
– IP address assigned to the hosted site
– Website name
– Dates associated with the service
– Customer name, address, telephone number, email address and credit card number
– IP address used to register the site
– User name assigned to the customer
– FTP access logs for the site
Contd.
• The customer's name, address, telephone number and credit card number can easily be falsified.
• However, the key information from a web host is the registration IP address, the email address and the FTP access logs: each login to upload the site leaves a timestamped client IP that can be correlated with the registration IP and with ISP subscriber records.
• FTP:
– File Transfer Protocol, for exchanging files over the Internet. FTP plays the same role for files that HTTP plays for transferring web pages from a server to a user's browser and SMTP plays for transferring electronic mail across the Internet. FTP runs over TCP/IP.
• FTP is most commonly used to download a file from a server or to upload a file to a server (e.g. uploading a web page file to a server).
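Correlating the FTP access logs with the registration IP, as an added Python example that is not part of the original deck. The log lines follow the xferlog format written by wu-ftpd and ProFTPD; the lines themselves, the site name and the registration IP are constructed, using RFC 5737 documentation addresses.

```python
"""Reads an FTP transfer log (xferlog format, as written by wu-ftpd and
ProFTPD) and correlates the uploading client IPs with the IP the host
recorded when the site was registered. Added example, not from the
original deck. The log lines and the registration IP are constructed,
using RFC 5737 documentation addresses."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed xferlog excerpt for a hosted site 'site1'. Field order:
# timestamp(5 words) xfer-secs client-ip bytes path type flag direction
# access-mode user service auth-method auth-user status
XFERLOG = """\
Mon Aug 18 09:12:44 2008 1 203.0.113.9 4821 /var/www/html/login.asp b _ i r site1 ftp 0 * c
Mon Aug 18 09:13:01 2008 1 203.0.113.9 1172 /var/www/html/logo.gif b _ i r site1 ftp 0 * c
Tue Aug 19 22:40:10 2008 2 198.51.100.23 4902 /var/www/html/login.asp b _ i r site1 ftp 0 * c
Tue Aug 19 22:41:55 2008 1 198.51.100.23 4902 /var/www/html/login.asp b _ o r site1 ftp 0 * c
Wed Aug 20 07:05:19 2008 1 192.0.2.44 4902 /var/www/html/login.asp b _ o r site1 ftp 0 * i
"""

REGISTRATION_IP = "203.0.113.9"   # IP the host logged at sign-up (constructed)


def parse_xferlog(text: str) -> list:
    """One dict per transfer; direction 'i' = upload to server, 'o' = download."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue                      # blank or truncated line
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        records.append({"time": when, "ip": f[6], "size": int(f[7]),
                        "path": f[8], "direction": f[11], "user": f[13],
                        "complete": f[17] == "c"})
    return records


def uploads(records: list) -> list:
    """Completed uploads only: these are the events that put content on the site."""
    return [r for r in records if r["direction"] == "i" and r["complete"]]


def uploader_ips(records: list) -> Counter:
    """How many completed uploads each client IP performed."""
    return Counter(r["ip"] for r in uploads(records))


def correlate(records: list, registration_ip: str) -> dict:
    """Link upload activity to the registration IP and list the other IPs
    that must still be resolved to a subscriber through their ISP."""
    by_ip = defaultdict(list)
    for r in uploads(records):
        by_ip[r["ip"]].append((r["time"].isoformat(sep=" "), r["path"]))
    return {
        "registration_ip_uploaded": registration_ip in by_ip,
        "uploads_by_ip": dict(by_ip),
        "other_upload_ips": sorted(ip for ip in by_ip if ip != registration_ip),
    }


if __name__ == "__main__":
    recs = parse_xferlog(XFERLOG)
    print(uploader_ips(recs))
    print(correlate(recs, REGISTRATION_IP))
```

Only completed uploads are counted, since a download or an aborted transfer does not show who placed the content on the site. Every IP in `other_upload_ips` still needs a preservation request and a subscriber lookup at the ISP that owns it, with the timestamps converted to that ISP's time zone before asking.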
Misuse of Mobile Phones
Contd.
• GSM: Global System for Mobile Communications
• GSM operates in the 900-MHz and 1800-MHz bands in Europe and Asia and in the 850-MHz and 1900-MHz (1.9-GHz) bands in the United States.
• A TDMA-based system
– Encryption of the radio link between handset and base station: security
– Great interoperability by use of the SIM (Subscriber Identity Module) card
Contd.
• Code Division Multiple Access (CDMA)
• Assigns a unique code to each call and spreads it over the available frequencies.
• After digitizing the data, CDMA technology spreads it out over the entire available bandwidth.
• Multiple calls are overlaid on each other on the channel, with each assigned a unique sequence code.
• Because CDMA systems need to put an accurate time-stamp on each piece of a signal, they reference the GPS system for this information.
• More spectrally efficient than TDMA
Cellular Terminology
• IMSI – International Mobile Subscriber Identity
– Subscribers to GSM networks are identified by a unique IMSI (International Mobile Subscriber Identity). This number is sent to the network when the phone registers, and it is used to contact the user's home carrier and establish the bona fides of his/her account. After that the network normally addresses the phone by a temporary identity (TMSI), so the IMSI itself is sent over the air as rarely as possible.
– The IMSI is stored in the SIM.
– Note that although the IMSI determines a subscriber's telephone number by associating the user with a specific cellular account, the actual digits of the IMSI have no relationship to the telephone number. For example, if you lose your SIM card and ask your carrier for another, your new SIM will have a new IMSI and the old IMSI will be invalidated, but your telephone number will remain unchanged.
Cellular Terminology…cont’d
• SIM - Subscriber Identity Module
– This is a PIN-protected smartcard which stores (among other things)
• the subscriber's IMSI (it can possibly store more than one if the subscriber has multiple lines on the one SIM),
• received SMS (pager) messages,
• user phonebook entries,
• lists of preferred carriers for roaming purposes,
• service centre numbers for voicemail and SMS, and carrier-specific security information (including the secret authentication key, which never leaves the card)
Terminology cont’d
• PIN / PIN2 and PUK / PUK2
– The PIN (Personal Identification Number) of a SIM card
– It is a safety mechanism
– The PIN is stored on the SIM in execute-only memory: it cannot be read out by external hardware. When you type in your PIN, the phone sends it to the SIM and it is the SIM which validates it. If you get the PIN wrong three times in a row, the card will be blocked and will ask for a PUK code (Personal Unblocking Key or Provider Unblocking Key, depending on who you ask). If you enter this code incorrectly ten times in a row, the card will be permanently blocked and will need replacement. The PUK is usually NOT divulged to you when you get the SIM; you need to call the carrier for it.
– Certain features on new SIMs are protected by a second PIN, referred to as PIN2. PIN2 is "backed up" by a second PUK code, PUK2.
IMEI Number
IMEI Number – What does it tell us ?
Analysis of Cellphone Call details
Sample Cellphone CDR – Reliance Infocomm
Sample Cellphone CDR – Airtel Delhi
How subscribers are identified ?
Let us examine any mobile number:
+91 98 100 50923
Now what does this number reveal?
• '+' is the prefix before the country code
• '91' is the country code for India
• '98' is the National Destination Code
• '100' is the Cellular Service Provider Code
• '50923' is the subscriber number
How mobile networks are identified ?
404-10-0029-2
• 404 is the Mobile Country Code, MCC (India is 404)
• 10 is the Mobile Network Code, MNC, of the carrier (e.g. Airtel in India is assigned 10)
• 0029 is the number assigned by the mobile company to the cell tower (site)
Some GSM Carrier Codes in India
• 404-07 - INA-TATA
• 404-10 - AIRTEL
• 404-11 - ESSAR
• 404-12 - INA-ESCOTEL
• 404-14 - MODICOM INA
• 404-19 - INA-ESCOTEL
• 404-20 - MAXTOUCH
• 404-21 - BPL MOBILE
• 404-27 - BPL MOBILE
• 404-30 - COMMAND
• 404-31 - MOBILENET
• 404-40 - SKYCELL
• 404-41 - RPG MAA
• 404-43 - BPL MOBILE
• 404-46 - BPL MOBILE
• 404-56 - INA-ESCOTEL
• 404-78 - RPG MP
How a Mobile User’s location is identified ?
• In the previous slide we saw the number 404-10-0029-2
• In the call details printout this number will be written in a column "Cell ID"
• The last digit, 2, specifies the sector (antenna face) of the tower that served the call, and hence the rough direction of the user relative to the cellular tower. A site typically has three sectors, so the digit narrows the user down to roughly one third of the tower's coverage area, not to a point.
Analysis of the Call details
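The analysis the slides above describe, as an added Python example that is not part of the original deck: it decodes the Cell ID notation (MCC-MNC-site-sector) and walks a small set of call detail records to reconstruct a subscriber's movements and to find when two subscribers were served by the same tower. The CDR rows, telephone numbers and site numbers are constructed; the reading of the last Cell ID digit as the tower sector follows the slides.

```python
"""Decodes the Cell ID notation used in the slides and reconstructs, from
call detail records, where a subscriber was over time and when two
subscribers were served by the same tower. Added example, not from the
original deck. The CDR rows, numbers and site numbers are constructed;
the reading of the last Cell ID digit as the tower sector follows the
slides."""
from datetime import datetime, timedelta


def parse_cell_id(cell: str) -> dict:
    """'404-10-0029-2' -> MCC 404 (India), MNC 10, site 0029, sector 2."""
    parts = cell.split("-")
    if len(parts) != 4 or len(parts[0]) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed cell id: {cell!r}")
    mcc, mnc, site, sector = parts
    return {"mcc": int(mcc), "mnc": int(mnc), "site": site, "sector": int(sector)}


# Constructed CDR excerpt, one row per record generated for a subscriber:
# subscriber, other party, MO (outgoing) / MT (incoming), start, seconds, cell id
CDR = """\
919810050923,919845011223,MO,2008-08-18 09:02:11,65,404-10-0029-2
919845011223,919810050923,MT,2008-08-18 09:02:11,65,404-10-0029-3
919810050923,919811000777,MO,2008-08-18 12:15:09,30,404-10-0117-1
919810050923,919845011223,MO,2008-08-18 18:30:00,200,404-10-0029-2
919845011223,919811000777,MO,2008-08-18 18:31:44,15,404-10-0029-2
"""


def parse_cdr(text: str) -> list:
    """One dict per CDR row; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sub, other, direction, start, secs, cell = line.split(",")
        rows.append({"sub": sub, "other": other, "dir": direction,
                     "start": datetime.fromisoformat(start),
                     "secs": int(secs), "cell": cell})
    return rows


def movement(rows: list, subscriber: str) -> list:
    """Time-ordered (time, site, sector) for every call the subscriber made or took."""
    out = []
    for r in rows:
        if r["sub"] == subscriber:
            c = parse_cell_id(r["cell"])
            out.append((r["start"].isoformat(sep=" "), c["site"], c["sector"]))
    return sorted(out)


def co_located(rows: list, n1: str, n2: str, window_minutes: int = 30) -> list:
    """Occasions when n1 and n2 were served by the same site within the window.
    Same site is the strongest claim a CDR supports; a sector only narrows it."""
    def site_times(number):
        return [(r["start"], parse_cell_id(r["cell"])["site"])
                for r in rows if r["sub"] == number]
    window = timedelta(minutes=window_minutes)
    hits = []
    for t1, s1 in site_times(n1):
        for t2, s2 in site_times(n2):
            if s1 == s2 and abs(t1 - t2) <= window:
                hits.append((s1, t1.isoformat(sep=" "), t2.isoformat(sep=" ")))
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_cdr(CDR)
    print(movement(rows, "919810050923"))
    print(co_located(rows, "919810050923", "919845011223"))
```

The first two rows are the two halves of one call seen from each subscriber's record, served by different sectors of the same site, which is why `co_located` compares sites rather than full Cell IDs. A CDR places the handset, not the person; linking the handset to the accused still needs the IMEI, the SIM purchase record or a witness.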
Information Technology Act 2000
• Tampering with computer source documents: imprisonment up to 3 years and/or fine up to Rs. 2 lakh (Sec 65)
Thank You