Maharashtra Police Cyber Unit (Credit: Maharashtra’s Cyber Unit)

In India, the Maharashtra Police are responsible for policing some 1000 km, making it one of the largest police forces in the world. Beyond its vastness, Maharashtra is a patchwork quilt of cities, towns, and people. Many people live close to key cities like Mumbai, but there is also a sizable population that lives in more remote areas. Not surprisingly, crime types vary widely here, from Internet-related crimes (fraud, financial crimes, child exploitation) to homicides and robberies.

Superintendent of Police, Maharashtra Cyber Unit, Dr. Balsing Rajput, oversees the labs in the 43 Cyber Police stations that support Maharashtra’s 35 police districts. (Credit: Maharashtra’s Cyber Unit)

Maharashtra’s Cyber Unit provides support to criminal investigations that involve anything relating to Digital Intelligence (DI): the data that is accessed and collected from digital sources and data types—smartphones, computers, and the Cloud—and the process by which agencies access, manage, and leverage data to more efficiently run their operations. Management of this unit is the responsibility of Dr. Balsing Rajput – Superintendent of Police, Maharashtra Cyber Unit.  

Superintendent Rajput, who joined the unit in 2016, has a PhD from the Tata Institute of Social Sciences where he studied cyber economic crimes. He oversees the labs in the 43 Cyber Police stations that support Maharashtra’s 35 police districts (more than 200,000 officers) and 10 police Commissionerates (in India a city of more than 5 million is designated as a “Commissionerate”).

Advancing A Broad Mission

In a recent interview, Superintendent Rajput explained that the Maharashtra Cyber Unit is unique in its mission.

This unit is mandated to:

  • Investigate and detect fraud cases in the virtual world.

  • Handle projects for the government of Maharashtra that include the implementation of cyber-lab projects, cyber police station projects, and cybersecurity projects including automatic multimodal biometric identification systems (AMBIS), anti-piracy, and anti-phishing initiatives.

  • Provide knowledge and support for the cybersecurity of important government installations.

  • Boost community awareness about cybercrimes and how to prevent them. This includes oversight of a huge social media presence that the Maharashtra Cyber Unit has built over multiple channels.

  • Train police officers in labs all over Maharashtra to improve their digital investigation and detection skills.

Superintendent Rajput has met this broad mandate with a number of important innovations, including the complete overhaul and update of existing labs and the launch of a state-of-the-art lab dedicated solely to crimes against women and children.

“The ultimate vision is to have a cyber-safe, cybercrime-free Maharashtra and ultimately, India. That is our vision….That is our mission.”

It’s a monumental task, made even more difficult by a number of hurdles.

Taking On The Challenges

Like agencies the world over, Maharashtra’s Cyber Unit faces a growing number of problems, which Superintendent Rajput divides into three parts.

Human Resources: By far Superintendent Rajput’s biggest challenge is a people problem. He simply does not have enough trained professionals with the right technical skills to stay ahead of the deluge of incoming devices (and data) that are swamping his labs. Even when people are trained up, transfers to other departments or skilled examiners leaving the police force for the private sector (where pay and benefits are very alluring) make keeping a skilled workforce in place problematic. When they run into problems that require senior, highly skilled professionals, devices need to be farmed out to them, which slows down the investigative process. And while he needs trained cybercrime professionals in more remote locations, skilled personnel are not willing to go there.

According to Superintendent Rajput, Maharashtra’s Cyber Unit faces a growing number of problems including the need to obtain updated technology and ensure that staff is adequately trained. (Credit: Maharashtra’s Cyber Unit)

Technical Pain Points: Advances in operating systems, devices, and applications make everyday extraction exercises difficult. And the growth in encrypted devices is compounding the problem. “There are more than 5,000 different models of mobile phones,” Superintendent Rajput said. “And not every criminal uses an iPhone or a branded phone.” Chinese-manufactured phones are becoming a major challenge because they don’t bear an IMEI number and they don’t use standard software or filing systems.

Gathering or imaging the data, and analyzing that data, is also a challenge, particularly with CCTV footage. Here again, CCTV footage generated by Chinese cameras is difficult to capture and analyze.

This is where vendor support from Cellebrite has been critical in helping to solve some of these problems.


Tooling Up To Stay Ahead

Due to the vast distances that separate the districts (Gadchiroli district is more than 900 kilometers from the Mumbai district), establishing a centralized network was not practical – there are a few network providers, and the service in many rural areas is not strong. Superintendent Rajput remedied this problem by establishing separate labs for each district.

Each lab is divided into subsets—social media analysis, mobile forensics, disk forensics, audio/video forensics, and serial IP data analysis and decryption. Each subdivision is supported by a “toolbox” of DI solutions to help them perform various tasks. Selecting the right tools for each group was studied carefully to decide which solutions were the best fit for the needs of the different groups.


“We purchased a Cellebrite UFED 4PC along with Cellebrite UFED Cloud, which is a combined solution [Cellebrite] provided for us…These tools, particularly, Cellebrite UFED, are used whenever we have any kind of mobile device that is seized, or maybe we need to extract the cloud data or any other app data from the mobile device, or whatever the mobile device memory has that we need to analyze. Each district unit has these software tools, and they use them independently.”

Cellebrite UFED Cloud is used to extract cloud data or any other app data from mobile devices that needs to be analyzed. (Credit: Cellebrite)

Managing The Workflow

Dividing his lab teams into subsets allows Superintendent Rajput to look at each crime on a case-by-case basis. Incoming devices are downloaded following strict protocols with several copies of data made to provide back-ups. One set of data goes to his internal cyber-lab for analysis while the original device is sent to the Forensic Laboratory—a separate government entity that conducts its own independent analysis, which is mandated by law. This is the institution that provides the certificate of evidence to the prosecution or judiciary.

The Forensic Lab, however, takes input from Superintendent Rajput’s internal cyber-lab team, which analyzes the data and sends leads to the Forensic Lab to help steer the investigation and ensure no evidence is overlooked.

“Our lab does all kinds of permutations/combinations to find a lead, to identify what the evidence could be, what the lead could be, and where we should concentrate within that entire stack of pieces of evidence. Our analysis and its findings are internal. [We] only provide a direction (a lead), to the investigation. But the conclusions or the report of the Forensic Laboratory is [what is] directly shared with the judiciary.”

Information sharing between Superintendent Rajput’s team and crime investigators is done one-on-one. “Most of the time, our analysts and the investigating officer sit together to find out what pieces or what analyses are really important to lead the case. And that part we share.”


Superintendent Rajput pointed to a recent murder case to illustrate how his cyber-lab team is helping to crack the toughest cases.

How DI Solved A Mystery Murder

The case revolved around the murder of a woman who, evidence later revealed, was involved in an affair with a married man. The victim and the accused knew each other, but the police did not know initially who committed the murder because apart from recovering the victim’s mobile phone, there was nothing else to go on.

Over the course of the investigation, the real story began to unfold.


As it was later discovered, the male suspect initially had promised to marry the woman. He led her on, but then denied he was in love with her. The incensed woman then began pressing him, demanding an explanation for why he led her on.

Fearing he would be found out, the suspect then plotted to take her to a remote location, kill the woman, then vanish. But the victim’s family and the police were clueless as to why the murder occurred and who committed the crime. The victim’s mobile device provided the key evidence that led to the suspect.

“Once we brought him and corroborated the evidence on his mobile and her mobile—the log files, the GPS, all of this data—then we were able to zero in on a particular suspect,” Superintendent Rajput said.

“After analysis of his call records, images [on the phone], and the log data, the accused was prosecuted and convicted to more than seven years of jail time…And that evidence was extracted from the mobile devices using Cellebrite [Solutions].”

Data obtained from mobile devices including GPS locations, call records, and images is providing critical evidence in many cases. (Credit: Cellebrite)

“Had it not been for such a software tool, we could not have analyzed all that data on the mobile phone of the victim. We could have only presented that mobile phone to the court, but the court could not have actually found and connected the dots between [the] logs, image files, the serial IP data, [and] actual GPS location [data]. All of these things could not be corroborated.”

Reaching The Community Through Social Media

One of the most unique things that Superintendent Rajput and his team have built is an amazing online presence. When asked if part of the popularity of the Maharashtra Cyber Unit’s social presence is because of their ability to solve more cases quickly using DI, Superintendent Rajput replied, “Yes, surely, because people get confidence in the police. If the police are able to solve the cases, they reach out to the police, and it provides them [with] a confidence that says, ‘Yes! The police can do it.’ And it’s a reflection of police work that we are getting through their following or support of our hashtag.

“Each [Maharashtra Police] unit has a different Twitter handle, Facebook handle, and LinkedIn handle. Maharashtra Cyber has a different handle, and that’s also popular [with] more than 70,000 to 80,000 followers. The Mumbai Police have 5 to 6 million followers.

“The Mumbai Police are one of the best at managing their Twitter handle…If a citizen files a query, a citizen asks for help, they have a response time of less than five minutes. So, the moment you raise a query, in less than five minutes, you receive a response. Not only a virtual response, but within five minutes, if you are in the jurisdiction of the Mumbai Police, a beat marshal, a physical policeman, comes and visits you.”

Superintendent Rajput explained that social media isn’t used to report crimes; that’s still done at the actual police station or via 911-type phone services. But using social media this way is providing an amazing connection with citizens—a connection that clearly is being embraced by the community with hashtags like #JobWellDone, #MumbaiFirst, #2020Vision.

These connections are making a huge difference in the way that communities view the Mumbai Police, and their Twitter feed is full of comments by citizens talking about actual cases where the police were right there to help them.

Looking Ahead

As he looks to the future, Superintendent Rajput sees a pathway to a more widely integrated program. “In the second phase, we are going to integrate all these labs together, and we’ll be having a kind of central analysis system or enterprise system,” he said. “And that will be providing remote help also, through maybe forensics or tele-forensics. So this is a good model.”

Training, of course, is critical and Superintendent Rajput is addressing that head-on. New officers are trained internally by more senior technicians. Two individuals are then chosen from each group every six months to receive additional outside training from Cellebrite, which they can then bring back to share with the team.


Long-term training is done in three stages. New recruits get basic training. After a month they are provided with intermediate training, which provides them with more hands-on details. Advanced training focuses less on theory and more on actual case studies and analysis.

“We have trained more than 650 people in the lab in the last year,” Superintendent Rajput said proudly, which is why his teams are able to move fast and efficiently.

When asked what his vision ultimately looks like, Superintendent Rajput described it this way: “The ultimate vision is to have a cyber-safe, cybercrime-free Maharashtra and ultimately, India.” To fulfill that vision, Superintendent Rajput explained that he is working on four fronts.

“We should be a frontrunner in the prevention of cybercrimes,” he began. “We should also be at the forefront in securing our digital assets in India (and particularly in Maharashtra). We should be the advance force to fight the cyberwar in whatever way it comes. And we should be the top-notch [agency] in cyber intelligence, [and] counterintelligence in the cyber field. That is our mission.”