INTRODUCTION

In the strictest legal parlance, cyber forensics can be defined as the use of apt forensic tools
and technical knowledge to recover electronic evidence within the contours of the rules of
evidence, so that it is admissible before a court of law. The electronic evidence so obtained has
to satisfy the criteria for attributing the crime to the perpetrator by tracing their digital
footprints through the preservation, extraction, interpretation, and documentation of digital
evidence. It encompasses a gamut of overlapping areas, e.g. database forensics, wireless
forensics, network forensics, disk forensics, mobile forensics, media forensics, IP address
tracking, cloud computing, e-mail tracking etc. It seeks to protect the subject computer system,
discover all the files on the system, recover deleted files, reveal the contents of hidden and
temporary files, access the contents of protected or encrypted files, analyse the relevant data
and provide testimony on the basis of the analysis of the above evidence.

WHAT IS DIGITAL EVIDENCE?

Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant, a
CD, and a flash card in a digital camera, among other places. Digital evidence is commonly
associated with electronic crime, or e-crime, such as child pornography or credit card fraud.
However, digital evidence is now used to prosecute all types of crimes, not just e-crime.

THE PROCEDURE FOLLOWED WHILE DEALING WITH CYBER CRIMES

A complainant can approach a cyber-crime police station or, in its absence, a police station.

Once the information reveals the commission of a cognisable offence under the IT (Amendment)
Act, 2000, the details regarding the nature/modus operandi of the cyber-crime are recorded in the
complaint, e.g., profile name in the case of social networking abuse, along with allied documents
such as server logs and a copy of the defaced web page in soft copy and hard copy.

A preliminary review of the entire scene of the offence is done to identify and evaluate the
potential evidence.

A pre-investigation technical assessment is also conducted to make the Investigating Officer
fully aware of the scope of the crime, following which a preservation notice is sent to all the
affected parties for preserving the evidence.

To ensure the integrity of the evidence, containment steps are taken to block access to the
affected machines, for example, freezing the bank accounts.

When it comes to the collection of evidence, the procedure for gathering evidence from
switched-off systems and live systems has to comply with the search and seizure mandate under
Section 165, CrPC and Section 80 of the IT (Amendment) Act, 2008, and should be reflected in
the Panchanama.

Another indispensable part of the investigation is to avert the fabrication and tampering
of the digital evidence by maintaining the chain of custody of the evidence from the time it is
seized, through its transfer and analysis, until it is presented before the court of law, to
ensure its integrity. Hashing is one of the most common methods used to ensure the integrity of
the digital evidence and the media content.
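
An added example (not from the original document) of the hashing and chain-of-custody step above: the evidence image is hashed with SHA-256 at seizure, each custody stage is appended to a hash-chained log, and verification reports any change to the evidence or to the record. The field names, handler labels, timestamps and sample image bytes are assumptions constructed for illustration.

```python
import hashlib, io, json

GENESIS = "0" * 64  # "previous entry hash" used by the first custody entry

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash evidence in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, stage, handler, evidence_sha256, timestamp):
    """Append a custody entry whose hash also covers the previous entry's hash."""
    body = {"stage": stage, "handler": handler, "timestamp": timestamp,
            "evidence_sha256": evidence_sha256,
            "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS}
    log.append({**body, "entry_hash": _entry_hash(body)})

def verify(log, current_evidence_sha256):
    """Return a list of problems; an empty list means log and evidence agree."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if _entry_hash(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if entry["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: hash differs from seizure hash")
        prev = entry["entry_hash"]
    if log and current_evidence_sha256 != log[0]["evidence_sha256"]:
        problems.append("evidence no longer matches seizure hash")
    return problems

def demo():
    image = b"CONSTRUCTED SAMPLE standing in for a forensic disk image"
    seized = sha256_stream(io.BytesIO(image))
    log, stages = [], [("seized", "Investigating Officer"),
                       ("transferred", "Evidence custodian"), ("analysed", "Examiner")]
    for day, (stage, handler) in enumerate(stages, start=1):  # constructed entries
        add_entry(log, stage, handler, seized, f"2024-01-0{day}T10:00:00+05:30")
    intact = verify(log, sha256_stream(io.BytesIO(image)))
    modified = verify(log, sha256_stream(io.BytesIO(image + b"\x00")))
    log[1]["handler"] = "Unknown"  # simulate an edit to a custody record
    edited = verify(log, seized)
    return intact, modified, edited
```

A hash chain only exposes tampering if the latest entry hash is also recorded somewhere the log's holder cannot rewrite, such as the paper seizure record; otherwise the whole chain can be recomputed after an edit.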

With regard to documentation, the Investigating Officer needs to record the collection of
digital evidence in the Digital Evidence Collection Form.

After the evidence has been collected and documented, either by forensic imaging or by storing
it on other devices like USBs, hard drives etc., it is packaged, labelled and tagged, and the
evidence database is updated.

Once the digital evidence is seized, orders of the competent court may be sought to retain the
seized properties or send the digital evidence for forensic analysis.

Apart from these procedural compliances, a cyber-crime investigation would be incomplete
without analysing other external information. For instance, time zone conversions and other
external data gathered from ISPs, mobile service providers, social networking websites, financial
institutions, web-site domains etc. are collated and correlated with the lab findings for
reconstructing the case in totality.

THE PRINCIPLES OF DIGITAL EVIDENCE


Principle 1: No action taken by law enforcement agencies, persons employed within those
agencies or their agents should change data which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data, that
person must be competent to do so and be able to give evidence explaining the relevance and the
implications of their actions.

Principle 3: An audit trail or other record of all processes applied to digital evidence should be
created and preserved. An independent third party should be able to examine those processes and
achieve the same result.

Principle 4: The person in charge of the investigation has overall responsibility for ensuring that
the law and these principles are adhered to.

All digital evidence is subject to the same rules and laws that apply to documentary evidence.
The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to
show to the court that the evidence produced is no more and no less now than when it was first
taken into the possession of law enforcement.

STAGES OF AN INVESTIGATION/EXAMINATION

There are six stages in the cyber forensic investigation process:

1) Readiness - Prevention is more important than any incident occurring. Training, understanding
of legal aspects, regular testing, and verification of software and hardware are included in
forensic readiness.
2) Evaluation - Receiving instructions, clarification of those instructions, risk analysis and
allocation of resources & roles are important aspects of the evaluation stage.
3) Collection - Acquisition is the main part of the collection stage. Identifying and securing
devices which store evidence, and conducting meetings and interviews with the people
who hold information relevant to the examination, are also carried out during the collection
stage.
4) Analysis - Analysis has to be done within the allocated resources and the specified time frame.
Numerous tools are available for forensic analysis and the examiner can use any tool they
wish. Dual tool verification can confirm result integrity during forensic analysis.
5) Presentation - The forensic examiner produces a report based on his/her findings and other
information based on the examiner’s assumptions.
6) Review - The review stage is simple and quick and can be started at any of the above stages.
During this stage the examiner can include lessons learnt for future examinations.

LAWS RELATING TO DIGITAL EVIDENCE IN INDIA


The proliferation of computers and the influence of information technology in human lives and
the storage of information in digital form required amendments to Indian law to include the
provisions regarding the appreciation of digital evidence. In 2000, the Indian Parliament enacted
the Information Technology Act, 2000 (IT Act), which brought in corresponding amendments to
existing Indian statutes to make digital evidence admissible.

• THE EVIDENCE ACT

Although the Evidence Act has been in force for many years, it has been amended from time to
time to acknowledge important developments.

• Definition of Evidence

The definition of ‘evidence’ was amended to include electronic records under Section 3(a),
Evidence Act. Evidence is of two types: oral and documentary. The definition of documentary
evidence has been amended to include all documents, including electronic records produced for
the inspection of the court. The term ‘electronic records’ has been given the same meaning as
assigned to it in the IT Act, which provides, ‘data, record or data generated, image or sound
stored, received or sent in an electronic form or micro film or computer generated micro fiche’.

• Admissions

The definition of Admission under Section 17 has been changed to include a statement, oral or
documentary, or contained in electronic form, which suggests any inference as to any fact in
issue or relevant fact.

New section 22A has been inserted into the Evidence Act, which provides that oral admissions as
to the contents of electronic records are not relevant, unless the genuineness of the electronic
records produced is in question.

• Admissibility of digital evidence

New Section 65A provides that the contents of electronic records may be proved in accordance
with the provisions of section 65B. Section 65B (4) provides for the requirement of a certificate
of authenticity in order to satisfy the conditions set out above, signed by a person occupying a
responsible official position. Such a certificate will be evidence of any matter stated in the
certificate.

• Presumptions regarding digital evidence

A fact which is relevant and admissible need not be construed as a proved fact. The judge
has to appreciate the fact to come to the conclusion that it is a proved fact. The Evidence Act
has been amended to introduce various presumptions regarding digital evidence.

• Other Amendments

Several other sections relating to Gazettes in electronic form, Electronic Agreements, Digital
Signatures, Electronic Messages etc. have been introduced in the Act to cope with the evolving
technology.

• THE BANKER’S BOOK EVIDENCE ACT, 1891

The definition of ‘banker’s book’ has been amended to include the printout of data stored in a
floppy, disc or any other electro-magnetic device under Section 2 (3), and section 2A provides
that the printout of an entry or a copy of a printout must be accompanied by a certificate.

• THE INDIAN PENAL CODE, 1860

A number of offences were introduced under the provisions of the First Schedule of the IT Act,
which amended the Indian Penal Code so that offences relating to the production of documents
include electronic records.

JUDICIAL TREND

One of the first evolutions was seen in State of Maharashtra v. Dr. Praful B Desai [1], where a
witness was allowed to be examined by means of a video conference.

The expanding extent of relevant digital materials was indicated in the case of Jagjit Singh v.
State of Haryana [2], where the Speaker had disqualified a Member for defection. The Supreme
Court considered the appreciation of digital evidence in the form of transcripts of digital media
including various TV News Channels.

In the infamous case of Afsal Guru [3], the Supreme Court allowed admissibility of phone records
without certificate. However, in the recent case of Anvar P. K. vs. P.K Basheer & Ors. [4], the
Supreme Court overruled its decision and held that strict compliance with section 65B is
mandatory. This outlook of the Supreme Court of India is to ensure that the credibility and
evidentiary value of electronic evidence is provided for, since the electronic record is more
susceptible to tampering and alteration.

CURRENT AND FUTURE NEEDS

Criminals are extensively using technology to commit both traditional crimes and cybercrimes.
Cyber-terrorism has become a global menace. Similarly, the economic offences committed
through the use of computers, internet, mobiles and other computer devices are on the increase.
Cybercrime has international dimensions and is the most serious form of crime related to
drugs and cyber terrorism, etc. If we look at the rate of cybercrimes in India, we find that
they have increased more than 800% during the past five years whereas the conviction rate is
moving on the lower side. There is thus an increase both in traditional crime and in
cybercrimes; however, the conviction rate is lower in both cases, and the obvious reason is the
failure of the investigation and prosecution agencies to tender adequate evidence in court. It
evidences the fact that the investigation agencies are not well versed in the use of cyber
forensic tools in crime investigation.

Further, there is a dearth of interface between cyber forensic tool research institutions,
Forensic Laboratories, Investigation agencies and prosecution agencies. Therefore, there is a
need for interdisciplinary research to bridge the gap, because if a satisfactory conviction rate
is not achieved it may have a cascading effect, causing disorder in society and a threat to our
lives, liberties and property. The advancements in technology and their increasing use in our
lives multiply the chances of increased crime in equal proportions, if not more.

[1] (2003) 4 SCC 601
[2] (2006) 11 SCC 1
[3] State (NCT of Delhi) v. Navjot Sandhu (2005) 11 SCC 600
[4] (2014) 10 SCC 473

CONCLUSION

Cyber forensic tools have a large scope in crime investigation and achieving better conviction
rates. Electronic/digital evidence collected using cyber forensic tools is useful in trial of offences
and is admissible as evidence under the present law. Law enforcement agencies lack adequate
training in collection and use of evidence using cyber forensics. Thus, there is a need for the
following:

• To understand the use of cyber forensics in the administration of justice.
• To examine the tools used in crime investigation and study their efficiency levels.
• To propose a new system (not already recognized) for use in crime investigation.
• To experiment scientifically with the proposed system to test its efficiency.

The changes made to Indian Law with respect to digital evidence and the positive approach of
Indian courts in recognizing and appreciating digital evidence indicate that the law with respect
to the admissibility and appreciation of digital evidence in India has to go a long way in keeping
pace with the developments globally. However, law is slow to react to technological
advancements, and the present law needs to be synchronized and updated with the technological
advancements in the field of cyber forensics to ensure that the criminals are brought to book. For
this purpose, the various tools and techniques used for disc and device forensics should be
analyzed. These tools and techniques can be made more useful in criminal investigation and trial.
The provisions of law under which these cyber forensic tools can be used by the
investigation agencies and the courts in law enforcement should also be analysed. The present
relation of cyber forensics and law is that of new friends, which needs to be furthered to
the level of a wedded couple.