
Digital Evidence

Training Manual by Mohammad Murtaza Khan

I.T Expert / Faculty Member, Sindh Judicial Academy


Table of Contents
Chapter 1 Introduction to Digital Evidence
Importance of Digital Evidence
The volume of Digital Evidence is increasing exponentially
Digital evidence is difficult to discard or destroy
Digital evidence often contains informal materials that do not exist in paper form
Storage of Digital Data
Challenging Aspects of Digital Evidence
Evidence Dynamics and the Introduction of Error
Chapter 2 Recovery and Examination of Digital Evidence
Principles of Recovery and Examination
Recovery and Analysis Process
Initial Assessment
Risk Assessment
The preservation and collection phase
The examination process
The analysis phase
The report or statement
Desktop and Laptop Computers
What should be seized?
Passive Data Generators as Digital Evidence Sources
General material
Specific material
Mobile Telephones
Evidence acquired from examination of mobile phones
Data stored in phone memory
IMEI (International Mobile Equipment Identification)
Data stored in SIM cards
IMSI (International Mobile Subscriber Identity)
MSISDN (Mobile Systems International Subscriber Identity Number)
Data Retrieval from cell phones
Data stored by the service provider
Call Detail Records
Preservation, Retrieval and Processing of CCTV data
E-mails and Web-mails
Websites / Forum Postings / Blogs
Web Servers
GPS
Image and video authentication
Digital Alibi
Chapter 3 Presentation and use of Digital Evidence in Courts
Admissibility and Acceptability of Digital Evidence
Rule against Hearsay
Best evidence rule
The Qanun-e-Shahadat Order 1984
The Electronic Transactions Ordinance, 2002
Legal recognition of Electronic Forms
Section 5
Establishing Authorship of the Record
Confusing Time Stamps
Continued importance of traditional evidence
Case Study – Daniel Pearl’s Case
Sample qualification questions for digital evidence/forensics expert witness
Some Useful Computer Terms
Active Data
Backup Data
Bookmarks
Cache Files
Cookies
Embedded data
Legacy Data
Replicant Data
Residual Data
Daniel Pearl’s Case Judgment
JUDGMENT
Further Details:
ORDER FOR DISPOSAL OF CASE PROPERTY
Key Terms And Concepts

Chapter 1 Introduction to Digital Evidence
Criminals use mobile phones, laptop computers, and network servers in the course of committing their crimes.
In some cases, computers provide the means of committing crime. For example, the Internet can be used to
deliver a death threat via email, to launch hacker attacks against a vulnerable computer network, to
disseminate computer viruses, or to transmit images of child pornography. In other cases, computers merely
serve as convenient storage devices for evidence of crime. For example, a drug dealer might keep a list of who
owes him money in a file stored in his desktop computer at home, or a money laundering operation might
retain false financial records in a file on a network server. Indeed, virtually every class of crime can involve
some form of digital evidence.

(U.S. Department of Justice, 2009)

Digital evidence has been previously defined as any data that can establish that a crime has been
committed or can provide a link between a crime and its victim or a crime and its perpetrator. The
definition proposed by the Standard Working Group on Digital Evidence (SWGDE) is any
information of probative value that is either stored or transmitted in a digital form. Another
definition proposed by the International Organization of Computer Evidence (IOCE) is information
stored or transmitted in binary form that may be relied upon in court. However, these definitions
focus too heavily on proof and neglect data that simply further an investigation. Additionally, the
term binary in the latter definition is inexact, describing just one of many common representations
of computerized data. A broader definition proposed by the Association of Chief Police Officers is
information and data of investigative value that are stored on or transmitted by a computer. A
more general definition proposed by Brian Carrier is digital data that support or refute a hypothesis
about digital events or the state of digital data.

Importance of Digital Evidence


Major shifts in the information technology landscape over the past two decades have made the
collection and analysis of digital evidence an increasingly important tool for solving crimes and
preparing court cases. As technology has become more portable and powerful, greater amounts
of information are created, stored, and accessed. Modern devices can serve as huge repositories
of personal information yet be carried in a pocket and accessed with a single hand or even voice
command. There is a clear benefit to having ample information to obtain convictions, but law
enforcement and other criminal justice partners need to balance the recovery and admissibility of
digital evidence with privacy concerns. This work discusses the rise of digital evidence, unique
challenges, and the results of a workshop held to prioritize needs in digital evidence processing.
Some of the drivers of the growing importance of digital evidence are as follows:

The volume of Digital Evidence is increasing exponentially
A key difference between digital data and traditional paper records is the sheer volume of digital
data and the speed with which it is generated. It is estimated that there are over 40 million e-mail
users worldwide, sending an estimated 60 billion messages annually and creating reams of
electronic data with a mere click of a button.

E-mail is only one form of electronic evidence. Businesses, organizations, and individuals around
the world generate computerized information at amazing speeds, often in lieu of traditional paper
records and in circumstances where a paper record might not exist.

Digital evidence is difficult to discard or destroy


Another key difference between digital and paper records is the durable nature of digital evidence.
Those who wish to discard paper records may simply throw out or shred the records. On the other
hand, contrary to popular belief, hitting the delete button does not destroy the computer records.
Instead, the computer only marks the files as space that can be overwritten with new information
in the future. Deleting a file also may command a computer or a digital device to mark the record
for storage in a “back-up” or archive system, where the machine will save the record for a period
of time. Whether the information is marked for overwriting, archived, or dealt with in some other
manner, computer experts often can recover supposedly “deleted” information long after the
computer user thought it had been destroyed. Hence, digital data can appear unexpectedly, with
the potential to generate litigation or dramatically impact its results.
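
The behaviour described above can be reproduced on a toy volume. The following Python sketch is an added example, not part of the original manual; the `ToyVolume` layout, the 32-byte cluster size and the sample memo are constructed for illustration and do not model any real file system. It shows that deletion only removes the directory entry and frees the clusters, that the content can still be carved out of unallocated space, and that later writes to the same volume destroy that possibility.

```python
CLUSTER = 32  # bytes per cluster (constructed value, far smaller than a real disk)


class ToyVolume:
    """Simplified volume: a directory, an allocation map and raw clusters."""

    def __init__(self, clusters=16):
        self.data = bytearray(CLUSTER * clusters)
        self.allocated = [False] * clusters
        self.directory = {}  # file name -> (cluster numbers, length in bytes)

    def write_file(self, name, content):
        needed = -(-len(content) // CLUSTER)  # ceiling division
        free = [c for c, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for n, c in enumerate(free):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = True
        self.directory[name] = (free, len(content))

    def delete_file(self, name):
        # "Delete" removes the directory entry and marks the clusters as free.
        # The bytes stored in those clusters are not touched.
        clusters, _ = self.directory.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def unallocated_bytes(self):
        # What an examiner sees when reading free space from a forensic copy.
        return b"".join(
            bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
            for c, used in enumerate(self.allocated) if not used
        )


def carve(raw, header, footer):
    """Return every byte run in raw that starts with header and ends with footer."""
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            break
        end = raw.find(footer, start + len(header))
        if end < 0:
            break
        found.append(raw[start:end + len(footer)])
        pos = end + len(footer)
    return found


def deletion_demo():
    vol = ToyVolume()
    memo = b"<memo>transfer funds before the audit</memo>"  # constructed sample
    vol.write_file("memo.txt", memo)
    vol.delete_file("memo.txt")

    listed = list(vol.directory)  # the user no longer sees the file
    recovered = carve(vol.unallocated_bytes(), b"<memo>", b"</memo>")

    # Later activity on the same volume reuses the first freed cluster.
    vol.write_file("notes.txt", b"N" * 20)
    recovered_after_reuse = carve(vol.unallocated_bytes(), b"<memo>", b"</memo>")
    fragment_left = b"audit</memo>" in vol.unallocated_bytes()

    return {
        "listed_after_delete": listed,
        "recovered": recovered,
        "recovered_after_reuse": recovered_after_reuse,
        "fragment_left": fragment_left,
    }


if __name__ == "__main__":
    for key, value in deletion_demo().items():
        print(key, "=", value)
```

After the second write only a fragment of the memo remains in free space, which is why recovery work is done on a copy and nothing is written to the original media.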

Case Example – Iran-Contra Affair

The Iran-Contra affair substantiates the durable nature of electronic evidence. Oliver North and
National Security Adviser John Poindexter discovered that deleting a computer file is not the
equivalent of shredding a document. In 1986 Colonel Oliver North shredded documents and
deleted e-mails from his computer. The IBM Professional Office System (PROFS) was backing up
all the files.

When computer technicians searched computer back-up tapes, they discovered electronic mail
messages that had been deleted from e-mail systems used by the Executive Office of the
President of the US and the National Security Council (NSC).

Digital evidence often contains informal materials that do not exist in paper form
Other key differences between digital evidence and paper records are how, when, and why people
record information in electronic form. As numerous litigants and commentators have found,
people routinely use computers, particularly e-mail, to send draft or informal messages, or messages they
would never “put in writing.” As a result, computerized records often contain insights into “off-the-cuff”
remarks that people would never record on paper. Such remarks may often be damaging in
litigation.

Digital evidence can be useful in a wide range of criminal investigations including homicides, sex
offenses, missing persons, child abuse, drug dealing, and harassment. Also, civil cases can hinge
on digital evidence. Digital records can help establish when events occurred, where victims and
suspects were, whom they communicated with, and may even show their intent to commit a crime.

Storage of Digital Data


As a starting point, it will be useful for prosecutors to appreciate how data is stored and recovered
by investigators.

A computer system has a standard set of components that can be divided into three categories.

1. Input / Output components
2. Main system components
3. Data storage and retrieval components

Electronic or digital data is stored in many forms; the most prominent, and in many ways the
easiest to validate, is that stored on computer hard drives. Most storage devices are magnetic
equipment that can store digital data (evidence) in many forms. They are used to store files and
images for later use by the person using the computer system. There are many types of storage
devices on the market today, but the most common ones are the internal hard drive, the external
hard drive, the “thumb” drive (also known as a USB drive), removable media (such as floppy disks,
CDs and DVDs) and memory cards. Hard drives are sometimes housed inside the computer itself,
whether the computer is a desktop or laptop model. It is not advisable to remove that type of
hardware from the computer casing at the crime scene. Rather the entire computer should be
removed.

Hard Drives are the main data repository for non-volatile mass storage. Their storage capacity
varies. The computers you are likely to seize may contain more than one hard disk drive.
Computer systems often contain several interconnected hard disk drives to increase storage
capacity. Data are stored digitally as tiny magnetized regions, called bits, on the disk—a flat,
circular piece of metal or plastic with a magnetic coating where information is recorded. A
magnetic orientation in one direction on the disk could represent a "1," an orientation in the
opposite direction could represent a "0."

These data are arranged on the surface of the platter (disk), in sectors along a number of
concentric tracks. Sectors contain a fixed number of bytes; for example, 256 or 512, and are
grouped together into clusters. Hard drives may contain more than one platter in a stacked
assembly. The larger the capacity a hard drive has, the more platters it will use. Data are written
onto each disk surface (top and bottom) by a separate recording head. So, a hard drive with three
disks will usually have six separate recording heads.

External hard drives are usually housed in a special case, usually about the same size as the
hard drive itself, and then the case is connected to the main computer with a cable.

Thumb drives have become more popular over the last few years. They can contain a great deal
of storage space in a relatively small container. They can come in a variety of forms, but the most
common is that of a “pen” drive or “flash” drive that can be placed in a person’s pocket, or hung
around a person’s neck. They usually have some sort of “cap” to protect the connection portion
of the drive. Once the cap is removed, the drive can then be inserted into a USB type of connection
on the computer. The connection is usually rectangular and less than one inch in length. It is
important to note that these drives are small and can be easily hidden or disguised. For example,
they can be part of a wristwatch, wrist-band, or common-looking pen. Also, newer versions of
these drives contain a great deal of security built into them. Any attempts to obtain data from
these newer models by an inexperienced investigator will result in not only the deletion of the
data, but also the actual destruction of the drive, and therefore the evidence, itself.

Removable media have been around for a long time. They usually do not hold as much
information as hard drives and thumb drives. The common forms of such media are floppy disks,
compact disks (CDs), and digital versatile disks (DVDs). Because of their somewhat limited
capacity for storage, a user will often have several of these devices, sometimes arranged loosely
and sometimes filed in an organized manner. Like other storage devices, disks, CDs and DVDs
may contain several different types of data that could be used as evidence, such as documents,
videos and audio files.

One form of memory device is the “memory card”. These are usually rectangular and thin and can
hold a great deal of data. They can also be very small. Commonly they are used in cameras,
video recorders and music players, but they can also be found in cell phones, personal digital
assistants (PDAs) and game consoles.

Handheld devices (devices that are portable, often pocket-sized, and are used for communication,
storage of personal data, entertainment, and the capturing of images) like cellular and mobile
phones, digital cameras, digital camcorders, personal digital assistants (PDA), global positioning
systems (GPS), iPods and pagers sometimes use removable media, such as memory cards.
These devices can hold the same types of evidence already discussed, such as documents,
digital images, email messages, etc., but can also contain text messages, appointment calendars,
and personal notes.

There are many other types of peripheral devices that may be found at a potential crime scene.
The uses, look and structure of these devices vary greatly. Some may be capable of storing digital
information that could be used as evidence, and some may not. It is beyond the scope of this
course to go into detail on these devices, but investigators should be aware of their existence.
Such devices include keyboard, mouse, monitor, printer, fax machine, photocopier, web camera,
microphone, USB hub, tape backup system, answering machine, game units, books, cable TV
box, etc.

In addition to these, computer networks are also an important source of digital evidence. A
computer network is simply two or more computers connected via a method of
communication. The communication may be done via cable or via a wireless communication
device such as a router. Computer networks are usually used for the sharing of information, such
as files, and peripheral devices, such as printers. Specific devices which enable computer
networks are modems (DSL, cable and satellite), routers, switches, network hubs, cables,
wireless (Wi-Fi) access points and communication cards inserted into the computer itself.

It is particularly important for the first responder or investigator to be careful with these storage
devices, because it is likely that most of the evidence will be found on one or more of these
devices. Evidence can include photographs, documents, video files, audio files, email messages,
Internet browsing histories, and other software used or created by the user.

Typical approaches to preservation and production of digital evidence rely on examination of
devices in a static condition, in other words, when a computer is switched off and data is not in a
truly volatile state. Digital forensics examiners are well versed in the requirements of international
and national guidelines on the handling of such evidence.

Case Example – Hammaad Munsi

The youngest terrorist in the UK to be convicted of a bomb plot, Hammaad Munsi was arrested
after returning from a trip to Pakistan. Police confiscated his luggage and found a laptop inside
that contained an "encyclopaedia of terrorist instruction," among which were details on how to
make a home-made firearm. Munsi also was carrying ball bearings on him at the time of the arrest,
the weapon of choice for suicide bombers. Though he is very young, he was an active member
of a terrorist group, and being web-savvy, was responsible for hosting a Web site that posted
terrorist related materials. In the age of the computer, it comes as no surprise that someone so
young would be involved in crimes proven by digital evidence.

Challenging Aspects of Digital Evidence

• Digital Evidence is Fragile
• Digital Evidence is Latent
• Digital Evidence is susceptible to alteration
• Digital Evidence is stored in a decentralized manner
• Digital evidence can be manipulated
• Digital Evidence is usually circumstantial
• Digital Evidence is an Abstraction of an event or object
• Speed of the technical development

Digital evidence as a form of physical evidence creates several challenges for digital forensic
analysts. First, it is a messy, slippery form of evidence that can be very difficult to handle. For
instance, a hard drive platter contains a messy amalgam of data—pieces of information mixed
together and layered on top of each other over time. Only a small portion of this amalgam might be
relevant to a case, making it necessary to extract useful pieces, fit them together, and translate
them into a form that can be interpreted. Second, digital evidence is generally an abstraction of
some digital object or event. When a person instructs a computer to perform a task such as
sending an e-mail, the resulting activities generate data remnants that give only a partial view of
what occurred (Venema & Farmer, 2000). Only certain results of the activity such as the e-mail
message and server logs remain to give us a partial view of what occurred. Furthermore, using a
forensic tool to recover a deleted file from storage media involves several layers of abstraction
from magnetic fields on the disk to the letters and numbers that we see on the screen.

So, we never see the actual data but only a representation, and each layer of abstraction can
introduce errors (Carrier, 2003).

This situation is similar to that of the traditional crime scene investigation. In a homicide case,
there may be clues that can be used to reconstruct events, like putting a puzzle together.
However, all of the puzzle pieces are not available, making it impossible to create a complete
reconstruction of the crime. This book describes various sources of digital evidence and indicates
how these multiple, independent sources of corroborating information can be used to develop a
more complete picture of the associated crime. Third, digital evidence is usually circumstantial,
making it difficult to attribute computer activity to an individual. Therefore, digital evidence can
only be one component of a solid investigation. If a case hinges upon a single form or source of
digital evidence such as date-time stamps on computer files, then the case is unacceptably weak.
Without additional information, it could be reasonably argued that someone else used the
computer at the time. For instance, password protection mechanisms on some computers can be
bypassed, and many computers do not require a password, allowing anyone to use them.
Similarly, if a defendant argues that some exonerating digital evidence was not collected from
one system, this would only impact a weak case that does not have supporting evidence of guilt
from other sources.

Fourth, the fact that digital evidence can be manipulated or destroyed so easily raises new
challenges for digital investigators. Digital evidence can be altered or obliterated either maliciously
by offenders or accidentally during collection without leaving any obvious signs of distortion.
Fortunately, digital evidence has several features that mitigate this problem.

• Digital evidence can be duplicated exactly and a copy can be examined as if it were the
original. It is common practice when dealing with digital evidence to examine a copy, thus
avoiding the risk of altering or damaging the original evidence.
• With the right tools, it is very easy to determine if digital evidence has been modified or
tampered with by comparing it with an original copy.
• Digital evidence is difficult to destroy. Even when a file is “deleted” or a hard drive is
formatted, digital evidence can be recovered.
• When criminals attempt to destroy digital evidence, copies and associated remnants can
remain in places that they were not aware of.

The ease with which digital evidence can be altered or destroyed creates challenges in many
investigations in the form of evidence dynamics.

Evidence Dynamics and the Introduction of Error


Investigators and digital evidence examiners will rarely have an opportunity to examine a digital
crime scene in its original state and should therefore expect some evidence dynamics: any
influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between
the time evidence is transferred and the time the case is resolved. Offenders, victims, first
responders, digital evidence examiners, and anyone else who had access to digital evidence prior
to its preservation can cause evidence dynamics. Some examples of evidence dynamics
encountered in past cases:

• A system administrator attempted to recover deleted files from a hard drive by installing
software on an evidential computer, saving recovered files onto the same drive. This
process overwrote unallocated space, rendering potentially useful deleted data
unrecoverable.
• Consultants installed a pirated version of a forensic tool on the compromised server. In
addition to breaking the law by using an unlicensed version of digital forensic software,
the installation altered and overwrote data on the evidential computer.
• Responding to a computer intrusion, a system administrator intentionally deleted an
account that the intruder had created and attempted to preserve digital evidence using the
standard backup facility on the system. This backup facility was outdated and had a flaw
that caused it to change the times of the files on the disk before copying them. Thus, the
date-time stamps of all files on the disk were changed to the current time, making it nearly
impossible to reconstruct the crime.
• During an investigation involving several machines, a first responder did not follow
standard operating procedures and failed to collect important evidence. Additionally,
evidence collected from several identical computer systems was not thoroughly
documented, making it very difficult to determine which evidence came from which
system.

Media containing digital evidence can deteriorate over time or when exposed to fire, water, jet
fuel, and toxic chemicals. Errors can also be introduced during the examination and interpretation
of digital evidence. Digital evidence examination tools can contain bugs that cause them to
represent data incorrectly, and digital evidence examiners can misinterpret data. For instance,
while a digital evidence examiner was examining several log files, transcribing relevant entries for
later reference, he transcribed several dates and IP addresses incorrectly; for example, he
misread 03:13 A.M. as 3:13 P.M., resulting in the wrong dial-up records being retrieved,
implicating the wrong individual. Similarly, he transcribed 192.168.1.54 as 192.168.1.45 in a
search warrant and implicated the wrong individual. There are many other ways that evidence
dynamics can occur.

Although Bolander was found guilty, his computer was destroyed before sentencing. Additionally,
a floppy disk containing evidence was mostly overwritten, presumably by accident. The evidence
dynamics in this case created a significant amount of controversy.

Evidence dynamics create investigative and legal challenges, generally making it more difficult to
determine what occurred and making it more difficult to prove that the evidence is authentic and
reliable. Additionally, any conclusions that a forensic examiner reaches without the knowledge of
how evidence was changed will be open to criticism in court, may misdirect an investigation, and
may even be completely incorrect.

Chapter 2 Recovery and Examination of Digital Evidence

Principles of Recovery and Examination


When it comes to the recovery of digital evidence, “The Guidelines for Best Practice in the
Forensic Examination of Digital Technology” by the International Organization on Computer
Evidence (IOCE) considers the following as the General Principles Applying to the Recovery of
Digital Evidence (IOCE 2002):

• The general rules of evidence should be applied to all digital evidence.
• Upon seizing digital evidence, actions taken should not change that evidence.
• When it is necessary for a person to access original digital evidence that person should
be suitably trained for the purpose.
• All activity relating to the seizure, access, storage or transfer of digital evidence must be
fully documented, preserved and available for review.
• An individual is responsible for all actions taken with respect to digital evidence whilst the
digital evidence is in their possession.

The Good Practice Guide of the UK’s Association of Chief Police Officers (ACPO) advocates the
following useful principles:

Principle 1

No action taken by law enforcement agencies or their agents should change data held on a
computer or storage media which may subsequently be relied upon in court.

Principle 2

In exceptional circumstances, where a person finds it necessary to access original data held on
a computer or on storage media, that person must be competent to do so and be able to give
evidence explaining the relevance and the implications of their actions.

Principle 3

An audit trail or other record of all processes applied to computer-based electronic evidence
should be created and preserved. An independent third party should be able to examine those
processes and achieve the same result.

Principle 4

The person in charge of the investigation (the case officer) has overall responsibility for ensuring
that the law and these principles are adhered to.

Recovery and Analysis Process


The nature of computer-based electronic evidence is such that it poses unique challenges to
ensure its admissibility in court. It is imperative that established forensic procedures are followed.
These procedures include, but are not limited to, four phases: preservation and collection,
examination, analysis, and reporting. Although these guidelines concentrate on the collection
phase, the nature of the other three phases and what happens in each are also important to
understand.

Initial Assessment
Before starting work on any case, an assessment of the information available should be made,
together with the items provided for examination. Such an assessment may take the following
format:

• Is there information or intelligence which indicates there is likely to be evidence of a
criminal offence or any material which may assist the defence or undermine the
prosecution case?
• Has the submission of the exhibits been authorized?
• Is the evidence in support of the charges for which the subject(s) have been arrested?
• Will the evidence be pivotal in the likely success of the prosecution or will the evidence
have a significant effect on the likely sentence if convicted?
• Has sufficient information pertaining to the case been provided to enable keyword
searches?
• Have all available witness statements been provided?

The assessment may also involve determining:

1. The urgency and priority of the need for information

2. The other types of forensic examination which may have to be carried out on the same
items

It is also important to bear in mind whether recovered data could be present due to other
circumstances.

Risk Assessment
This is an important part of the process that should be automatically considered and completed.
The following may assist investigation and prosecution staff in determining the method of
approach to a series of different cases waiting for allocation:

• Physical Vulnerability of victim, suspect and third parties
• Emotional Vulnerability of victim, suspect and third parties
• Professional Vulnerability – suspect’s career or vocation damaged
• Economic Impact – suspect’s and/or victim’s business closed down, loss of business
reputation
• Time restrictions – evidence may be overwritten
• Impact on interagency casework – case is affected by or affects cases in other agencies
or jurisdictions
• Case older than 3 months / 6 months / 8 months / 12 months
• National Impact – Denial of Service attacks, virus distribution etc.
• Criminal Justice issues – suspect charged, remanded in custody, on bail or coroner’s court
proceedings
• National Security – imminent threat
• Internal investigation
• Other Factors – Significant Public Interest

The preservation and collection phase


The first phase involves the search for, recognition of, collection of and documentation of
computer-based electronic evidence. Preservation steps correspond to freezing the crime
scene and consist of stopping or preventing any activities that can damage the digital information
being collected. Preservation involves operations such as preventing people from using
computers during collection, stopping ongoing deletion processes, and choosing the safest way
to collect information. The aims of preservation and collection are twofold:

• First, they aim to provide examination and analysis with as much relevant information as
possible
• Second, they aim to ensure the integrity of the collected information

The collection phase can involve real-time and stored information that may be lost unless
precautions are taken at the scene. Collection may involve removal of personal computers from
the crime scene, copying or printing out contents of files from a server, recording of network traffic,
and so on.

The examination process


This process helps to make the evidence visible and explain its origin and significance and it
should accomplish several things. It should document the content and state of the evidence in its
totality. Such documentation allows all parties to discover what is contained in the evidence.
Included in this process is the search for information that may be hidden or obscured. Once all
the information is visible, the process of data reduction can begin, thereby separating the “wheat”
from the “chaff.” Given the tremendous amount of information that can be stored on electronic
media, this part of the examination is critical.

The analysis phase


This phase differs from examination in that it looks at the product of the examination for its
significance and probative value to the case. Examination is a technical review that is the province
of the forensic practitioner, while analysis may be conducted by a range of people. In some
agencies, the same person or group will perform both these roles.

Most of the popular forensic analysis tools available are for PCs running the Windows family of
operating systems. Examples include EnCase, AccessData FTK, X-Ways, and ProDiscover.
Many of these products can also cope with Linux and some other UNIX family operating systems.
However, experienced forensic technicians often prefer to use Linux-based forensic tools to
examine Linux-based hard disks. Examples include SMART and The Sleuth Kit. The Apple Mac family
is relatively poorly supported by commercial forensic tools. EnCase “understands” the disk filing
system, but there are now specialist tools such as SubRosaSoft’s MacForensicsLab and the
BlackBag suite. Since Apple OS X is in fact underpinned by BSD Unix, it is possible to use Unix-based
tools for imaging and analysis.

The report or statement


This outlines the examination process and the pertinent data recovered, and completes an
examination. Examination notes must be preserved for disclosure or testimony purposes. An
examiner may need to testify not only about the conduct of the examination, but also about the validity
of the procedure and his or her qualifications to conduct the examination.

The role of the examiner is to secure from any seized material, be it hard disks, floppy disks, tape
or any other storage media, a true copy of the data contained therein. This should be obtained
without compromising the original data. In order to ensure this, care should be taken in the
selection of software or hardware utilized in any procedure that is undertaken. As the process that
is being conducted is a forensic examination, sound and established forensic principles should
be adhered to. This means full records should be made of all actions taken. These can be made
available to the defence who may subsequently conduct a further examination to validate the
actions taken. Such records are also part of the unused material for the case under investigation.
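
The two requirements above, a true copy that can be shown to match the original and a full record of actions that a third party can re-check (ACPO Principle 3), can be illustrated in code. The following is an added example, not part of the original manual: it verifies a copy by SHA-256 and keeps a hash-chained action log; the file names, examiner names, timestamps and data are constructed, and the function and class names are hypothetical.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never has to fit in memory
GENESIS = "0" * 64   # stands in for "previous entry" on the first log record


def sha256_file(path):
    """Return the SHA-256 hex digest of a file."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def make_true_copy(source, image):
    """Copy source to image, then re-read both and confirm the digests agree.

    Opening the source with "rb" only guarantees that this code does not write to
    it; on real media a hardware write blocker is still assumed.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    source_hash, image_hash = sha256_file(source), sha256_file(image)
    if source_hash != image_hash:
        raise ValueError("image digest does not match source digest")
    return source_hash


def entry_digest(entry):
    """Hash every field of a log entry except its own entry_hash."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ActionLog:
    """Append-only action record in which each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, when, examiner, action, detail):
        previous = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "when": when, "examiner": examiner,
                 "action": action, "detail": detail, "prev_hash": previous}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the sequence number of the first inconsistent entry, or None."""
        previous = GENESIS
        for position, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != position or entry["prev_hash"] != previous
                    or entry["entry_hash"] != entry_digest(entry)):
                return position
            previous = entry["entry_hash"]
        return None


def demo():
    """Image a constructed exhibit, log each step, then alter the copy and the log."""
    with tempfile.TemporaryDirectory() as workdir:
        exhibit = os.path.join(workdir, "exhibit.bin")
        image = os.path.join(workdir, "exhibit.img")
        with open(exhibit, "wb") as handle:  # constructed data, stands in for seized media
            handle.write(b"constructed sample sector data\n" * 4096)

        log = ActionLog()
        log.record("2024-01-01T09:00:00Z", "Examiner A", "received", "exhibit.bin, seal intact")
        acquired = make_true_copy(exhibit, image)
        log.record("2024-01-01T10:00:00Z", "Examiner A", "imaged", "sha256=" + acquired)
        log.record("2024-01-02T09:00:00Z", "Examiner B", "re-verified",
                   "sha256=" + sha256_file(image))
        intact = log.verify()

        with open(image, "r+b") as handle:   # one changed byte in the working copy
            handle.seek(10)
            handle.write(b"X")
        image_still_matches = sha256_file(image) == acquired

        log.entries[1]["detail"] = "sha256=" + sha256_file(image)  # back-dated edit
        first_bad = log.verify()
    return {"intact": intact, "image_still_matches": image_still_matches,
            "first_bad": first_bad}


if __name__ == "__main__":
    print(demo())
```

The chain only exposes later edits if the most recent entry hash is also written somewhere the examiner cannot alter, such as the signed exhibit label or the case officer's notes.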

It is important to remember that legislation continues to change to keep up with the requirements of
society. Therefore, it is important to consider the legal requirements when examining
computer-based electronic data for evidential purposes. Recent case studies and precedents set
at higher courts are important considerations when preparing an evidence package for a case
officer. This specifically applies to the use of the Internet and files downloaded from the Internet,
or material accessible from foreign jurisdictions like online data stores.

Case Study: Shujaat Ali v. State (MLD 2008 Lah. 467)

“The brief allegation against the petitioner is that he had made video of the complainant's
daughter, who was his class-fellow, of the scene while using the bathroom and then sent the
same to different persons through E-mail. The petitioner also blackmailed the daughter of the
complainant while sending her different messages of the threats.

3. The learned counsel for the petitioner has contended that the petitioner was class-fellow of
daughter of the complainant and due to this reason, he has been falsely involved in the present
case as no other person could be traced during the investigation by the prosecution; that all the
recovery witnesses are police officials and alleged recovery was effected in violation of section
103, Cr.P.C. that Camera allegedly recovered from the petitioner, has no function of video film;
that the story of the prosecution is improbable and offence does not fall within ambit of prohibitory
clause of section 497, Cr.P.C. thus the petitioner is entitled to be released on bail.

3A. The counsel for the complainant has opposed this bail petition on the ground that during the
course of investigation, offence under section 458, P.P.C. has been added, which falls within the
prohibitory clause of section 497, Cr.P.C. that the petitioner is named in the F.I.R. and recovery
of electronic devices had been effected on his pointation which prima facie connect the petitioner
with the commission of crime; that the trial in the main case has already been commenced and
case was fixed for recording of evidence on 22-5-2007, but it was adjourned on the request of
learned defence counsel; that the petitioner also used to make obnoxious telephone calls and
send threatening messages to the family of the complainant through different E-mail address,
who is not entitled to be released on bail as he has not only spoiled the career of young virgin girl
but also caused damage to her whole family and made them shameful.

4. The learned Additional Prosecutor-General has contended that the police during the
investigation has collected sufficient material from the Internet Company which is sufficient to
prima facie connect the petitioner with the alleged crime; that it was a case of unique nature
committed while using the electronic devices, which have been recovered during the investigation
and there was no reason to falsely implicate the petitioner in the present case for the disgrace of
his class-fellow.

5. I have heard the arguments advanced by the learned counsel for the parties and perused the
record with due care and caution.

6. The petitioner is alleged to have made a video of the complainant's daughter of the scene in
the bathroom of her bedroom while using advance technology and then sent the same to different
persons familiar to the complainant. It is claimed that the petitioner had access to the house of
the complainant previously being class-fellow of the victim daughter of the complainant. According
to the police record, the electronic devices used for the coverage of alleged nude scene of the
complainant's daughter have been recovered at the instance of the petitioner along with a C.D.
containing said movie. The Investigating Officer explained that according to the record of the
Internet Company "WOL" the petitioner remained connected through the telephone connection in
this house with the computer attached with the telephonic connection installed in the name of the
complainant, which prima facie connect the petitioner with the alleged crime. No mala fide has
been alleged on the part of the complainant for the false implication of the petitioner by putting
the chastity and future career of his young virgin girl. The petitioner is involved in a case of
shameful act and is not entitled for the grant of bail merely for the reason that the offences do not
fall within prohibitory clause of section 497, Cr.P.C. The case of the petitioner falls within the
exceptions and I am not inclined to exercise my discretion in favour of such accused.”

Desktop and Laptop Computers

Computer evidence must be handled in a manner that preserves its evidentiary value. This relates
to the physical aspect of the evidence as well as the electronic data it contains. With a PC, the
essential concerns are to leave the evidence on the hard disk unchanged, and to produce an
image which represents its state exactly as it was when seized. With an organizer/PDA, there
tends to be no hard disk and the concern has to be to change the evidence in the main memory
as little as possible and then only in the certain knowledge of what is happening internally. The
possibility of producing an image may exist with the use of specialist software.

What should be seized?


Removable media is often concealed if it is of any great value and investigators must remember
to search any place that is big / small enough to conceal these items.

For the retrieval of evidence the following should be seized:

• Main unit: usually the box to which the monitor and keyboard are attached
• Monitor, keyboard and mouse (only necessary in certain cases; if in doubt, seek expert
advice)
• Leads (again only necessary in certain cases; if in doubt, seek expert advice)
• Power supply units
• Hard disks not fitted inside the computer
• Modems (some contain phone numbers)
• External drives and other external devices
• Wireless network cards
• Routers
• Digital cameras
• Floppy disks
• Backup tapes
• Jaz/Zip cartridge
• CDs
• DVDs
• PCMCIA cards
• Memory sticks, memory cards and all USB/FireWire connected devices

To assist in the examination of the equipment, investigators should also seize computer and
software manuals, anything that may contain a password, encryption keys, and security keys
required to physically open computer equipment and media storage boxes. For comparisons of
printouts, it is advisable to seize printers, printouts and printer paper for forensic examination, if
required. They should also search the area for diaries, notebooks or pieces of paper with
passwords on, which are often attached or close to the computer. Consider asking the user about
the setup of the system, including any passwords, if circumstances dictate. If these are given,
record them accurately.

Upon discovery of computer equipment which appears to be switched off, the power and other
devices from sockets on the computer itself (i.e. not the wall socket) must be unplugged. The
main power source battery from laptop computers should be removed. However, prior to doing
so, consider if the machine is in standby mode. In such circumstances, battery removal could
result in avoidable data loss. Caution should always be used in the shutdown and transport of the
subject computer. To preserve the image on the screen, a quick photograph of the screen display
may be appropriate. Then a decision has to be made as to whether or not the computer will be
unplugged from the wall or shut down systematically based on the requirements of the operating
system. Unfortunately, there is no correct answer, and there are risks in taking either course of
action. The investigator’s decision will depend on the particular facts involved, the operating
system involved, and good judgment. Usually, networked computers should be shut down
following normal shutdown procedures as dictated by the operating system involved.

If seizure of the computer is carried out when the system is attended, any individual attending the
computer should be immediately removed from the vicinity. One press of a pre-arranged key
combination can potentially destroy all evidence stored on a hard disk. A destructive process can
be initiated in a heartbeat, and the results can be disastrous. Consider using a subterfuge to
remove the operator from the computer to eliminate the possibility of them destroying potential
evidence. Raid planning is very important, and this is especially true if the probability of destructive
processes exists.

If someone is at the keyboard, remove him or her immediately because it is possible to quickly
alter or destroy evidence in the computer. Document the current state and collect volatile data. If
the computer is “off” do not turn it on. The safest way to turn off a computer running Windows or
DOS is to pull the plug from the computer, not from the wall outlet.

Computer systems are sensitive to temperature, humidity, physical shock, static electricity, and
magnetic sources. It should be ensured that all evidence has been documented and properly
labelled. It is advisable to pack computers, laptops and magnetic media in antistatic packaging.

Passive Data Generators as Digital Evidence Sources

Passive data generators is the term used by ACPO (2005) to describe automated systems that
gather information for purposes unconnected to criminal investigation, but which can be accessed
by investigators. Some examples of passive data generators include CCTV and other images,
financial and transactional information, personal computer and cell phone information,
telecommunications information, voice-recording systems, customer information, including
subscriber information, access systems, tachographs, and Automatic Number Plate Recognition
(ANPR) systems.

Passive data generators are widespread in the modern world and an investigator should be
familiar with the use of passive data generators, especially those found commonly like CCTV and
telephone billing systems. The potential of passive data generators to assist in investigations is,
however, far wider than these commonly used sources. For example, financial information is
routinely collected and can be used to place individuals in particular locations, trace the flow of
money, investigate lifestyles and establish relationships between people. Geographical
positioning systems (GPS), traffic safety cameras, toll records and in-car computer systems can
provide material that can assist in mapping the movements of vehicles. Computer systems can
provide material on a range of activities, particularly lifestyles and relationships between
individuals. Automatic Number Plate Recognition (ANPR) systems (police and commercial) are a
rapidly developing source of investigative opportunities for investigators. In the near future,
national searches will be possible on specific vehicles providing dates, times, locations, direction
of travel and, in some instances, an image of the vehicle. Various analytic tools are currently being
developed to assist in the analysis of ANPR data.

What distinguishes passive data generators from other types of record keeping, such as patient
records made by doctors and client information kept by accountants, is the fact that they are
automated and require no judgment on the part of the person making them: hence the term
passive. They are also stored in systems that require technical expertise to access them. Records
created by people are generally written documents and require no particular technical expertise
to locate and gather them, although, as with patient records, their availability to the police and use
by them may be subject to legal constraint.

There are two ways in which passive data generators can assist in investigations:

General material
Passive data generators can be used to provide material that will assist the investigating officers
to understand the circumstances of the case. This is almost exclusively confined to locating,
gathering and viewing images generated within particular locations for the purpose of identifying
people and vehicles which may be significant to the investigation. These will involve locating
CCTV systems, traffic safety cameras, police ANPR deployments and commercial ANPR
sources, and analyzing victims’ telephone activity with a view to identifying contacts which may
be relevant to the circumstances of the offense.

Any material generated in this way may later become evidence when specific suspects are
identified. In the first instance, the objective is to set the parameters within which officers should
search for this type of material.

Specific material
The second way in which passive data generators can assist in investigations is where
investigators are seeking material about specific circumstances that are relevant to the incident.
These could be:

• The presence of victims, witnesses, suspects, vehicles or telephones at particular locations and
the times they were there
• The relationship between individuals
• Times of contact between individuals
• The lifestyles of individuals

The material already gathered by the investigation will determine the degree of certainty that
investigators can bring to defining the parameters of these enquiries. Unfocused enquiries are
likely to generate a very large quantity of data that will have to be analyzed in order to locate the
specific material required by the investigation. Setting parameters as tightly as possible is,
therefore, essential when developing the objectives for these enquiries.

Mobile Telephones
A mobile or cellular telephone is a long-range, portable electronic device for personal
telecommunications over long distances. In addition to the standard voice function of a telephone,
current mobile phones can support many additional services such as SMS for text messaging,
email, packet switching for access to the Internet, and MMS for sending and receiving photos and
video. Most current mobile phones connect to a cellular network of base stations (cell sites), which
is in turn interconnected to the public switched telephone network (PSTN), the exception being
satellite phones.

Due to the high penetration rate of mobile phones, they will inevitably be connected to an
increasing number of criminal activities. The following examples illustrate some of the possible
ways in which a mobile phone can be involved in criminal activities.

• Mobile phones are the most common form of communication for people purchasing
contraband
• Mobile phones are common targets for thieves
• Telecommunication service theft (i.e. mobile phone theft, SIM cloning, etc.) makes up a
significant portion of telecommunications fraud
• The relatively large storage space of modern phones makes them a useful tool for data
theft. An employee could steal sensitive corporate information by uploading it onto their
phone
• They are the primary device used for sending threatening SMS messages and making
abusive phone calls to the victim. The call records and SMS messages between both
parties can play a significant part in such a case

Since they may contain information comparable to that of a desktop computer, they are a prime
source of evidence. The following is a list of potential evidence that can be found in a mobile phone:

• Subscriber and equipment identifiers
• Date/time, language, and other settings
• Phonebook information
• Appointment calendar information
• Text messages
• Dialled, incoming, and missed call logs
• Electronic mail
• Photos
• Audio and video recordings
• Multi-media messages
• Instant messaging and Web browsing activities
• Electronic documents
• Location information
• Browsing History
• E-mails
• Audio and Video Recordings
• Pictures
• Appointment Calendar Entries
• GPS Data (locations the phone has been)
• Location of Photos Taken
• Hot List
• Pin Data
• SIM Card Data
• Data Stored on Internal and Removable Memory
• Service Provider
• IMSI
• Spyware Artefacts
• Other Hidden Data

Because of new features on mobile phones such as increased memory storage and third-party
applications, both the quantity and complexity of the above evidence are increasing, as phones
become able to store larger files and more of them.

Evidence acquired from examination of mobile phones
Digital evidence on a mobile phone can be found in a number of locations:

• The SIM card (if present)
• The phone’s embedded memory
• The phone’s removable memory (i.e. SD card), if present

In addition to these, subscriber and call related information is also stored by a service provider.

Data stored in phone memory


In addition to the SIM memory, memory is available within the phone to store phone software,
and additional data. This space can be used to extend the SIM memory, to store additional phone
book data, call logs and so forth. The following are some examples of the additional information
that may be found in a phone’s memory:

• Phone settings
• Calendar information
• SMS / MMS messages
• Call log entries
• Time and date
• Ring tones
• Data required for / produced by the phone’s extra features, such as audio and video
recordings, and images
• Generic data stored in the phone’s memory
• Application executables

IMEI (International Mobile Equipment Identification)


Every handset has a built-in IMEI (International Mobile Equipment Identification) number or ESN
(Electronic Serial Number), the phone's unique ID, normally a 15-digit code. It is usually
printed on the box of every new cell phone, and can also be found on a label
inside the rear of the phone, behind the battery. With most handsets the IMEI can be retrieved by
entering *#06#. The IMEI number of a GSM device can be retrieved by sending the command
AT+CGSN. The IMEI information can be retrieved from older Nokia mobile phones by pressing
*#92702689# (*#WAR0ANTY#); this opens the warranty menu in which the first item is the serial
number (the IMEI). The warranty menu also shows other information such as the date the phone
was made and the life timer of the phone. The IMEI can frequently be displayed through phone
menus, under a section titled 'System Information', 'Device', 'Phone Info' or similar. Many phones
also have the IMEI listed on a label in the battery compartment. The IMEI will display on the device
page of iTunes for an iPhone after syncing.

On refurbished phones the IMEI may be different for the software and the actual phone itself. This
can be checked by looking behind the phone where the battery is placed (phone IMEI) and by
pressing *#06# on the phone (software IMEI).

The first six digits of the 15-digit IMEI disclose the Type Approval Code (TAC), the first two digits
being the code for the country approval. The next two digits are the Final Approval Code (FAC).
The next six digits show the phone serial number, while the last digit is an additional number.
With GSM phones the IMEI consists of numbers, and with CDMA phones the IMEI is a combination
of numbers and letters.

The IMEI number is used by the GSM network to identify valid devices and therefore can be used
to stop a stolen phone from accessing the network. For example, if a mobile phone is stolen, the
owner can call his or her network provider and instruct them to "ban" the phone using its IMEI
number. This renders the phone useless, regardless of whether the phone's SIM is changed.
Unlike the Electronic Serial Number or MEID of CDMA and other wireless networks, the IMEI is
only used to identify the device, and has no permanent or semi-permanent relation to the
subscriber.

Data stored in SIM cards


The Subscriber Identity Module, or SIM card, used in GSM phones, is a detachable smart card
containing the user's subscription information and phonebook. This allows the user to retain his
or her information after switching handsets. Alternatively, the user can also change operators
while retaining the handset simply by changing the SIM.

The SIM card contains a number of files, which contain the user’s subscriber information, and
personal information, such as:

• The International Mobile Subscriber Identity (IMSI), which is the SIM card’s globally unique
identifier
• Language preferences and network (service provider) information
• Currency information, such as call charge counters
• Information about the current (or most recent) location of the mobile phone
• Phone book entries
• Sent and received SMS messages
• Recently dialled numbers

Many of the features available on a SIM card are optional, and therefore may not be implemented
by every handset or service provider.

A SIM card contains

• IMSI (International Mobile Subscriber Identity)
• MSISDN (Mobile Systems International Subscriber Identity Number)

IMSI (International Mobile Subscriber Identity)


An IMSI, or International Mobile Subscriber Identity, is a unique number associated with all GSM
network mobile phone users. It is provisioned and stored in the Subscriber Identity Module (SIM)
inside the phone and is sent by the phone to the network. The IMSI is used in any mobile network
that interconnects with other networks. Unlike the IMEI, the subscriber is identified by
transmission of an IMSI number, which is stored on a SIM card which can (in theory) be
transferred to any handset.

An IMSI is usually 15 digits long, but can be shorter. The first three digits are the Mobile Country
Code (MCC), followed by the Mobile Network Code (MNC), which has either two (European
standard) or three digits (North American standard). The remaining digits are the mobile
subscriber identification number (MSIN) within the network's customer base. For example, in
the IMSI 429011234567890, 429 is the MCC for Nepal, 01 is the MNC for Nepal Telecom and
1234567890 is the MSIN.
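
The IMEI and IMSI layouts described above allow a mechanical check before an identifier is copied into a warrant or report. The following added example (not part of the original manual) splits both identifiers into the fields the manual names and tests the last IMEI digit as a Luhn check digit, which is how the GSM numbering standard defines it. The function names and the sample IMEI are constructed for illustration; the IMSI is the manual's own example.

```python
import re


def _digits(value, what):
    """Drop the spaces and hyphens examiners often write, then require ASCII digits."""
    cleaned = re.sub(r"[\s-]", "", value)
    if not re.fullmatch(r"[0-9]+", cleaned):
        raise ValueError(f"{what} must contain digits only: {value!r}")
    return cleaned


def luhn_check_digit(body):
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    # Working from the right-hand end of the body, every other digit is doubled
    # (starting with the rightmost) and a two-digit result is reduced by 9.
    for index, char in enumerate(reversed(body)):
        digit = int(char)
        if index % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


def parse_imei(value):
    """Split a 15-digit IMEI using the layout given in the manual (6 + 2 + 6 + 1)."""
    imei = _digits(value, "IMEI")
    if len(imei) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(imei)}")
    return {
        "tac": imei[0:6],       # Type Approval Code
        "fac": imei[6:8],       # FAC, as the manual names the next two digits
        "serial": imei[8:14],   # phone serial number
        "last": imei[14],       # the manual's "additional number"
        # Luhn catches any single wrong digit and most adjacent swaps (not 09 <-> 90).
        "check_ok": luhn_check_digit(imei[:14]) == int(imei[14]),
    }


def parse_imsi(value, mnc_len=2):
    """Split an IMSI into MCC, MNC and MSIN; the caller states the MNC length (2 or 3)."""
    imsi = _digits(value, "IMSI")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    if not 3 + mnc_len < len(imsi) <= 15:
        raise ValueError(f"IMSI length {len(imsi)} is out of range")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def transcription_error(source, transcribed):
    """Describe how a transcribed value differs from the source record, or None if equal."""
    if source == transcribed:
        return None
    if len(source) != len(transcribed):
        return "length differs"
    diffs = [i for i, (a, b) in enumerate(zip(source, transcribed)) if a != b]
    if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and source[diffs[0]] == transcribed[diffs[1]]
            and source[diffs[1]] == transcribed[diffs[0]]):
        return f"adjacent characters swapped at position {diffs[0] + 1}"
    return f"{len(diffs)} character(s) differ, first at position {diffs[0] + 1}"


if __name__ == "__main__":
    print(parse_imei("490154203237518"))        # constructed sample IMEI
    print(parse_imei("49-015420-332751-8"))     # same IMEI with two digits swapped
    print(parse_imsi("429011234567890"))        # IMSI example from the manual
    print(transcription_error("192.168.1.54", "192.168.1.45"))
```

A swapped digit pair in an IMEI usually fails the check digit, whereas an IP address such as 192.168.1.54 carries no check value, so a swap to 192.168.1.45 can only be caught by comparing the transcription against the source record.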

MSISDN (Mobile Systems International Subscriber Identity Number)


The MSISDN is a number that identifies uniquely a subscription in a GSM mobile network. Simply
put, it is the telephone number to the SIM card in a mobile phone. The abbreviation has several
interpretations, most common one being the ‘Mobile Station International Subscriber Directory
Number.’ The MSISDN together with IMSI are two important numbers used to identify a mobile
phone. IMSI is often used as a key in the HLR (subscriber database) and MSISDN is the number
normally dialled to connect a call to the mobile phone.

The structure of the MSISDN consists of the Country Code (CC), the National Destination Code (NDC)
and then the Subscriber Number (SN). For example, 092-333-5678910 represents the country code (092),
the National Destination Code (333) and the Subscriber Number (567-8910).

Data Retrieval from cell phones


As emphasized earlier, technical examination and retrieval of data from a mobile phone should
be done by a qualified technical expert. There are a number of third party applications which have
been designed for forensic analysis of mobile phones, such as:

• Phone Base (Envisage Systems 2005)
• Oxygen Phone Manager II (Forensic version) (Oxygen Software 2005)
• XRY (Micro Systemation 2005)
• Cell Seizure (Paraben Forensics 2005)

These applications (and a number of others) support a wide range of phones, and claim not to
alter any data on the phone; however, they use the same software interfaces as the non-forensic
applications, and hence are placing trust in the phone’s operating system.

At the most advanced level, physical removal of memory chips is possible, but requires very
specialist hardware and expertise. Such techniques may be able to recover deleted handset data
(possibly over and above that from flash dumps).

The examination process should be properly planned to avoid the loss of data that is very important
to the case. The sequence of examination may depend upon a number of factors, and the decision
may lead to data loss. The decision on sequence will depend to some extent upon case specifics
(e.g. importance of date and times), as well as the examination environment and tools available.

Before undertaking real case work, an examiner should have prior and recent experience of
examining a device of similar functionality with the tools or process to be used. This is particularly
relevant if using non-forensic tools that may synchronize the device and PC and possibly cause
changes to the evidence stored on the device. When examining a cell phone, investigators and
the examiners should ensure that a log of actions taken with the exhibit is maintained. Any
changes to the data that occur during the examination should be noted (e.g. accidental changes
during manual examination, arrival of incoming messages etc.).

Consideration may also be given to recording results of the examination (photography or video)
for inclusion within final reports. This is particularly relevant for manual examinations. Even for
automated downloads, photographs can be used to indicate the condition of the exhibit and to
provide a record of certain key information (e.g. numbers of contacts in the phonebook, numbers
of SMS messages etc.), such that the results of forensic tools can be validated. The details of
tools and products used (including version numbers) should be recorded. There is a need to
establish effective communication between examiners and the investigator. Only the investigator
can fully understand the importance or relevance of specific data held on the device.

Data stored by the service provider


Data retained by the service provider includes subscriber information, location information, and
call and billing information.

Call Detail Records


Call detail records (CDRs) are logs containing data about communications, not the content of the
communications. They are generated during setup or initiation and teardown or termination of
calls, faxes, SMS messages and pages as well as during certain kinds of hand-offs and roaming
events, such as when a subscriber moves from one provider to another or from one area of
coverage to another.

A call data record is created and stored, containing, amongst other information, the sending and
receiving phone numbers, the length of the call, and the initial and final location of the two parties.
This information is available from the service provider. Typically, they are generated by PSTN
switches and by MSCs in cellular networks. CDRs are generated primarily for billing purposes,
though service providers also use CDRs to detect instances of telecommunications fraud, and to
support network management and traffic engineering.

The GSM 12.05 Standard specifies 19 different CDR types for GSM networks (ETSI TS 100 616
V7.0.1 (1999-07)). Other cellular networks record similar types of information. The format of a
CDR depends on the configuration of the switch that generates the record. In GSM, the IMSI is a
unique identifier for a subscriber, the IMEI is an identifier for a handset, and the MSISDN is a
phone number.

CDRs typically require very little storage. Most events produce CDRs of at most a few hundred
bytes. Even though billions of events occur daily, the total volume of CDRs collected and stored
is manageable. However, service providers may retain CDRs for limited (and variable) periods of
time. In some cases, providers may archive only summarized information from CDRs.

CDRs are analogous to the address information on an envelope, which is used to direct
correspondence to its location. Just as there is no reasonable expectation of privacy for address
information, there is no reasonable expectation of privacy for CDRs and other customer
proprietary network information (CPNI), which belongs to the service provider rather than the
subscriber. Because CDRs contain detailed information about subscribers and their
communications, including subscriber movements and communication patterns, they can be
extremely useful in crime investigations.

CDRs also identify the cellular towers on which calls were placed and received. Since cellular
towers only serve limited geographical regions and all hand-offs between towers are recorded,
by analyzing information in CDRs, it is possible to pinpoint a mobile subscriber's location at a
specific time and the subscriber's movement over time. Furthermore, location information can be
refined using other data maintained by service providers like directions (azimuths) of mobile
subscribers from cellular tower antennae and the power levels of subscriber-to-tower
communications. In order for the analysis to be as complete as possible and acceptable as
evidence, the following information is also gathered:

• Coverage maps for each cell tower
• Whether or not cell towers were undergoing maintenance
• The configuration of each of the cell towers
This information is needed so that the analyst can properly identify and map out the specific
coverage area of a tower or tower sector.
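
The following is an added example, not part of the original manual, showing how a tower-by-tower movement timeline can be rebuilt from CDRs and which points the analyst has to qualify. The CSV layout, column names, cell identifiers, maintenance window and every value are constructed for illustration; a real export follows the configuration of the switch that generated it.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample CDR export. Column names and all values are made up;
# timestamps are assumed to be in the provider's local time throughout.
SAMPLE_CDRS = """\
start_time,duration_s,imsi,imei,calling,called,first_cell,last_cell
2024-03-01T09:40:00,300,410990000000001,350000000000011,923335678910,923001112223,CELL-A1,CELL-B2
2024-03-01T09:02:10,95,410990000000001,350000000000011,923335678910,923001112223,CELL-A1,CELL-A1
2024-03-01T10:15:30,60,410990000000001,350000000000029,923004445556,923335678910,CELL-C3,CELL-C3
2024-03-01T09:10:00,20,410990000000002,350000000000037,923007778889,923001112223,CELL-Z9,CELL-Z9
"""

# Constructed maintenance windows supplied by the provider: cell -> (from, to).
MAINTENANCE = {
    "CELL-B2": (datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 10, 0)),
}


def load_cdrs(text):
    """Parse the CSV export and add typed start/end times, oldest first."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start_time"])
        row["start"] = start
        row["end"] = start + timedelta(seconds=int(row["duration_s"]))
        records.append(row)
    return sorted(records, key=lambda r: r["start"])


def sightings(records, imsi):
    """Every (time, cell) at which the subscription was seen:
    call start on the first cell, call end on the last cell."""
    points = []
    for r in records:
        if r["imsi"] != imsi:
            continue
        points.append((r["start"], r["first_cell"]))
        points.append((r["end"], r["last_cell"]))
    return sorted(points)


def cell_changes(points):
    """Reduce sightings to movements:
    (time first seen on the new cell, old cell, new cell)."""
    moves = []
    for (_, prev_cell), (when, cell) in zip(points, points[1:]):
        if cell != prev_cell:
            moves.append((when, prev_cell, cell))
    return moves


def caveats(records, imsi, maintenance):
    """Points to qualify before the timeline is relied on: a change of
    handset (IMEI) for the same IMSI, and sightings on a cell that was
    under maintenance at that moment."""
    notes = []
    last_imei = None
    for r in (r for r in records if r["imsi"] == imsi):
        if last_imei is not None and r["imei"] != last_imei:
            notes.append(f"{r['start']}: IMEI changed {last_imei} -> "
                         f"{r['imei']} (same subscription, different handset)")
        last_imei = r["imei"]
        for when, cell in ((r["start"], r["first_cell"]),
                           (r["end"], r["last_cell"])):
            window = maintenance.get(cell)
            if window and window[0] <= when <= window[1]:
                notes.append(f"{when}: {cell} was under maintenance; "
                             f"its coverage map may not apply")
    return notes


if __name__ == "__main__":
    recs = load_cdrs(SAMPLE_CDRS)
    for when, old, new in cell_changes(sightings(recs, "410990000000001")):
        print(when, old, "->", new)
    for note in caveats(recs, "410990000000001", MAINTENANCE):
        print("CAVEAT", note)
```

A cell change only places the handset within a tower's coverage area at that time, which is why the coverage maps, maintenance status and tower configuration have to accompany the timeline.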

Preservation, Retrieval and Processing of CCTV data


Depending on the type of recording media, recording device, and the settings for the recording
device, the quality of a video recording can vary widely. In addition, collecting and preserving
video evidence incorrectly can reduce its value a great deal. There are certain generally accepted
procedures that should be followed in securing CCTV evidence whatever method is ultimately
selected for downloading the data:

(i) Contemporaneous notes should be kept, detailing the course of action taken, to provide an
audit trail
(ii) The make and model of the CCTV system and the number of cameras should be noted. It
is advisable to take photographs of the system if possible, particularly if the recorder is
unfamiliar or the manufacturer uncertain
(iii) The basic system settings (e.g. current record settings and display settings) should also be
noted, so that, if changes have to be made to facilitate the download, it is then possible to
return the system to its original state
(iv) It is important to compare the time given by the speaking clock with that displayed by the
CCTV system. Any error between the system time and real time should be noted and
compensated for when carrying out the download. This will ensure that the correct section
of data is copied
(v) Investigators should determine which cameras are required and whether they can be
downloaded separately. Depending on the nature of the incident, there might, for example,
be a requirement to archive all cameras with external views. Some systems enable video
from individual cameras to be downloaded, but some do not, in which case data from all
cameras will need to be taken. The decision taken, and the reasons for it, should be
documented in the audit trail. In case of multiplex CCTV systems, the video feed from each
camera and not just the main screen that shows all of them must be collected
(vi) Many digital CCTV systems have a built-in CD/DVD writer for archiving data, in which case
there should be an option within the CCTV software to facilitate the back-up of the selected
video sequences (in the native file format). There may also be the option to include the
replay software on the disk along with the data. Write-once disks should be used
(vii) It is imperative to check storage or overwrite time to determine how long the relevant data
will be retained on the system. This is particularly important if the download cannot be
carried out immediately, or needs to be prioritized against other tasks. Many recording
devices, such as surveillance systems and handheld video cameras, require that the user
input a time and date manually. If the time and date are wrong on the recording device by
even 15 minutes, an entire timeline of events can be thrown off, or a legitimate alibi could
be erroneously deemed false. To determine the correct time, check and record the time on
the recording device at the time of the collection, and then compare to an external time
source like a cell phone and record the difference or offset
(viii) If the facility exists to back up data to flash drives, it may be utilized for extracting short
video sequences. The storage capacity for compact flash is approximately the same as a CD
(albeit increasing with time) and therefore similar problems may be encountered if archiving
large volumes of data. To assess whether archiving to CD is time-efficient for large
downloads, the time taken to create one CD should be checked, and the percentage of the
required video that fits on this disk noted. From this information, the total number of disks
required and the total archiving time can be calculated. For other archiving methods such
as via USB hard drive and network, the file transfer rate should be monitored and the total
transfer time estimated
(ix) Archiving to USB hard drive may be the preferred option in several scenarios, for example:
(a) For downloading smaller quantities of data where there is no other easy option (e.g. CD
writer). The USB drive in this case is just a transport medium and the data may then be
copied to DVD/CD later, at the lab, to make the master copy
(b) For downloading large quantities of data, where it is quicker or more practical than
writing to several CDs
When copying large quantities of data, it may be more efficient to exit the CCTV system
software (which may be possible on a PC Windows-based system) and copy the required
files directly using Windows Explorer. This may also be necessary if the CCTV software
does not recognize the addition of the USB device and consequently offers no suitable menu
option.

(x) The recording should not be stopped during the archiving process unless
(a) This is an unavoidable feature of the system or
(b) There is an immediate risk that important data will be overwritten, before it can be
archived
(xi) Some systems offer the option of write-protecting a selected video sequence to prevent it
from being overwritten before it can be archived. However, it should not be assumed that
this facility will be present
(xii) The investigator must confirm that the data can be archived in its native file format. It is
preferable to extract the CCTV sequence in its native format in order to maintain image
quality and provide best evidence, even where this file format is proprietary to the CCTV
manufacturer. However, in circumstances where it is not possible or practical to extract the
data in its native format, alternative methods may be justifiable. Some systems may provide
an option to write the sequence to AVI file, which may seem to be an advantage, in that the
video will be replayable using standard software. However, the generation of the AVI file
often requires the video to be recompressed, resulting in a loss of quality, so this method
should be avoided. Time and date information may also be lost, along with any stored
bookmarks
(xiii) It is good practice to check the replay software to see whether the data format is
proprietary. If so, it is necessary to download a copy of the replay software alongside the
data. Some CCTV systems provide this facility, but others do not and the software has to be
obtained separately, e.g. from the manufacturer’s website. It should be established that the
facility exists to replay the data before leaving the scene and allowing the system recording
to be overwritten
(xiv) The downloaded data should be checked before leaving the scene (or immediately on
returning to the lab) to confirm that (a) the archiving process was successful and (b) that
any associated replay software functions correctly. This check should be done on a machine
other than the original recorder
(xv) Afterwards, the CCTV system should be restarted, if necessary, and it should be confirmed
in the presence of the owner/operator that it is operating as it was originally
(xvi) In circumstances where all other download options have been rejected as impractical or
impossible, the decision may be made to remove the recorder, assuming that it is physically
possible to do so and that the severity of the incident justifies this course of action. However,
the implications (legal, insurance, etc.) of removal should be considered and a decision
taken as to whether a replacement recorder should be provided or other arrangements
made in order to maintain security at the premises
(xvii) The following information should be included with the evidence to assist the investigator with
subsequent replay and analysis:
(a) Make and model (important when trying to identify suitable replay software or hardware)
(b) Error in display time and date
(c) Time period covered by download
(d) Replay software if available
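
The following is an added example, not part of the original manual, covering the clock comparison in items (iv) and (vii), the retention check in (vii) and the disk estimate in (viii). It shows the sign convention for the clock error and how an uncompensated download request misses part of the incident. All readings, the retention period and the disk figures are constructed.

```python
from datetime import datetime, timedelta
from math import ceil


def clock_offset(dvr_reading, reference_reading):
    """DVR clock minus reference clock, both read at the same moment.
    Negative: the recorder runs slow. Positive: it runs fast."""
    return dvr_reading - reference_reading


def to_dvr_time(real_time, offset):
    """Time the recorder displays for a given real-world moment."""
    return real_time + offset


def to_real_time(dvr_time, offset):
    """Real-world moment behind a timestamp displayed by the recorder."""
    return dvr_time - offset


def download_window(incident_start, incident_end, offset,
                    margin=timedelta(minutes=5)):
    """Window to request on the recorder (in DVR time) so that the footage
    covers the incident in real time, with a safety margin on each side."""
    return (to_dvr_time(incident_start, offset) - margin,
            to_dvr_time(incident_end, offset) + margin)


def covers_incident(dvr_start, dvr_end, offset, incident_start, incident_end):
    """True if a download requested as dvr_start..dvr_end contains the
    incident once the clock error is compensated for."""
    return (to_real_time(dvr_start, offset) <= incident_start
            and to_real_time(dvr_end, offset) >= incident_end)


def overwrite_deadline(incident_start, retention):
    """Real-world moment at which the start of the incident footage is
    expected to be overwritten, given the recorder's retention period."""
    return incident_start + retention


def disc_plan(percent_per_disc, minutes_per_disc):
    """From one test disk: disks needed for the whole download and the
    total writing time."""
    discs = ceil(100 / percent_per_disc)
    return discs, timedelta(minutes=discs * minutes_per_disc)


def format_offset(offset):
    """Render the clock error for the notes that accompany the evidence."""
    seconds = int(offset.total_seconds())
    if seconds == 0:
        return "recorder clock is correct"
    direction = "fast" if seconds > 0 else "slow"
    minutes, secs = divmod(abs(seconds), 60)
    return f"recorder clock is {minutes} min {secs} s {direction}"


# Constructed readings taken at the scene at the same moment.
REFERENCE_READING = datetime(2024, 3, 1, 15, 2, 0)   # external time source
DVR_READING = datetime(2024, 3, 1, 14, 47, 30)       # recorder display
# Constructed incident window, in real time.
INCIDENT = (datetime(2024, 3, 1, 13, 0), datetime(2024, 3, 1, 13, 30))

if __name__ == "__main__":
    off = clock_offset(DVR_READING, REFERENCE_READING)
    print(format_offset(off))
    print("request on recorder:", *download_window(*INCIDENT, off))
    print("overwritten after:", overwrite_deadline(INCIDENT[0], timedelta(days=14)))
    print("disks, time:", *disc_plan(12, 9))
```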

E-mails and Web-mails


E-mail is increasingly seen as the communications medium of choice, amongst a technically
aware population. E-mail can be forensically retrieved from physical machines, although in certain
circumstances it may be that only a small number of e-mails require retrieval and examination.
Investigators may wish to obtain these from a victim’s computer system, without having to address
possible delays in obtaining a forensic examination or causing significant inconvenience to the
victim. In such circumstances, printed copies of the e-mails themselves, including header
information, would be sufficient to evidence the sending / receipt and content of the e-mail. Header
information is not normally visible to the reader of the e-mail, but it can be viewed through the
user’s e-mail client program. The header contains detailed information about the sender, receiver,
content and date of the message. Investigators should consult staff of a cybercrime unit or a
telecommunications/IT expert if they are in any doubt as to how to retrieve or interpret header
information. Clearly, any such evidential retrievals need to be exhibited in the conventional
manner, i.e. signed, dated and a continuity chain established.

Emails sent over the Internet or using Internet-like protocols have “headers” associated with them.
These are normally suppressed when the message is viewed through a regular email client
program, and they contain information about where the email originated and what route it took to
the recipient. This information, though it can be forged or spoofed, can be used to provide a level
of authentication.
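
The following is an added example, not part of the original manual, that reads the routing information out of the headers and checks it for internal consistency. Each server that handles a message adds its own Received line above the earlier ones, so the route is read from the bottom up. The message, hosts, addresses and timestamps are constructed, and the 60-second tolerance for clock differences between servers is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed message: every host, address and timestamp is made up.
SAMPLE_EMAIL = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
 by mbox.recipient.example with ESMTP id 3; Fri, 01 Mar 2024 10:00:09 +0500
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTP id 2; Fri, 01 Mar 2024 05:00:05 +0000
Received: from laptop.local (unknown [192.0.2.44])
 by relay.sender.example with ESMTPSA id 1; Fri, 01 Mar 2024 10:30:00 +0500
From: a@sender.example
To: b@recipient.example
Date: Fri, 01 Mar 2024 09:59:58 +0500
Subject: constructed sample

Body text.
"""


@dataclass
class Hop:
    from_host: Optional[str]
    from_ip: Optional[str]
    by_host: Optional[str]
    stamped_utc: Optional[datetime]


def _to_utc(text):
    """Parse an RFC 5322 date; return None if it cannot be parsed."""
    try:
        when = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:            # "-0000" means no zone information
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def received_chain(raw):
    """Return the Received hops oldest first (header order is newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())             # undo header folding
        route, _, date_part = flat.rpartition(";")
        from_m = re.search(r"\bfrom\s+(\S+)", route)
        by_m = re.search(r"\bby\s+(\S+)", route)
        ip_m = re.search(r"\[([0-9A-Fa-f:.]+)\]", route)
        hops.append(Hop(
            from_host=from_m.group(1) if from_m else None,
            from_ip=ip_m.group(1) if ip_m else None,
            by_host=by_m.group(1) if by_m else None,
            stamped_utc=_to_utc(date_part),
        ))
    return hops


def find_time_anomalies(hops, tolerance=timedelta(seconds=60)):
    """Flag hops stamped earlier than the hop before them by more than the
    tolerated clock difference. A message cannot reach a later server
    before an earlier one, so a flag means a wrong clock or an unreliable
    (possibly forged) header line."""
    flagged = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1].stamped_utc, hops[i].stamped_utc
        if prev and cur and cur + tolerance < prev:
            flagged.append((i, f"{hops[i].by_host} stamped the message "
                               f"{prev - cur} before the previous hop"))
    return flagged


def date_header_gap(raw):
    """Time between the sender-supplied Date header and the first hop."""
    sent = _to_utc(message_from_string(raw).get("Date", ""))
    hops = received_chain(raw)
    if sent is None or not hops or hops[0].stamped_utc is None:
        return None
    return hops[0].stamped_utc - sent
```

Timestamps are normalised to UTC before comparison because each server stamps the message in its own time zone.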

Statements producing email exhibits need to cover the following:

a. Where the email has come from a client program installed on an individual PC – the
identification of the program and the steps taken to capture and preserve the supporting
files
b. Where the email has come from a server program – the identification of the program and
the steps taken to extract and preserve the supporting files; whether this is simply a subset
of the total email data available and on what basis the selection was made; whether a
larger subset is available against appropriate defence team request
c. In the case of a server program – what security features exist and how they are managed
(this is to anticipate a suggestion that incriminating material was placed there by someone
other than the suspect)
d. Compliance with any external good practice or system audit standards should be made
and recorded

Websites / Forum Postings / Blogs
Evidence relating to a crime committed in Pakistan may reside on a website, a forum posting or
a web blog. Capturing this evidence may pose some major challenges, as the target machine(s)
may be sited outside of national jurisdiction or the evidence itself could be easily changed or
deleted. In such cases, retrieval of the available evidence has a time-critical element and
investigators may resort to timed and dated screen captures of the relevant material or ‘ripping’
the entire content of particular Internet sites. When viewing material on the Internet, with a view
to evidential preservation, investigators should take care to use anonymous systems. Failure to
utilize appropriate systems could lead to the compromise of current or future operations.

Web Servers
Web server programs, among which the most popular are Apache and Microsoft Internet
Information Services, can be set up easily to collect activities into a log. These logs are usually in
Common Log Format (CLF), although it is possible to collect additional information. From a
forensic perspective, these logs are no different from other types of computer log that one may
wish to offer in evidence. In terms of the overall reliability of web server logs, the following
elements in a witness statement may help to persuade a court:

• A description of the computer system’s overall functions and the role of the web server
within it
• An account of how long the system in its present configuration has been in operation
• What forms of testing took place prior to commissioning and what forms of routine audit are in
place
• External factors that exist to act as a check on reliability
• Security features that exist and how they are managed (this anticipates a suggestion that
incriminating material was placed there by someone other than the suspect)
• Whether other similar systems are in existence that have a good history of reliability
• Compliance with any external good practice or system audit standards
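
The following is an added example, not part of the original manual: a parser for Common Log Format lines that keeps the timestamp exactly as the server wrote it, adds a UTC value for comparison with other sources, and reports lines it could not parse instead of dropping them silently. The log lines, hosts and user name are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# CLF fields: host ident authuser [time] "request" status bytes
CLF_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
CLF_TIME = re.compile(
    r'^(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$'
)
MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample log; the third line is deliberately damaged.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - alice [01/Mar/2024:10:00:07 +0500] "POST /login HTTP/1.1" 302 -
this line is truncated [01/Mar/2024
198.51.100.9 - - [01/Mar/2024:05:00:09 +0000] "GET /report.pdf HTTP/1.1" 200 88211
"""


@dataclass
class Entry:
    line_no: int
    host: str
    user: Optional[str]       # None when the server logged "-"
    logged_time: str          # exactly as written by the server
    time_utc: datetime
    method: Optional[str]
    path: str
    status: int
    size: Optional[int]       # None when the server logged "-"


def parse_clf_time(text):
    """Convert a CLF timestamp to an aware UTC datetime.
    Month names are mapped by hand so the result does not depend on locale."""
    m = CLF_TIME.match(text)
    if not m:
        raise ValueError(f"bad CLF timestamp: {text!r}")
    day, mon, year, hh, mm, ss, sign, off_h, off_m = m.groups()
    offset = timedelta(hours=int(off_h), minutes=int(off_m))
    if sign == "-":
        offset = -offset
    local = datetime(int(year), MONTHS[mon.title()], int(day),
                     int(hh), int(mm), int(ss), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def parse_clf(text):
    """Return (entries, rejected). Rejected holds (line number, raw line)
    for every non-empty line that is not valid CLF, so gaps can be reported."""
    entries, rejected = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = CLF_LINE.match(line)
        try:
            if not m:
                raise ValueError("not a CLF line")
            when = parse_clf_time(m["time"])
        except (ValueError, KeyError):
            rejected.append((line_no, line))
            continue
        parts = m["request"].split(" ")
        method, path = (parts[0], parts[1]) if len(parts) == 3 else (None, m["request"])
        entries.append(Entry(
            line_no=line_no,
            host=m["host"],
            user=None if m["user"] == "-" else m["user"],
            logged_time=m["time"],
            time_utc=when,
            method=method,
            path=path,
            status=int(m["status"]),
            size=None if m["size"] == "-" else int(m["size"]),
        ))
    return entries, rejected


def in_window(entries, start_utc, end_utc):
    """Entries whose UTC time falls inside the period under examination."""
    return [e for e in entries if start_utc <= e.time_utc <= end_utc]
```

Keeping the original line number and logged timestamp with each entry lets any selection presented in court be traced back to the full log it came from.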

GPS
Evidence in cases involving Global Positioning Systems (GPS) can be a vital factor in determining
whether someone was in a particular place at a particular time. Gathering GPS evidence can be
a challenge as the data or evidence being sought can reside in several places: on physical
devices, at third-party service providers, or as backups or data downloads on computers and
smart phones. If the device is part of a larger system or part of a system that is monitored by a
third-party service, getting the device and getting the records are equally important.

Image and video authentication


Usually, fakes are not created completely from scratch, but are instead composites and
modifications of already existing videos or images. However, adding visual information to a video
or image, or taking it away, makes it as much a fake as one intentionally made by a scam artist.
Even the most convincing faked images and videos can display telltale signs of modification that
an examiner should be able to identify, explaining in detail the methods used to create the fake.

Digital Alibi
The key pieces of information in an alibi are time and location. When an individual does anything
involving a computer or network, the time and location are often noted, generating digital evidence
that can be used to support or refute an alibi. For example, defendants in a number of cases have
claimed that they were alone at the time of the crime but were using a computer or playing on a
gaming system. Activities on gaming systems, or the lack thereof, may help establish or refute
their alibi. In addition, telephone calls, credit card purchases, subway ticket usage, automated toll
payments, and ATM transactions are all supported by computer networks that keep detailed logs
of activities. Telephone companies keep a record of the number dialled, the time and duration of
the call, and sometimes the caller’s number. In addition, when mobile devices are involved,
telephone companies may be able to determine the location of a defendant’s mobile device at
crucial times. Other computer networks, like the Internet, also contain a large amount of
information about times and locations. When an e-mail message is sent, the time and originating
IP addresses are noted in the header. Log files that contain information about activities on a
network are especially useful when investigating an alibi because they contain times, IP
addresses, a brief description of what occurred, and sometimes even the individual computer
account that was involved.

When dealing with an alibi based on digital evidence, it must be kept in mind that computer times
and IP addresses can be manipulated, allowing a criminal to create a false alibi. On many
computers it requires minimal skills to change the clock or the creation time of a file. Also, people
can program a computer to perform an action, like sending an e-mail message, at a specific time.
In many cases, scheduling events does not require any programming skill—it is a simple feature
of the operating system. Similarly, IP addresses can be changed, allowing individuals to pretend
that they are connected to a network from another location. Therefore, investigators should not
rely on one piece of digital evidence when examining an alibi—they should look for an associated
cyber trail.

The most challenging situations arise when investigators and prosecutors do not find any
evidence to support or refute an alibi. When this situation arises, it is important to remember an
axiom: absence of evidence is not evidence of absence. For instance, if a person claims to have
checked e-mail on a given day from a specific location and there is no evidence to support this
assertion, that does not mean that the person is lying. No amount of research into the reliability of
the logging process will change the fact that an absence of evidence is not evidence of absence.
However, though absence of evidence is not necessarily evidence of absence, an alibi can be
severely weakened by a lack of expected digital evidence.

Chapter 3 Presentation and use of Digital Evidence in Courts


Generally, in the prosecutorial environment, theories based upon scientific truth are subordinate
to legal judgment and digital investigators must accept the ruling of the court. It is important to
keep in mind that discrepancies between legal judgment and theories based on scientific truth
may arise from a lack of understanding on the part of the decision makers. When technical
evidence supporting theories based on scientific truth is presented to triers of fact who are not
familiar with the methods used, misunderstandings and misconceptions may result. To minimize
the risk of such misunderstandings, the investigative process and the evidence uncovered to
support prosecution must be presented clearly to the court.

Admissibility and Acceptability of Digital Evidence
In general the principles of admissibility are that the evidence must be relevant to the proof of a
fact in issue, to the credibility of a witness or to the reliability of other evidence, and the evidence
must not be inadmissible by virtue of some particular rule of law.1

There are some general principles of evidence that can affect the admissibility and weight of
electronic records in court. The main two evidentiary principles that affect digital records are the
hearsay rule and its exceptions, and the best evidence rule.

Rule against Hearsay


“Hearsay” is a long-standing legal concept and one that is central to the issues surrounding
documentary evidence. The inadmissibility of hearsay is one of the best-known rules in evidence
law. The word itself contains a hint to its meaning: courts do not want to receive second-hand
information, which has come into court via someone “hearing” what another person “said”.
Courts want witnesses to testify to what they themselves saw, perceived, or knew, to preserve
accuracy and to allow for meaningful cross-examination to take place.

Generally, neither party will be able to introduce hearsay evidence in order to prove the truth of
the statement being asserted. The rule creates the basic position that a document cannot be used
as proof of the “facts” to which it refers. That is, a letter saying “I saw X do something” cannot be
used to prove the fact that X did it (unless an exception to the hearsay rule applies).

Over time, exceptions to the hearsay rule were introduced to allow documents to be admitted to
provide evidence of facts. Evidence derived from a computer or an electronic device constitutes
real or direct evidence when it is used circumstantially rather than testimonially, that is to say when
the fact that it takes one form rather than another makes it relevant, rather than the truth of some
assertion which it contains. Computer output is admissible as real evidence since it does not
purport to reproduce any human assertion which had been entered into it. The machine is a tool
and, in the absence of any evidence that it is defective, the printout, the product of a
mechanical device, falls into the category of real evidence.

Best evidence rule


The best evidence rule requires that the original of any record or document be used if available.
It can also mean that copies, even if introduced, are given lower weight. The rule need not be
satisfied if the original has been lost or it is impractical or unduly burdensome to produce the
original. It also is not attracted where the original is a public record in the custody of the state
archives and a certified copy is available, or the original is in the possession of the other party to
the case.

1 Keane, A (1994) The Modern Law of Evidence (London: Butterworths).

In an electronic environment, it can be difficult to determine the original record. Most digital
evidence exhibits produced in a court are derived from material originally acquired, not the
material itself. Often, at the very least, it will be a printout of material originally found in digital
form. To take the matter a little further, by itself an entire log file is indigestible; usually someone
will have used software tools to look for patterns of activity that are thought to be significant. The
same applies to any of the large databases that are usually at the heart of most commercial
enterprise packages, which record orders received, goods dispatched, send invoices and create
a general ledger; it will only be selections from the database that are relevant.

The best evidence rule is likely to be most problematic for digital records in situations where the
other party disputes the version of the record (claiming that the print-out is inaccurate or has been
tampered with). It will also matter in situations where it is impossible to accurately render what is
seen on-screen in a printed form. In that situation, one may wish to argue that the original is the
electronic version, and as such, constitutes the best evidence available. Legislation in many
countries has provided for the admissibility of digital evidence by enactment of statutory provisions.

The Qanun-e-Shahadat Order 1984


Recognizing the importance and ubiquity of evidence generated by modern devices, the Federal
Shariat Court observed in Muhammad Shahid Sahil v. State (PLD 2010 FSC 215) as follows:

“11. With the development of scientific knowledge provisions of the Code of Criminal Procedure
and Qanun-e-Shahadat Order, 1984 have to be construed afresh in the light of latest scientific
developments……

12. Article 164 of Qanun-e-Shahadat Order, 1984 has resolved the problem by enacting that in
such cases that the Court may consider it appropriate it may allow to be produced any evidence
that may become available because of modern devices or techniques.”

Article 164, Qanun-e-Shahadat, 1984, expressly authorizes the Court to allow the production of
evidence that may have become available because of modern devices or techniques in such cases
as it may consider appropriate. Audio cassettes and tape recordings were thus admissible in
evidence (Saifur Rehman Khan v. Shahab-ud-Din 1995 MLD 1485; Gulzar Hussain Awan v. Akbar
1999 YLR 2250). On the other hand, the Indian Supreme Court has clarified that a tape-recorded
conversation can only be relied upon as corroborative evidence of a conversation deposed to by any
of the parties to the conversation and, in the absence of evidence of any such conversation, the
tape-recorded conversation is indeed no proper evidence and cannot be relied upon (Mahabir
Prasad Verma vs. Dr. Surinder Kaur (1982) 2 SCS 258).

Extensive changes have been made by the legislature to the Qanun-e-Shahadat, 1984 through the
second schedule of the Electronic Transactions Ordinance, 2002 to meet situations like the
present one, and electronically gathered evidence is to be treated as primary evidence. The
Lahore High Court has discussed these developments in detail in Alamgir Khalid Chughtai v.
State (PLD 2009 Lah. 254) as follows:

“No doubt that criterion for assessing the admissibility, of the document or information, etc. is that
the same should remain complete and un-altered but at the same time it is also provided in the
above quoted law that if there is any addition in instrument, and that arise in normal course, and
the document is still complete and un-altered, that could not be brushed aside. The legislature in
its wisdom has amended the provision of Article 2(e) of Qanun-e-Shahadat, 1984 in terms of
section 29 of Electronic Transactions Ordinance, 2002 and by said Ordinance various changes
have been made in definition clause, by addition of Article 2(e) of the Qanun-e-Shahadat, 1984
and all the documents prepared, produced or generated through Modern devices are admissible
in evidence. So, thereafter there remains no ambiguity that any document electronically
transmitted was prepared whether the same is signed or unsigned could be questioned with
reference to the crimes which is subject matter of this appeal. For facility of reference section 29
and section 2 of the Electronic Transactions Ordinance, 2002 and Article 2(e) of Qanun-e-
Shahadat Order are re-produced:

"Section 29 Amendment of Presidential Order No.X of 1984.--For the purposes of
Ordinance, the Qanun-e-Shahadat, 1984 (P.O. No.10 of 1984) shall be read subject
to amendments specified in the schedule of this Ordinance."

"2(e) the expression, "automated", "electronic", "information", "information system",
"electronic documents", "electronic signature", "advanced electronic signature", and
"security procedure" shall bear the meanings given in the Electronic Transactions
Ordinance, 2002.”

Similarly extensive changes have been brought by the legislature in Qanun-e-Shahadat, 1984
through second schedule of E.T.O.2002 to meet with the situation like present one and
electronically gathered evidence is to be treated as primary evidence, so the documents tendered
in evidence from Exh.PA to Exh.Ph/1 are admissible and duly proved and there is nothing on
record which could show that narration therein was altered. I may observe here that this is a case
of cyber crime wherein latest technology was used whereby the whole operational system of the
State was by-passed meaning thereby an advance and most revenue generating department of
the State was set at naught with illegal installations. Such crimes have become rampant in the
society and that is the reason the legislature in its wisdom has provided a different criterion about
admissibility of evidence in such like cases. Now a days without any wire one can have the facility
of connection all over the world and the whole business of the world is going on through Internet,
E-Mail etc. and due to development in Science and Technology, it would not be possible to bring
on record the physical existence of everything, as the whole technology is based on satellite
operational net works.”

The Electronic Transactions Ordinance, 2002


Section 3 of the Electronic Transactions Ordinance, 2002 provides as follows:

Legal recognition of Electronic Forms


No document, record, information, communication or transaction shall be denied legal
recognition, admissibility, effect, validity, proof or enforceability on the ground that it is in
electronic form and has not been attested by any witness.

This provision would show that this is a special law, according to which, all the above documents,
record and information were admissible in evidence in their present form, even if those were not
attested by any witness.

The criterion for assessing the admissibility of the document or information is that it should
remain complete and unaltered; at the same time, the above-quoted law also provides that if
there is any addition to the instrument that arises in the normal course, and the document is
still complete and unaltered, it cannot be brushed aside. The legislature in its wisdom has
amended the provision of Article 2(e) of Qanun-e-Shahadat, 1984 in terms of section 29 of the
Electronic Transactions Ordinance, 2002, and by the said Ordinance various changes have been
made in the definition clause, by addition of Article 2(e) of the Qanun-e-Shahadat, 1984, and all
documents prepared, produced or generated through modern devices are admissible in evidence.

Other Requirements

Though it has been conclusively established in Arif Hashwani v. Sadruddin Hashwani (PLD 2007
Kar. 448) that digital evidence in the form of audio, video recorded cassettes, CDs, etc. is an admissible
piece of evidence in light of Arts. 164, 46-A, 70(8) (a), 73 & 2(1) (b), (c), (e) & (f) of Qanun-e-Shahadat
1984 and the provisions of Electronic Transmission Ordinance (LI of 2002), in deciding
whether to admit the electronic data into evidence, courts must confront concerns about the
reliability, accuracy, and authenticity of computer records. Law enforcement agencies and
prosecutors need to ensure that the evidence is authentic, complete, reliable and accurate, and that
the process of obtaining the evidence follows legal requirements. Some of the special, significant
challenges in having digital evidence admitted into court include:

• Were the records altered, manipulated, or damaged after they were created?
• Who was the author of the record?
• Was the program that converted the digital evidence to words or graphics reliable?

Section 5
Section 5 of the ETO 2002 provides that the requirement under any law for any document, record,
information, communication or transaction to be presented or retained in its original form shall be
deemed satisfied by presenting or retaining the same if, inter alia, the criterion for assessing the
integrity of the document, record, information, communication or transaction is whether the same
has remained complete and unaltered, apart from the addition of any endorsement or any change
which arises in the normal course of communication, storage or display.

Prosecutors should be conscious of the following when evaluating digital evidence to be
presented in a court:

a. Accuracy
The accuracy of computerized records may be impaired as a result of computer programming
errors, equipment malfunction, and data entry errors. The volume of relevant electronic data may
also impair a court’s ability to verify the information's integrity.

b. Authenticity
Evidence is not admissible unless it has been authenticated. Authentication means there is
information that can be presented in court to prove that what the person offering the evidence
claims it to be is what it in fact is. The requirement of authentication as a condition precedent to
admissibility is satisfied by evidence sufficient to support a finding that the matter in question is
what its proponent claims. The court warned in Arif Hashwani v. Sadruddin Hashwani (PLD 2007
Kar. 448) that the authenticity of digital evidence is always subject to proof in case the party
against which it can be used disputes or denies the authenticity and information contained in the
said electronic documents.

To demonstrate that digital evidence is authentic, it is generally necessary to satisfy the court that
it was acquired from a specific computer and/or location, that a complete and accurate copy of
digital evidence was acquired, and that it has remained unchanged since it was collected. In some
cases it may also be necessary to demonstrate that specific information is accurate, such as dates
associated with a particular file that is important to the case.

Establishing Authorship of the Record

• Where was the storage device (drive, disk, or other medium) found?
• What was the access of others to the storage devices/medium?
• Trace evidence on storage devices/computer components
• Passwords/screen names/chat names and who owned or had access to them
• Names of folders and labels upon which the data was contained
• Authorship tools that embed names of people who created or modified documents
• Source of e-mails that contain attachments
• Circumstantial evidence that the alias used is attributable to a particular person

Confusing Time Stamps


Issues involving time stamp metadata can confound the establishment of timelines of computer
activity (such as those that could corroborate alibis). Such information is not even required to be
provided in a uniform fashion. Law enforcement forensic reports may freely mix Universal (or
Greenwich Mean) Time, Standard Time and Daylight Saving Time, sometimes even without
annotation. If this is given only in the form of derivative evidence, there may be no easy way for
the defence attorney to correlate the various time conventions with the actual data, and much
effort may be expended by the forensic team in order to determine “what happened when” on the
computer.

Rarely is there any indication in the report as to whether the system clock was properly
functioning, or what its offset may have been to real-time. If the system was live when confiscated,
its clock would likely be viewable on the display, and this information should be recorded, but the
collection of such data is often curiously absent when times are critical to an effective defence. In
one case, hundreds of file time stamps extended for a half-day after the time when a live computer
was impounded, but the police investigator failed to account for the disparity in any reports, until
this issue was raised by defence.

Although Microsoft generally discredits the reliability of the “last accessed” timestamp, since it is
easily altered by system operations that are not directly user-initiated, either or both prosecution
and defence may choose to use this metadata if it is helpful to their construction. Best practice
should be to always disallow it for any use.
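
An added example (not part of the original manual) of the correlation work described above: time stamps reported under mixed conventions are placed on one UTC timeline, corrected for the system clock offset recorded at seizure, and any stamp later than the seizure time or lacking an annotation is flagged. The UTC+5/UTC+6 offsets, file names, times and function names are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example: local standard time is UTC+5 and daylight
# time is UTC+6. Substitute the offsets that applied where the machine ran.
CONVENTIONS = {
    "UTC": timezone.utc,
    "STD": timezone(timedelta(hours=5)),
    "DST": timezone(timedelta(hours=6)),
}
FORMAT = "%Y-%m-%d %H:%M:%S"


def to_utc(stamp, convention, clock_offset=timedelta(0)):
    """Convert one report time stamp to real UTC.

    clock_offset is (system clock - real time) as recorded at seizure;
    a clock running 10 minutes fast has clock_offset = +10 minutes.
    """
    if convention not in CONVENTIONS:
        raise ValueError(f"no time convention recorded for {stamp!r}")
    local = datetime.strptime(stamp, FORMAT).replace(tzinfo=CONVENTIONS[convention])
    return local.astimezone(timezone.utc) - clock_offset


def build_timeline(entries, seized_at_utc, clock_offset=timedelta(0)):
    """Place (file, stamp, convention) entries on a single UTC timeline.

    Returns (timeline, after_seizure, unannotated):
      timeline      - [(utc_datetime, file)] sorted by real time
      after_seizure - files stamped later than the seizure, which the
                      examiner must be able to explain
      unannotated   - files whose stamp cannot be placed at all
    """
    timeline, unannotated = [], []
    for name, stamp, convention in entries:
        if convention not in CONVENTIONS:
            unannotated.append(name)
            continue
        timeline.append((to_utc(stamp, convention, clock_offset), name))
    timeline.sort()
    after_seizure = [name for when, name in timeline if when > seized_at_utc]
    return timeline, after_seizure, unannotated


# Constructed sample data: file time stamps as they might appear across
# reports that mix conventions. None means the report gave no annotation.
SAMPLE_ENTRIES = [
    ("photo1.jpg", "2024-03-10 09:20:00", "UTC"),
    ("log.txt", "2024-03-10 11:00:00", None),
    ("notes.doc", "2024-03-10 14:05:00", "STD"),
    ("cache.dat", "2024-03-10 15:30:00", "DST"),
    ("index.dat", "2024-03-10 21:45:00", "STD"),
]
SEIZED_AT = datetime(2024, 3, 10, 10, 0, tzinfo=timezone.utc)  # constructed
CLOCK_OFFSET = timedelta(minutes=10)  # constructed: system clock 10 minutes fast


def demo():
    """Run the constructed sample and return printable results."""
    timeline, after, unannotated = build_timeline(
        SAMPLE_ENTRIES, SEIZED_AT, CLOCK_OFFSET
    )
    ordered = [(when.strftime("%H:%M"), name) for when, name in timeline]
    return ordered, after, unannotated


if __name__ == "__main__":
    ordered, after, unannotated = demo()
    for when, name in ordered:
        print(f"{when} UTC  {name}")
    print("stamped after seizure:", after)
    print("no convention recorded:", unannotated)
```

Sorting the raw strings would put photo1.jpg first; once the conventions and clock offset are applied, notes.doc is the earliest event and index.dat falls more than six hours after the seizure.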

c. Integrity
Maintaining the integrity of digital evidence throughout the process of examination presents
different problems from those encountered when handling traditional physical or documentary
evidence. Both for purposes of admissibility and persuasive value of digital evidence, it must be
shown in court that the information obtained from the media is a true and accurate representation
of the data originally contained in the media, irrespective of whether the acquisition was done
entirely by the investigator or in part or entirely by a civilian witness or victim.

Chain of custody and integrity documentation is critical for demonstrating the authenticity of digital
evidence. A proper chain of custody demonstrates that digital evidence was acquired from a
specific system and/or location, and that it was continuously controlled since it was collected.
Thus, proper chain of custody documentation enables the court to link the digital evidence to the
crime. Incomplete documentation can result in confusion over where the digital evidence was
obtained and can raise doubts about the trustworthiness of the digital evidence. Integrity
documentation helps demonstrate that digital evidence has not been altered since it was
collected.

After seizure, ensuring that the traditional chain of custody remains unbroken is necessary but
not sufficient to establish the authenticity of the data or evidence obtained from the forensic
examination. In case of digital evidence, two chains of custody may be involved: the physical item
itself and its associated data. The investigators must be aware that the chain-of-custody issues
regarding data are additional to the chain-of-custody issues regarding the physical item. In
addition to the traditional chain of custody, auxiliary precautions may be required for handling
digital evidence. Prosecutors need to consider the following key points:

• Has the data been produced in its entirety?
• Is it possible to demonstrate that no change has occurred to the data?
• Is there a complete audit trail for the handling of the data through to the production of
  exhibits?
• Would an independent third party be able to reproduce the steps taken and achieve the
  same results?

If the evidence is still on the original medium but the initial procedure used to gather the
information was less than ideal, law enforcement may be in a position to resolve evidentiary issues
even if they cannot perform their own collection process.

The investigation officer should be familiar with standards, policies, procedures, or other
guidelines followed by the examining expert, laboratory or unit, related to chain of custody, both
generally and for electronic evidence specifically. He should determine whether they have been
followed or whether a deviation has occurred and understand the effect that all deviations may
have on the case and be prepared to explain them.

To reinforce adherence to traditional chain-of-custody procedures, law enforcement investigating
a case involving digital evidence should ask the following questions to determine how evidence
was handled before they became involved.

1. What types of digital evidence have been collected prior to the involvement of law
   enforcement? For example, in a kidnapping case, does a hardcopy (printed) version of the
   e-mail exist? Is an electronic copy available? Does it contain full header information?
2. Who handled the evidence?
   a. Document the name and job function of each individual who handled the digital evidence.
      Be aware that more than one person could be involved in this process.
   b. Identify everyone who had control of the digital evidence after it was examined and before
      it was given to law enforcement.
3. How was the digital evidence collected and stored?
   a. Identify all tools or methods used to collect the digital evidence.
   b. Determine who had access to the digital evidence after it was collected; anyone with
      access to the evidence should be considered part of the chain of custody. Account for all
      storage of data.
4. When was the evidence collected? Document the date and time when the evidence was
   gathered (including a reference to time zone if necessary).
5. Where was the evidence when it was collected? Digital evidence may exist in more than one
   location simultaneously (e.g., e-mail may be located on the sender’s computer, the recipients’
   computers, and their respective ISPs).

Prosecutors should consider the following questions:

• What kind of machine/device held the digital evidence (is a serial number present)?
• Who had access to the machine/device?
• Who owned the machine/device?
• Was the machine/device shared?
• Was information retrieved from a network?
• Was information password protected?
• Who had access to password-protected information?
• Is the data located at an offsite location?

In Qurban Ali v. State (2007 P.Cr.L.J 675), it was argued that anyone can send an e-mail to any
other person if he or she knows the e-mail address or account name of that person. The address of the
telephone holder/owner could be obtained from PTCL/NTC. In that way the computer that sent the e-mail
could be identified and the data of the e-mail could be retrieved from it by using computer forensics
tools, and it is also possible to prove it in a court of law, provided a proper chain of custody is
mentioned. It was, however, difficult to identify the particular person who sent the e-mail; that was
the area where investigation by some police agency was required. No law exists by which cyber
cafés were required to keep a record of persons using their computers; in the
circumstances they did not keep a record of persons using computers, nor did they keep a history of data
for long. The Karachi High Court held that the prosecution in the case had not made any effort to
prove the e-mail in accordance with law; it could not be relied upon and was thus discarded.

d. Reliability
Digital records can be altered easily, and opposing parties may allege that digital records lack
authenticity because they have been tampered with or changed after they were created. Reliability
is required of the computer process and not that of the data content. A few things can be done to
reduce this possibility:

Metadata. A computer not only creates files in which data are stored; while it is doing so it also
creates ‘metadata’ files. Metadata is ‘data about data.’ It includes such information as when a
particular file was created, by which user of a computer, and whether the file has been
subsequently accessed or altered. The information stored within metadata can be used to build
timelines and establish alibis; it can shed light on a particular issue in a case, or it can be the turning
point altogether. It will also associate certain file types with the software designed to create and
read them. It is, therefore, important to seize the computer software to show computer-generated
‘associations’ between particular file types and software. Having the program that creates the
data goes a long way to prove that the same program will accurately print it out.

Hashing Codes. A hashing code is a mathematical algorithm performed against a file, a group of
files, or the contents of an entire hard drive. More simply, it is a method by which the metadata
associated with a file may be ascertained. A hash value is the digital version of
a thumbprint that, as of the creation of an electronic file, becomes permanent until such time as
that file is later altered, thus allowing that file or hard drive to be uniquely identified as it existed
at the time it was hashed. The two types of hashes commonly encountered are Message Digest
5 (MD5) and Secure Hash Algorithm 1 (SHA1). They both serve the same function in the
verification of evidence and they aid in the examination of digital evidence.

Hashing software is especially useful in demonstrating, for purposes of evidence authentication,
that the electronic file being offered as evidence at trial is the same file that was previously seized.
When a hard drive is hashed for verification purposes, the hashing process looks at all of the data
on the hard drive and creates a “digital thumbprint” for it. At this point, the hashing process has
performed its primary function, which is the verification of the data on the hard drive; the perfect
snapshot in time of the data has been created.

At this point, only the hard drive has a hash value. The files and documents that reside on the
hard drive do not yet have hash values of their own. A forensic
examiner can hash all of the files on the hard drive, giving each and every file a unique digital
thumbprint, or hash value. Hash values also allow a forensic examiner to take the hash value of
a known file and search the suspect’s device for that file, looking for an exact match of that hash
value. Since the hash value is created using the contents of the file and ignores the file name and
file extension, it does not matter if someone tries to hide it by changing the file extension.
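
An added example (not part of the original manual) of the workflow described above: every file is hashed at seizure, the evidence is re-verified later, and a known file is located by its hash after its name and extension have been changed. It computes the MD5 and SHA-1 values the text names and also SHA-256, which is an addition here because collisions have been demonstrated for both MD5 and SHA-1; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

# MD5 and SHA-1 are the algorithms the text names; SHA-256 is added here.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1024 * 1024):
    """Return {algorithm: hex digest} computed over the file's contents only.

    The file name, extension and time stamps are never fed to the hash.
    """
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def build_manifest(root):
    """Hash every file under root; keys are paths relative to root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the current state of root with a manifest taken earlier."""
    current = build_manifest(root)
    return {
        "altered": sorted(
            p for p in manifest if p in current and current[p] != manifest[p]
        ),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def find_known_file(root, known_sha256):
    """Return paths whose contents match a known hash, whatever they are named."""
    wanted = known_sha256.lower()
    return sorted(
        path for path, d in build_manifest(root).items() if d["sha256"] == wanted
    )


def demo():
    """Run the workflow on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "letter.doc": b"constructed letter text",
            "photo.jpg": b"constructed image bytes",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        manifest = build_manifest(root)            # taken at seizure
        untouched = verify_manifest(root, manifest)

        # Renaming changes the name and extension but not the contents.
        known = manifest["photo.jpg"]["sha256"]
        os.rename(os.path.join(root, "photo.jpg"), os.path.join(root, "holiday.txt"))
        hits = find_known_file(root, known)

        # A one-byte change to the contents changes every digest.
        with open(os.path.join(root, "letter.doc"), "ab") as fh:
            fh.write(b".")
        return untouched, hits, verify_manifest(root, manifest)


if __name__ == "__main__":
    untouched, hits, after = demo()
    print("verification before any change:", untouched)
    print("known file found as:", hits)
    print("verification after changes:", after)
```

The manifest reports the renamed file as missing under its old name and added under its new one, while the hash search still finds it; the one-byte edit is reported as an alteration.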

CASE EXAMPLES: METADATA AS EVIDENCE

Metadata and Timelines

A man was accused of molesting a girl while taking pictures of her using a camera. The pictures
were innocent in content. While this girl and her family were visiting his home, she asked the
accused to take pictures of her for her MySpace page. In the girl’s recount of the events, the
molestation was said to have happened over a 30-minute period, where the accused was
supposedly taking pictures of her, and in between taking the pictures was molesting her. A review
of the metadata in the pictures showed that the entire picture-taking session lasted a total of four
minutes and forty-six seconds. By examining the metadata of the first and last picture, the entire
time period of the picture-taking session could be shown, and by looking at all metadata for all
the pictures, it was revealed that no two pictures were taken more than 30 seconds apart. This
information was critical in refuting the charges, as the picture metadata painted an entirely
different picture than the girl’s story. What she claimed to have happened would have been
physically impossible to have occurred in a timeframe of four minutes and forty-six seconds.

Document metadata

A case involved a paper submitted to get promotion at a university. The professor was accused
of cheating and plagiarism from sources on the Internet. The document metadata revealed that
the paper was written over a period of several days, included 33 separate editing sessions and a
total writing time of over 800 minutes. This indicates that the professor did actually compose the
paper on the computer on which it was found. However, that alone is not enough. Using key
phrases and terms from inside the paper to perform a search of the professor’s hard drive, it could
be shown that no other references were on the computer hard drive that could have been copied
and pasted into the paper. The results of this investigation showed that the paper did not indicate
any plagiarism from Internet sources or other documents on the computer.

In addition, a prosecutor must be able to explain how an exhibit came into being:

• What does the computer system do?
• What are its inputs?
• What are the internal processes?
• What are the controls?
It is advisable that a proponent of digital evidence must delineate “the original source of the
computer program and the procedures for input control including tests used to assure accuracy
and reliability” as part of the foundation to ensure the reliability of the evidence. In terms of the
precise exhibit that is being produced, it is useful to be able to say:

• How the selection of the data in the exhibit was made?
• Why it can be regarded as “complete” in terms of the issues at hand?
• What procedures were used to collect the evidence such that it can be regarded as free
  from tampering?
• What procedures were used to preserve the evidence so that it can be regarded as free
  from subsequent tampering – this may take the form of imaging some computers or
  copying selected files to write-once data media such as CD or DVD, or making a digital
  fingerprint of the files?
• What manipulation or subsequent analysis was carried out to make the material “easier to
  understand” – this is a perfectly legitimate course of action, but in this event the original
  material should be exhibited so that the defence can test the manipulation or analysis.

Continued importance of traditional evidence


It should be remembered that not all computer operations leave digital traces and not all existing
traces can be linked to the suspect. For example, if a suspect uses a public Internet café to
download child pornography, it is not possible to match the download process to an identifiable
person if he did not register or leave any personal information. In this case the record of a video
surveillance camera could be useful if available. With regard to those crimes that include financial
transactions, the investigation should take into consideration records kept by financial
organisations to identify the offender.

Case Study – Daniel Pearl’s Case


In the case of the abduction and later murder of the journalist Daniel Pearl in Karachi, the ransom
notes were the tipoff. In sending those notes by e-mail, the kidnappers unintentionally gave
investigators an electronic trail they could trace back to the sender’s computer. On February 4,
2002, the police traced the e-mails and photos announcing Pearl’s kidnapping and ransom
request to Speedy Internet, a Karachi Internet café owned by a Pakistani, Sheikh Naeem. The
owner produced records showing that a young man, an unemployed computer programmer
named Fahad Naseem, had sent the e-mails. The tipoff led police to him, and they grabbed him; they
found, sitting on a table in plain view, a laptop computer and hard drive, and a scanner. For hours, at
the U.S. Consulate, FBI computer forensics expert Ronald J. Wilczynski dug into the hard drive,
which had been reformatted to hide its old contents. He looked in the directory for clues, did a
search of Pearl’s name but found nothing. He found a job inquiry letter Naseem had written,
asserting, “I believe in personal ethics such as integrity, honesty, and accountability for actions
taken.” Then, the computer forensics expert took a word from one of the ransom notes:
“Amreeka.” He got his first hit: an electronic trail of the ransom notes. He searched for photos and
found hostage photos of Pearl. The FBI agent also found web pages that showed browsing to
news websites prior to the kidnapping and Naseem’s résumé and cover letter to potential
employers. Fahad Naseem later fingered the kidnapping instigator as a man named Omar Sheikh,
an all-around bad guy known in radical circles for kidnappings and ties to Pakistani militants.

Sample qualification questions for digital evidence/forensics expert witness

1. Please state your full name.
2. What is your official address?
3. Where are you employed?
4. What is your position there?
5. How long have you been employed at this organization?
6. What is your job function at this organization?
7. Where were you employed prior to your current job?
8. What was your position there?
9. How long were you employed there?
10. What was your job function at that company?
11. How long have you been doing computer forensics?
12. Have you ever been hired as a computer forensics expert in the past?
13. Have you ever testified in the area of forensics or appeared as a witness in a court?
14. How many times have you appeared as a digital forensics expert witness?
15. Have you received any training specific to computer forensics?
16. Do you hold any course certifications specific to digital forensics?
17. Do you have a degree or certificate in digital forensics?
18. Can you briefly explain what digital forensics is?
19. Can you briefly explain chain of custody?
20. Have you published any articles in the area of digital forensics?
21. Have you ever been invited to speak at any conferences related to digital forensics?

Some Useful Computer Terms


It is helpful to know the definitions of some terms related to electronic information when attempting
to obtain discovery of computer-related information. The following list includes several basic terms
that an attorney should know to assist in understanding electronic information.

Active Data - These are the currently-in-use data files. They may be stored on any computing
device, not just the hard disks of a network server.

Backup Data - Information copied to removable media (tapes, Zip™ drives, CD-ROM, etc.) to
be used to re-establish the system in the event of a failure. Normally the data is stored in a
compressed form that must be “restored” before it is usable.

Bookmarks - More accurately called network addresses, these are shortcuts that mark a location
on a network to which the computer can quickly return “at the push of a button.” The marker is
typically created automatically upon the request of the computer user and stored on the user’s
computer.

Cache Files - These files record Internet addresses visited by the user and graphic elements of
the Web pages visited. These files are created and stored automatically by the user’s computer,
and provide detailed trail markers identifying the path the user has travelled on the internet.

Cookies - These files contain bits of information about the user and/or the use of the computer,
such as the user ID, details the user may have filled out on a form, past purchases and other
personal data. The files are placed on the hard drive by the web-site operators. Cookie “crumbs”
are sent back to the Web site every time the computer returns there, so the Web site can track the
user’s patterns and preferences.

Embedded data - This is information contained within an electronic version of a document that
is not usually apparent on screen or in the printed “hard copy.” Examples of the information
revealed by these “byte-marks” are the date the document was created, the identity of the author,
the identity of subsequent editors, the distribution route for the document, and even the history of
editorial changes (for example, pieces of the drafts leading up to the latest version of the
document may be invisibly and automatically saved by the computer and hidden in the files). This
information is also called “metadata.”

Legacy Data - Older information stored in an electronic format that can no longer be read using
current software or hardware.

Replicant Data - These files are automatically created as part of a redundant system designed
to eliminate system failures (or down-time).

Residual Data - This information includes the entirety or remnants of deleted files to which the
file reference has been removed from the directory listings, making the information invisible to
most application programs. Because the name is removed from the directory and from the file
allocation table (FAT), the file does not appear to exist. However, the digital information remains
on the media until it is overwritten by new data.

Daniel Pearl’s Case Judgment

In The Court of Judge, Anti-Terrorism, Hyderabad Division & Mirpurkhas Division, at Hyd.

Spl. Case No. 26/2002

The State Versus

(1) Fahad Naseem Son of Naseem Ahmed, (2) Syed Salman Saqib son of Syed Abdul Rauf, (3)
Shaikh Muhammad Adil Son of Abdul Shakoor, (4) Ahmed Umer Shaikh alias Muzaffar Farooq
alias Amin alias Bashir Son of Saeed Ahmed Shaikh.

Police Crime No. 24/2002 Under Section 365-A/368/302/109/201/120-A/34 PPC read with
Sections 7-a, 8(a) (b) (c) 11/A (a) (b) (c), 6(2) (b) (c) (e) (f) 11/H (3-4), 11/V(I) (a) (b) (2), 11/L(a)
(b) 7(a) (b) (2), 11/H(2) (a) (b), 11/W (1) (2), 7 of the Anti Terrorism Act, 1997, Police Station
Artillery Maidan Karachi (South).

Mr. Raja Qureshi, learned Advocate General, Sindh along with Barrister Zahoorul-Haq, Special
Public Prosecutor, Mr Shahabuddin Memon, assisted by Miss Masooda Siraj Advocate.

Mr Abdul Waheed Katpar and Mr Mohsin Imam learned Advocate for accused Ahmed Omar
Saeed Shaikh.

Mr Rai Bashir Ahmed and Mr Muhammad Waris Parwana learned Advocate for accused Fahad
Naseem, Syed Salman Saqib and Shaikh Muhammed Adil, and Mr Choudhry Muhammad Jamil,
learned Advocate for the complainant along with Mr Muhammed Zaheer Ahmed Advocate.

JUDGMENT
01. The instant case has been received in this court under the orders of the Honourable High
Court of Sindh, Karachi on 2/5/2002 vide such order dt. 30/4/2002.

02. On 29th March 2002, the above named accused were challenged by Hameedullah Memon,
Investigating Officer of C.I.A. Police Karachi to face trial for the offences punishable under the
aforementioned sections before the learned Administrative Judge, who accepted the final challan
and directed the case to be registered, where after the case was ordered to be transferred and
assigned to the Anti Terrorism Court No. III Karachi, for disposal according to law and the hearing
was adjourned to 5/04/2002.

It appears that in the intervening period, the venue for trial was notified by the Home Department,
Government of Sindh directing the trial of this case to be conducted inside the Karachi Central
Jail from 5/04/2002 by the learned Anti Terrorism Judge, Court No. III Karachi. On 5/04/2002,
compliance of Section 16 of the Anti Terrorism Act appears to have been made by the learned
Predecessor of this Court. Copies were supplied to the accused persons in compliance of Section
265(c) Cr. P.C. On 5/04/2002, non-bailable warrants were issued against the absconders
reflected in Column No. 02 of the challan sheet and the matter was then adjourned. On
12/04/2002, non-bailable warrants were returned un-executed and accordingly, Proclamation
was ordered to be issued to be returned on 22/04/2002.

03. Thereafter, record reveals that the R&Ps of the case was received by way of transfer from the
Court of the Judge Anti Terrorism III Karachi vide order passed by the Honourable High Court of
Sindh in Criminal Misc. Application No. 91/2002 dated 19/04/2002. Prior to the receipt of the case
by the learned Anti Terrorism Court No. II, record shows that the case was while being tried by
Anti Terrorism Court No. III at Karachi, the accused had filed a Criminal Transfer Application No.
91/2002 on the ground that the learned Anti Terrorism Court No. III presided over by learned
Judge Mr. Arshad Noor could not conduct trial of this case against the accused persons as in the
challan submitted by the prosecution certain utterances were made before the learned said
Presiding Judge by the accused person and four police personnel were cited as prosecution
witnesses as to that effect. That the learned Anti Terrorism Court No.II proceeded to frame the
charge against all the accused persons on 22/04/2002 and on 22nd April 2002, the case appears
to have been bifurcated and separated for trial in respect of the absconding accused and before
the commencement of the trial, the learned Presiding Judge took Oath again as required under
Section 16 of Anti Terrorism Act, 1997. After completing the formalities, the charge was framed
to which the accused pleaded not guilty and wanted trial. As per record of this case reveals that
as many as six Prosecution witnesses were examined by the learned Presiding Judge of the Anti
Terrorism Court No. II at Karachi (my learned predecessor), when the prosecution appears to
have filed an application for transfer before the learned Division Bench of the Honourable High
Court of Sindh bearing Criminal Transfer Application No. 12 of 2002 which was allowed vide order
dt. 30/04/2002. In the said application, transfer had been sought by the prosecution on the ground
of reports of various intelligence agencies and Government departments from where the following
facts had surfaced:-

"a. That there is a threat of blowing up of the premises where the proceedings are taking place;
and

b. That there is threat of elimination of the prison staff, Investigating Agency, Prosecution Team
and witnesses".

04. Based on the aforementioned grounds, the case was directed to be transferred from Anti
Terrorism Court No. II, Karachi to Anti Terrorism Court, Hyderabad, presided over by the
undersigned. It further seems that the order of transfer of this case to this court at Hyderabad
inside Jail was questioned by the accused persons before the Honourable Supreme Court of
Pakistan vide Crl. Petition for leave to Appeal No. 126 of 2002 which on hearing was dismissed
by the Hon'ble Supreme Court of Pakistan. Resultantly, after examination of as many as six
Prosecution witnesses, the trial had recommenced in this court and had concluded in this court.
The case was received in this court on 2nd May 2002 for continuing to commence with the
recording of P.W-7. In order to streamline the process, it would be profitable to mention that the
six prosecution witnesses were examined by my learned Predecessor were: P.W 1 Nasir Abbas;
P.W. 2 Jamil Yousuf; P.W. 3 Javed Abbas; P.W. 4 Faisal Noor; P.W. 5 ASP Athar Rasheed Butt;
and P.W. 6 Asif Mahfooz Farooqi.

05. Now the brief facts of the prosecution case are that on 4/02/2002, one Mariane Pearl residing
at 19/1 Zamzama Street D.H.A. Phase-V Karachi under her signatures addressed a letter to the
Station House Officer of Artillery Maidan Police Station, Karachi wherein she placed information
on record in the following terms: - The contents of the letter have been incorporated in FIR and
F.I.R. was registered.

"My husband, Daniel Pearl, a U.S. National and South Asia Bureau Chief of the Wall Street
Journal, was on assignment in Pakistan. He disappeared on the 23rd of Jan. 2002 and has not
come back since that date. I came to know from driver Nasir Abbas son of Muhammad Din of
Taxi Registration No. PL-1676 that Mr. Abbas dropped my husband in front of the Village
Restaurant in Saddar, Karachi. My husband's whereabouts have not been determined since that
time.

I first heard of my husband's kidnapping from e-mail message received on the 27th of January
2002. The e-mail message included photographs that showed my husband held in detention in
inhuman conditions. The writer(s) of the e-mail wrote that they had abducted my husband in
retaliation for the imprisonment of Pakistani men by the U.S. Government in Cuba and other
complaints.

The unknown accused persons had demanded the provision of Lawyers to Pakistanis detained
in the U.S., the release of the Pakistanis jailed in Cuba to Pakistan, the return of former Taliban
Ambassador Mulla Zaeef to Pakistan and the delivery of F-16 fighter jets to Pakistan or the
repayment of money allocated for those F-16 jets as well as 15 per cent interest.

In a subsequent e-mail received on 30/01/2002, the unknown accused threatened to kill my
husband within 24 hours if their demands were not met. I approached you for registration of this
case and request that you return my husband from his kidnappers.

Sd/- Mariane Pearl 19/1 Zamzama Street, Defence Phase V, Karachi.

Karachi, 4/02/2002."

06. The above complaint was produced by P.W. 17 ASI Aslam Jatt and was taken on record as
Ex. 63/A under Section 154 Cr. P.C.

07. Now in this case, the prosecution side has examined the following P.Ws, P.W-1 Nasir Abbas
Ex. 28, P.W-2 Jameel Yousuf Ex. 31, P.W-3 Javed Abbas Ex. 32, P.W-4 Faisal Noor Ex. 33, P.W
5 Athar Rasheed Butt Ex. 34 PW 6 Asif Mehfooz Farooqi Ex. 36, P.W-7 Aamir Afzal Ex. 48, P.W-
8 Ronald Joseph Ex. 49, P.W-9 Erum Jahangir, Judicial Magistrate Ex. 50, P.W-10 Ghulam Akbar
Jafferi Handwriting Expert, Ex. 51, P.W-11 Muhammad Iqbal Awan H.C. Ex. 52, P.W-12 John
Molligan Ex. 54, P.W-13 Rajesh Kumar Ex. 55, P.W-14 Shaikh Naeem Ex. 58, P.W.-15
Muhammed Usman Ex. 59, P.W-16 Muhammad Arif Ex. 60, P.W-17 Muhammad Aslam Jatt Ex.
63, P.W-18 Mehmood Iqbal Hashmi Ex. 64, P.W-19 Muhammad Ali Balouch Ex. 65, P.W-20
Zaheer Ahmed Ansari Ex. 66, P.W-21 Ronald D. Bennet Ex. 67, P.W-22 Inspector Rao
Muhammad Aslam Ex. 78 and P.W-23 Inspector Hameedullah Memon, I.O. Ex. 80. The
prosecution side had dropped the remaining witnesses vide their Statement Ex. 96 dt. 21/06/2002.
The prosecution also dropped the complainant vide its Statement Ex. 83 dt. 5th June 2002.

08. The statements under Section 342 Cr. P.C. of the accused persons are at vide Ex. 97, 98, 99
and 100 respectively. The accused Omer Shaikh Ex. 97 had led his defence and examined two
defence witnesses namely D.Ws Muhammed Rauf Ahmed Shaikh 101 and Saeed Ahmed Shaikh
Ex. 103. The remaining accused persons have produced certain documents viz accused Adil
Shaikh produced documents Ex. 106/1 106/2, 106/3, and accused Fahad Naseem Ex. 107
produced his documents Ex. 107/1, 107/2, 107/3, 107/4, 107/5, 107/6, 107/7, 107/8, 107/9,
107/10, 107/11, 107/12, 107/13, 107/14, 107/15, 107/16, 107/17 and accused Syed Salman Saqib
Ex. 108 produced defence documents Ex. 108/1 to 78 and 108/79 to 82. The defence Advocates
close their sides vide Statement Ex.111 dt. 4/07/2002. The final arguments were made as
required under Section 265-C Cr. P.C. Now, since the accused party have led defence, therefore,
the arguments of the learned defence counsels were heard and then the prosecution side was
heard as required under Section 265-G Cr.P.C. The accused have not examined themselves on
oath though opportunity was provided.

09. In the instant case the points for determination are as under:-

(1) Whether the accused along with the absconding co-accused hatched a conspiracy on
11/01/2002 at Room No.411 Akbar International Hotel, Rawalpindi to abduct Daniel Pearl, a
Jewish American citizen, a professional journalist belonging to the Wall Street Journal, U.S.A. for
raising demands of ransom?

(2) Whether in pursuance of the conspiracy hatched, the accused persons had abducted Daniel
Pearl on 23/01/2002 at about 7.00 p.m. near the gate of hotel Metropole, Saddar, Karachi,
adjacent to Village Restaurant to an unknown destination and detained him in their captivity?

(3) Whether after abducting Daniel Pearl the accused transmitted the demands for ransom
through e-mails dt. 27/1/2002 (with documents) to Wall Street Journal amongst others, and the
complainant Mariane Pearl in the following terms:-

a) Lawyers should be provided to the Pakistani detainees with the FBI so that they (Pakistanis)
can fight their case.

b) The Pakistani detainees who are jailed in Cuba should be kept in Pakistani Jails so that they
could fight their case in Pakistani Courts.

c) The return of former Taliban Ambassador Mulla Muhammed Zaeef to Pakistan.

d) Delivery of F-16 fighter jets to Pakistan or the repayment of money allocated for those F-16
jets as well as 15 per cent interest.

(4) Whether the accused after having failed to receive the demanded ransom had sent yet another
e-mail (with documents) to the complainant on 30th Jan 2002 threatening to kill Daniel Pearl within
24 hours if their demands were not met?

(5) Whether the accused on or after 30th January 2002 committed murder of Daniel Pearl by
slaughtering and caused the evidence of the dead body to disappear?

(6) Whether the accused in collusion with the absconding co-accused prepared, recorded and
transmitted the video cassette of slaughter of Daniel Pearl which conveyed the visual images and
sounds, the effect of which has struck terror, fear, sense of insecurity in society?

(7) Whether all accused persons have aided, abetted, participated, committed acts for achieving
the objective of the hatched conspiracy of kidnapping for ransom, raising demands of ransom,
and causing murder of Daniel Pearl?

(8) What offence, if any, the accused have committed?

My findings on the above Points are as under for the following reasons:-

Point No. 01 "Proved"
Point No. 02 "Proved"
Point No. 03 "Proved"
Point No. 04 "Proved"
Point No. 05 "Proved"
Point No. 06 "Proved"
Point No. 07 "Proved"

Point No. 08 :"Accused Fahad Naseem s/o Naseem Ahmed, Syed Salman Saqib S/o Syed Abdul
Rauf Shaikh, Muhammed Adil S/o Abdul Shakoor, and Ahmed Omar Saeed Shaikh alias Muzaffar
Farooqi alias Amin alias Bashir S/o Saeed Ahmed Shaikh have committed the offences under
Sections 365-A, 120-A, 302 PPC read with Section 6 of the Anti Terrorism Act, 1997 and as such
accused Ahmad Omer Saeed Shaikh is sentenced and convicted under Section 7 of Anti
Terrorism Act, 1997 to death to be hanged by the neck till he is dead and the remaining accused
persons namely Fahad Naseem, Syed Salman Saqib, and Muhammed Adil Shaikh are sentenced
and convicted under Section 7 of the Anti Terrorism Act, 1997 for life imprisonment and also to
pay fine of Rs. 5,00,000/- (Five lacs) each. In case of non-payment of fine, accused shall undergo
R.I. for Five (5) Years more. This court also directs all the accused persons to pay jointly a sum of
Rs. 20,00,000/- (Twenty lacs) which shall be paid by them in equal share to be paid to the widow
of abductee and his orphan. The imprisonment sentences shall run concurrently and benefit of S.
382-B Cr.P.C. is given to the accused persons.

10. Reasons Point No. 01. In order to prove this point, the prosecution side has examined P.W-6
Asif Mehfooz Farooqi and P.W. 7 Aamir Afzal Qureshi. P.W. Asif Mahfooz Farooqi is a Journalist
and as per prosecution version and he had association and posted in Pakistan on behalf of J.I.J.I.
Press Tokyo. He was previously known to Daniel Pearl and had worked for a week at Islamabad
with Daniel Pearl. He had arranged a meeting of Daniel Pearl with accused Ahmed Omar Saeed
Shaikh alias Basheer at Room No. 411 at Akbar International Hotel, Rawalpindi and he has
identified accused Ahmed Omar Saeed Shaikh alias Bashir to have been the person who had a
meeting at Room No. 411 on 11/02/2002 before the Judicial Magistrate P.W. 9 Erum Jehangir.
He has identified the accused Ahmed Omar Saeed Shaikh as Bashir in the proceedings of the
case.

11. About this witness the learned defence counsel Mr. Abdul Waheed Katpar has argued out
that this witness is a set up witness and no any conspiracy was made as alleged by the accused
Omer Saeed Shaikh regarding the Daniel Pearl. The learned defence counsel Mr. Abdul Waheed
Katpar in support of this arguments has referred Section 120-A PPC and according to him in this
case the total accused are eleven in number and how such huge No. of the accused persons can
assemble in a hotel located at Pindi to make a conspiracy as alleged regarding Daniel Pearl. The
learned D.C. Mr. Katpar has submitted in his arguments that the identification test held before the
Judicial Magistrate P.W. 9 Erum Jahangir in the presence of this P.W. regarding accused Ahmed
Omer Saeed Shaikh was quite illegal as according to him the accused was not given chance to
cross this witness through his advocate.

According to Mr. Katpar the learned D.C. the evidence of this P.W. can not be believed as true.
The learned defence counsel Mr. Abdul Waheed Katpar has argued that this witness at the time
of identification has not disclosed the role which was played by the accused Ahmed Omer Saeed
Shaikh, therefore, according to him the identification test held before the Magistrate is without any
legal force. The learned D.C. Mr Katpar in support of his arguments has referred PLD-1981-SC-
143 in a Criminal Appeal of Lal Pasand - appellant vs. The State respondent. He also referred
Article 129, 122 of Qanun-e-Shahadat Order 1984 in support of his arguments and he contended
that the prosecution side has failed to prove this allegation of conspiracy allegedly made by the
accused Ahmed Umer Saeed Shaikh.

12. Mr. Rai Bashir Ahmed the learned defence counsel for the remaining accused persons and
for Ahmed Umer has in his arguments also assailed upon the evidence of this P.W. and has
contended that this witness is a false witness and his testimony cannot be believed as to be true.
No conspiracy as alleged against accused persons regarding Daniel Pearl was hatched. The
identification test held before the Judicial Magistrate P.W-9 Erum Jahangir about accused Omer
Shaikh does not carry any legal weight. According to these learned defence counsels, the case
is full of doubt and benefit of doubt therefore must go to the accused persons. This learned
defence counsel in support of their arguments has referred 1989-SCMR-2056 (a) Sher
Muhammed - The Petitioner vs. Revenue Officer and others Respondents, 1989-SCMR-720
Shahmir - appellant Vs. Muhammed Afzal and two others respondents.

13. As against this, the learned Advocate General Mr Raja Qureshi has submitted in his
arguments that this P.W. Asif Mehfooz Farooqi is a true witness. This witness has rightly identified
accused Ahmed Omer Saeed Shaikh alias Bashir as Bashir in the proceedings of the case.

14. Now about P.W. 7 Aamir Afzal Qureshi. Both the learned defence counsels have argued out
that this witness is also false witness and the prosecution side has failed to produce the record of
the employment of this witness in Akbar International Hotel Rawalpindi where he was employed
as per prosecution story and this witness according to the learned defence counsel has given a
false story that accused Ahmed Omer Saeed Shaikh was occupying a room No. 411 in the name
of Muzaffar Farooq. The learned defence counsel has also argued out that this P.W. Aamir Afzal
Qureshi has not produced a register showing the entries of incoming and outgoing of the
customers to whom the rooms of the hotel were allotted and showing that the accused Ahmed
Omer Saeed Shaikh was given room No. 411 on the date and time. Both the learned defence
counsels in their final submissions have contended that evidence of this P.W. is not trustworthy.

15. As against this, Mr Raja Qureshi the learned Advocate General has argued out that the
evidence of this P.W. Aamir Afzal Qureshi is confidence inspiring because this P.W. has produced
a record which are the receipt of the hotel confirming Room No. 411 to be in possession of
accused Ahmed Umer Saeed Shaikh and this witness has identified accused Ahmed Omer Saeed
Shaikh rightly at the time of identification test held before the Judicial Magistrate Erum Jahangir
P.W-9 in the proceeding of this case.

16. I have given my considered view to the arguments advanced by the learned defence counsels
and the learned Advocate General and I have perused the evidence of above P.Ws on record. I
find that P.W 6 Asif Mahfooz Farooqi is a journalist and had association with Daniel Pearl having
his meeting on 22nd Dec. 2001 at Islamabad. He was working for a Japanese news agency and
the Predecessor of Daniel Pearl for whom Asif Mahfooz Farooqi was working had instructed him
to remain in association with Daniel Pearl being the successor from the Wall Street Journal.

It appears from the record that Daniel Pearl and P.W-6 Asif Mahfooz Farooqi worked as Journalist
collectively and in discussion it further appears that Daniel Pearl had asked this witness that a
news item had appeared in the American newspaper in relation to one Richard Reed, who
according to Daniel Pearl had come to Pakistan and had stayed with Syed Mubarak Shah Gilani
at Lahore. This Richard Reed was alleged to have planted bomb in his shoes in order to blow up
an aircraft in the United States. It was in this perspective that led Daniel Pearl to meet Syed
Mubarak Shah Gilani.

Accordingly, P.W-6 Asif Mahfooz Farooqi was asked whether he could arrange a meeting of
Daniel Pearl with Syed Mubarak Shah Gilani in response to which the witness said he will make
his efforts to do so and accordingly a meeting did take place at Room No. 411 of Akbar
International Hotel on 11/01/2002 which appears to have been participated by Asif Mahfooz
Farooqi, Bashir and one Arif alias Hashim, absconding co-accused. Through this witness, it has
come on the record that Bashir in fact was the alias of accused Ahmed Omar Saeed Shaikh
whereas Arif is one of the absconding accused person reflected in the challan in the name of
Hashim alias Arif son of Qari Abdul Qadeer.

In this meeting Daniel Pearl in the presence of P.W. 6 expressed his desire to meet Pir Mubarak
Shah Gilani when accused Ahmed Omar Saeed Shaikh alias Bashir placed himself as a "Mureed"
to Pir Mubarak Shah Gilani before Daniel Pearl. Thereafter, Daniel Pearl informed P.W. 6 that
Bashir who in fact was accused Ahmed Omar Saeed Shaikh had already arranged his meeting
with Pir Mubarak Shah Gilani but in the city of Karachi. It was on 23/01/02 between 3 to 4 p.m.,
that P.W-6 received a phone call from Daniel Pearl at Karachi asking him as to whether it was
safe for him to be meeting Syed Mubarak Shah Gilani.

In response to this query, a quick answer that was responded to by P.W. 6 was to effect that if
Syed Mubarak Shah Gilani is a public figure then there was no harm in meeting him. Thereafter,
on the following day, i.e. 24/1/2002 P.W-6 received a call from complainant Mariane Pearl
informing that Daniel Pearl has not returned home since the previous day i.e. 23/01/2002 and
asked as to whether P.W-6 knew his whereabouts. PW-6 has identified the said Bashir available
in Room No. 411 at Akbar International Hotel to be accused Ahmed Omar Saeed Shaikh before
the learned Judicial Magistrate (P.W-9) in the identification parade held on 26/02/2002 and has
also identified Bashir in Court as accused Ahmed Omar Saeed Shaikh who had in court disclosed
his name to be Ahmed Omar Saeed Shaikh, upon being identified as Bashir.

17. It would be seen that the very meeting which took place at Room No. 411 was aimed to
conspire and abduct Daniel Pearl, an American Citizen a Journalist of Wall Street Journal to raise
their demands for ransom after abducting Daniel Pearl. Such conspiracy was between accused
Ahmed Omar Saeed Shaikh and Hashim alias Arif son of Qari Abdul Qadeer (absconding
accused). It would thus be seen that on 11/01/2002 at Room No. 411 of Akbar International Hotel,
Rawalpindi is the venue where in the conspiracy to kidnap Daniel Pearl takes place and there is
a meeting of minds between accused Ahmed Omar Saeed Shaikh and absconding accused
person Arif alias Hashim for kidnapping of Daniel Pearl. This conspiracy was based on the
fictitious mode of arranging a meeting of Daniel Pearl with Syed Mubarak Shah Gilani by Ahmed
Omar Saeed Shaikh posing to be a Mureed of Pir Mubarak Shah Gilani and that by posing under
a different name of Bashir.

18. I also find that P.W-7 Aamir Afzal Qureshi who is a receptionist of Hotel Akbar International,
Rawalpindi who has provided the record in respect of Room No. 411 to the Investigators as to
under whose occupation the said Room No. 411 was on 11/01/2002 upto 12/01/2002. On
examining the record, he has stated that the same was occupied by a person named Muzaffar
Farooq who had stayed there for one night i.e. checked in on 11/01/2002 and checked out on
12/01/2002. He further stated that it was the investigator to whom record was provided and who
had informed him that the person who had occupied Room No. 411 on 11/02/2002 was not
Muzaffar Farooq but was actually accused Ahmed Omar Saeed Shaikh. P.W-7 Aamir Afzal
Qureshi further disclosed that a foreigner had also come to meet the guest in Room No. 411 which
foreigner was disclosed by the investigator to P.W-7 to be Daniel Pearl. Record of Hotel in respect
of Room No. 411 of 11/01/2002 and 12/01/2002 are Ex.P-10/1 1 upto Ex. P-10/4.

19. It would thus be seen that P.W-7 identifies accused Ahmed Omar Saeed Shaikh alias Muzaffar
Farooq present before this court and had pointed out to him rightly as per the record of this case.

20. It would thus be seen that the elements of conspiracy being hatched could be gathered from
the aspect that while accused Ahmed Omar Saeed Shaikh checks into Room No. 411 at Akbar
International Hotel, Rawalpindi he gets his name recorded in the Hotel record as Muzaffar Farooq
and once he had checked in and a meeting has been arranged between him and Daniel Pearl
through absconding accused Arif he identifies himself to be Bashir to Daniel Pearl and P.W-6 Asif
Mahfooz Farooqi identifies accused Ahmed Omar Saeed Shaikh in the identification parade as
Bashir whereas P.W-7 Aamir Afzal Qureshi identifies Ahmed Omar Saeed Shaikh in court as
Muzaffar Farooq. This aspect coupled with the photocopy of the NIC in the name of Bashir and
original identity card of Rauf Ahmed Siddiqi reflecting photograph of accused Ahmed Omar Saeed
Shaikh recovered at the time of his arrest on 13/02/2002 by P.W-23 reflecting the documents i.e.
NIC the photograph of accused Ahmed Omar Saeed Shaikh to be under the identity of Rauf
Ahmed Siddiqi which has been duly confirmed by the National Registration Office at Multan Ex.
80/1 to be bogus and corroborates his criminal conduct.

21. Hence a comfortable conclusion could be arrived at that a conspiracy was hatched on
11/01/2002 at Room No. 411 of Akbar International Hotel, Rawalpindi to abduct Daniel Pearl, an
American Citizen, a Professional Journalist belonging to the Wall Street Journal under the garb
of arranging a meeting for him with Pir Mubarak Shah Gilani. Both these above witnesses were
subjected to extensive cross examination and their testimonies could not be shattered by their
learned defence counsels. Hence Point No. 1 is proved. This Point is answered accordingly.

Point No. 02.

22. In order to prove this point the prosecution has examined P.W-1 Nasir Abbas and P.W. 2
Jameel Yousuf, Ex. 28 and Ex. 31 respectively. P.W. Nasir Abbas is an eyewitness. He is Taxi
Driver, who had last dropped Daniel Pearl in front of Village Restaurant adjacent to Hotel
Metropole. He had seen Daniel Pearl to have been made to sit in a white Toyota Corolla Car by
accused Ahmed Omar Saeed Shaikh. He has further identified Ahmed Omar Saeed Shaikh sitting
in a white car with whom Daniel Pearl also sat. He participated in the identification parade test
held on 6/03/2002 before Judicial Magistrate. He is also a mashir of vardat. Such mashirnama
was executed on 5/02/2002 at 1445 hours along with co-mashir H.C. Aashiq Ali. He had also got
recorded his statement under Section 164 Cr.P.C. before the Judicial Magistrate when he was
not cross examined by the counsel for the accused before the Judicial Magistrate, though
opportunity was adequately provided. He has also identified the accused in Court.

23. P.W-2 Jameel Yousuf in his deposition on record has stated that he is Chief of CPLC Karachi.
He has further stated that Daniel Pearl had taken an appointment on 22/01/2002 from him to
discuss Police Rules which appointment was fixed for 23/01/2002 at 5.15 pm. Accordingly, Daniel
Pearl reached the Governor's House where the office of CPLC is situated through gate No. 4 of
the Governor's House. While Daniel Pearl was sitting with P.W-2, two calls were received by
Daniel Pearl, the first call being around 5:50 or 5:52 pm which appeared to have originated from
the office of Daniel Pearl which were overheard by P.W-2 to be relating to general discussion of
the office of Daniel Pearl.

The second call was stated by this witness to have been received by Daniel Pearl at 6:28 pm
while Daniel Pearl was in the office of P.W-2. This witness informs that Daniel Pearl told the caller
who had called at 6:28 p.m. that he is very close to the venue for his appointment with the caller
and that he will be there at 7:00 p.m. This P.W-2 further testifies that Daniel Pearl departed from
his office at 6:45 pm where after on the following day he had proceeded to Islamabad to have a
meeting with the Minister of Interior and while being in the meeting he had placed his telephone
on vibration so as to get the messages recorded.

He states to have received messages of Mariane Pearl amongst others, while in the meeting with
the Minister of Interior and after having been free from the meeting, he called Mariane Pearl to
ask the reasons as to why she called P.W-2. She informed P.W-2 that where did Daniel Pearl go
after he left his office to which he expressed no knowledge but he did specify to her that while
Daniel Pearl was sitting with P.W-2, two calls were received by him on 23-01-2002 between 5:15
pm to 6:45 pm when he departed wherein Daniel Pearl had assured the caller to be there for his
appointment at 7:00 p.m. stating that he was very close by to the meeting point. The nature and
function of P.W-2 is to assist the investigation in criminal cases and high profile cases and it is
therefore, that the police had contacted him and he was able to obtain print-outs of the telephone
of Daniel Pearl so as to see the incoming calls which were received by Daniel Pearl while he was
there with him on the previous day. Such incoming calls were reflected from the Mobil Link record
to have been made from telephone No. 0300-2170244 which information was also passed by
P.W-2 to Mariane Pearl who had, in turn, informed P.W-2 that this telephone number is of Imtiaz
Siddiqui, an absconding co-accused in this case which was learnt from the e-mails received by
Mariane Pearl from Daniel Pearl and have been produced on record as Ex. P/5 and Ex. P/6
respectively.

24. Both these witnesses were subjected to lengthy cross examination but their testimonies were
not shattered.

25. I have heard the arguments about these P.Ws from the learned defence counsels Mr. Abdul
Waheed Katpar and Mr. Rai Bashir Ahmed. It may be pointed here that Mr. Rai Bashir Ahmed
was also appearing for all the accused persons as per record.

26. Mr. Abdul Waheed Katpar the learned defence counsel for accused Ahmed Omar Saeed
Shaikh has contended in his arguments that both these witnesses named above are the setup
witnesses. P.Ws Nasir Abbas is a Taxi Driver and as per record the incident as alleged had taken
place on 23rd Jan. 2002, whereas, Nasir Abbas had allegedly identified the accused Ahmed Omar
Shaikh at the time of identification in the month of March 2002 and according to him this is quite
impossible that after this period how this witness Nasir Abbas could identify the accused. About
the second witness P.W. Jameel Yousuf the learned defence counsel Mr. Katpar had stated that
he is a policeman and therefore his testimony cannot be believed as to be true.

27. Mr. Rai Bashir Ahmed the learned defence counsel has argued out that both these witnesses
are the false witnesses and about the abduction of Daniel Pearl the prosecution has failed to
discharge their burden successfully. The learned defence counsels in support of their arguments
have referred 1996-Pak Cr. L. Journal-Pesh-1811 Ishtiaq Ahmed - Appellant vs. The State
Respondent, while relying on this authority the learned defence counsel has contended that
therefore the case is doubtful and benefit of doubt must go to the accused persons. He placed
reliance 1989-SCMR-2056 Sher Muhammed - Petitioner vs Revenue Officer and others.

28. As against this Mr. Raja Qureshi learned Advocate General has argued out that P.W. Nasir
Abbas is an eye witness about the abduction of Daniel Pearl by the accused Ahmed Omar Saeed
Shaikh and he has narrated the ocular account without any contradictions. He is independent
witness, therefore, his testimony cannot be discarded, and according to Mr. Raja Qureshi the
evidence of P.W. Jameel Yousuf has corroborated the evidence of P.W. Nasir Abbas. The learned
Advocate General in support of his arguments has referred 2002-SCMR-820 in a criminal Appeal
of Soulat Ali Khan Appellant vs. The State Respondent. The learned A.G. has also mentioned
that evidence of P.W Nasir Abbas on the point of abduction of Daniel Pearl by accused Omar
Saeed Shaikh is last seen evidence and this evidence is a confidence inspiring and cannot be
discarded. He in support of his arguments has referred 2001-Pak. Cr. L.J. Quetta-1766 (c) in a
criminal appeal Muhammed Khan and others Appellant vs. The State Respondents in which it
has been held as follows:

"Appreciation of evidence - last seen evidence - circumstances that the deceased was last seen
with the accused is a reliable piece of evidence if corroborated by other pieces of circumstantial
evidence which are interlinked and which clearly connects the accused with the commission of
offence".

29. The learned A.G. Mr. Raja Qureshi has also referred PLD-1995-SC-01 in a case State
through A.G. Sindh Karachi - Appellant vs. Salman Hussain and others Respondents, in which it
has been held "while trying in a criminal case under Section 365-A and 109 PPC the approach of
the court in matters like the case of kidnapping for ransom should be dynamic and if the court is
satisfied that the offence has been committed in the manner in which it has been alleged by the
prosecution, the technicalities should be overlooked without causing any miscarriage of justice".

30. I have given my considered view to the arguments advanced before by the learned defence
counsels and by the learned Advocate General. I have also perused the evidence of above these
two P.Ws on record, I find that it is a settled position in law that if some fact is deposed to in
examination-in-chief which is not questioned in cross examination, the presumption is that, that
part of the evidence is deemed to have been accepted by the party against whom that evidence
has been given. Acting on this principle, it would be safe to arrive at a finding that the evidence of
P.W. 1 is confidence inspiring and has not been shaken in the process of cross examination and
is positively to the effect that Daniel Pearl was last seen with accused Ahmed Omar Saeed Shaikh
where after he has not been seen.

31. In order to arrive at a positive finding, it would be profitable to examine the definition of
"Abduction" defined under Section 362 PPC.

"Abduction: Whoever by force compels or by any deceitful means induces any person to go from
any place is said to abduct that person".

As such the nature of evidence that has come on record through this witness falls on all four to
the element of deceit under a hatched conspiracy to kidnap Daniel Pearl.

32. In this connection, the evidence of P.W. 2 Jameel Yousuf strongly corroborates the evidence
of P.W. 1 Nasir Abbas to establish that P.W.-2 was also the second last person to have been
seen or having been available with Daniel Pearl up to 6.45 p.m. on 23-01-2002 where after, Daniel
Pearl was last seen at 7.00 p.m. on 23-01-2002 with accused Ahmed Omar Saeed Shaikh by
P.W-1. The conversation of Daniel Pearl with telephone caller heard by P.W. 2 in whose office
Daniel Pearl was sitting pursuant to an appointment with P.W.-2 is not at all hit by the provision
of hearsay evidence under Qanun-e-Shahadat. In this context, reference could be made to Article
71 of Qanun-e-Shahadat which is to the following effect:

"Article 71 - Oral Evidence must be direct. Oral evidence must, in all cases whatever, be direct
that is to say: if it refers to a fact which could be seen, it must be evidence of a witness who says
he saw it; if it refers to a fact which could be heard it must be the evidence of a witness who says
he heard it".

Hence the finding on this point is proved. As regards the citations referred by the learned defence
counsels in this connection as quoted above my respectful submission is that the citations are not
relevant to this case. As the facts reported therein are not of identical nature of this case, whereas,
the law cases referred by the learned Advocate General Mr. Raja Qureshi have got relevancy to
this case. This point is answered accordingly.

Points No. 3 and 4.

33. In order to prove these points the prosecution side has examined as many as seven (7)
prosecution witnesses namely P.W. 22 Rao Muhammed Aslam P.W.-3 Javed Abbas, P.W.-8
Ronald Joseph, P.W-14 Shaikh Naeem, P.W-18 Muhammed Iqbal Hashmi, P.W-20 Zaheer and
P.W.-10 Ghulam Akbar Jafferi, a handwriting expert.

34. Now, about these P.Ws I have heard arguments from the learned defence counsels and from
the learned Advocate General and I have perused the evidence of the above P.Ws; they were
subjected to lengthy cross examination.

35. The learned defence counsel Mr. Abdul Waheed Katpar for accused Ahmed Omer Saeed
Shaikh has mentioned in his arguments that Daniel Pearl was never abducted by the accused
Ahmed Omer Saeed Shaikh a false story has been cooked out against the accused by the
prosecution. According to Mr. Abdul Waheed Katpar the demands for ransom through e-mails to
Wall Street Journal as alleged in the charge were never transmitted. According to Mr. Katpar, the
accused Ahmed Omer Saeed Shaikh along with the other accused persons has not sent another
e-mails documents to the complainant on 30th Jan 2002 threatening to kill Daniel Pearl within 24
hours if their demands were not fulfilled as alleged by the prosecution side.

The learned Advocate Mr. Katpar has further argued out that the accused Ahmed Omer Saeed
Shaikh along with other accused persons on 30th Jan 2002 had never committed murder of Daniel
Pearl by slaughtering him and he had never caused the evidence of dead body of Daniel Pearl to
disappear. According to Mr. Katpar the accused Ahmed Omer Saeed Shaikh in collusion with the
absconding accused persons had never recorded and transmitted the video cassette of
slaughtering of Daniel Pearl which allegedly conveyed the visual images and found no any terror,
fear, sense of insecurity in the society was created as alleged.

The learned Advocate Mr. Katpar has further argued out that accused Ahmed Omer Saeed
Shaikh along with other accused persons has never aided, abetted, participated and committed
act for achieving the purpose of making conspiracy of kidnapping for ransom and he has never
raised demands of ransom and causing murder of Daniel Pearl. The learned defence counsel Mr.
Katpar finally has argued out that all the witnesses in this regard are the policemen and they are
the false witnesses and they deposed against the accused persons the learned defence counsel
Mr. Waheed Katpar has finally submitted that the case is full of doubt and the witnesses are not
independent.

He in support of his arguments has referred PLD-1999-Lah-131 in a criminal appeal of State Pet.
vs. Sameeullah and 16 others. Mr Katpar has also referred PLD-2002-Lah-247 in a criminal
appeal The State - Pet. vs. Secretary Health Punjab. Mr. Katpar has also referred Article 123 and
Article 124 of Qanun-e-Shahadat order 1984 with the further contention that cassette Article-1 is
a document and the prosecution has failed to adduce evidence of the person who had prepared
this video cassette as has been provided under the relevant provision of Qanun-e-Shahadat Order
1984. Mr. Katpar also further submitted that in this case the recovery Mushirs are not inhabitants
of that place as required under Section 103 Cr.P.C.

36. Secondly, Mr. Rai Bashir Ahmed who is also appearing for all the accused persons has
contended in his arguments that in this case the burden of proof lies upon the prosecution side
for the entire allegation against the accused party. According to Mr. Rai Bashir Ahmed no any
e-mail message was made from Pakistan. According to Mr. Rai Bashir Ahmed, the recovery of the
laptop Computer and writings of e-mail messages and other documents and also video cassette
as Article 1 were not witnessed by the independent persons, all the witnesses are the policemen
and therefore, according to him their testimony cannot be believed as to be true.

The witnesses of the recovery P.W Zaheer Ahmed are not local inhabitants of the place.
According to him, the non compliance of Section 103 Cr.P.C has been made in this case and
therefore, according to him the entire case is doubtful and false and as such the benefit of doubt
is to be given to the accused persons. Mr. Rai Bashir Ahmed, in support of his arguments has
referred 1996-Pak.Cr.L.J-Pesh-1811 Ishtiaq Ahmed Appellant vs. The State Respondent. He has
also referred 1989-SCMR-2056 Sher Muhammad Pet. Vs Revenue Officer, 189-SCMR=720 in a
case Shahmeer - Appellant vs. Muhammed Afzal and others, 1992-SCMR-196 in a criminal
appeal (b) of Daniel body (Saifullah and others) - Appellant vs. the State respondent. He has
finally prayed that the case is doubtful and the accused persons are entitled to the benefit of
doubt, and are entitled to acquittal.

37. As against this Mr. Raja Qureshi the learned Advocate General has argued out that the
witnesses are reliable and their testimony cannot be brushed aside because in absence of
availability of the private witnesses of that place, these witnesses are as much competent as
those of the witnesses of that place provided that any enmity previously existing is proved,
between them and the accused party. The learned Advocate General in support of his arguments
has placed reliance 2001-Pak. Cr. L.J-Quetta-1543 (b) in a criminal appeal of Abdullah - Appellant
vs. the State respondent, in which it has been held as follows:-

(b) Criminal Trial

"Evidence - Police witness - Police witnesses were not always liars and the presumption
that a person acted honestly would apply as much in favour of a police officer as of any
other person and his testimony could not be excluded except for valid reasons - No
justification insisted to exclude testimony of police witnesses from consideration when
same was corroborated by independent evidence".

38. Now, about the aforesaid witnesses I would proceed while dealing with the testimony of each
of the prosecution witnesses as follows in the light of arguments made by the learned counsels
and the facts brought on record of this case

P.W 22 Rao Muhammed Aslam

39. Before, I proceed to examine the evidentiary value of prosecution witness No. 22 Rao
Muhammed Aslam, it is necessary for me to observe that it was complainant Mariane Pearl who
had sent a written application addressed to the S.H.O. Artillery Maidan Police Station dt. 4th Feb.
2002 (Ex. 63/A). This complaint was recorded in the 154 Cr. P.C Book maintained at the Artillery
Maidan Police Station by P.W-17 Muhammed Aslam Jatt which culminated into the assignment
of investigation of the complaint and the F.I.R registered by P.W 17 Aslam Jatt to P.W 22
Muhammed Aslam on 4/02/2002.

40. On 5/02/2002, Rao Muhammed Aslam goes to the residence of Mariane Pearl who provides
to him two sets of e-mails which are secured under the mashirnama Ex. P/7 and the said two sets
of e-mails are Ex. P/8 with attachments (1 to 14). These emails have been secured through
mashir P.W-3 Javed Abbas. It appears that these very e-mails had been addressed to numerous
users of Internet globally which had also reached Mariane Pearl and thus the fact that Daniel
Pearl was an American citizen, the U.S Consulate Karachi contacted P.W-18 Mehmood Iqbal
Hashmi who is an internet service provider at Karachi.

P.W 18 Mehmood Iqbal Hashmi

41. He is a graduate in Computer Science and possesses International Certificate in Microsoft
and Brain Bench. He was provided with the e-mails received even at the U.S Consulate from the
Security Manager at U.S Consulate namely Mr. Zahoor Bashir asking P.W-18 to locate the I.P
address i.e. Internet Protocol Address. As P.W 18 was working for the last six years at Web Net
Communication, Karachi, he possesses the capability of locating the service provider as well as
the Internet Protocol from where the e-mails may have originated.

Accordingly, by using the database and the hotmail worldwide hot-web, P.W 18 was able to locate
that the number from which the said e-mails have originated is subscribed by Shaikh Naeem
which is 8125028. Accordingly, he responded upon locating the same to the U.S Consulate as
well as provided the same details of having located the I.P. address of the sender of the e-mails
to the second Investigating Officer of this case P.W 23 namely Hameedullah Memon as Ex. 64-A.
The emails of which I.P was tracked down by P.W 18 provides the entire data pertaining to
abduction of Daniel Pearl which had been tapped which had contained certain pictures of JPG in
the form of data and each and every thing which was transmitted on 30/01/2002 and each and
every thing which was shown on the papers on the statement was as per International standards.

P.W 14 Shaikh Naeem.

42. He has an Internet concern entitled as "SPEEDY INTERNET". This Speedy Internet of P.W
14 is a provider of Internet Cables to users under contract against payment for such facility. He
had entered into a contract with accused Fahad Naseem which contract has been produced in
Court as Ex. 58/A. He further maintains the time of the users when they have used the facility
which time and the information of the user is automatically generated by the server of their system
itself.

He has produced complete record of his business for providing such facility as Ex. 58/B. Along
with the information, he has also produced the Register of customers reflecting as to which
connection is provided to which particular user and when information was provided to him that
from his telephone number at a relevant point of time on a relevant date the questioned e-mails
were sent, he had sought time from the investigation agency to provide complete information and
ultimately did provide the requisite information that such e-mails were transmitted through
connection No. 66 which under a contract was provided by him to accused Fahad Naseem and
accordingly, led the Investigation Team to the residence of Fahad Naseem where the connection
was provided which resulted into recoveries of two original manuscript of e-mails (Ex. 51/B and
Ex. 51/C) in Urdu and English respectively alongwith Scanner, Article-I, Laptop on 11/02/2002 in
the presence of mashir P.W-20 Zaheer.

43. It would thus be seen that P.W 18 Mehmood Iqbal Hashmi identified from his system that the
questioned e-mails originated from phone No. 8125028 which appears to have led the
Investigators to P.W 14 Shaikh Naeem being the subscriber of the phone Number 812028. Upon
contact with P.W 14 Shaikh Naeem, it was revealed that he is in the business of providing Internet
Cables to users. As the system of P.W 14 Shaikh Naeem automatically generates the information
with regard to the time of the user using the facility. Hence P.W 14 was able to locate the
originating transmission of e-mail to have been done from connection No. 66 provided by him to
accused Fahad Naseem under a Contract, which in the chain of events led the investigator to the
home of Fahad Naseem leading to the recoveries of the original manuscript of questioned e-mails
in English and Urdu under the handwriting of accused Ahmed Omer Saeed Shaikh and accused
Shaikh Adil. This original handwriting in English and Urdu have been duly confirmed by P.W-10
Ghulam Akbar Jafferi a handwriting expert to be the writing of accused Ahmed Omar Saeed
Shaikh in English and accused Shaikh Adil in Urdu.

P.W 8 Ronald Joseph

44. This P.W is a Special Agent of Federal Bureau of Investigation and has been certified by the
FBI Laboratory to be in the computer analysis response team as a Computer Forensic Examiner.
He has been certified by the FBI to conduct Computer Forensic Examination for DOS/WINDOWS
Operating System, APPLE/MACINTOSH Operating System and LINUX/UNIX Operating System.
He has attended various examinations and has put in over 800 hours of computer related training
as per certificate issued by the U.S. Department of Justice, Federal Bureau of Investigation (Ex.
49-A).

45. The leading of Shaikh Naeem to the recovery of the Laptop being used through connection
No. 66 from his system at the house of accused Fahad Naseem on 11/02/2002 was provided to
this witness who had examined the same and conducted the Forensic Examination and
formulated his report which was conveyed to the investigation from the Consulate General of the
United States of America vide Ex. 49/B. On examining the report, he has categorically stated that
the Black Soft Computer case contained "PROWORLD" written on the exterior and upon the
opening the case Dell Latitude CPi Laptop was found in it. The laptop was identified in the report
produced by this witness to be of model PPL with Serial No. of ZH942 and located inside the
Laptop was an IBM Travel Star Hard Drive which was stated to have been removed from the
Laptop and viewing the label on the Hard Drive Model, the Drive was identified as 4.32 GB of
storage capacity and the Model No. was determined by this witness to be DKLA24302 with a
serial number of 4ZIM000N81834. On examining articles 1 and 2 of Ex. 49 compared with the
mashirnama of recovery of Laptop in juxtaposition with the computer Forensic Examination
Report and identifying the numbers of the same, there is no doubt whatsoever that the Laptop is
the same equipment which was recovered from the possession of accused Fahad Naseem on
11/02/2002.

The Forensic Examination Report is also Ex. 49/B. It would be seen that the said report reflects
the Laptop to have been made available to this witness on 4/02/2002 as suggested by the
defence. Availability of the Laptop at the American Consulate on 4/02/2002 is not only un-natural
but impossible because of the fact that complainant Mariane Pearl had filed the complaint with
the police on 4/02/2002 (Ex. 63/A) at 2345 hours which had in fact set the ball rolling at the hands
of the Investigating Agency.

46. Report of this witness relates to demands contained in the Hard Disk of which traces were
made and report was formulated. As such it is the substance which is the essence and not the
point of time when it was made or else there was no occasion whatsoever for accused Fahad
Naseem to be possessed with the original handwritten scripts of the same e-mails which were
received by the receivers and certified by the handwriting expert P.W Ghulam Akbar Jafferi to be
in the hand of accused Shaikh Adil and accused Ahmed Omar Saeed Shaikh in Urdu and English
respectively. Even upon examining the tickets produced by this witness, it would be seen that on
11/02/2002 upto 15/02/2002 he was available at the City of Karachi and thus it is that period when
the examination logically could have been conducted by him whereof followed by report coming
from Washington D.C based on the notes which were carried by this witness to U.S.A.

47. The evidence of this witness further spells out that he did not bring the entire data out from
the Hard Drive but in fact had made mirror images of the data on the other hard drive without
disturbing the original Hard Drive. Various suggestions have been made to challenge the
credibility of this witness but he has been able to withstand the test of the cross examination by
specifically stating that all these suggestions which could allege tampering or manipulation with
the Hard Disc was not so done in this case. Even otherwise, there appears to be no reasonable
justification for tampering a piece of evidence of this nature in the absence of any alleged
animosity.

48. On having dilated upon the aforementioned witnesses on Point No. 03, it would be necessary
to state that there was no occasion whatsoever that accused Fahad Naseem be possessed with
the two original manuscripts at the time of his arrest, the Laptop which transmitted through
connection No. 66 the e-mails containing the demands of ransom to the United States in the terms
mentioned herein above while the points for determination had been framed. There was no
reasonable justification or photocopies of the same e-mails to have recovered from the
possession of accused Ahmed Omar Saeed Shaikh upon his arrest on 13/02/2002. Further, there
is no animosity or enmity of the writing experts to have opined positively confirming the admitted
documents obtained before the Judicial Magistrate with the disputed documents. Such writing
expert being P.W 10 Ghulam Akbar Jafferi who has given his detailed reasons mentioned herein
above for arriving at a positive finding that the disputed writings contained on the original e-mails
are written by accused Ahmed Omar Saeed Shaikh (English) and accused Shaikh Adil (Urdu) Ex.
51/C and Ex. 51/B respectively. The Text of the same emails has not only been received by
Mariane Pearl but also by U.S Consulate, Wall Street Journal and endless number of consumers
World Wide. It would thus be seen that the e-mails dated 27/02/2002 raising demands of ransom
upon having not been met culminated into the second set of e-mail dt. 30/01/2002, threatening to
kill Daniel Pearl within 24 hours if their demands are not met.

49. Now as regards the contentions of the learned defence counsels that these witnesses named
above are not trustworthy. This contention has not been supported by the cogent proof and the
citations referred to me by the learned defence counsels have no relevancy to this case.
Accordingly, I hold that the prosecution has been successful in discharging its burden about these
points and these points therefore, stand proved and are answered accordingly.

Point No. 5 & 6

50. In order to prove these points, the prosecution has examined P.W 12 John Molligon. This
witness had produced the original video cassette alongwith the copy of the same. Both, the
original and the copy were viewed by the defence team, the team for the prosecution, the accused
persons and me. The original tape was seen and returned and the copy was also seen but
retained as article 1 that was viewed on 14/05/2002. About these points, I have heard arguments
from the learned defence counsels Mr. Abdul Waheed Katpar and also Mr. Rai Bashir Ahmed and
the learned Advocate General.

The contentions and arguments of both the learned defence counsels are that P.W 12 John
Molligon who has produced original video cassette has not disclosed the source from whom he
had obtained video cassette and it has also not been disclosed that who had prepared this video
cassette. Both the learned defence counsels in their respective arguments have submitted that
video cassette Article-1 is not a substantial piece of evidence because this video cassette is a
false and it can be prepared falsely because the science nowadays has developed such
technology through which the fake video cassette can be prepared for involving any body and
innocent men in such instant cases.

Both the learned defence counsels have further argued out that video cassette is a document and
for proving this document the person who has prepared should have been examined or in whose
presence this video cassette was prepared or edited should have also been examined. But in the
instant case, this has not been done therefore, according to the learned defence counsels this
video cassette Article-1 has no any evidentiary value.

51. As against this Mr. Raja Qureshi the learned Advocate General has submitted that this video
cassette is a cogent piece of evidence and it can certainly be relied upon. He in support of his
arguments has referred Article 164 of Qanun-e-Shahadat Order 1984.

52. Now, the accused persons in their respective statements under Section 342 Cr.P.C. have
merely made denial of the prosecution charges against them, without providing of furnishing any
documentary proof to reflect that the instant case involving all the allegations against them is
based on pre-existing enmity between the witnesses and the complaint party and the deceased.

53. Now, I want to discuss about this video cassette. This video cassette upon being viewed
reflects the same demands which are contained in the e-mails sent in Urdu and English under the
hands of accused Ahmed Omar Saeed Shaikh (English) and Shaikh Adil (Urdu). It further conveys
the atrocities being committed in Palestine, Kashmir and various other places.

The tape through in law is admissible in evidence under the Provisions of Article 164 of the
Qanun-e-Shahadat and this witness was subjected to extensive cross examination wherein he had stated
that such tapes could be fake tapes also prepared but at the same time the same witness on
record is stated to have said that fakeness of such tape could be and has been determined by
the experts of the FBI who certified the same not to be fake.

54. Therefore, I find that what surfaces from viewing this tape is the motive of the accused
persons, which stands proved for raising the demands of ransom, the actual and physical
slaughtering of Daniel Pearl being decapitated and this action about the accused persons falls
within the provisions of Section 6(e) of the Anti Terrorism Act, 1997 thereby conveying the scene
of fear, insecurity and terror. It further transpires that the captivity of Daniel Pearl stands proved
in the hands of all the accused persons and when their demands as mentioned in the e-mails
were not met or not fulfilled, therefore, the un-natural death of Daniel Pearl was caused in a brutal
manner by the accused persons. These points are answered accordingly and the prosecution
side has been successful in discharging its burden.

Point No. 07

55. About this point, I have heard the arguments of the learned defence counsels and the learned
Advocate General.

56. Mr. Abdul Waheed Katpar the learned defence counsel has in arguments submitted that
accused Ahmed Omer Saeed is an innocent man and he has been involved falsely in this case.
The prosecution side has miserably failed to prove this case beyond any reasonable doubt against
accused Ahmed Omer Saeed Shaikh. According to Mr. Katpar accused Ahmed Omer Saeed
Shaikh has neither aided, abetted, participated in the alleged crime. He had never made any
conspiracy for kidnapping for ransom raising demands of ransom and causing murder of Daniel
Pearl.

According to Mr. Katpar the witnesses in this case against the accused persons are mostly police
men and their testimonies cannot be believed as to be true. The recoveries shown against the
accused Omer Saeed Shaikh were not witnessed by the local inhabitants of the place as required
under Section 103 Cr.P.C. Therefore, according to him the case is very much doubtful.

57. Mr. Rai Bashir Ahmed the learned defence counsel for all the accused persons including
Ahmed Omer Saeed Shaikh contended that the accused persons are innocent the case is false
against them. They had never participated in the alleged offence, in any manner. The witnesses
in this case are the set up witnesses and most of the witnesses are from the Police party and
other witnesses are not the respectable persons of the locality. The recoveries of the Laptop
computer and e-mail writings and the messages are false. Their confession before the Judicial
Magistrate is very much defective and not voluntary. The identification test held regarding the
accused persons is not legal therefore, according to him the case is doubtful and the state or the
prosecution has failed to prove its onus successfully against the accused persons.

58. As against this Mr. Raja Qureshi the learned Advocate General has argued out that no doubt
major portion or number of the witnesses regarding the alleged offence against accused persons
are from police party, but their evidence cannot be brushed aside due to non-availability of the
private witnesses.

The police party/P.Ws is therefore, in such cases competent witnesses as those of private
witnesses, unless any mala fide is proved against them. According to Mr. Raja Qureshi he has
further submitted in his arguments that the defence side have failed to prove any mala fide against
the police witnesses. He has further submitted in his arguments that the accused party in their
respective statements u/s 342 Cr.P.C. have only made denial of the allegations against them and
their oral denial cannot be accepted on absence of producing the recorded enmity or any cogent
proof to dis-proving the charges against them.

59. I have given my considered view to the arguments advanced before me; I find that the accused
persons in their respective statements u/s 342 Cr.P.C. have made oral denial of the allegation
against them. They had not produced any record showing the pre-existing enmity between the
prosecution side and themselves. One of the accused Ahmed Omer Saeed Shaikh has examined
two defence witnesses namely Mr Rauf Ahmed Shaikh D.W. and Mr Saeed Ahmed Shaikh, who
is father of accused Omer Saeed. Mr Rauf Ahmed Shaikh who is District and Sessions Judge of
Muzaffargarh and is maternal uncle of accused Omer Saeed Shaikh and the second defence
witness Saeed Ahmed is his father.

The defence plea that he was arrested by the police from Lahore and as such Ahmed Omer
Saeed Shaikh was handed over to DIG Police Lahore because of the reasons that his parents
were harassed. Accused Ahmed Omer Saeed Shaikh has taken the plea that he was arrested by
the Lahore Police and arrest shown by I.O. Hameedullah Memon in this case by him @ Karachi
is a false story. In this connection, D.W. No. 1 Mr. Rauf Ahmed Shaikh has also deposed that he
had handed over the custody of accused Ahmed Omer Saeed Shaikh to DIG and he was arrested
by him. D.W. No. 02 Saeed Ahmed Shaikh has also deposed the same story. Now, it can be
easily said that a criminal or anybody else during this scientific age can easily arrive at Lahore or
at any other far place after committing any crime at any other place. So the plea of arrest from
Lahore raised by Omer Saeed Shaikh has no any legal weight. I further find that D.W. 1 Mr. Rauf
Ahmed Shaikh in his defence evidence (Ex. 101) in cross examination has disclosed that accused
Omer Saeed Shaikh was previously involved and arrested by the Indian Police and was tried in a
case. This admission and the disclosure of D.W. Muhammad Rauf Shaikh reflects very much that
present accused Ahmed Omer Saeed Shaikh appears habitual offender in making the conspiracy
Internationally.

60. Now, in order to deal with the aspect as to whether the accused have aided, participated or
committed acts for achieving the objectives of the hatched conspiracy of kidnapping for ransom,
raising demands of ransom and causing murder of Daniel Pearl. Therefore, it would be necessary
to first touch upon the acts done by accused Ahmed Omer Saeed Shaikh in brief. First, he had
hatched a conspiracy at Room No. 411 at Akbar International Hotel, Rawalpindi with absconding
accused Arif alias Hashim and in the presence of P.W-6 Asif Mahfooz Farooqi. Based on the said
conspiracy between absconding accused Arif and Ahmed Omar Saeed Shaikh on the pretext of
arranging a meeting of Daniel Pearl with Syed Mubarak Shah Gilani, it was planned and to
implement the said conspiracy and plan, it was Ahmed Omer Saeed Shaikh who under his own
handwritten duly certified by the writing expert to be his handwriting recorded the demands raised
in English.

Simultaneously, the same demands were recorded under the hand of Shaikh Adil duly confirmed
by the writing expert in Urdu. These demands were transmitted from the Laptop of accused Fahad
Naseem through connection No. 66 provided to him by P.W 14 Shaikh Naeem which was tracked
down leading to the recoveries of the equipments used for transmitting of the e-mails along with
the scanner and the Polaroid and Zoom Camera with films.

61. About the e-mail messages the accused persons Adil Shaikh and Fahad Naseem have made
confessions before the P.W-9 Judicial Magistrate Erum Jahangir and P.W. Erum Jahangir in her
deposition on record has deposed that these accused persons had made confessions and she
had given a note at the foot of the confessional statement on record that the confessions was
voluntary. Apart from the Hand Writing Expert Ghulam Akbar Jafferi in his respective deposition
on record has confirmed the hand writing of the messages as sent by the accused persons.

62. Coming to the acquisition of Polaroid and Zoom Camera, there is evidence to the effect which
has come on record and which has not been shaken by the defence through P.W 16 Muhammed
Arif who had sold the Polaroid Camera and Zoom Camera Films to accused Salman and Fahad
Naseem, whereas, the scanner was purchased from P.W-13 Rajesh Kumar of Jogi Computers
by Salman Saqib and Fahad Naseem (Ex. 55/A and Ex. 55-E). All these instruments including
Laptop were necessary for transmitting the e-mails of the same text hand-written by Ahmed Omar
Saeed Shaikh and Shaikh Adil in English and Urdu respectively. The said e-mails were sent with
attachments, which attachments could have only been possible after having obtained the Zoom
Camera, the Polaroid Camera and the scanner which were purchased by accused Fahad Naseem
and Salman Saqib.

63. Coming to the aspect of kidnapping of Daniel Pearl, there is strong piece of evidence of
independent P.W-1 Nasir Abbas, Taxi Driver whose evidence has not been shaken in any manner
while he testified that it was on 23/01/2002 in front of Village Restaurant adjacent to Metropole
Hotel, Saddar Karachi at 7.00 p.m., that he says that accused Ahmed Omar Saeed Shaikh to
have taken Daniel Pearl in his car after Daniel Pearl left his taxi and boarded into the car after
coming from the office of CPLC at 6.45 p.m., which aspect is duly supported by P.W 2 Jameel
Yousuf. Hence Daniel Pearl was last seen alive in the company of accused Ahmed Omer Saeed
Shaikh till 7.00 p.m. on 23/01/2002.

As such, an irresistible conclusion could be arrived at that the conspiracy was hatched at Akbar
International Hotel, Rawalpindi in Room No. 411 which has been testified by the receptionist of
the Hotel P.W-7 Aamir Afzal Qureshi as well as P.W 6 Asif Mehfooz Farooqi followed by P.W 1
last seen Daniel Pearl in the company of accused Ahmed Omer Saeed Shaikh at Karachi while
sitting in his car, followed by the raising of demands through the e-mails coupled with the aspect
that for transmitting the e-mails with attachments it was necessary to procure the equipments
which had been so done by accused Salman Saqib and Fahad Naseem in the process of meeting
of minds to achieve the objective of the hatched conspiracy.

64. Now, coming to the aspect as to how were the e-mails transmitted and how was accused
Fahad Naseem, Shaikh Adil, Ahmed Omar Saeed Shaikh and Salman Saqib become
instrumental in aiding abetting and committing the acts for transmitting the demands of ransom,
it would be necessary to cursorily look at the evidence of P.W 8 Ronald Joseph P.W-14 Shaikh
Naeem and P.W 18 Mehmood Iqbal Hashmi. Indeed P.W-8 is the F.B.I. agent and an expert who
has examined the Laptop possessed by accused Fahad Naseem and recovered from his
possession, P.W. 14 Shaikh Naeem is the internet service provider who had provided connection
No. 66 to accused Fahad Naseem under a contract executed between accused Fahad Naseem
and the proprietorship concern of P.W. 14 and finally through P.W. 18 Mehmood Iqbal Hashmi
who was approached by the U.S. Consulate to identify and track down the I.P address which is
the Internet Protocol address which was tracked down by him resulting into the finding of the
telephone number 8125028 by him of P.W 14 Shaikh Naeem leading to connection No. 66
provided to accused Fahad Naseem who used the Laptop which is testified from the images
transmitted from the Hard Drive of the Laptop of accused Fahad Naseem by P.W-8 Ronald
Joseph an F.B.I. agent and an expert on the Forensic Examination of Computers.

65. The Process of tracking e-mails messages was duly conducted by P.W 18 Mehmood Iqbal
Hashmi, P.W-14 Shaikh Naeem, P.W 8 Ronald Joseph, an FBI agent. It was P.W 18 Mehmood
Iqbal Hashmi who had tracked down the telephone number being 8125028 which led to the
connection of P.W-14 Shaikh Naeem and on approach to Shaikh Naeem, it reveals that he was
an Internet service provider who has provided as many as 70 connections out of which connection
No. 66 was provided by P.W 14 Shaikh Naeem to accused Fahad Naseem, who had used his
Computer Laptop and employed connection No. 66 to transmit the e-mails raising demands of
ransom in English and Urdu. This aspect stands duly confirmed by the Forensic Examination
Report conducted by P.W 9 Ronald Joseph FBI agent who had taken images of the Hard Disk of
the Laptop Computer possessed by accused Fahad Naseem. For the purposes of convenience,
reference could be made to Ex. P-8 (1-14) and Ex. 49-C/1 to Ex. 49-C/64 and Ex. 64-A with six
leaves produced by P.W. 18 Mehmood Iqbal Hashmi. Consequently this point stands proved.

66. Now, at this stage I come to the submissions made by the defence counsels that the FIR is
delayed by 12 days without any reasonable explanation. My reply in this connection is that
complainant is Mariane Pearl wife of Daniel Pearl and it is therefore, clear that a woman always
fears in lodging FIR promptly at the police station in such case of murder and abduction and
therefore, this delay in lodging FIR can be overlooked when there is Lady complainant in such
cases.

67. The learned defence counsels have also contended that the FIR of this case should have
been produced by the complainant herself. Such contention was resisted by the prosecution side
on the ground that FIR is not a substantive piece of evidence and can be used only for conveying
the information to the police and the police had investigated the instant case and had brought all
the materials on record and also evidences, thereupon, the accused persons were arrested and
their confessions were recorded by the learned Judicial Magistrate regarding the e-mail messages
sent by them through Laptop computer and the video cassette was recovered Article-1 and finally
the case was challaned. The complainant being Lady was in France and she had given birth to a
son, therefore in these circumstances the complainant could not undertake the Journey from
France to Pakistan therefore, the complainant was given up by prosecution. In assessing these
contentions, I find that the prosecution side had rightly not examined the Lady Complainant. The
contentions of DGs are replied accordingly.

Point No. 08.

68. In the light of aforesaid findings and evidence of P.Ws brought on record, I find that the motive
of the occurrence against the accused as alleged stood proved and established beyond any
doubt. The minor discrepancies pointed out in evidence of P.Ws did not hit or touch the root of
the case. The accused had not been able to establish any pre-existing enmity between
themselves and the prosecution side for their false implication in the case, there is judicial
confession of the accused persons on the record and the recoveries of the e-mail messages and
the Laptop computers and so also the scanner and the receipts for the purchase of cameras and
there is opinion of the handwriting expert on the writings of the e-mails and there is evidence of
identification test by the P.Ws on the point of kidnapping of Daniel Pearl and conspiracy regarding
Daniel Pearl.

The oral denial of the charges of the prosecution made by the accused party and the evidence of
the defence witnesses do not result the instant case in a doubtful position. The captivity of
Daniel Pearl in possession of the accused party stands proved and the non-fulfillment of their
demands has presumably resulted in the murder of Daniel Pearl at the hands of the accused party.

69. I have therefore, arrived at the conclusion that all the four accused persons are guilty of
offences under Sections 120-A PPC, 365-A, 302 PPC read with Section 6(a) of the Anti Terrorism
Act, 1997. Now coming to the aspect of sentence in view of the Terrorist Activities of accused
Ahmed Omer Saeed Shaikh it appears that this accused had engineered entire plan of creating
sense of fear nationally and internationally and thereby made conspiracy and he was a Principal
Offender and he made with his efforts the other remaining accused to be his aiders/associates
for the purpose of completion of his above plan involving the sense of fear, insecurity nationally
and internationally.

I therefore, convict accused persons under Section 365-A, 302 PPC read with Section 6(a) of the
Anti Terrorism Act 1997 and S. 120-A PPC, and thereupon as a result accused Ahmed Omer
Saeed Shaikh is sentenced to death under Section 7 of the Anti Terrorism Act, 1997, to be hanged
by the neck till he is dead. The other accused persons namely Adil Shaikh, Salman Saqib and
Fahad Naseem are sentenced under Section 7 of the Anti Terrorism Act, 1997 to suffer Life
Imprisonment. They are also sentenced to pay fine of Rs. 5,00,000/- each. In case of non-
payment of fine, these accused persons shall undergo sentence for Five (5) Years more. This
court also directs all the four accused persons to pay jointly a sum of Rs. 20,00,000/- (Twenty lacs),
which shall be paid by them in equal share and if this amount is paid it shall be given to the widow
of Daniel Pearl and also to his Orphan son. The imprisonment sentences shall run concurrently
and benefit of Section 382-B Cr.P.C. is given to the accused persons. The death sentence so
awarded will be executed subject to the confirmation by the Honorable High Court of Sindh, for
which the reference is separately made to the Hon'ble High Court of Sindh.

70. Before I part with this Judgment, I would like to record my appreciation of all the members of
the prosecution team and their assistance and also members of the defence team and their
assistance.

71. Now, the accused persons who are present in judicial custody, they are remanded back to
serve out their sentences so awarded. It is pointed out here that absconding accused persons of
this case have been allotted a separate case No. as Spl. case No. 9/2002 by the Hon'ble
Administrative Judge A.T.Cs Karachi therefore, on their arrest their case will be tried separately
by the competent Anti Terrorism Court Karachi as their case has been kept on dormant file by the
A.T.C. Karachi having competent jurisdiction.

Further Details:
Announced in open Court in Jail (C.P. Hyd). Dated this the 15th day of July 2002.

(Syed Ali Ashraf Shah) Judge Anti Terrorism Court Hyderabad & Mirpurkhas Divisions @
Hyderabad.

ORDER FOR DISPOSAL OF CASE PROPERTY


The following property will be disposed of after the appeal period is over:-

1. One Scanner,

2. Laptop Computer and disk

3. One video cassette Article-1

4. One C.D. Cassette

5. Hand bag of the accused Omer Shaikh containing tooth brush, one towel, photocopies of NICs,
visiting cards, two purses and Rs. 300/- and two e-mail messages in Urdu dt. 27/1/02,
30/1/2002 regarding Daniel Pearl and one e-mail in English language written by Ahmed Omer
Saeed Shaikh about abductee Daniel Pearl, etc.

(Syed Ali Ashraf Shah)

Judge Anti Terrorism Court Hyderabad & Mirpurkhas Divisions

Key Terms And Concepts
• applications: An application, or application program, is a software program that runs on your
computer. Examples include Web browsers, e-mail, etc.

• application software: Application software is often called productivity programs or end-user
programs because it enables the user to complete tasks such as creating documents, spreadsheets,
databases, and publications, doing online research, sending email, designing graphics, running
businesses, and even playing games.

• ARPANet: The precursor to the Internet, ARPANET was a large wide-area network created by the
United States Defense Advanced Research Project Agency (ARPA). Established in 1969, ARPANET served
as a testbed for new networking technologies, linking many universities and research centers.

• bandwidth: Bandwidth refers to how much data you can send through a network or modem
connection. It is usually measured in bits

• binary code: A binary code represents text or computer processor instructions using the binary
number system's two binary digits, 0 and 1. A binary code assigns a bit string to each symbol or
instruction.

• bit: A contraction, or short form, of the term "binary digit"; the smallest unit of computer data.

• bombs: A bomb or a logic bomb is a piece of code intentionally inserted into a software system that
will set off a malicious function when specified conditions are met.

• boot sequence: The initial set of operations in which the computer activates the necessary hardware
components and loads the appropriate software so that a user can interact with the machine.

• buses: A bus inside a computer consists of a set of wires that allow data to be passed back and forth.
Most computers have several buses that transmit data to different parts of the machine. Each bus has a
certain size, measured in bits (such as 32-bit or 64-bit), that determines how much data can travel across
the bus at one time. Buses also have a certain speed, measured in megahertz, which determines how
fast the data can travel.

• byte: A byte is a set of 8 bits that represent a single character in the computer's memory.

• cable modem: A cable modem is used for connecting to the Internet and is much faster than a typical
dial-up modem.

• central processing unit: The brain of the computer, where the data is processed.

• cloud computing: Cloud computing allows users to backup and retrieve information online.

• command-line interface (CLI): Interacting with a computer program where the user (or client) issues
commands to the program in the form of successive lines of text (command lines).

• computer forensics: A branch of digital forensic science pertaining to legal evidence found in
computers and digital storage media.

• cookies: A cookie is data sent to your computer by a Web server that records your actions on a certain
Web site.

• data mining: The analysis step of the "Knowledge Discovery in Databases" process, or the
computational process of discovering patterns in large data sets involving methods at the intersection of
artificial intelligence, machine learning, statistics, and database systems.

• digital subscriber line (DSL): A medium for transferring data over regular phone lines and usually used
to connect to the Internet.

• DNS: Stands for "Domain Name System." The primary purpose of DNS is to keep Web surfers sane.
Without DNS, we would have to remember the IP address of every site we wanted to visit, instead of
just the domain name.

• domains: A domain contains a group of computers that can be accessed and administered with a
common set of rules. For example, a company may require all local computers to be networked within
the same domain so that each computer can be seen from other computers within the domain or
located from a central server.

• gigabytes (GB): A gigabyte is a unit of data storage that equals 2 to the 30th power, or 1,073,741,824
bytes.

• graphical user interface (GUI): Refers to the graphical interface of a computer that allows users to click
and drag objects with a mouse instead of entering text at a command line.

• hard disk drives (HDD): An HDD is a storage device used to store data.

• hardware: The physical components of a computer.

• hertz: Hertz (abbreviated: Hz) is the standard unit of measurement used for measuring frequency.

• host computer worms: A computer worm is a standalone malware computer program that replicates
itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying
on security failures on the target computer to access it. Unlike a computer virus, it does not need to
attach itself to an existing program.

• HTTP (hypertext transfer protocol): Stands for "HyperText Transfer Protocol." This is the protocol used
to transfer data over the World Wide Web. That's why all Web site addresses begin with "http://".

• hubs: A hardware device that is used to network multiple computers together.

• IMAP: Stands for "Internet Message Access Protocol" and is pronounced "eye-map." It is a method of
accessing e-mail messages on a server without having to download them to your local hard drive.

• Internet protocol: IP provides a standard set of rules for sending and receiving data through the
Internet.

• Internet: Internetworking between the networks.

• intranets: Contrary to popular belief, this is not simply a misspelling of "Internet." "Intra" means
"internal" or "within," so an Intranet is an internal or private network that can only be accessed within
the confines of a company, university, or organization.

• kernel: Today's operating systems are built in "layers." Each layer has different functions such as serial
port access, disk access, memory management, and the user interface itself. The base layer, or the
foundation of the operating system, is called the kernel. The kernel provides the most basic "low-level"
services, such as the hardware-software interaction and memory management. The more efficient the
kernel is, the more efficiently the operating system will run.

• kilobytes (KB): A kilobyte is a unit of data storage that equals 2 to the 10th power, or 1,024 bytes.

• LINUX: Linux is a free, open source, Unix-like operating system. It is available in several different
distributions, including CentOS, Debian, Ubuntu, and Red Hat.

• malware: Short for "malicious software," malware refers to software programs designed to damage or
do other unwanted actions on a computer system.

• motherboard: The main circuit board of a computer.

• operating system: Also known as an "OS," this is the software that communicates with computer
hardware on the most basic level. Without an operating system, no software programs can run. The OS
is what allocates memory, processes tasks, accesses disks and peripherals, and serves as the user
interface.

• packets: This is a small amount of computer data sent over a network.

• plug and play: Plug and Play, sometimes abbreviated PnP, is used to describe devices that work with a
computer system as soon as they are connected.

• POP: Stands for "Post Office Protocol." It is a simple, standardized method of delivering e-mail
messages. A POP or POP3 mail server receives e-mails and filters them into the appropriate user folders.
When a user connects to the mail server to retrieve his mail, the messages are downloaded from mail
server to the user's hard disk.

• random access memory (RAM): Stands for "Random Access Memory." RAM is made up of small
memory chips that form a memory module. These modules are installed in the RAM slots on the
motherboard of your computer. Every time you open a program, it gets loaded from the hard drive into
the RAM. This is because reading data from the RAM is much faster than reading data from the hard
drive. It is the place where the data are stored before, during and after the processing.

• registry: This is a database used by Microsoft Windows to store configuration information about the
software installed on a computer. This information includes things like the desktop background,
program settings, and file extension associations.

• routers: This is a hardware device that routes data from a local area network (LAN) to another network
connection.

• shell: A shell is a software program that interprets commands from the user so that the operating
system can understand them and perform the appropriate functions.

• software: Computer software is a general term that describes computer programs.

• source code: Every computer program is written in a programming language, such as Java, C/C++, or
Perl. These programs include anywhere from a few lines to millions of lines of text, called source code.

• spam: Unsolicited or undesired e-mails.

• spoofing: Spoofing, or decoying, is the practice of inundating/flooding online networks with bogus or
incomplete files of the same name in an effort to reduce copyright infringement on file sharing networks.

• TCP/IP: Every computer program is written in a programming language, such as Java, C/C++, or Perl.
These programs include anywhere from a few lines to millions of lines of text, called source code.

• Trojan horse: In the computing world, Trojan horses are more than just a myth. They really exist and
can cause damage to your computer. Trojan horses are software programs that masquerade as regular
programs, such as games, disk utilities, and even antivirus programs. But if they are run, these programs
can do malicious things to your computer.

• universal serial bus (USB): Stands for "Universal Serial Bus." USB is the most common type of computer
port used in today's computers. It can be used to connect keyboards, mice, game controllers, printers,
scanners, digital cameras, removable media drives, etc.

• UNIX: The Unix operating system was first created in Bell Labs way back in the 1960s. It became
popular in the 1970s for high-level computing, but not on the consumer level. Since a lot of Internet
services were originally hosted on Unix machines, the platform gained tremendous popularity in the
1990s. It still leads the industry as the most common operating system for Web servers.

• URL: Stands for "Uniform Resource Locator." A URL is the address of a specific Web site or file on the
Internet. It cannot have spaces or certain other characters and uses forward slashes to denote different
directories.

• virus: Computer viruses are small programs or scripts that can negatively affect the health of your
computer. These malicious little programs can create files, move files, erase files, consume your
computer's memory, and cause your computer not to function correctly. Some viruses can duplicate
themselves, attach themselves to programs, and travel across networks. In fact, opening an infected e-
mail attachment is the most common way to get a virus.

• World Wide Web: The World Wide Web, or just "the Web," as ordinary people call it, is a subset of the
Internet. The Web consists of pages that can be accessed using a Web browser. The Internet is the
actual network of networks where all the information resides. Things like Telnet, FTP, Internet gaming,
Internet Relay Chat (IRC), and e-mail are all part of the Internet, but are not part of the World Wide
Web. The Hyper-Text Transfer Protocol (HTTP) is the method used to transfer Web pages to your
computer. With hypertext, a word or phrase can contain a link to another Web site. All Web pages are
written in the hyper-text markup language (HTML), which works in conjunction with HTTP.
