Professional Documents
Culture Documents
Evidence in Pakistan
Presented by:
Table of contents
Abstract
Criminals use mobile phones, laptop computers, and network servers in the course of
committing their crimes. In some cases, computers provide the means of committing crime.
For example, the Internet can be used to deliver a death threat via email, to launch hacker
attacks against a vulnerable computer network, to disseminate computer viruses, or to
transmit images of child pornography. In other cases, computers merely serve as convenient
storage devices for evidence of crime. For example, a drug dealer might keep a list of who
owes him money in a file stored in his desktop computer at home, or a money laundering
operation might retain false financial records in a file on a network server. Indeed, virtually
every class of crime can involve some form of digital evidence
1.1 Introduction
Digital evidence or electronic evidence is any probative information stored or transmitted in
digital form that a party to a court case may use at trial. Before accepting digital evidence, a
court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and
whether a copy is acceptable, or the original is required.
The use of digital evidence has increased in the past few decades as courts have
allowed the use of e-mails, digital photographs, ATM transaction logs, word processing
documents, instant message histories, files saved from accounting programs, spreadsheets,
internet browser histories, databases, the contents of computer memory, computer backups,
computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door
locks, and digital video or audio files.
1
Kerr, 2009; Whitcomb, 2002
2
Casey, 2011; National Institute of Justice [NIJ], 2007; Palmer, 2002
3
Cohen, 2008, 2010
4
Brown, 2010; Casey, 2011; NIJ, 2007
5
Brown; Casey; NIJ
6
Casey, 2011; Frowen, 2009
not on formal training and education but on personal experiences involving the use of
7
computers and networks such as the Internet.
Judges must be able to balance the imperatives of a thorough examination with the
needs of a speedy trial.8Most people are not consciously aware of the impact that digital
devices and the large volume of data stored in digital repositories have on everyday life. 9 As
examples of this impact, consider automated operations and functions within computer
controlled buildings, utility company facilities, and telecommunication carrier networks; data
gathered by security systems, closed-circuit television, surveillance cameras, and
automobiles; and online activities such as e-mail, online payment systems, and social
networks. As a consequence of the increasing use of ICTs that, a few years ago, were used
only by technologists and the increasing depiction of computer technology in the popular
media, technology users have an overly simplistic or incorrect understanding of how these
ICTs work.10 For this reason, it may be quite difficult for individuals to apply critical analysis
to statements based on digital forensic evidence offered as fact in a courtroom.11
Digital evidence has been previously defined as any data that can establish that a crime has been
committed or can provide a link between a crime and its victim or a crime and its perpetrator. It is
any information of probative value that is either stored or transmitted in a digital form. 12 Another
proposed definition of digital evidence is, information stored or transmitted in binary form that may
be relied upon in court. 13 However, these definitions focus too heavily on proof and neglect data that
simply further an investigation. Additionally, the term binary in the later definition is inexact,
describing just one of many common representations of computerized data. A broader definition
proposed by the Association of Chief Police Officers is information and data of investigative value
that are stored on or transmitted by a computer. A more general definition proposed by BrianCarrier
is digital data that support or refute a hypothesis about digital events or the state of digital data.
7
Cohen, 2008, 2010; Losavio, Adams, & Rogers, 2006
8
Casey, Ferraro, &Nguyen, 2009)
9
O’Harrow, 2006
10
Del Bosque&Chapman, 2008
11
Dinat, 2004; Mason, 2008
12
The definition proposed by the Standard Working Group on Digital Evidence (SWGDE)
13
The definition proposed by the International Organization of Computer Evidence (IOCE)
technology,14 by means evidence taken from such terms can be attributed as electronic or digital
evidence. The electronic evidence can further be elaborated from definitions of “electronic
document” which includes documents, records, information, communications or transactions in
electronic form,15 and “electronic signature” which means any letters, numbers, symbols, images,
characters or any combination thereof in electronic form, applied to, incorporated in or associated
with an electronic document, with the intention of authenticating or approving the same, in order to
establish authenticity or integrity, or both. 16
Chapter 2: Digital & Electronic Evidence in Pakistan, its relevant provisions and
judgmental development
In general, the principles of admissibility are that the evidence must be relevant to the
proof of a fact in issue, to the credibility of a witness or to the reliability of other
evidence, and the evidence must not be inadmissible by virtue of some particular rule
of law.17
There are some general principles of evidence that can affect the admissibility
and weight of electronic records in court. The main two evidentiary principles that
affect digital records are the hearsay rule and its exceptions, and the best evidence
rule.
14
Sec 2 (b) (l) of Electronic Transaction Ordinance, 2002
15
Sec 2 (b) (m) of Electronic Transaction Ordinance, 2002
16
Sec 2 (b) (n) of Electronic Transaction Ordinance, 2002
17
Keane, A (1994) The Modern Law of Evidence (London: Butterworths).
2.2.1 Rule against Hearsay
“Hearsay” is a long-standing legal concept and one that is central to the issues
surrounding documentary evidence. The inadmissibility of hearsay is one of the best-
known rules in evidence law. The word itself contains a hint to its meaning: courts do
not want to receive second-hand information, which has come into to court via
someone “hearing” what another person “said”. Courts want witnesses to testify to
what they themselves saw, perceived, or knew, to preserve accuracy and to allow for
meaningful cross-examination to take place.
Over time exceptions to the hearsay rule were introduced to allow documents to
be admitted to provide evidence of facts. Evidence derived from a computer or an
electronic device constitutes real or direct evidence when it is used circumstantially
rather than testimonials, that is to say when the fact that it takes one form rather than
another makes it relevant, rather than the truth of some assertion which it contains.
Computer output is admissible as real evidence since it does not purport to reproduce
any human assertion which had been entered into it. The machine is a tool and that in
the absence of any evidence that it is defective, the printout, the product of a
mechanical device, falls into the category of real evidence.
The best evidence rule is likely to be most problematic for digital records in
situations where the other party disputes the version of the record (claim that the print-
out is inaccurate or has been tampered with). It will also matter in situations where it is
impossible to accurately render what is seen on-screen in a printed form. In that
situation, one may wish to argue that the original is the electronic version, and as such,
constitutes the best evidence available. Legislation in many countries has created
admissibility of digital evidence by enactment of statutory provisions.
18
Muhammad Shahid Sahil v. State (PLD 2010 FSC 215
19
Saifur Rehman Khan v. Shahab-ud-Din 1995 MLD 1485; Gulzar Hussain Awan v. Akbar 1999 YLR
2250
conversation and in the absence of evidence of any such conversation, the tape-
recorded conversation is indeed no proper evidence and cannot be relied upon.20
20
Mahabir Prasad Verma vs. Dr. Surinder Kaur (1982) 2 SCS 258
21
Alamgir Khalid Chughtai v. State (PLD 2009 Lah. 254)
"electronic documents", "electronic signature", "advanced electronic
signature", and "security procedure" shall bear the meanings given in the
Electronic Transactions Ordinance, 2002.”22
This provision would show that this is a special law, according to which, all the
above documents, record and information were admissible in evidence in their present
form, even if those were not attested by any witness.23
22
ibid
23
Muhammad Shahid Sahil v. State (PLD 2010 FSC 215
Criterion for assessing the admissibility of the document or information is that the same
should remain complete and un-altered but at the same time it is also provided in the
above quoted law that if there is any addition in instrument, and that arise in normal
course, and the document is still complete and un-altered, that cannot be brushed aside.
The legislature in its wisdom has amended the provision of Article 2(e) of Qanun-e-
Shahadat, 1984 in terms of section 29 of Electronic Transactions Ordinance, 2002 and
by said Ordinance various changes have been made in definition clause, by addition of
Article 2(e) of the Qanun-e-Shahadat, 1984 and all the documents prepared, produced
or generated through modern devices are admissible in evidence.
Were the records altered, manipulated, or damaged after they were created?
Was the program that converted the digital evidence to words or graphics
reliable?
24
Arif Hashwani v. Sadruddin Hashwani (PLD 2007 Kar. 448)
and unaltered, apart from the addition of any endorsement or any change which arises
in the normal course of communication, storage or display.
a. Accuracy
The accuracy of computerized records may be impaired as a result of computer
programming errors, equipment malfunction, and data entry errors. The volume of
relevant electronic data may also impair a court’s ability to verify the information's
integrity.
b. Authenticity
Evidence is not admissible unless it has been authenticated. Authentication means there
is information that can be presented in court to prove that what the person offering the
evidence claims it to be is what it in fact is. The requirement of authentication as a
condition precedent to admissibility is satisfied by evidence sufficient to support a
finding that the matter in question is what its proponent claims. The court warned in
Arif Hashwani v. Sadruddin Hashwani that the authenticity of digital evidence is
always subject to proof in case the party against which it can be used disputed or denied
the authenticity and information contained in the said electronic documents.25
• Where was the storage device (drive, disk, or other medium) found?
Rarely is there any indication in the report as to whether the system clock was
properly functioning, or what its offset may have been to real-time. If the system was
live when confiscated, its clock would likely be viewable on the display, and this
information should be recorded, but the collection of such data is often curiously absent
when times are critical to an effective defence. In one case, hundreds of file time
stamps extended for a half-day after the time when a live computer was impounded, but
the police investigator failed to account for the disparity in any reports, until this issue
was raised by defence.27
c. Integrity
Maintaining the integrity of digital evidence throughout the process of examination
presents different problems from those encountered when handling traditional physical
or documentary evidence. Both for purposes of admissibility and persuasive value of
27
Introduction to Electronic evidence by Sindh Judicial Academy
digital evidence, it must be shown in court that the information obtained from the
media is a true and accurate representation of the data originally contained in the
media, irrespective of whether the acquisition was done entirely by the investigator or
in part or entirely by a civilian witness or victim.
After seizure, ensuring that the traditional chain of custody remains unbroken is
necessary but not sufficient to establish the authenticity of the data or evidence
obtained from the forensic examination. In case of digital evidence, two chains of
custody may be involved: the physical item itself and its associated data. The
investigators must be aware that the chain-of-custody issues regarding data are
additional to the chain-of-custody issues regarding the physical item. In addition to the
traditional chain of custody, auxiliary precautions may be required for handling digital
evidence. Prosecutors need to consider the following key points:
• Is there a complete audit trail for the handling of the data through to the
production of exhibits?
• Would an independent third party be able to reproduce the steps taken and
achieve the same results?
If the evidence is still on the original medium but the initial procedure used to gather
the information was less than ideal, law enforcement may be in a position to resolve
evidentiary issues even if they cannot perform their own collection process.
28
ibid
The investigation officer should be familiar with standards, policies,
procedures, or other guidelines followed by the examining expert, laboratory or unit,
related to chain of custody, both generally and for electronic evidence specifically. He
should determine whether they have been followed or whether a deviation has occurred
and understand the effect that all deviations may have on the case and be prepared to
explain them.
1. What types of digital evidence have been collected prior to the involvement of law
enforcement? For example, in a kidnapping case, does a hardcopy (printed) version
of the email exist? Is an electronic copy available? Does it contain full header
information?
2. Who handled the evidence?
a. Document the name and job function of each individual who handled the digital
evidence.
Be aware that more than one person could be involved in this process.
b. Identify everyone who had control of the digital evidence after it was examined
and before it was given to law enforcement.
3. How was the digital evidence collected and stored?
b. Determine who had access to the digital evidence after it was collected—
anyone with access to the evidence should be considered part of the chain of
custody. Account for all storage of data
4. When was the evidence collected? Document the date and time when the evidence
was gathered (including a reference to time zone if necessary)
5. Where was the evidence when it was collected? digital evidence may exist in more
than one location simultaneously (e.g., e-mail may be located on the sender’s
computer, the recipients’ computers, and their respective ISPs)
In Qurban Ali v. Statecase. it was argued that anyone can send an e-mail to any other
person, if he or she knew e-mail address or account name of that person. Address of the
telephone holder/owner could be attained from PTCL/NTC. In that way E-mail sending
computer could be identified and the data of E-mail can be retrieved from it by using
computer forensics tools and it is also possible to prove it in court of law, provided a
proper chain of custody is mentioned, it was, however, difficult to identify the
particular person who sent the e-mail; that was the area where investigation by some
police agency was required. No law exists by which Cyber Cafes were required to keep
record of persons using the computer of Cyber Cafes, in circumstances did not keep
record of persons using computers, nor did they keep history of data for long. 29 The
Karachi High court held that the prosecution, in the case had not taken any effort to
prove e-mail in accordance with law that could not be relied upon and thus, was
discarded.30
d. Reliability
Digital records can be altered easily and opposing parties may allege that digital
records lack authenticity because they have been tampered with or changed after they
were created. Reliability is required of the computer process and not that of the data
content. A few things can be done to reduce this possibility:
29
Qurban Ali v. State (2007 P.Cr.L.J 675),
30
ibid
Metadata. A computer not only creates files in which data are stored, while it is
doing so it also creates ‘metadata’ files. Metadata is ‘data about data.’ It includes such
information as when a particular file was created, by which user of a computer, and
whether the file has been subsequently accessed or altered. The information stored
within metadata can be used to build timelines, establish alibis, and can shed light on a
particular issue in a case, or it can be the turning point altogether. It will also associate
certain file types with the software designed to create and read them. It is, therefore,
important to seize the computer software to show computer generated ‘associations’
between a particular file types and software. Having the program that creates the data
goes a long way to prove the same program will accurately print it out.
Hashing Codes.
31
Introduction to Electronic evidence by Sindh Judicial Academy