Admissibility of Electronic & Telegraphic Evidence under Law of

Evidence in Pakistan

Presented by:

Mr. Muhammad Asawal Khan

Table of contents

Chapter 1: Introducing Digital & Electronic

Evidence……………………………………...
1.1 Introduction…………………………………………………………………………
1.2 Defining Digital & Electronic evidence……………………………………………
Chapter 2: Digital & Electronic Evidence in Pakistan, its relevant provisions and
judgmental development………………………………………………………………………
2.1 Presentation and use of Digital Evidence in Courts………………………………
2.2 Admissibility and Acceptability of Digital Evidence ……………………………
2.2.1 Rule against Hearsay…………………………………………………………..
2.2.2. Best evidence rule…………………………………………………………….
2.3 Electronic evidence in terms of “The Qanun-e-Shahadat Order 1984”……….
2.3.1 Changes brought by second schedule of Electronic Transaction Ordinance,
2002 in QSO, 1984……………………………………………………
2.4 Detailed evaluation of Digital evidence through Electronic Transactions Ordinance,
2002………………………………………………………………………………..
2.4.1 Section 3 of the Electronic Transactions Ordinance, 2002……………………
2.4.1.1 Criterion for assessing the admissibility of the document…………
2.4.1.1.1 Other Requirements…………………………………………
2.4.2 Section 5 as to requirements for any document to be deemed admissible…
2.4.2.1 Establishing Authorship of the Record…………………………………
2.4.2.2 Confusing Time Stamps…………………………………………………

Abstract

Criminals use mobile phones, laptop computers, and network servers in the course of
committing their crimes. In some cases, computers provide the means of committing crime.
For example, the Internet can be used to deliver a death threat via email, to launch hacker
attacks against a vulnerable computer network, to disseminate computer viruses, or to
transmit images of child pornography. In other cases, computers merely serve as convenient
storage devices for evidence of crime. For example, a drug dealer might keep a list of who
owes him money in a file stored in his desktop computer at home, or a money laundering
operation might retain false financial records in a file on a network server. Indeed, virtually
every class of crime can involve some form of digital evidence

Chapter 1: Introducing Digital & Electronic Evidence

1.1 Introduction
Digital evidence or electronic evidence is any probative information stored or transmitted in
digital form that a party to a court case may use at trial. Before accepting digital evidence, a
court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and
whether a copy is acceptable, or the original is required.

The use of digital evidence has increased in the past few decades as courts have
allowed the use of e-mails, digital photographs, ATM transaction logs, word processing
documents, instant message histories, files saved from accounting programs, spreadsheets,
internet browser histories, databases, the contents of computer memory, computer backups,
computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door
locks, and digital video or audio files.

Digital forensics combines computer science concepts, including computer

architecture, operating systems, file systems, software engineering, and computer networking
as well as legal procedures that describe criminal and civil litigation, cyber law, and rules of
evidence.1The digital forensics process encompasses identifying activity that requires
investigating (including determining pertinent digital sources), collecting information,
preserving the information from inadvertent changes, analysing the information, and
reporting the results of the examination. 2 Digital evidence (also called digital forensic
evidence) is the product of the digital forensics process.3 Digital evidence comes from a
variety of sources including computing devices (e.g., desktop and laptop computers, digital
cameras, music players, personal digital assistants [PDAs], and cellular telephones); network
servers (e.g., supporting applications such as Web sites, electronic mail [e-mail], and social
networks); and network hardware (e.g., routers found in businesses, homes, and the backbone
of the Internet.4 Information of evidentiary value may be found on digital media such as
compact discs (CDs), digital versatile discs (DVDs), floppy disks, thumb drives, hard drives,
and memory expansion cards found in digital cameras and mobile phones. 5 To make
informed and proper decisions about the acceptability of digital evidence sources and expert
testimony, judges and other judicial panels must be knowledgeable in a variety of information
and communication technology (ICT) areas.6 All too often, however, this knowledge is based

1
Kerr, 2009; Whitcomb, 2002
2
Casey, 2011; National Institute of Justice [NIJ], 2007; Palmer, 2002
3
Cohen, 2008, 2010
4
Brown, 2010; Casey, 2011; NIJ, 2007
5
Brown; Casey; NIJ
6
Casey, 2011; Frowen, 2009
not on formal training and education but on personal experiences involving the use of
7
computers and networks such as the Internet.

Judges must be able to balance the imperatives of a thorough examination with the
needs of a speedy trial.8Most people are not consciously aware of the impact that digital
devices and the large volume of data stored in digital repositories have on everyday life. 9 As
examples of this impact, consider automated operations and functions within computer
controlled buildings, utility company facilities, and telecommunication carrier networks; data
gathered by security systems, closed-circuit television, surveillance cameras, and
automobiles; and online activities such as e-mail, online payment systems, and social
networks. As a consequence of the increasing use of ICTs that, a few years ago, were used
only by technologists and the increasing depiction of computer technology in the popular
media, technology users have an overly simplistic or incorrect understanding of how these
ICTs work.10 For this reason, it may be quite difficult for individuals to apply critical analysis
to statements based on digital forensic evidence offered as fact in a courtroom.11

1.2 Defining Digital & Electronic evidence

Digital evidence has been previously defined as any data that can establish that a crime has been
committed or can provide a link between a crime and its victim or a crime and its perpetrator. It is
any information of probative value that is either stored or transmitted in a digital form. 12 Another
proposed definition of digital evidence is, information stored or transmitted in binary form that may
be relied upon in court. 13 However, these definitions focus too heavily on proof and neglect data that
simply further an investigation. Additionally, the term binary in the later definition is inexact,
describing just one of many common representations of computerized data. A broader definition
proposed by the Association of Chief Police Officers is information and data of investigative value
that are stored on or transmitted by a computer. A more general definition proposed by BrianCarrier
is digital data that support or refute a hypothesis about digital events or the state of digital data.

In Electronic Transaction Ordinance, 2002, the term electronic is defined as “electronic”

includes electrical, digital, magnetic, optical, biometric, electrochemical, wireless or electromagnetic

7
Cohen, 2008, 2010; Losavio, Adams, & Rogers, 2006
8
Casey, Ferraro, &Nguyen, 2009)
9
O’Harrow, 2006
10
Del Bosque&Chapman, 2008
11
Dinat, 2004; Mason, 2008
12
The definition proposed by the Standard Working Group on Digital Evidence (SWGDE)
13
The definition proposed by the International Organization of Computer Evidence (IOCE)
technology,14 by means evidence taken from such terms can be attributed as electronic or digital
evidence. The electronic evidence can further be elaborated from definitions of “electronic
document” which includes documents, records, information, communications or transactions in
electronic form,15 and “electronic signature” which means any letters, numbers, symbols, images,
characters or any combination thereof in electronic form, applied to, incorporated in or associated
with an electronic document, with the intention of authenticating or approving the same, in order to
establish authenticity or integrity, or both. 16

Chapter 2: Digital & Electronic Evidence in Pakistan, its relevant provisions and
judgmental development

2.1 Presentation and use of Digital Evidence in Courts

Generally, in the prosecutorial environment, theories based upon scientific truth are
subordinate to legal judgment and digital investigators must accept the ruling of the
court. It is important to keep in mind that discrepancies between legal judgment and
theories based on scientific truth may arise from a lack of understanding on the part of
the decision makers. When technical evidence supporting theories based on scientific
truth is presented to a trier of fact who are not familiar with the methods used,
misunderstandings and misconceptions may result. To minimize the risk of such
misunderstandings, the investigative process and the evidence uncovered to support
prosecution must be presented clearly to the court.

2.2 Admissibility and Acceptability of Digital Evidence

In general, the principles of admissibility are that the evidence must be relevant to the
proof of a fact in issue, to the credibility of a witness or to the reliability of other
evidence, and the evidence must not be inadmissible by virtue of some particular rule
of law.17

There are some general principles of evidence that can affect the admissibility
and weight of electronic records in court. The main two evidentiary principles that
affect digital records are the hearsay rule and its exceptions, and the best evidence
rule.

14
Sec 2 (b) (l) of Electronic Transaction Ordinance, 2002
15
Sec 2 (b) (m) of Electronic Transaction Ordinance, 2002
16
Sec 2 (b) (n) of Electronic Transaction Ordinance, 2002
17
Keane, A (1994) The Modern Law of Evidence (London: Butterworths).
2.2.1 Rule against Hearsay
“Hearsay” is a long-standing legal concept and one that is central to the issues
surrounding documentary evidence. The inadmissibility of hearsay is one of the best-
known rules in evidence law. The word itself contains a hint to its meaning: courts do
not want to receive second-hand information, which has come into to court via
someone “hearing” what another person “said”. Courts want witnesses to testify to
what they themselves saw, perceived, or knew, to preserve accuracy and to allow for
meaningful cross-examination to take place.

Generally, neither party will be able to introduce hearsay evidence in order to

prove the truth of the statement being asserted. The rule creates the basic position that a
document cannot be used as proof of the “facts” to which it refers. That is, a letter
saying I saw “X” do something cannot be used to prove the fact that X did it (unless an
exception to the hearsay rule applies).

Over time exceptions to the hearsay rule were introduced to allow documents to
be admitted to provide evidence of facts. Evidence derived from a computer or an
electronic device constitutes real or direct evidence when it is used circumstantially
rather than testimonials, that is to say when the fact that it takes one form rather than
another makes it relevant, rather than the truth of some assertion which it contains.
Computer output is admissible as real evidence since it does not purport to reproduce
any human assertion which had been entered into it. The machine is a tool and that in
the absence of any evidence that it is defective, the printout, the product of a
mechanical device, falls into the category of real evidence.

2.2.2. Best evidence rule

The best evidence rule requires that the original of any record or document be used if
available. It can also mean that copies, even if introduced, are given lower weight. The
rule need not be satisfied if the original has been lost or it is impractical or unduly
burdensome to produce the original. It also is not attracted where the original is a public
record in the custody of the state archives and a certified copy is available, or the
original is in the possession of the other party to the case.

In an electronic environment, it can be difficult to determine the original record. Most

digital evidence exhibits produced in a court are derived from material originally
acquired, not the material itself. Often, at the very least, it will be a printout of material
originally found in digital form. To take the matter a little further, by itself an entire log
file is indigestible; usually someone will have used software tools to look for patterns
of activity that are thought to be significant. The same applies to any of the large
databases that are usually at the heart of most commercial enterprise packages, which
record orders received, goods dispatched, send invoices and create a general ledger; it
will only be selections from the database that are relevant.

The best evidence rule is likely to be most problematic for digital records in
situations where the other party disputes the version of the record (claim that the print-
out is inaccurate or has been tampered with). It will also matter in situations where it is
impossible to accurately render what is seen on-screen in a printed form. In that
situation, one may wish to argue that the original is the electronic version, and as such,
constitutes the best evidence available. Legislation in many countries has created
admissibility of digital evidence by enactment of statutory provisions.

2.3 Electronic evidence in terms of “The Qanun-e-Shahadat Order 1984”

Recognizing the importance and ubiquity of evidence generated by modern devices, the
Federal Shariat Court observed as follows,18

“With the development of scientific knowledge provisions of the Code of Criminal

Procedure and Qanun-e-Shahadat Order, 1984 have to be construed afresh in the light
of latest scientific developments. Article 164 of Qanun-e-Shahadat Order, 1984 has
resolved the problem by enacting that in such cases that the Court may consider it
appropriate it may allow to be produced any evidence that may become available
because of modern devices or techniques.”

Article 164, Qanun-e-Shahadat, 1984, expressly authorizes Court to allow to

produce evidence that may have become available because of modern devices or
techniques in such cases as it may consider appropriate. Audio cassette and tape-
records were thus, admissible in evidence. 19 On the other hand, the Indian Supreme
Court has clarified that tape-recorded conversation can only be relied upon as
corroborative evidence of conversation deposed by any of the parties to the

18
Muhammad Shahid Sahil v. State (PLD 2010 FSC 215
19
Saifur Rehman Khan v. Shahab-ud-Din 1995 MLD 1485; Gulzar Hussain Awan v. Akbar 1999 YLR
2250
conversation and in the absence of evidence of any such conversation, the tape-
recorded conversation is indeed no proper evidence and cannot be relied upon.20

2.3.1 Changes brought by second schedule of Electronic Transaction Ordinance,

2002 in QSO, 1984
Extensive changes have been brought by the legislature in Qanun-e-Shahadat, 1984
through second schedule of the Electronic Transaction Ordinance, 2002 to meet with
the situation like present one and electronically gathered evidence is to be treated as
primary evidence. The Lahore High Court has discussed these developments in detail in
as follows:
“No doubt that criterion for assessing the admissibility, of the document or information,
etc. is that the same should remain complete and un-altered but at the same time it is
also provided in the above quoted law that if there is any addition in instrument, and
that arise in normal course, and the document is still complete and un-altered, that
could not be brushed aside. The legislature in its wisdom has amended the provision of
Article 2(e) of Qanun-e-Shahadat, 1984 in terms of section 29 of Electronic
Transactions Ordinance, 2002 and by said Ordinance various changes have been made
in definition clause, by addition of Article 2(e) of the Qanun-e-Shahadat, 1984 and all
the documents prepared, produced or generated through Modern devices are admissible
in evidence.21 So, thereafter there remains no ambiguity that any document
electronically transmitted was prepared whether the same is signed or unsigned could
be questioned with reference to the crimes which is subject matter of this appeal. For
facility of reference section 29 and section 2 of the Electronic Transactions Ordinance,
2002 and Article 2(e) of Qanun-eShahadat Order are re-produced:

"Section 29 Amendment of Presidential Order No.X of 1984.--For the

purposes of Ordinance, the Qanun-e-Shahadat, 1984 (P.O. No.10 of 1984)
shall be read subject to amendments specified in the schedule of this
Ordinance."

"2(e) the expression, "automated", "electronic", "information", "information

system",

20
Mahabir Prasad Verma vs. Dr. Surinder Kaur (1982) 2 SCS 258
21
Alamgir Khalid Chughtai v. State (PLD 2009 Lah. 254)
 "electronic documents", "electronic signature", "advanced electronic
signature", and "security procedure" shall bear the meanings given in the
Electronic Transactions Ordinance, 2002.”22

Similarly extensive changes have been brought by the legislature in Qanun-e-Shahadat,

1984 through second schedule of E.T.O.2002 to meet with the situation like present one
and electronically gathered evidence is to be treated as primary evidence, so the
documents tendered in evidence from Exh.PA to Exh.Ph/1 are admissible and duly
proved and there is nothing on record which could show that narration therein was
altered. I may observe here that this is a case of cyber crime wherein latest technology
was used whereby the whole operational system of the State was by-passed meaning
thereby an advance and most revenue generating department of the State was set at
naught with illegal installations. Such crimes have become rampant in the society and
that is the reason the legislature in its wisdom has provided a different criterion about
admissibility of evidence in such like cases. Now a days without any wire one can have
the facility of connection all over the world and the whole business of the world is
going on through Internet, E-Mail etc. and due to development in Science and
Technology, it would not be possible to bring on record the physical existence of
everything, as the whole technology is based on satellite operational net works.”

2.4 Detailed evaluation of Digital evidence through Electronic Transactions Ordinance,

2002
2.4.1Section 3 of the Electronic Transactions Ordinance, 2002 provides as follows:

Legal recognition of Electronic Forms

No document, record, information, communication or transaction shall be denied legal
recognition, admissibility, effect, validity, proof or enforceability on the ground that it
is in electronic form and has not been attested by any witness.

This provision would show that this is a special law, according to which, all the
above documents, record and information were admissible in evidence in their present
form, even if those were not attested by any witness.23

2.4.1.1 Criterion for assessing the admissibility of the document

22
ibid
23
Muhammad Shahid Sahil v. State (PLD 2010 FSC 215
Criterion for assessing the admissibility of the document or information is that the same
should remain complete and un-altered but at the same time it is also provided in the
above quoted law that if there is any addition in instrument, and that arise in normal
course, and the document is still complete and un-altered, that cannot be brushed aside.
The legislature in its wisdom has amended the provision of Article 2(e) of Qanun-e-
Shahadat, 1984 in terms of section 29 of Electronic Transactions Ordinance, 2002 and
by said Ordinance various changes have been made in definition clause, by addition of
Article 2(e) of the Qanun-e-Shahadat, 1984 and all the documents prepared, produced
or generated through modern devices are admissible in evidence.

2.4.1.1.1 Other Requirements

Though it has been conclusively established in Arif Hashwani v. Sadruddin

Hashwanicase, that digital evidence in form of audio, video recorded cassettes, CDs,
etc. is admissible piece of evidence in light of Arts. 164, 46-A, 70(8) (a), 73 & 2(1) (b),
(c), (e) & (f) of Qanun-eShahdat 1984 and the provisions of Electronic Transmission
Ordinance (LI of 2002); in deciding whether to admit the electronic data into evidence,
courts must confront concerns about the reliability, accuracy, and authenticity of
computer records.24 Law enforcement agencies and prosecutors need to ensure that the
evidence is authentic, complete, reliable, accurate, and that the process of obtaining the
evidence follows legal requirements. Some of the special, significant challenges in
having digital evidence admitted into court include:

 Were the records altered, manipulated, or damaged after they were created?

 Who was the author of the record?

 Was the program that converted the digital evidence to words or graphics
reliable?

2.4.2 Section 5 as to requirements for any document to be deemed admissible

Section 5 of the ETO 2002 provides that the requirement under any law for any
document, record, information, communication or transaction to be presented or
retained in its original form shall be deemed satisfied by presenting or retaining the
same if, inter alia, the criterion for assessing the integrity of the document, record,
information, communication or transaction is whether the same has remained complete

24
Arif Hashwani v. Sadruddin Hashwani (PLD 2007 Kar. 448)
and unaltered, apart from the addition of any endorsement or any change which arises
in the normal course of communication, storage or display.

Prosecutors should be conscious of the following when evaluating digital

evidence to be presented in a court:

a. Accuracy
The accuracy of computerized records may be impaired as a result of computer
programming errors, equipment malfunction, and data entry errors. The volume of
relevant electronic data may also impair a court’s ability to verify the information's
integrity.

b. Authenticity
Evidence is not admissible unless it has been authenticated. Authentication means there
is information that can be presented in court to prove that what the person offering the
evidence claims it to be is what it in fact is. The requirement of authentication as a
condition precedent to admissibility is satisfied by evidence sufficient to support a
finding that the matter in question is what its proponent claims. The court warned in
Arif Hashwani v. Sadruddin Hashwani that the authenticity of digital evidence is
always subject to proof in case the party against which it can be used disputed or denied
the authenticity and information contained in the said electronic documents.25

To demonstrate that digital evidence is authentic, it is generally necessary to

satisfy the court that it was acquired from a specific computer and/or location, that a
complete and accurate copy of digital evidence was acquired, and that it has remained
unchanged since it was collected. In some cases, it may also be necessary to
demonstrate that specific information is accurate, such as dates associated with a
particular file that is important to the case.26

2.4.2.1 Establishing Authorship of the Record

• Where was the storage device (drive, disk, or other medium) found?

• What was the access of others to the storage devices/medium?

• Trace evidence on storage devices/computer components

• Passwords/screen names/chat names and who owned or had access to them

25
Arif Hashwani v. Sadruddin Hashwani (PLD 2007 Kar. 448)
26
ibid
 • Names of folders and labels upon which the data was contained

• Authorship tools that embed names of people who created or modified

documents

• Source of e-mails that contain attachments

• Circumstantial evidence that the alias used is attributable to a particular person

2.4.2.2 Confusing Time Stamps

Issues involving time stamp metadata can confound the establishment of timelines of
computer activity (such as those that could corroborate alibis). Such information is not
even required to be provided in a uniform fashion. Law enforcement forensic reports
may freely mix Universal (or Greenwich Mean) Time, Standard Time and Daylight
Savings Time, sometimes even without annotation. If this is given only in the form of
derivative evidence, there may be no easy way for the defence attorney to correlate the
various time conventions with the actual data, and much effort may expended by the
forensic team in order to determine “what happened when” on the computer.

Rarely is there any indication in the report as to whether the system clock was
properly functioning, or what its offset may have been to real-time. If the system was
live when confiscated, its clock would likely be viewable on the display, and this
information should be recorded, but the collection of such data is often curiously absent
when times are critical to an effective defence. In one case, hundreds of file time
stamps extended for a half-day after the time when a live computer was impounded, but
the police investigator failed to account for the disparity in any reports, until this issue
was raised by defence.27

Although Microsoft generally discredits the reliability of the “last accessed”

timestamp, since it is easily altered by system operations that are not directly user-
initiated, either or both prosecution and defence may choose to use this metadata if it is
helpful to their construction. Best practice should be to always disallow it for any use.

c. Integrity
Maintaining the integrity of digital evidence throughout the process of examination
presents different problems from those encountered when handling traditional physical
or documentary evidence. Both for purposes of admissibility and persuasive value of

27
Introduction to Electronic evidence by Sindh Judicial Academy
digital evidence, it must be shown in court that the information obtained from the
media is a true and accurate representation of the data originally contained in the
media, irrespective of whether the acquisition was done entirely by the investigator or
in part or entirely by a civilian witness or victim.

Chain of custody and integrity documentation is critical for demonstrating the

authenticity of digital evidence. A proper chain of custody demonstrates that digital
evidence was acquired from a specific system and/or location, and that it was
continuously controlled since it was collected. Thus, proper chain of custody
documentation enables the court to link the digital evidence to the crime. Incomplete
documentation can result in confusion over where the digital evidence was obtained
and can raise doubts about the trustworthiness of the digital evidence. Integrity
documentation helps demonstrate that digital evidence has not been altered since it was
collected. 28

After seizure, ensuring that the traditional chain of custody remains unbroken is
necessary but not sufficient to establish the authenticity of the data or evidence
obtained from the forensic examination. In case of digital evidence, two chains of
custody may be involved: the physical item itself and its associated data. The
investigators must be aware that the chain-of-custody issues regarding data are
additional to the chain-of-custody issues regarding the physical item. In addition to the
traditional chain of custody, auxiliary precautions may be required for handling digital
evidence. Prosecutors need to consider the following key points:

• Has the data been produced in its entirety?

• Is it possible to demonstrate that no change has occurred to the data?

• Is there a complete audit trail for the handling of the data through to the
production of exhibits?
• Would an independent third party be able to reproduce the steps taken and
achieve the same results?
If the evidence is still on the original medium but the initial procedure used to gather
the information was less than ideal, law enforcement may be in a position to resolve
evidentiary issues even if they cannot perform their own collection process.

28
ibid
 The investigation officer should be familiar with standards, policies,
procedures, or other guidelines followed by the examining expert, laboratory or unit,
related to chain of custody, both generally and for electronic evidence specifically. He
should determine whether they have been followed or whether a deviation has occurred
and understand the effect that all deviations may have on the case and be prepared to
explain them.

To reinforce adherence to traditional chain-of-custody procedures, law enforcement

investigating a case involving digital evidence should ask the following questions to
determine how evidence was handled before they became involved.

1. What types of digital evidence have been collected prior to the involvement of law
enforcement? For example, in a kidnapping case, does a hardcopy (printed) version
of the email exist? Is an electronic copy available? Does it contain full header
information?
2. Who handled the evidence?

a. Document the name and job function of each individual who handled the digital
evidence.

Be aware that more than one person could be involved in this process.

b. Identify everyone who had control of the digital evidence after it was examined
and before it was given to law enforcement.
3. How was the digital evidence collected and stored?

a. Identify all tools or methods used to collect the digital evidence.

b. Determine who had access to the digital evidence after it was collected—
anyone with access to the evidence should be considered part of the chain of
custody. Account for all storage of data
4. When was the evidence collected? Document the date and time when the evidence
was gathered (including a reference to time zone if necessary)

5. Where was the evidence when it was collected? digital evidence may exist in more
than one location simultaneously (e.g., e-mail may be located on the sender’s
computer, the recipients’ computers, and their respective ISPs)

Prosecutors should consider the following questions:

 • What kind of machine/device held the digital evidence (is a serial number
present)?

• Who had access to the machine/device?

• Who owned the machine/device?

• Was the machine/device shared?

• Was information retrieved from a network?

• Was information password protected?

• Who had access to password-protected information?

• Is the data located at an offsite location?

In Qurban Ali v. Statecase. it was argued that anyone can send an e-mail to any other
person, if he or she knew e-mail address or account name of that person. Address of the
telephone holder/owner could be attained from PTCL/NTC. In that way E-mail sending
computer could be identified and the data of E-mail can be retrieved from it by using
computer forensics tools and it is also possible to prove it in court of law, provided a
proper chain of custody is mentioned, it was, however, difficult to identify the
particular person who sent the e-mail; that was the area where investigation by some
police agency was required. No law exists by which Cyber Cafes were required to keep
record of persons using the computer of Cyber Cafes, in circumstances did not keep
record of persons using computers, nor did they keep history of data for long. 29 The
Karachi High court held that the prosecution, in the case had not taken any effort to
prove e-mail in accordance with law that could not be relied upon and thus, was
discarded.30

d. Reliability
Digital records can be altered easily and opposing parties may allege that digital
records lack authenticity because they have been tampered with or changed after they
were created. Reliability is required of the computer process and not that of the data
content. A few things can be done to reduce this possibility:

29
Qurban Ali v. State (2007 P.Cr.L.J 675),
30
ibid
 Metadata. A computer not only creates files in which data are stored, while it is
doing so it also creates ‘metadata’ files. Metadata is ‘data about data.’ It includes such
information as when a particular file was created, by which user of a computer, and
whether the file has been subsequently accessed or altered. The information stored
within metadata can be used to build timelines, establish alibis, and can shed light on a
particular issue in a case, or it can be the turning point altogether. It will also associate
certain file types with the software designed to create and read them. It is, therefore,
important to seize the computer software to show computer generated ‘associations’
between a particular file types and software. Having the program that creates the data
goes a long way to prove the same program will accurately print it out.
Hashing Codes.

A hashing code is a mathematical algorithm performed against a file, a group of files,

or the contents of an entire hard drive. More simply, it is a method by which the
metadata associated with a file may be ascertained. Hashing codes are hash value is the
digital version of a thumbprint that as of the creation of an electronic file, becomes
permanent until such time as that file is later altered thus allowing for that file or hard
drive to be uniquely identified as it exists at the time it was hashed. The two types of
hashes commonly encountered are Message Digest 5 (MD5) and Secure Hash
Algorithm 1 (SHA1). They both serve the same function in the verification of evidence
and they aid in the examination of digital evidence Hashing software is especially
useful in demonstrating, for purposes of evidence authentication, that the electronic file
being offered as evidence at trial is the same file that was previously seized. When a
hard drive is hashed for verification purposes, the hashing process looks at all of the
data on the hard drive and creates a “digital thumbprint” for it. At this point, the
hashing process has performed its primary function, which is the verification of the data
on the hard drive; the perfect snapshot in time of the data has been created. At this
point, only the hard drive has a hash value. All of the files and documents that reside on
the hard drive do not yet have a hash value. A forensic examiner can hash all of the
files on the hard drive, giving each and every file a unique digital thumbprint, or hash
value. Hash values also allow a forensic examiner to use the hash value from a known
file, and search the suspect’s device for that file, looking for an exact match of that hash
value. Since the hash value is created using the contents of the file and ignores the file
name and file extension, it does not matter if someone tries to hide it by changing the
file extension. 31

31
Introduction to Electronic evidence by Sindh Judicial Academy