
UNIT – 3

Forensic Investigation, Evidence Presentation and Legal aspects of Digital Forensics
Faculty – Hepi Suthar
Authorization to collect the evidence
• Original identification sighted by agency
• If the agency has public facing offices, the original identification
documents could be shown to an agency officer, who could make a
file note confirming the original document has been sighted. There is
also an area on the application form where the officer can confirm
the original identification was sighted.
• There is no need to photocopy the evidence of identity document,
however, the agency may wish to take a copy of an agent authority.
Certified copies
• The most common method of providing evidence of identity is by way
of a certified copy. A photocopy of the evidence of identity document
must be certified as a correct copy of the original by a ‘qualified
witness’ which means a Justice of the Peace, lawyer, Commissioner
for Declarations or notary public.
• Under no circumstances can a qualified witness certify their own
identification.
Providing electronic copies
• The RTI Act and the IP Act do not specify how copies of evidence of identity documents are to be
given to an agency.  If the agency allows, they can be provided electronically, such as by email or fax.
• Country provides that where a State law requires or permits the production of a paper document an
electronic version may be provided if the following conditions are met:
• The method used to produce the electronic copy of the document ensures the integrity of the
document’s information, i.e. the information is complete and unaltered, apart from immaterial or
endorsed changes.
• The information in the electronic document will be readily accessible for subsequent reference.
• The person the paper document is to be given to agrees to receive an electronic copy of the document.
• It is up to each agency to decide whether it is appropriate to accept identity documents electronically,
taking into account any general restrictions about receipt of sensitive personal information
documents. However, allowing these documents to be provided electronically can help simplify the
application process.
Dealing with a second agent
• On some applications that have an applicant and agent, or child and parent, the agent or parent
will ask someone else to deal with the agency. This ‘second agent’ will often be a lawyer, but not
always. Sometimes, particularly in the case of a parent applying on behalf of a child, it may be
another family member.
• There is nothing in the Act that prevents this. For these applications, agencies will need to first
satisfy the identity and authority requirements of the Act in relation to the applicant and agent
or parent and child. Then they will need to decide, as a matter of policy, what they require to
satisfy themselves that the second agent is properly authorised to represent the parent or agent.
• Where the applicant is a child, written confirmation from the parent that the second agent is
acting for them may be sufficient. Where the applicant is an adult, the agency may want
confirmation from the applicant as well as the first agent that the second agent is authorised to
deal with the agency in relation to the application. Where the second agent is a lawyer,
confirmation on firm letterhead that the lawyer is acting for the agent or parent may be enough
to satisfy the agency.
Applications for access to non-personal
information
• If the application does not seek access to documents containing the applicant's personal
information:
• the applicant does not need to provide evidence of their identity; and
• an agent does not need to provide evidence of identity or evidence of authority to act for the
applicant.
• However, if an agent applies for sensitive information about the applicant, such as confidential
information about the company that they claim to be acting for, and the agency has concerns
about the agent's authority to act, then those concerns may be taken into account when making
the access decision.
• Before doing so, however, it would be reasonable for the agency to speak with the agent
explaining those concerns, the possible ramifications on the decision and ask them to provide
proof of their authority to act for the applicant. However, the agent is not required to provide
evidence of authority, and the application will be valid even if they refuse, as it is not a
requirement of the RTI Act.
Authentication of the evidence
• Just because a witness or party has written evidence to support his claim does not
automatically mean that a judge will allow that evidence to be presented to the jury.
One test evidence must meet in order to be deemed admissible by the court is that
the evidence must be authentic.
• Authentication refers to a rule of evidence which requires that evidence must be
sufficient to support a finding that the matter in question is what its proponent claims.
The "authenticity" rule relates to whether the subject of an evidentiary offering
(generally a tangible thing), is what it purports to be. This is a legal way of saying that
evidence must be proven to be genuine to be admissible.
• The issue of authenticity must be determined at two stages of a proceeding. First, the
court must determine if the proffered item appears sufficiently genuine so that its
admission could assist the fact-finder (usually the jury). Second, the fact-finder must
ultimately decide whether he believes that the evidence is actually genuine.
• For instance, evidence may be authenticated by the testimony of a witness that a matter is what it
is claimed to be; as in the case of a witness testifying that a picture accurately represents the
object in the photograph.
• Authentication of evidence may also be accomplished when it involves a writing authorized by law
to be recorded or filed which has been recorded or filed in a public office, or a purported public
record, report or statement. Telephone conversations may be authenticated by evidence that a
call was made to the number assigned at the time by the telephone company to a particular
person or business.
• However, the fact that evidence is found by the court to satisfy the authenticity requirement does
not mean that it is necessarily admissible. Authenticated evidence may be excluded by other rules
such as those that relate to hearsay. For instance, a police report by an investigating officer can be
authenticated by having the policeman testify at trial that the report is genuine and was created
by him. However, that report is hearsay, since it is a writing, and would not be admissible under
the hearsay rule even though it initially became authenticated by the officer's testimony.
• Authentication of evidence is an important factor for your attorney to
consider when the case proceeds to trial. Some states have laws that
provide a procedure to have evidence deemed authentic. For instance, some
states provide that a person's medical records are automatically deemed
authentic if the healthcare provider who provides the records certifies in
writing that the copies of the records are a true and accurate copy.
• The rule of authentication must be applied in conjunction with the other
rules of evidence to ensure that the judge will allow the evidence to be
presented to the jury. There is nothing more devastating to a case than a
court's exclusion of valuable written evidence on the grounds that the
attorney has failed to properly authenticate the evidence.
Performing RAID Acquisition
• RAID stands for Redundant Array of Inexpensive Disks and is a method of
storing data on hard drive disks to ensure that it is protected in the event of
hardware failure. Typically, in a RAID setup, hard drives are grouped
together and work to keep a copy or multiple copies of data on them.
• Currently, there are several levels of RAID which have their own techniques
and methods for how data is preserved. These techniques include data
mirroring, striping, and parity. In short, data mirroring writes data to two
drives simultaneously. Striping, on the other hand, spreads the data across
the available drives in chunks. Lastly, parity ensures that data has been
transferred correctly when it is moved between drives. Depending on the
RAID level, one or more of these techniques will be used.
RAID Levels
• Currently, there are several types of RAID levels that can be used to preserve data on hard
drives. The most basic are RAID levels 0, 1, and 3, though there are many more. The RAID level
employed by an organization depends on what the company hopes to achieve. As mentioned
earlier, different levels use different techniques for storing data.
• RAID 0: This level performs basic disk striping. Data is simply spread across all the hard drives in
the RAID group in chunks. This level offers the best performance, as no single hard drive is
tasked with the load of storing all the data. However, with RAID 0, should a disk fail, the data on
that particular disk is lost.
• RAID 1: This level performs disk mirroring. As mentioned earlier, disk mirroring stores data on
two separate drives simultaneously. An advantage of RAID 1 is that there is always a full copy of
data should one of the drives fail. However, RAID 1 is slower in writing data to disks since it has
to perform the action twice (once for each drive).
• RAID 3: This level uses a specialized disk called a parity disk to store the parity information of
the data being stored. Parity is essentially a special number generated when data is written to a
drive. This special number is stored on the parity disk and is used in the event that a drive fails
in order to recreate the data that was lost.
RAID in Digital Forensic Investigations
• Due to their ability to store large amounts of data, RAID disks are valuable sources of evidence for forensic
investigations. However, investigators must know how to properly access this trove of data or risk corrupting it.
For example, suppose an investigator is working to retrieve data stored on a RAID 0 group of disks. If he
accidentally damages a disk, the part of the data stored on that disk will be lost unless there is another backup
stored elsewhere. Generally, there is a process that investigators can use in order to ensure data is preserved
during a forensic investigation.
• Determine the level for the RAID system: This is one of the most important steps, as it will determine how an
investigator will work with the disks.
• Create additional backups: Creating additional backups of the drives will ensure that data is not completely lost
should something happen to the RAID disks.
• Analyze the data: Once additional backups have been created, an investigator can then begin to analyze the data
stored on the RAID disks.
• Gather evidence: Throughout the analysis phase, investigators should begin collecting any evidence pertinent to
the investigation.
• Create reports: Towards the end of the investigation, reports should be drafted to present any findings and next
steps.
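The striping and parity techniques described under RAID Levels, and the reason the RAID level must be determined before analysis, shown as an added Python example that is not part of the original slides. The chunk size, the three-member layout and the sample data are constructed for illustration, and parity is assumed to be byte-wise XOR.

```python
# Added illustration (not from the slides): RAID 0 striping and XOR parity on
# constructed sample data. Chunk size and member count are assumptions.
from functools import reduce

def stripe(data: bytes, n_disks: int, chunk: int) -> list:
    """RAID 0: deal fixed-size chunks round-robin onto n_disks member images."""
    disks = [bytearray() for _ in range(n_disks)]
    for i in range(0, len(data), chunk):
        disks[(i // chunk) % n_disks] += data[i:i + chunk].ljust(chunk, b"\x00")
    width = max(len(d) for d in disks)          # pad members to equal size
    return [bytes(d.ljust(width, b"\x00")) for d in disks]

def destripe(disks: list, chunk: int, length: int) -> bytes:
    """Rebuild the logical volume; member order and chunk size must be right."""
    out = bytearray()
    for off in range(0, len(disks[0]), chunk):
        for d in disks:
            out += d[off:off + chunk]
    return bytes(out[:length])

def xor_parity(disks: list) -> bytes:
    """Parity member: byte-wise XOR of all members at the same offset."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*disks))

def rebuild_missing(surviving: list, parity: bytes) -> bytes:
    """Recover one lost member from the survivors plus the parity member."""
    return xor_parity(surviving + [parity])

if __name__ == "__main__":
    volume = b"EVIDENCE-BLOCK-0123456789"       # constructed sample data
    members = stripe(volume, n_disks=3, chunk=4)
    # Correct member order reproduces the volume; a wrong order does not.
    print(destripe(members, 4, len(volume)) == volume)
    print(destripe(members[::-1], 4, len(volume)) == volume)
    # With a parity member, one lost data member can be recomputed.
    parity = xor_parity(members)
    print(rebuild_missing([members[0], members[2]], parity) == members[1])
```

Reassembling with the wrong member order or chunk size yields a volume that does not match the original, which is why the layout is established on copies before any analysis.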
Remote Network Data Acquisition Tools
Validating Forensic Data
• Validation is the confirmation by examination and the provision of objective
evidence that a tool, technique or procedure functions correctly and as
intended. Verification is the confirmation of a validation with a laboratory's
tools, techniques and procedures.
• One of the most critical aspects of computer forensics
• Ensuring the integrity of data you collect is essential for presenting evidence
in court
• Most computer forensic tools provide automated hashing of image files
• Computer forensics tools have some limitations in performing hashing
• Learning how to use advanced hexadecimal editors is necessary to ensure data
integrity.
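The hashing of image files mentioned above, as an added Python example that is not part of the original slides. It goes one step beyond a single whole-image hash by also hashing fixed-size pieces, so a mismatch can be located within the image; the function names, the 4096-byte piece size and the sample image are constructed for illustration.

```python
# Added illustration (not from the slides): validating a working copy of a
# forensic image against the original with whole-image and piecewise hashes.
import hashlib
import io

def image_digest(stream, algo: str = "sha256", bufsize: int = 1 << 20) -> str:
    """Hash a whole image in buffered reads so large files fit in memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(bufsize), b""):
        h.update(block)
    return h.hexdigest()

def piecewise_digests(stream, piece: int = 4096, algo: str = "sha256") -> list:
    """Hash each fixed-size piece separately, in image order."""
    return [hashlib.new(algo, blk).hexdigest()
            for blk in iter(lambda: stream.read(piece), b"")]

def verify_copy(original, copy, piece: int = 4096) -> tuple:
    """Return (matches, indices of pieces that differ or are missing)."""
    a = piecewise_digests(original, piece)
    b = piecewise_digests(copy, piece)
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # Pieces present in only one of the two images count as differences.
    diff += list(range(min(len(a), len(b)), max(len(a), len(b))))
    return (not diff, diff)

if __name__ == "__main__":
    image = bytes(range(256)) * 64              # constructed 16 KiB sample image
    altered = bytearray(image)
    altered[9000] ^= 0xFF                       # one changed byte in the copy
    print(image_digest(io.BytesIO(image)))
    print(verify_copy(io.BytesIO(image), io.BytesIO(image)))
    print(verify_copy(io.BytesIO(image), io.BytesIO(bytes(altered))))
    print(verify_copy(io.BytesIO(image), io.BytesIO(image[:12288])))
```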
Analysis of the evidence
• Evidence analysis is a process in which evidence related to a criminal
trial is analyzed to learn more about it. While some evidence may
provide all the information one might need with a surface
examination, often, the evidence needs to be explored more deeply.
• This process is conducted by a technician who specializes in the
techniques used to analyze evidence, and has been trained in the
proper care and handling of evidence, to ensure that evidence is not
compromised during the analysis process.
• In the field, investigators collect anything and everything which might
be relevant to a crime, assuming that it would be better to have too
much information than too little. Before being collected, every piece
of evidence is photographed in situ to give the technician and
investigators a frame of reference.
• Then, the evidence is collected in a container appropriate to the
evidence type, before being labeled and tagged. The label includes
data about who collected the evidence, where it was found, and
when it was collected. Then, it can be taken to the lab for processing
and evidence analysis.
Reporting on the findings
• Reporting on the findings
• Testimony
• Writing Investigation Reports.
• Definition of Cyber Crime in IT Act, Structure of IT Act
• Adjudications and Criminal Provisions, Tampering with computer
source documents and Hacking
• Online Obscenity & Pornography, Cyber Stalking
• Theft of Identity
• Cyber Defamation
• Admissibility of Digital Evidence.
Definition of Cyber Crime in IT Act
• Cybercrime, also called computer crime, the use of a computer as an
instrument to further illegal ends, such as committing fraud,
trafficking in child pornography and intellectual property, stealing
identities, or violating privacy.
Structure of IT Act
Online Obscenity & Pornography
• The concept of obscenity is limited to material depicting hard core
pornography, which means graphic portrayals of ultimate sex acts or
lewd exhibition of sexual organs. Pornography is a non-legal term with
a broader meaning. All obscenity is pornographic, but not all
pornography is obscene.
• Digital Obscenity is the exchanging of sexually expressive materials
within the internet. The Supreme Court of India has characterized
obscene as “repulsive, offensive to modesty filthy, decency or lewd”.
Cyber Stalking
• Cyberstalking is a crime in which someone harasses or stalks a victim
using electronic or digital means, such as social media, email, instant
messaging (IM), or messages posted to a discussion group or forum.
• Some examples of cyberstalking include: Sending manipulative,
threatening, lewd or harassing emails from an assortment of email
accounts. Hacking into a victim's online accounts (such as banking or
email) and changing the victim's settings and passwords.
Cyber Defamation
• Publication of defamatory material against another person with the
help of a computer or the internet (social media or messaging
channels or emails) is known as cyber defamation.
• https://telanganatoday.com/all-you-need-to-know-about-cyber-defamation
Admissibility of Digital Evidence
• Under Section 65B(1), any information contained in an electronic
record, which has been stored, recorded or copied as a computer
output, shall also be deemed as a 'document' – and shall
be admissible as evidence without further proof or production of the
originals, if the conditions mentioned are satisfied.
• https://www.google.com/search?q=Admissibility+of+Digital+Evidence
