Presentation and Legal aspects of Digital Forensics
Faculty – Hepi Suthar

Authorization to collect the evidence
• Original identification sighted by agency
• If the agency has public facing offices, the original identification documents could be shown to an agency officer, who could make a file note confirming the original document has been sighted. There is also an area on the application form where the officer can confirm the original identification was sighted.
• There is no need to photocopy the evidence of identity document, however, the agency may wish to take a copy of an agent authority.

Certified copies
• The most common method of providing evidence of identity is by way of a certified copy. A photocopy of the evidence of identity document must be certified as a correct copy of the original by a ‘qualified witness’ which means a Justice of the Peace, lawyer, Commissioner for Declarations or notary public.
• Under no circumstances can a qualified witness certify their own identification.

Providing electronic copies
• The RTI Act and the IP Act do not specify how copies of evidence of identity documents are to be given to an agency. If the agency allows, they can be provided electronically, such as by email or fax.
• Country provides that where a State law requires or permits the production of a paper document an electronic version may be provided if the following conditions are met:
• The method used to produce the electronic copy of the document ensures the integrity of the document’s information, i.e. the information is complete and unaltered, apart from immaterial or endorsed changes.
• The information in the electronic document will be readily accessible for subsequent reference.
• The person the paper document is to be given to agrees to receive an electronic copy of the document.
• It is up to each agency to decide whether it is appropriate to accept identity documents electronically, taking into account any general restrictions about receipt of sensitive personal information documents. However, allowing these documents to be provided electronically can help simplify the application process.

Dealing with a second agent
• On some applications that have an applicant and agent, or child and parent, the agent or parent will ask someone else to deal with the agency. This ‘second agent’ will often be a lawyer, but not always. Sometimes, particularly in the case of a parent applying on behalf of a child, it may be another family member.
• There is nothing in the Act that prevents this. For these applications, agencies will need to first satisfy the identity and authority requirements of the Act in relation to the applicant and agent or parent and child. Then they will need to decide, as a matter of policy, what they require to satisfy themselves that the second agent is properly authorised to represent the parent or agent.
• Where the applicant is a child, written confirmation from the parent that the second agent is acting for them may be sufficient. Where the applicant is an adult, the agency may want confirmation from the applicant as well as the first agent that the second agent is authorised to deal with the agency in relation to the application. Where the second agent is a lawyer, confirmation on firm letterhead that the lawyer is acting for the agent or parent may be enough to satisfy the agency.

Applications for access to non-personal information
• If the application does not seek access to documents containing the applicant's personal information:
• the applicant does not need to provide evidence of their identity; and
• an agent does not need to provide evidence of identity or evidence of authority to act for the applicant.
• However, if an agent applies for sensitive information about the applicant, such as confidential information about the company that they claim to be acting for, and the agency has concerns about the agent's authority to act, then those concerns may be taken into account when making the access decision.
• Before doing so, however, it would be reasonable for the agency to speak with the agent explaining those concerns, the possible ramifications on the decision and ask them to provide proof of their authority to act for the applicant. However, the agent is not required to provide evidence of authority, and the application will be valid even if they refuse, as it is not a requirement of the RTI Act.

Authentication of the evidence
• Just because a witness or party has written evidence to support his claim does not automatically mean that a judge will allow that evidence to be presented to the jury. One test evidence must meet in order to be deemed admissible by the court is that the evidence must be authentic.
• Authentication refers to a rule of evidence which requires that evidence must be sufficient to support a finding that the matter in question is what its proponent claims. The "authenticity" rule relates to whether the subject of an evidentiary offering (generally a tangible thing), is what it purports to be. This is a legal way of saying that evidence must be proven to be genuine to be admissible.
• The issue of authenticity must be determined at two stages of a proceeding. First, the court must determine if the proffered item appears sufficiently genuine so that its admission could assist the fact-finder (usually the jury). Second, the fact-finder must ultimately decide whether he believes that the evidence is actually genuine.
• For instance, evidence may be authenticated by the testimony of a witness that a matter is what it is claimed to be; as in the case of a witness testifying that a picture accurately represents the object in the photograph.
• Authentication of evidence may also be accomplished when it involves a writing authorized by law to be recorded or filed which has been recorded or filed in a public office, or a purported public record, report or statement. Telephone conversations may be authenticated by evidence that a call was made to the number assigned at the time by the telephone company to a particular person or business.
• However, the fact that evidence is found by the court to satisfy the authenticity requirement does not mean that it is necessarily admissible. Authenticated evidence may be excluded by other rules such as those that relate to hearsay. For instance, a police report by an investigating officer can be authenticated by having the policeman testify at trial that the report is genuine and was created by him. However, that report is hearsay, since it is a writing, and would not be admissible under the hearsay rule even though it initially became authenticated by the officer's testimony.
• Authentication of evidence is an important factor for your attorney to consider when the case proceeds to trial. Some states have laws that provide a procedure to have evidence deemed authentic. For instance, some states provide that a person's medical records are automatically deemed authentic if the healthcare provider who provides the records certifies in writing that the copies of the records are a true and accurate copy.
• The rule of authentication must be applied in conjunction with the other rules of evidence to ensure that the judge will allow the evidence to be presented to the jury. There is nothing more devastating to a case than a court's exclusion of valuable written evidence on the grounds that the attorney has failed to properly authenticate the evidence.

Performing RAID Acquisition
• RAID stands for Redundant Array of Inexpensive Disks and is a method of storing data on hard drive disks to ensure that it is protected in the event of hardware failure. Typically, in a RAID setup, hard drives are grouped together and work to keep a copy or multiple copies of data on them.
• Currently, there are several levels of RAID which have their own techniques and methods for how data is preserved. These techniques include data mirroring, striping, and parity. In short, data mirroring writes data to two drives simultaneously. Striping, on the other hand, spreads the data across the available drives in chunks. Lastly, parity ensures that data has been transferred correctly when it is moved between drives. Depending on the RAID level, one or more of these techniques will be used.

RAID Levels
• Currently, there are several types of RAID levels that can be used to preserve data on hard drives. The most basic are RAID levels 0, 1, and 3, though there are many more. The RAID level employed by an organization depends on what the company hopes to achieve. As mentioned earlier, different levels use different techniques for storing data.
• RAID 0: This level performs basic disk striping. Data is simply spread across all the hard drives in the RAID group in chunks. This level offers the best performance, as no single hard drive is tasked with the load of storing all the data. However, with RAID 0, should a disk fail, the data on that particular disk is lost.
• RAID 1: This level performs disk mirroring. As mentioned earlier, disk mirroring stores data on two separate drives simultaneously. An advantage of RAID 1 is that there is always a full copy of data should one of the drives fail. However, RAID 1 is slower in writing data to disks since it has to perform the action twice (once for each drive).
• RAID 3: This level uses a specialized disk called a parity disk to store the parity information of the data being stored. Parity is essentially a special number generated when data is written to a drive. This special number is stored on the parity disk and is used in the event that a drive fails in order to recreate the data that was lost.
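
The striping and parity techniques described above can be tried on a small scale. The following Python sketch is an added example, not part of the original slides: it stripes a constructed sample volume byte by byte over three data members with a dedicated parity member (the RAID 3 layout), rebuilds one unreadable member from parity, and compares SHA-256 hashes of the reassembled volume. The function names, the stripe size and the sample data are assumptions made for illustration.

```python
import hashlib
from functools import reduce

STRIPE = 1  # bytes per stripe unit (assumed): 1 = byte-level striping as in RAID 3

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity operation."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def build_array(data, n_data):
    """Stripe data over n_data member images and derive the parity image."""
    row = STRIPE * n_data
    data = data.ljust(-(-len(data) // row) * row, b"\x00")  # pad to a full row
    members = [bytearray() for _ in range(n_data)]
    for i in range(0, len(data), STRIPE):
        members[(i // STRIPE) % n_data] += data[i:i + STRIPE]
    members = [bytes(m) for m in members]
    return members, xor_blocks(members)

def rebuild_member(members, parity, missing):
    """Recreate one unreadable member from the surviving members plus parity."""
    survivors = [m for i, m in enumerate(members) if i != missing]
    return xor_blocks(survivors + [parity])

def destripe(members):
    """Reassemble the logical volume by interleaving stripe units in member order."""
    out = bytearray()
    for off in range(0, len(members[0]), STRIPE):
        for m in members:
            out += m[off:off + STRIPE]
    return bytes(out)

def sha256(b):
    return hashlib.sha256(b).hexdigest()

def demo():
    volume = b"CASE-0001 constructed sample volume contents"  # constructed input
    members, parity = build_array(volume, n_data=3)
    acquired = sha256(destripe(members))       # hash recorded when the array was intact
    damaged = [members[0], None, members[2]]   # member 1 could not be read
    damaged[1] = rebuild_member(damaged, parity, missing=1)
    rebuilt = destripe(damaged)
    # Reassembling with the wrong member order changes the hash, so it is detected.
    wrong_order = sha256(destripe(damaged[::-1])) != acquired
    return rebuilt.rstrip(b"\x00") == volume, sha256(rebuilt) == acquired, wrong_order

if __name__ == "__main__":
    print(demo())
```

With RAID 0 there is no parity image, so `rebuild_member` has nothing to work from, which is why a failed RAID 0 member means lost data.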

RAID in Digital Forensic Investigations
• Due to their ability to store large amounts of data, RAID disks are valuable sources of evidence for forensic investigations. However, investigators must know how to properly access this trove of data or risk corrupting it. For example, suppose an investigator is working to retrieve data stored on a RAID 0 group of disks. If he accidentally damages a disk, the part of the data stored on that disk will be lost unless there is another backup stored elsewhere. Generally, there is a process that investigators can use in order to ensure data is preserved during a forensic investigation.
• Determine the level for the RAID system: This is one of the most important steps, as it will determine how an investigator will work with the disks.
• Create additional backups: Creating additional backups of the drives will ensure that data is not completely lost should something happen to the RAID disks.
• Analyze the data: Once additional backups have been created, an investigator can then begin to analyze the data stored on the RAID disks.
• Gather evidence: Throughout the analysis phase, investigators should begin collecting any evidence pertinent to the investigation.
• Create reports: Towards the end of the investigation, reports should be drafted to present any findings and next steps.

Remote Network Data Acquisition Tools

Validating Forensic Data
• Validation is the confirmation by examination and the provision of objective evidence that a tool, technique or procedure functions correctly and as intended. Verification is the confirmation of a validation with a laboratory's tools, techniques and procedures.
• One of the most critical aspects of computer forensics
• Ensuring the integrity of data you collect is essential for presenting evidence in court
• Most computer forensic tools provide automated hashing of image files
• Computer forensics tools have some limitations in performing hashing
• Learning how to use advanced hexadecimal editors is necessary to ensure data integrity.

Analysis of the evidence
• Evidence analysis is a process in which evidence related to a criminal trial is analyzed to learn more about it. While some evidence may provide all the information one might need with a surface examination, often, the evidence needs to be explored more deeply.
• This process is conducted by a technician who specializes in the techniques used to analyze evidence, and has been trained in the proper care and handling of evidence, to ensure that evidence is not compromised during the analysis process.
• In the field, investigators collect anything and everything which might be relevant to a crime, assuming that it would be better to have too much information than too little. Before being collected, every piece of evidence is photographed in situ to give the technician and investigators a frame of reference.
• Then, the evidence is collected in a container appropriate to the evidence type, before being labeled and tagged. The label includes data about who collected the evidence, where it was found, and when it was collected. Then, it can be taken to the lab for processing and evidence analysis.

Reporting on the findings
• Reporting on the findings
• Testimony
• Writing Investigation Reports.
• Definition of Cyber Crime in IT Act, Structure of IT Act
• Adjudications and Criminal Provisions, Tampering with computer source documents and Hacking
• Online Obscenity & Pornography, Cyber Stalking
• Theft of Identity
• Cyber Defamation
• Admissibility of Digital Evidence.

Definition of Cyber Crime in IT Act
• Cybercrime, also called computer crime, is the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy.

Structure of IT Act

Online Obscenity & Pornography
• The concept of obscenity is limited to material depicting hard core pornography, which means graphic portrayals of ultimate sex acts or lewd exhibition of sexual organs. Pornography is a non-legal term with a broader meaning. All obscenity is pornographic, but not all pornography is obscene.
• Digital obscenity is the exchange of sexually expressive materials over the internet. The Supreme Court of India has characterized obscene as “repulsive, offensive to modesty filthy, decency or lewd”.

Cyber Stalking
• Cyberstalking is a crime in which someone harasses or stalks a victim using electronic or digital means, such as social media, email, instant messaging (IM), or messages posted to a discussion group or forum.
• Some examples of cyberstalking include: Sending manipulative, threatening, lewd or harassing emails from an assortment of email accounts. Hacking into a victim's online accounts (such as banking or email) and changing the victim's settings and passwords.

Cyber Defamation
• Publication of defamatory material against another person with the help of a computer or the internet (social media or messaging channels or emails) is known as cyber defamation.
• https://telanganatoday.com/all-you-need-to-know-about-cyber-defamation

Admissibility of Digital Evidence
• Under Section 65B(1), any information contained in an electronic record, which has been stored, recorded or copied as a computer output, shall also be deemed as a 'document' – and shall be admissible as evidence without further proof or production of the originals, if the conditions mentioned are satisfied.
• https://www.google.com/search?q=Admissibility+of+Digital+Evidence