Chapter 3 - Digital Evidence

Uploaded by Krishn kumar

Conditions of Admissibility of Evidence

Section 20 of the Indian Evidence Act, 1872 deals with admissions by persons expressly referred to by a party to a suit.

Statements made by a third person are treated as admissions, and are relevant and admissible, when a party to the suit has expressly referred another person to that third person for information in reference to a matter in dispute.

There are two basic factors that are considered when determining whether evidence is admissible or not:

Relevant
The evidence must tend to prove or disprove a fact in issue in the case. If the evidence does not relate to a fact in issue, it is "irrelevant" and therefore inadmissible; the Court will not receive it.

Reliable
Reliability refers to the credibility of the source of the evidence. For testimony this means the credibility of the witness; for a digital record it means that the record's origin and integrity can be established.

Hence evidence is admissible in Court proceedings only if it is relevant to the facts, issues or matters in dispute.

Evidence that is relevant but does not satisfy the conditions of admissibility cannot be received, and evidence that is technically receivable but irrelevant to the case only wastes the Court's time.

Thus evidence must be relevant and must also satisfy all the specified provisions of admissibility before it can be admitted in a Court of Law.

At present electronic and digital records are also admissible as evidence (in India under Section 65B of the Evidence Act), provided they are relevant, reliable and obtained from an authentic source, i.e. the party producing them can show where the record came from and that it has not been altered since.
Digital Evidence

• Digital forensics is the discipline of identifying, acquiring, preserving and analysing computer-based evidence in the investigation of computer-based crimes.
• Digital forensics faces a few major challenges when it comes to conducting investigations.

• Technical challenges – e.g. differing media formats, encryption, steganography, anti-forensics, live acquisition and analysis.
• Legal challenges – e.g. jurisdictional issues, privacy issues and a lack of standardized international legislation.
• Resource challenges – e.g. volume of data, time taken to acquire and analyse forensic media.
Technical Challenges

• With the rapid development of computer technology over the last decade, technology has been put to both good and bad uses.

• One of the main problems is that as soon as a technique is developed to identify and investigate criminals, another technique appears that helps criminals hide themselves.

• Unlike many other sources of physical evidence, digital evidence is easy to modify, remove or hide, possibly without leaving traces that might identify the criminal. Anti-forensics has therefore become a major challenge for digital forensics.

• Anti-forensic techniques can be classified into the categories listed below.

• Encryption
• Steganography
• Covert channels
• Data hiding in storage space
• Residual data wiping
• Trail obfuscation
• Attacking the tools
• Attacking the investigators
• Encryption
• Encryption is the process of scrambling information so that it can only be decoded and read by someone who holds the correct key. Attackers use it to make evidence on the compromised system unreadable: without the key, or a copy of the decrypted data captured from memory while the system is still running, the investigator sees only ciphertext. This is one of the reasons live acquisition matters.
• Steganography
• Steganography is the practice of concealing data inside an innocuous carrier (an image, audio file, document or network stream) so that the very existence of the hidden data is not apparent. It is not itself encryption, but it is often combined with cryptography: the payload is encrypted first and the ciphertext is then hidden, so that even a discovered payload gives nothing away. Attackers use steganography to hide their data (payloads) on the compromised system. When investigating computer crimes, the investigator has to identify such hidden data in order to reveal the information for further reference.
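The following Python example, added here and not part of the original chapter, shows the simplest form of steganography: hiding a payload in the least-significant bit (LSB) of each byte of a carrier. The carrier (seeded pseudo-random bytes standing in for the pixel bytes of an uncompressed image) and the payload are constructed for the example. It demonstrates why the technique is hard to notice: the carrier keeps its exact size and no byte moves by more than 1.

```python
import random

# Constructed carrier: 4096 bytes of seeded pseudo-random data standing in
# for the pixel bytes of an uncompressed image (no real file is involved).
CARRIER = bytes(random.Random(7).randrange(256) for _ in range(4096))

# Constructed payload; in practice an attacker would encrypt it first.
SECRET = b"drop is /tmp/.cache/x, key rotates 23:00"

LENGTH_PREFIX = 4  # bytes of big-endian length written ahead of the payload


def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of successive carrier bytes.

    A 4-byte length prefix is written first so the extractor knows where the
    message ends. Each payload bit costs one carrier byte, and each carrier
    byte changes by at most 1, which is invisible in an image and leaves the
    file size unchanged.
    """
    data = len(payload).to_bytes(LENGTH_PREFIX, "big") + payload
    if len(data) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):          # most-significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_lsb_bytes(carrier: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of carrier[start:start+8*count]."""
    out = bytearray()
    for k in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (carrier[start + 8 * k + bit] & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(carrier: bytes) -> bytes:
    """Recover a payload hidden by lsb_embed (length prefix first)."""
    length = int.from_bytes(_read_lsb_bytes(carrier, 0, LENGTH_PREFIX), "big")
    if 8 * (LENGTH_PREFIX + length) > len(carrier):
        raise ValueError("length prefix is inconsistent with carrier size")
    return _read_lsb_bytes(carrier, 8 * LENGTH_PREFIX, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def bytes_changed(a: bytes, b: bytes) -> int:
    """How many carrier bytes the embedding actually altered."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    stego = lsb_embed(CARRIER, SECRET)
    print("size unchanged:", len(stego) == len(CARRIER))
    print("max byte delta:", max_byte_delta(CARRIER, stego))
    print("bytes altered :", bytes_changed(CARRIER, stego), "of", len(CARRIER))
    print("recovered     :", lsb_extract(stego))
```

For the investigator the lesson is that file size, visual appearance and even a hash comparison against a known-good copy are the only handles: a hash of the carrier does change, so comparing suspect files against originals (where available) or against known-good hash sets is the practical first check, and statistical LSB analysis is the next step when no original exists.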
Covert Channel
• A covert channel in a communication protocol allows an attacker to move data over the network while evading intrusion detection. Typically a protocol is chosen and header fields that are neither altered in transit nor examined by most filters (for example the IP identification field, the TCP initial sequence number or the payload of ICMP echo packets) are used to carry messages between attackers.
• Attackers use covert channels to maintain a hidden connection between themselves and the compromised system; such a channel is much harder to spot than an ordinary connection, because the traffic looks like normal protocol activity.

Data hiding in storage space

• Attackers hide data in areas of storage that ordinary system commands and programs do not show: file slack space, unallocated clusters, a hidden partition or host protected area, or (on NTFS) alternate data streams. This makes the investigation more complex and time consuming, and the hidden data is sometimes corrupted as well. A rootkit, which subverts the operating system so that chosen files, directories or processes are never reported, is one of the most popular techniques for keeping hidden data invisible on a live system.

Residual data wiping

• When an attacker uses a computer for his goal, the system creates a trail of artefacts as a side effect (temporary files, command history, log entries, registry and file-system timestamps), often without the attacker's knowledge. An intelligent attacker avoids this risk by wiping those traces and leaving the system looking as if it had never been used for such a purpose.

Trail obfuscation

• Here the attacker plants false information in order to mislead the investigator, e.g. forged e-mail headers, changed file extensions, modified timestamps, or log entries that point at someone else.

Attacking the tools

• The attacker targets the forensic tools themselves, e.g. by transforming the structure of a program while preserving its original functionality so that signature matching and analysis tools fail, or by exploiting weaknesses in the acquisition and analysis software so that it crashes or silently misses data.
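One routine check that catches the "changed file extension" trick above is to compare the type claimed by the file name with the type revealed by its leading bytes (the magic number). The Python below is an added example, not code from the original chapter; the signatures are the published ones for each format, while the file names and header bytes are constructed.

```python
# Standard file signatures ("magic numbers"); these byte values are the
# published signatures for each format, not invented here.
SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    "exe":  [b"MZ"],          # PE/DOS executable
    "elf":  [b"\x7fELF"],     # Linux executable
}

# Extensions that legitimately use another type's container.
ALIASES = {
    "jpeg": "jpg", "dll": "exe", "sys": "exe",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
}


def detect_type(header: bytes):
    """Return the format implied by the leading bytes, or None if unknown."""
    for name, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return name
    return None


def check_file(name: str, header: bytes) -> dict:
    """Compare the type claimed by the extension with the type the bytes show.

    Only a positive identification that disagrees with the extension is
    flagged. An unrecognised header is reported as actual=None rather than
    as a mismatch, because the absence of a known signature proves nothing.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = detect_type(header)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and actual != claimed,
    }


# Constructed sample headers (first bytes of four hypothetical files).
SAMPLES = {
    "holiday.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "invoice.pdf":  b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",   # really a PE executable
    "report.docx":  b"PK\x03\x04\x14\x00\x06\x00\x08\x00",   # docx is a zip container
    "notes.txt":    b"Meeting notes, 12 March\n",           # no signature: unknown
}


def scan(samples=SAMPLES) -> list:
    return [check_file(name, header) for name, header in samples.items()]


def flagged(samples=SAMPLES) -> list:
    """Names of files whose content type contradicts their extension."""
    return sorted(r["name"] for r in scan(samples) if r["mismatch"])


if __name__ == "__main__":
    for r in scan():
        print(f"{r['name']:14} claimed={r['claimed']:5} actual={r['actual']}"
              f"{'  <-- MISMATCH' if r['mismatch'] else ''}")
```

The check only catches the crude rename. Formats without a fixed signature (plain text, many proprietary formats) and deliberately crafted polyglot files need deeper parsing, and the same idea should be applied to the timestamps and log entries the attacker may have altered: trust the structure of the data, not the label the attacker chose for it.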
Resource Challenges
• Depending on the scenario, the volume of data involved in the case may be very large. The investigator then has to go through all the collected data in order to gather evidence, which takes time. Since time is a limiting factor, this is another major challenge in the field of digital forensics.

• When collecting data from the source, the investigator must make sure that none of it is modified or missed during the investigation, and the data must be kept secure.

• Damaged data sources cannot easily be used in investigations, so it is a major problem when an investigator finds a valuable source that is not usable; the acquisition must then at least capture everything that can still be read and record exactly what could not.

Legal Challenges
• Privacy is also important to any organization or victim. In many cases the computer forensics expert may be required to share data or compromise privacy in order to get to the truth.
• It becomes a challenge when the investigator accidentally stumbles across facts related to the crime but is not allowed to use them against the attacker because of privacy rules or because they fall outside the scope of the authorisation under which the data was obtained.
Necessary steps which one should remember in collecting computer forensic evidence.

REPORTING:

Planning the response is important. One should not panic, and nobody should touch any key or button on the computer.

It is important that the crime is reported immediately, because time is of the essence in cyber forensic evidence collection. Unaltered digital evidence may be available only for a few hours: volatile data (memory contents, running processes, open network connections) disappears when the machine is powered off, and in normal use logs are rotated and deleted files are overwritten. Sometimes even 24 hours proves too late to recover untampered digital evidence. In this step the company should be clear about whom it has to report to so that an investigative team is formed, because the investigators may need access to sensitive data.

INVESTIGATION:
Only a skilled computer forensic investigator should undertake the investigation. Otherwise the collection of evidence will almost certainly end in a failed investigation and ultimately a failed prosecution.

They must be treated as experts in any case, and additional counter-measures must be adopted to guard against the destruction of digital evidence; if this is neglected, the data on the computer may be modified. Some computers are even configured with automatic wiping routines that trigger when an unexpected person presses the wrong key on the keyboard.
SECURING MACHINE AND DATA:

Electronic evidence can be damaged or altered by improper handling or examination.

Special precautions should be taken to document, collect, preserve and examine this type of evidence. This ensures that the integrity of the electronic evidence can be demonstrated at a later stage.

When a cyber crime is committed, the room and the computer where it occurred should be treated as a crime scene and sealed off to ensure the evidence is not tampered with. Even the victim's computer should be sealed off.

IMAGING:

Imaging means making a bit-for-bit duplicate of the storage media. This is a crucial stage of digital evidence collection.

The entire drive is duplicated, including unallocated space and slack space, not just the files the operating system shows. The original drives should then be moved to secure storage to prevent tampering, and all analysis is done on the image. Tools such as EnCase, FTK Imager, The Sleuth Kit and dd (or its forensic variants dc3dd and ddrescue) are available to duplicate drives for digital evidence collection.

It is important to use a hardware write blocker between the original drive and the imaging workstation to ensure that no writes are made to the original drive.

It should be ensured that the image is: (i) complete (i.e. contains all the information); and (ii) accurate (i.e. copied correctly). In practice this is shown by computing a cryptographic hash (e.g. SHA-256) of the source drive and of the image and recording that they match; the same hash is re-computed later to prove that the image has not changed since acquisition.

When analysing the image, investigators should keep in mind that even wiped or formatted drives can retain important recoverable data to identify and catalogue. In the best cases all deleted files can be recovered using forensic techniques.
In imaging:

1. Everyday computers or media should not be used. New (sterile) media should be used, and the computer should be taken to a technical lab for imaging. Many law enforcement agencies now have their own labs for imaging and analysis of digital evidence, whose reports are used in legal cases.

2. The imaging software should be forensically sound, so that no changes occur to the source during imaging and the result can be verified.

3. All investigation material should be backed up.

It is therefore necessary that the persons involved in evidence collection relating to cyber crimes are specially trained personnel.
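The imaging procedure above (bit-for-bit copy, original untouched, completeness, accuracy, and a record that the image can later be verified against) as a worked Python example. This is an added example and not code from the original chapter or from any of the tools it names. The "drive" is an in-memory stand-in constructed with one unreadable sector, so the example also shows how a damaged source is handled: the bad block is zero-filled and its offset logged, as dd conv=noerror,sync or ddrescue would do, so that every readable byte stays at its original offset. On a real system the source would be the block device opened read-only behind a hardware write blocker.

```python
import hashlib
import io
import random
from datetime import datetime, timezone

BLOCK = 512  # sector size used for reads; real tools use larger multiples


class FlakySource:
    """Stand-in for a block device opened read-only behind a write blocker.

    Holds the drive contents in memory plus a set of block numbers that raise
    an I/O error when read, to model bad sectors. Constructed for this
    example; on a real system `src` would be open('/dev/sdX', 'rb').
    """

    def __init__(self, data: bytes, bad_blocks, block: int = BLOCK):
        self.data = data
        self.bad = set(bad_blocks)
        self.block = block
        self.pos = 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self, n: int) -> bytes:
        if self.pos // self.block in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def acquire(src, dst, size: int, block: int = BLOCK) -> dict:
    """Copy `size` bytes from src to dst block by block, hashing as we go.

    An unreadable block is replaced by zeros of the same length and its
    offset is logged (the behaviour of dd conv=noerror,sync or ddrescue), so
    every readable byte lands at its original offset and the image stays
    complete. The returned record is what goes into the evidence log.
    """
    digest = hashlib.sha256()
    unreadable = []
    for offset in range(0, size, block):
        want = min(block, size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            unreadable.append(offset)
            chunk = b""
        chunk = chunk[:want].ljust(want, b"\x00")  # pad short or failed reads
        dst.write(chunk)
        digest.update(chunk)
    return {
        "bytes": size,
        "block_size": block,
        "sha256": digest.hexdigest(),
        "unreadable_offsets": unreadable,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(image: bytes, record: dict) -> bool:
    """Re-hash the image and compare with the record taken at acquisition."""
    return (len(image) == record["bytes"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


def demo():
    """Image a constructed 64 KiB 'drive' with one bad sector (block 17)."""
    data = bytes(random.Random(1).randrange(256) for _ in range(64 * 1024))
    src = FlakySource(data, bad_blocks={17})
    dst = io.BytesIO()
    record = acquire(src, dst, len(data))
    return data, dst.getvalue(), record


if __name__ == "__main__":
    original, image, record = demo()
    print("image sha256      :", record["sha256"])
    print("unreadable offsets:", record["unreadable_offsets"])
    print("verification      :", verify(image, record))
```

Two points a practitioner should take from the record: the hash proves that the image has not changed since acquisition, not that it equals the drive, which is why the list of unreadable offsets is recorded alongside it; and the verification is only meaningful if the hash was written down (or signed) at acquisition time and kept with the chain-of-custody documentation rather than alongside the image alone.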

FORENSIC ANALYSIS AND DRAWING A CONCLUSION.

The expert then examines the digital evidence and gives a final report about the act complained of as a crime. This report is a determination of whether the act on the computer was a breach of any penal law or not.

It must be objective and based on indisputable facts, because law enforcers will use it to connect the suspect to the act performed on the computer by a human.
DIGITAL EVIDENCE PRESERVATION BEST PRACTICES

Document the Condition of the Device

Take pictures from all sides of the physical device which holds the digital media to be collected, and document its physical condition and location. Make note of any dents, scratches or other physical blemishes, of what is shown on the screen and of which cables are attached. Avoid plugging any external storage media into the device(s); even a memory card or thumb drive changes the device's state and can cause data to be lost.

Do Not Alter the Power Status

While it may be tempting to turn the device on if it is powered off, or to power it down to save battery life and boot it up again later, it is not advisable to do so. In short, if the device is on, leave it on (powering it down destroys the contents of memory, and booting it again writes to the disk); if it is off, leave it off. Leave battery-powered devices in their current state for as long as you can, and consult your forensic expert team for mains-powered devices such as desktop computers.

Keep the Device Secure and Establish an Internal Chain of Custody

Ensure a proper chain of custody for the hardware and the data, with physical security in a climate-controlled environment; do not store the device in an open-access area where employees and unauthorized personnel can easily get hold of it. Log the important information: where the device is, who has access, when it is moved, and who handed it to whom, with date, time and signatures at each hand-over.
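A chain-of-custody log is only useful if it can be shown not to have been edited after the fact. The Python below is an added example, not the chapter's own procedure: each entry records who held the evidence, where, when and what the evidence image hashed to, and each entry carries the hash of the one before it, so that altering, removing or reordering an earlier entry breaks every later link. The evidence identifier, names, locations and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so key order cannot matter."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log: list, evidence_id: str, action: str, custodian: str,
                 location: str, timestamp: str, evidence_sha256: str) -> dict:
    """Add one hand-over / storage event, chained to the previous entry."""
    body = {
        "seq": len(log),
        "evidence_id": evidence_id,
        "action": action,
        "custodian": custodian,
        "location": location,
        "timestamp": timestamp,
        "evidence_sha256": evidence_sha256,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=entry_hash(body))
    log.append(entry)
    return entry


def verify_log(log: list):
    """Walk the chain. Returns (True, n) or (False, index of the first bad entry).

    Checks that each entry's hash matches its contents, that it links to the
    entry before it, that sequence numbers are gap-free, and that the evidence
    hash never changes between entries (the image must stay bit-identical).
    """
    prev_hash, prev_evidence = GENESIS, None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i
                or body.get("prev_hash") != prev_hash
                or entry_hash(body) != entry.get("hash")
                or (prev_evidence is not None
                    and body.get("evidence_sha256") != prev_evidence)):
            return False, i
        prev_hash, prev_evidence = entry["hash"], body["evidence_sha256"]
    return True, len(log)


# Constructed example: one seized desktop's image moving from scene to lab.
IMAGE_SHA256 = hashlib.sha256(b"constructed stand-in for the disk image").hexdigest()


def build_sample_log() -> list:
    log = []
    append_entry(log, "EX-2024-017", "collected", "A. Sharma (IR team)",
                 "Office 4B, seized desktop", "2024-03-12T09:40:00Z", IMAGE_SHA256)
    append_entry(log, "EX-2024-017", "transferred", "R. Mehta (courier)",
                 "sealed evidence bag #0412", "2024-03-12T11:05:00Z", IMAGE_SHA256)
    append_entry(log, "EX-2024-017", "stored", "Forensic lab custodian",
                 "Lab safe, shelf 2", "2024-03-12T13:30:00Z", IMAGE_SHA256)
    return log


def tampered_copy(log: list, seq: int, **changes) -> list:
    """Deep copy of the log with fields of entry `seq` altered after the fact."""
    copy = json.loads(json.dumps(log))
    copy[seq].update(changes)
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log   :", verify_log(log))
    print("edited entry :", verify_log(tampered_copy(log, 1, custodian="someone else")))
    print("changed image:", verify_log(tampered_copy(log, 2, evidence_sha256="0" * 64)))
```

The chain detects edits to any entry that has a successor. Whoever holds the log can still rewrite the latest entry and recompute its hash, so the current head hash should be anchored outside the log at each hand-over: printed on the signed custody form, countersigned by the receiving party, or logged to a system the custodians cannot write to.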
Get Forensic Experts Involved

While there are steps you can take (and common missteps to avoid), it pays to know when to pass everything off to
trained specialists. From recovering deleted files to providing trial support, the process of preserving and analyzing data
requires the expertise of a forensic investigation specialist.

Do Not Permit IT to Reallocate the Device

Typically, when an employee leaves, IT departments will consider reallocating assets to new users. While this may seem
like a good idea, it can destroy valuable evidence on the device. Whenever a key employee, sales team member, or
anyone with access to confidential intellectual property leaves an organization, steps should be taken to preserve the
computer of the former employee.

This information can be useful in trade secret cases or to defend a wrongful termination lawsuit. Preserving the data can
be accomplished by forensic experts quickly, allowing reallocation of the device, while maintaining the forensic image for
possible investigation down the line.
Need to Apply the Process of Documentation in the Investigation

Documentation is fundamental at all phases of handling and processing a digital forensic investigation.

Documentation is "a means of describing an existing investigation process with graphics, words, or a combination of the two". It can be prepared manually or with a computer, and the medium can be paper or magnetic storage; in either case every record should carry the date, time and identity of the person making it, so that the work can be reproduced and the integrity of the evidence demonstrated later.

Documentation Process
