DIGITAL EVIDENCES IN INVESTIGATION OF CYBER CRIME by - Sahana Ashokumar

DIGITAL EVIDENCES IN INVESTIGATION OF CYBER CRIME

Authored by - Sahana Ashokumar

(B. Com MM, LL. B (Hons)

, LLM in Criminal Law & Criminal Justice Administration)

INTRODUCTION

Digital evidence plays a critical role in the investigation of cybercrime. With the increasing use of technology and the internet in our daily lives, cybercrime has become a significant threat to individuals, organizations, and even governments. Cybercriminals use various tools and techniques to carry out their nefarious activities, and digital evidence can help law enforcement agencies to identify, track, and prosecute them. Digital evidence can take many forms, such as emails, text messages, chat logs, social media posts, photos, videos, documents, and metadata. It can be found on computers, smartphones, tablets, servers, cloud storage, and other digital devices. When properly collected, preserved, and analysed, digital evidence can provide valuable information about the identity, location, motive, and modus operandi of cybercriminals. However, investigating cybercrime using digital evidence presents unique challenges. The volume and complexity of digital data can be overwhelming, and the evidence can be easily manipulated, deleted, or encrypted. Moreover, digital evidence collection and analysis require specialized knowledge, skills, and tools that are not commonly possessed by law enforcement personnel. To address these challenges, digital forensics has emerged as a specialized field that applies scientific methods and techniques to investigate digital crimes. Digital forensics involves the collection, preservation, analysis, and presentation of digital evidence in a manner that is admissible in court. Digital forensics experts use a range of tools and techniques, such as forensic imaging, file carving, data recovery, network analysis, and steganography detection, to extract and interpret digital evidence.

DIGITAL EVIDENCE

Digital evidence refers to valuable information or data that can aid an investigation and is stored on, received by, or transmitted by an electronic device. Examples of digital evidence include text messages, emails, pictures, videos, and internet searches. However, the rapid adoption of new technology often surpasses the development of a shared ethical code governing its use and the legal system's ability to deal with it, as demonstrated by the handling of digital evidence. Digital evidence is now an integral part of cyber investigations, extending beyond computer-related crimes. The regular use of digital devices in daily life generates what is known as “digital exhaust,” which can provide vital clues about the relationships, location, and intended audience of both the accused and the victims. Locating the device used to create the digital evidence, such as a computer or cell phone, can be challenging, and other networked devices like video game consoles and navigation systems may contain critical information. Online user profiles that are not physically linked to a crime scene can also provide essential details about offline activities. Recognizing and preserving digital evidence is just one step in its life cycle. Infrastructure and technical capabilities must be planned, and the IT Act, 2000 and its amendments, based on the model law on electronic commerce from the United Nations Commission on International Trade Law (UNICITRAL), are critical for a successful prosecution. The IT Act, 2000, which was updated to enable the admissibility of digital evidence, was enacted in 2000 and has since been amended.

CYBER FORENSICS

Cyber forensics is the process of using investigative and analytical techniques to collect, identify, examine, and create evidence or information that has been magnetically encoded or stored. Its primary goal is to conduct a methodical investigation while maintaining a chain of documented evidence to determine what happened on a computer and identify the real culprit. Cyber analysts perform this work by recovering electronic evidence in accordance with evidence standards and making it admissible in court using appropriate forensics tools and technological expertise. There are four main tasks that cyber analysts undertake when working with digital evidence: organizing and analysing the information, collecting, observing, and preserving the information, identifying the information, and verifying the information.

ORIGIN OF DIGITAL EVIDENCE

The origin of digital evidence can be traced back to the early days of computing when the first computers were developed. However, the use of digital evidence in criminal investigations is a relatively new concept. The first recorded use of digital evidence in a criminal case was in 1984, in the United States, when police used computer evidence to convict David Smith of embezzlement. Since then, the use of digital evidence has become more prevalent with the increasing use of technology in our daily lives. Today, digital evidence is an essential part of almost every criminal investigation, and its importance is only expected to grow as technology continues to advance. David Smith is a well-known case in the United States that involves digital evidence. David Smith was charged with computer hacking in 1999 and was the first person to be convicted under the 1986 Computer Fraud and Abuse Act (CFAA) in the United States. Smith had distributed a virus called the “Melissa virus” that infected thousands of computers worldwide[1].

ORIGIN OF ELECTRONIC EVIDENCE

The term 'Computer evidence' was first used by the FBI in 1984, and the term 'Computer Forensics' was coined in 1991. In 2000, India passed the Information Technology Act, 2000 to address issues related to Cyber Law. Electronic evidence has its origins in the development and widespread use of digital technologies such as computers, mobile devices, and the internet. As these technologies became more prevalent in everyday life, they also became a tool for criminal activity, leading to the need for their use in criminal investigations. The first documented case involving the use of electronic evidence in a criminal trial was in the United States in 1984. The case, United States v. Frank Riccardi[2], involved the use of electronic accounting records as evidence in a criminal trial. Since then, the use of electronic evidence in criminal investigations and trials has become more common and has evolved alongside advances in technology. Today, the use of electronic evidence has become increasingly important in both criminal and civil cases, and the legal system has developed rules and guidelines for the collection, preservation, and admissibility of this type of evidence in court.

MEANING OF DIGITAL EVIDENCE/ E-

FORM OF EVIDENCE

The definition of electronic form evidence, as per Section 79A of the Information Technology Act, 2000, encompasses any information stored or transmitted in electronic form that holds probative value. This definition includes computer evidence, digital audio, digital video, cell phones, and digital fax machines[3].

The term Evidence encompasses not only the information discovered on a computer but also extends to evidence in digital devices like multimedia or telecommunication devices, emails, digital photographs, ATM transaction logs, e-documents, word-processing histories, instant messages, e-accounting programs, spreadsheets, internet browsers, computer memory, computer printers, computer backups, digital video or audio files, mobile data, virtual games, multimedia, and more[4].

The definition has three key elements:

1. It encompasses all types of digital storage devices.
2. It covers all forms of digital information or data stored within those devices.
3. It limits the scope of relevant data or information that is admissible as evidence.

LEGALITY OF DIGITAL EVIDENCE UNDER INDIAN LAW

In India, digital evidence is admissible in court if it is collected and presented in accordance with the provisions of the Indian Evidence Act, 1872. The act recognizes electronic records as a form of evidence, and such records are admissible in court if they are produced in compliance with the provisions of the Information Technology Act, 2000.

The amended definition of ‘Evidence’ under Section 3(a) of the Indian Evidence Act, 1872 now includes ‘E-record’. Evidence can be categorized into two types: oral or documentary. The updated definition of documentary evidence includes e-records for court inspection. As per the Information Technology Act, 2000, the term e-record has the same meaning as defined in Section 2(1)(t), which refers to any data, record, image, or sound that is generated, stored, received, or transmitted in electronic form or through microfilm or computer-generated microfiche.[5]

Section 65B of the Indian Evidence Act lays down the procedure for proving the authenticity of electronic records. It requires that the electronic record must be accompanied by a certificate issued by a person in charge of the computer or device containing the electronic record, stating that the record was produced by the computer or device during its normal operation and that the information contained in it is accurate. The certificate must be signed by the person in charge of the computer or device, and it must be produced in court along with the electronic record. If the certificate is not produced, the electronic record may be deemed inadmissible as evidence. Therefore, in India, digital evidence is legal and admissible in court if it is collected and presented in compliance with the provisions of the Indian Evidence Act and the Information Technology Act.

NATURE OF DIGITAL EVIDENCE - PRIMARY OR SECONDARY:

The Indian Evidence Act, 1872 provides two ways to prove the contents of a document - through Primary or Secondary Evidence. According to Section 62, “Primary evidence” refers to the document itself being produced for the court's inspection, while Section 63(2) defines “Secondary Evidence” as certified copies made from the original document using mechanical processes that ensure the accuracy of the copy, as well as copies compared with such certified copies.

Digital evidence refers to valuable information and data that is stored, received, or transmitted by or DNA, in that it may not be readily apparent. It is also unique in that it can cross jurisdictional boundaries easily and can be easily altered, damaged, or destroyed. Additionally, digital evidence can be time-sensitive and must be collected promptly. There are various sources of digital electronic devices and can be useful in investigations. This type of evidence can be obtained by analysing electronic devices that have been seized. Digital evidence shares similarities with latent evidence, such as fingerprints evidence, but this discussion will focus on the three main categories of devices where evidence can be found: internet-based devices, standalone computers or devices, and mobile devices. Each category has distinct evidence-gathering processes, tools, and concerns, and the type of crime being investigated often determines which category is most relevant.

In the case of State v. Navjot Sandhu[6], it was held that- The fact that the data in call records is stored in large servers that cannot be readily moved and presented in court is not disputed. Therefore, printouts of such data that are obtained from the computer's servers by a mechanical process and certified by a trustworthy officer of the service providing company can be presented as evidence through a witness who can confirm the certifying officer's signature or provide testimony based on their personal knowledge. Even if Section 65B's conditions are not met, there is no prohibition against presenting secondary evidence under other provisions of the Evidence Act.

LOCATION OF DIGITAL AND ELECTRONIC EVIDENCES

In general, digital evidence is information and data that is valuable in an investigation and is stored on, received, or transmitted by electronic devices. This evidence can be found by analysing seized electronic devices, where the evidence is typically stored on hard drives or discs. The hard drive contains both volatile and non-volatile data, with non-volatile data being saved or preserved in the system's hard drive while volatile data can be lost when the computer is turned off. Digital evidence can be found in various formats such as spreadsheets, images, videos, audio files, documents, emails, calendars, user-protected files, encrypted or password-protected files, log files, backup files, and metadata. However, there are practical problems associated with digital evidence, such as the fact that it is easily altered or changed.

DIGITAL EVIDENCE COLLECTION PROCESS

The process of collecting digital evidence involves several steps. First, the investigator must identify potential sources of evidence, which may include computers, smartphones, tablets, and other electronic devices. Next, the investigator must secure the device to prevent any alteration or deletion of data. This may involve disconnecting the device from any networks, seizing the device, or obtaining a warrant to search the device.

Once the device is secured, the investigator must make a forensic copy of the data on the device. This involves creating a bit-for-bit copy of the entire storage media, including all hidden and deleted files. The forensic copy must be verified to ensure it is an exact replica of the original data. The investigator can then begin the analysis of the digital evidence, using specialized tools and techniques to examine the data. This may include searching for specific keywords, analysing file metadata, and recovering deleted files. Throughout the analysis process, the investigator must document all steps taken and maintain the integrity of the original data. Finally, the investigator must present their findings in a clear and concise manner, which may involve creating reports, diagrams, or other visual aids to assist in explaining the digital evidence to non-technical audiences. The evidence collected must also be admissible in court, which requires following established legal guidelines and procedures for handling digital evidence.

Digital evidence takes two fundamental forms: static and dynamic. In the static form, information is stored in ones and zeros in a physical location either permanently or for a period, and this is best represented by floppy disks, optical disks, hard drives, and other forms of storage devices. A file system is used to organize and keep track of where the data is stored. In the dynamic form, data is in motion, transiting from place to place using copper wire, fibre optics, or radio frequency transmission. A system that uses data communication protocols has evolved to keep track of the transmitted and received data.

Digital forensics involves peeling back the layers of complexity to expose the data and information about how the data was created, stored, and manipulated. This process starts with the acquisition of data, where static data may be seized in its native state, and an image copy may be created in some cases. Dynamic evidence is captured by storing and arranging the packets in sequence and examining both the contents and the metadata associated with the packets. Once the data has been acquired, the examiner designs an examination using forensic software to document the contents of the media, determines if there is probative value contained in either the active or latent information in the examination specimen, and exports the results for investigative analysis and presentation.

The forensic process involves working our way down from the physical media such as the Hard Drive through the Operating System to the File System and finally down to the Data itself. Each layer presents unique challenges to the forensic examiner, and processing the ever-increasing volumes of data while ensuring a complete examination that does not miss important data is a significant challenge.

THE PROCESS ASSOCIATED WITH THE COLLECTION OF DIGITAL EVIDENCE

The primary procedures involved in gathering digital evidence are outlined below:

• Data Collection: This step involves identifying and gathering relevant data for examination.
• Inspection: The collected data is meticulously examined in the second stage.
• Analysis: Various tools and methods are utilized in this phase to analyze the obtained evidence and draw conclusions.
• Reporting: In the final stage, all documentation and reports are compiled for submission in court.

ACQUISITION

The initial step of forensic examination involves gathering evidence in a manner that preserves its legal and scientific significance. When dealing with digital media (static evidence), the data can either be collected in its entirety or selectively. It is commonly accepted that the seizure of the original media or an exact copy of it, known as an “image” or “bit-stream copy,” is preferable as it provides the complete context of the original data and enables the search for hidden or latent data. In the case of dynamic data (network or internet communications), the original packets are obtained from complete or filtered data streams, then re-assembled into the correct order and data streams during the examination stage. When preparing search warrants, investigators must justify the necessity of seizing original digital media. If it is not feasible to seize the original media, qualified individuals should prepare an on-site image. In some circumstances, it may be impractical, inappropriate, or impermissible to seize the entire original media, such as seizing the entire reservations database of a significant airline, shutting down a hospital to confiscate its computer system, or cases involving privileged communications beyond the scope of the warrant. Nevertheless, there are no hard and fast rules. The seizure of evidence entails striking a balance between the interests of the parties and the state.

EXAMINATION

The forensic examination involves a systematic exploration of the original data to establish its content, origin, and features. The process is purely scientific and aims at providing unbiased results that align with the investigative purpose. To commence the examination, the examiner identifies the examination goal and discusses it with the examination customer to ensure mutual understanding. Effective documentation of the items to be examined is crucial and includes the media to be examined, the operating systems in use, the file systems for data storage, and the volume of data. Once documented, the examiner can plan an efficient examination, which should be formally documented to articulate the process used and the rationale for selecting a particular methodology. The examination goals agreed upon with the customer determine the selection of tools and techniques that are most appropriate to satisfy the examination goal. The sequencing of the tools and techniques applied can significantly affect the examination's efficiency and results. Some of the techniques applied include data recovery, data reduction, and content searches. After applying the tools, the examiner reviews the results for accuracy, ensuring that the results meet the desired outcomes for the examination stage and support the achievement of the examination goal. This feedback loop is essential to ensure quality assurance.

ANALYSIS

After examination, the next crucial step in the process of digital evidence is to analyze the results in the context of the case or investigation. This phase is particularly significant as it sheds light on the case by addressing important questions such as

1. Does this information support or refute the facts of the case?
2. Does this information corroborate what is already known?
3. Is it a testimony or merely a lead value?

 While the examiner may assist in the analysis, it is not exclusively a forensic process, but rather an integral part of the investigation. Analysis can be viewed from different angles, and the same information can be analysed from various perspectives. The most common perspective is to analyse the information in the context of the specific case for which it was collected (vertical analysis). However, there is much to gain from comparing the similarities and differences to all other cases of the same type and region (horizontal analysis). Horizontal analysis has both tactical and strategic value as it can identify other actors, organizations, or methods that impact the current case while providing a clearer picture of crime patterns and organizations from a strategic perspective. Neglecting to employ horizontal analysis disregards a significant portion of the value of digital evidence.

PRESENTATION

The output of the examination process typically involves a written report and a set of data attached to it, which can be in paper or electronic form. These represent the presentation phase of the examination. Composing a report is a delicate balancing act, as it needs to be comprehensive, precise, and easily comprehensible by non-technical individuals, while forming the basis of the examiner's testimony.

This requires specialized training and expertise to produce consistently high-quality reports. Testimony includes three essential elements: direct oral testimony, cross-examination testimony, and courtroom exhibits. Since the testimony is based on hidden evidence, expert testimony is frequently required. The Federal Rules of Evidence acknowledge the need for two types of “expert testimony,” with the most common one being opinion testimony, which is associated with scientific evidence.

In this form, the expert's scientific training, education, and qualifications are assessed, and if deemed admissible, the expert can draw a conclusion that is presented to the fact-finder and is subject to cross-examination. The other type of expert testimony is the witness, who, by education, training, and experience, can provide information that will help the fact-finder understand the evidence presented. This type of expert testimony essentially educates the jury so that they can make their conclusions about the evidence.

With digital evidence, the latter form of expert testimony is frequently utilized. In either case, the expert witness must be an impartial, unbiased party who seeks to educate the fact-finder on the facts, the science, and the application of the science to the physical evidence. Like creating clear, accurate, and understandable reports, this is also an art form.

THE FUTURE

The analysis of digital evidence is still in its early stages and needs to become more efficient to keep up with the exponential growth of data storage and transmission. As our reliance on computers and data continues to increase, digital forensics must become more robust. However, capacity is not the only concern. Since this evidence can be as significant as DNA, we must ensure the quality of the science and practice. To monitor and facilitate the science, science working groups have been established. Forensic laboratories conducting this type of examination are now being accredited. But there is still much work to be done in the coming years. Certification of practitioners is likely to be the next step, followed closely by the accreditation of training and educational programs that produce examiners[7].

TYPES OF COLLECTIBLE DATA

To effectively investigate computers and digital devices for potential evidence, computer investigators and experts must have a thorough understanding of the types of evidence they are seeking and how to structure their search pattern accordingly. Computer-related crimes can vary widely, from the illegal trade of endangered species to intellectual property theft or personal data breaches. Therefore, the investigator must select appropriate tools to aid in the analysis of the evidence. Challenges may arise during the investigation, such as deleted or damaged files or encrypted data, requiring the investigator to have knowledge of various tools and methods to prevent further damage and effectively recover the data.

In a computer forensics investigation, there are two main types of data that can be collected: persistent data and volatile data. Persistent data refers to information that is stored on non-volatile memory devices, such as internal or external hard drives, pen drives, CDs, and SSDs. This data is retained even when the computer is powered off. On the other hand, volatile data is stored in temporary memory locations such as cache, registers, and RAM, or it may exist in transit. This type of data is lost once the computer loses power or is turned off. It is important for an investigator to know how to reliably capture volatile data due to its fleeting nature.

EVIDENTIARY VALUE OF E- EVIDENCE AND MODES OF PROOF

The evidentiary value of electronic evidence and modes of proof can be examined and analysed under different heads. One such head is the admissibility of digital evidence and the legislative arrangements made in this regard. Admissions, which can be in oral, documentary, or digital form, can suggest an inference to any facts in issue or relevant fact. Section 22A of the Act prohibits oral admission regarding the contents of E-records when the question in issue is about the genuineness. Statements forming a part of E-records can be given as evidence under Section 39 of the Evidence Act, 1872, but only to the extent that the court considers necessary for the full understanding of the circumstances under which it was made. This means that evidence of a statement forming a part of a longer statement or conversation, or part of an isolated document, can be presented, as well as statements contained in documents that form part of a book or series of letters or papers.

ELECTRONIC/DIGITAL EVIDENCE AND ITS ADMISSIBILITY

The scope of Sec 5 of the Evidence Act, 1872 is limited to stating that evidence can only be given with respect to facts that are in issue or relevant, and not any other facts. The admissibility of facts or things is a matter for the judge's exclusive judicial scrutiny, as per Sec 136 of the Evidence Act, 1872. After the Information Technology Act, 2000 was passed, Sec 65A and 65B were added to the Evidence Act, 1872. Sec 65A specifies that the contents of E-records may be proven in accordance with Sec 65B. According to Sec 65B, despite anything contained in an E-record, such as the contents of a document or recorded copy in optical or magnetic media produced by a computer (referred to as computer output in the Act), it is considered a document and can be admitted as evidence without further proof of the production of the original, subject to the satisfaction of the conditions outlined in Sec 65B (2)-(5).

MANDATORY AUTHENTICATION OF DIGITAL EVIDENCE

Over the years, the treatment of electronic records has undergone a significant shift, moving from being treated like ordinary documents to being subject to a specific procedure for their proof. However, it took nearly a decade for the Indian Supreme Court to clarify that electronic records can only be proved in accordance with the procedure outlined in Section 65B of the Evidence Act. This was established in the case of Anvar P.V vs. P.K Basheer &Ors[8]., where the court overruled the decision in Navjot Sandhu, and reinterpreted the application of Sections 63, 65, and 65B of the Evidence Act. Mr. Anvar had filed an appeal alleging that his opponent had tarnished his image and indulged in character assassination, with defamatory content recorded in songs and on CDs. The Supreme Court held that electronic records, such as CDs, VCDs, chips, etc., must be accompanied by a certificate under Section 65B, failing which, the secondary evidence pertaining to that electronic record is inadmissible. The strict compliance with Section 65B is now mandatory for persons intending to rely upon e-mails, websites, or any electronic record in a civil or criminal trial in India.

The Supreme Court’s approach seeks to ensure that electronic evidence is given proper credibility and evidentiary value, given its susceptibility to tampering and alteration[9]. In the court's opinion, electronic records require strict safeguards; otherwise, a trial based on proof of electronic records can lead to a miscarriage of justice. The progressive and disciplined approach of Indian courts in ensuring compliance with safeguards for digital evidence is a result of their proper recognition and appreciation of the nature of electronic records. This landmark decision not only saves time that would be wasted in trying to prove electronic records through secondary oral evidence but also discourages the admission of fudged and tampered electronic records from being relied upon. However, certain precautions for ensuring the authenticity of electronic records will still be necessary. As a result, the computer-generated electronic record cannot be solely relied upon as corroborative evidence since it could be tampered with.

RELEVANCE OF ELECTRONIC EVIDENCE

The increasing use of electronic communication, e-commerce, and digital storage has necessitated a transformation in the laws relating to information technology and rules of admissibility of electronic evidence in both civil and criminal matters in India. This shift in technology has presented challenges for legal systems worldwide to accommodate and reflect new developments in laws, which in turn has resulted in the emergence and appreciation of digital evidence. To keep pace with these changes, India introduced the Information Technology Act, 2000 (IT Act), which led to corresponding amendments to existing Indian statutes, including the Indian Evidence Act, 1872 (Evidence Act), the Indian Penal Code, 1860 (IPC), and the Banker's Book Evidence Act, 1891. As a result, Indian courts have developed case law on the admissibility of electronic evidence, including its interpretation and filing. While electronic evidence has been admissible in legal proceedings for some time, the safeguards employed for enabling its production have changed significantly as electronic information storage and usage have increased and become more complex.

In the recent case of Anvar P. V. vs. P.K Basheer &Ors[10]., the Supreme Court of India overruled its earlier decision in the case of the State (NCT of Delhi) v Navjot Sandhu[11], which is also known as the ‘Parliament Attacks’ case. The Supreme Court reinterpreted the application of sections 63, 65, and 65B of the Evidence Act to redefine the evidentiary admissibility of electronic records. This decision reflects the need to correctly interpret the provisions of the Evidence Act, as well as the underlying principles of evidence, to understand the implications of digital records being adduced as evidence in Indian courts[12].

RISK OF MANIPULATION AND COMPLIANCE WITH THE PROVISIONS OF SECTION 65B OF THE EVIDENCE ACT

Despite the mandatory nature of certain conditions under the law, it has not been consistently applied, as seen in cases where the certificate of authenticity has not been filed with electronic records in legal proceedings. For instance, in Navjot Sandhu's case, the Supreme Court allowed electronic records such as printouts and CDs to be admitted as prima facie evidence without authentication. The accused argued that the prosecution had failed to produce the relevant certificate and had not followed the procedure set out in the Evidence Act. However, the Supreme Court found that cross-examination of a competent witness familiar with the functioning of the computer during the relevant time and the way the printouts of the call records were taken was sufficient to prove the call records. Consequently, the printouts and CDs were not compared to the original electronic record or certified at the time of adducing it as evidence. Unfortunately, the lower judiciary in India, with few exceptions, do not appreciate the authenticity issues or ensure safeguards while allowing the admission of electronic evidence, and this trend of ignoring the special procedure prescribed for adducing electronic records as evidence was seen even in subsequent cases, such as Ratan Tata v. Union of India[13].

The decisions of the Supreme Court set up a further precedent for the lower judiciary to appreciate the special procedure prescribed for electronic evidence, but they lost sight of the fact that the special procedure was promulgated precisely because printed copies of electronic records would be vulnerable to manipulation and abuse. However, courts in India have not taken up the discussion on this topic by Mason. Unless the credibility of the digital evidence itself was in question, courts have not raised any apprehension regarding the authenticity or required the intervention of forensic teams to determine the veracity of the record, and electronic records filed in court were considered correct without any checks and balances.

In the United States, the position regarding authentication is not consistent, and although a series of tests advocated by Professor Winkelried[14] were followed in some cases, no consideration has been given to criticisms of part of this test. In England and Wales, the approach tends to consider other evidence surrounding the facts of the case to determine authenticity, while in Singapore, the admissibility of digital evidence is provided for under section 3(1) of the Singapore Evidence Act, and the rules of best evidence and authentication apply to electronic evidence in the same manner as any other item of evidence, as provided for by the Evidence (Amendment) Act 2012[15].

CONCLUSIONS DRAWN FROM DUPLICATION AND PRESERVATION OF DIGITAL EVIDENCE

• The laws governing evidence collection and preservation are extensive and intricate.
• Even without an in-house computer forensics expert, local law enforcement should be familiar with fundamental rules of evidence collection and should have contacts within the law enforcement community who specialize in computer forensics.
• A well-documented plan is crucial for a successful evidence collection process, and should be developed with the assistance of legal counsel and law enforcement agencies to ensure compliance with all relevant local, state, and federal laws.
• Once the plan has been drafted and the incident team is assembled, it is essential to conduct practice sessions.
• Setting up a test network in a lab environment and inviting IT staff members to attempt to circumvent security measures can be useful in simulating an actual incident and testing the evidence collection procedures.
• The team should review the results and evaluate whether the evidence collected would be admissible based on the procedures followed and the analysis results. Legal staff and local law enforcement can be included in practice sessions when possible, and outside assistance should be sought if needed.
• It is vital for the company to ensure that the investigation is handled appropriately to collect and preserve evidence that will be admissible in a court of law.

AN AGENDA FOR ACTION IN DUPLICATION AND PRESERVATION OF DIGITAL EVIDENCE

The researcher should provide a detailed description, review, and assessment for ease of use and admissibility for the following provisional list of actions for duplication and preservation of digital evidence. The order is not significant, but these activities should be thoroughly documented:

• Shut down the computer.
• Record the hardware configuration of the system.
• Securely transport the computer system to a safe location.
• Create bit stream backups of all hard disks and floppy disks.
• Verify the integrity of data on all storage devices using mathematical authentication.
• Document the system date and time.
• Compile a list of key search terms.
• Analyse the Windows swap file.
• Assess file slack.
• Analyse unallocated space (erased files).
• Search files, file slack, and unallocated space for key words.
• Record file names, dates, and times.
• Identify file, program, and storage anomalies.
• Evaluate program functionality.
• Document all findings.
• Keep copies of software used.
• Establish a strong relationship with local law enforcement, as they can be an invaluable resource during the evidence collection process.

JUDICIAL INFERENCES ON DIGITAL EVIDENCE THROUGH JUDICIAL PRONOUNCEMENTS:

Recording of evidence in CD’s

In the case of Jagjit Singh versus the State of Haryana[16], the Haryana Legislative Assembly Speaker disqualified a member based on the grounds of defection. During the Supreme Court of India's hearing of the case, the court considered and acknowledged the use of digital evidence in the form of transcripts from electronic media such as Aaj Tak, Zee News, and Haryana News. The court's recognition of the admissibility of digital evidence is indicated in paragraph 25 of the judgment.

Evidentiary Value of Video Conferences:

The case of State of Maharashtra vs. Dr. Praful B Desai[17] revolved around the question of whether witnesses can be examined through E-conferencing. The Supreme Court noted that with the advancement of science and technology, it is now possible to conduct live conversations with individuals who are not physically present. Therefore, witnesses can be examined through E-conferencing if appropriate care and caution is taken.

Search and Seizure:

The case of State of Punjab vs. Amritsar Beverages Ltd[18] clarified that the appropriate action for officers in such cases is to either create copies of the hard disk or obtain a hard copy, which should be signed and sealed officially. A copy of the same should also be provided to the dealer or relevant individual.

Deleted Files on Storage devices:

In the case of Dharambir v. Central Bureau of Investigation[19], the supreme court made a significant observation in the judgment that even if the hard disk is erased and restored to its original state of a blank hard disk, it still contains information that identifies the fact that some text or file in any form was previously recorded on it and then deleted. Using software programs, it is possible to determine the specific time when such changes occurred in the hard disk. Therefore, even a blank hard disk that was previously used for any purpose will contain some information and will be considered an electronic record to some extent.

SMS and its evidentiary value:

The High Court of Bombay, Maharashtra, in the case of Rohit Vedpaul Kaushal v. State of Maharashtra[20], examined the SMS messages sent by the accused to the victim and concluded that such SMS messages fall within the ambit of Section 67 of the IT Act, making them admissible as evidence.

Evidentiary Value of IP Addresses:

In the case of Sanjay Kumar Kedia v. Narcotics Control Bureau & Anr.[21], paragraphs 8 and 9 of the judgment held that Xponse Technologies Ltd and Xponse IT Services Pvt. Ltd were not simply acting as network service providers, but were actually operating an internet pharmacy and engaging in the sale of prescription drugs such as Phentermine and Butalbital. Therefore, Section 79 of the Act cannot provide immunity to an accused who has violated the provisions of the Act in such a situation.

Evidentiary value of emails:

In the case of Nidhi Kakkar v. Munish Kakkar[22], the admissibility of email text as evidence was in question. After examining the provisions of the Evidence Act, 1872 and IT Act, 2000, it was observed that if a person produced text of information generated through a computer or any digital device, it should be permissible as evidence if sufficient proof was tendered in a way brought through the Evidence Act. The printed edition created by the wife, which enclosed the text of what was significant for the case, was held as admissible.

Liability of intermediary for pornography or restricted content:

In the landmark case of Avnish Bajaj v. State[23], the Apex court observed that in the absence of suitable content filters that can detect the words in the inventory or the pornographic material that was being offered for sale or exhibition, the website will have the risk of being imputed to it that such content was in fact obscene. The creation of the internet and the likelihood of widespread use through instantaneous transmission of pornographic material call for a stringent standard to be brought.

CONCLUSION

In conclusion, electronic evidence has become an integral part of legal proceedings in the digital age. Courts all over the world are adapting to the rapid advancements in technology and acknowledging the evidentiary value of electronic evidence. The use of electronic evidence has not only expedited legal proceedings but has also brought about greater accuracy and reliability in the justice system. However, the admissibility and authenticity of electronic evidence remain a matter of concern and requires continuous monitoring and scrutiny. The admissibility of electronic evidence depends on compliance with the provisions of the Evidence Act, 1872, and the IT Act, 2000. The courts have also established liability for intermediaries for the publication or hosting of obscene or restricted content on their platforms. It is imperative for legal practitioners to keep themselves abreast of the latest developments in technology and evidence law to ensure that justice is served effectively and efficiently.

[1] United States v. Smith, 155 F.3d 1051 (9th Cir. 1998).

[2] United States v. Frank Riccardi, 405 F.3d 852 (10th Cir. 2005)

[3] Justice K.N. Basha 2009, Detection of Cyber Crime and Investigation (July 15, 2010), https://www.tnsja.tn.gov.in/article/Cyber%20Crime%20by%20KNBJ.pdf, last accessed on 09.04.2023 at 8.17pm.

[4] Evidentiary Value of Sms, Mms And E-Mail, Karnika Seth - Cyberlawyer & Expert | (Jan. 7, 2010), http://www.karnikaseth.com/evidentiary-value-of-sms-mms-and-e-mail.html, last accessed on 09.04.2023 at 8.00pm.

[5] Sec. 2(1)(t) ‘electronic record’ means data, record or data generated, image or sound stored, received, or sent in an electronic form or micro film or computer-generated micro fiche; IT Act, 2000. http://www.dot.gov.in

[6] AIR 2005 SC3 820.

[7] Cyril H.Wecht, John T.Rago , Forensic Science and Law, Investigate applications in criminal, civil and family justice , p.502, Taylor & Francis Group LLC, 2006.

[8] (2014) 10 SCC 473.

[9] 3rd edition, Stephen Mason, ed, Electronic Evidence, pg.4.26, LexisNexis Butterworths, 2012.

[10] Supra note no 8.

[11] Supra note no 6.

[12] 3rd edition, Manisha T. Karia and Tejas D. Karia, ‘India’in Stephen Mason, ed, Electronic Evidence , Chapter 13, LexisNexis Butterworths, 2012.

[13] Writ Petition (Civil) 398 of 2010.

[14] Edward J. Imwinkelried, Evidentiary Foundations, para 4.03[2], LexisNexis,2005,

[15] 3rd edition, Daniel Seng and Bryan Tan, ‘Singapore (chapter 17) in Stephen Mason, ed, Electronic Evidence, LexisNexis Butterworths, 2012

[16] (2006) 11 SCC 1

[17] AIR 2003 SC 2053

[18] 2006 Ind Law SC 3911

[19] 148(2008) DLT 289

[20] 1996 Cri LJ 74[7]

[21] CRIMINAL APPEAL NO. 1659 OF 2007 (SLP (Crl.) No. 3892 of 2007)

[22] (2011)162PLR113

[23] 116 (2005) DLT 427