Cyber forensics is a very important emerging area of evidence law, but very little is understood by the lawyer community about this. This article was written by Saswati Soumya Sahu, a 4th year student from Symbiosis Law School. Over to Saswati.
The surge of technological advances has seemed to challenge the archaic ways of collecting and generating evidence. The intangible nature of digital evidence coupled with the fragile and vulnerable structure of the internet has posed inherent obstacles in collecting and preserving of digital evidence. The dearth of adequate techno-legal skills coupled with lack of expertise in collecting such evidence has undisputedly led to a rise in the cyber-crimes in the nation.
According to the National Crimes Record Bureau, 4,231 cyber-crimes were registered under the IT Act and cyber-crime-related sections of the Indian Penal Code (IPC) during 2009-11. A total of 1,184 people were arrested under the IT Act for cyber-crimes, while 446 people were arrested under IPC sections. At least 157 cases were registered for hacking under the IT Act in 2011, while 65 people were arrested. Although a very large number of cyber-crimes probably go unreported, this statistics give us some idea about prevalence of cyber-crime in the country. This is making cyber forensics increasingly relevant in today’s India.
In strictest legal parlance, the usage of apt forensic tools and technical knowledge to recover the electronic evidence within the contours of the rules of evidence, for it to be admissible before the court of law can be defined as cyber forensics. The electronic evidence so obtained has to satisfy the criteria of crime attribution to the perpetrator by tracing its digital footprints by preservation, extraction, interpretation, and documentation of digital evidence. It encompasses a gamut of overlapping arena, e.g. database forensic, wireless forensic, network forensic, disk forensic, mobile forensic, media forensic, IP Address tracking, cloud computing, e-mail tracking etc. It seeks to protect the subject computer system, discover all the files on the system, recover the deleted files, reveal the content of hidden and temporary files, access the contents of the protected or encrypted files, analyse the relevant data and provide a testimony on the basis of analysis of the above evidence.
The confluence of two legal paradigms, i.e., the law of evidence and that of information technology has made the legal domain at par with the contemporary challenges of the cyber space.
- Firstly, the traditional law defining the term “Evidence” has been amended to include electronic evidence in Section 3, The Evidence Act, 1872. The other parallel legal recognition appeared in Section 4, The Information Technology (Amendment) Act, 2008, with the provision for acceptance of matter in electronic form to be treated as “written” if the need arises. These show a prima facie acceptability of digital evidence in any trial.
- Further, Section 79A of the IT (Amendment) Act, 2008 has gone aboard to define electronic evidence as any information of probative value that is either stored, or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones and digital fax machines.
- With regards to admissibility of electronic records, Section 65-B of the Evidence Act, 1872 enunciates various conditions for the same.
- Since digital evidence ought to be collected and preserved in certain form, the admissibility of storage devices imbibing the media content from the crime scene is also an important factor to consider. Reading Section 3 and Section 65-B, The Evidence Act, 1872 cumulatively, it can be inferred that certain computer outputs of the original electronic record, are now made admissible as evidence “without proof or production of the original record. Thus, the matter on computer printouts and floppy disks and CDs become admissible as evidence.”
- The other most crucial question in cybercrime investigation regarding the reliability of digital evidence has also been clarified by Section 79A of the IT (Amendment) Act, 2008, which empowers the Central government to appoint any department or agency of Central or State government as Examiner of Electronic Evidence. This agency will play a crucial role in providing expert opinion on electronic form of evidence.
A Brief Overview
Since every law is toothless without an enforcement mechanism, it becomes pertinent to understand the mechanisms as well. In such a scenario, understanding the effect and the nature of the computer-related crime becomes relevant, i.e., whether the computer is used as a means/target for conducting any illegal activity with a dishonest and fraudulent intention under Section 66 of the Information Technology (Amendment) Act, 2008. It is important to understand that, for an act to be investigated as a cyber-crime under Section 66 of the Information Technology (Amendment) Act, 2008, it has to be an act as defined under Section 43 of the Act coupled with dishonest and fraudulent intentions according to Section 24 and 25 of the Indian Penal Code. If the act falls short of the above criteria, then it falls under the jurisdiction of the Adjudicating Officer and becomes an offence only, and will not be investigated as a cybercrime.
The computer-related crimes wherein computer is used as a target could include hacking, denial of service, virus dissemination, website defacement, spoofing and spamming. Whereas, the crimes wherein computer is used as tool for attack could include financial frauds, data modification, identity theft, cyber stalking, data theft, pornography, theft of trade secret and intellectual property and espionage on protected systems. In such scenarios, cyber forensic can be used to image, retrieve and analyse the data stored in any digital device which has the probability to relate the crime to the criminal. Be it an answering machine which stores voice messages, or a server which records the contents downloaded, everything needs to be evaluated with caution so that a chain of custody is maintained and the authenticity of the original message is left unaltered.
At the initial level, the complainant can approach the cyber-crime police stations, or to a police station in its absence. Once the information reveals the commission of a cognisable offence under the IT (Amendment) Act, 2000, the details regarding the nature/modus operandi of the cyber- crime is recorded in the complaint, e.g., , profile name in case of social networking abuse, with the allied documents like, server logs, copy of defaced web page in soft copy and hard copy etc. Subsequent to this, a preliminary review of the entire scene of the offence is done to identify and evaluate the potential evidences. A pre-investigation technical assessment is also conducted to make the Investigating Officer fully aware about the scope of the crime, following which a preservation notice is sent to all the affected parties for preserving the evidence. To ensure the integrity of the evidence, containment steps are taken to block access to the affected machines. For instance, the Investigating Officer could ask the bank to freeze the suspect`s bank account in case of financial frauds. When it comes to collection of evidence, the procedure for gathering evidences from switched-off systems and live systems have to be complied with the search and seizure mandate under Section 165, CrPC and Section 80 of the IT (Amendment) Act, 2008 and should be reflected in the Panchanama. Another indispensable part of the investigation would be to avert the fabrication and tampering of the digital evidence by maintaining the chain of custody of the evidence since the time it is seized, transferred, analysed and presented before the court of law to ensure its integrity. Hashing is one of the most common methods used to ensure the integrity of the digital evidence and the media content. It encompasses “cryptographic hash function algorithm” and is a kind of mathematical method which is “based on an algorithm which creates a digital representation, or compressed form of the message, often referred to as a “message digest” or “finger print” of the message, in the form of a “hash value” or “hash result” of a standard length that is usually much smaller than the message but nevertheless substantially unique to it”. With regards to documentation recording the digital evidence collection, the Investigating Officer needs to record it in Digital Evidence Collection Form. This shall succinctly include the process, the tools used, the hash value acquired from the forensic images of the evidences, and the hashing algorithm used for hashing. Apart from being crucial factors in affecting the evidentiary value of the digital evidence, maintaining the chain of custody and a documentation record of the same is in the nature of a mandate on the Investigating Officer, since its non-observance might expose the IO to criminal liability under Section 72 of the IT (Amendment) Act, 2008.
After collecting and documenting the evidence either by forensic imaging or by storing it in other devices like USBs, hard drives etc., the evidence is packaged, labelled, tagged and is updated in the evidence database. Once the digital evidence is seized, orders of the competent court may be sought to retain the seized properties or send the digital evidence for forensic analysis. In cases where the owners of the property approach the court for the release of the impounding properties, the IO should send a forensic imaged copy of the seized property rather than the original material seized for smoother investigation.
Apart from these procedural compliances, a cyber-crime investigation would be incomplete without analysing other external information. For instance, time zone conversions are used to assess the exact time of the offence especially when targeted at a system beyond the local jurisdiction with a different time zone. Other external data gathered from ISPs, mobile service providers, social networking websites, financial institutions, web-site domain etc. is collated and co-related with the lab findings for reconstructing the case in totality.
Cyber Crime Investigation by CBI
The CBI also can be approached for any serious economic offence, which is not of a general and routine nature. It has Economic Offences Division for the investigation of major financial scams and serious economic frauds, including crimes relating to fake Indian currency notes, bank frauds and cyber-crimes. For the purpose of combating such crimes, CBI has certain specialised structures, namely, Cyber Crimes Research and Development Unit (CCRDU), Cyber Crime Investigation Cell (CCIC), Cyber Forensics Laboratory; and Network Monitoring Centre.
- The CCRDU is mainly entrusted with the task of collecting information on cyber-crime cases reported for further investigation in liaison with the State Police Forces. On a larger parlance, it plays a pivotal role in the collection and dissemination of information on cyber-crimes in consonance with the Ministry of IT, Government of India and other organizations/Institutions and Interpol Headquarters.
- The CCIC has the power to investigate the criminal offences envisaged under the Information Technology (Amendment) Act, 2008 and is also the point of contact for Interpol to report the cyber-crimes in India.
- The third organ, i.e., CFL, is the one which provides consultations and conducts criminal investigation for various law enforcement agencies. It not only provides on-site assistance for computer search and seizure upon request, but also is the one which provides expert testimony in the court of law. It is pertinent to note that, the CFL must also adhere to all the legal formalities during the seizure of the media for making the media analysis admissible. The analysis should be based on the image of the media, rather than the media itself and the chain of custody should be maintained.
- Keeping the possibility of remote access from an isolated location across the globe into consideration, the data storage in another jurisdiction cannot be ruled out all-together. In situations involving the storage location of the data in another country, the Interpol ought to be informed and Section 166, Cr PC needs to be complied.
- Last but not the least, the Network Monitoring Centre is entrusted to monitor the Internet by the usage of various tools.
Recently, CBI has signed a memorandum of understanding (MoU) with Data Security Council of India (DSCI) with a view to seek expert services from the latter in managing the new challenges in cybercrimes and updating officials with the latest technology. This shows a novel collaborative approach between the law enforcement agencies and IT Industry for strengthening the security measures.
The appointment of private investigators is not a preferable practice
Apart from these law enforcement agencies, the question of the validity of the appointment of private forensic investigators by HDFC Bank for inspecting the accusations of money laundering and benami transactions by the RBI has thrown upon numerous questions. It is quite certain that, an assumption of adverse inference could be drawn leading to a dubious conclusion and thereby raising a finger on the integrity of the evidence. Thus, for the purpose of adducing the digital evidence before the court of law, it is wise to seek the assistance of a forensic expert by various law enforcement agencies.
The dearth of best cyber-crime investigation practices can be seen by the recent instances of cyber forensic blunder in Aarushi murder case and its importance can be gauged by the need for e-discovery practices in Bitcoin websites. This gap can only be filled with a sound techno-legal framework in this area. The PIL before the Honourable Supreme Court in the case of Dilipkumar Tulsidas v. Union of India, is pressing for a regulatory framework for the effective investigation of the cyber-crimes, the need for uniformity in cyber security control and enforcement practices. Thus, cyber forensics, being a part of the wider enforcement mechanism needs to encapsulate the best practices to give meaning to every fair trial.
 T. Vikram, “Cyber Crimes- A Study with a Case”, July-September 2002, Indian Police Journal 78.
 Data Security Council of India, Cyber Crime Investigation Manual . Accessible at http://uppolice.up.nic.in/All%20Rules/Cyber%20crime/4-Cyber_Crime_Investigation_Manual.pdf
 Chap 1, “Introduction to the Model Law: Purpose and origin of the Model Law: Purpose” in UNCITRAL Model Law on Electronic Signatures with Guide to Enactment 2001.
 Central Bureau of Investigation, Frequently Asked Questions. Accessible at http://cbi.nic.in/faq.php
The Times of India, CBI signs MoU with Data Security Council of India for managing cybercrime, Mar 6, 2014, 03.54 PM IST. Accessible at http://timesofindia.indiatimes.com/india/CBI-signs-MoU-with-Data-Security-Council-of-India-for-managing-cybercrime/articleshow/31537939.cms
 [W.P.(C).No. 97 of 2013].