iPleaders

How does digital forensics help in identifying, recovering and analysing data from electronic devices

October 11, 2021

This article is written by Harmanjot Kaur and has been edited by Khushi Sharma (Trainee Associate, Blog iPleaders).

Introduction

A survey conducted by Thomson Reuters (2020) reports a data breach affecting 9000 users at Apollo, 3000 people whose data from various clinical labs was accessible to third parties, and 2100 Indians who lost sensitive data from their Aadhaar cards.

Research conducted by Juniper Research, 2019 shows that the global cost of cybercrimes has reached over $2 trillion in 2020.

This is an era of increasing cybercrime. With incidents such as the Bois Locker Room case, issues related to cyber security are constantly among the top headlines of the daily newspapers.

What is its relevance in law

With the judgment in the Puttaswamy case on the conundrum between Article 21 and the right to privacy, data leakage and cybercrime have become burning issues. The penetration of dark webs and online networks and DDoS attacks are some of the key examples of how data breaches have become a spine-chilling area of growing interest. However, since the law related to cyber security is scattered across various areas such as the IT Act, 2000; the Indian Penal Code, 1860; the Copyright Act, 1957; and IPR and Technology Law, establishing the key areas and demarcating the boundaries has become a matter of great concern.

What is a chain of custody

The chain of custody is simply defined as the details collected in the forensic investigation, recorded in a detailed yet easy-to-understand format. This chain consists of three columns, which carry crime-related details. These are related to:

How to tell where bloodstains came from by looking at the evidence

This problem can be solved with a mixture of mathematics, forensics, and trigonometry. One need not be a hardcore rocket scientist or a postgraduate in mathematics for this. It can be done with simple rough calculations. Some instances are as follows:

A bloodstain from 90° angle

If the stain is from a 90° angle, there will be no smudge or any other subsidiary stains. There can be small stains at a projectile distance, which can be measured by drawing a concentric circle after looking at the stain from above. Measuring the length and breadth easily shows whether the stain is from 90° or not. If the length and breadth are approximately the same, there are chances that the stain is from a 90° angle.

A bloodstain from a 60° angle

If the stain is from a 60° angle, there will be a smudge and some other subsidiary stains. There can be small stains near the major stain. These are slanting but oval. They cannot be termed perfectly round in shape.

A bloodstain from 180° angle

If the stain is from a 180° angle, there will be a smudge and some other subsidiary stains. These stains are very slanting to look at. They are not perfectly round or circular. They will have a ‘sausage-like shape’.

What are the devices to carry in a forensics toolkit

Data Cables

The cable to carry to a crime scene is not the typical data cable that one uses at home. There are various types of cables such as SATA, IDE, Micro, and Mini, etc. It is crucial to come fully prepared.

Tape

It is always advisable to carry white tape. It is because at the time of investigations you would have to number every finding. That number can be written on white tape with a marker easily.

Faraday Bags

All the evidence should be properly numbered and sealed. For this task, Faraday bags are very useful.

Storage 

One should keep an SSD, USB, and HDD (Hard Disk Drive) handy at the time of collecting evidence related to computers and mobile phones.

Seizing Material

This includes the machine that records the model of the phone and transfers the data to another place such as a hard disk, etc.

Devices

Devices such as a duplicator, UFED, write blockers and adapters, etc. should be carried.

Dongle

This includes a bootable OS, Kali Linux, and the license, etc.

Camera

It is crucial to record the evidence that is collected: images of the murdered person, images of broken glass and vases, and every smallest detail. These will later act as primary evidence in court.

Marker

One should mark every piece of evidence that is collected. For this one should always carry a permanent marker with him.

Chain of Custody Form

It is the form that contains various details such as the evidence collected, its serial number, credentials, etc. It also contains the names and signatures of the investigation team and answers questions such as: To whom was the evidence handed over? Who was the handling officer? The basic aim is to make a summary of all the evidence and the people involved in the investigation procedure.

Are the toolkits for ‘computer forensics’ and ‘mobile forensics’ same

No, there are different toolkits for computer and mobile forensics.

In the case of computer forensics, the data collecting device has more storage. Furthermore, because computer data is arranged in various drives, it is advisable to transfer these drives to the data collecting device slowly, bit by bit. One should not try to transfer all the data at once, as this can lead to an error message and even cause device problems that need troubleshooting.

In the case of mobile forensics, the data interpreting device is chosen according to the model of the suspect’s phone. Here the data interpreting device is different from the one used in computer forensics.

What to do if the model of the phone is not listed in the device through which you are acquiring data

In case the mobile company launches a new model of a phone, which is done every year, this can be a difficulty. However, this is not a big issue. 

Let’s take a case study here.

Let’s say the suspect’s mobile phone is an Apple iPhone 7. However, the interpreting device lists only the iPhone 5S. This can create a problem for a novice in criminal investigation. However, there is a solution to this problem. We can try a creative way out.

If the interpreting device has the model of iPhone 5S, the investigating officer has to just click that model and copy the data to the storage device where he will keep it. This is the most critical point which confuses most of the investigation officers. This is one of the reasons for the delay in the investigation procedure. 

What is the ‘SSC name list’

After the data is acquired from the crime scene, it has to be numbered and kept in an analysed format. This means that the data should be recorded concretely, without missing any detail. This requires an analytical mind that can analyse the data properly with attention to detail. For this, a list is made of the articles, their quantity, and the details that distinguish them: the serial number, the model, the version, the USB which can be used with it, the company or brand name, and the weight. All these things are to be numbered very carefully. This list, which has the names of all the things acquired at the crime scene, the names of the investigating officers’ subordinates, and an attested copy verifying that the crime scene goods were truthfully discovered and presented, is known as the ‘SSC list’. This list also carries the names of the investigating officers and their signatures.

This is a very meticulous task that needs lots of patience and attention to detail. This is because these pieces of evidence form the ‘backbone of justice’, as they will later be produced in the court of law. They will persuade the court whether the decision should be in favour of the victim or the suspect.

What is the ‘Left-Right Rule’ in criminal forensic investigation

The rule of ‘Left-Right’ says that whenever anyone goes for a crime scene investigation, it is advisable to keep the suspected device on the left and the interpreting device in the centre. This central device acts as the transferrer of the data collected from the crime scene. Finally, the device to which the data is transferred after the criminal investigation should be kept on the right side.

To ease understanding, a mnemonic is used: the device collecting the data acquired from the suspected device goes on the right-hand side. Here, the right-hand side is equated with ‘right’ in the sense of the English word ‘correct’.

Are there some limitations on how much memory a device should carry to a crime scene

A crime scene already involves lots of stress. However, it is a real test for the investigating officers and the team to work efficiently under this stress, as the ‘quest for justice’ rests on the shoulders of these investigation officers.

There are some rules related to this. It is advised that if the suspect’s hard drive is one terabyte, the criminal investigation officer should carry a storage device of at least two terabytes to the investigation scene.

Also, it is advised that a USB of at least 128 GB capacity should be carried to the crime scene.
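
An added example, not part of the original article: the chunk-by-chunk copy and the two-times storage rule described above, in Python, returning the kind of entry a chain of custody form records. The SHA-256 verification, the function names and the sample values are assumptions of this example, and a real acquisition would read the suspect drive through a write blocker.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time instead of loading the source whole


def sha256_file(path):
    """Hash a file chunk by chunk so memory use stays flat for large images."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source, dest_dir, evidence_no, officer, headroom=2):
    """Copy source into dest_dir in chunks and return a custody-form entry."""
    size = os.path.getsize(source)
    free = shutil.disk_usage(dest_dir).free
    # Sizing rule from the text: the destination holds at least 2x the source.
    if free < headroom * size:
        raise RuntimeError(f"need {headroom * size} bytes free, found {free}")
    image = os.path.join(dest_dir, f"{evidence_no}.img")
    before = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as out:  # "x": never overwrite
        while chunk := src.read(CHUNK):
            before.update(chunk)
            out.write(chunk)
    # Assumption (not from the article): verify the copy by comparing SHA-256.
    after = sha256_file(image)
    if after != before.hexdigest():
        raise RuntimeError("image does not match source; acquisition is invalid")
    return {
        "evidence_no": evidence_no,
        "image": image,
        "size_bytes": size,
        "sha256": after,
        "acquired_by": officer,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        suspect = os.path.join(work, "suspect.bin")  # constructed sample data
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample sector\n" * 200_000)
        out_dir = os.path.join(work, "evidence")
        os.mkdir(out_dir)
        print(acquire(suspect, out_dir, "EX-001", "Officer A (placeholder)"))
```

The hash stored in the entry lets anyone who later receives the image re-run `sha256_file` and confirm it is unchanged since acquisition.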

What should be the precautionary measures to take at the time of a forensics investigation

Be patient, don’t panic

This is the number one piece of advice when it comes to forensic science. One should not start shouting or yelling among peers or start using curse words or vulgar language. The situation is tense; however, it is crucial not to lose one's calm. Take some deep breaths and continue with the work patiently.

Do not rush

Hasty climbers have sudden falls. This is also true in this case. If you try to rush things, you may destroy some of the crucial evidence, and that would take you nowhere. This behaviour can even impair justice, because the life of a suspect, whether he will be convicted or not, what his term of imprisonment will be, and what the gravity of the crime is, are all in the hands of the person who is investigating the matter.

Try to preserve the evidence as much as possible

We know that in criminal forensics, even a small fragment of someone’s nail or a single strand of hair can be enough to learn the entire DNA and biometrics of the suspect. This is especially crucial in rape, murder, or dacoity cases. So, it is advisable to be patient, yet not to delay the process unnecessarily.

Prefer wearing hand gloves and masks 

It is crucial to protect every piece of evidence. Even a small piece of evidence can change the entire verdict of the jury. There can be fingerprints, a voice recording sample, a photograph of someone close to the accomplice of the criminal, and many other examples. Due to the destruction, the room can be smeared with bloodstains, with damage here and there. So it is always preferable to wear gloves, masks, and other protective equipment.

It is possible that the person who committed the crime has AIDS. Taking all the precautionary measures beforehand is a better idea. After all, prevention is better than cure.

Seal the evidence as quickly as possible

It is quite probable that the family members of the person who was killed will cry, shout and ask you to give them the dead body. However, the criminal investigation must seal all the rooms and prevent unnecessary people from coming there, as this may destroy the evidence.

Take a torch with you

It is always advisable to be very careful even while walking over small places. A small piece of the broken glass frame or a vase thrown in a certain direction can be understood by applying logical and analytical abilities. This can be very beneficial for the investigation of a crime scene.

Are you good enough for forensic science and criminology

If you have been reading so far, then absolutely, yes. However, if we look at a longer answer then it is crucial to look at the following points for reference:

Being intuitive

This is one of the most important skills when it comes to being a good criminal forensics expert. You should be able to make decent guesses, treating the probable situations as true. You should have the ability to read between the lines and seek a deeper and more probable reason for the cause of a problem. You have to be happy to learn body language, graphology, mathematics, and logic. Having an LLB degree alone is not sufficient to get into it.

Being Bold and Not fearing a change

You should be okay with working with the most hardened criminals. You should not shy away from a bad crime scene with lots of destruction and bloodstains everywhere. You should have integrity at work, as there can be chances that goons will threaten you via cyber threats, pornography, emails, calls, and even texts. You should be assertive with your ethics and goals and work on the entire process without getting affected by threats or calls. You should have the courage of conviction for your actions and take responsibility for whatever you have suspected or presented to the court.

Being comfortable with attention to details

Forensics is all about attention to detail and making educated guesses. You should be okay with just sitting and thinking about the probable cause-and-effect relationships between various areas of the crime scene. You should be able to take a bird’s eye view and at the same time be okay with solving a mysterious puzzle hands-on.

Being okay to work for long hours

There can be chances that you work on the actual project for a long time but do not get enough evidence. At such times you should be okay with delayed gratification and not get tense or frustrated.

Happy to solve puzzles

You have to be comfortable with the grey areas. It is okay for you to stop and persevere till the time you find the answer to the problem you are tackling. This has to come along with the right mindset of perseverance, patience, and integrity at work.

Good at logic and mathematics

Here, I don’t mean to say one has to solve a rocket science equation or problem. However, a basic knowledge of geometry, trigonometry, and arithmetic comes in handy while solving the problem.

Ability to introspect and reflect

You should be able to make an educated guess about where the stone or vase was thrown from, or where the gun was fired from. In which direction would it have gone? What could be the line of the path?

It is okay to be an introvert for this case as you would have to work with a small group of people. At the same time, this can be your greatest strength as you do not show any emotions on your face and do concentrate on the work at hand properly.

Ability to think deeply

You should be happy to see how and why things happen in a certain way. There can be instances where you get scattered pieces of evidence here and there, but you can think them through and join the dots one by one.

Happy to acknowledge new technology

There are many new ways of committing cybercrime. The darknets, spiderwebs, and thousands of other similar technologies are there which are spreading cybercrime like a forest fire. However, there are some positive sides too such as improved GPS, tracking tools, DNA testing, etc. which could aid the forensic investigators to track the culprit easily.

Perseverance

It is the most important of all the qualities. There may be thousands of people in society who would say: look at her career option, she is working with criminals. What is she doing? She should be doing some job related to hospitality, teaching, or cooking. Why is she choosing that path? There can be thousands of threats given to you by various criminals through emails, texts, calls, etc.

But rising above all these things and materialism, you should be true to your ethics and morals and work diligently with complete integrity, selflessness, objectivity, and perseverance. You should be true to your ethics, as it is the evidence that will be proved in the court, and it can entirely shift the verdict if it has been manipulated in any way.

Ability to control emotions

There can be times when the family members of the murdered victim are crying in front of you. However, keeping in mind the importance of forensics and working diligently even in a stressful situation is the cherry on top while working in the forensics department.

In the light of the above discussion, we see that new and better technologies are evolving with every passing day. Cyber forensic science is still in its infancy, and with new technologies and updates, it is still growing into a full-grown plant.

We must build a team that can efficiently deal with these cybercriminals. Ping me at LinkedIn for more information about criminal forensics.

