Digital Evidence and Law
Uploaded by
VENKAT SDigital Evidence and Law
Uploaded by
VENKAT SPost Graduate Diploma
Cyber Law & Cyber Forensics
Digital Evidence and Law
Dissertation
Submitted By
Satish Venkatasubbu
Student Id: CLCF/694/18
Distance Education Department
National Law School of India University
Nagarbhavi, Bangalore – 560 242
(Academic Year: 2018-19)
Acknowledgement
I, Satish Venkatasubbu, a student of National Law School of India
University (NLSIU) pursuing PostGraduate Diploma in Cyber Law and Cyber
Forensics (PGD-CLCF), wish to place on record my thanks for the help
rendered by the Teachers, Staff of Distance Education Department (DED) and
NLSIU Library for information, research and administrative help.
Lastly, I wish to place on record the support and encouragement received
from my friends and family in completing this course.
Digital Evidence and Law Page 2
Declaration
I, Satish Venkatasubbu, a student of NLSIU pursuing PGD-CLCF, Hereby
declare that the submission of this dissertation on – Digital Evidence and Law,
is carried out entirely by me. I have utilized available information on the topic
through books, research papers, case laws and internet. After going through the
material collected and information gathered, I have analyzed them and arrived
at the conclusion by applying my global experience of 20 years in IT industry
and DED contact class lectures.
I further acknowledge the relevant publications, their authors and other
contributions to their own copyright on their published material.
I hereby declare that the work on producing this report is original and entirely
by me and have not taken any assistance direct or indirect, from anyone else. I
confirm that I neither borrowed from other’s work nor have I presented this
partly or fully to any other institution/college/university. I have complied with
all the formalities in this regard.
Date: 24/05/2019
Place: Bangalore
Digital Evidence and Law Page 3
TABLE OF CONTENTS
1. INTRODUCTION ......................................................................................................... 7
2. COLLECTION OF DIGITAL EVIDENCE ................................................................ 11
2.1 Characteristics of Digital Evidence ............................................................................. 17
2.2 Lifecycle of Digital Forensic Investigative process..................................................... 18
2.3 Principles of Handling Digital Evidence ..................................................................... 22
2.4 Divisions of Digital Forensics to handle Digital Evidence:......................................... 22
2.5 Cardinal Rules .............................................................................................................. 23
3. DOCUMENTATION OF DIGITAL EVIDENCE ...................................................... 24
3.1 Chain of Custody while handling Digital Evidence .................................................... 25
3.2 Packaging, Transportation, and Storage of Digital Evidence ...................................... 26
3.3 Electronic and Digital Signatures ................................................................................ 29
4. LEGAL ASPECTS OF DIGITAL EVIDENCE .......................................................... 34
4.1 Cyber Forensic Procedure: ........................................................................................... 34
4.2 Amendments to Indian Evidence Act, 1872 Regarding Digital Evidence: ................. 36
5. IMPORTANT CASE LAWS ....................................................................................... 43
6. CONCLUSION & SUGGESTIONS ........................................................................... 57
7. LIST OF ABBREVATIONS ....................................................................................... 58
8. BIBILOGRAPHY ........................................................................................................ 60
8.1 Books, Articles and other References .......................................................................... 60
Digital Evidence and Law Page 4
Table of Case Laws
No Case Law Reference
01 State of Maharashtra Vs Dr Praful B Desai(AIR 2003 SC 2053)
02 State(NCT of Delhi) Vs Navjot Sandhu (AIR 2005, SC 3820)
03 Amithabh Bagchi Vs Ena Bagchi (AIR 2005 Cal 11)
04 Jagjit Singh Vs State of Haryana
05 Badola Murali Krishna Vs Smt. Bodala Prathima (2007 (2) ALD 72)
06 Dharambir v Central Bureau of Investigation (148 (2008) DLT 289)
07 In Twentieth Century Fox Film Corporation Vs NRI Film Production
Associates (P) Ltd. (AIR 2003 Kant 148)
08 Tukaram S. Dighole Vs Manikrao Shivaji Kokate Civil Appeal No. 2928
of 2008 decided on 05 February, 2010(Supreme Court)
09 Anvar P. K. vs. P.K Basheer & ors
10 Suhas Katti Vs Tamilnadu
11 Shafi Mohammad Vs The State of Himachal Pradesh
12 Paul Ceglia vs. Facebook's Mark Zuckerberg
13 Shreya Singhal Vs Union Of India
14 State (NCT of Delhi) v Navjot Sandhu alias Afsal Guru (2005) 11 SCC 600
15 National Textile Workers’ Union v P.R. Ramakrishnan (1983) 1 SCC 228
16 State v S.J. Choudhary (1996) 4 SCC 567
Digital Evidence and Law Page 5
Table of Statues
No Statue Reference
01 Indian Evidence Act, 1872
02 Information Technology Act, 2000 & its Amendments
Digital Evidence and Law Page 6
1. INTRODUCTION
Digital Evidence is "information of probative value that is stored or transmitted in binary
form and includes" any information that is created or stored in digital form and is relevant to
a case. Evidence is not only limited to that found on computers but may also extend to
include evidence on digital devices such as telecommunication or electronic multimedia
devices. Electronic evidence can also be defined as any probative information stored or
transmitted in digital form that a party to a court case may use at trial. Before accepting
digital evidence, a court will determine if the evidence is relevant, whether it is authentic if it
is hearsay and whether a copy is acceptable or the original is required. In criminal cases, main
purpose of investigation is to collect sufficient and legally admissible evidence to ensure
conviction of offenders.
Digital evidence forms to be an important evidence today heavily relied on in various cases-
of both civil and criminal in nature. Further collection of digital evidence forms to be an
important part of investigation of a cyber-crime. However as this evidence is technical in
nature, it is important to understand the technology that functions behind this and the
technical procedure through which such evidence can be identified, searched for and
collected. Further it is also important to store this evidence in tact till it is presented as well as
appreciated by the court. On the other hand, the legal procedure as insisted by applicable laws
including criminal or civil procedure laws, rules of evidence also needs to be complied with.
Digital evidence can be found like digital photographs, ATM computer Logs, sms or mms, or
messages, emails, text documents, spreadsheets, excel documents, images and graphics,
database files, deleted files, data back-ups, etc in any of the following sources floppy disks,
zip disks, hard drives, CD-ROMs or DVDs, as well as portable electronic devices such as
cellular phones, IOT devices etc..
Person collecting digital evidence needs to know about digital forensics which includes
computer and mobile forensics. Forensics according to dictionaries means “Relating to or
denoting the application of scientific methods and techniques to the investigation of crime”.
According to the Digital Forensic Research Workshop(DFRWS), digital forensics can be
defined as “the use of scientifically derived and proven methods towards the preservation ,
collection validation, identification, analysis, interpretation, documentation and preservation
of digital evidence derived from digital sources for the purpose of facilitating or furthering
Digital Evidence and Law Page 7
the reconstruction of events found to be criminal , or helping to anticipate unauthorized
actions shown to be disruptive to planned operations”. In other words, digital forensics is an
analysis methodology based on a few well defined procedures, which when performed in a
given sequence, along with the application of technical skills, help us uncover the hidden
facts, and thereby investigate a given scenario. Cyber forensics is investigation of various
crimes happening in the cyberspace like fraud and financial crimes, phishing scams, Identity
theft, Cyber extortion, cyber terrorism and cyber warfare, scientifically. Cyber forensics , e-
discovery(electronic evidence discovery), digital forensics, computer forensics are terms
related to each other that could be used interchangeably depending on the audience and the
scenario.
Electronic evidence has lately become the most important evidence. Information Technology
has caused a paradigm shift in the way individuals and organizations communicate, create,
collect, share and store data and information. With the help of mobile phones, people are
daily documenting their lives which results in an expansive collection of records that may
become ‘evidence’ in the forthcoming cases. Electronic documents include photographs,
video, audio, comments, emails, and different other social media records. This has enhanced
the way things proceed in the court and with this, the traditional way of eyewitness testimony
is highly corroborated with this digital/electronic evidence.
The law about digital evidence varies from country to country as no consensus about Cyber
law is there in the world on a global level, so is the situation of the digital evidence law.
Primarily, in India the legislation that introduced the Cyber space technology to law was the
IT Act, 2000 (amend. 2008). The Section 65A and 65B of Indian Evidence Act have defined
the Electronic Evidence and were added to the Indian Evidence Act in the year 2000 with the
advent of the Information and Technology Act.
The Section 65A and 65B have been added to the Indian Evidence Act, 1872 by the
Information Technology Act, 2000. The Government of India enacted its Information
Technology Act 2000 with the objectives stating officially as: “to provide legal recognition
for transactions carried out by means of electronic data interchange and other means of
electronic communication, commonly referred to as ‘electronic commerce’, which involve the
use of alternatives to paper-based methods of communication and storage of information, to
facilitate electronic filing of documents with the Government agencies and further to amend
the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act,
Digital Evidence and Law Page 8
1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or
incidental thereto.” The main aim of the said legislation was to provide legal recognition to
electronic documents, electronic signatures, other offences and contraventions and
dispensation of justice for cyber crimes.
Justice P.N Bhagwati held in the case of National Textile Workers’ Union v P.R.
Ramakrishnan (1983) 1 SCC 228, held that “law cannot stand still and it must change with
the changing social concepts and values. If the law fails to respond to the needs of changing
society, then it will stifle the growth of the society and choke its progress or if the society is
vigorous enough, it will cast away the law which stands in the way of its growth.” Therefore,
the changing circumstances today where virtually every crime has an electronic component
has had a considerable effect in the law of the land and to respond to the current needs the
laws have been amended to cater or facilitate its larger goals i.e. dispensation of justice.
The trend of changing laws relating to evidence can be seen, for example in the case, State v
S.J. Choudhary (1996) 4 SCC 567, It was held that the Evidence Act was an ongoing Act and
the word “handwriting” in Section 45 of that Act was construed to include “typewriting” and
on the same principle, courts have interpreted, over a period of time, various terms and
phrases. For example, “telegraph” to include “telephone”; “banker’s books” to include
“microfilm”; “to take note” to include “use of tape recorder”; “documents” to include
“computer databases”.
Section 65-A provides that the contents of electronic records may be proved in accordance
with the provisions of Section 65-B. Section 65-B provides that notwithstanding anything
contained in the Evidence Act, any information contained in an electronic, is deemed to be a
document and is admissible in evidence without further proof of the original's production,
provided that the conditions set out in Section 65-B are satisfied.
I will be critically investigating on the collection, storage, documentation of Digital
Evidence and associated Laws as part of my dissertation.
I have applied Doctrinaire and Analytical method for this dissertation. Research will be based
on applicable international and regional law, ‘soft law’, such as recommendations and
declarations, legal doctrines, various websites.
The present dissertation attempts to look at the Digital Evidence and associated Laws from all
the angles and aims to present the technical, legal and social perspective, respective
Digital Evidence and Law Page 9
challenges and possible solutions as gathered from various resources and independent
research. The prime source of data for this study has been publications on internet and study
material provided. Care has been taken to highlight every source and credit it appropriately.
Despite that, if any source got missed out, the author apologizes for such a miss in advance as
that is purely unintentional and nothing more than human oversight. In case such a source
gets highlighted, appropriate amendments will be made. Besides the sources on internet, the
Acknowledgement section highlights and credits the individuals and institutions whose
assistance was sought towards the completion of this research in the bibliography section.
Digital Evidence and Law Page 10
2. COLLECTION OF DIGITAL EVIDENCE
Digital or Electronic evidence has lately become the most important evidence. Information
Technology has caused a paradigm shift in the way individuals and organizations
communicate, create, collect, share and store data and information. With the help of mobile
phones, people are daily documenting their lives which results in an expansive collection of
records that may become ‘evidence’ in the forthcoming cases. This has enhanced the way
things proceed in the court and with this, the traditional way of eyewitness testimony is
highly corroborated with this digital/ electronic evidence.
Digital evidence forms to be an important evidence today heavily relied on in Various cases-
of both civil and criminal in nature. Further collection of digital evidence forms to be an
important part of investigation of a cyber-crime. However as this evidence is technical in
nature, it is important to understand the technology that functions behind this and the
technical procedure through which such evidence can be identified, searched for and
collected. Further it is also important to store this evidence intact till it is presented as well as
appreciated by the court. On the other hand, the legal procedure as insisted by applicable laws
including criminal or civil procedure laws, rules of evidence also needs to be complied with.
Digital evidence includes "any information that is created or stored in digital form and is
relevant to a case”. Digital Evidence includes evidences from sms or mms, or messages,
emails, text documents, spreadsheets, excel documents, images and graphics, database files,
deleted files, data back-ups, photographs, video, audio, comments, and different other social
media records. Etc
Digital Evidence may be located in any of the following sources:
1. Electronic Mail: Electronic mail, commonly known as email or e-mail, is a method of
exchanging digital messages from an author to one or more recipients; Modern email
operates across the Internet or other computer networks. Today's email systems are based
on a store-and-forward model. Email servers accept, forward, deliver and store messages.
Neither the users nor their computers are required to be online simultaneously; they need
to connect only briefly, typically to an email server, for as long as it takes to send or
receive messages.
Digital Evidence and Law Page 11
An email message consists of three components, the message envelope, the message
header and the message body. The message header contains control information
including, minimally, an originator's email address and one or more recipient addresses.
Usually descriptive information is also added, such as a subject header field and a
message submission date/time stamp. Main message is contained in the body of email.
2. Digital Photographs: Digital Photographs are taken by Digital Photography. Digital
photography is a form of photography that uses an array of light sensitive sensors to
capture the image focused by the lens, as opposed to an exposure on light sensitive film.
The captured image is then stored as a digital file ready for digital processing (color
correction, sizing, cropping, etc.), viewing or printing. Digital photographs can be
displayed, printed, stored, manipulated, transmitted and archived using digital and
computer techniques.
Digital photography is one of several forms of digital imaging. Digital images are also
created by non-photographic equipment such as computer tomography scanners and radio
telescopes. Digital images can also be made by scanning photographic images. Digital
Photographs are important pieces of evidence.
3. ATM Transaction Logs: ATMs (Automatic Teller Machines) are merely computers in a
large secure enclosure that handle normal banking transactions. The sole purpose is to
provide customer services 24 X7 X365 at many locations dispensing money. These basic
facts make ATMs targets for theft and violent crimes. With the use of CCTV and ATM
interfaces most problems with ATMs can be solved. An ATM interface is an electronic
device that monitors transactions made on an ATM machine and superimposes or overlays
this data on the video picture of the customer making the transaction. The Time and Date
is also recorded to verify when the event occurred. This video overlay along with the
transaction data is recorded on a DVR later review when a question arises.
4. Word Processing Documents: Word Processing Documents are end result of using a
computer to create, edit and print documents. Of all computer applications, word processing
is the most common. To perform word processing, you need a computer special program
called a word processor and a printer. A word processor enables you to create a document,
store it electronically on a disk, display it on a screen, modify it by entering commands and
characters from the keyboard and print it on a printer. They support macros which are
nothing but a software program (simple to complex in size and functions/actions carried
Digital Evidence and Law Page 12
out) defined to carry out a set of actions based on data available in word processing
document, there may be some computations done based on formulas defined or the program
logic with the result values displayed in the same or different word processing document.
Macros are usually written in Visual Basic language.
5. Instant Message Histories: Instant Messaging (IM) is a form of communication over the
Internet that offers an instantaneous transmission of text-based messages from sender to
receiver. In push mode between two or more people using personal computers or other
devices, along with shared clients, instant messaging basically offers real-time direct
written language-based online chat. The user's text is conveyed over a network, such as the
Internet. It may address point-to-point communications as well as multicast
communications from one sender to many receivers. More advanced instant messaging
allows enhanced modes of communication, such as live voice or video calling, video chat
and inclusion of hyperlinks to media.
6. Accounting Programs Files: Accounting software is application software that records and
processes accounting transactions within functional modules such as accounts payable,
accounts receivable, payroll and trial balance. It functions as an accounting information
system. It may be developed in-house by the company or organization using it or may be
purchased from a third party or may be a combination of a third party application software
package with local modifications. Accounting software is typically composed of various
modules, different Sections dealing with particular areas of accounting. Core Modules:
➢ Accounts receivable - where the company enters money received
➢ Accounts payable - where the company enters its bills and pays money it owes
➢ General ledger - the company's books
➢ Billing - where the company produces invoices to clients/customers.
➢ Stock/Inventory - where the company keeps control of its inventory
➢ Purchase Order - where the company orders inventory
➢ Sales Order - where the company records customer orders for the supply of inventory.
➢ Cash Book - where the company records collection and payment
7. Spreadsheets: A spreadsheet is a computer application with tools that increase the user's
productivity in capturing, analyzing and sharing tabular data sets. It displays multiple cells
usually in a two-dimensional matrix or grid consisting of rows and columns (in other words, a
table, hence "tabular"). Each cell contains alphanumeric text, numeric values or formulas. A
formula defines how the content of that cell is to be calculated from the contents of any other
Digital Evidence and Law Page 13
cell (or combination of cells) each time any cell is updated. A pseudo third dimension to the
matrix is sometimes applied as another layer or layers/sheets, of two dimensional data. They
support macros which are nothing but software program (simple to complex in size and
functions/actions carried out) defined to carry out a set of actions based on data available in
spreadsheet, there may be some computations done based on formulas defined or the program
logic with the result values displayed in the same or different spreadsheet. Macros are usually
written in Visual Basic language.
8. Internet Browser Histories: A web browser is a software application for retrieving,
presenting and traversing information resources on the World Wide Web. An information
resource is identified by a Uniform Resource Identifier (URT) and may be a web page,
image, video or other piece of content. Hyperlinks present in resources enable users easily to
navigate their browsers to related resources. A web browser can also be defined as an
application software or program designed to enable users to access, retrieve and view
documents and other resources on the Internet. Although browsers are primarily intended to
access the World Wide Web, they can also be used to access information provided by web
servers in private networks or files in file systems. The major web browsers are Firefox,
Google Chrome, Internet Explorer, Opera and Safari.
9. Databases: A database is an organized collection of data, today typically in digital form. The
data are typically organized to model relevant aspects of reality (for example, the availability
of rooms in hotels), in a way that supports processes requiring this information (for example,
finding a hotel with vacancies). The term database is correctly applied to the data and their
supporting data structures and not to the database management system (DBMS). The
database data collection with DBMS is called a database system.
10. Contents of Computer Memory: In computing, memory refers to the physical devices to
store programs (sequences of instructions) or data (ex: program state information) on a
temporary or permanent basis for use in a computer or other digital electronic device. The
term primary memory is used for the information in physical systems which are fast (i.e.
RAM), as a distinction from secondary memory, which are physical devices for program and
data storage which are slow to access but offer higher memory capacity. Primary memory
stored on secondary memory is called virtual memory." The term "storage" is often (but not
always) used in separate computers of traditional secondary memory such as tape, magnetic
disks and optical discs (CD-ROM and DVD-ROM). The term "memory" is often (but not
always) associated with addressable semiconductor memory, i.e. integrated circuits consisting
Digital Evidence and Law Page 14
of silicon-based transistors, used for example as primary memory but also other purposes in
computers and other digital electronic devices
11. Computer Backups: In information technology, a backup or the process of backing up is
making copies of data which may be used to restore the original after a data loss event. The
verb form is back up in two words; whereas the noun is backup. Backups have two distinct
purposes, the primary purpose is to recover data after its loss, be it by data deletion or
corruption. Data loss is a very common experience of computer users. The secondary purpose
of backups is to recover data from an earlier time, according to a user-defined data retention
policy, typically configured within a backup application for how long copies of data are
required. Though backups popularly represent a simple form of disaster recovery and should
be part of a disaster recovery plan, by themselves, backups should not alone be considered
disaster recovery. Not all backup systems or backup applications are able to reconstitute a
computer system or in turn other complex configurations such as a computer cluster, active
directory servers or a database server data from a backup.
12. Computer Printouts: In information handling, a computer printout or a hard copy is a
permanent reproduction or copy, in the form of a physical object, of any media suitable for
direct use by a person (in particular paper), of displayed or transmitted data. Examples of
hard copy include tele-printer pages, continuous printed tapes facsimile pages, computer
printouts and radio photo prints. Magnetic tapes, diskettes and non printed punched paper
tapes are not hard copies
13. Global Positioning System Tracks: A Global Positioning System (GPS) tracking unit is a
device that uses the Global Positioning System to determine the precise location of a vehicle,
person or other asset to which it is attached and to record the position of the asset at regular
intervals. The recorded location data can be stored within the tracking unit or it may be
transmitted to a central location data base or internet-connected computer, using a cellular
(GPRS or SMS), radio or satellite modem embedded in the unit. This allows the asset's
location to be displayed against a map backdrop either in real time or when analyzing the
track later, using GPS tracking software.
14. Logs from a Building's Electronic Door Locks: An electronic lock is a locking device
which operates by means of electric current. Electric locks are sometimes standalone with an
electronic control assembly mounted directly to the lock. More often electric locks are
connected to an access control system. The advantages of an electric lock connected to an
access control system include: key control, where keys can be added and removed without re-
Digital Evidence and Law Page 15
keying the lock cylinder; fine access control, where time and place are factors; and
transaction logging, where activity is recorded
15. Digital Video or Audio Files: Digital video is a type of digital recording system that works
by using a digital rather than an analog video signal. The terms camera, video camera and
camcorder are used interchangeably. Digital audio is sound reproduction using pulse-code
modulation and digital signals. Digital audio systems include analog-to-digital conversion
(ADC), digital-to-analog conversion (DAC), digital storage, processing and transmission
components. A primary benefit of digital audio is in its convenience of storage, transmission
and retrieval.
16. Windows Operating System: Since more than 90% of computers have various versions of
Microsoft WINDOWS operating systems as per NETMARKETSHARE, lots of digital
evidence can be found is various sections of the Windows operating system. Some of the
major or important sources inside the windows operating system are listed below:
a. File System: All the files containing data is organized and managed by the file system
software, so any file including deleted file can be retrieved(if it’s not overwritten
physically) forensically.
➢ Hiberfil.sys : Hiberfil.sys files are created whenever a windows system is put to
hibernation. So whenever a system hibernates , the operating system writes the
content of the memory to this file Hiberfil.sys. Forensic importance here is that this
file has the complete memory dump which can include artifacts like chat, passwords,
encryption keys, network connections, unsaved documents and email among many
other things.
➢ Pagefile.sys: The swap file or pagefile.sys are the windows paging file, where the
memory that currently does not fit into physical memory gets stored. Readable strings
can be extracted from pagefile.sys, which can be very helpful during investigation.
➢ Windows Registry: Windows Registry is a set of hives that store various information
regarding the windows operating system, which could be very helpful while
performing forensic investigation. Some of the key information that is stored include:
• Operating system configuration
• last shutdown time
• Timezone
• User account details
• Web browsing activity
Digital Evidence and Law Page 16
• Programs executed
• Recently opened file details
• Run commands executed
• Search terms used
• Softwares installed
• Autorun and startup programs/services.
• Removable drives connected
17. Mobile or Smartphone: Mobile phones accomplish plenty of functions ranging from a
normal telephone device to those of a computing device. Now a day most of the transactions
and frauds happen on or using mobile or smart phone devices. Hence can be a very useful
source of digital evidence during investigation of a civil or a criminal case. In Mobile
forensics, data acquisition and analysis could be achieved by three types of extraction:
a. Logical acquisition is a bit by bit copy of logically storage objects(ex: files) that reside on
a logical storage
b. Physical acquisition is a bit by bit copy of the physical storage(ex: Flash semiconductor
memory).
c. File system acquisition can provide information for files that are deleted but not
overwritten.
Mobile phone smart devices comprises of both non-volatile and volatile memory. Some
of the important digital evidence that is extracted include call history, sms, other chat
messengers data, browsing history, media files, including deleted and extracted files
along with type of extraction like manual or logical or physical level extraction with the
details of the mobile forensic tools used. Cellular network service providers often
maintain logs of their customer activities such as calling history, messaging details,
records of their location/CELL ID which could be very useful during investigation and
trial.
2.1 Characteristics of Digital Evidence
Some of the characteristics of Digital Evidence are they:
➢ tends to be more voluminous
➢ more difficult to destroy
➢ easily modified
Digital Evidence and Law Page 17
➢ easily duplicated
➢ potentially more expressive
➢ more readily available
The scientifically derived and proven methods toward the preservation, collection,
validation, identification, analysis, interpretation, documentation and presentation of
digital evidence derived from digital sources, for the purpose of facilitating or
furthering the reconstruction of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned operations is covered under
digital forensics.
2.2 Lifecycle of Digital Forensic Investigative process
There are multiple models proposed that define the various stages a digital forensics
investigation goes through, but all of them cover the following components or processes
in one form or the other
1. Identification: Identification of the relevant Evidences forms the base on which the
investigation would take place. Hence it becomes extremely important for the
investigator to ensure that no evidences relevant for the investigation are left
unidentified. The investigator would be required to identify the possible locations
where relevant data could be residing. It would range from desktop systems, laptops
to servers, smart watches, notebooks to smart phones, storage devices present in the
premises like, CDs, DVDs, a removable media like USB drives, external hard disks
and toy-shaped pen drives which can turnout extremely difficult to identify. The
investigator at the premises should attempt to identify the operating system running
on the identified systems, storage location of data (whether locally stored on the
device hard disk or on data server or on cloud etc.), if any kind on encryption present
on the disks etc. He must be able to assess the scope of the investigation, kind of data
that would be required and the volume of the data that would be collected from the
premise. These details would help the examiner prepare better and choose appropriate
resources and tools for the next step, where the data needs to be collected.
2. Collection: Collection of identified evidences is the next step that the investigator has
to take. Typically there are two processes involved while forensically collecting the
digital evidences, namely, seizure and acquisition. Before we get into the details of
Digital Evidence and Law Page 18
evidence collection, seizure and acquisition, let us understand the concept of
cryptographic hash. A cryptographic hash function is a deterministic procedure that
takes an arbitrary block of data and returns a fixed-size bit string called the hash
value5. A hash value is an alphanumeric value of a predefined length that would
uniquely identify the input or the message provided to the hash function. There are
numerous hashing algorithms available like MD5, SHA-1,SHA-2 are just a few
internationally accepted hashing standards. The hash value generate by each of these
algorithm has a predefined length, i.e. for any given input MD5 always generates a
hash of length 32 alphanumeric characters (128 bits similarly SHA-1 produces a hash
of length 40 characters (160 bits) and SHA-2 produces hash of length 64 characters
(256 bits).
An ideal, secure cryptographic hash function must have following characteristics:
➢ Efficient : Easy to compute the hash value for any given message
➢ Deterministic: The same message always results in the same hash, i.e. if we
provide a certain message/data as input to a hashing algorithm say MD5, we
would always get the same hash value, always, every time
➢ Pre-image resistance: The hash function or hashing algorithm must be a one way
function that is, given a hash value, it must be infeasible to generate the message.
➢ Second pre-image resistance : It must be infeasible to modify a message without
changing the hash
➢ Collision resistance : It must be infeasible to identify two messages, such that for
the given hash function, they both generate the same hash
A hash value plays a crucial role in the entire process of digital forensics. A hash
value is used to validate the media acquired from the scene of crime. This ensures that
the data collected from the premises was not tampered with. During the analysis of
the collected data, the concept of hashing helps the examiner identify duplicate files
from the large collection of data. It is often employed to segregate benign or known
set of files, like files generated by the operating system, thereby reducing the size of
the data set to be analyzed.
The Information Technology Act, 2000, also accepts the use of hash values to
authenticate the electronic evidences and states under Section 3 of IT Act.
Digital Evidence and Law Page 19
In the next step, we explain the process of seizure and acquisition and thereby the
process of evidence collection. Seizure is the process of generating a hash value
corresponding to the data present in the evidence seized. The hash value thus
generated would uniquely represent the data in the collected evidence and this would
ensure that if the data present in the evidence is tampered in any manner, after it was
seized, the hash value of the evidence would differ from the one generated during the
process of seizure and thus the authenticity of the evidence would be void. Anything
and everything the investigator feels is relevant for the case should be seized. Starting
from the sticky-notes on the desk to all possible storage media, including mobile
phone and PDAs, connecting cables for smart phones, Backup tapes, Digital cameras
etc. There's no exhaustive list available, collection should be based on the
investigator's intuition.
Acquisition (also referred as Disk Imaging) is the process of creating a bit-stream disk
image of the evidence seized in the previous step.
Tech Assist, Inc. has defined disk imaging as following:
"Term given to creating physical sector copy of a disk and compressing this image in
the form of a file. This image file can then be stored on dissimilar media for archiving
or later restoration."
In simple words, disk imaging can be defined as to make a secure forensically sound
copy to media that can retain the data for extended period. So in short disk acquisition
is the process of making a bit stream image of the digital evidence being captured. To
ensure that the investigator or the operating system doesn't tamper the data, the
process of disk imaging is always carried out in a trusted write blocked environment.
Write blockers are either hardware devices or software applications that allow
applications to read data from a storage device, seized evidence in this case, and not
blocks the write commands, essentially making the devices read-only. There are
multiple freeware and commercial tools available that have the capability to seize and
acquire the digital evidence like dcfldd, FTK Imager, EnCase Imager and TruBack.
EnCase Forensic Imager is a freeware, comes with software write blocking module
FastBloc.
Digital Evidence and Law Page 20
3. Validation: Once the evidence is collected (the disk image and corresponding hash
value) examination commences, to ensure that the disk image is genuine to be
admissible by the generated. Acquired disk image is authenticated and validated
before the forensic court.
The pre-acquisition hash that was computed would be used to prove the authenticity
and integrity of the evidence, i.e. the hash value of disk image provided for forensic
examination or analysis is compared with the hash value of the evidence that was
generated at the scene of crime to ensure that the data was not tampered between the
scene of crime and the forensic lab, where the examination would occur.
4. Examination: The validated disk image is then subjected to forensic examination
which is the process of methodically examining the acquired disk images for
evidence. Forensic techniques would be applied to extract out the meaningful data
from the image. Because of the sheer volume of data that is usually extracted out of
every storage device, the examination is usually focused on interpreting and analyzing
relevant data so as to identify what caused the incident in question.
5. Presentation: Presenting the findings from the forensic examination in a proper
report is the last phase of forensic examination. The process of examination must be
treated as a fact finding exercise, and while reporting taking due care to document and
present each step or action performed during examination which is on the basis of the
notes taken during the entire forensic process. The format of the report would change
from organization to organization but must include the details of the examiner who
performed the analysis, details of all the storage media including the hash values
generated when the devices were collected software applications and other forensic
tools were used for the examination.
6. Preservation: Digital evidence cannot be treated as a separate phase of forensic
examination. It is essential to ensure that importance is given to preserving the Digital
evidence in a non-tampered manner and due care is taken while handling the
evidences. It must be ensured that the evidence storage devices associated with the
case are in a cool, dry and secure area which is kept away from generators and
magnetic field which may tamper the data present in the disk. Use of Anti-static bags
and Faraday bags can be helpful to preserve devices.
Digital Evidence and Law Page 21
2.3 Principles of Handling Digital Evidence
An investigator, while collecting the evidences from the premise needs to take proper
precautions, ensuring that the collected data doesn't get tampered. Following principles
need to be adhered to, while handling digital evidences:
No action taken by the examiner should change data which may subsequently be relied
upon in court.
In circumstances where a person finds it necessary to access original data, that person
must be competent to do so and be able to give evidence explaining the relevance and
the implications of their actions.
An audit trail or other record of all processes applied to digital evidence should be
created and preserved. An independent third party should be able to examine those
processes and achieve the same result.
The person in charge of the investigation has overall responsibility for ensuring that the
law and these principles are adhered to.
Next main section talks about this in detail.
2.4 Divisions of Digital Forensics to handle Digital Evidence:
Though different articles and books classify digital forensics into many categories or
divisions, but they all can be broadly grouped under below four divisions:
1. Disk Forensics: Involves analysis of disk image of a system. Results in identifying
file system related artifacts including deleted files, processes executed, anti-forensic
activities, Browser history etc
2. Network Forensics: Involves analysis of network packet captures, Net flow,
Perimeter device logs. Results in identifying network artifacts including
downloaded pictures, Infected WebPages visited, VoIP calls, Inbound and
Outbound connections.
3. Memory/Live Forensics: Involves collecting and analyzing the volatile
memory(RAM) of the system. Results in identifying Network Connections, Rogue
processes, Files artifacts, chat, email, web browsing artifacts, Encryption keys
among other artifacts.
Digital Evidence and Law Page 22
4. Device Forensics: Involve acquiring and analyzing logical or physical dump of the
data present on a device where the device’s internal storage cannot be separated out
without damaging it. Devices here include mobile phones, smart phones etc.
Results in identifying File system related artifacts including files present, files
deleted, App related data etc.
2.5 Cardinal Rules
Below are some of the cardinal rules that need to be followed while collecting digital
evidence using digital forensics:
1. Never mishandle the Evidence - The evidence should not to be tampered with or
contaminated, maintaining the evidential value.
2. Never work on the Original Evidence : Digital evidence are highly fragile,
hence ensure that the original evidences are not used and all the analysis is
performed on the disk image created
3. Never trust the suspect's Operating System: Never work on the suspect's OS, a
single keystroke can tamper the digital evidence.
4. Document everything: Maintain a proper trail of evidence.
5. The results should be repeatable: Forensic analysis should not be analyst or
application depended. Any other examiner using any other standard forensic
should be able to retrieve the same results.
Digital Evidence and Law Page 23
3. DOCUMENTATION OF DIGITAL EVIDENCE
Documentation is essential at all stages of handling and processing digital evidence.
Documenting who collected and handled evidence at a given time is required to
maintain the chain of custody. It is not unusual for every individual who handled an
important piece of evidence to be examined on the witness stand.
Continuity of possession, or the chain of custody, must be established whenever
evidence is presented in court as an exhibit. Frequently, all of the individuals involved
in the collection and transportation of evidence may be requested to testify in court.
Thus, to avoid confusion and to retain complete control of the evidence at all times,
the chain of custody should be kept to a minimum.
So, careful note should be made of when the evidence was collected, from where, and
by whom. For example, if digital evidence is copied onto a floppy diskette, the label
should include the current date and time, the initials of the person who made the copy,
how the copy was made, and the information believed to be contained on the diskette.
Additionally, MD5 values of the original files should be noted before copying. If
evidence is poorly documented, an attorney can more easily shed doubt on the
abilities of those involved and convince the court not to accept the evidence.
Documentation showing evidence in its original state is regularly used to demonstrate
that it is authentic and unaltered. For instance, a video of a live chat can be used to
verify that a digital log of the conversation has not been modified - the text in the
digital log should match the text on the screen. Also, the individuals who collected
evidence are often called upon to testify that a specific exhibit is the same piece of
evidence that they originally collected. Since two copies of a digital file are identical,
documentation may be the only thing that a digital investigator can use to tell them
apart. If a digital investigator cannot clearly demonstrate that one item is the original
and the other is a copy, this inability can reflect badly on the digital investigator.
Similarly, in situations where there are several identical computers with identical
components, documenting serial numbers and other details is necessary to specifically
identify each item.
Digital Evidence and Law Page 24
Documenting the original location of evidence can also be useful when trying to
reconstruct a crime. When multiple rooms and computers are involved, assigning
letters to each location and numbers to each source of digital evidence will help keep
track of items. Furthermore, digital investigators may be required to testify years later
or, in the case of death or illness, a digital investigator may be incapable of testifying.
So, documentation should provide everything that someone else will need in several
years time to understand the evidence. Finally, when examining evidence, detailed
notes are required to enable another competent investigator to evaluate or replicate
what was done and interpret the data.
It is prudent to document the same evidence in several ways. If one form of
documentation is lost or unclear, other backup documentation can be invaluable. So,
the computer and surrounding area, including the contents of nearby drawers and
shelves, should be photographed and/or videotaped to document evidence in
situ. Detailed sketches and copious notes should be made that will facilitate an exact
description of the crime scene and evidence as it was found.
3.1 Chain of Custody while handling Digital Evidence
Chain of Custody is the process of maintaining the audit trail of the digital evidence
from the instance it is taken by the investigator or person in charge, till the time the
case is closed or goes to the court. This process helps in assessing the integrity of the
digital evidence. A typical chain of custody form captures information like:
➢ Basic information about the case - Case number, Details of the Suspect and/or
Victim, Officer in-charge, location, Date etc
➢ Description of Evidence - Device Model number, Serial number, Size, Condition,
Any other notes.
➢ Details of transfer/ Chain of Custody Date/Time when the device was released by
whom and was received by whom. Other notes and Location.
The chain of custody report must be able to verify several critical pieces of information:
➢ Identify the item precisely, listing type of evidence, make, model, and serial number
(if relevant), and make a photograph of the item (if possible).
➢ Specify when was the item taken into possession.
➢ Identify where or from whom the item was seized.
Digital Evidence and Law Page 25
➢ Record who acquired the item along with the time and date acquired.
➢ Document who transported the item and how was it transported.
➢ Document how was the item stored during transport.
➢ Regularly record how the item was stored during possession.
➢ Provide a continual log, showing the time and date of each time it was checked out
for examination, the purpose for checking it out, and the time and date it was
checked back in for storage, identifying who had possession of the item during that
time.
While an item is in possession of an individual investigator, that person should
document what steps were taken to preserve the integrity of the evidence while in
possession. Such documentation needs to include a precise identification of the device
in possession (as defined above) and what controls were in place to protect the device
from electrostatic discharge, electromagnetic interference, and other potential sources
of data corruption and other protections. Document what methods were used to
prevent data from being inadvertently written to the device (write-blocker devices,
software write-protection, etc.). Generate before and after hash values to confirm that
the data source did not change while in possession. If it did change, document what
process caused the change, along with how and why the change occurred.
Any deviation from standard documentation procedures in preparing the chain of
custody can, and most likely will, lead to challenges from opposing counsel and can
possibly cause the evidence to be thrown out. No breaks can exist in the timeline,
because this indicates an opportunity for the data to be replaced, corrupted, or
modified.
3.2 Packaging, Transportation, and Storage of Digital Evidence
The computers and electronic devices on which the digital evidence is stored is fragile
and sensitive to extreme temperatures, humidity, physical shock, static electricity, and
magnetic fields.
The first responder should take precautions when documenting, photographing,
packaging, transporting, and storing digital evidence to avoid altering, damaging, or
destroying the data. First responders should take precautions when packaging digital
evidence.
Digital Evidence and Law Page 26
1. Packaging Procedures: All actions related to the identification, collection,
packaging, transportation, and storage of digital evidence should be thoroughly
documented. When packing digital evidence for transportation, the first responder
should:
➢ Ensure that all digital evidence collected is properly documented, labeled,
marked, photographed, video recorded or sketched, and inventoried before it is
packaged. All connections and connected devices should be labeled for easy
reconfiguration of the system later.
➢ Remember that digital evidence may also contain latent, trace, or biological
evidence and take the appropriate steps to preserve it. Digital evidence
imaging should be done before latent, trace, or biological evidence processes
are conducted on the evidence.
➢ Pack all digital evidence in antistatic packaging. Only paper bags and
envelopes, cardboard boxes, and antistatic containers should be used for
packaging digital evidence. Plastic materials should not be used when
collecting digital evidence because plastic can produce or convey static
electricity and allow humidity and condensation to develop, which may
damage or destroy the evidence.
➢ Ensure that all digital evidence is packaged in a manner that will prevent it
from being bent, scratched, or otherwise deformed.
➢ Label all containers used to package and store digital evidence clearly and
properly.
➢ Leave cellular, mobile, or smart phone(s) in the power state (on or off) in
which they were found.
➢ Package mobile or smart phone(s) in signal-blocking material such as faraday
isolation bags, radio frequency-shielding material, or aluminum foil to prevent
data messages from being sent or received by the devices. (First responders
should be aware that if inappropriately packaged, or removed from shielded
packaging, the device may be able to send and receive data messages if in
range of a communication signal.)
➢ Collect all power supplies and adapters for all electronic devices seized.
2. Transportation Procedures:
When transporting digital evidence, the first responder should:
Digital Evidence and Law Page 27
➢ Keep digital evidence away from magnetic fields such as those produced by
radio transmitters, speaker magnets, and magnetic mount emergency lights.
Other potential hazards that the first responder should be aware of include seats
heaters and any device or material that can produce static electricity.
➢ Avoid keeping digital evidence in a vehicle for prolonged periods of time. Heat,
cold, and humidity can damage or destroy digital evidence.
➢ Ensure that computers and electronic devices are packaged and secured during
transportation to prevent damage from shock and vibration.
➢ Document the transportation of the digital evidence and maintain the chain of
custody on all evidence transported.
3. Storage Procedures:
When storing digital evidence, the first responder should:
➢ Ensure that the digital evidence is inventoried in accordance with the agency’s
policies.
➢ Ensure that the digital evidence is stored in a secure, climate-controlled
environment or a location that is not subject to extreme temperature or
humidity.
➢ Ensure that the digital evidence is not exposed to magnetic fields, moisture,
dust, vibration, or any other elements that may damage or destroy it.
Note: Potentially valuable digital evidence including dates, times, and system
configuration settings may be lost due to prolonged storage if the batteries or
power source that preserve this information fails. Where applicable, inform the
evidence custodian and the forensic examiner that electronic devices are battery
powered and require prompt attention to preserve the data stored in them.
If more than one computer is seized as evidence, all computers, cables, and
devices connected to them should be properly labeled to facilitate reassembly if
necessary. In this example, the computer is designated as computer A. All
connections and cables are marked with an "A" and a unique number.
➢ Subsequently seized computers can be labeled in alphabetical order. The
corresponding connections and cables can be labeled with the letter designation
for the computer and a unique number to ensure proper reassembly.
Digital Evidence and Law Page 28
3.3 Electronic and Digital Signatures
The advent of Information and Technology has changed the way data is created,
shared and authenticated. With all the data shared on the cloud, or electronically,
documents filed and verified through e-filing, e-documents are being signed with
electronic form of signatures, known as Digital/Electronic signature.
The traditional signatures are hand written and are uniquely representative of one’s
identity. The use of signature is mandatory in law in certain cases and holds an
important legal position in the document as it signify two things, the identity of the
person and its intent to it. The Signature is one’s identity on a document and is used in
day to day transaction and in case of illiterate persons its fingerprint is considered as
his signature. The handwritten signature is prone to forgery and tampering hence
insufficient for online transaction and contracts. The online transaction requires
unique and strong protection which is served by electronic signature.
The concept of digital signature was introduced through Information Technology Act
2000 in India, which is enhanced with hybrid concept of electronic signature which is
based on UNCITRAL Model Law on Electronic Signatures 2001. The electronic
signature is a technologically neutral concept and includes a digital signature. The
object and purpose of electronic signature are similar to that of traditional signature.
In cyber world electronic signature ensures that the electronic records are authentic
and legitimate as electronic signature are safer and cannot be forged and is convenient
as the sender himself does not have to be present personally at the place to contract to
sign the document. For example a person can sign a contract in India and send it to
any part of the world to complete the transaction.
Section 2 of Information Technology Act 2000 had defines electronic signature as
“Authentication of any electronic record by a subscriber by means of the electronic
technique specified in the second schedule and includes digital signature.”
The definition of electronic signature includes digital signature and other electronic
technique which may be specified in the second schedule of the Act, thus an
electronic signature means authentication of an electronic record by a subscriber by
means of electronic techniques. The adoption of ‘electronic signature’ has made the
Act technological neutral as it recognizes both the digital signature method based on
cryptography technique and electronic signature using other technologies.
Digital Evidence and Law Page 29
Digital Signature was the term defined in the old I.T. Act, 2000. Electronic
Signature is the term defined by the amended act (I.T. Act, 2008). The concept of
Electronic Signature is broader than Digital Signature. Section 3 of the Act delivers
for the verification of Electronic Records by affixing Digital Signature and makes
digital signatures legal in India. It states that electronic records can be authenticated
by digital signatures that use an asymmetric crypto system and hash function for
authentication. Section 5 assigns legal recognition to digital or electronic signatures
laying down that all electronic documents affixed by a digital signature are authentic.
As per the amendment, verification of electronic record by electronic signature or
electronic authentication technique shall be considered reliable.
Below is a brief definition of digital and electronic signature
➢ Digital Signature: A digital signature is a technique to validate the legitimacy of
a digital message or a document. A valid digital signature provides the surety to
the recipient that the message was generated by a known sender, such that the
sender cannot deny having sent the message. Digital signatures are mostly used
for software distribution, financial transactions, and in other cases where there is a
risk of forgery.
Benefits of Digital Signature:
Digital signature provides the following advantages:
• It eliminates the need to print documents for authentication.
• It reduces storage of physical documents.
• It improves management and access to electronic documents.
• It improves security of document transmission.
• It enhances management processes.
A Digital Signature Certificate in India can be obtained from a registered
certificate agent. There are certain documents required to apply for a Digital
Signature Certificate, along with the application form like:
• Self-attested copy of PAN card.
• Self-attested copy of address proof.
• Notarized copy of passport.
Digital Evidence and Law Page 30
• Notarized copy of address proof.
➢ Electronic Signature: An electronic signature or e-signature, indicates either that a
person who demands to have created a message is the one who created it.
A signature can be defined as a schematic script related with a person. A signature on
a document is a sign that the person accepts the purposes recorded in the document. In
many engineering companies digital seals are also required for another layer of
authentication and security. Digital seals and signatures are same as handwritten
signatures and stamped seals. An electronic Signature shall be considered as reliable
if it fulfills following requirement in India as per amended IT Act:
E-signatures must be uniquely linked to the person signing the document. This
condition is often met by issuing a digital-certificate-based digital ID.
At the time of signing, the signer must have total control over the data used to
generate the e-signature. Most online e-signature service providers allow signers to
directly affix their e-signature to the document in order to meet this requirement.
Any alteration to the affixed e-signature or the document to which the signature is
affixed must be detectable. This can be done by encrypting the document with a
tamper-evident seal.
There should be an audit trail that details steps taken during the signing process.
The digital signature certificate must be issued by a Certifying Authority (CA)
recognized by the Controller of Certifying Authorities (CCA) appointed under the IT
Act.
Benefits of Electronic Signature:
Electronic signatures provide following benefits to businesses:
• Verify the identity of their signers
• Associate the necessary identifiers with the signing process
• Safely capture a legal and binding signature
• Easily retain and store completed documents
• All these without the hassle and cost of digital certificates.
In India the IT Act recognizes two types of signatures:
Digital Evidence and Law Page 31
• E-signatures that combine an Aadhaar with an eKYC service: Users with
an Aadhaar ID, the unique identification number issued by the Indian
government to all Indian residents, are free to use an online e-signature service
to securely sign documents online. In this case, the online e-signature service
integrates with an Application Service Provider (ASP) to provide users with a
mobile or web app interface that they can interact with.
The users then use this app interface to apply e-signatures to any online
document by authenticating their identity using an eKYC service such as OTP
(one time passcode) provided by an e-sign service provider. The online e-
signature service works with an accredited service provider to provide
certificates and authentication services that comply with government
guidelines.
• Digital signatures that are generated by an asymmetric crypto-system and
hash function: An ‘asymmetric crypto system’ refers to a secure pair of keys:
a private key and a public key. Both are unique to each user, and can be
leveraged to verify and create an e-signature.
In this scenario, users obtain a digital signature from a reputed Certifying
Authority (CA) in the form of a digital certificate. These certificates typically
include the user’s name, public key, the expiration date of the certificate, and
other necessary information about the user. Operating systems and browsers
typically maintain a list of trusted CA root certificates that are used to verify
digital certificates issued by a CA.
The user might also be issued a USB token containing the digital-certificate-
based ID, along with a personal PIN, to sign a document.
Restrictions on Electronic/Digital Signature Usage:
Certain documents that require a notary process, or documents must be registered
with a Registrar or Sub-Registrar, can only be executed using handwritten signatures
to be legally enforceable. These include:
• Negotiable instruments such as a promissory note or a bill of exchange other
than a cheque.
• Powers of attorney
Digital Evidence and Law Page 32
• Trust deeds
• Wills and any other testamentary disposition
• Real estate contracts such as leases or sales agreements
Digital Evidence and Law Page 33
4. LEGAL ASPECTS OF DIGITAL EVIDENCE
Digital evidence may like any other conventional form of evidence become relevant to a
case if it has direct bearing on a fact in issue in terms of being proved or disproved. Hence it
can be admitted as evidence in the court of law as long as it fulfills all legal requirements.
These legal requirements are prescribed in order to ensure authenticity of such evidence.
Digital evidence is generally regarded as that which can be easily manipulated or altered or
even deleted and hence is the need of ensuring its authenticity as well as reliability.
The foundations for digital evidence are based on established principles of authentication
and admissibility that originated with the use of "paper" evidence and the five foundations
are:
1. Relevance: The evidence must be relevant to the claims asserted, i.e. it must have "any
tendency" to prove or disprove a consequential fact in the litigation.
2. Authenticity: A process for establishing that digital data or a document is what it is
represented to be.
3. Hearsay: An out-of-court statement introduced for the truth of the matter asserted; it
applies if the proponent plans to use the record's contents as substantive evidence. The
evidence must not be hearsay, or it must be admissible under a hearsay exception.
4. Best Evidence: This standard applies if the document's terms are at issue; there are no
"originals" of digital evidence.
5. Probative Value Must Outweigh Any Prejudicial Effect: A court may exclude relevant
evidence if its probative value is substantially outweighed by the danger of unfair
prejudice, or by considerations of undue delay, waste of time, or needless presentation of
cumulative evidence.
Considering the nature of digital evidence it is important to always establish the
authenticity and integrity of digital evidence which can be established by following few
procedures such as the below:
4.1 Cyber Forensic Procedure:
Cyber forensic procedure needs to be adopted while collecting and analyzing digital
evidence. Such forensic method must be transparent and freely testable by a third
Digital Evidence and Law Page 34
party expert, if required. Listed below are the standard sets of cyber forensic
procedure adopted while collecting and analyzing digital evidence:
1. DOCUMENTATION: Proper documentation of digital evidence collected is very
crucial to prove its authenticity and reliability. Legally also its important to
comply with requirements of Section 100 and Section 165 of Criminal Procedure
Code whenever search and seizure of evidence is done in the course of
investigation of a crime. Such procedure also includes preparation of the list of
articles seized and the signature of a minimum of 2 witnesses on such seizure
memo. Additionally it is also important to annex such document with the chain of
custody.
2. CHAIN OF CUSTODY: An investigating officer of a digital forensic examiner
must document the details of what digital evidence was searched for and seized,
when, by whom and also transferred to whom in detail. Each person's hands it
passes through must be documented in detail.
This should also include details of procedure of collection, examination, analysis
and reporting of digital evidence, the name, designation of officers handling such
digital evidence, the reason for such possession or transport or handling, date of
transfer, etc. It should also include identification description of such device
number, model details, etc. Exhibits that contain statements like the email copy,
database, e-record, etc., must also be documented and it should show accuracy of
contents as well as the procedure adopted in collecting such material. [In such
cases, it is preferable to also have such document's originator later available for
cross examination during trial.]
The Information Technology Act, 2000 and its amendment is based on the United
Nations Commission on International Trade Law (UNCITRAL) model Law on
Electronic Commerce.
The Model law on Electronic Commerce adopted by the UN Commission on
International Trade Law adopted vide General Assembly's resolution provides a
model law which aims to facilitating e-commerce. According to Article 9 of the
model law:
Digital Evidence and Law Page 35
"(1) In any legal proceedings, nothing in the application of the rules of evidence
shall apply so as to deny the admissibility of a data message in evidence:
(a) on the sole ground that it is a data message; or,
(b) if it is the best evidence that the person adducing it could
reasonably be expected to obtain, on the grounds that it is not in its
original form.
(2) Information in the form of a data message shall be given due evidential
weight. In assessing the evidential weight of a data message regard shall be
had to the reliability of the manner in which the data message was generated,
stored or communicated, to the reliability of the manner in which the integrity
of the information was maintained, to the manner in which its originator was
identified, and to any other relevant factor.”
4.2 Amendments to Indian Evidence Act, 1872 Regarding Digital
Evidence:
The Information Technology Act 2000 in its statement of object and reasons states "It
is proposed to make consequential amendments in the IPC and the Indian Evidence
Act,1872 [IEA] to provide necessary changes in the various provisions which deal
with offences relating to documents and paper based documents." Thus documentary
evidence today also includes electronic documents produced as evidence.
For the purpose of legally assigning evidentiary value to a digital evidence we can
classify digital evidence into 2 types, namely
• primary [digital] evidence
• secondary [digital] evidence
A secondary electronic evidence receives secondary evidentiary values as per section
65B of IEA. According to Section 65A of the IEA “The contents of electronic records
may be proved in accordance with the provisions of section 65B."
Section 65B prescribes conditions to provide "admissibility of electronic records",
according to which:
(1) Notwithstanding anything contained in this Act, any information contained
in an electronic record which is printed on a paper, stored, recorded or
Digital Evidence and Law Page 36
copied in optical or magnetic media produced by a computer (hereinafter
referred to as the computer output) shall be deemed to be also a document, if
the conditions mentioned in this section are satisfied in relation to the
information and computer in question and shall be admissible in any
proceedings, without further proof or production of the original, as evidence
of any contents of the original or of any fact stated therein of which direct
evidence would be admissible.
(2) The conditions referred to in sub-section (1) in respect of a computer
output shall be the following, namely:-
(a) the computer output containing the information was produced by
the computer during the period over which the computer was used
regularly to store or process information for the purposes of any
activities regularly carried on over that period by the person having
lawful control over the use of the computer;
(b) during the said period, information of the kind contained in the
electronic record or of the kind from which the information so
contained is derived was regularly fed to the computer in the ordinary
course of the said activities;
(c) throughout the material part of the said period, the computer was
operating properly or if not, then in respect of any period it was not
operating properly or was out of operation for that part of the period,
was not such as to affect the electronic record or the accuracy of the
contents; and
(d) the information contained in the electronic record reproduces or is
derived from such information fed into the computer in the ordinary
course of the said activities.
(3) Where over any period, the function of storing or processing information
for the purposes of any activities regularly carried on over that period as
mentioned in clause (a) of sub section (2) was regularly performed by
computers, whether -
(a) by a combination of computers operating over that period; or
Digital Evidence and Law Page 37
(b) by different computers operating in succession over that period; or
(c) by different combinations of computers operating in succession
over that period; or
(d) in any other manner involving the successive operation over that
period, in whatever order, of one or more computers and one or more
combinations of computers, all the computers used for that purpose
during that period shall be treated for the purposes of this section as
constituting a single computer, and references in this section to a
computer shall be construed accordingly.
(4) In any proceedings where it is desired to give a statement in evidence by
virtue of this section, a certificate doing any of the following things, that is to
say,-
(a) identify the electronic record containing the statement and
describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of
that electronic record as may be appropriate for the purpose of
showing that the electronic record was produced by a computer;
(c) dealing with any of the matters to which the conditions mentioned
in sub-section (2) relate, and purporting to be signed by a person
occupying a responsible official position in relation to the operation of
the relevant device or the management of the relevant activities
(whichever is appropriate) shall be evidence of any matter stated in the
certificate; and for the purpose of this sub-section it shall be sufficient
for a matter to be stated to the best of the knowledge and belief of the
person stating it.
(5) For the purposes of this section, -
(a) information shall be taken to be supplied to a computer if it is
supplied thereto in any appropriate form and whether it is so supplied
directly or (with or without human intervention) by means of any
appropriate equipment;
Digital Evidence and Law Page 38
(b) whether in the course of activities carried on by any official
information is supplied with a view to its being stored or processed for
the purposes of those activities by a computer operated otherwise than
in the course of those activities, that information, if duly supplied to it
in the course of those activities;
(c) a computer output shall be taken to have been produced by a
computer whether it was produced by it directly or (with or without
human intervention) by means of any appropriate equipment.
Statutory Explanation: For the purposes of this section any reference
to information being derived from other information shall be a
reference to its being derived there from by calculation, comparison or
any other process."
Clarifications on Section 65B:
A computer output includes an electronic record which is printed on a paper or stored,
recorded or copied in optical or magnetic media produced by a computer.
A computer output will be deemed to be a document and secondary evidentiary value
may be assigned to it if the conditions prescribed under the section are complied with.
The conditions are as follows:
a. The computer output was produced by a computer which was used regularly to
store or process such information for the purposes of any activities regularly
carried on over that period.
b. That the computer output was taken by a person having lawful control over the
use of the computer.
c. During the said period, the information of the kind was regularly fed into such
computer in the ordinary course of business
d. Throughout such period the computer was operating properly - or - if not then
such non-working [or not operating properly] was not of such a nature that it
affected the electronic record or the accuracy of contents of such electronic
record.
e. In case of use of multiple computers like in a network situation or when
multiple computers are used to store or process information or to perform any
Digital Evidence and Law Page 39
other activity by using a combination of computers operating over that period
or by different computers operating in succession over that period or by
different combinations of computers operating in succession over that period
or in any other manner involving the successive operation over that period
Then all such computers shall be deemed to be a ‘single computer’ for the purpose
of this provision.
Manner of presenting such evidence according to Section (4) a certificate
popularly known as “65B Certificate” must be prepared and submitted along with
the computer output to the court. Such certificate is supposed to be the proof of
compliance to the conditions prescribed by the provision. The certificate must
state or explain the following
Identification of the electronic record along with a statement with details of the
manner in which such output is produced [for example if it's through printout
mode or through a soft copy in a USB etc.].
Details of the device used to take the output so as to show the manner of taking of
such output and compliance of earlier stated conditions in the provision.
The term 'electronic records' has been given the same meaning as that assigned to
it under the IT Act. IT Act provides for "data, record or data generated, image or
sound stored, received or sent in an electronic form or microfilm or computer-
generated microfiche.”
The definition of 'admission' (Section 17 of the Evidence Act) has been changed
to include a statement in oral, documentary or electronic form which suggests an
inference to any fact at issue or of relevance
New Section 22A has been inserted into Evidence Act to provide for the relevancy
of oral evidence regarding the contents of electronic records. It provides that oral
admissions regarding the contents of electronic records are not relevant unless the
genuineness of the electronic records produced is in question.
Section 27 of Indian Evidence Act provides that how much of information
received from accused may be proved. When any fact is discovered in
consequence of information received from a person accused of any offence, in the
Digital Evidence and Law Page 40
custody of a police officer, so much of such information, as relates distinctly to
the fact thereby discovered, may be proved.
When oral admissions as to the contents of electronic records are relevant is
provided in Section 22A of India Evidence Act Oral admissions as to the contents
of electronic records are not relevant, unless the genuineness of the electronic
record produced is in question.
The Evidence Act in Section 59 provides for proof of facts by oral evidence by me
of such information, as relates distinctly to the fact thereby discovered, may be
proved by oral evidence.
Section 39 of Evidence Act has been amended to provide for how much evidence
to be given when statement forms part of electronic record:
When any statement of which evidence is given forms a part of an
electronic record then evidence shall be given of so much and no more of
the electronic record, as the Court considers necessary in that particular
case to the full understanding of the nature and effect of the statement and
of the circumstances under which it was made.
Section 47A of Evidence Act prescribes as to when opinion as to digital signature
is relevant. When the court has to form an opinion as to the digital signature of
any person, the opinion of the Certifying Authority which has issued the Digital
Signature Certificate is a relevant fact.
Section 67 A of Evidence Act provides what is proof as to digital signature.
Except in the case of a secure digital signature, if the digital signature of any
subscriber is alleged to have been affixed to an electronic record, the fact that such
digital signature is the digital signature of the subscriber must be proved.
Section 73A of Evidence Act states what proof is required for verification of
digital signature. In order to ascertain whether a digital signature is that of the
person by whom it purports to have been affixed, the court may direct -
1. That person or the controller or the Certifying Authority to produce the
Digital Signature Certificate;
Digital Evidence and Law Page 41
2. Any other person to apply the public key listed in the Digital Signature
Certificate and verify the digital signature purported to have been affixed
by that person.
Section 85A of Evidence Act raises the presumption as to electronic agreements.
The court shall presume that every electronic record purporting to be an
agreement containing the digital signatures of the parties was so concluded by
affixing the digital signature of the parties
Presumptions as to electronic records and digital signatures are found in Section
85B (1) & (2) of Evidence Act. Section 85B (1) states that the Court shall presume
that the section electronic record has not been altered since the specific point of
time to which the secure status relates. Section 85 (2) provides that in proceedings
involving secure digital signature, the Court shall presume that the secure digital
signature is affixed by subscriber with the intention of signing or approving the
electronic record
Section 88 A of Evidence Act deals with presumption as to electronic messages. It
provides that the Court may presume that an electronic message forwarded by the
originator through an electronic mail server to the addressee to whom the message
purports to be addressed corresponds with the message as fed into his computer
for transmission; but the Court shall not make any presumption as to the person by
whom such message was sent.
There is a presumption as to electronic records five years old. As per Section 90A
of Evidence Act, where any electronic record, purporting or proved to be five
years old, is produced from any custody which the Court in the particular case
considers proper, the Court may presume that the digital signature which purports
to be the digital signature of any particular person was so affixed by him or any
person authorized by him in this behalf.
Digital Evidence and Law Page 42
5. IMPORTANT CASE LAWS
I have listed below some of the important case laws where the respective court analyzed or
defined or elaborated on an aspect of digital evidence during case trial, I have also tried to
include some relevant international cases also below
1. State of Maharashtra Vs Dr Praful B Desai(AIR 2003 SC 2053):
Case Overview: It is a case of the prosecution that the complainant's wife suffered terrible
physical torture and mental agony due to medical negligence by the respondent. These
Appeals are against a Judgment of the Bombay High Court dated 23rd/24th April 2001.
The question for consideration is whether in a criminal trial, evidence can be recorded by
video conferencing. The High Court has held, on an interpretation of Section
273, Criminal Procedure Code, that it cannot be done.
Salient outcome of the judgment: The Supreme Court observed that video conferencing
is an advancement of science and technology which permits seeing, hearing and talking
with someone who is not physically present with the same facility and ease as if they were
physically present. The legal requirement for the presence of the witness does not mean
actual physical presence and the court allowed the examination of a witness through video
conferencing and concluded that there is no reason why the examination of a witness by
video conferencing should not be an essential part of electronic evidence. Supreme court
also clarified that CRPC - section 273 - recording of evidence by video conferencing -
code provides that evidence be recorded in the presence of accused and in cases where
accused is dispensed off from his personal attendance, evidence would be recorded in
presence of his pleader - presence of pleader is deemed to be the presence of the accused -
evidence includes oral, documentary as well as electronic records which would include
video conferencing - recording of evidence of one of the witness can be done through
video conferencing.
2. State(NCT of Delhi) Vs Navjot Sandhu (AIR 2005, SC 3820):
Case Overview: This case relates to appeal against the conviction following the attack on
the parliament house on December 13 2001. This case dealt with the proof and
admissibility of mobile telephone call records. While considering the appeal against the
accused for attacking Parliament, a submission was made on behalf of the accused that no
Digital Evidence and Law Page 43
reliance could be placed on the mobile telephone call records, because the prosecution had
failed to produce the relevant certificate under Section 65B(4) of the Evidence Act. Also It
is the contention of the learned counsel that in the absence of a certificate issued under
sub-Section (2) of Section 65B of the Evidence Act with the particulars enumerated in
clauses (a) to (e), the information contained in the electronic record cannot be adduced in
evidence and in any case in the absence of examination of a competent witness acquainted
with the functioning of the computers during the relevant time and the manner in which
the printouts were taken, even secondary evidence under Section 63 is not admissible.
Salient outcome of the judgment: The Supreme Court concluded that a cross-
examination of the competent witness acquainted with the functioning of the computer
during the relevant time and the manner in which the printouts of the call records were
taken was sufficient to prove the call records. But ‘oral evidence’ about the contents of an
‘electronic document’ had been accepted without see.65B 12 certificate. This decision to
accept the ‘electronic documents’ even though it was not certified under Sec.65B has now
been over-ruled in Anvar P.V. Vs. P.K. Basheer and others, AIR 2015 SC 180, where it
was held that see.65B certificate would be mandatory when the contents of an ‘electronic
document’ are to be admitted in a court of law. However, it may be relevant to note that, if
genuineness of see.65B certified evidence statement is questioned, then it may be
appropriate and necessary for examine oral evidence relevant to the objection.
3. Amithabh Bagchi Vs Ena Bagchi (AIR 2005 Cal 11):
Case Overview: In case of Amitabh Bagchi Vs Ena Bagchi, wife was in India and
husband remained in USA, When there was an issue of maintenance between the parties,
the husband made application before the Court for examining him through
video conferencing.
Salient outcome of the judgment: The High Court of Calcutta in the judgment Amitabh
Bagchi vs Ena Bagchi: AIR 2005 Cal 11 analyzed sections 65A and 65B of Evidence Act,
1872. The court held that the physical presence of person in Court may not be required for
purpose of adducing evidence and the same can be done through medium like video
conferencing. Sections 65A and 65B provide provisions for evidences relating to
electronic records and admissibility of electronic records, and that definition of electronic
records includes video conferencing. The court also provided a list of 14 safeguards to be
employed for conducting video conferencing, which are:
Digital Evidence and Law Page 44
a. Before action of the witness under Audio-Video Link starts the witness will have to
file an affidavit or an undertaking duly verified before a Judge or a Magistrate or a
Notary that the person who is shown as the witness is the same person as who is
going to depose on the screen with a copy of such identification affidavit to the other
side.
b. The person who wishes to examine the witness on the screen will also file an
affidavit or an undertaking in the similar manner before examining the witness with a
copy of the other side with regard to identification beforehand.
c. As soon as identification part is complete, oath will be administered through the
media as per the Oaths Act, 1969 of India.
d. The witness will be examined during working hours of Indian Courts. Plea of any
inconvenience on account of time difference between India and other country will
not be allowed.
e. The witness action, as far as practicable, is proceeded without any interruption
without granting unnecessary adjournments. However, discretion of the Court or the
Commissioner will be respected.
f. Witness includes parties to the proceedings.
g. In case of non-party witness, a set of plaint, written statement and/or other papers
relating to proceeding and disclosed documents should be sent to the witness for his
acquaintance and an acknowledgement in this regard will be filed before the Court.
h. Court or Commissioner must record any remark as is material regarding the demur of
the witness while on the screen and shall note the objections raised during recording
of witness either manually or mechanically.
i. Depositions of the witness either in the question answer form or in the narrative form
will have to sign as early as possible before a Magistrate or Notary Public and
thereafter it will form part of the record of the proceedings.
j. Mode of digital signature, if can be adopted in this process, such signature will be
obtained immediately after day’s deposition.
k. The visual is to be recorded at both the ends. The witness alone can be present at the
time of video conference, Magistrate and Notary is to certify to this effect.
l. In case of perjury Court will be able to take cognizance not only about the witness
gave evidence but who induced to give such evidence.
Digital Evidence and Law Page 45
m. The expenses and the arrangements are to be borne by the applicant who wants to
this facility.
n. Court is empowered to put condition/s necessary for the purpose. Hence video
conferencing is a permissible method for testimony of witnesses, including the
parties of the case.
4. Jagjit Singh Vs State of Haryana:
Case Overview: In this case petitioners were elected as members of assembly as
independent candidates - they joined a political party and news of their joining was
reported in print as well as electronic media - that fact was allegedly admitted by members
in an interview given to a TV news channel - members were disqualified from being
members of assembly by speaker - hence, instant petitions - held, mere denial of
opportunity to cross-examine or adduce evidence may not automatically lead to violation
of principles of natural justice.
Salient outcome of the judgment: When hearing the matter, the Supreme Court
considered the appreciation of digital evidence in the form of interview transcripts from
the Zee News television channel, the Aaj Tak television channel and the Haryana News of
Punjab Today television channel. The supreme court and determined that the electronic
evidence placed on record was admissible and upheld the reliance placed by the speaker on
the recorded interview when reaching the conclusion that the voices recorded on the CD
were those of the persons taking action. The comments in this case indicate a trend
emerging in Indian courts: judges are beginning to recognize and appreciate the
importance of digital evidence in legal proceedings.
5. Badola Murali Krishna Vs Smt. Bodala Prathima (2007 (2) ALD 72):
Case Overview: The petitioner is the husband of the respondent. Their marriage had taken
place in the year 1977 and were blessed with a child. The respondent filed H.M.O.P.No.
136 of 2004 in the Court of Additional Senior Civil Judge, Narsaraopet, against the
petitioner, for divorce under Section 13 of the Hindu Marriage Act, 1955. The trial of the
O.P. commenced. The petitioner is a resident of U.S.A. He filed I.A.No. 340 of 2006
seeking permission of the trial Court for recording his evidence through the video
conferencing. The respondent opposed the application. Through its order, dated 15-6-
2006, the trial Court dismissed the I.A.
Digital Evidence and Law Page 46
Salient outcome of the judgment: The court ruled that the amendments carried to the
Evidence Act by introduction of Sections 65-A and 65-B are in relation to the electronic
record. Sections 67-A and 73-A were introduced as regards proof and verification of
digital signatures. As regards presumption to be drawn about such records, Sections 85-A,
85-B, 85-C, 88-A and 90-A were added. These provisions are referred only to demonstrate
that the emphasis, at present, is to recognize the electronic records and digital signatures,
as admissible pieces of evidence. It is no doubt true that the recording of evidence through
the process of video conferencing is not specifically referred to in these provisions. Also
the court instructed that the party, who intends to avail such facility, shall be under
obligations to meet the entire expenditure
6. Dharambir v Central Bureau of Investigation (148 (2008) DLT 289)
Case Overview: The petitioners herein this case are accused of Criminal Conspiracy
under Section 120B of IPC and are also charged under Section 7-12 read with Section 13
of Prevention of Corruption Act, 1988. During the investigation, telephonic conversations
were recorded and stored in 4 Hard Disks which are kept at the Special Unit, CBI in New
Delhi. The four computer systems containing the recordings were sent to Andhra Pradesh
Forensic Science Laboratory. CDs were made for the four cases and they were sent to the
Special Judge along with the charge sheets. A Delhi High Court Case in which several
accused were prosecuted on the basis of intercepted telephone conversations. The case
concerns the admissibility and reliability of digital evidence. These intercepted
communications were stored on hard disks out of which CD’s were made subsequently.
These CD’s contained relevant conversations out of the entire conversations contained on
the hard disks. The prosecution sought to rely upon these CD’s as evidence against the
accused.
Salient outcome of the judgment: The court opined that the amended Evidence Act
widely defines ‘document’ and ‘evidence’ in Section 3 read with Section 2(t) & 2(o) of
the IT Act. In this case, the hard disk itself is a document which was used for recording the
telephonic conversation. Hence, they are electronic records for both their latent and patent
characteristics. The judgment is quite a watershed as it is the first Indian judgment which
elaborately discusses the admissibility of electronic records and the evidentiary
requirements under the Indian Evidence Act.
Digital Evidence and Law Page 47
The judgment significantly notes that, “once a blank hard disc is written upon it is
subject to a change and to that extent it becomes an electronic record. Even if the
hard disc is restored to its original position of a blank hard disc by erasing what
was recorded on it, it would still retain information which indicates that some text
or file in any form was recorded on it at one time and subsequently removed. By
use of software programs it is possible to find out the precise time when such
changes occurred in the hard disc. To that extent even a blank hard disc which
has once been used in any manner, for any purpose will contain some information
and will therefore be an electronic record.”
The court arrived at the conclusion that when Section 65B talks of an electronic
record produced by a computer referred to as the computer output. It would also
include a hard disc in which information was stored or was earlier stored or
continues to be stored. It distinguished as there being two levels of an electronic
record. One is the hard disk which once used itself becomes an electronic record
in relation to the information regarding the changes the hard disc has been subject
to and which information is retrievable from the hard disc by using a software
program. The other level of electronic record is the active accessible information
recorded in the hard disc in the form of a text file or sound file or a video file etc.
Such information that is accessible can be converted or copied as such to another
magnetic or electronic device CD, Pen drive etc. Even a blank hard disc which
contains no information but was once used for recording information can also be
copied by producing a cloned had or a mirror image.
7. In Twentieth Century Fox Film Corporation Vs NRI Film Production
Associates (P) Ltd. (AIR 2003 Kant 148):
Case Overview: This petition involves a techno-legal questions resulting in the growth of
technically speedy procedure. The issue Involved in the case on hand is with regard to
examination of witnesses in USA either by way of Commissioner or by way of Audio-
Video Link.
Salient outcome of the judgment: As part of the judgment certain safeguard conditions
have been laid down for video-recording of evidence by the court:
Digital Evidence and Law Page 48
a. Before a witness is examined in terms of the Audio-Video Link, witness is to
file an affidavit or an undertaking duly verified before a notary or a Judge that
the person who is shown as the witness is the same person as who is going to
depose on the screen. A copy is to be made available to the other side.
(Identification affidavit).
b. The person who examines the witness on the screen is also to file an
affidavit/undertaking before examining the witness with a copy to the other
side with regard to identification.
c. The witness has to be examined during working hours of Indian Courts. Oath
is to be administered through the media.
d. The witness should not plead any inconvenience on account of time different
between India and USA.
e. Before examination of the witness, a set of plaint, written statement and other
documents must be sent to the witness so that the witness has acquaintance
with the documents and an acknowledgement is to be filed before the Court in
this regard.
f. Learned Judge is to record such remarks as is material regarding the demur of
the witness while on the screen.
g. Learned Judge must note the objections raised during recording of witness and
to decide the same at the time of arguments.
h. After recording the evidence, the same is to be sent to the witness and his
signature is to be obtained in the presence of a Notary Public and thereafter it
forms part of the record of the suit proceedings.
i. The visual is to be recorded and the record would be at both ends. The witness
also is to be alone at the time of visual conference and notary is to certificate
to this effect.
j. The learned Judge may also impose such other conditions as are necessary in a
given set of facts.
k. The expenses and the arrangements are to be borne by the applicant who
wants this facility.
Digital Evidence and Law Page 49
8. Tukaram S. Dighole Vs Manikrao Shivaji Kokate Civil Appeal No. 2928
of 2008 decided on 05 February, 2010(Supreme Court):
Case Overview: This election petition challenges the declaration of the respondent as
the elected candidate from 69, Sinnar constituency at the election held on 13.10.2004. It
has been filed by a candidate of the NCP-Congress and R.P.I. alliance who
unsuccessfully contested the elections. The petitioner has alleged that the respondent has
indulged in corrupt practices thereby materially affecting the result of the election for the
Sinnar constituency. The petitioner has alleged that the returned candidate had flagrantly
violated the provisions of the Act and the election rules framed there under. He has also
alleged that the returned candidate had violated several orders of the election
commission issued under the provisions of the Act. The petitioner produced several
documents along with an affidavit of documents on record as also a Compact Disk
(hereinafter referred to as CD) which according to the petitioner was a reproduction of
the speeches delivered by the respondent and his supporters during the election period
when the code of conduct was in force.
Salient outcome of the judgment: Holding that "standard of proof" in the form of
electronic evidence should be "more accurate and stringent" compared to other
documentary evidence, the Supreme Court has upheld the election of a Shiv Sena Lok
Sabha candidate accused of making inflammatory speeches
"If a stringent test of proof is not applied a serious prejudice is likely to be caused
to the successful candidate whose election would not only be set aside, he may
also incur disqualification to contest an election for a certain period, adversely
affecting his political career."
Thus a heavy onus lies on the election petitioner to prove the charge of corrupt
practice in the same way as a criminal charge is proved," the apex court ruled.
A bench of Justice DK Jain and justice P Sathasivam passed the judgment while
upholding the election of Manikrao Shivaji Kokate from Maharashtra's Sinnar seat
in the 2004 parliamentary polls which was challenged by Tukaram Dighoie, the
defeated candidate of the NCP-Cong-RPI combine
"Though it was neither feasible nor advisable to lay down any exhaustive set of
rules by which the admissibility of such evidence may be judged but it needs to be
Digital Evidence and Law Page 50
emphasized that to rule out the possibility of any kind of tampering with the tape,
the standard of proof about its authenticity and accuracy has to be more stringent
as compared to other documentary evidence," the bench said Dichole had filed
the appeal after the Election Tribunal of the Bombay High Court dismissed his
petition on the ground that the video cassette copy containing the alleged
inflammatory speeches purportedly obtained from the Election Commission be
established as genuine.
In other words, the tribunal was of the view that Dighole could not prove that
cassette copy was obtained from the Election Commission office as claimed by
him since he could not support his claim with any proof.
It was the case of the defeated candidate that Kokate had made certain whipping
up pro- Maratha sentiments thus adversely affecting his (Dighole's) electoral
prospects.
Upholding the tribunal's order, the SC citing its earlier rulings said the success of
candidate who has won at an election should not be lightly interfered with.
Any petition seeking disqualification of an elected candidate should strictly
confirm the requirement of the law, the bench said.
"Having pursued the material on record, we are in complete agreement with
the tribunal that in the absence of any cogent evidence regarding the source
and the manner of its acquisition, the authenticity of the cassette was not
proved and it could not be read in evidence despite the fact that the cassette is
a public document.”
“No relevant material was brought to our notice which would impel us to hold
that the finding by the tribunal is perverse, warranting out interference," the
apex court said in a judgment in Feb. 2010.
9. Anvar P. K. vs. P.K Basheer & ors:
Case Overview: In the general election to the Kerala Legislative Assembly held on
13.04.2011, the first respondent was 1 REPORTABLE Page 2 declared elected to 034
Eranad Legislative Assembly Constituency. He was a candidate supported by United
Democratic Front. The appellant contested the election as an independent candidate,
Digital Evidence and Law Page 51
allegedly supported by the Left Democratic Front. Appellant was second in terms of votes;
He sought to set aside the election under Section 100(1)(b) read with Section 123(2)(ii)
and (4) of The Representation of the People Act, 1951 (hereinafter referred to as ‘the RP
Act’) and also sought for a declaration in favor of the appellant. The evidence consisted of
three parts –
a. electronic records,
b. documentary evidence other than electronic records, and
c. oral evidence.
Salient outcome of the judgment: Supreme Court overruled the statement of law on
admissibility of secondary evidence pertaining to electronic record, as held by the court in
case of State (NCT of Delhi) v Navjot Sandhu alias Afsal Guru (2005) 11 SCC 600 .
Supreme court in case of Anvar P.K vs. P.K Basheer & ors., further explained the position
by saying that “an electronic record by way of secondary evidence shall not be admitted in
evidence unless the requirement under section 65 B are satisfied. Thus in case of CD, VCD
and chip etc., the same shall be accompanied by the certificate in term of section 65B
obtained at the time of taking the document, without which the secondary evidence
pertaining to that electronic record is inadmissible.”
Following the principle of that generalia specialibus non derogant, which means special
law will always prevail over general law, court in case of Anvar P.K vs. P.K. Basheer &
ors has overruled the holding of Afzal Guru’s case and held inadmissibility of the CD’s as
these electronic evidence produced without the compliance of the requirement of the
section 65B. Here the special provision of the law is the section 65B of the Indian
Evidence Act 1872.
The judgment in Anvar’s case signifies the concern of our judiciary on reliability of the
electronic evidences. The new approach set up by the court is that the general law relating
to secondary evidence is not applicable in electronic evidence. Electronic records being
more susceptible to tampering and alteration so if the electronic records, which is not
complying with the special provision of the Indian evidence act that is section 65B, may
led to the travesty of justice.
Digital Evidence and Law Page 52
The Judgment referred to Section 22A of IEA which stated “Oral admissions as to the
contents of electronic records are not relevant, unless the genuineness of the electronic
record produced is in question.”
Judgment also referred to Section 45A according to which the opinion of Digital Evidence
Examiner (under Section 79A-When appointed) is relevant only when the genuineness of
an already admitted electronic evidence is in question.
After this case, for the presentation and admissibility of any electronic evidence like
computer data, CD, VCD, chip any other digital record, there is mandatory necessity to
comply with section 65B of the Act.
10. Suhas Katti Vs Tamilnadu:
Case Overview: In this case, a woman complained to the police about a man who was
sending her obscene, defamatory and annoying messages in a Yahoo message group.
The accused also forwarded emails received in a fake account opened by him in the
victim's name. The victim also received phone calls by people who believed she was
soliciting for sex work. After the victim made the complaint in February 2004, the police
traced the accused who was the victim's friend, to Mumbai and arrested him. The police
found the accused was interested in marrying the victim but she turned him down and
married someone else instead. The marriage, however, ended in divorce, which is when
the accused started contacting the victim again but she rejected him again. The accused
then started harassing the victim online.
Salient outcome of the judgment: This was the first case in India where a conviction
was handed down in connection with the posting of obscene messages on the internet
under the controversial section 67 of the Information Technology Act, 2000. The case is
also significant for having introduced electronic evidence under Section 65B of the
Indian Evidence Act for the first time in a Court, where a certified copy of the electronic
document present on Yahoo server was produced by a private techno legal consultant,
not being part of a Government forensic lab, and was accepted as the prime evidence of
crime. The role of a private person as an "Expert" and the "Validity of Section 65B of
Indian Evidence Act" were examined and validated in the trial.
Digital Evidence and Law Page 53
During the trial conviction was also brought on the concept of "Forgery" of an electronic
document under Indian Penal Code when a person writes his name below a message
intending the recipient to consider it as a message sent by that person.
The impact of the case was far reaching and set a benchmark for the courts and inspired
people to lodge cases related to harassment on the internet.
The Case also brought out the responsibilities of an intermediary like a Cyber Cafe in
maintaining a visitor's register and its importance as evidence.
The case validated the concept of production of electronic evidence through Section 65B
certification without the production of the original hard disk containing the document.
11. Shafi Mohammad Vs The State of Himachal Pradesh
Case Overview: In this case the key issue that was considered was whether a video
recording of the scene of crime during investigation should be necessary to inspire
confidence in the evidence collected and in the given context, what would be the scope
of applicability of the procedural requirements under Section 65(B)(4) of the Act for
furnishing a certificate in case of electronic evidence produced by a person not in
custody of the device generating such evidence.
Salient outcome of the judgment: After hearing submissions of the parties and
clarifying the legal position on the subject on the admissibility of the electronic evidence
(especially by a party who is not in possession of device from which the document is
produced) the Apex Court made the following observations:
➢ Electronic evidence is admissible under the Act. Section 65A and 65B are
clarificatory and procedural in nature and cannot be held to be a complete
code on the subject.
➢ If the electronic evidence so produced is authentic and relevant, then it can
certainly be admitted subject to the court being satisfied of its authenticity.
The procedure for its admissibility may depend on the facts such as whether
the person producing the said evidence is in a position to furnish a certificate
under Section 65B(h).
➢ The applicability of the procedural requirement under Section 65B(4) of the
Act of furnishing a certificate is to be applied only when such electronic
Digital Evidence and Law Page 54
evidence is produced by a person who is in a position to produce such a
certificate being in control of the said device and not of the opposite party.
➢ In a case where electronic evidence is produced by a party who is not in
possession of a device, applicability of Sections 63 and 65 of the Act cannot
be held to be excluded. In such cases, procedure under the said provisions
cannot be held to be excluded.
➢ A person who is in possession of authentic evidence but on account of manner
of proving, such document is kept out of consideration by the court in absence
of certificate under Section 65B(4) of the Evidence Act, which party
producing cannot possibly secure, will lead to denial of justice.
➢ A party who is not in possession of a device from which the document is
produced cannot be required to produce a certificate under Section 65B (4) of
the Act. Thus, the requirement of certificate under Section 65B is not always
mandatory.
12. Paul Ceglia vs. Facebook's Mark Zuckerberg:
Case Overview: In 2010 at U.S.A District Court for the Western District of New York,
Paul Ceglia, a wood pellet salesman from Wellsville, New York, sued both Facebook and
CEO Mark Zuckerberg, alleging that a 2003 contract he wrote to hire Zuckerberg to do
computer programming for his company, Street Fax, entitled him to 50% of Facebook.
Zuckerberg, a student at Harvard at the time, had responded to an ad on Craigslist
published by Ceglia. Zuckerberg was paid $1000 for his work. The copy of the contract
filed by Ceglia in his lawsuit showed that he made also a $1000 investment in “The Page
Book,” and Ceglia’s suit claimed that that seed investment entitled him to a 50% share of
the company. Ceglia’s team produced a series of emails between the two that appeared to
show the agreement to the 50/50 share.
Salient outcome of the judgment: Digital Forensics and Digital Evidence played a key
role in the judgment of this case. The court then ordered that a computer forensic
examination of Paul Ceglia’s computer was carried out, contrary to Paul Cegla’s requests.
During the examination Facebook identified the document that contained the original
contract dating from 2004 and, whilst his case was becoming believed by many, it
showed that Paul Ceglia’s contract made no reference to “The Page Book” or Facebook
and only mentioned his own company, Street Fax.
Digital Evidence and Law Page 55
The examination also identified the use of 6 USB memory sticks that were claimed to
have been lost by Paul Ceglia and found in one of those devices was a folder named
“Facebook Files” and image file that was named “Zuckerberg Contract page1.tif,” and
this image was the same as the one used by Paul Ceglia in his lawsuit.
Facebook alleged that the contract that had been produced had been forged to support
Paul Ceglia’s claim and forensic experts also examined Mark Zuckerberg’s email account
from the time and found no evidence of the email chain that Paul Celgia had also
produced that contained the agreement of 50% share in Facebook.
The case against Facebook was then dismissed by the court and Paul Ceglia was then
arrested on charges of attempting to defraud Facebook of 1 billion US Dollars.
Digital Evidence and Law Page 56
6. CONCLUSION & SUGGESTIONS
In this final chapter, I have summarized the findings and provides a conclusion to this
dissertation thesis. I have relied on the available literature and also reviewed relevant case
laws applicable to the theme of the dissertation thesis.
The area of Digital Evidence is very vast and going through continuous evolution thanks to
new digital devices and communication methods that keep getting into the market. This is
also closely linked to the technological developments in computing (both hardware and
software), telecommunications, and consumer usage patterns. Thanks to Internet Of Things
(IOT), machine learning, increased state monitoring with common ID like Aadhar and
CCTV’s across the cities and by private individuals, the amount of digital evidence that is
going to be available for any crime will only increase. Nowadays every crime will have some
or other digital evidence tagged as primary/secondary evidence due to increased usage of
technology which leaves lot of digital footprint, so legal regime needs to move faster by
appreciating and accommodating the newer set of digital evidences that will keep on getting
added as a secondary/primary evidence to help victim get due justice.
Based on various reading on the challenges faced while collecting, maintaining and
presenting digital evidence, I suggest that more awareness and training sessions need to be
conducted for all the associated parties regarding new technological advances in digital
devices and communication methods and create SOP’s for gathering, maintaining and
presenting evidences such that the evidence value is not destroyed and appreciated by the
law. Similarly student suggests that legal fraternity must also embrace newer technological
advancements to provide justice to the victims in a timely manner.
I have restricted this dissertation thesis mainly to Indian legal framework on digital evidence,
and suggests as a scope for future work that a study can be taken up on how digital evidence
is collected, documentation and legal framework works in other countries.
Digital Evidence and Law Page 57
7. LIST OF ABBREVATIONS
➢ NLSIU National Law School of India University
➢ PGD-CLCF PostGraduate Diploma in Cyber Law and Cyber Forensics
➢ DED Distance Education Department
➢ IT Information Technology
➢ DFRWS Digital Forensic Research Workshop
➢ ATM Automatic Teller Machines
➢ SMS Short Messaging Service
➢ MMS Multimedia Messaging Service
➢ CDROM Compact Disc Read Only Memory
➢ CD Compact Disk
➢ DVD Digital Video Device
➢ IOT Internet Of Things
➢ Email Electronic Mail
➢ CCTV Closed Circuit Television
➢ DVR Digital Video Recorder
➢ IM Instant Messaging
➢ URT Uniform Resource Identifier
➢ DBMS Data Base Management System
➢ RAM Random Access Memory
➢ GPS Global Positioning System
➢ ADC Analog-to-Digital Conversion
➢ DAC Digital-to-Analog Conversion
➢ USB Universal Service Bus
➢ FTK Forensic Toolkit
➢ VoIP Voice Over Internet Protocol
➢ OS Operating System
➢ UNCITRAL United Nations Commission on International Trade Law
➢ PAN Permanent Account Number
➢ CA Certifying Authority
➢ CCA Controller of Certifying Authorities
➢ eKYC Electronic Know Your Customer
Digital Evidence and Law Page 58
➢ ASP Application Service Provider
➢ OTP One Time Password
➢ CRPC Criminal Procedure Code
➢ IPC Indian Penal Code
➢ NCP National Congress Party
➢ RPI Republican Party Of India
➢ SC Supreme Court
➢ NCT National Capital Territory
➢ USA United Stated Of America
➢ CEO Chief Executive Officer
Digital Evidence and Law Page 59
8. BIBILOGRAPHY
8.1 Books, Articles and other References
A. Books:
➢ Published by NLSIU(2018-19):
➢ Information Technology Act, 2000 Along with Rules & Regulations
Paperback – 2017
➢ The Indian Evidence Act, 1872 as amended by the Criminal Law
(Amendment) Act, 2013/Latest Edition
➢ Digital Evidence and Computer Crime, Second Edition by Eoghan Casey BS
MA
➢ The Anatomy of a Digital Investigation By Michael W. Graves
B. Journals:
➢ International Journal of Advanced Research in Computer Science and
Software Engineering By Matthew N. O. Sadiku, Mahamadou Tembely, and
Sarhan M. Musa
C. Articles and extract from Internet:
➢ http://www.forensicsciencesimplified.org/digital/DigitalEvidence.pdf
➢ Electronic Evidence/ Digital Evidence & Cyber Law in India By Adv Prashant
Mali
➢ https://www.legalbites.in/electronic-evidence-indian-evidence-act-1872/
➢ http://itatonline.org/info/wp-
content/files/CBDT_Digital_Evidence_Investigating_Manual_.pdf
➢ https://www.forensicmag.com/article/2010/09/packaging-transportation-and-
storage-digital-evidence
➢ https://www.tutorialspoint.com/information_security_cyber_law/digital_and_e
lectronic_signatures.htm
➢ https://www.myadvo.in/blog/everything-about-digital-signature-in-india/
➢ India: Admissibility Of Electronic Evidence Under The Indian Evidence Act,
1872 By Vijay Pal Dalmia, Partner
Digital Evidence and Law Page 60
➢ Section 65B of Indian Evidence Act on Electronic Evidence Explained By
Vijayashankar Na
➢ Indian Evidence ACT Section 65A and Section 65B By mdjainam
➢ https://www.advocatekhoj.com/library/judgments
➢ https://indiankanoon.org
➢ https://mylawbook.blogspot.com/2011/08/state-nct-of-delhi-v-navjot-
sandhu.html
➢ https://cyberblogindia.in/digitalevidencelaw-and-all-about-anvar-v-basheer/
➢ https://everipedia.org/wiki/lang_en/Suhas_Katti_v._Tamil_Nadu/
➢ https://www.digital-strata.com/articles/two-famous-cases-where-digital-
evidence-was-key/
Digital Evidence and Law Page 61
END OF THE DISSERTATION
Digital Evidence and Law Page 62
You might also like
- Chfiv9 Study Guide: Locard's Exchange Principle Takes Something Leaves Something100% (1)Chfiv9 Study Guide: Locard's Exchange Principle Takes Something Leaves Something48 pages
- Laudon-Traver Ec15 PPT Ch04-Rev AccessiblePPT-ct100% (1)Laudon-Traver Ec15 PPT Ch04-Rev AccessiblePPT-ct67 pages
- Automotive Cyber Security: Andi Otea May 2018No ratings yetAutomotive Cyber Security: Andi Otea May 201818 pages
- Blockchain Cloud Integration Comprehensive Survey and Open Research IssuesNo ratings yetBlockchain Cloud Integration Comprehensive Survey and Open Research Issues27 pages
- Priya A Jagadish Course Teacher: Jurisprudence JSS Law College, Autonomous MysuruNo ratings yetPriya A Jagadish Course Teacher: Jurisprudence JSS Law College, Autonomous Mysuru20 pages
- IT PROJECT - Legal Recognition of Electronic EvidenceNo ratings yetIT PROJECT - Legal Recognition of Electronic Evidence12 pages
- Constitution and Subordination of The Criminal CourtsNo ratings yetConstitution and Subordination of The Criminal Courts5 pages
- Priya A Jagadish Course Teacher: Jurisprudence JSS Law College, Autonomous MysuruNo ratings yetPriya A Jagadish Course Teacher: Jurisprudence JSS Law College, Autonomous Mysuru24 pages
- Linux TCG Software Stack Low Level DesignNo ratings yetLinux TCG Software Stack Low Level Design64 pages
- Legal and Policy Framework For Digital ForensicsNo ratings yetLegal and Policy Framework For Digital Forensics81 pages
- Law of Torts & Consumer Protection Syllabus 2019100% (1)Law of Torts & Consumer Protection Syllabus 20192 pages
- Digital Evidence Nature, Collection & Production Before Court of LawNo ratings yetDigital Evidence Nature, Collection & Production Before Court of Law13 pages
- Review Paper On Secure Hash Algorithm With Its Variants: ResearchNo ratings yetReview Paper On Secure Hash Algorithm With Its Variants: Research8 pages
- Priya A Jagadish Course Teacher: Jurisprudence JSS Law College, Autonomous MysuruNo ratings yetPriya A Jagadish Course Teacher: Jurisprudence JSS Law College, Autonomous Mysuru19 pages
- Index: Term Paper On Web AuthenticationNo ratings yetIndex: Term Paper On Web Authentication16 pages
- How To Use ProDiscover, ProDiscover Forensics100% (1)How To Use ProDiscover, ProDiscover Forensics13 pages
- Module 03 Digital Evidence and First Responder ProcedureNo ratings yetModule 03 Digital Evidence and First Responder Procedure18 pages
- A Study On Interplanetary File System Based On BlockchainNo ratings yetA Study On Interplanetary File System Based On Blockchain6 pages
- Post Graduate Govt College Sector-11 ChandigarhNo ratings yetPost Graduate Govt College Sector-11 Chandigarh26 pages
- Admissibility of Electronic and Digital EvidenceNo ratings yetAdmissibility of Electronic and Digital Evidence18 pages
- Electronic Evidence or Digital Evidence and Cyber Law in IndiaNo ratings yetElectronic Evidence or Digital Evidence and Cyber Law in India10 pages
- Instructor Materials Chapter 12: Intrusion Data Analysis: Cybersecurity OperationsNo ratings yetInstructor Materials Chapter 12: Intrusion Data Analysis: Cybersecurity Operations21 pages
- A Comparative Analysis of Admissibility and Relevance of Electronic and Digital Evidence in Criminal Cases100% (1)A Comparative Analysis of Admissibility and Relevance of Electronic and Digital Evidence in Criminal Cases11 pages
- Admissibility of Electronic Evidence Under ActNo ratings yetAdmissibility of Electronic Evidence Under Act5 pages
- Cyber Forensics and Admissibility of Digital Evidence PDFNo ratings yetCyber Forensics and Admissibility of Digital Evidence PDF10 pages
- Bangabandhu Sheikh Mujibur Rahman Maritime University, BangladeshNo ratings yetBangabandhu Sheikh Mujibur Rahman Maritime University, Bangladesh6 pages
- Two Level QR Code For Private Message Sharing and Document Authentication-IJAERDV03I1227786N PDFNo ratings yetTwo Level QR Code For Private Message Sharing and Document Authentication-IJAERDV03I1227786N PDF5 pages
- BCIT COMP 8505 Final Project Covert Channel Exfiltration by Wesley Kenzie, June 2011No ratings yetBCIT COMP 8505 Final Project Covert Channel Exfiltration by Wesley Kenzie, June 201139 pages
- Unit IV Digital Evidence: Total Marks: 08No ratings yetUnit IV Digital Evidence: Total Marks: 0816 pages
- Importance of Digital Forensic in Electronic EvidencNo ratings yetImportance of Digital Forensic in Electronic Evidenc16 pages
- Analyzing The Evolution: A Comparative Study of Provisions Related To Electronic Evidence' in The Old Statute and New Proposed Bill in IndiaNo ratings yetAnalyzing The Evolution: A Comparative Study of Provisions Related To Electronic Evidence' in The Old Statute and New Proposed Bill in India3 pages
- Subject Name: Digital Forensics Subject Code: 3170725No ratings yetSubject Name: Digital Forensics Subject Code: 317072546 pages
- Bachelors of Law (Hons.) Semester-III Ca-IiiNo ratings yetBachelors of Law (Hons.) Semester-III Ca-Iii13 pages
- Can We Trust Large Language Models Generated Code ANo ratings yetCan We Trust Large Language Models Generated Code A27 pages
- A Mini Project Report ON Decentralized Voting System Using BlockchainNo ratings yetA Mini Project Report ON Decentralized Voting System Using Blockchain55 pages
- 2nd Lecture Digital Forensics Updated DFSNo ratings yet2nd Lecture Digital Forensics Updated DFS40 pages
- F) Electronic Evidence: Criminal Law - Practice and ProcedureNo ratings yetF) Electronic Evidence: Criminal Law - Practice and Procedure24 pages
- Sanjivani K.B.P Polytechinc, Kopargoan: Sanjivani Rural Education Society'SNo ratings yetSanjivani K.B.P Polytechinc, Kopargoan: Sanjivani Rural Education Society'S15 pages
- Unit 5 Understanding Computer ForensicsNo ratings yetUnit 5 Understanding Computer Forensics47 pages
- Practical Digital Forensics: Forensic Lab Setup, Evidence Analysis, and Structured Investigation Across Windows, Mobile, Browser, HDD, and Memory (English Edition)From EverandPractical Digital Forensics: Forensic Lab Setup, Evidence Analysis, and Structured Investigation Across Windows, Mobile, Browser, HDD, and Memory (English Edition)No ratings yet
- Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business ExecutivesFrom EverandInvestigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives1/5 (1)
