ELECTRONIC EVIDENCE & CYBER FORENSICS

INTRODUCTION

DEFINITION
“Forensic computing is the process of
identifying, preserving, analyzing and
presenting digital evidence in a manner
that is legally acceptable.” (Rodney
McKemmish 1999).
CHARACTERISTICS

• IDENTIFYING
• PRESERVING
• ANALYZING
• PRESENTING
NEED OF CYBER FORENSICS
• To produce evidence in the court that
can lead to the punishment of the actual.
• To ensure the integrity of the computer
system.
• To focus on the response to hi-tech
offenses, started to intertwine.
HISTORY OF CYBER FORENSICS
• Began to evolve more than 30 years ago in the US, when law
enforcement and military investigators started seeing
criminals get technical.

• Over the next decades, and up to today, the field has
exploded. Law enforcement and the military continue to
have a large presence in the information security and
computer forensic field at the local, state and federal level.

• Nowadays, software companies continue to produce
newer and more robust forensic software programs, and
law enforcement and the military continue to identify and
train more and more of their personnel in the response to
crimes involving technology.
GOAL OF CYBER FORENSICS
The main goal of computer forensic
experts is not only to find the criminal
but also to find the evidence and
present it in a manner that leads to
legal action against the criminal.
CYBER CRIME & EVIDENCE

CYBER CRIME
Cyber crime, or computer related crime, is crime that
involves a computer and a network. The computer may
have been used in the commission of a crime, or it may
be the target.
"Offences that are committed against individuals or groups
of individuals with a criminal motive to intentionally
harm the reputation of the victim or cause physical or
mental harm, or loss, to the victim directly or indirectly,
using modern telecommunication networks such as
Internet (networks including but not limited to Chat
rooms, emails, notice boards and groups) and mobile
phones (Bluetooth/SMS/MMS)".
TYPES OF CYBER CRIME
o Child Porn
o Breach of Computer Security
o Fraud/Theft
o Copyright Violations
o Identity Theft
o Narcotics Investigations
o Threats
o Burglary
o Suicide
o Obscenity
o Homicide
o Administrative Investigations
o Sexual Assault
o Stalking
AUTHORITIES

• The Central Forensic Science Laboratory (CFSL) is a wing of
the Indian Ministry of Home Affairs, which fulfills the
forensic requirements in the country.
• There are seven central forensic laboratories in India,
at Hyderabad, Kolkata, Chandigarh, New
Delhi, Guwahati, Bhopal and Pune.
• State Forensic Science Laboratories
DIGITAL EVIDENCE
“Any data that is recorded or preserved on any
medium in or by a computer system or other
similar device, that can be read or understood by
a person or a computer system or other similar
device. It includes a display, print out or other
output of that data.”

• Latent, like a fingerprint or DNA
• Fragile and can be easily altered, damaged, or
destroyed.
• Can be time sensitive
INDIAN EVIDENCE ACT

• The Indian Evidence Act has been amended by virtue of
Section 92 of Information Technology Act, 2000 (Before
amendment).
• Section 3 of the Act was amended and the phrase “All
documents produced for the inspection of the Court”
was substituted by “All documents including electronic
records produced for the inspection of the Court”.
• Regarding documentary evidence, in Section 59, for
the words “Content of documents” the words “Content of
documents or electronic records” have been substituted,
and Sections 65A & 65B were inserted to incorporate the
admissibility of electronic evidence.
TYPES OF DIGITAL EVIDENCE

1) PERSISTENT DATA,
Meaning data that remains intact when the computer is
turned off. E.g. hard drives, disk drives and removable
storage devices (such as USB drives or flash drives).

2) VOLATILE DATA,
Which is data that would be lost if the computer is turned
off. E.g. deleted files, computer history, the computer's
registry, temporary files and web browsing history.
5 RULES OF EVIDENCE
1) Admissible,
• Must be able to be used in court or elsewhere.
2) Authentic,
• Evidence relates to incident in relevant way.
3) Complete (no tunnel vision),
• Exculpatory evidence for alternative suspects.
4) Reliable,
• No question about authenticity & veracity.
5) Believable,
• Clear, easy to understand, and believable by a jury.
SOURCES
1) Internet History Files
2) Temporary Internet Files
3) Slack/Unallocated Space
4) Buddy lists, personal chat room
records, other saved conversations
5) News groups/club lists/posting
6) Settings, folder structure, file names
7) File Storage Dates
8) Software/Hardware added
9) File Sharing ability
10) E-mails
APPLICATIONS OF CYBER FORENSICS

• FINANCIAL FRAUD DETECTION
• CRIMINAL PROSECUTION
• CIVIL LITIGATION
THE ELEPHANT IN THE ROOM – SEC 65B

• Section 65B of the Indian Evidence Act relates to
admissibility of electronic records as evidence in a
Court of law.
• The computer holding the original evidence does not
need to be produced in court.
CASE LAWS

• Amitabh Bagchi Vs. Ena Bagchi (AIR 2005
Cal 11) [Sections 65-A and 65-B of Evidence Act,
1872 were analyzed.]
The court held that the physical presence of a person
in Court may not be required for the purpose of
adducing evidence and the same can be done
through a medium like video conferencing. Sections
65-A and 65-B provide provisions for evidence
relating to electronic records and admissibility of
electronic records, and the definition of electronic
records includes video conferencing.
State of Maharashtra vs. Dr Praful B Desai (AIR 2003 SC 2053)
[The question involved whether a witness can be examined by
means of a video conference.]
The Supreme Court observed that video conferencing is an
advancement of science and technology which permits seeing,
hearing and talking with someone who is not physically present
with the same facility and ease as if they were physically present.
The legal requirement for the presence of the witness does not mean
actual physical presence.

The court allowed the examination of a witness through video
conferencing and concluded that there is no reason why the
examination of a witness by video conferencing should not be an
essential part of electronic evidence.
•DHARAMBIR Vs. CENTRAL BUREAU OF INVESTIGATION
(148 (2008) DLT 289)

The court arrived at the conclusion that when Section 65-B talks of an electronic
record produced by a computer (referred to as the computer output) it would also
include a hard disc in which information was stored or was earlier stored or
continues to be stored.

It distinguished two levels of an electronic record. One is the hard disc,
which once used itself becomes an electronic record in relation to the information
regarding the changes the hard disc has been subject to, and which information is
retrievable from the hard disc by using a software program. The other level of
electronic record is the active accessible information recorded in the hard disc in the
form of a text file, or sound file or a video file etc.
Such information that is accessible can be converted or copied
as such to another magnetic or electronic device like a CD, pen
drive etc. Even a blank hard disc which contains no information
but was once used for recording information can also be copied
by producing a cloned hard disc or a mirror image.
• STATE (NCT OF DELHI) Vs. NAVJOT SANDHU (AIR 2005
SC 3820)
There was an appeal against conviction following the
attack on Parliament on December 13, 2001. This case dealt with the
proof and admissibility of mobile telephone call records. While
considering the appeal against the accused for attacking Parliament,
a submission was made on behalf of the accused that no reliance
could be placed on the mobile telephone call records, because the
prosecution had failed to produce the relevant certificate under
Section 65-B(4) of the Evidence Act. The Supreme Court concluded
that a cross-examination of the competent witness acquainted with
the functioning of the computer during the relevant time and the
manner in which the printouts of the call records were taken was
sufficient to prove the call records.
• ANVAR P.V. Vs. P.K. BASHEER AND OTHERS

Computer output is not admissible without compliance with Section 65B of the
Evidence Act. This overrules the judgment laid down in State (NCT of Delhi) v. Navjot
Sandhu alias Afzal Guru [(2005) 11 SCC 600] by the two-judge Bench of
the Supreme Court.