Digital Evidence



This Blog is written by Rujuta Sunil Jog & Soham Sanjay Athavale. Edited by Uroosa Naireen.

| Runners-up of 1st Online National Blog Writing Competition |



One of the most significant and influential inventions of the 20th century is the computer. More and more information is being stored, transmitted, or processed in digital form in enforcement agencies, including the Income Tax Department. The law of the country has also taken cognizance of this reality. The IT Act, 2000 has been enacted; it recognizes electronic records as evidence and governs access to and acquisition of digital evidence from individuals, corporate bodies, and public domains. Electronic evidence is valuable evidence, and it should be treated in the same manner as traditional forensic evidence, i.e. with respect and care.

Section 79A of the IT Act, 2000 explains the term ‘electronic form evidence’ as any information of probative value that is either stored or transmitted in electronic form, and includes computer evidence, digital audio, digital video, cell phones, and fax machines.


• It is invisible to the untrained eye.

• It needs to be interpreted by a specialist.

• It is highly volatile.

• It can be altered even by normal use.

• It may be copied without limits.

• It can transcend national borders easily.

There are two types of digital evidence: [1]

1. Persistent evidence: The data is stored on a local hard drive and is preserved when the computer is turned off, e.g. documents (word, slides, files), browser history, chat logs, phone logs, email, SMS/MMS, applications, images, registry, audio/video, etc.

2. Volatile evidence: Any data that is stored in memory, or exists in transit, and that will be lost when the computer loses power or is turned off, e.g. memory, network connections and status, running processes, time information, etc.

Section 2(t) of the Information Technology Act, 2000 defines ‘electronic record’ as data, record or data generated, image or sound stored, received or sent in electronic form or microfilm or computer-generated microfiche.

Section 2(o) of the Information Technology Act, 2000 defines data as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form or stored internally in the memory of the computer.

Section 65B of Indian Evidence Act, 1872 states the conditions of admissibility of electronic records: [2] [3]

1. Any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output, e.g. a WhatsApp chat print) shall be deemed to be a document if the conditions mentioned in this section are satisfied in relation to the information and computer in question, and shall be admissible in any proceeding, without further proof or production of the original, as evidence of any contents of the original or any fact stated therein of which direct evidence would be admissible.

2. Conditions about computer output:

  • Information produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer.
  • During the said period, information of the kind contained in the electronic record or of the kind from which the information contained is derived was regularly fed into computers in the ordinary course of the said activities.
  • Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents, and
  • The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.

3. Where over any period, the function of storing or processing information for the purpose of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether –

  • By a combination of computers operating over the period,
  • By different computers operating in succession over the period,
  • By different combinations of computers operating in succession over that period, or,
  • In any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers,

  all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer, and references in this section to a computer shall be construed accordingly.

4. Condition for a certificate under section 65B of the Indian Evidence Act –

  • Fulfill all the conditions described in section 65B (2) of the Indian Evidence Act.
  • The responsible authority under 65B can produce the certificate.


Nowadays, digital evidence is not just a document produced by a computer. It can take almost any form: your browsing data, your chats, your bank transactions, or just a post on social media. This makes it very difficult to track down. With Industry 4.0, the volume of digital data is going to grow beyond imagination. Industry 4.0 depends on automation and cloud computing, so one can imagine the amount of data produced in a day.

1. A desktop computer

2. Pen drives

3. Hard drives

4. Handheld devices like mobile phones, electronic organizers, iPads, personal digital assistants, etc.

5. Smart cards, dongles, and biometric scanners

6. Display monitor (CRT, LCD, TFT) etc.

7. Answering machines

8. Local Area Network (LAN) cards or network interface cards

9. Modems, routers, hubs, switches

10. Servers

11. Removable storage devices like SD cards in mobile phones

12. Scanners and copiers

13. Digital cameras

14. CD/DVD

15. Facsimile machine

16. Global positioning systems

17. Cloud data servers

All of these are digital evidence and its sources. Such evidence is very easy to destroy or manipulate. For example, suppose a post on Facebook is evidence, but it has been deleted. No one can see or access it except Facebook itself. In this case, the company refuses to do so, citing its privacy norms.

A detailed case study illustrates this. In 2016, Brexit (the withdrawal of the United Kingdom from the European Union) took place. The highest share of votes to leave the European Union was cast in South Wales, where 62% of the population voted to leave the EU. When people there were asked why, they said that the EU had not done anything for them and that it had added to the refugee crisis. They also said that Turkey was joining the EU. When the facts were checked, the reality was the opposite. The EU had funded many developmental projects in South Wales. There were no refugees arriving there from any other part of Europe or Central Asia. Moreover, Turkey was not joining the European Union. So those people had been misled. After much research, it emerged that Facebook ads had been misleading the people. The British Government filed a case against Facebook and demanded those fake advertisements. But, as usual, the company denied everything. Later, due to tremendous pressure from the British Parliament, the company had to admit its conduct and provide the details that the British Government had asked for. [4]

ISO (International Organization for Standardization) provides guidelines for specific activities in the handling of digital evidence.

• 27037: Guidelines for identification, collection, acquisition, and preservation of digital evidence. (CCTV, mobiles, pen drive)

• 27042: Guidelines for the analysis and interpretation of digital evidence. (validity, continuity)

• 27043: Incident investigation principles and processes. (unauthorized access, data corruption)

• 27050: Electronic discovery. (terms, describes concepts)


State (N.C.T. of Delhi) v. Navjot Sandhu, [5]

In the Parliament Attack Case, a laptop relevant to the case was recovered. Incriminating evidence was found on it, which the prosecution produced in support of its case. The Supreme Court propounded certain principles:

1) The burden of proof in case of computer evidence shifts automatically to the defense.

2) Related to certificate u/s 65B (4): A certificate u/s 65B (4) is not mandatory.


1) If the accuracy of computer evidence is to be challenged the burden lies on the side who makes such a challenge.

2) The Court went ahead to say that the certificate under 65B (4) is an alternative method to prove an electronic record and not mandatory.

Anvar P.V. v. P.K. Basheer [6]

Anvar v. Basheer laid down the ratio that an electronic record by way of secondary evidence is inadmissible unless accompanied by a certificate at the time of taking the document. The earlier proposition was that a certificate is not mandatory. Anvar v. Basheer held that the earlier proposition is bad in law, and it is therefore overruled. Where a person is handed a copy of a document to print out for lawyers who want to produce it as evidence, that person is not willing to give a certificate stating how he produced it. This situation was not envisaged by the court in Anvar v. Basheer.

Shafhi Mohammad v. State of Himachal Pradesh [7]

The Supreme Court of India rationalized the law relating to the admissibility of electronic evidence, particularly in view of the provisions of Section 65B of the Indian Evidence Act.

Section 54A of the Cr.P.C. provides for videography of the identification process, and the proviso to Section 164(1) Cr.P.C. provides for audio-video recording of a confession or statement under the said provision.


A. Geotags

Facts: After the Russian annexation of Crimea in February 2014, international tensions built over allegations that Russian troops were operating in other parts of Ukraine. Russian officials repeatedly denied these allegations. Starting in late June 2014, Alexander Sotkin, a sergeant in the Russian Army, posted a month-long series of selfies taken with his cell phone to his public Instagram account. The press picked the story up when it was discovered that the JPEG files posted included geotag metadata, and that the geotags and pictures showed the sergeant moving on duty from a military base in Russia into eastern Ukraine and then back to the base.

The takeaway: Geotags, such as those embedded in Sotkin’s pictures, are a form of locational metadata. Geotags generated by smartphones tend to be very accurate and are associated with other types of file metadata, like date- and timestamps. Combine these attributes with the conventional wisdom that a picture is worth a thousand words and reports showing that smartphone users take over 150 pictures per month, and you have a treasure trove of data to pin down who/what/when/where details during an investigation. Geotags and other types of locational data can also be embedded in other types of files, such as video files and SMS text messages. Other cell phone locational data can be drawn from routes stored in mapping applications, Wi-Fi connections, cell towers in call history, and applications like weather or real estate tools.
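How a geotag is recovered from a picture's EXIF data, as an added example that is not part of the original blog: the sketch below walks the TIFF structure that follows the `Exif\0\0` marker in a JPEG, locates the GPS directory, and converts the degree/minute/second values to signed decimal coordinates. The function names and the sample block are constructed for illustration.

```python
import struct
GPS_IFD_POINTER = 0x8825  # IFD0 tag holding the offset of the GPS IFD

def read_ifd(tiff, offset, e):
    """Return {tag: 4-byte value field} for the IFD at `offset`."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    out = {}
    for i in range(n):
        start = offset + 2 + 12 * i          # each entry is 12 bytes
        (tag,) = struct.unpack_from(e + "H", tiff, start)
        out[tag] = tiff[start + 8:start + 12]
    return out

def dms_to_decimal(tiff, field, e, ref):
    """Three RATIONALs (deg, min, sec) -> signed decimal degrees."""
    (off,) = struct.unpack(e + "I", field)
    nums = struct.unpack_from(e + "6I", tiff, off)
    if 0 in nums[1::2]:
        raise ValueError("zero denominator in GPS rational")
    d, m, s = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    value = d + m / 60 + s / 3600
    return -value if ref in (b"S", b"W") else value

def gps_from_tiff(tiff):
    """Return (lat, lon) from an EXIF TIFF block, or None if it has no geotag."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte-order mark
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER])[0], e)
    if not all(t in gps for t in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    lat = dms_to_decimal(tiff, gps[2], e, gps[1][:1])
    lon = dms_to_decimal(tiff, gps[4], e, gps[3][:1])
    return round(lat, 6), round(lon, 6)

def build_sample():
    """Constructed EXIF block (not real evidence): 48 deg 51' 30 N, 2 deg 17' 40 E."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    off = lambda n: struct.pack("<I", n)
    ifd0 = struct.pack("<H", 1) + ent(GPS_IFD_POINTER, 4, 1, off(26)) + off(0)
    gps = (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, off(80))
           + ent(3, 2, 2, b"E\0\0\0") + ent(4, 5, 3, off(104)) + off(0))
    rationals = struct.pack("<12I", 48, 1, 51, 1, 30, 1, 2, 1, 17, 1, 40, 1)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals

print(gps_from_tiff(build_sample()))
```

An examiner would run this on a verified working copy of the image, never the original, and record the extracted coordinates alongside the file's timestamps.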

B. Wearable sensors

Facts: Connie Dabate was murdered in her home in 2015. According to his arrest warrant, her husband Richard provided an elaborate explanation of the day’s events, claiming that he returned home after receiving an alarm alert. Richard went on to claim that, upon entering his house, he was immobilized and tortured by an intruder. He told police that the intruder then shot and killed Connie when she returned home from the gym. Relying on evidence collected from Connie’s Fitbit, police were able to show that she had been in the house at the time Richard said she was at the gym. According to the Fitbit’s data, Connie stopped moving one minute before the home alarm went off.

The takeaway: Wearable devices like Fitbit monitor location via GPS and activities like distance traveled, steps taken, sleep time, and heart rate. The devices are configured to synchronize data to applications on smartphones and personal computers or to cloud or social media sites. Evidentiary collections can be made from either of these sources using standard digital forensics tools and techniques.






[5] AIR 2005 SC 3820

[6] (2014) 10 SCC 473

[7] (2018) 1 SCC (Cri) 860


One Thought to “Digital Evidence”

  1. Ankita Gupta

    Well written and knowledgeable. Thank you for sharing.