CRIMINOLOGY

CYBER CRIMINOLOGY & CYBER FORENSICS

Digital Evidence

1
 MODULE 31 : DIGITAL EVIDENCE

Component - I - Personal Details

Role Name Affiliation

Principal Investigator Prof(Dr) G S Bajpai Registrar
National Law University
Delhi
Paper Coordinator Prof(Dr) K. Jaishankar Professor and Head,
Department of Criminology,
Raksha Shakti University,
Ahmedabad, Gujarat
Content Writer/Author(s) Dr. Debarati Halder Professor and Head,
Department of Research,
Unitedworld School of Law,
Karnavati University,
Gandhinagar, Gujarat &
Honorary Managing
Director, Centre for Cyber
Victim Counselling (CCVC)

Content Reviewer Dr. Akshat Mehta Associate Professor and

Head, Department of Police
Administration, Raksha
Shakti University,
Ahmedabad, Gujarat

Component - I (B) Description of Module

Description of Module
Subject Name Criminology
Paper Name Cyber Criminology and Cyber Forensics
Module No. 31
Module Name/Title Digital Evidence
Pre-requisites Criminal justice administration, data extraction, digital
footprint

Objectives  To understand concepts of digital evidence

 To know how digital evidence is collected

 To know the admissibility of digital evidence in

Indian courts.

Keywords Data, electronic, evidence, digital foot print Digital

evidence, chain of custody, cyber crimes, Indian
Evidence Act

2
Table of Contents
1. Introduction
2. Admissibility of digital evidence
3. How to get the digital evidence
4. Legal Stand on Digital Evidence in India
5. Summary and Conclusion

Learning Outcomes
After the completion of this module, you will be able to:
1. To understand what is digital evidence
2. To know whether digital evidence is admissible in law in India.
3. To understand how to get digital evidence without breaking the chain of custody
4. To know the responsibilities of the police to protect the digital evidence
5. To understand how the victim of cyber crime may produce digital evidence

3
 Digital Evidence
1. Introduction
It has been seen that cyber crimes may either be committed with the aid of the
computer or computer system or computer system networks, or through the computer,
computer system, computer networks etc. The classic examples of the earlier can be cyber
assisted murders, bank robberies or simple robberies, sextortion, shadowing and stalking etc.
For the later, classic example can be attacking the government websites and defacing them,
unauthorized access to personal data or public data, misusing the same, revenge porn,
phishing, job scam, cyber terrorism, cyber stalking, voyeurism etc. in both the cases, various
electronic devices or computers may be used; for example, desktop or laptop computers,
smart phones etc. With the advent of technology, several other devices like the Google glass
(It is a wearable device prepared by Google which is attached with android app and also a
camera), are also being used to penetrate privacy of individuals.
Whenever any computer or computer device is used for committing any crime, it
becomes essential to get the digital evidence for prosecution. Unlike real life physical crimes
where evidences may be collected by way of finger prints, blood stains or any other
mechanism, in cases of cyber crimes, collection of evidences is not easy. It needs trained
police officers to collect the digital evidences and also to analyze the same for getting the
correct track. Often it has been seen that digital evidences may lead to geo-location of the
offender, time of committing the crime and target victims, but it may not be able to get the
actual persons as the evidences may show only the person who owns the device and not the
persons who may have used it for the purpose of committing the crime. In such cases, it
becomes a Herculean task for establishing the identity of the perpetrator. Further, it may also
be seen that the police may ask the victim (in case it an attack on the individual) to collect the
evidences. The victim may never know what evidences may be collected and how. There
have been several cases where the device like the desk top or laptop computer or the smart
phone may have been ceased by the police for some offences, but no accused could have been
arrested due to jurisdictional issues. Information technology Act, 2000 brought in several
changes in related laws including the Indian evidence Act which even though was drafted
almost a century ago, was amended to suit the needs of digital crimes.

4
 Source: https://image.slidesharecdn.com/electornicevidencecollection-101122053538-
phpapp02/95/electornic-evidence-collection-14-638.jpg?cb=1422636700.

2. Admissibility of digital evidence

S.3 of the Indian Evidence Act explains the definition of evidence as all documents
including electronic records produced for the inspection of the court. The term digital
evidence is explained by Casey (2004) as “Digital evidence or electronic evidence is any
probative information stored or transmitted in digital form that a party to a court case may use
at trial”. However, before accepting the digital evidences courts must verify whether the same
is relevant evidence or authentic evidence or hearsay evidence. As such digital evidences may
also include electronic records. The term electronic record has been explained by the
Information Technology Act, 2000 amended in 2008) as follows: Electronic record means
data recorded or data generated, image or sound stored, received or sent in an electronic form,
or micro film or computer generated micro fiche.” The question is whether the electronic
record is recognized as evidence and if so, then whether it can be admissible evidence or not.
The first question is answered by S.4 of the information Technology Act which states as
follows: “Where any law provides that information or any other matter shall be in writing or

5
in the typewritten or printed form, then, notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied if such information or matter is (a)
rendered or made available in an electronic form; and (b) accessible so as to be usable for a
subsequent reference.”
The admissibility of digital record or evidence is dealt with S.65B of the Indian
evidence Act which states as follows:

“(1) Notwithstanding anything contained in this Act, any information contained

in an electronic record which is printed on a paper, stored, recorded or copied in
optical or magnetic media produced by a computer (hereinafter referred to as the
computer output) shall be deemed to be also a document, if the conditions
mentioned in this section are satisfied in relation to the information and computer
in question and shall be admissible in any proceedings, without further proof or
production of the original, as evidence of any contents of the original or of any
fact stated therein or which direct evidence would be admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer output

shall be the following, viz.

(a) the computer output containing the information was produced by the
computer during the period over which the computer was used regularly to store
or process information for the purposes of any activities regularly carried on over
that period by the person having lawful control over the use of the computer;

(b) during the said period, information of the kind contained in the electronic
record or of the kind from which the information so contained is derived was
regularly fed into the computer in the ordinary course of the said activities;

(c) throughout the materiel part of the said period, the computer was operating
properly or, if not, then in respect of any period in which it was not operating
properly or was out of operation during that part of the period, was not such as to
affect the electronic record or the accuracy of its contents; and

6
(d) the information contained in the electronic record reproduces or is derived
from such information fed into the computer in the ordinary course of the said
activities.

(3) Where over any period, the functions of storing or processing information for
the purposes of any activities of any regularly carried on over that period as
mentioned in clause (a) of sub-section (2) was regularly performed by computer,
whether-

(a) by a combination of computers operating over that period; or

(b) by different computers operating in succession over that period; or

(c) by different combinations of computers operating in succession over that

period; or

(d) in any other manner involving the successive operation over that period, in
whatever order, of one or more computers and one or more combinations of
computers.

all the computers used for that purpose during that period shall be treated for the
purposes of this section as constituting a single computer; and references in this
section to a computer shall be construed accordingly.

(4) In any proceedings where it is desired to give a statement in evidence by

virtue of this section, a certificate doing any of the following things, that is to
say,-

(a) identifying the electronic record containing the statement and describing the
manner in which it was produced;

(b) giving such particulars of any device involved in the production of that
electronic record as may be appropriate for the purpose of showing that the
electronic record was produced by a computer;

7
 (c) dealing with any of the matters to which the conditions mentioned in sub-
section (2) relate, and purporting to be signed by a person occupying a
responsible official position in relation to the operation of the relevant device or
the management of the relevant activities (whichever is appropriate) shall be
evidence of any matter stated in the certificate; and for the purpose of this sub-
section it shall be sufficient for a matter to be stated to the best of the knowledge
and belief of the person stating it.

(5) For the purposes of this section,-

(a) information shall be taken to be supplied to a computer if it is supplied thereto
in any appropriate form and whether it is so supplied directly or (with or without
human intervention) by means of any appropriate equipment;
(b) whether in the course of activities carried on by any official, information is
supplied with a view to its being stored or processed for the purposes of those
activities by a computer operated otherwise than in the course of those activities,
that information, if duly supplied to that computer, shall be taken to be supplied
to it in the course of those activities;
(c) a computer output shall be taken to have been produced by a computer
whether it was produced by it directly or (with or without human intervention) by
means of any appropriate equipment.”
Explanation attached with the Section further states that “For the purposes of this
section any reference to information being derived from other information shall be a reference
to its being derived there from by calculation, comparison or any other process.”
As may be seen from various case laws, several electronic records including
computer print outs (state (NCT of Delhi) vs. Navjot Sandhu (AIR 2005 SC 3820)), emails
(M/S P.R. Transport Agency vs. Union of India (AIR 2006), Allahabad), SMS and MMS
(State of Delhi vs. Md Afzal & others), call data records, IP addresses, electronic bank
statement etc were taken as admissible evidences (Mali, 2015). Also, recent understanding by
the courts including Supreme Court has extended the meaning of electronic records and
digital evidence to include social media like Facebook and Whatsapp messages and posts.
Even though both the social media sites have their own policy guidelines provide details of
the originator of the posts, the extra territorial jurisdiction of the Information technology Act
may be used for compelling the websites to reveal the names of the originators to show who
was handling that particular profile from where the offensive post or communication was
posted.

8
Source: http://www.cyberblogindia.in/wp-content/uploads/2015/01/Untitled-Infographic-
4.png

9
3. How to get digital evidence
As has been discussed above, there are two ways to get the digital evidence: to cease
the device as a whole and put it to forensic lab for extracting the digital evidence in case the
investigating officer is not well versed with the computer and does not know how to handle
the digital evidences; and to take record the call logs, emails with headers, links of the
particular website page etc where the offensive post has been seen. The second way may be
adopted by the victim or the viewer him/herself if he/she is aware how to record or store such
links/documents. In this regard the following guidelines may be followed by the victims:
1. Victims must not delete the message/content/mail. Rather they must save the copy of
the same along with the link that may appear in the header bar.
2. Victims must refrain from answering/sharing the offensive content.
3. If the content looks like a malicious link or virus, the victims must not open the same.
But they may take a screen shot of the link and store /save it for further investigation.
For example, let us take the example of a mail received by an individual from an
account which may be suspicious. The receiver may take a screen shot of the sender’s
link without opening the mail. This can be like as below:

4. Next, the receiver may find out the real address of the sender by simply putting the
curser on the sender’s initiations’, i.e., IH. In this case, the information below
surfaced when the curser was placed on the initials. It needs to be noted that the
receiver need not press the open the link. It may automatically open the information
once put on the initials.
Nicolae Sandu

[email protected]
NRG
5. As may be seen, this is a spoofed mail sent by spammers to possibly spread virus in
the computer or for phishing. Even though certain email service providers like the
Gmail etc have provided reporting mechanism for phishing, in case the victim had

10
 unfortunately clicked in the mail and has become victimized, he/she may consider
taking the following steps to save the evidences.
6. The other important mechanism to record the evidence is to save the header of the
mail which may provide the path, the link and the original sender’s email id and IP
address. For example, Support Google provides a guideline for getting the header for
gmail which is as below:
 Log in to Gmail
 Open the message you'd like to view headers for.
 Click the down arrow next to Reply, at the top of the message pane.
 Select Show Original.
 The full headers will appear in a new window (Google, n.d.).
7. In case of social media contents, the victim may follow quite the same mechanism to
store the digital evidence of the offensive content. For example, if it is a facebook
content, the victim may not only save the screen shot of the offending content, he/she
may also copy the link of the page where it was published.
8. For the police, especially investigating officers, the way of collection of evidence
may differ with the expertise of the same;

Source: http://www.dynotech.com/articles/images/crimescene.jpg

4. Legal Stand on Digital Evidence in India

Computer Output is not admissible without Compliance of 65B (Anvar P.V. versus,
P.K. Basheer and Others, in Civil Appeal No.4226 OF 2012). It is admissible as long as the

11
original recording etc is preserved well. The old rule of admissibility of tape recorded voice
u/s.63 of the Evidence Act still accepted. Identification of voice etc must be followed (Simran
Pal Singh vs State of Himachal Pradesh, 2012). The four conditions of S.65B of the evidence
Act needs to be fulfilled:
(i) The electronic record containing the information should have been produced
by the computer during the period over which the same was regularly used to
store or process information for the purpose of any activity regularly carried on
over that period by the person having lawful control over the use of that
computer;
(ii) The information of the kind contained in electronic record or of the kind from
which the information is derived was regularly fed into the computer in the
ordinary course of the said activity;
(iii) During the material part of the said period, the computer was operating
properly and that even if it was not operating properly for some time, the break or
breaks had not affected either the record or the accuracy of its contents; and
(iv) The information contained in the record should be a reproduction or
derivation from the information fed into the computer in the ordinary course of
the said activity.

Source: https://images-na.ssl-images-amazon.com/images/G/01/books/stech-ems/Digital-
Evidence-and-Computer-Crime-3E-image-9780123742681._V154965471_.jpg

12
 It should be noted that recorded voices are different from call logs. In the Parliament
attack case, the Supreme Court concluded that a cross examination of the competent witness
(expert) acquainted with the functioning of the computer during the relevant time and the
manner in which the printouts of the call records were taken was sufficient to prove the call
records. Section 4 of the Information Technology Act: if the document in electronic form i.e.
CD/DVD etc., is (a) rendered or made available in an electronic form; and (b) accessible so as
to be usable for a subsequent reference, then it would be sufficient compliance. Contents in
CD/Pen drives are ‘electronic record’ & electronic evidences. As per 65B(4) of the Evidence
Act, if it is desired to give a statement in any proceedings pertaining to an electronic record, it
is permissible provided the following conditions are satisfied :
(a) There must be a certificate which identifies the electronic record containing
the statement;
(b) The certificate must describe the manner in which the electronic record was
produced;
(c) The certificate must furnish the particulars of the device involved
in the production of that record;
(d) The certificate must deal with the applicable conditions mentioned
under Section 65B(2) of the Evidence Act; and
(e) The certificate must be signed by a person occupying a responsible
official position in relation to the operation of the relevant device.
Who can give certificate u/s/65B(4)? The certificate must be signed by a person
occupying a responsible official position in relation to the operation of the relevant device
(Ark Shipping Co. Ltd. Vs. GRT Shipmanagement Pvt. Ltd. 2007(5) ALLMR). What about
CCTV images of violence? They are crucial evidence, needs to follow 65b(4) procedure and
must be preserved well.
According to S. 2T of Information Technology Act, 2000, a photograph taken from a
digital camera is an electronic record. Procedures of section 65B of the Indian Evidence Act
must be followed. With regard to Email/messages Section 88 speaks:
Presumption as to telegraphic messages.—The Court may presume that a
message, forwarded from a telegraph office to the person to whom such message
purports to be addressed, corresponds with a message delivered for transmission
at the office from which the message purports to be sent; but the Court shall not
make any presumption as to the person by whom such message was delivered for
transmission.

13
 S.88A Presumption as to electronic messages.—The Court may presume that an
electronic message, forwarded by the originator through an electronic mail server
to the addressee to whom the message purports to be addressed corresponds with
the message as fed into his computer for transmission; but the Court shall not
make any presumption as to the person by whom such message was sent.
Presumption as to the person by whom such message was sent." Explanation.—
For the purposes of this section, the expressions “addressee” and “originator”
shall have the same meanings respectively assigned to them in clauses (b) and
(za) of sub-section(1) of section 2 of the Information Technology Act, 2000.

Summary and Conclusion

In this module, the concept of digital evidence, the methodology of digital evidence
collection and the legal stand on digital evidence in India was presented. There are many
challenges in case of digital evidence. With regard to the images, the following challenges
needs to be addressed. 1. Viral spreading of the images, 2. ‘re-writing’ the evidence, 3.
Creation of multiple offences, 4. Difficult to ascertain the originator and 5. Issue of Chain of
evidence becomes a problem. There are some generic challenges. They are: 1. Non-
cooperation from the service providers, 2. Accidental erasing the data, 3. Too much
involvement of the hackers, 4. Less numbers of certified cyber forensic labs, 5. private
companies engaging untrained youth, 6. Deletion of all contents and 7. Less electronic data
reaching the courts. To have an effective disposal of cyber related cases, digital evidence
becomes crucial and the above challenges should be addressed by the criminal justice system
to ensure justice for the victims of cyber crimes.

References
Casey, E. (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-
12-163104-4.
Google (n.d.). Message headers. Retrieved from
https://support.google.com/mail/answer/22454?hl=en.
Mali, P. (2015). Electronic evidence/digital evidence & cyber law in India. Retrieved from
https://www.linkedin.com/pulse/electronic-evidence-digital-cyber-law-india-adv-
prashant-mali-.

14
15