Digital forensics includes the identification, collection, analysis and interpretation of any valuable digital information related to cyber-crimes stored on digital devices. Preserving digital evidence is much more complex than preserving physical evidence, and digital forensics is thus an advanced and emerging field of forensic science. Digital forensics is an expanded form of computer forensics, as it covers all devices capable of storing digital data.
Digital forensics consists of five steps:
- Policy and Procedure Development: Digital forensics is a field which requires personnel trained in digital recovery techniques. Considerable effort needs to be spent on developing policies for digital forensics investigations so that others can follow the same procedure and end up with the same results.
- Evidence Assessment: The possible sources of digital evidence should be assessed thoroughly in order to establish the size of the investigation and plan the next steps. It is necessary to establish the nature of the hardware and software to be seized. The evidence can be in the form of spreadsheets, photographs, financial records or databases, and in some cases additional information is also required, such as the Internet Service Provider used, passwords etc. Other items like scanners, printers, digital cameras etc. can also be a part of evidence assessment depending on the case.
- Evidence Acquisition: Preservation of digital evidence is as important as acquiring it. Digital evidence is fragile in nature and can easily be tampered with or destroyed by mishandling. Failure to preserve such evidence may lead to inaccurate conclusions. For example, an exact copy of the original storage data can be made so that the forensic investigation can be done on the copy instead of the original.
- Evidence Examination: Different types of cases require different methods of examination. First, it is important to prepare and decide which files are to be recovered for the case. Next comes extracting the data from the digital devices. Extraction is of two types: physical extraction identifies and recovers data without regard to the file system, for example by doing a keyword search and finding relevant files, while logical extraction recovers data based on the file system or applications. The extracted data is then analyzed to determine its significance in the case.
- Documentation and Reporting: Each step of the investigation must be documented completely in order to allow others to reproduce the investigation and reach the same conclusion.
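The acquisition and examination steps above, as an added Python example that is not part of the original article: it checks a working copy against the original with SHA-256 and then runs a raw keyword search over the copy's bytes, as in physical extraction. The hash comparison is an assumption (the article only says an exact copy is made), and the file names and sample data are constructed.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def keyword_search(image_path, keywords, chunk_size=1 << 20):
    """Physical extraction: scan raw bytes, ignoring any file system.
    Returns sorted (offset, keyword) hits, including ones that straddle chunks."""
    overlap = max(len(k) for k in keywords) - 1
    hits = set()
    tail, base = b"", 0  # base = absolute offset of the first byte of `tail`
    with open(image_path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            for kw in keywords:
                pos = window.find(kw)
                while pos != -1:
                    hits.add((base + pos, kw))
                    pos = window.find(kw, pos + 1)
            # Carry the last bytes forward so a split keyword is still found.
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return sorted(hits)

def demo():
    """Build a constructed image, copy it, verify the copy, search the copy."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")      # hypothetical name
    working = os.path.join(workdir, "working_copy.img")   # hypothetical name
    # Constructed sample data: filler bytes with two embedded strings.
    data = (b"\x00" * 250 + b"invoice-2231" + b"\xff" * 300
            + b"password=" + b"\x00" * 50)
    with open(original, "wb") as fh:
        fh.write(data)
    shutil.copyfile(original, working)
    verified = sha256_of(original) == sha256_of(working)
    # A small chunk size makes "invoice" straddle a chunk boundary.
    hits = keyword_search(working, [b"invoice", b"password="], chunk_size=256)
    shutil.rmtree(workdir)
    return verified, hits
```

Recording the two digests and the hit offsets in the case notes supports the documentation step, since another examiner can recompute them from the same image.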
The lack of personnel with techno-legal skills has led to a rise in the cyber-crime rates in India. Section 4 of the Information Technology Act, 2000 also talks about the legal recognition of electronic records and states that electronic matter is at par with matter in written form.
Digital forensics is concerned with digital evidence. Section 79A of the IT Act defines electronic evidence as any information which is either stored or transmitted in electronic form, inclusive of digital audio, digital video, cell phones, computer evidence, digital fax machines etc. A similar definition can be found in Section 3 of the Indian Evidence Act, 1872. Section 79A also empowers the Central Government to appoint any agency of the Central and State government as Examiner of Electronic Records.
Sections 65A and 65B of the Indian Evidence Act were added by the IT Act, 2000 and deal with the admissibility of electronic records. In the case of State of Delhi v. Mohd. Afzal & Ors., it was held that electronic records can be admitted as evidence. The person challenging the accuracy of the electronic record on any ground must prove the same beyond reasonable doubt. Along with this, storage devices with the digital content from the crime scene can also be admissible in court (Section 65B). Certain computer outputs such as computer printouts, floppy disks and CDs are admissible without proof or production of the actual records.
The Central Bureau of Investigation can also be approached for any serious economic offences such as fake currency notes, bank frauds and other financial scams. For this purpose, there are different units named Cyber-crimes Research and Development Unit (CCRDU), Cyber Forensics Laboratory (CFL) and Cyber-crime Investigation Cell (CCIC). CCRDU mainly collects the information on cyber-crime cases and reports it for further investigation. The CCIC has the power to investigate criminal cyber offences and also reports the cyber-crime in India to Interpol. The CFL provides on-site assistance for computer search and provides testimony in the court. It also conducts criminal investigation for various law enforcement agencies. The CBI has also signed a memorandum of understanding with the Data and Security Council of India to seek expert advice in cyber-crime cases and update the officials about the latest technology.
The lack of expertise among cyber-crime investigation personnel was clearly evident in the Aarushi Talwar murder case. The tampering with the digital and physical evidence, and the non-submission of routers and computers seized by the CBI, led to flaws in the case and prolonged trials. In the case of State of Punjab v. Amritsar Beverages Ltd., the Supreme Court expressed that the officers lack expertise and insight into digital evidence techniques. The IT Act does not solve all types of problems related to cyber-crime or cyber forensics. Thus, digital forensics, being a part of the law enforcement mechanism, needs to include the best practices and provide training to the personnel in order to have a fair trial and speed up the process.
By- Mona Das