
NATIONAL ACADEMY OF DIRECT TAXES
Cyber Forensics Training Centre

Basics of Digital Forensics & Handling of Digital Evidence

M Karthik Manickam I.R.S
Faculty, NADT
karthik.manickam@incometax.gov.in
Whatsapp: 9445953349
Objectives
• Digital Environment
• Evidence
• Extraction
Digital Data
• Data – facts, information, knowledge, instructions, etc., collected together for reference or analysis
• Digital Data – the discrete, discontinuous representation of information or works. Numbers and letters are commonly used representations.
• Forensics – the use of scientific knowledge or methods to establish facts, i.e. to detect tax evasion or any other offence, in a form admissible as evidence in a court of law
Locard’s Principle
“Every contact leaves a trace”

• One of the basic principles of forensics is Locard’s, which states that when two items or persons come in contact there will be an exchange of physical trace. Something is brought, and something is carried away. This means that a suspect can be tied to an act of tax evasion or any other offence by detecting these traces.
• Similarly, any interaction with a system causes some changes/traces:
  – User interaction
  – System interaction (e.g., network connections, emails, servers, etc.)
Technologies – Source of Digital Data
• Financial transactions through internet/networks
• E-mail correspondence, chats, video conferences
• Computerised books of accounts – e.g. TALLY ERP
• Storage and backup devices, i.e. USB, DVD, memory cards, hard disks, servers, etc.
• Cloud based services to maintain servers, manage and access databases and run applications
• Use of Wi-Fi and other networks for exchange of data
• ERPs for product planning, material purchasing, inventory control, distribution, accounting, marketing, finance and HR
• Modern digital devices – GPS
• Use of social media platforms
• Use of business intelligence and analytics
Investigation in Direct Tax Administration
• Macro level
• Micro level
  – Assessment / tax audit
  – Surveys
  – Search and seizure actions
Impact of Technology in Present Day Investigation
• Digital data is easy to modify, alter, delete, password protect or hide. It is HIGHLY VOLATILE, and at times difficult to locate.
• Issues and challenges
  – Invisibility, obscurity
  – Volume
  – Data integrity / manipulation
  – Fragile devices
  – Data motility
  – Remote access / services
  – Storage / cloud storage
  – Formats and compatibility
  – Evidentiary value – legal issues
Investigating without Forensic Technology
Capacity of an average size storage disk                         : 1000 GB
Approx. no. of characters in an A4 page                          : 4 KB [52 lines x 80 characters = 4160 bytes]
Thickness of an A4 sheet                                         : 0.004”
Height of printouts of 5 MB of data, stacked one on another      : 5” [1250 times that of 4 KB]
Height of printout of 5 GB of data [1000 times 5 MB]             : 5,000”
Height of printout of 1000 GB of data [200 times 5 GB]           : 10,00,000”
Height of Qutub Minar                                            : 2,867”

The height of a 1000 GB printout on A4 sheets is approximately 350 times that of the Qutub Minar.
Can we turn the challenge into an advantage?
Digital forensics is a powerful tool in the hands of tax administrators to fight tax evasion:
– Helps reconstruct a past event or activity – trail/trace
– Brings out evidence of violations and illegal activity
– Complements traditional methods of investigation
– Indicates the overall integrity of the infrastructure
Digital Forensics
• Digital forensics is the process of identifying and collecting digital evidence from any medium, while preserving its integrity for examination and reporting.
• It can be used on its own as key evidence or alongside more traditional methods of evidence gathering, where it serves as a complement to other types of evidence.
Digital Evidence
• Defined in Sec 79A of the Information Technology Act
• ‘any information of probative value that is either stored or transmitted in electronic form’, and includes computer evidence, digital audio, digital video, cell phones and digital fax machines.
• Electronic form – means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device
Electronic Record
• Electronic record has been defined in the Information Technology Act to include data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
• This definition of electronic record is wide enough to cover a person in possession of a computer, storage device, server, mobile phone, iPod or any such digital device.
• An electronic record is admissible as evidence on par with a document.
Branches of Digital Forensics
• Disk – hard disks, portable storage devices, cloud
• Network – enterprise, OS
• Database – database
• Device – PDA, smart phone, cell phone
• Email – email, Outlook
Branches of Digital Forensics
• Disk Forensics: extracting information from storage media like hard disks / DVDs / memory cards / flash drives / USB devices
• Network Forensics: the process of capturing information that moves over a network.
• Database Forensics: studying databases to establish whether any manipulations have been done
• Device Forensics: gathering digital evidence available in different types of devices such as mobile phones, PDAs, iPods, fax machines, etc.
• Email Forensics: recovery and analysis of emails, including deleted emails
Legal Provisions associated with Digital Evidence
• Information Technology Act
• Income Tax Act
• Indian Evidence Act
• Indian Penal Code
• Bankers Book Evidence Act
• Reserve Bank of India Act
S.no  Section no     Act                     Provision in brief
1     2(12A)         Income Tax Act          Defines books / books of accounts in electronic form
2     2(22A)         Income Tax Act          Defines records and includes electronic records
3     132(1)(iib)    Income Tax Act          Affording facility to access electronic records at the time of search and seizure proceedings
4     275B           Income Tax Act          Prosecution in case of violation of 132(1)(iib)
5     2(1)(t)        Information Tech Act    Defines electronic records
6     4              Information Tech Act    Legal recognition of electronic record
7     7              Information Tech Act    Retention of electronic record
8     43             Information Tech Act    Penalty for damage to computer, computer system, etc.
9     65             Information Tech Act    Tampering with computer source documents
      66             Information Tech Act    Computer related offences
10    2nd schedule   Indian Evidence Act     Electronic record given legal status as evidence
11    65A, 65B       Indian Evidence Act     Admissibility of electronic evidence
12    67A            Indian Evidence Act     Presumptions related to digital signature
13    85A, B, C      Indian Evidence Act     Presumptions related to electronic agreement, signatures and records
14    88A            Indian Evidence Act     Presumptions related to electronic messages
16                   Indian Penal Code       Amendment in offences under sections 29A, 175, 176, 177, 178, 179, 180, 182, 187, 191, 192, 197, 201, 202, 203, 204
Steps in Digital Forensics
Issues of Digital Evidence
• Finding the source of digital evidence – discrete / disguised
• Preserving it – volatile, extremely fragile, easily tampered. Damage due to shock, vibrations, high powered electro-magnetic fields, direct exposure to sun, storage in improper conditions.
• Presenting it in a manner admissible in a court of law (admissible as evidence)
• Recovery of hidden / deleted evidence
• Voluminous
• Password protected
Digital Evidence Identification

Disguised Device Models
Fundamentals of Handling Digital Evidence – Write Blocking
• It is essential that no changes are made while handling digital evidence. A change of a single bit may render the whole evidence inadmissible.
• This can be achieved by write blocking the storage media which is intended to be acquired/seized, by adopting a technology commonly referred to as a “Write Block”.
• This is a technology which ensures that nothing is written to a storage media that has been write blocked.
Fundamentals of Handling Digital Evidence – Duplication/Acquisition of Evidence: Bit Stream Imaging
• The original evidence vis-à-vis the image
• How bit stream imaging differs from copying
• Bit stream imaging: a process by which a storage media is copied by reading each bit and then transferring it to another storage media, thereby ensuring that an exact copy of the original digital evidence is prepared.
• Bit stream imaging is the safest technique to acquire digital evidence sources; the result is a mirror image of the copied disk with the same hash value.
Imaging with EnCase tool
Fundamentals of Handling Digital Evidence – Authentication and Seizure of Evidence: Mathematical Hashing
• For evidence to be admissible in a court of law, its authenticity must be proven: it must be shown to be genuine.
• The pre-acquisition hash is computed to maintain the authenticity and integrity of the evidence when it is seized / received for examination.
• EVIDENCE IS AUTHENTICATED WITH THE PRECOMPUTED HASH VALUE.
• Mathematical hashing acts as a one-way function (often described as one-way encryption). Every piece of digital evidence at the lowest level translates into a big number. When the digital device or data is run through a hashing algorithm, it results in a new number of a fixed length called the message digest.
Example: a one-word change alters the entire digest

Test.doc containing “Hang him not, kill him”
  Hasher (MD5) → Message Digest: 00F0C7E92A1847548C006C180165DFB1

After modification, Test.doc containing “Hang him, not kill him”
  Hasher (MD5) → Message Digest: 6FB3938D0271301C6C4AC847908AB26D
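The bit stream imaging slide and the hash demonstration above describe one check: compute a digest at seizure, copy the media sector by sector, re-hash the copy independently and compare, and re-hash again at examination time. The Python below is an added example written for this page; it is not from the training material or any forensic tool. It uses SHA-256 rather than the MD5 shown on the slide (the algorithm is a parameter), and the sample media bytes, sector size and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import io

# Constructed sample "storage media": four 512-byte sectors standing in for a
# seized disk. A real acquisition reads from a write-blocked device instead.
SECTOR_SIZE = 512
SAMPLE_MEDIA = (b"Hang him not, kill him\n" * 40).ljust(SECTOR_SIZE * 4, b"\x00")


def compute_digest(data, algorithm="sha256", chunk_size=SECTOR_SIZE):
    """Hash a bytes object or binary stream incrementally; return the hex digest."""
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def bit_stream_image(source, algorithm="sha256", sector_size=SECTOR_SIZE):
    """Copy every sector of `source` into a new image.

    The source is hashed as it is read (acquisition hash); the written image is
    then re-read and hashed on its own (verification hash). The two must match
    before the image can stand in for the original evidence.
    """
    src = io.BytesIO(source)
    image = io.BytesIO()
    acquisition = hashlib.new(algorithm)
    while True:
        sector = src.read(sector_size)
        if not sector:
            break
        acquisition.update(sector)
        image.write(sector)
    image.seek(0)
    verification = compute_digest(image, algorithm)
    return {
        "image": image.getvalue(),
        "acquisition_hash": acquisition.hexdigest(),
        "verification_hash": verification,
        "verified": acquisition.hexdigest() == verification,
    }


def flip_one_bit(data, bit_index):
    """Return a copy of `data` with one bit inverted (simulates an accidental write)."""
    mutated = bytearray(data)
    mutated[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(mutated)


def authenticate(evidence, precomputed_hash, algorithm="sha256"):
    """Re-hash evidence at examination time and compare with the seizure-time hash."""
    return hmac.compare_digest(compute_digest(evidence, algorithm), precomputed_hash)


if __name__ == "__main__":
    seizure_hash = compute_digest(SAMPLE_MEDIA)          # pre-acquisition hash
    result = bit_stream_image(SAMPLE_MEDIA)
    print("acquisition :", result["acquisition_hash"])
    print("verification:", result["verification_hash"], "match:", result["verified"])
    tampered = flip_one_bit(SAMPLE_MEDIA, 5)              # a single bit changed
    print("after 1-bit change:", compute_digest(tampered))
    print("still authenticates:", authenticate(tampered, seizure_hash))
```

The single-bit flip is the point of the "a change of a single bit may render the whole evidence inadmissible" remark: the digest of the altered media shares nothing with the seizure-time digest, so the comparison fails outright rather than degrading.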
Other Issues of Handling Digital Evidence
• Pre-investigation preparations
  – Understanding the digital environment
  – Kit bags containing tools – new HDD, pen drives, laptop, printer, digital camera, etc.
  – Technical support manpower
  – Anti-static bag, Faraday bag
Understanding the Digital Environment
• Illustration
  You are entering a single room premise where you find only one computer (desktop) system. All data related to the business of the assessee, including BoA or any incriminating material, is stored in that system.
  Now, what will you start doing?
  Write Blocker
Understanding the Digital Environment
• Illustration 1
  You are entering a single room premise where you find only one computer (desktop) system. All data related to the business of the assessee, including BoA, is stored in that system. Incriminating evidence indicating an offence under some Act was found in that system.
  Now what to do?
  Primary evidence vs secondary evidence – s.62 & s.63
Understanding the Digital Environment
• Illustration 2
  You are entering a head office premise where you find a building with 3 floors. It is presumed that more than 20 computers are present on the 2nd and 3rd floors of the building. What is the team expected to do?
Understanding the Digital Environment
• Shut down and switch on protocol
• LAN disconnection
• Physical servers – accounts / mail / file
Understanding the Digital Environment
• Identify the location of servers: identify the different servers along with their physical location and find out which servers are related to the case under investigation, such as file servers, database servers, mail servers, accounting servers, etc.
• There is a high probability of the main storage server and the accounting server being in the same server room. A typical server room will contain rack mounted servers with networking hardware.
Understanding the Digital Environment
• Illustration 3
  After entering a premise, based on pre-action intelligence, the crucial system is identified, but it is password protected while booting.
  After booting, it still asks for the OS (Windows) password.
  After bypassing the OS password, while browsing through the storage disk you find a password protected PDF or Excel file which seems to be crucial.
  Passwords of the mail IDs of the main or crucial persons.
• Collect passwords:
  – BIOS password: The first thing to do is to ask the assessee to provide the password. If he doesn’t, the BIOS password can be removed by removing the CMOS battery for half an hour, putting it back in the system and restarting the system. The BIOS password will be removed.
  – Operating system password: Ask the assessee for the password. If he does not provide the password, there are password cracker tools for commonly used operating systems such as Windows XP and Windows Vista.
  – Password for MS Office files: Ask the assessee. If he does not provide it, there are password cracker tools such as Rainbow Table.
  – Password for Tally files and any customised software: In this case it is somewhat difficult to crack. We may ask the assessee for the passwords. But with some effort, Tally file passwords can also be cracked.
  – Password for Gmail, Hotmail, etc.
  – Password for online accounting software
• The best option is to ask the assessee to provide the password. The assessee is bound by law to provide such passwords.
• Else make the assessee provide the password!!
Password Extraction
• Psychological handling
• Evidence gathering
• Good cop / bad cop
• IPC Section Note
• Password manager history
• Password cracker tools
• Securing mail boxes: Acquire the user ID and password of the email accounts of the assessee and of important persons of the business concern, if any, and change the password immediately to secure the mail box. The changed passwords should be noted down at a secure place for further analysis of emails.
• MBOX app – to view emails in a mail environment
• Illustration 4
  You are entering a premise which is a single retail (textile / jewellery) shop and find books of accounts maintained in the system. What to do now?
  You are entering a number of premises which are a chain of a retail business (e.g. chit fund) and find books of accounts maintained in TALLY at the head office premise. What will you do now?
Understanding the Digital Environment
• Customised software to run the business, other than the regular BoA application
• Cloud applications / servers
• Identify customised software used – collect information such as the vendor of the software, the database used by the software, its file format and passwords. If the software is operated with smart card / dongle keys (small hardware token keys, generally validated through the USB port), then one must take possession of the smart card / dongle keys, as in the absence of such keys the software will not function.
• Source of customised software – identify the source programmer of the software provider and summon the person. Take a sworn statement from that person about the customised software and all the manipulations that can be done.
• Identifying cloud data – cloud data is any data which is stored on a remote server. The types of data typically stored on remote servers can be email, ERP application data or a company intranet.
  – Physically hosted server
  – Cloud hosted data
  – Remote Desktop Connection
Cloud Application / Server
• Email
• Internet browser history
• Registry analysis (metadata)
• Bill payment (account statement)
• User credentials, evidence gathered
• Network forensics – upload / download data size of a particular IP address
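For the network forensics bullet, an added example (not from the training material) that totals upload and download bytes per internal host and remote address from NetFlow-style flow records and lists the remote addresses that received large uploads, which is how off-site copies of books of account or cloud backups show up in traffic data. The column names, IP addresses, byte counts and the 100 MiB threshold are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (NetFlow-style export; columns chosen for this example).
# bytes_out = sent by the internal host, bytes_in = received by it.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,bytes_out,bytes_in
2024-01-15T09:01:00,10.0.5.21,203.0.113.10,443,1200,45000
2024-01-15T09:03:00,10.0.5.21,203.0.113.10,443,980,38000
2024-01-15T09:10:00,10.0.5.42,198.51.100.7,443,850000000,12000
2024-01-15T09:25:00,10.0.5.42,198.51.100.7,443,620000000,9000
2024-01-15T09:30:00,10.0.5.21,192.0.2.55,993,3000,210000
"""


def traffic_by_peer(flow_csv):
    """Sum upload/download bytes and flow count per (internal host, remote address)."""
    totals = defaultdict(lambda: {"upload": 0, "download": 0, "flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["src_ip"], row["dst_ip"])
        totals[key]["upload"] += int(row["bytes_out"])
        totals[key]["download"] += int(row["bytes_in"])
        totals[key]["flows"] += 1
    return dict(totals)


def likely_cloud_uploads(totals, min_upload_bytes=100 * 1024 * 1024):
    """Remote addresses to which an internal host pushed at least the threshold:
    candidates for a cloud backup or an off-site copy of the data."""
    return sorted(
        (src, dst, t["upload"])
        for (src, dst), t in totals.items()
        if t["upload"] >= min_upload_bytes
    )


if __name__ == "__main__":
    totals = traffic_by_peer(SAMPLE_FLOWS)
    for (src, dst), t in sorted(totals.items()):
        print(f"{src} -> {dst}: up {t['upload']:>13,} B  down {t['download']:>9,} B  flows {t['flows']}")
    print("large uploads:", likely_cloud_uploads(totals))
```

The totals alone do not say which cloud service is involved; the remote address is then matched against the browser history, bill payments and credentials listed above.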
• Illustration 5
  – You are going to the residential premises of the main assessee and have taken complete control of it. You find a Mercedes Benz car parked in front of the house. What will you do with that?
  – GPS location history of the car
  – Forensics of it reveals a number of locations, out of which you find 1 location that is unknown to you and also appears unusual
  – After reaching that location, you find an old godown having one locked room
  – You find Rs. 50 crores in cash, i.e. black money
• Illustration 6
  – You are going to the residential premises of the main assessee and have taken complete control of it. You find nothing in the premises after a rummage. What will you do?
  – You find the assessee is very cool and is not bothered about your search, and has been watching TV in his bedroom all along.
  – Can you make any inference now?
  – SMART TV!!!
Principles of Evidential Value
• No actions performed by investigators should change data contained on digital devices or storage media.
• Individuals accessing original data must be competent to do so and have the ability to explain their actions.
• An audit trail or other record of applied processes, suitable for independent third-party review, must be created and preserved, accurately documenting each investigative step.
• The person in charge of the investigation has overall responsibility for ensuring the above-mentioned procedures are followed and in compliance with governing laws.
Gathering Digital Evidence – Standard Operating Procedure
• Entry and element of surprise
• Secure the premises both physically and electronically to prevent destruction of evidence
• Protocols of e-discovery
  – Take control of mobile phones – flight mode, pattern, etc.
  – Isolate computers at the premises
  – Identify the location of servers and collect access cards
  – Disable internet connection / LAN / WAN
• Photographs of the server room and other major facilities should be taken
• On-system and shut-system protocols
• Systems environment and safeguards
• Ascertaining the system and database administrators of the organisation
• Key persons – privileged hierarchy
• Rule of remote access and siphoning or deletion of data
• Passwords – all kinds
• Presence of cloud connectivity
• In the case of a computer, search for all wireless/wired networks connected to the computer. Document all connections to the computer. If the computer system is connected to a network, ask the system/network administrator to isolate the system from the rest of the network.
• If the system cannot be taken off the network or is in switched-on mode, live imaging of relevant data can be carried out using appropriate tools.
• In the case of live systems, also recover the volatile memory dump / RAM memory dump using appropriate tools.
• In the case of switched-on computers, if live imaging is not possible, remove the power supply from the back of the computer without closing down any programs. When removing the power supply cable, always remove the end attached to the computer and not that attached to the socket; this will avoid any data being written to the hard drive if an uninterruptible power protection device is fitted.
• In the case of hard disks taken out from switched-off PCs, record unique identifiers like make, model and serial number.
• Get the signatures of the assessee and witness on the hard disk using a permanent marker.
• Search for non-electronic evidence like diaries, notebooks or pieces of paper with passwords.
• Prioritisation of imaging of computers
• Statements from key persons – owners, directors, key authorised persons managing the systems and data
• Use of password cracking tools
Handling Servers & ERP
• Most mid-to-large size businesses in India tend to employ some ERP system other than Tally for various reasons. Such an ERP system is almost invariably an RDBMS (relational database management system) with a front end in the form of a Windows / Java / web based application.
  – Custom made ERP systems
  – Readymade ERP systems: systems such as SAP, Microsoft Dynamics, Oracle Financials and RAMCO are examples of ERP stacks which can be bought and implemented.
The structure of a typical high level ERP is something like a three-tier arrangement (database tier, business logic tier and client tier):
• It is very much possible that all 3 tiers are hosted on separate servers.
• From the data perspective, the database tier is the most important. Hence a backup of the RDBMS is a must. Usually, if the RDBMS table structure is known, standard-issue reports such as ‘Purchase order details by year’, ‘trial balance by year’ and ‘cash transactions by year’ can be extracted from the database itself.
• But if the goal is to recreate the complete ERP application off-site, then imaging all the machines involved from the ‘Database’ and ‘Business logic’ tiers and one of the client machines is a must. This is the bare minimum strategy required to recreate the entire system offline.
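The report extraction just described, as an added example written for this page (it is not from the training material and uses no real ERP vendor's schema): a small SQLite file stands in for the seized RDBMS backup, the voucher tables and their rows are hypothetical, and the backup is opened read-only so the examination itself cannot alter the evidence. The same queries carry over to a real backup once the actual table structure is known or obtained from the system administrator.

```python
import os
import sqlite3
import tempfile

# Constructed, hypothetical ledger schema and rows. Real ERPs (SAP, Dynamics,
# Oracle) use their own table structures, which must be known before reports
# like these can be written against them.
SCHEMA = """
CREATE TABLE vouchers (
    voucher_id   INTEGER PRIMARY KEY,
    voucher_date TEXT NOT NULL,      -- ISO date, e.g. 2021-01-20
    voucher_type TEXT NOT NULL);
CREATE TABLE voucher_lines (
    line_id    INTEGER PRIMARY KEY,
    voucher_id INTEGER NOT NULL REFERENCES vouchers(voucher_id),
    account    TEXT NOT NULL,
    debit      INTEGER NOT NULL DEFAULT 0,   -- whole rupees, constructed
    credit     INTEGER NOT NULL DEFAULT 0);
"""
VOUCHERS = [(1, "2020-04-10", "Receipt"), (2, "2020-09-15", "Payment"),
            (3, "2021-01-20", "Receipt"), (4, "2021-06-05", "Payment")]
LINES = [(1, 1, "Cash", 1000, 0), (2, 1, "Sales", 0, 1000),
         (3, 2, "Purchases", 400, 0), (4, 2, "Cash", 0, 400),
         (5, 3, "Cash", 2500, 0), (6, 3, "Sales", 0, 2500),
         (7, 4, "Rent", 700, 0), (8, 4, "Cash", 0, 700)]


def build_sample_backup(path):
    """Create the stand-in 'database backup' file that the examiner receives."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO vouchers VALUES (?,?,?)", VOUCHERS)
    con.executemany("INSERT INTO voucher_lines VALUES (?,?,?,?,?)", LINES)
    con.commit()
    con.close()


def open_read_only(path):
    """Open the backup so that no statement can modify it (SQLite URI mode=ro)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def cash_transactions_by_year(con):
    """'Cash transactions by year': year -> (cash received, cash paid)."""
    rows = con.execute("""
        SELECT strftime('%Y', v.voucher_date) AS yr, SUM(l.debit), SUM(l.credit)
        FROM voucher_lines l JOIN vouchers v ON v.voucher_id = l.voucher_id
        WHERE l.account = 'Cash'
        GROUP BY yr ORDER BY yr""").fetchall()
    return {yr: (dr, cr) for yr, dr, cr in rows}


def trial_balance_by_year(con, year):
    """'Trial balance by year': account -> (debit, credit), plus whether it balances."""
    rows = con.execute("""
        SELECT l.account, SUM(l.debit), SUM(l.credit)
        FROM voucher_lines l JOIN vouchers v ON v.voucher_id = l.voucher_id
        WHERE strftime('%Y', v.voucher_date) = ?
        GROUP BY l.account ORDER BY l.account""", (year,)).fetchall()
    balance = {acct: (dr, cr) for acct, dr, cr in rows}
    balanced = sum(dr for dr, _ in balance.values()) == sum(cr for _, cr in balance.values())
    return balance, balanced


def backup_is_protected(con):
    """True if the connection refuses writes, i.e. the evidence cannot be altered."""
    try:
        con.execute("DELETE FROM voucher_lines")
    except sqlite3.OperationalError:
        return True
    return False


def run_reports():
    """Build the sample backup, open it read-only and extract the standard reports."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_backup(path)
        con = open_read_only(path)
        try:
            reports = {"cash_by_year": cash_transactions_by_year(con),
                       "trial_balance_2021": trial_balance_by_year(con, "2021")}
            reports["protected"] = backup_is_protected(con)   # checked last: it attempts a write
            return reports
        finally:
            con.close()
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, value in run_reports().items():
        print(f"{name}: {value}")
```

The trial balance check (total debits equal total credits) is a cheap sanity test that the backup is complete; a year that does not balance points to missing vouchers or a partial export rather than to manipulation by itself.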
• The following are the big 3 ERP systems used by mid-to-large size businesses in India which have relational databases as their back-end:
  – SAP
  – Microsoft Dynamics
  – Oracle Applications
• There are smaller India-specific ERP software developers like Udyog, Ramco and Quadra which are also used to a lesser extent. All of them follow a multi-tier software architecture.
• From the Income Tax Department's backup perspective, taking a backup of the database tier is a must.
• In many cases the business logic tier and the database tier are part of the same system. In that case, imaging a single machine would suffice.
• If that's not the case, separate images would need to be taken of the machine hosting the business logic and the machine hosting the database.
• You can take the help of the system administrator to take a backup of the database tier and its structure, and also take the help of the business applications manager to recreate the environment at your office.
• Where a customised accounting package or ERP is being used, a dummy server (the assessee may be asked to help) with the same application and database software can be prepared on an ordinary computer with a proper licence. After the dummy server is ready, the cloned copy of the server can be attached to this dummy server and the database inside this cloned copy can easily be linked with the accounting package or ERP. This gives a complete working copy of their application without disturbing their ongoing business.
• In the case of customised software, we can also export all the reports, such as balance sheet, P&L account, ledger, etc., for each year and each company, to a readable format such as .xls, .pdf or .txt on the premises, and write that data to a CD/DVD (with no multisession) or hard disk drive.
• In certain cases, we can also go for a backup of module-specific data, since an ERP has various modules like Purchase, Sales, etc.
Handling ERP Servers
• Three tier system
• Understand the different modules
• Identify the number of databases in the list
• Identify the number of admin users and specifically the SUPER USER
• Generate the T-Codes list
• Easy to trace / trail the manipulations – audit trail
Digital Evidence Collection Form
• It ensures proper documentation of all the information about the evidence that is visible to the naked eye. It should contain the following details:
  – Case name / date of search / name of the Authorised Officer and address of acquisition
  – System information like device type / manufacturer / model number / serial number / BIOS date (time)
  – Type of media
  – Details of forensic software and version number
Digital evidence collection form (sample form)

Mobile device evidence collection form (sample form)

Certificate u/s 65B (sample form)
Chain of Custody Form
• Chain of custody refers to the chronological documentation that shows the people who have been entrusted with the evidence. It should document the details of the people who seized the equipment, the details of the people who transferred it from the premises to the forensic labs, the people who are analysing the evidence, the details of when it was opened, and so on.
• Because evidence can be used in a court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.

Chain of custody form (sample form)
Checklist for a Fool-proof Chain of Custody
1. Take photographs and systematically record observations
2. Guard against theft and mechanical failure
3. House multiple copies in different locations
4. Use good physical security and data encryption
5. Protect digital magnetic media from external electric and magnetic fields
6. Account for all people with physical or electronic access to the data
7. Keep the number of people involved in collecting and handling the devices and data to a minimum
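An added example (not the Department's form, nor code from any product) that represents the Digital Evidence Collection Form fields listed earlier and the chain of custody entries described above as one record, and that also serves the "audit trail suitable for independent third-party review" principle: each custody entry carries a SHA-256 over its own contents plus the previous entry's digest, so a removed, reordered or edited entry is detected when the chain is reviewed. All names, dates, serial numbers and hash values in it are placeholders.

```python
import hashlib
import json


def new_evidence_record(case_name, search_date, authorised_officer, address,
                        device_type, manufacturer, model, serial, bios_datetime,
                        media_type, forensic_software, acquisition_hash):
    """One Digital Evidence Collection Form entry, using the fields on the slide."""
    return {
        "case_name": case_name, "search_date": search_date,
        "authorised_officer": authorised_officer, "acquisition_address": address,
        "device": {"type": device_type, "manufacturer": manufacturer, "model": model,
                   "serial": serial, "bios_datetime": bios_datetime},
        "media_type": media_type, "forensic_software": forensic_software,
        "acquisition_hash": acquisition_hash,   # hash of the media taken at seizure
        "custody": [],                          # chain of custody entries, appended below
    }


def _entry_digest(entry, previous_digest):
    """SHA-256 over the entry's fields (minus its own digest) and the previous digest."""
    payload = json.dumps({k: v for k, v in entry.items() if k != "digest"}, sort_keys=True)
    return hashlib.sha256((previous_digest + payload).encode()).hexdigest()


def record_custody(record, person, action, timestamp, evidence_hash):
    """Append one custody event (who, what, when, and the hash of the evidence
    as verified at that hand-over), linked to the previous entry."""
    previous = record["custody"][-1]["digest"] if record["custody"] else record["acquisition_hash"]
    entry = {"seq": len(record["custody"]) + 1, "person": person, "action": action,
             "timestamp": timestamp, "evidence_hash": evidence_hash}
    entry["digest"] = _entry_digest(entry, previous)
    record["custody"].append(entry)
    return entry


def verify_custody(record):
    """Return (ok, message). Checks link integrity, sequence, and that the evidence
    hash reported at every hand-over still equals the acquisition hash."""
    previous = record["acquisition_hash"]
    for expected_seq, entry in enumerate(record["custody"], start=1):
        if entry["seq"] != expected_seq:
            return False, f"entry {expected_seq} missing or reordered"
        if entry["digest"] != _entry_digest(entry, previous):
            return False, f"entry {expected_seq} altered"
        if entry["evidence_hash"] != record["acquisition_hash"]:
            return False, f"evidence hash changed at entry {expected_seq} ({entry['person']})"
        previous = entry["digest"]
    return True, "chain intact"


def sample_chain():
    """Constructed record with three hand-overs; every value is a placeholder."""
    media_hash = "ab" * 32   # placeholder for the real SHA-256 of the imaged media
    rec = new_evidence_record("Search u/s 132 (constructed)", "2024-01-15", "A.O. Example",
                              "Head office, 2nd floor (placeholder)", "Hard disk", "ExampleCorp",
                              "HD-1000", "SN-PLACEHOLDER-001", "2024-01-15 09:30", "SATA HDD",
                              "Imaging tool vX (placeholder)", media_hash)
    record_custody(rec, "Seizing officer", "seized and sealed", "2024-01-15T10:05:00Z", media_hash)
    record_custody(rec, "Courier officer", "transported to lab", "2024-01-15T15:40:00Z", media_hash)
    record_custody(rec, "Examiner", "seal opened for analysis", "2024-01-16T09:00:00Z", media_hash)
    return rec


if __name__ == "__main__":
    rec = sample_chain()
    print(verify_custody(rec))
    rec["custody"][1]["person"] = "Someone else"     # simulate an edited entry
    print(verify_custody(rec))
```

The record is plain JSON-serialisable data, so the same structure can be printed as the form, attached to the report and re-verified by a third party with nothing more than the acquisition hash.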
Case Studies
• Casino
• Secret premise – parallel books of accounts
• Excel sheet – running cash book
• Secret mail ID – foreign bank accounts
• Billing software vs BoA (TALLY)
• Damaged hard disk
• Backup of BoA in Google Drive / cloud
• YouTube video – violation
Digital Evidence Presentation
• Description of items, process adopted for analysis, chain of custody, findings, glossary of terms, etc.
• Copies of the Digital Evidence Collection Form
• Key digital evidence retrieved from deleted files and its link to the case
• Whether the digital evidence has been confronted to the assessee, key persons, etc., against relevant portions of the Income Tax Act
• Linking of circumstantial evidence and key physical evidence found / seized with the digital evidence
Digital Evidence Presentation
• Format
• Authenticity
• Hard copy / soft copy
• Software used and versions
• CV of the expert and qualifications
• Hash results
• All storage media details
• Report should be in simple terms
• Supported by photographs
Preserving / Storing Digital Evidence
• Store the evidence in a secure area that is:
  – Cool & dry
  – Away from the influence of electrostatic and magnetic fields: magnets, generators
• Protect from scratches, overheating, short circuits, etc.
• Should not be stored in a metal case as it interferes with magnetic properties
• Store in plastic or wooden cases

Packaging / Transportation
• Use bubble wrap and other protective packing
• For magnetic media devices, use anti-static bubble wrap
• While transporting, secure the computer / evidence pack on the floor of the vehicle where the ride is smooth
• Avoid exposure to shock / vibrations during transport
• Avoid exposure to direct sunlight during transportation / storage
International Best Practices Flowchart
Source: ©2016 Deloitte Shared Services India LLP, International Best Practices – Incident Response and Crime Scene Management
Discovery of items to be seized
  ↓
Secure scene, equipment and power supply
  ↓
Is the device switched on?
  – No → NEVER SWITCH ON
  – Yes → Is expert advice available?
      – Yes → Follow expert advice
      – No → Do not operate the device; no help from the accused/user; allow the printer to complete its run, if any
  ↓
Pull the power plug from the cabinet (hard shut-down). In case of laptops remove the battery and pull the power plug
  ↓
Label all cables & connectors, and photograph
  ↓
Remove individual cables and connectors
  ↓
Properly pack and label each exhibit
  ↓
Complete all documentation
  ↓
Transport and store all exhibits safely
  ↓
Maintain chain of custody documentation
Prescribed Tools for a Digital Forensics Lab
• EnCase
• FTK Imager
• Cellebrite UFED
• IDEA Caseware
• Tableau Data Visualisation
• Advik CDR
• Abbyy Flexi Capture
• TrueBack
• CyberCheck
• TrueImager
• TrueLock
• F-RAT

“No matter how good you are, you can be traced”

THANK YOU

M Karthik Manickam
Deputy Director, I&CT
