
LEGAL ASPECTS OF

DIGITAL FORENSICS

DR. NAGARATHNA. A
[Email - nagarathna@nls.ac.in]
CO-ORDINATOR ,
ADVANCED CENTRE ON CYBER LAW &
FORENSICS & ASSOCIATE PROFESSOR OF
LAW, NATIONAL LAW SCHOOL OF INDIA
UNIVERSITY, BENGALURU.
FORENSICS ???

The use of science and technology in investigation of crimes
and establishment of facts in criminal cases [sometimes civil too]
The word forensics means
= “to bring to the court.”
Forensics -
is the process of using scientific
knowledge for

collecting,
analyzing, and
presenting evidence to the courts.
COMPUTER / CYBER
FORENSICS
Cyber Forensics
• Involves collection of evidence from computers and other
electronic/digital storage media.

• It aims to examine digital media in a forensically sound manner
with the object of
- identifying,
- recovering,
- preserving,
- analyzing and
- presenting facts and opinions [USING THEM] - about the
information.
Involves -
techniques and principles of data recovery
guidelines and practices designed to create a legal audit trail.
As evidence
• Subject to the usual legal requirements of:
- AUTHENTICITY
- RELIABLY OBTAINED,
&
- ADMISSIBILITY
SOPs

DELHI HC

KARNATAKA HC - Mr. Virendra Khanna vs State Of Karnataka, 2021.
Digital forensics and
digital evidence ….hence
are connected aspects
Legal provisions – relating to search and seizure

IT ACT
CRIMINAL PROCEDURE CODE
INDIAN EVIDENCE ACT
Cr p c
Collection of material and documentary
evidence

Section 91, 93
Section 165, 166 and 100

Foreign countries
S. 166A & B [105K]
IEA
Primary evidence
Secondary evidence

Expert opinion [S.45]
Printouts from computers = secondary
evidence [S.65A&B]
EXPERT EVIDENCE
No definition
Expertise – skill in a particular
subject & specialized knowledge.
Assists court with their opinion.
65B CASES
Afzal Guru case – PARLIAMENT
ATTACK CASE. [NO 65B … bsnl ..] =
court said = not required. = held liable.
2005

ANVAR V. BASHEER - …. = 65B
mandatory = 2013 [retrospective effect]
IEA - S. 45. Opinions of experts.

When the Court has to form an opinion upon
a point of foreign law or of science or art, or
as to identity of handwriting or finger
impressions, the opinions upon that point of
persons specially skilled in such foreign law,
science or art, or in questions as to identity of
handwriting or finger impressions are relevant
facts. Such persons are called experts.
Examiner of electronic evidence

IT ACT
IEA
S. 45A - Opinion of examiner of Expert evidence

When in a proceeding the court has to
form an opinion on any matter relating to
any information transmitted or stored in
any computer resource or any other
electronic or digital form, the opinion of
the examiner of e-evidence referred in s.
79A of IT Act is a relevant fact.
IT ACT - S. 79A – Central Govt to notify examiner
of electronic evidence:
The central govt may, for the purposes of
providing expert opinion on electronic form
evidence before any court or other authority
specify, by notification in the official gazette, any
dept, body or agency of the central govt or a state
govt as an examiner of electronic evidence.
Explanation – for the purposes of this section
“electronic form evidence” means any information
of probative value that is either stored or
transmitted in electronic form and includes
computer evidence, digital audio, digital video, cell
phones, digital fax machines.
Some labs recognized as EXAMINER OF EE:
1. Cyber Forensic Laboratory, Indian Computer
Emergency Response Team (CERT-In), Electronics
Niketan, 6 CGO Complex, Lodhi Road, New Delhi.
2. Regional Forensic Science Laboratory, Northern Range,
Dharamshala, District Kangra (Himachal Pradesh),
3. Cyber Forensic Laboratory, under Army Cyber Group,
Directorate General of Military Operations, Signals Enclave,
Rao Tula Ram Marg, New Delhi
4. State Forensic Science Laboratory, Madiwala,
Bengaluru,
5. Central Forensic Science Laboratory, Hyderabad
6. Directorate of Forensic Science, Gandhi Nagar (Gujarat), in
the State of Gujarat
CONCERNS

INSTITUTIONS NOT INDIVIDUALS RECOGNISED

PRIVATE ENTITIES NOT RECOGNISED

LACK OF ACCESS TO A COMMON MAN

ETC.
Additional legal requirements
• IT ACT

77B – Inspector/above rank = IO

S. 80 - Search and seizure by IO [inspector
or above rank]
S.80 – search warrant ?
S. 76 – confiscation
SEIZURE
Permission under law
[search warrant, etc]?
Impact of PUTTASWAMY
JUDGEMENT ?
Secure – physically and electronically
Forensic duplication [imaging]
Documentation
Labeling
Packaging
Transportation
Forensic method of collection of evidence
– some steps to be followed

Preserve everything but change nothing

Avoid tampering of evidence – from the point
of its collection to production before court

Steps to be followed – from live system and
switched off system – differs
Volatile data forensics- SOME tools

•Helixpro
•FTK Imager
•Win32dd.exe
•C.O.F.E.E
•Memoryze/auditviewer
Imaging
Of hard disk
Or
Of required files
USE - Write blocker
Prevents any writes to the seized media

Suspect hard disk connected to the
forensic computer via write blocker
Hashing
Seized evidence’s integrity = WILL BE
PROVED through this procedure

• It produces fixed length unique value
representing the data on the seized media.

• Any changes in the evidence will result
in change in the hash value
Panchanama (Seizure Memo) and
Seizure Proceedings
ADD IN IT:

Time Zone/System Time

Serial number for each seized device
Chain of Custody & Digital Evidence Collection
forms
Chain of custody
• Documentation as to who handled the seized digital evidence:
- who,
- when,
- what,
- where, and
- why
- ETC DETAILS
If the chain of evidence is not properly
maintained, it may draw an adverse
inference against the prosecution’s case.
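
The hashing and chain-of-custody slides above, combined into one added example (not part of the original slides): every hand-over recomputes the SHA-256 of the image and logs who/when/what/where/why, so an alteration can be tied to a specific custody step. The file name, handler names and log field names are assumptions made for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    # Hash in chunks so a multi-gigabyte image never has to fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(log, path, who, what, where, why):
    # One entry per hand-over; the hash is recomputed each time, not copied.
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "who": who, "what": what, "where": where, "why": why,
                "sha256": sha256_file(path)})


def first_break(log):
    # Index of the first entry whose hash differs from acquisition, else None.
    baseline = log[0]["sha256"]
    for i, entry in enumerate(log):
        if entry["sha256"] != baseline:
            return i
    return None


def demo():
    # Constructed scenario: a 4 KiB stand-in "image", altered by one byte in transit.
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "seized.dd"  # hypothetical image file name
        image.write_bytes(b"\x00" * 4096)
        record_custody(log, image, "IO", "imaged seized disk", "scene", "acquisition")
        record_custody(log, image, "Courier", "took sealed copy", "transit", "transport")
        image.write_bytes(b"\x00" * 4095 + b"\x01")  # simulate a one-byte alteration
        record_custody(log, image, "Lab", "opened for analysis", "lab", "examination")
    return log, first_break(log)


if __name__ == "__main__":
    print("first mismatching custody entry:", demo()[1])
```

The acquisition hash would also be written into the panchanama, so the baseline in the log can itself be checked against the seizure record.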
Digital Evidence Collection (DEC) form

ADD - DEVICE DETAILS SUCH AS:
• Type
• Manufacturer
• Model Number
• ETC
CYBER FORENSICS & RELATED LEGAL
ASPECTS - RELATING GUIDELINES BY
HC OF KARNATAKA

VIRENDRA KHANNA
V.
STATE OF KARNATAKA
APPEAL NUMBER : WP NO.11759/2020
[DATE OF JUDGEMENT/ORDER : 12/03/2021]
What are the protection and safeguard that the
Investigating Officer would have to take in respect of the
smartphone and/or electronic equipment?
carry out the search in a proper and scientific manner,
more so since what has to be searched in the electronic
equipment, smartphone or email account.
Apparently, there are no rules formulated by the police
department regarding the manner of carrying out a
search and/or for preservations of the evidence gathered
during the said search in respect of smartphone,
electronic equipment or email account.
It would be in the interest of all the stakeholders that
detailed guidelines are prepared by the police department
in relation to the same.
• Pending such formulation, it would be required that the
following minimum guidelines are implemented:
• In the case of a personal computer or a laptop:
• When carrying out a search of the premises, as regards any
electronic equipment, Smartphone or e-mail account, the
search team to be accompanied by a qualified Forensic
Examiner.
• When carrying out a search of the premises, the IO should
not use the computer or attempt to search a computer for
evidence. The usage of the computer and/or search should
be conducted by a properly authorized and qualified person,
like a properly qualified forensic examiner.
• …… In the unlikely event of the Forensic examiner not
being available, then unplug the computer, pack the
computer and the wires in separate faraday covers after
labeling them.
….To ascertain as to whether the said
equipment is connected to any remote
storage devices or shared network drives, if
so to seize the remote storage devices as
also the shared network devices.

To seize the wireless access points,
routers, modems, and any equipment
connected to such access points, routers,
modems which may sometimes be hidden.
….
Mobile devices: ….., the following additional steps to be
taken:
1. Prevent the device from communicating to network
and/or receiving any wireless communication either
through wifi or mobile data by packing the same in a
faraday bag.
2. Keep the device charged throughout, since if the battery
drains out, the data available in the volatile memory could
be lost.
3. Look for sim-slots remove the sim card so as to prevent
any access to the mobile network, pack the sim card
separately in a faraday bag.
4. If the device is in power-off mode, the battery could also
be removed and kept separately.
5. If the device is powered on, then put it in an aeroplane
mode in android device or airplane mode in a IOS device.
• ALSO – In all the cases above, the seized equipment should
be kept as far as possible in a dust-free environment and
temperature controlled.
• While conducting the search, the IO to seize any electronic
storage devices like CD, DVD, Blu-Ray, pen drive, external
hard drive, USB thumb drives, solid-state drives etc., located
on the premises, label and pack them separately in a faraday
bag.
• The computers, storage media, laptop, etc., to be kept away
from magnets, radio transmitters, police radios etc., since
they could have an adverse impact on the data in the said
devices.
• To carry out a search of the premises to obtain instructions
manuals, documentation, etc., as also to ascertain if a
password is written down somewhere since many a time
person owning equipment would have written the password
in a book, writing pad or the like at the said location.
• The entire process and procedure followed to be
documented in writing from the time of entry of the
investigation/search team into the premises until they exit.
SIMILAR GUIDELINES from other
courts too…

Need clearer guidelines and application
CONCERNS CONTINUE….
Jurisdiction related
Availability of forensic experts and infrastructure.
Use authorised Experts and labs
Lack of corroborative evidences may affect outcome
of the case
Need to comply with both forensic as well as legal
procedure
Adhere to internationally/Nationally/formally
acclaimed standard operating procedure
Any questions ???

Thank you ….
