

Introduction to Cyber Crime

The first recorded Cyber Crime took place in the year 1820! That is not surprising, considering the fact that the Abacus, which is thought to be the earliest form of a Computer, has been around since 3500 B.C., in India, Japan and China. The era of the modern Computers, however, began with the Analytical Engine of Charles Babbage.

In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear, amongst Jacquard's employees, that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded.


The term ‘CYBERSPACE’ was coined by the science fiction author William Gibson in his 1982 novel Neuromancer to describe the environment within which computer hackers operate.

In the novel, the activity of hacking (securing unauthorised access to the contents of computer systems) is couched in very physical terms.

The image is of the hacker overcoming physical security barriers to penetrate into the heart of the computer systems and make changes to the physical structure thereby modifying the operation of the system. When departing, the hacker might even remove and take away elements of the system.


Today Computers have come a long way, with neural networks and nano-computing promising to turn every atom, in a glass of water, into a Computer capable of performing a billion operations per second.

Cyber Crime is an evil, having its origin in the growing dependence on computers in modern life. In a day and age when everything from Microwave Ovens and Refrigerators to Nuclear Power Plants are being run on Computers, Cyber Crime has assumed rather sinister implications.

Major Cyber Crimes, in the recent past, include the Citibank rip off.

US $ 10 million were fraudulently transferred out of the Bank and into a bank account in Switzerland.

A Russian hacker group, led by Vladimir Levin, a renowned hacker, perpetrated the attack. The group compromised the Bank's security systems. Vladimir was allegedly using his Office Computer at AO Saturn, a Computer Firm in St. Petersburg, Russia, to break into the Citibank Computers. He was finally arrested at Heathrow Airport on his way to Switzerland.


At the onset, let us satisfactorily define "Cyber Crime" and differentiate it from "Conventional Crime". Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the provisions of The Indian Penal Code. The abuse of Computers has also given birth to a gamut of new age crimes, that are addressed by the Information Technology Act, 2000.

Defining Cyber Crimes, as "acts that are punishable by the Information Technology Act" would be unsuitable as the Indian Penal Code also covers many cyber crimes, such as E-mail Spoofing and Cyber Defamation, sending threatening E-mails etc. A simple, yet sturdy definition, of Cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both".

Let us examine the acts wherein the computer is a tool for an unlawful act. This kind of activity usually involves a modification of a conventional crime by using computers. Some examples are:


This would include cheating, Credit Card frauds, money laundering etc. To cite a recent case, a Website offered to sell Alphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded to or supplied the Website with their Credit Card numbers. These people were actually sent the Alphonso mangoes. The word about this Website now spread like wildfire. Thousands of people from all over the country responded and ordered mangoes by providing their Credit Card numbers. The owners of what was later proven to be a bogus Website then fled with the numerous Credit Card numbers and proceeded to spend huge amounts of money, much to the chagrin of the Card Owners.


This would include pornographic Websites; pornographic magazines produced by using Computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). Recent Indian incidents revolving around Cyber pornography include the Air Force Balbharati School case. A student of the Air Force Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the cruel jokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphed them with nude photographs and put them up on a Website that he uploaded on to a free Web hosting service. It was only after the father of one of the class girls featured on the Website objected and lodged a Complaint with the police that any action was taken.

In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear for obscene photographs. They would then upload these photographs to websites specially designed for paedophiles. The Mumbai police arrested the couple for pornography.


This would include sale of Narcotics, Weapons and Wildlife etc., by posting information on Websites, Auction Websites, and Bulletin Boards or simply by using E-mail communications. Many of the Auction Sites even in India are believed to be selling goods unlawfully.


There are millions of Websites; all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these Websites are actually fronts for money laundering.


These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.


A spoofed E-mail is one that appears to originate from one source but actually has been sent from another source. E.g. Pooja has an E-mail address. Her enemy, Sameer, spoofs her E-mail and sends obscene messages to all her acquaintances. Since the E-mails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life.

E-mail spoofing can also cause monetary damage. In an American case, a teenager made millions of dollars by spreading false information about certain Companies whose shares he had short sold. This misinformation was spread by sending spoofed E-mails, purportedly from news agencies like Reuters, to Share Brokers and Investors who were informed that the Companies were doing very badly. Even after the truth came out, the values of the shares did not go back to the earlier levels and thousands of Investors lost a lot of money.
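A spoofed message looks genuine in the visible "From" line, so the way a recipient's mail system or an investigator tells the two apart is by looking at headers the sender does not control: the envelope sender recorded in Return-Path and the SPF/DKIM verdicts that the receiving server writes into Authentication-Results. The following Python example is added here to illustrate that check; it is not code from the original text. Both messages, the domains and the Authentication-Results lines are constructed samples, and the checks assume the receiving server has already recorded SPF and DKIM results in that header.

```python
import email
import re
from email import policy

# Constructed sample: the From line claims Pooja's domain, but the envelope
# sender and the SPF/DKIM verdicts show a different origin.
SPOOFED = """\
Return-Path: <bounce@mailer.example.invalid>
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=mailer.example.invalid; dkim=none
From: Pooja <pooja@example.invalid>
To: friend@example.invalid
Subject: hi

body
"""

# Constructed sample of a message that really came from Pooja's domain.
GENUINE = """\
Return-Path: <pooja@example.invalid>
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid; dkim=pass header.d=example.invalid
From: Pooja <pooja@example.invalid>
To: friend@example.invalid
Subject: hi

body
"""


def _domain(addr):
    """Return the lower-cased domain part of an address header, or None."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def assess(raw):
    """Compare the visible From domain with the envelope sender and the
    SPF/DKIM verdicts; return the findings that point to spoofing."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"])
    envelope_dom = _domain(msg["Return-Path"])
    auth = (msg["Authentication-Results"] or "").lower()
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)

    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} differs "
                        f"from From domain {from_dom}")
    if spf and spf.group(1) != "pass":
        findings.append(f"spf={spf.group(1)}")
    if not dkim or dkim.group(1) != "pass":
        findings.append("no passing DKIM signature for the message")
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, assess(raw))
```

The envelope/From mismatch on its own is not proof (mailing lists and forwarding services legitimately differ), which is why the verdicts from SPF and DKIM are weighed together with it.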


Counterfeit currency notes, postage and revenue stamps, mark sheets etc. can be forged using sophisticated computers, printers and scanners. Outside many colleges across India, one finds touts soliciting the sale of fake mark sheets or even certificates. These are fraudulently made by using computers and high quality scanners and printers. In fact, this has become a booming business involving thousands of Rupees being given to student gangs in exchange for these bogus but authentic looking certificates.


This occurs when defamation takes place with the help of computers and / or the Internet. E.g. someone publishes defamatory matter about someone on a Website or sends E-mails containing defamatory information to some or all of that person's friends.

In a recent occurrence, X, a young girl, was about to be married to Y. She was really pleased because despite it being an arranged marriage, she had liked the boy. He had seemed to be open-minded and pleasant. Then, one day when she met Y, he looked worried and even a little upset. He was not really interested in talking to her. When asked, he told her that members of his family had been receiving E-mails that contained malicious things about X’s character. Some of them spoke of affairs which she had had in the past. He told her that his parents were justifiably very upset and were also considering breaking off the engagement. Fortunately, Y was able to prevail upon his parents and the other elders of his house to approach the police instead of blindly believing what was contained in the mails.

During investigation, it was revealed that the person sending those E-mails was none other than X's stepfather. He had sent these E-mails so as to break up the marriage. The girl's marriage would have caused him to lose control of her property of which he was the guardian till she got married.

Another famous case of cyber defamation occurred in America. All the friends and relatives of a lady were beset with obscene e-mail messages appearing to originate from her account. These mails were giving the lady in question a bad name among her friends. The lady was an activist against pornography. In reality, a group of people, displeased with her views and angry with her for opposing them, had decided to get back at her by using such underhanded methods. In addition to sending spoofed obscene E-mails, they also put up Websites about her that basically maligned her character, and sent E-mails to her family and friends containing matter defaming her.


The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the Bulletin Boards frequented by the victim, entering the Chat-Rooms frequented by the victim, constantly bombarding the victim with E-mails etc.



It seems really difficult to believe but it is true. Most amateur hackers and cyber criminals are teenagers. To these youngsters, who have just begun to understand what seems to them a great deal about computers, it is a matter of pride to have hacked into a computer system or a website. There is also that little issue of appearing really smart among friends. These young rebels may also commit cyber crimes without really knowing that they are doing anything wrong.


Hacktivists are hackers with a particular (mostly political) motive. In other cases this reason can be social activism, religious activism, etc. The attacks on approximately 200 prominent Indian websites by a group of hackers known as Pakistani Cyber Warriors are a good example of political hacktivists at work.


One can hardly believe how spiteful displeased employees can become. Till now they had the option of going on strike against their bosses. Now, with the increasing dependence on computers and the automation of processes, it is easier for disgruntled employees to do more harm to their employers by committing computer related crimes, which can bring entire systems down.




The importance of collection and presentation of evidence in a court of law cannot be overemphasized in any criminal prosecution. Cybercrimes are no exception to this. Effective combating of cybercrimes requires prompt discovery, safe custody and presentation in acceptable form in a court of evidence related to those crimes. As computers and related storage and communication devices proliferate in our society, so does the use of those devices in conducting criminal activities. The number of criminals who use computers, laptops, network servers and even cellular phones in the commission of their crimes is increasing alarmingly.

The computer may be contraband, fruits of the crime, a tool of the offence, or a storage container holding evidence of the offence. Computers may provide the means of committing crime. For example, the criminal might use the Internet to deliver a death threat via e-mail, to launch hacker attacks against another computer, to disseminate computer viruses, or to transmit hate material against some targets. Computers may also serve as mere storage devices for evidence of crime. For example, a computer may contain the details of a money laundering operation undertaken by a smuggler, or a list of contacts who owe money to a drug kingpin. These details are vital for the initiation of any successful action, in a court of law, against these criminals.

However, the evidence available in the computers or related to a cybercrime is different in nature from that related to real world crimes. These differences pervade all the stages of evidence discovery, collection, storage and presentation in court. All the stakeholders need to know these differences and the methods used for collection and presentation etc. so that they preserve the evidence of any crimes perpetrated against them or investigated by them. Similarly, the judiciary also must know the basics of the evidence produced before them. In this Chapter, we shall undertake to analyse, briefly, various aspects related to evidence in the cyber world.


In real world crimes there are the following types of evidence:

1. Direct Evidence

2. Hearsay Evidence

3. Circumstantial Evidence

4. Oral and Documentary Evidence

5. Scientific Evidence

6. Real and Digital Evidence


The very characteristics that make the Internet and computer networks extremely useful also make it difficult for investigators to discover and collect evidence of crimes committed against, or by means of, them. It is easy to delete a file in a computer and thereby make the data unavailable to any investigator who snoops around. Unlike in real world crimes, there may not be tangible evidence like a paper record or weapon in cybercrimes. The virtual digital records have to be collected, preserved and produced in the court to the satisfaction of the court. This involves tremendous problems unless all the people involved are aware of what is required of them, right from the victim of the crime to the investigator and judge. The science of Computer Forensics is fast becoming a very necessary skill set for law enforcement departments, government entities, and corporations worldwide. Various challenges involved in cyber evidence collection and production are dealt with in brief in the following subparagraphs.


Far more information is retained on a computer than most people realise. It is also more difficult to completely remove information than is generally thought. For these reasons, computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if the information was intentionally deleted. Therefore, computers can act as a reservoir of evidence for the enforcement agencies, if only one knows how and where to look for it. Computer forensics is the science and technology of unearthing evidence from computer systems. It is a process of methodically examining computer media for evidence. It is the recognition, collection, preservation, analysis and presentation of cyber evidence.

As with real world evidence, the first step involved in cyber evidence collection is the discovery of evidence. For an investigator to discover evidence, it is important for the victim of the crime to report the matter at the earliest possible time. Reporting of cybercrimes is still very low for various reasons. Firstly, most of the victims do not know about the crime, and even when they come to know of it, it becomes too late for anything to be done. Another reason is that corporate bodies do not want to involve the police in the investigation, since any adverse publicity on their systems can have a negative reaction from their customers. Reporting a security breach puts a company’s reputation at risk. Corporate bodies feel that calling law enforcement is as good as advertising that you’ve been hacked, the kiss of death for any business that relies on trust. System administrators and corporate managers also believe that by avoiding police involvement they can stave off negative press.

It is needless to mention that reporting cybercrimes as and when they occur will go a long way in checking this menace. In their White Paper on Computer Crime Statistics, the International Computer Security Association points out that:

Most computer crimes go undetected by their victims.

Of the attacks which are detected, few are reported.

This kind of situation is ideal for the criminals to enlarge their activities. Therefore, it is the duty of every person dealing with computers and networks to report to the concerned authorities any violations or crimes as soon as they notice them. Especially the organisations that use computer networks in doing their business or other functions should be serious and proactive in this direction. Organisations can initiate a few basic steps to facilitate the reporting and investigation of cybercrimes. They are:

ESTABLISH AN INCIDENT-RESPONSE POLICY: A predefined policy will help management and system administrators better understand their company’s security needs and the risk in calling the police. This guidance will facilitate a speedier incident response and reduce confusion during the investigation and recovery process.

UNDERSTAND WHAT INFORMATION INVESTIGATORS WILL NEED: Most times, investigators know next to nothing about a victim’s systems. They’ll need everything from a network map and a software inventory, to the descriptions and versions of operating systems, to a list of all staff members with access to critical information systems, to a copy of all system logs.

MAINTAIN UP-TO-DATE HUMAN RESOURCES RECORDS: Since many computer crimes involve employees or other “insiders”, investigators will need all the information that is available about employees and contractors with access to restricted systems. Vital information includes employees’ personal and biographical data, job descriptions, access rights and written acknowledgments of the network-usage policy. This information, contained in most personnel files, provides many of the background pieces vital to an investigation.

As a preventive measure against internal security breaches, companies should conduct extensive background checks on prospective employees. A background check will often reveal if an applicant has a criminal record or a history of questionable computer activities.

ARCHIVE SYSTEM LOGS: An organization’s system logs contain a wealth of information on how internal users and external hackers exploit IT assets. They often show an attacker’s IP address, the time he accessed the system, the targeted servers, the applications executed and more. Without logs, law enforcement will have no real starting point for its investigation.
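The starting point that archived logs give an investigator is exactly the per-source picture described above: which address touched the system, when it was first and last seen, and which applications it reached. The Python example below is added here to show that reconstruction on a few web server log lines; it is not code from the original text. The log lines are constructed samples in the common "combined" format, the addresses are documentation ranges, and the threshold of two failed logins is an arbitrary assumption for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample web server log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:06 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:07 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "POST /login HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:15:30 +0000] "GET /admin/export.php?table=cards HTTP/1.1" 200 98304 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2024:09:01:11 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, [timestamp], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarize(text):
    """Group requests by source address: first/last seen, failed logins, paths."""
    per_ip = defaultdict(lambda: {"first": None, "last": None,
                                  "failed_logins": 0, "paths": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # keep going; a bad line must not stop the review
        s = per_ip[rec["ip"]]
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["paths"].add(rec["path"])
        if rec["path"].startswith("/login") and rec["status"] == 401:
            s["failed_logins"] += 1
    return dict(per_ip)


def suspicious_sources(summary, max_failed=2):
    """Addresses with at least max_failed rejected logins (threshold is an assumption)."""
    return sorted(ip for ip, s in summary.items() if s["failed_logins"] >= max_failed)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in summary.items():
        print(ip, s["first"], s["last"], s["failed_logins"], sorted(s["paths"]))
    print("review first:", suspicious_sources(summary))
```

Note that the timestamp carries its UTC offset; logs from different hosts can only be lined up on a timeline if the offset (and the clock behind it) is recorded, which is one reason the archive should keep the raw lines rather than a summary.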


This is a delicate and precise process. Just as carelessness will negate the value of fingerprints at a robbery scene, haphazard collection of digital evidence can have the same or worse effect in a computer crime case. Given the fragility of digital evidence, only properly trained investigators and administrators should attempt to recover evidence. The problem is that organizations are often more concerned with restoring a system to full operation than with preserving the system for proper evidence collection. Evidence collection and system recovery aren’t necessarily conflicting processes. Incorporating the needs of computer forensics and criminal investigations in the system-recovery process makes the gathering of evidence and the restoring of normal operations a relatively smooth exercise. If investigators are brought in promptly, a computer forensics specialist can collect a complete image of the compromised system without significant delays in uptime.


What follows from the above discussion on preservation of cyber evidence by the victims themselves is that everyone needs to know what cyber evidence is. Cyber evidence could be either physical or logical. Hardware components and the media in which the data is contained constitute the physical evidence. The physical side of computer forensics involves what is called search and seizure: searching for, and taking into custody, computer hardware and media that are involved in the crime. In contrast, the logical side of computer forensics deals with the extraction of raw data from any relevant information resource. This is referred to as information discovery and normally involves an investigator combing through log files, searching the Internet, retrieving data from a database, etc.


Once the crime is reported to law enforcement agencies the focus shifts to them. More than the victims, it is this group of players who must have thorough knowledge of computer forensics. Also it is to be kept in mind that computer forensics is not limited to cybercrimes alone. Investigation of any criminal activity may produce electronic evidence. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Therefore the investigating officers must possess the necessary skills to recognise cyber evidence and to collect the relevant evidence without affecting its integrity.


Computers and related evidence range from the mainframe computer to the pocket-sized personal digital assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data on these media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies, best practices and guidelines. Answers to the following questions will better determine the role of the computer in the crime:

Is the computer contraband or fruits of a crime?

For example, was the computer software or hardware?

Is the computer system a tool of the offence?

For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?

For example, is a drug dealer maintaining his trafficking records in his computer?

Is the computer system both instrumental to the offense and a storage device for evidence?

For example, did the computer hacker use the computer to attack other systems and also use it to store stolen credit information?

Once the computer’s role is understood, the following essential questions should be answered:

Is there probable cause to seize hardware?

Is there probable cause to seize software?

Is there probable cause to seize data?

For example, is it practical to search the computer system on site, or must the examination be conducted at a field office or lab?

If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?

Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?

These answers will also help in formulating a plan according to which the investigator can proceed towards actual collection of evidence through search and seizure.



Once the required evidence has been identified, the investigator must ensure that the same is collected through search and seizure of hardware or through information discovery of logical evidence. Using evidence obtained from a computer in a legal proceeding requires:

Probable cause for issuance of a warrant, or an exception to the warrant requirement. If you encounter potential evidence that may be outside the scope of the existing warrant or legal authority, an additional warrant may become necessary.

Use of appropriate collection techniques so as not to alter or destroy evidence.

Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.

What has to be borne in mind, before everything else, is the fact that the validity of any evidence in a court of law depends on the legality of the method through which it is collected. Therefore, the investigator must ensure that the necessary procedures are adhered to before proceeding to actual collection. For example, in India the law relating to evidence is the Indian Evidence Act and the Code of Criminal Procedure. One must ensure that these enactments are not violated while collecting cyber evidence. Apart from these general provisions, the Indian Information Technology Act, 2000 prescribes as follows:


1. Notwithstanding anything contained in the Code of Criminal Procedure, 1973, any police officer, not below the rank of a Deputy Superintendent of Police, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act.

EXPLANATION.- For the purpose of this sub-section, the expression “public place” includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to, the public.

2. Where any person is arrested under sub-section (1) by an officer other than a police officer, such officer shall, without unnecessary delay, take or send the person arrested to the officer-in-charge of a police station.

3. The provisions of the Code of Criminal Procedure, 1973 shall, subject to the provisions of this section, apply, so far as may be, in relation to any entry, search or arrest, made under this section.

Therefore, in the Indian context, any search or seizure of cyber evidence must be carried out as per the provisions of the Criminal Procedure Code. The only exception to this requirement is where an officer not below the rank of Deputy Superintendent of Police, or any other officer specially authorised by the Central Government in this behalf, is permitted to enter any public place and carry out search and arrest under Section 80 of the Information Technology Act, reproduced above. In India there is not much case law involving the validity of cyber evidence. However, in the US there were many cases in which the validity of cyber evidence was challenged, especially on the ground of violations of the US Constitution’s Fourth Amendment principle of “reasonable expectation of privacy”. This inquiry embraces two discrete questions: first, whether the individual’s conduct reflects an actual subjective expectation of privacy, and second, whether the individual’s subjective expectation of privacy is one that society is prepared to recognize as reasonable. In most cases, the difficulty of contesting a defendant’s subjective expectation of privacy focuses the analysis on the objective aspect of the Katz test, i.e., whether the individual’s expectation of privacy was reasonable.

Do individuals have a reasonable expectation of privacy in the contents of their laptop computers, floppy disks or pagers? When confronted with this issue, courts have analogized electronic storage devices to closed containers, and have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers, they also generally retain a reasonable expectation of privacy in data held within electronic storage devices. Accordingly, accessing information stored in a computer ordinarily will implicate the owner’s reasonable expectation of privacy in the information. US courts have reached this conclusion in finding a reasonable expectation of privacy in files stored on the hard drive of a personal computer and in data stored in a pager. It was held that an individual has the same expectation of privacy in a pager, computer, or other electronic data storage and retrieval device as in a closed container.

Though US courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions over whether each individual file stored on a computer or disk should be treated as a separate closed container. In a case where private parties had searched certain files and found child pornography, the Fifth Circuit court held that the police did not exceed the scope of the private search when they examined additional files on any disk that had been, in part, privately searched. Analogizing a disk to a closed container, the court explained that police do not exceed the private search when they examine more items within a closed container than did the private searchers. Similarly, it was held in another case that when a warrantless search of a portion of a computer and zip disk had been justified, the defendant no longer retained any reasonable expectation of privacy in the remaining contents of the computer and disk, and thus a comprehensive search by law enforcement personnel did not violate the Fourth Amendment. However, this view was rejected by the Tenth Circuit court, which held that an agent exceeded the scope of a warrant to search for evidence of drug sales when he abandoned that search and instead searched for evidence of child pornography.

Although individuals generally retain a reasonable expectation of privacy in computers under their control, special circumstances may eliminate that expectation. For example, it was held that the defendant did not have a reasonable expectation of privacy in the use of a private computer network when undercover federal agents looked over his shoulder, when he did not own the computer he used, and when he knew that the system administrator could monitor his activities. Similarly, it has been held that individuals generally do not enjoy any reasonable expectation of privacy in the contents of computers they have stolen. A sender may likewise lose that expectation in information he has passed to a third party: in United States v. Horowitz, the FBI searched a competitor’s computers and found confidential pricing information relating to the defendant’s employer, e-mailed to the competitor by the defendant. The Fourth Circuit disagreed with the contention of the defendant that the search violated his Fourth Amendment rights and held that the defendant had relinquished his interest in and control over the information by sending it to the competitor for the competitor’s future use.


Once the necessary legal requirements are fulfilled the actual search and seizure process starts. Firstly we shall deal with on-site physical seizure. Thomas Rude, CISSP, suggests the following steps as guidelines for conducting such an operation by the investigating agencies.




Preparation for Examination


Search and seizure involves recovering and processing physical computer evidence from a computer crime scene. There are some thumb rules that may be kept in mind by the investigator while carrying out search and seizure operations in cyber evidence collection. They are:

1. Do not alter original evidence.

2. Do not allow a suspect to interact with a crime scene computer.

3. Always back up a crime scene computer; if a crime scene computer is on, do not turn it off until any valuable data in temporary memory have been saved.

4. Document all investigative activities.

5. The storage of computer evidence.


There are many other electronic storage devices that may contain evidence of a cybercrime. This is becoming applicable more and more with the advancements in convergence technologies. Some of these devices are wireless telephones, electronic paging devices, fax machines, caller ID devices, and smart cards. The precautions that are to be followed while accessing the information contained in these devices as evidence are similar to those for computers. The ultimate aim should be maintaining the integrity of the evidence by fulfilling all the legal requirements as to search and seizure and also as to examining the data without changing it.


Cybercrime investigations often involve electronic surveillance also. In computer crime cases, investigators may want to monitor a hacker as he breaks into a victim computer system, or set up a cloned e-mail box to monitor a suspect sending or receiving child pornography over the Internet. In a more traditional context, agents may wish to wiretap a suspect’s telephone, or learn whom the suspect has called, and when. It is to be remembered that even when these surveillance measures are resorted to, the investigators must ensure that they are proceeding legally by fulfilling all the prescribed conditions. If this has not been ensured, the final outputs might get rejected by the court as tainted evidence.

In the USA there are two specific enactments dealing with this aspect of evidence collection. These are the Wiretap statute, 18 U.S.C. §§ 2510-2522, and the Pen/Trap statute, 18 U.S.C. §§ 3121-3127. In India, though there is no specific enactment dealing with this aspect, there are legal provisions that are generally applicable to any kind of electronic surveillance in communication networks, which need to be adhered to.


As with physical computer evidence (such as computer systems, hard drives, media, etc.), data must also go through an accounting procedure to ensure that the chain of custody is maintained, and be introduced into the lab environment. The procedure to be followed for such accounting of data is generally as follows:

  • Backup the Information Discovery File(s). All forensic examination of discovered files must be carried out on backed-up copies. Whenever possible, backups should be made in a raw, uncompressed format, creating duplicates that better mirror their originals. It may be noted that this backup is different from the backup that we mentioned in the search and seizure stage.

  • Start the Lab Evidence Log. A lab evidence log that details discovered information must be kept within the lab. Current date and time, description of each information discovery file, including the file’s format (e.g., ASCII, EBCDIC, binary, Postscript, etc.) and name of the investigator checking in the file(s) must form part of this log. A revision control system, such as Revision Control System (RCS) or Source Code Control System (SCCS), provides an excellent way to ensure the integrity of any information discovery file (binary or text). With such systems, backup copies of original files are automatically managed: only one user at a time can have any given file checked out, and there is a simple audit trail maintained to show who has what files checked out at any point in time.

  • Mathematically Authenticate the Information Discovery File(s). At some point the investigator needs to authenticate any data located during an information discovery. Such authentication is necessary to confirm that no alteration of electronic evidence has taken place since the evidence came into the investigator’s care. There are utilities available to create digital fingerprints of files; the md5sum utility is one such tool, which uses the MD5 algorithm to create 128-bit hashes of files. Because the MD5 algorithm is computationally secure (which is to say, it would take an impractical amount of time to generate a file that matches a pre-determined MD5 hash value), it provides an excellent way to prove the authenticity of forensic evidence.

  • Proceed with the Forensic Examination of each File. Once these preliminary steps are ensured the investigator may proceed with forensic examination of the seized data using the backups mentioned above. During each step the details must be entered in the lab evidence log.
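The backup, lab-log and authentication steps above, carried out end to end in one script. This is an added example, not code from the page or from any tool it names: it makes a raw byte-for-byte working copy, confirms that copy and original hash identically before the copy is used, records a log entry with timestamp, file format and investigator, and re-verifies the digests later. SHA-256 is computed alongside MD5 because MD5 collisions have been practical since 2004, so a current lab log records a second digest. The file names and the investigator name are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def fingerprint(path, algorithms=("md5", "sha256")):
    """Digest a file with every named algorithm in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_bytes(data, algorithms=("md5", "sha256")):
    """Same digests for an in-memory buffer (handy for checking against published test vectors)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def make_working_copy(original, copy_path):
    """Raw, uncompressed duplicate; all examination happens on the copy, never the original."""
    shutil.copyfile(original, copy_path)
    # The copy is only fit for use once its digests equal those of the original.
    if fingerprint(original) != fingerprint(copy_path):
        raise RuntimeError("working copy does not match original; do not proceed")
    return copy_path


def check_in(log, path, file_format, investigator):
    """Append a lab evidence log entry: when, which file, its format, who, and the digests."""
    entry = {
        "checked_in_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "format": file_format,
        "investigator": investigator,
        "digests": fingerprint(path),
    }
    log.append(entry)
    return entry


def verify(entry, path):
    """Re-hash later (for example before testifying); True only if every recorded digest matches."""
    return fingerprint(path) == entry["digests"]


def demo():
    """Constructed walk-through on temporary files; returns the two verify() results."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "discovery_001.bin")  # placeholder file name
    with open(original, "wb") as fh:
        fh.write(b"constructed sample evidence file\n" * 1000)
    copy = make_working_copy(original, os.path.join(workdir, "discovery_001.copy.bin"))
    log = []
    entry = check_in(log, copy, "binary", "examiner A (placeholder)")
    intact = verify(entry, copy)
    # Simulate an accidental change to the working copy: verification must now fail.
    with open(copy, "ab") as fh:
        fh.write(b"x")
    tampered = verify(entry, copy)
    shutil.rmtree(workdir)
    return intact, tampered


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The log is a plain list of dictionaries here; in practice it would be written to an append-only file that is itself hashed, so that the log cannot be edited silently after the fact.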

There are various tools being developed for the use of cyber investigators in conducting the examination of seized data. These tools provide enormous possibilities in unearthing even information that was deleted long ago. In fact, deleting a file simply moves that file to the Recycle Bin on a Windows PC. Even after emptying the Recycle Bin, the deleted documents’ contents usually remain on the storage media until overwritten and are easy for investigators to recover. Some of the tools available for deciphering the evidence from seized data are:



Network sniffer (hardware)

Allows user to “recreate” the crime by keeping a record of packet sessions across networks.

Portable disk duplicator and/or duplication software.

Preserves the original crime scene by allowing investigators to copy hard drives in the field and the lab for later analysis.

Chain-of-custody documentation hardware

Videotapes every mouse click of the investigative process to make court testimony more credible.

Case management software

Helps link seemingly unrelated pieces of evidence.
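How a deleted file can still be recovered once its directory entry is gone, shown as an added example rather than code from the page or from any tool it names: a small signature-based carver of the kind the Vacca list later calls a purpose-written search program. The “disk image” is a constructed byte string standing in for unallocated space, the signatures are the standard PDF, PNG and JPEG headers and footers, and a header with no matching footer is reported as a partially overwritten fragment rather than silently dropped. Each complete carve is digested so the result can go straight into the lab evidence log.

```python
import hashlib

# Header and footer byte sequences of three common formats.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Scan raw bytes for known headers and return every carved region, sorted by offset.

    A deleted file's bytes stay in place until overwritten; only the directory entry
    is lost, so recovery searches for content signatures instead of file names.
    """
    found = []
    for name, (header, footer) in signatures.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            window_end = min(len(image), h + max_len)
            f = image.find(footer, h + len(header), window_end)
            if f < 0:
                # Header without footer inside the window: the tail was overwritten.
                found.append({"type": name, "offset": h, "length": None, "complete": False})
                start = h + len(header)
                continue
            end = f + len(footer)
            data = image[h:end]
            found.append({
                "type": name,
                "offset": h,
                "length": end - h,
                "complete": True,
                "data": data,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            start = end
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image():
    """Constructed sample: filler bytes with a PDF, a PNG and a header-only JPEG inside."""
    filler = b"\x00" * 64
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    jpeg_stub = b"\xff\xd8\xff\xe0JFIF"  # start of a JPEG whose remainder was overwritten
    return filler + pdf + filler + png + filler + jpeg_stub + filler


if __name__ == "__main__":
    for region in carve(build_sample_image()):
        print(region["type"], region["offset"], region["length"], region["complete"])
```

Real carvers add per-format checks (chunk lengths for PNG, the xref table for PDF) because a footer can appear inside unrelated data; the fixed window here only bounds how far a search runs when the footer is missing.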

John R. Vacca, in his book on computer forensics, provides a provisional list of actions involved in the principal forensic methods, as follows:

1. Safe seizure of computer systems and files, to avoid contamination and/or interference.

2. Safe collection of data and software

3. Safe and non-contaminating copying of disks and other data media

4. Reviewing and reporting of data media

5. Sourcing and reviewing of backup and archived files

6. Recovery of materials from swap and cache files

7. Recovery of deleted/damaged files-physical methods

8. Core-dump: collecting an image of the contents of the active memory of a computer at a particular time.

9. Estimating if files have been used to generate forged output

10. Reviewing of single computers for proper working during relevant period, including service logs, fault records, and the like

11. Proving/testing of reports produced by complex client/server applications

12. Reviewing of complex computer systems and networks for proper working including service logs, fault records, and the like

13. Review of system/program documentation for design methods, testing, audit, revision, and operations management

14. Reviewing of applications programs for proper working during relevant period, including service logs, fault records, and the like

15. Identification and examination of audit trails

16. Identification and review of monitoring trails

17. Telecoms call path tracing (PTTs or path-tracing telecoms and telecom utilities companies only)

18. Reviewing of access control services (quality and resilience of facilities hardware and software, identification/authentication services)

19. Reviewing and assessment of access control services – quality of security management

20. Reviewing and assessment of encryption methods – resilience and implementation

21. Setting up of proactive monitoring to detect unauthorized or suspect activity within application programs and operating systems, and across local area and wide area networks

22. Monitoring of e-mail

23. Use of special alarm or trace programs

24. Use of honey pots

25. Interaction with third parties (suppliers, emergency response teams, and law enforcement agencies)

26. Reviewing and assessment of measuring devices and other sources of real evidence, including service logs, fault records, and the like

27. Use of routine search programs to examine the contents of a file

28. Use of purpose-written search programs to examine the contents of a file

29. Reconciliation of multi-source files

30. Examination of telecom devices, location of associated activity logs and other records perhaps held by third parties

31. Event reconstruction

32. Complex computer intrusion

33. Complex fraud

34. System failure

35. Disaster affecting computer-driven machinery or process

36. Review of expert or rule-based systems

37. Reverse compilation of suspect code

38. Use of computer programs that purport to provide simulations or animations of events: review of accuracy, reliability and quality

(v) International Issues in Evidence Collection

One of the most important characteristics of cyber evidence is its global reach. Unlike physical evidence, which is generally limited to a very small geographical area, virtual evidence is spread across cyberspace and thus poses several problems for investigators. For example, a Russian hacker may use the Internet to hack a German computer network in order to steal money from a US bank. Similarly, the kidnapper of an Indian boy at Mumbai may send his ransom notes by e-mail through an accomplice based in South Africa. Or he may even choose to ‘launder’ the message by routing it through many computers owned by unsuspecting persons in all parts of the globe, just as the net may be used for laundering black money.

When the investigating agencies suspect that the evidence of a crime committed in cyberspace is stored in a computer located in another country, territorial reach becomes a problem. The usual practice is that the investigating country approaches the concerned law enforcement agencies of the country in which the evidence is located, for their consent and help in seizing it. However, there is a general informal agreement among investigating agencies that access to publicly available materials such as those posted to a public Web site, and access to materials with the consent of the owner/custodian of those materials, are permissible without prior consultation. The Department of Justice, USA, advises U.S. law enforcement agencies that they should make direct contact with an ISP located in another country only with (1) prior permission of the foreign government; (2) approval of DOJ’s Office of International Affairs (OIA) (which would know of particular sensitivities and/or accepted practices); or (3) other clear indicia that such practice would not be objectionable in that country.

When investigators have reason to believe that evidence exists on a computer or computer network located in some foreign country, and expect a delay before that evidence is secured in that country, a request for preservation of the evidence should be made as soon as possible to the law enforcement agencies of that country. Such a request will have varying degrees of success based on several factors, most notably whether that country has a data preservation law, and whether the requesting country has sufficient law enforcement contacts in that country to ensure prompt execution of the request.

(vi) International Cooperation in Electronic Evidence Collection

Nations across the globe are slowly realizing the need for greater coordination among their enforcement agencies to ensure prompt discovery and seizure of cyber evidence. Some efforts in this direction are beginning to bear fruit. The Council of Europe Cybercrime Convention, completed in 2001, obligates all signatories to have the ability to effect cross-border preservation requests, and Article 23 provides that “The Parties shall co-operate with each other, in accordance with the provisions of the Convention and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence”. Similarly, Article 25 Clause (1) provides that “The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence”. The Convention obligates all signatory countries to have a 24-hour point of contact for cybercrime cases, and international 24-hour response capabilities to secure preservation, or in emergencies. The international network of 24-hour points of contact established by the High-tech Crime Subgroup of the G8 countries can also be of assistance. This network, created in 1997, comprises approximately twenty-eight member countries, and continues to grow every year.

India is yet to enter into any formal international regime of cooperation in cybercrime prevention and evidence collection. However, many informal contacts are being generated through mutual assistance. The cooperation between the FBI and the CBI in fighting cybercrime through mutual assistance, training inputs, etc. is an example of this kind of informal development. However, India needs to actively pursue the possibility of a true international agreement on mutual assistance in preventing cybercrimes, perhaps under the aegis of the United Nations.


We have analysed the precautions and procedures to be adhered to while discovering and examining computer evidence. Now let us look into the admissibility of this computer-generated evidence in a court of law, because the ultimate aim is to obtain evidence admissible in court. The Second and Third Schedules to the Information Technology Act, 2000 have carried out the necessary amendments in the Indian Evidence Act, 1872 and the Bankers’ Books Evidence Act, 1891, respectively, so as to make computer-generated evidence admissible in a court of law. The Second Schedule carries out amendments in relevant Sections and also inserts many new Sections in the Indian Evidence Act. Most important among the amendments is the insertion of Sections 65A and 65B, containing special provisions as to evidence relating to electronic records. These Sections are as follows:

Section 65A. Special Provisions as to Evidence Relating to Electronic Record:

The contents of electronic records may be proved in accordance with the provisions of Section 65B.

Section 65B. Admissibility of Electronic Records:

(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:-

(a) The computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;

(b) During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;

(c) Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.

(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether-

(a) by a combination of computers operating over that period; or

(b) by different computers operating in succession over that period; or

(c) by different combinations of computers operating in succession over that period; or

(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers.

all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say,-

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;

(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate,

and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purpose of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

(5) For the purposes of this section,-

(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;

(b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;

(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.

Explanation.- For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process;

In India, case laws are yet to develop in this field. In USA, courts have dealt this aspect in detail and followed two different lines in admitting the computer-generated evidence. Firstly, the courts generally have admitted computer records upon a showing that the records fall within the business records exception under Federal Rule of Evidence 803(6), which states as follows:

Records of regularly conducted activity. A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, or by certification that complies with Rule 902(11), Rule 902(12), or a statute permitting certification, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term business as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.

Applying this test, the courts have indicated that computer records generally can be admitted as business records if they were kept pursuant to a routine procedure for motives that tend to assure their accuracy.

The second rule of admissibility of computer records in the US is based on the assumption that they are hearsay evidence. When a computer record contains the assertions of a person.

Author: Navin Kumar Jaggi

