Obstacles to cybercrime investigations include anonymity afforded by technology, difficulties with attribution, challenges with backtracking or tracing crimes to their source, identifying responsible internet service providers, lack of harmonized cybercrime laws, technical challenges, limited abilities of law enforcement agencies, "brain drain" of skilled investigators, issues with sovereignty and jurisdiction in cyberspace. Jurisdiction over cybercrimes is complicated, as national laws may not apply to foreign citizens committing crimes outside a country. International cooperation on legal standards and law enforcement is needed to address these obstacles.

1. Subject - Cyber Laws & Rights
M. tech. 3rd Sem., ISM.
By: Prashant Vats,
M.tech., Ph.D.
INDIRA GANDHI DELHI TECHNICAL UNIVERSITY
FOR WOMEN

2. Obstacles to Cybercrime
Investigations

3. Issues relating to Investigation

4. 1. Anonymity
• There are several obstacles that may be encountered during cybercrime
investigations.
• One such obstacle is created by the anonymity that information and
communication technology affords to users.
• Anonymity enables individuals to engage in activities without revealing themselves
and/or their actions to others.
• There are several anonymization techniques that cybercriminals use One such
technique is the use of proxy servers.
• A proxy server is an intermediary server that is used to connect a client (i.e., a
computer) with a server that the client is requesting resources from.
• Anonymizers, or anonymous proxy servers, hide users' identity data by masking
their IP address and substituting it with a different IP address.
• Cybercriminals can also use anonymity networks to encrypt (i.e. block access)
traffic and hide Internet Protocol address (or IP address), "a unique identifier
assigned to a computer [or other Internet-connected digital device] by the Internet
service provider when it connects to the Internet" , in an effort to conceal their
Internet activities and locations.
• Well-known examples of anonymity networks are Tor , Freenet , and the Invisible
Internet Project (known as I2P ).
• These anonymity networks not only "mask users' identities, but also host their
websites via their 'hidden services' capabilities, which mean[s] [that these] sites
can only be accessed by people on" these anonymizing networks.
• These anonymity networks are thus used to access darknet (or Dark Web) sites

5. 2. Attribution
• Attribution is another obstacle encountered during cybercrime
investigations.
• Attribution is the determination of who and/or what is responsible
for the cybercrime.
• This process seeks to attribute the cybercrime to a particular digital
device, user of the device, and/or others responsible for the
cybercrime (e.g., if the cybercrime is state-sponsored or directed).
• The use of anonymity-enhancing tools can make the identification
of the devices and/or persons responsible for the cybercrime
difficult.
• Attribution is further complicated through the use of malware-
infected zombie computers (or botnets;) or digital devices
controlled by remote access tools (i.e., malware that is used to
create a backdoor on an infected device to enable the distributor of
the malware to gain access to and control of systems).
• These devices can be used, unbeknownst to the user whose device
is infected, to commit cybercrimes.

6. 3. Backtracking or Tracing
• Back-tracing (or traceback) is the process of tracing illicit acts back to the
source (i.e., perpetrator and/or digital device) of the cybercrime.
• Traceback occurs after a cybercrime has occurred or when it is detected.
• A preliminary investigation is conducted to reveal information about the
cybercrime through an examination of log files (i.e., event logs, which are
files systems produce of activity), which can reveal information about the
cybercrime (i.e., how it occurred).
• For instance, event logs "automatically record… events that occur within a
computer to provide an audit trail that can be used to monitor,
understand, and diagnose activities and problems within the system“
• Examples of these logs are application logs, which record "events that are
logged by programs and applications," and security logs that "record all
login attempts (both valid and invalid) and the creation, opening or
deletion of files, programmes or other objects by a computer user“.
• These event logs may reveal the IP address used in the cybercrime.
• Traceback can be time-consuming. The time it takes to complete this
process depends on the knowledge, skills, and abilities of the preparators
and the measures they have taken to conceal their identities and
activities.
• Depending on the tactics used by cybercriminals to perpetrate the illicit
acts, tracing may not lead to a single identifiable source.

7. 4. Identifying the Internet service provider (ISP)
• To identify the Internet service provider (ISP) associated with the IP
address, the cybercrime investigator can use ICANN's WHOIS query tool .
• The Internet Corporation For Assigned Names and Numbers '
(ICANN) Internet Assigned Number Authority (IANA) manages the
allocation of IP addresses, among other things, to Regional Internet
Registries (RIRs), which are responsible for overseeing the registration of
IP address in their regions.
• RIRs provide access to WHOIS services via their websites.
• WHOIS data is the registration information that has been provided by
individuals, corporations, organizations, and governments when
registering domain names (e.g., gmail.com), which includes names and
contact information (e.g., phone numbers, addresses, and emails) (ICANN
WHOIS, n.d.).
• The WHOIS query tool can be used to identify the contact information and
location of the organization associated with a domain name .
• The WHOIS query tool can also be used to identify the contact information
and location of the organization associated with an IP address.
• Once an ISP has been identified, cybercrime investigators may contact the
ISP associated with the IP address to retrieve the information about the
subscriber using that IP address

8. 5. Lack of harmonized national cybercrime law
• The lack of harmonized national cybercrime laws,
international standardization of evidentiary requirements
(both in terms of admissibility in a court of law, and in
terms of international state responsibility), mutual legal
assistance on cybercrime matters, and timely collection,
preservation, and sharing of digital evidence between
countries, also serve as obstacles to cybercrime
investigations.
• In regard to certain types of cybercrime, especially
cybercrimes that are politically motivated, a general lack of
will of countries to cooperate in these cases has been
observed ( in case of Hacktivism, Terrorism, Espionage,
Disinformation Campaigns, and Warfare in Cyberspace).

9. 6. Technical Challenges
• Cybercrime investigators also face technical challenges.
For example, numerous digital devices have proprietary
operating systems and software that require the use of
specialized tools to identify, collect, and preserve
digital evidence for Digital Forensics for further
information about digital evidence, digital devices, and
digital forensics tools.
• What is more, investigators may not have the
necessary equipment and digital forensics tools needed
to adequately conduct cybercrime investigations
involving digital devices against Cybercrime.

10. 7. limited abilities of law enforcement agencies
• Other obstacles to cybercrime investigations include the
existing limited abilities of law enforcement agencies to
conduct these investigations .
• In countries where national specialized units exist, they
only investigate a limited number of cybercrime cases. The
prevalence of information and communication technology
in criminal investigations makes such a practice ineffective.
• The training of national law enforcement officers in non-
specialized areas of policing and non-technical specialized
units (e.g., drug crime, organized crime, crimes against
children) on cybercrime, ICT-related investigations, and
digital forensics is one way to strengthen national capacity
and the ways in which to deal with the current deficits in
national capacity to investigate cybercrimes.

11. 8. Brain Drain of highly trained and skilled cybercrime
investigators
• Specifically, information and communication technology is
continuously evolving.
• Because of this, cybercrime investigators must be "lifelong
learners," continuously training to remain current on
technologies, cybercriminals, and their motives, targets,
tactics, and methods of operation (M.O.).
• Furthermore, government and national security agencies
are experiencing what is known as a "brain drain," whereby
highly trained and skilled cybercrime investigators are
leaving these agencies to join the private sector, which
provides better financial compensation for their
knowledge, skills, and abilities.
• These capacity and staffing issues need to be considered by
countries as they serve as significant obstacles to
cybercrime investigations

12. Issues relating to Jurisdiction

13. Sovereignty and jurisdiction
• Territorial sovereignty refers to the state's complete and exclusive exercise
of authority and power over its geographic territory.
• The safeguarding of sovereignty factors prominently in international and
regional cybercrime instruments.
• Territorial sovereignty can be applied to cyberspace, particularly to states'
information and communications technology (ICT) infrastructure.
• State sovereignty can be violated when third parties gain unauthorized
access to ICT in foreign countries without the knowledge and permission
of the host country and/or its law enforcement agents.
• This violation happens even if this unauthorized access occurs pursuant to
an investigation of a cybercrime committed in a different country in an
effort by that country to locate the source of the cyberattack and/or stop
the cyberattack from occurring (a tactic known as hackback or hacking
back).
• Jurisdiction, which is linked to sovereignty (UNODC, 2013, note 9, p. 184),
provides states with the power and authority to define and preserve the
duties and rights of people within its territory, enforce laws, and punish
violations of laws.
• Cybercrime jurisdiction is established by other factors, such as the
nationality of the offender ( principle of nationality; active personality
principle), the nationality of the victim ( principle of nationality; passive
personality principle), and the impacts of the cybercrime on the interests
and security of the state ( protective principle)

14. Jurisdiction Issues
• Jurisdiction is one of the debatable issues in the case of cyber crime
due to the very universal nature of the cyber crime.
• With the ever-growing arm of the cyber space the territorial
concept seems to vanish.
• New Methods dispute resolution should give way to the
conventional methods.
• Thus, the Information Technology Act, 2000 is silent on these issues
• Though S. 75 provides for extra-territorial operations of this law, but
they could be meaningful only when backed with provisions
recognizing orders and warrants for Information issued by
competent authorities outside their jurisdiction and measure for
cooperation‘s for exchange of material and evidence of computers
crimes between law enforcement agencies.

15. Jurisdiction over cyber crime and
national laws
• Jurisdiction is the power or authority of the
court to hear and determine the cause and
adjudicate upon the matter that are litigated
before it or the power of the court to take
cognizance of the matter brought before it but
when it comes to determine the jurisdiction in
context of cyber space it becomes strenuous
part of law.

16. In common parlance Jurisdictions is of two types:
• Subject jurisdiction allows the court to decide cases of
a particular category and to check whether the claim is
actionable in the court where the case has been filed.
• Personal jurisdiction allows a court to decide on
matters related to citizens or people of its territory, the
person having some connection to that territory,
irrespective of where the person is presently located.
Every state exercises the personal jurisdiction over the
people within its territory

17. • Section 20 serves important ingredients for the purpose of institution of other suit
in a court within the local limits of whose jurisdiction'[1]:
• the defendant or each of the defendants resides, or carries on business, or
personally works for gain at the time of the commencement of suit.
• Any of the defendants, where there are more than one defendants resides, or
carries on business, or personally works for gain at the time of the commencement
of suit provided that in such cases either the leave of the court is given, or the
defendants who do not reside, or carry on business, or personally works for gain,
as aforesaid, acquiesce in such institution or, the cause of action wholly or partially
arises.
• However, this section doesn't seem to be fit in virtual world. The issue with the
cyber space jurisdiction is the presence of multiple parties across various part of
the globe who only have virtual connections among them therefore we cannot
have a clear idea about the parties and the place of suing so that the jurisdiction of
the court could be determined to try such cases.
• The substantive source of cyber law in India is the Information Technology Act,
2000 (IT Act) which came into force on 17 October 2000. The objective of the Act
is to provide legal recognition to e- commerce and to facilitate storage of
electronic records with the Government.
• The IT Act also penalizes various cybercrimes and provides strict punishments. In
pursuant to this there are certain provision under this act which renders the idea
of jurisdiction of court for the trial of cases pertaining cyber crimes in India as well
as outside India.

18. • Sec (48) of the act provides for the Establishment of
Cyber Appellate Tribunal[4].
(1) The Central Government shall, by notification,
establish one or more appellate tribunals to be known
as the Cyber Regulations Appellate Tribunal.
Comment- This tribunal is established by the
government under this Act and the government itself
decides the matters and places as to where the
tribunal would exercise its jurisdiction. It is considered
as the first appellate tribunal where the appeal from
the orders of control board or the adjudicating officers
is preferred. Further any person aggrieved by the
decision of appellate tribunal may prefer appeal in High
Court within sixty days from the date of
communication of such decision or order.

19. • The Information Technology Act 2000 seems exhaustive when it comes to
adjudicate the matter where the parties are Indian citizen and the offence
or any contravention has been committed in India as the Indian Courts
follow the Principle of lex foris that means the law of the country but it
still creates confusion in order to exercise its extra territorial jurisdiction
where the offence has been committed outside India or by any non-
citizen.
• For instance, if an American citizen damaged the reputation of one of the
Indian Politician by publishing lewd comments through the social media
and the aggrieved person approached to Indian court for the justice. It is
obvious that IT act, 2000 provides for extra territorial jurisdiction but the
issue arises here that how far would it be effective to bring the American
citizen to India to be prosecuted for cyber defamation as the IT Act is not
applicable to the American citizen.
• Apart of IT Act 2000, there are other relevant legislation under Indian laws
that gives the authority to India Courts to adjudicate the matters related
to cyber-crimes such as:
• Sec 3 and 4 of Indian penal code 1882 also deals with the extra territorial
jurisdiction of Indian courts.
• Section 188 of CrPC 1973 provides that even if a citizen of India outside
the country commits the offence, the same is subject to the jurisdiction of
courts in India. Section 178 deals with the crime or part of it committed in
India and Section 179 deals with the consequences of crime in Indian
Territory.

20. • Relevant cases laws:
• SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra[7]
This is a case related to cyber defamation. This is first case of its kind from India. In
this case, the defendant was an employee of the plaintiff's company who used to
send derogatory, obscene, vulgar, and abusive emails to his employers and also to
different subsidiaries of the said company all over the world. The motive behind
sending those emails was to malign the reputation of the company and its
Managing Director all over the world.
• The High Court of Delhi assumed jurisdiction over a matter of defamation of
reputation of corporate through e-mails. An ex-parte injunction was granted by the
court.
• SIL Import v. Exim Aides Silk Importers
• In this case the court successfully highlighted the need of interpretation of the
statute by judiciary in the light of technological advancement that has occurred so
far . Until there is specific legislation in regard to the jurisdiction of the Indian
Courts with respect to Internet disputes, or unless India is a signatory to an
International Treaty under which the jurisdiction of the national courts and
circumstances under which they can be exercised are spelt out, the Indian courts
will have to give a wide interpretation to the existing statutes, for exercising
Internet disputes.

21. • Impresario Entertainment & Hospitality Pvt. Ltd. vs S&D
Hospitality
• Facts – in this case the plaintiff's company offers restaurant services
which has its registered office in Mumbai and is carrying its
business in New Delhi and a restaurant under the name and style of
'SOCIAL' which it has trademark and has various branches as well.
The plaintiff came to know about the defendant's restaurant in
Hyderabad under the name 'SOCIAL MONKEY.
• Also, it has a popular beverage by the name A GAME OF SLING and
the defendant has named a beverage as Hyderabad Sling which is
identical or deceptively similar to the plaintiff's beverage. Both
these outlets had entered into contract with websites like Zomato
and Dine Out and so the information of both, along with menu and
contact info was made available on the websites of Zomato and
Dine Out.

22. India and international convention over cyber
jurisdiction:
• Convention on Cyber crime, 2001 also known as the Budapest Convention, is the
first international treaty which discusses about the Internet and cybercrime by
considering national laws, increasing cooperation among nations and improving
investigative techniques.
• It was signed by the Council of Europe in Strasbourg, France, Canada, Japan,
Philippines, South Africa and the United States.
• However, countries like India and Brazil have declined to adopt the Convention on
the grounds that they didn't participate in its drafting but due to increasing
incident of cyber crimes India has been reconsidering its stand on the convention
since 2018.
• Article 22 The Convention on Cyber Crime, 2001 allows the country to have
jurisdiction if the cyber crime is committed:
• In its territory;
• On board a ship flying the flag of the country;
• On board an aircraft registered under the laws of the country
• By one of the countries nationals, if the offence is punishable under criminal law
where it was committed or if the offence is committed outside the territorial
jurisdiction of any State.

23. United Nations Convention against Transnational
Organized Crime (UNTOC):
• this treaty was adopted by resolution of the UN General
Assembly in November 2000.
• India being a signatory to this joined in 2002.
• UNTOC is also known as the Palermo Convention, under
this the state parties are obliged to enact domestic criminal
offences that target organized criminal groups and to adopt
new frameworks for extradition, mutual legal assistance,
and law enforcement cooperation.
• Although the treaty does not explicitly address cyber-crime,
its provisions are highly relevant.
• In pursuant to this treaty Indian Parliament enacted the
Information Technology Act 2000.

24. For more on cyber jurisdiction issues
please search
• Sec 20 of code of civil procedure 1908
• Information technology Act 2000
• ibid
• Supra note 2
• Sec 3 and 4 Indian penal code,1860
• Section 178, 179 and 188 of Code of Criminal Procedure, 1973.
• Being Suit No. 1279/2001 available at
https://indiankanoon.org/doc/(Accessed on 31ST January, 2020)
• (1999) 4 SCC 567
• CS(COMM) 111/2017
• CS (OS) No 894 of 2008
• ETS185–Cybercrime (Convention) budapest, 23.XI.2001
• General Assembly resolution 55/25 of 15 November 2000

25. Issues relating to Evidence in cyber
Crimes

26. Handling of digital evidence
• In the private sector, the response to cybersecurity incidents (e.g., a
distributed denial of service attack, unauthorized access to systems, or
data breach) includes specific procedures that should be followed to
contain the incident, to investigate it and/or to resolve the cybersecurity
incident (Cyber Security Coalition, 2015).
• There two primary ways of handling a cybersecurity incident:
• recover quickly or gather evidence
• The first approach, recover quickly, is not concerned with the preservation
and/or collection of data but the containment of the incident to minimize
harm.
• Because of its primary focus on swift response and recovery, vital evidence
could be lost.
• The second approach, monitors the cybersecurity incident and focuses on
digital forensic applications in order to gather evidence of and information
about the incident.
• Because of its primary focus of evidence collection, the recovery from the
cybersecurity incident is delayed.
• These approaches are not exclusive to the private sector. The approach
taken by the private sector varies by organization and the priorities of the
organization.

27. • Digital evidence is volatile and fragile and the improper handling of
this evidence can alter it.
• Because of its volatility and fragility, protocols need to be followed
to ensure that data is not modified during its handling (i.e., during
its access, collection, packaging, transfer, and storage).
• These protocols delineate the steps to be followed when handling
digital evidence.
• There are four phases involved in the initial handling of digital
evidence:
• identification,
• collection,
• acquisition, and
• preservation
• ISO/IEC 27037 ;
Handling of digital evidence

28. ISO/IEC 27037:2012
(Information technology — Security techniques — Guidelines for
identification, collection, acquisition and preservation of digital evidence)
• ISO/IEC 27037:2012 provides guidelines for
specific activities in the handling of digital
evidence, which are identification, collection,
acquisition and preservation of potential digital
evidence that can be of evidential value.
• It provides guidance to individuals with respect to
common situations encountered throughout the
digital evidence handling process and assists
organizations in their disciplinary procedures and
in facilitating the exchange of potential digital
evidence between jurisdictions.

29. ISO/IEC 27037:2012
(Information technology — Security techniques — Guidelines for
identification, collection, acquisition and preservation of digital evidence)
• ISO/IEC 27037:2012 gives guidance for the following
devices and circumstances:
• Digital storage media used in standard computers like hard
drives, floppy disks, optical and magneto optical disks, data
devices with similar functions,
• Mobile phones, Personal Digital Assistants (PDAs), Personal
Electronic Devices (PEDs), memory cards,
• Mobile navigation systems,
• Digital still and video cameras (including CCTV),
• Standard computer with network connections,
• Networks based on TCP/IP and other digital protocols, and
• Devices with similar functions as above.

30. Protocols for the collecting volatile evidence.
• There are protocols for the collecting volatile evidence.
• Volatile evidence should be collected based on the order of
volatility; that is, the most volatile evidence should be collected
first, and the least volatile should be collected last. T
• The Request for Comments (RFC) 3227 document provides the
following sample of the order of volatile data (from most to least
volatile) for standard systems):
• registers, cache
• routing table, ...[address resolution protocol or ARP] cache, process
table, kernel statistics, memory
• temporary file systems
• disk
• remote logging and monitoring data that is relevant to the system
in question
• physical configuration, network topology
• archival media

31. Identification of Digital Evidence
• In the identification phase, preliminary information is obtained
about the cybercrime case prior to collecting digital evidence.
• This preliminary information is similar to that which is sought
during a traditional criminal investigation.
• The investigator seeks to answer the following questions:
• Who was involved?
• What happened?
• When did the cybercrime occur?
• Where did the cybercrime occur?
• How did the cybercrime occur?
• The answers to these questions will provide investigators with
guidance on how to proceed with the case. For example, the
answer to the question "where did this crime occur?" - that is,
within or outside of a country's - will inform the investigator on how
to proceed with the case (e.g., which agencies should be involved
and/or contacted).

32. • In the identification phase, cybercrime investigators use many traditional
investigative techniques, especially with respect to information and
evidence gathering.
• For example, victims, witnesses, and suspects of a cybercrime are
interviewed to gather information and evidence of the cybercrime under
investigation.
• Undercover law enforcement investigations have also been conducted to
identify, investigate, and prosecute cybercriminals.
• Additionally, cybercrime investigators have conducted covert surveillance.
This tactic is a "particularly intrusive method for collecting evidence.
• The use of covert surveillance measures involves a careful balancing of a
suspect's right to privacy against the need to investigate serious
criminality.
• Provisions on covert surveillance should fully respect "the rights of the
suspect. There have been various decisions of international human rights
bodies and courts on the permissibility of covert surveillance and the
parameters of these measures“
• Even malware has been used by law enforcement agencies to conduct
surveillance in order to gather information about and evidence of
cybercrime. For example, US law enforcement agencies are using
networking investigation techniques (NITs), "specially designed exploits or
malware," in their investigations of online child sexual exploitation and
abuse.

33. • Before digital evidence collection begins, the investigator must
define the types of evidence sought.
• Digital evidence can be found on digital devices, such as computers,
external hard drives, flash drives, routers, smartphones, tablets,
cameras, smart televisions, Internet-enabled home appliances (e.g.,
refrigerators and washing machines), and gaming consoles (to name
a few), as well as public resources (e.g., social media platforms,
websites, and discussion forums) and private resources (e.g.
Internet service providers logs of user activity; communication
service providers business records; and cloud storage providers
records of user activity and content).
• Many applications, websites, and digital devices utilize cloud
storage services. Users' data can thus be stored wholly or in
fragments by many different providers in servers in multiple
locations.
• Because of this, retrieving data from these providers is challenging .
• The evidence sought will depend on the cybercrime under
investigation.
• If the cybercrime under investigation is identity-related fraud, then
digital devices that are seized will be searched for evidence of this
crime (e.g., evidence of a fraudulent transactions or fraudulent
transactions).

34. 2. Collection of Digital Evidence
• With respect to cybercrime, the crime scene is not limited to the physical
location of digital devices used in the commissions of the cybercrime
and/or that were the target of the cybercrime.
• The cybercrime crime scene also includes the digital devices that
potentially hold digital evidence, and spans multiple digital devices,
systems, and servers.
• The crime scene is secured when a cybercrime is observed, reported,
and/or suspected.
• The first responder identifies and protects the crime scene from
contamination and preserves volatile evidence by isolating the users of all
digital devices found at the crime scene (e.g., holding them in a separate
room or location).
• The users must not be given the opportunity to further operate the digital
devices. Neither should the first responder nor the investigator seek the
assistance of any user during the search and documentation process.
• The investigator, if different from the first responder, searches the crime
scene and identifies the evidence.

35. • Before evidence is collected, the crime scene is documented.
• Documentation is needed throughout the entire investigative
process (before, during, and after the evidence has been acquired).
• This documentation should include detailed information about the
digital devices collected, including the operational state of the
device - on, off, standby mode - and its physical characteristics, such
as make, model, serial number, connections, and any markings or
other damage.
• In addition to written notes, sketches, photographs and/or video
recordings of the crime scene and evidence are also needed to
document the scene and evidence.
• Collecting volatile data can alter the memory content of digital
devices and data within them.
• The investigator, or crime scene technician, collects the evidence.
• The collection procedures vary depending on the type of digital
device, and the public and private resources where digital evidence
resides (e.g., computers, phones, social media, and cloud; for
different digital forensics practices pertaining to multimedia, video,
mobile).

36. • Law enforcement agencies have standard operating procedures that detail
the steps to be taken when handling digital evidence on mobile devices,
Internet-enabled objects (e.g., watches, fitness trackers, and home
appliances), the cloud, and social media platforms.
• A standard operating procedure (SOP) is designed to assist investigators by
including the policies and sequential acts that should be followed to
investigate cybercrime in a manner that ensures the admissibility of
collected evidence in a court of law, as well as the tools and other
resources needed to conduct the investigation .
• Unique constraints that could be encountered during the investigation
should be identified.
• For instance, cybercrime investigators could encounter multiple digital
devices, operating systems, and complex network configurations, which
will require specialized knowledge, variations in collection procedures, and
assistance in identifying connections between systems and devices (e.g., a
topology of networks).
• Anti-forensics techniques such as steganography (i.e., the stealthy
concealment of data by both hiding content and making it invisible)
and encryption (i.e., "physically blocking third-party access to a file, either
by using a password or by rendering the file or aspects of the file
unusable;"

37. • Because of this, the investigator should be prepared for these
situations and have the necessary human and technical resources
needed to deal with these constraints.
• The actions taken by the investigator in these cases (e.g., the ability
of the investigator to obtain the passwords to those devices and/or
decrypt the files), if any, depends on national laws .
• Digital forensics tools can assist in this endeavour by, for example,
identifying steganography and decrypting files, as well as perform
other critical digital forensics tasks.
• Examples of such tools include Forensic Toolkit (FTK) by Access
Data, Volatile Framework, X-Ways Forensics.
• Along with these resources, a forensic toolkit is needed, which
contains the objects needed to document the crime scene, tools
need to disassemble devices and remove other forms of evidence
from the crime scene, and material needed to label and package
evidence (e.g., for smartphones, a Faraday bag, which blocks
wireless signals to and from the digital device, and a power bank
are needed and used to transport them), among other items .

38. • The actual collection of the evidence involves the preservation of volatile evidence
and the powering down of digital devices.
• The state of operation of the digital devices encountered will dictate the collection
procedures.
• For instance, if a computer is encountered, if the device is on, volatile evidence
(e.g., temporary files, register, cache, and network status and connections, to
name a few) is preserved before powering down the device and collecting.
• If the device is off, then it remains off and is collected.
• There are circumstances where digital devices will not and cannot be collected
(e.g., due to size and/or complexity of the systems and/or their hardware and
software configurations, because these systems provide critical services).
• In these situations, volatile and non-volatile data are collected through special
procedures that require live acquisition
• The type of digital device encountered during an investigation will also dictate the
manner in which digital evidence is collected (see, for example, SWGDE Best
Practices for Mobile Device Evidence Preservation and Acquisition, 2018; SWGDE
Best Practices for the Acquisition of Data from Novel Digital Devices;).
• Commands can be used to obtain volatile data from live systems. For example, for
Windows operating systems the command ipconfig is used to obtain network
information, whereas for Unix operating systems, the command ifconfig is used.
• For both Windows and Unix, the command netstat is used to obtain information
about active network connections.

39. • In addition to digital devices, other relevant items (e.g.,
notes and/or notebooks that might include passwords
or other information about online credentials,
telephones, fax machines, printers, routers, etc.)
should be collected as well.
• The actions taken by the investigator during the
collection of evidence should be documented.
• Each device should be labelled (along with its
connecting cables and power cords), packaged, and
transported back to a digital forensics laboratory.
• Once the items are transported to the laboratory, they
are "inventoried, recorded, and secured in a locked
room…away from extreme temperatures, humidity,
dust, and other possible contaminants".

40. Acquisition of Digital Evidence
• Different approaches to performing
acquisition exist.
• The approach taken depends on the type of
digital device.
• For example, the procedure for acquiring
evidence from a computer hard drive is
different from the procedure required to
obtain digital evidence from mobile devices,
such as smartphones.

41. Preservation of Digital Evidence
• Evidence preservation seeks to protect digital
evidence from modification.
• The integrity of digital evidence should be
maintained in each phase of the handling of
digital evidence.

42. Analysis and Reporting of Digital
evidence
• In addition to the handling of digital evidence, the digital forensics process
also involves the examination and interpretation of digital evidence
( analysis phase), and the communication of the findings of the analysis
( reporting phase).
• During the analysis phase, digital evidence is extracted from the device,
data is analysed, and events are reconstructed.
• The results of the analysis are documented in a report. The reports should
be as clear and precise as possible.
• Demonstrative material (e.g., figures, graphs, outputs of tools) and
supporting documents, such as chain of custody documentation should be
included, along with a detailed explanation of the methods used and steps
taken to examine and extract data .
• The findings should be explained in light of the objectives of the analysis
(i.e., the purpose of the investigation and the case under investigation).
• Information about the limitations of the findings should also be included
in the report. The content of the report varies by jurisdiction depending
on national policies (wherever present) regarding investigations and digital
forensics.

43. India’s Stand on Digital Evidence
• The Information Technology (IT) Act 2000 was amended to allow for the
admissibility of digital evidence. An amendment to the Indian Evidence Act 1872,
the Indian Penal Code 1860 and the Banker's Book Evidence Act 1891 provides the
legislative framework for transactions in electronic world.
• Section 65 of the Evidence Act sets out the situations in which primary evidence of
the document need not be produced, and secondary evidence - as listed in section
63 of the Evidence Act - can be offered. This includes situations when the original
document
• Is in hostile possession.
• Or has been proved by the prejudiced party itself or any of its representatives.
• Is lost or destroyed.
• Cannot be easily moved, i.e. physically brought to the court.
• Is a public document of the state.
• Can be proved by certified copies when the law narrowly permits; and
• Is a collection of several documents.
• New sections 65-A and 65-B are introduced to the Evidence Act, under the Second
Schedule to the IT Act.
• Section 65-A provides that the contents of electronic records may be proved in
accordance with the provisions of Section 65-B. Section 65-B provides that
notwithstanding anything contained in the Evidence Act, any information
contained in an electronic, is deemed to be a document and is admissible in
evidence without further proof of the original's production, provided that the
conditions set out in Section 65-B are satisfied.

44. ELECTRONIC EVIDENCE -CASE LAW'S
• Amitabh Bagchi Vs. Ena Bagchi (AIR 2005 Cal 11) [Sections 65-A and 65-B
of Evidence Act, 1872 were analyzed.] The court held that the physical
presence of person in Court may not be required for purpose of adducing
evidence and the same can be done through medium like video
conferencing. Sections 65-A and 65-B provide provisions for evidences
relating to electronic records and admissibility of electronic records, and
that definition of electronic records includes video conferencing.
• State of Maharashtra vs. Dr Praful B Desai (AIR 2003 SC 2053) [The
question involved whether a witness can be examined by means of a video
conference.] The Supreme Court observed that video conferencing is an
advancement of science and technology which permits seeing, hearing
and talking with someone who is not physically present with the same
facility and ease as if they were physically present. The legal requirement
for the presence of the witness does not mean actual physical presence.
The court allowed the examination of a witness through video
conferencing and concluded that there is no reason why the examination
of a witness by video conferencing should not be an essential part of
electronic evidence.

45. • DHARAMBIR Vs. CENTRAL BUREAU OF INVESTIGATION (148 (2008) DLT
289).
• The court arrived at the conclusion that when Section 65-B talks of an
electronic record produced by a computer referred to as the computer
output) it would also include a hard disc in which information was stored
or was earlier stored or continues to be stored.
• It distinguished as there being two levels of an electronic record.
• One is the hard disc which once used itself becomes an electronic record
in relation to the information regarding the changes the hard disc has
been subject to and which information is retrievable from the hard disc by
using a software program.
• The other level of electronic record is the active accessible information
recorded in the hard disc in the form of a text file, or sound file or a video
file etc.
• Such information that is accessible can be converted or copied as such to
another magnetic or electronic device like a CD, pen drive etc.
• Even a blank hard disc which contains no information but was once used
for recording information can also be copied by producing a cloned had or
a mirror image.

46. Thank you