Admissibility of Electronic Evidence


Chapter VII

CYBER FORENSICS AND ADMISSIBILITY OF DIGITAL EVIDENCE

We need courage to throw away old garments which have had their
day and no longer fit the requirements of the new generation.

- Fridtjof Nansen.

7.1 INTRODUCTION

In the past decade, cybercrime has become an increasingly debated topic and subject of
research across the world. It is clear that the rapid growth of the Internet has created
unprecedented new opportunities for potential cyber criminals and terrorist groups.
These developments present serious challenges for law and the criminal justice system as
it struggles to answer the questions of 'where' crime takes place and "who" is the
offender in cyberspace. Therefore, criminology itself may need to start looking for
some new tools for these cybercrimes.

In general, the investigation of cybercrimes, particularly the gathering,
processing and presentation of appropriate evidence before the court for a criminal
prosecution, is a herculean task and a complex issue because of the intangible and transient
nature of data in cyberspace. The technology renders the process of investigation and
recording of evidence extremely vulnerable to defense claims of errors, i.e. technical
malfunction, prejudicial interference, or fabrication of computer data. To gain a
realistic measure of cybercrime and cyber terrorism, in this Chapter a humble attempt
has been made to trace out the incriminating materials and electronic records for the
administration of justice.

7.2 ORIGIN AND EVOLUTION OF CYBER FORENSICS

The exact date of the onset of the practice of forensic science is unclear. There
are many different fields in which forensic science can be applied, i.e. medical
forensics, ballistic forensics and cyber forensics itself. In the Chinese book Hsi
Duan Yu (The Washing Away of Wrongs), which appeared about 1248 AD, the
author highlighted detailed methods to distinguish the effects of different ways
of dying, for example death by drowning as opposed to death by strangulation[1].
Nearly 700 years later, the first crime laboratory was established in the United
States by the Los Angeles Sheriff Department in 1930[2]. Howard Schmidt, who
served as an advisor to President George W. Bush and President Barack Obama,
is credited with establishing the first U.S. government digital forensics
laboratory.[3] Although forensic science has been evolving for many centuries,
digital forensics is a relatively new development.

Before addressing the definitions of cyber forensics it is necessary for the
researcher to trace out the evolution of cyber forensics. A comprehensive discussion
about the origin and evolution of forensic science, particularly cyber forensics, would
help us to develop an articulation about the nature of cyber forensics, its application
and limitations. The field of contemporary cyber forensics is in a transitional state. In
general, cyber forensics evolved when the reporting of incidents of cybercrime
started, so as to gather evidence from the host or target computer and the Internet.
Although the Internet is a universal abstract, even then, internationally, there is not even a
single unanimously accepted document providing standards or best practices, nor is
there a generally accepted governing body for the field.

The 1980s saw the beginnings of a need for techniques for dealing with
crimes committed through/against the computer. In 1984 in the United Kingdom,
New Scotland Yard formed a Computer Crime Unit[4], and thereafter in the same year
the Federal Bureau of Investigation established a Magnetic Media Program (MMP),
their first computer forensics initiative, which was responsible for computer forensics
examinations[5]. The Magnetic Media Program later became the Computer Analysis
and Response Team (CART). The late 80's and early 90's saw the proliferation of the
platform, and in the early 90's, the widespread recognition that new techniques were
required for preserving digital evidence.

[1] Stuart Kind and Michael Overman, Science against Crime, Doubleday Publisher, New York, 1972.
[2] Peter De Forest, R.E. Gaensslen and Henry C. Lee, Forensic Science: An Introduction to
Criminalistics, McGraw Hill Publications, New York, 1983.
[3] Greg Gogolin, Digital Forensics Explained, CRC Press, New York, 2012, p. 2.
[4] It is the only dedicated unit in the United Kingdom and has certain national responsibilities including
liaison with telecommunication organisations, training, network crimes abroad, virus collation and
coordination of major enquiries. It was one of the first active and dedicated units to be formed and its
methodologies have become models for organisation and techniques for similar units being formed in
other countries. Retrieved from ieeexplore.ieee.org/document/576554/, on 25/06/2017 at 14:56 hrs.

The first specific forensic imaging tool, IMDUMP[6], the first
software for taking a bit-stream back-up, was developed by Michael White in the USA and was
superseded in 1991 by a tool called SafeBack[7]. In the United Kingdom in the same
year, i.e. 1991, another disk imaging application called the Data Image Back-up System
(DIBS)[8] was produced. Computer forensics practitioners began to organise and evaluate
their techniques and practices; in 1993 the first International Law Enforcement
Conference on Computer Evidence (ILECCE) was hosted by the FBI. This was
attended by 70 representatives of various U.S. federal, state and local law
enforcement agencies. All agreed that standards for computer forensic science were
lacking and needed. This conference convened again in Baltimore, Maryland, in 1995,
Australia in 1996 and the Netherlands in 1997, and ultimately resulted in the
formation of the International Organization on Computer Evidence (IOCE). In
addition, a Scientific Working Group on Digital Evidence (SWGDE) was formed to
address these same issues among federal law enforcement agencies.[9] Around this time
audio and video technologies were moving from analogue to digital, which led
practitioners to consider whether the same principles of computer forensics applied to
all types of digital evidence.

Efforts to define the principles of computer forensics resulted in 1999 in the
adoption by the IOCE of proposals authored by member organisations, the Scientific
Working Group on Digital Evidence (SWGDE), from the USA, and the Association
of Chief Police Officers (ACPO), from the UK[10]. The ACPO proposal has evolved
into what is known as the "Good Practice Guide for Computer based Electronic
Evidence"[11]. In 2002, based on the IOCE's 2000 submission, the G8 issued the "G8
Proposed principles for the procedures relating to digital evidence". In Australia, the
move towards formal standardisation of the management and treatment of digital
evidence began with the 2003 definition of guidelines for the management of
e-evidence.[12]

[5] Darren R. Hayes, A Practical Guide to Computer Forensics Investigations, Pearson Publications,
2015, p. 15.
[6] George Mohay (et al), Computer and Intrusion Forensics, Artech House, London, 2003, p. 115.
[7] G. Mohay (et al), "Computer and intrusion Forensics", Artech House Inc., Norwood Am. USA, 2003.
[8] Image-based backup system is a backup process for a computer or virtual machine that creates a copy
of the operating system and all the data associated with it, including the system state and application
configurations. The backup is saved as a single file that is called an image. A system image is a file or
set of files containing everything on a PC's hard drive, or just from one single partition. A system
imaging program looks at the hard drive, copying everything bit by bit. Retrieved from
http://searchdatabackup.techtarget.com/definition/image-based-backup, on 26/06/2017 at 15:24 hrs.
[9] M.G Noblett (et al), Recovering and Examining Computer Forensic Evidence (on-line). Forensic
Science Communications, Vol. 2(4), 2000. Available at
http://www.fbi.gov.hq/lab/fsc/backissu/oct2000/computer.htm.

The academic history of computer forensics goes back to the late 80's and
early 90's with work by Collier and Spaul[13], Sommer[14] and Spafford[15]. By the late
90's very little had been published in the open literature on computer forensics[16];
however, the new millennium has seen an upturn in both digital forensics targeted
publications and conferences, including the first two specifically targeted journals.
The first digital forensics targeted conference, The Digital Forensics Research
Workshop, was established in 2001, followed by the International Journal of Digital
Evidence in 2002 and the International Journal of Digital Investigation in 2004. That
digital forensics has been made the subject of a recent special issue of the
Communications of the Association of Computing Machinery (CACM)[17] is
indicative of the transition of the field towards the mainstream.

[10] Brill, A.E., M. Pollitt, and C.M. Whitcomb, The Evolution of Computer Forensic Best Practices: An
Update on Programs and Publications, Journal of Digital Forensic Practice, Vol. 1(1), 2006, pp. 2-11.
[11] Good Practice Guide for Computer based Electronic Evidence, 2006; Retrieved from:
http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf, on 26/06/2017 at
16:26 hrs.
[12] Standards Australia Handbook: HB-171: Guidelines for the Management of IT Evidence, 2003.
Retrieved from http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN016411.pdf,
on 25/06/2017 at 15:58 hrs.
[13] Collier, P.A. and B.J. Spaul, A Forensic Methodology for Countering Computer Crime, Journal of
Forensic Science, Vol. 32(1), 1992.
[14] P. Sommer, Computer Forensics: an Introduction, 1997; Available from:
http://www.virtualcity.co.uk/vcaforens.htm, on 26/06/2017 at 17:24 hrs.
[15] E.H. Spafford, and S.A. Weeber, Software Forensics: Can we Track Code to its Authors?, Computers
and Security, Vol. 12(6), 1993, pp. 585-595.
[16] G. Mohay, From Computer Forensics to Digital Forensics, in 1st International Conference on
Information Security and Computer Forensics, Chennai, India, 2006.
[17] ACM, Next-generation Cyber Forensics, Communications of the ACM, Vol. 49(2), 2006.


Following Daubert[18], the decision in Kumho Tire v. Carmichael[19] extended
the Daubert standard to the qualification of expert witnesses by its interpretation of
Federal Rule of Evidence. The majority of jurisdictions in the country favour the
Daubert standard over the "general accepted practices" standard set forth in Frye v.
United States[20]. Computer forensics is the art and science of applying computer
science to aid the legal process. Although plenty of science is attributable to computer
forensics, most successful investigators possess a nose for investigations and a skill for
solving puzzles, which is where the art comes in[21].

7.3 DEFINITIONS AND CONCEPTIONS OF CYBER FORENSICS

In general, the way e-evidence is scientifically collected, systematically
arranged and effectively presented before the court is known as cyber forensics. Now,
before going through the nature and characteristics of cyber forensics, it is
necessary to observe the various definitions of cyber forensics given by prolific
writers, renowned organisations etc. Some of the working definitions of cyber
forensics are as follows:

The American Heritage Dictionary defines forensics as 'relating to the use of
science or technology in the investigation and establishment of facts or evidence in a
court of law'[22].

According to Encyclopedia Britannica, computer forensics is the investigation
of computer systems believed to be involved in cybercrime. Forensics software
provides a variety of tools for investigating a suspect PC; such programs may copy the
entire hard drive to another system for inspection, allowing the original to remain
unaltered[23].

[18] 509 U.S. 579, 595 (1993). The decision in Daubert set forth a five pronged standard for judges to
determine whether scientific evidence is admissible in Federal Court, as:
a) Testing: Has the scientific procedure been independently tested?
b) Peer Review: Has the scientific procedure been published and subjected to peer review?
c) Error rate: Is there a known error rate, or potential to know the error rate, associated with the
use of the scientific procedure?
d) Standards: Are there standards and protocols for the execution of the methodology of the
scientific procedure?
e) Acceptance: Is the scientific procedure generally accepted by the relevant scientific
community?
[19] 526 U.S. 137 (1999).
[20] Sean L. Harrington, Collaborating with a Digital Forensics Expert: Ultimate Tag-Team or Disastrous
Duo, 38 Wm. Mitchell Law Review, Vol. 38, 2011, pp. 353, 367-69.
[21] Chris L.T. Brown: "Computer Evidence Collection and Preservation".
[22] Ibrahim M. Baggili, Richard Mislan, Marcus Rogers, Mobile Phone Forensics Tool Testing: A
Database Driven Approach, International Journal Of Digital Evidence, Fall, Volume 6 Issue 2, 2007.

Judd Robbins, a prominent computer forensics investigator, defines computer
forensics as "the application of computer investigation and analysis techniques in the
interests of determining potential legal evidence"[24].

According to Steve Hailey of Cyber security Institute[25], computer forensics is
"The preservation, identification, extraction, interpretation, and documentation of
computer evidence, to include the rules of evidence, legal processes, integrity of
evidence, factual reporting of the information found, and providing expert opinion in
a court of law or other legal and/or administrative proceeding as to what was
found."[26]

Noblett defined computer forensic science as the science of acquiring,
preserving, retrieving and presenting data that has been processed electronically and
stored on computer media[27]. According to Chris L. T. Brown,
computer forensics is the art and science of applying computer science to aid the legal
process[28].

Jerry Wegman, an Associate Professor of Business Law, states that
computer forensics has developed as an indispensable tool for law enforcement. But
in the digital world, as in the physical world, the goals of law enforcement are
balanced with the goals of maintaining personal liberty and privacy. Computer
forensic investigators must be aware of the legal environment in which they work, or
they risk having the evidence they obtain being ruled inadmissible[29]. Ms. Erin
Kenneally further opined about computer forensics: "Since forensic science is the
application of a scientific discipline to the law, the essence of all forensic disciplines
concerns the principles applied to the detection, collection, preservation, and analysis
of evidence to ensure its admissibility in legal proceedings. Computer forensics refers
to the tools and techniques to recover, preserve, and examine data stored or
transmitted in binary form."[30]

[23] Techopedia.
[24] Ravi Kumar Jain "Cyber Forensics: Investigating Crimes in the Cyber World". Usha (Ed.), Cyber
Forensics.Digital Experience, The ICFAI University Press, Hyderabad, 2008, p. 7.
[25] Steve Hailey is an Information Technology veteran of thirty years, with twenty-three years of
experience developing and delivering technical training. Steve has twenty-seven years of data recovery
experience, and has been conducting digital forensic analysis professionally for sixteen years. He is a
highly skilled expert witness and dynamic instructor, bringing to bear his combined skills in
information security and digital forensic analysis. He currently instructs the information security and
digital forensics curriculum at Edmonds Community College in Washington State. Retrieved from
http://www.cybersecurityinstitute.biz/experts.htm, on 26/06/2017 at 18:20 hrs.
[26] S. Hailey, What is Computer Forensics, 2003. Retrieved from
http://www.cybersecurityinstitute.biz/forensics.htm, on 26/06/2017 at 18:15 hrs.
[27] Michael G. Noblett, Mark M. Pollitt and Lawrence A. Presley, Recovering and Examining Computer
Forensic Evidence, Forensic Science Communications, Vol.2 No.4 (October), 2000.
[28] Chris L.T. Brown "Computer Evidence Collection and Preservation".

In the Digital Forensics Research Workshop[31], computer forensics is defined as
"the use of scientifically derived and proven methods towards the preservation,
collection, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to be criminal, or helping
to anticipate unauthorised actions shown to be disruptive to planned operations."

Computer forensics is the process of using scientific knowledge in the
collection, analysis and presentation of digital evidence to the courts. It is new in the
field of forensic science, but it changes faster than traditional forensic disciplines and
has created a number of challenges to the existing legal and forensic practices. A
successful computer forensic investigation often depends on a systematic and
well-defined approach. Cyber forensics is an electronic discovery technique used to
determine and reveal technical criminal evidence, involving electronic data storage extraction
for legal purposes. It is the art of collecting, analysing, preserving and presenting
digital evidence collected from a computer in a legally acceptable manner. The
process of computer forensics is quite complex and involves various activities;
thus, due care must be taken so that the evidence is not altered or tampered with in
any way. In other words, it is the science of locating and analysing
types of data from different devices, which specialists then interpret to serve as legal
evidence. At a basic level, computer forensics is the analysis of information contained
within and created with computer systems and computing devices, typically in the
interest of figuring out what[32].

[29] Jerry Wegman, Computer Forensics: Admissibility of Evidence in Criminal Cases, Journal of Legal,
Ethical and Regulatory Issues, Vol. 8(1), 2005. Retrieved from
https://www.forensicmag.com/article/2014/03/professional-ethics-digital-forensics-discipline-part-1,
on 28/06/2017 at 23:52 hrs.
[30] Erin Kenneally, Computer Forensics, The Magazine of Usenix & Sage, Volume 27, number 4,
August 2002.
[31] The Digital Forensic Research Conference, New York, Aug 7th - 8th, 2001.

7.4 TYPES OF CYBER FORENSICS

There isn't any single approved technology to collect digital evidence
through cyber forensics. This is because a computer is a device with a very complex
assembly of different apparatus. The vast nature of cyberspace also makes the
situation tough. Thus, different methods and tools are applied for the extraction of
e-evidence from various sources. Saying 'cyberspace' is very simple, but there are
numerous routes to it; hence, if there is any criminal activity committed through
cyberspace, we first have to ascertain the specificity and then switch towards the
use of appropriate tools, adoption of procedures etc. Based on the methods and sources
used for the collection of evidence or data during the investigation, cyber forensics
can be categorised as follows:

1) Data forensics,

2) System forensics,

3) Network forensics,

4) Internet forensics and

5) Anti-forensics

7.4.1 Data Forensics

Literally, data forensics means the cyber forensics of gathering evidence
from data stored in a computer or computer system. Data forensics deals with
recovering deleted files, passwords and cryptographic keys from the system's storage
devices or secondary memory disks like floppy disks, hard drives, USB drives, and
other similar devices. It is like a disk autopsy where the investigators dig into system
logs[33], application logs[34] and memory devices to view and analyse the time at which
files are accessed, created and modified. The analysis also aims at finding out what
changes are made to particular files and other memory components within a
prescribed time period. This enables investigators to determine activity at user level and
application level to understand the degree of damage that malicious activities can cause. It also
involves analysing stored e-mails and messages to obtain the source of information
and the content.

[32] Steve Hailey, International Journal of Advanced Computer Science and Applications, Vol. 2, No.11,
2011.

Disk storage and RAM[35] are the two most common data repositories, but
there are a great number of places, even outside the system if it is connected to a
network, from where useful data can be traced. A forensic examination of a database
may relate to the timestamps that apply to the update time of a row in a relational
table being inspected and tested for validity in order to verify the actions of a database
user. The forensic study of relational databases requires knowledge of the standard
used to encode data on the computer disk.

[33] The system log (syslog) contains a record of the operating system (OS) events that indicates how the
system processes and drivers were loaded; it also contains the events that are logged by the operating
system components. These events are often predetermined by the operating system itself. Syslog files
may contain information about device changes, device drivers, system changes, events, operations and
more. The syslog shows informational, error and warning events related to the computer OS. By
reviewing the data contained in the log, an administrator or user troubleshooting the system can
identify the cause of a problem or whether the system processes are loading successfully. Retrieved
from https://www.techopedia.com/definition/1858/system-log-syslog, on 28/06/2017 at 23:23 hrs.
[34] An application log is a file of events that are logged by a software application. It contains errors,
informational events and warnings. The format and content of an application log are determined by the
developer of the software program, rather than the OS. An application normally contains code to write
various types of events to an application log file. The log file can reveal message flow issues and
application problems. It can also contain information about user and system actions that have occurred.
Logged events typically include the following:
- Warnings about low disk space,
- An operation that has been carried out,
- Any significant problems - known as error events - that prevent the application from
starting,
- A success audit to indicate a security event such as a successful logon and
- A failure audit to indicate an event such as a logon failure.
Retrieved from https://www.techopedia.com/definition/1819/application-log, on 28/06/2017 at 23:29
hrs.
[35] RAM (pronounced ramm) is an acronym for random access memory, a type of computer memory
that can be accessed randomly; that is, any byte of memory can be accessed without touching the
preceding bytes. RAM is the most common type of memory found in computers and other devices,
such as printers. Retrieved from www.webopedia.com/TERM/R/RAM.html, on 01/07/2017 at 16:03 hrs.


All data is volatile; however, as time passes the veracity of the information
goes down, and the ability to recall or validate the data also decreases. When looking
at stored information it is extremely difficult to verify that it has not been subverted or
changed. However, there are certain types of data which are generally more persistent,
or long-lasting, than others. Backup tapes[36], for instance, can typically be counted
upon to remain unchanged longer than things in RAM.

While conducting database forensics, the computer in question should first be
taken offline. There are some potential problems with this, since potential e-evidence
may be destroyed as the system generates errors, repeatedly retries connections, or in
general changes its state.
Alternatively, you might try cutting it off at the router and keeping it on a LAN[37], but DNS[38]
and network services as well as other systems in the area can still cause problems.

7.4.2 Systems Forensics

No computer system can run without an operating system (OS), and
system forensics is used to extract evidence from the operating system components,
such as BIOS[39], system registries[40], file system logs, event driven logs (for various
program execution) and file metadata. Here the investigator looks for changes in the
user behaviour as seen by system logs, away from the standard expected behaviour in
a standard environment. Every activity on a computer system or computer network is
facilitated by the OS; as such, most of the digital evidence can be found in the
computer's file system. The operating system maintains a log of events that helps in
monitoring, administering and troubleshooting the system in addition to helping users
get information about important processes. The system log (syslog) contains a record
of the OS events that indicates how the system processes and drivers were loaded.
The log contains information about the software, hardware, system processes and
system components. It also indicates whether the processes loaded successfully or not.

[36] Tape backup systems exist for needs ranging from backing up the hard disk on a personal computer
to backing up large amounts of data storage for archiving and disaster recovery purposes in a large
enterprise. Tape backups can also restore data to storage devices when needed. Tape can be one of the
best options for fixing an unstructured data backup problem because of its inexpensive operational and
ownership cost, capacity and speed. Magnetic tape is especially attractive in an era of massive data
growth. Retrieved from http://searchdatabackup.techtarget.com/definition/tape-backup on 01/07/2017
at 16:00 hrs.
[37] Local Area Network
[38] DNS is an abbreviation for Domain Name System, a system for naming computers
and network services that is organised into a hierarchy of domains. The DNS translates Internet domain
and host names to IP addresses and vice versa. DNS automatically converts between the names we type
in our Web browser address bar to the IP addresses of Web servers hosting those sites.
[39] Basic Input/Output System is non-volatile firmware used to perform hardware initialisation during
the booting process (power-on startup), and to provide runtime services for operating systems and
programs. The BIOS firmware comes pre-installed on a personal computer's system board, and it is the
first software run when powered on. BIOS is the program a personal computer's microprocessor uses to
get the computer system started when it is turned on. It also manages data flow between the computer's
operating system and attached devices such as the hard disk, video adapter, keyboard, mouse and
printer. Retrieved from https://www.google.co.in/?gfe_rd=cr&ei=AbVUWYvfNtGL8QeI3bL4BQ#q=BIOS,
on 29/07/2017 at 13:41 hrs.
[40] The system registry is one of the most important parts of a Windows-based computer system. Not to
be tampered with lightly, the registry is a system-defined database used by the Windows operating
system to store configuration information. Retrieved from
www.webopedia.com/DidYouKnow/Hardware_Software/windows_system_registry.asp, on 29/06/2017 at 14:09 hrs.

Log files are generated by all data processing equipment every time an activity
takes place. A log entry is an electronic fingerprint with an added element of time and
chronological order: we can know at what time that fingerprint was generated, so
we are able to reconstruct what happened and in what order. Analysing logs is the
primary way of doing forensics, and properly managed logs can also be used as
evidence in a court of law for prosecution purposes. System log data can be critical
for identifying the cause of a breach and collecting evidence for use in the legal
system.
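The reconstruction of "what happened and in what order" from several logs can be sketched as follows. This is an added example, not part of the original chapter: the log lines are constructed, and the year and time zone supplied for the syslog file are assumptions an examiner would have to document, because classic syslog timestamps carry neither.

```python
import re
from datetime import datetime, timedelta, timezone
from itertools import chain
from typing import NamedTuple

# Constructed sample lines (not taken from any real system).
SYSLOG_LINES = [
    "Jun 28 23:14:02 host1 sshd[811]: Accepted password for alice from 192.0.2.10",
    "Jun 28 23:15:40 host1 sudo: alice : COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/db",
    "Jun 28 23:15:05 host1 cron[402]: (root) CMD (run-parts /etc/cron.hourly)",
]
APP_LINES = [
    "2017-06-29T04:44:30+05:30 webapp INFO login ok user=alice",
    "2017-06-29T04:46:10+05:30 webapp WARN export of 5000 records user=alice",
]


class Event(NamedTuple):
    when: datetime   # always timezone-aware, normalised to UTC
    source: str      # which log the entry came from
    line_no: int     # 1-based position in the original file
    text: str


SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_syslog(lines, year, utc_offset_hours, source="syslog"):
    """Parse 'Mon DD HH:MM:SS host message' lines; year and offset are supplied
    by the examiner because the format records neither."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for n, line in enumerate(lines, 1):
        m = SYSLOG_RE.match(line)
        if not m:
            # Never drop a line silently: an unparsed entry is still evidence.
            raise ValueError(f"{source}:{n}: unrecognised line")
        local = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
        when = local.replace(tzinfo=tz).astimezone(timezone.utc)
        events.append(Event(when, source, n, m.group(3)))
    return events


def parse_iso(lines, source="app"):
    """Parse lines that start with an ISO 8601 timestamp carrying a UTC offset."""
    events = []
    for n, line in enumerate(lines, 1):
        stamp, _, text = line.partition(" ")
        when = datetime.fromisoformat(stamp)
        if when.tzinfo is None:
            raise ValueError(f"{source}:{n}: timestamp has no UTC offset")
        events.append(Event(when.astimezone(timezone.utc), source, n, text))
    return events


def build_timeline(*event_lists):
    """Merge events from all sources into one chronological (UTC) sequence."""
    return sorted(chain.from_iterable(event_lists),
                  key=lambda e: (e.when, e.source, e.line_no))


def out_of_order(events):
    """Line numbers whose timestamp is earlier than one already seen in the
    same file: a sign of clock changes, buffering or edited entries."""
    flagged, latest = [], None
    for ev in events:
        if latest is not None and ev.when < latest:
            flagged.append(ev.line_no)
        else:
            latest = ev.when
    return flagged


if __name__ == "__main__":
    sys_events = parse_syslog(SYSLOG_LINES, year=2017, utc_offset_hours=0)
    app_events = parse_iso(APP_LINES)
    for ev in build_timeline(sys_events, app_events):
        print(ev.when.isoformat(), f"{ev.source}:{ev.line_no}", ev.text)
    print("non-monotonic syslog lines:", out_of_order(sys_events))
```

Keeping the source name and original line number on every event lets each entry in the merged timeline be traced back to the exact line of the preserved log file.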

7.4.3 Network Forensics

Network forensics deals with the collection and analysis of data from
computers in a networked environment. In a networked arrangement, it is possible for
a criminal to take over another's system to do his job without having to run the risk of
being caught directly. However, network forensics observes the system activities in
the entire network by analysing evidence from normal operation using system logs,
firewall logs[41] and intrusion detection systems, and/or by using specific surveillance
programs like sniffers and extended logs, and by dissecting IP headers and data link
headers to obtain source and destination IP addresses and MAC addresses[42]. The IP address
provides the logical address of a computer, and the MAC address provides the physical
address of a computer in a network. This enables investigators to conduct activity
analysis of various computers on the network and locate the exact user/computer
which initiated malicious activities. For example, the origins of the Melissa[43] and Love Bug[44]
viruses were identified in this way.

[41] Firewall logs reveal a lot of information about the security threat attempts at the periphery of the
network and on the nature of traffic coming in and going out of the firewall. The analysed firewall log
information provides real-time information to administrators on security threat attempts so
that they can swiftly initiate remediation action. It allows planning of the bandwidth requirement based on
the bandwidth usage across the firewalls. Retrieved from
https://www.manageengine.com/products/firewall/firewall-logs.html, on 29/06/2017 at 14:32 hrs.
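The header dissection described above can be illustrated with a short parser for an Ethernet II frame carrying IPv4. This is an added example, not part of the original chapter: the frame is constructed in the code from documentation-range IP addresses and locally administered MAC addresses, and the result field names are chosen for illustration.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """Internet checksum over an IPv4 header; returns 0 for an intact header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame: bytes) -> dict:
    """Extract data link and IP layer addresses from one captured frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:                      # 802.1Q VLAN tag present
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    result = {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src),
        "src_oui": mac_str(src[:3]),             # first 3 bytes: manufacturer ID
        "vlan": vlan, "ethertype": ethertype,
        "src_ip": None, "dst_ip": None, "protocol": None, "checksum_ok": None,
    }
    if ethertype != 0x0800:                      # not IPv4: link layer only
        return result
    ip = frame[offset:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    header = ip[:ihl]                            # includes options when IHL > 5
    result.update(
        src_ip=str(ipaddress.IPv4Address(header[12:16])),
        dst_ip=str(ipaddress.IPv4Address(header[16:20])),
        protocol=header[9],
        checksum_ok=ipv4_checksum(header) == 0,
    )
    return result


def build_sample_frame() -> bytes:
    """Constructed frame: 192.0.2.10 -> 198.51.100.7, protocol 6 (TCP), no payload."""
    eth = bytes.fromhex("020000aabb02") + bytes.fromhex("020000aabb01") + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 6, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.7").packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    for key, value in dissect(SAMPLE_FRAME).items():
        print(f"{key:12} {value}")
```

A failed header checksum on a stored capture indicates that the bytes changed after transmission or were recorded incorrectly, which matters when the capture is offered as evidence.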

Network forensics is a comparatively new field of forensic science. It is a
sub-branch of digital forensics relating to the monitoring and analysis of computer
network traffic for the purposes of information gathering, legal evidence, or intrusion
detection. Unlike other areas of digital forensics, network investigations deal with
volatile and dynamic information. Network traffic is transmitted and then lost, so
network forensics is often a pro-active investigation. The growing popularity of the
Internet in homes means that computing has become network-centric and data is now
available outside of disk-based digital evidence. Network forensics can be performed
as a standalone investigation or alongside a computer forensics analysis (where it is
often used to reveal links between digital devices or reconstruct how a crime was
committed).
[42] Media Access Control address is a globally unique identifier assigned to network devices, and
therefore it is often referred to as hardware or physical address. MAC addresses are 6 bytes (48 bits) in
length, and are written in MM:MM:MM:SS:SS:SS format. The first 3 bytes are the ID number of the
manufacturer, which is assigned by an Internet standards body. The second 3 bytes are the serial number
assigned by the manufacturer. MAC layer represents layer 2 of the TCP/IP (adopted from OSI
Reference Model), where IP represents layer 3. MAC address can be thought of as supporting hardware
implementation whereas IP address supports software implementation. MAC addresses are
permanently burned into hardware by the hardware manufacturer, but IP addresses are assigned to the
network devices by a network administrator. Retrieved from https://www.iplocation.net/mac-address,
on 29/06/2017 at 14:46 hrs.
[43] Melissa is a fast-spreading macro virus that is distributed as an e-mail attachment that, when opened,
disables a number of safeguards in Word 97 or Word 2000, and, if the user has the Microsoft Outlook
e-mail program, causes the virus to be resent to the first 50 people in each of the user's address books.
Retrieved from https://www.google.co.in/?gfe_rd=cr&ei=TcRUWY_rEurx8AfUjIFw#q=melissa+virus
on 29/06/2017 at 14:50 hrs.
[44] A computer virus which exploited and shut down computer systems from Hong Kong to the Houses of
Parliament on 4th May, 2000 and caused untold millions of pounds worth of delays and damage to
stored files across the world. The virus, nicknamed "the love bug" after its apparent Philippine origins,
is carried in an email with the heading "ILOVEYOU". The text of the message reads: "Kindly check
the attached love letter from me!" A click on the attached file launches the virus, which promptly
spreads by sending itself to everyone in the recipient's email address book, overloading email systems.
Once embedded in a host computer, the virus can download more dangerous software from a remote
website, rename files and redirect internet browsers. Retrieved from
https://www.youtube.com/watch?v=h2d8cevZDIQ on 29/06/2017 at 15:00 hrs.


It generally has two uses. The first, relating to security, involves monitoring
a network for anomalous traffic and identifying intrusions. An attacker might be able
to erase all log files on a compromised host; network-based evidence might therefore
be the only evidence available for forensic analysis. The second form relates to law
enforcement, where the analysis of captured network traffic may include
reassembling transferred files, searching for keywords and parsing communication such as
emails or chat sessions.

Network forensics is the capture, recording, and analysis of network events in
order to discover the source of security attacks or other problem incidents. Systems
used to collect network data for forensic use usually come in two forms:

i ‘Catch-it-as-you-can’ systems, in which all packets passing through a
certain traffic point are captured and written to storage, with analysis
being done subsequently in batch mode. This approach requires large
amounts of storage, usually involving a RAID system.
ii ‘Stop, look and listen’ systems, in which each packet is analysed in a
rudimentary way in memory and only certain information is saved for
future analysis. This approach requires less storage but may require a
faster processor to keep up with incoming traffic.
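The two collection styles can be compared on the same traffic. The following is an added example, not part of the original chapter: it builds three constructed Ethernet frames, stores them whole ("catch-it-as-you-can") and as per-packet summaries ("stop, look and listen"), and splits the source MAC into manufacturer ID and serial as described in footnote 42. All addresses, ports and field names are assumptions chosen for illustration.

```python
import json
import socket
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet II / IPv4 / TCP frame (sample data, checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", 0x0800) + ip + tcp

# Constructed traffic as (timestamp, raw frame); addresses are documentation/test values.
SAMPLE_FRAMES = [
    (1.0, build_frame("00:11:22:aa:bb:cc", "00:11:22:00:00:01",
                      "192.0.2.10", "198.51.100.7", 49152, 25, b"A" * 1200)),
    (1.5, build_frame("00:11:22:aa:bb:cc", "00:11:22:00:00:01",
                      "192.0.2.10", "198.51.100.7", 49153, 80, b"B" * 1200)),
    (2.0, bytes.fromhex("ffffffffffff" "001122aabbcc" "0806") + b"\x00" * 28),  # non-IPv4
]

def summarize(frame, timestamp):
    """'Stop, look and listen': keep only header fields, discard the payload."""
    if len(frame) < 14:
        return None                                   # too short to be Ethernet
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rec = {"ts": timestamp, "src_mac": mac_str(src), "dst_mac": mac_str(dst),
           "src_oui": mac_str(src[:3]),               # manufacturer ID (first 3 bytes)
           "src_serial": mac_str(src[3:]),            # manufacturer-assigned serial
           "frame_len": len(frame)}
    if ethertype != 0x0800:
        rec["l3"] = f"ethertype 0x{ethertype:04x}"
        return rec
    if len(frame) < 34:
        rec["l3"] = "truncated ipv4"
        return rec
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        rec["l3"] = "malformed ipv4"
        return rec
    rec["src_ip"] = socket.inet_ntoa(frame[26:30])
    rec["dst_ip"] = socket.inet_ntoa(frame[30:34])
    rec["proto"] = frame[23]
    l4 = 14 + ihl
    if rec["proto"] in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP ports
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return rec

def catch_it_as_you_can(frames):
    """Store every frame in full for later batch analysis."""
    return [(ts, bytes(raw)) for ts, raw in frames]

def stop_look_listen(frames):
    """Analyse each frame in memory and keep only the summary record."""
    return [rec for rec in (summarize(raw, ts) for ts, raw in frames) if rec]

def storage_cost(frames):
    """Bytes stored by each approach: (full capture, JSON summaries)."""
    full = sum(len(raw) for _, raw in catch_it_as_you_can(frames))
    summary = sum(len(json.dumps(rec)) for rec in stop_look_listen(frames))
    return full, summary

if __name__ == "__main__":
    for rec in stop_look_listen(SAMPLE_FRAMES):
        print(rec)
    print("bytes stored (full, summary):", storage_cost(SAMPLE_FRAMES))
```

The summary records answer who talked to whom and when, but reassembling a transferred file or searching payloads for keywords is only possible from the full capture.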

7.4.4 Internet Forensics

The internet can be a rich source of digital evidence including web browsing,
email, newsgroup, synchronous chat45 and peer-to-peer traffic46. For example, web

45
Text only web based synchronous forum that enables multiple users to be online and in the same
online ‘room’ typing their comments to each other. As soon as the user clicks ‘enter’ his/her text
message appears immediately on the screen of all users who are in the ‘room’. Messages appear in the
order in which they were entered. Retrieved from
https://www.d.umn.edu/~hrallis/professional/presentations/cotfsp06/indiv_tools/sync_chat.htm on 29/06/2017 at 17:45 hrs.
46
In a peer to peer (P2P) network traffic, the ‘peers’ are decentralised computer systems which are
connected to each other via the Internet where files can be shared directly between systems on the
network, i.e. each computer on a P2P network becomes a file server as well as a client. The only
requirements for a computer to join a peer-to-peer network are an Internet connection and P2P
software, such as Kazaa, Limewire, BearShare, Morpheus, and Acquisition. Once connected to the network,
P2P software allows you to search for files on other people’s computers. Meanwhile, other users on the
network can search for files on your computer, within a single folder which you have designated to
share. Retrieved from https://techterms.com/definition/p2p on 29/06/2017 at 17:56 hrs.


server logs can be used to show when (or if) a suspect accessed information related to
criminal activity. Email accounts can often contain useful evidence; but email headers
are easily faked and, so, network forensics may be used to prove the exact origin of
incriminating material. Network forensics can also be used to find out who is
using a particular computer by extracting user account information from the network
traffic. Internet forensics employs a combination of advanced computing techniques
and human intuition to unearth clues about computers and people involved in a cyber
crime, most notably fraud and identity theft on the internet. It involves analysis of
internet service provider logs. Here the investigators analyse the URLs47, e-mail
headers, DNS servers48, activity patterns, and signatures to trace the origin of a
particular scam or a malicious program. Website analysis looks into the HTML49
code, black box analysis50, content mapping, and hidden directories. Web-browser
analysis, browser-configuration analysis, server-analysis, etc. are done to identify
people, places and patterns of activities on the internet.

47
Uniform Resource Locator provides a way to locate a resource on the web, the hypertext system that
operates over the internet. The URL contains the name of the protocol to be used to access the resource
and a resource name. The first part of a URL identifies what protocol to use. The second part identifies
the IP address or domain name where the resource is located. Retrieved from
http://searchnetworking.techtarget.com/definition/URL on 29/07/2017 at 17:59 hrs.
48
A DNS server is a computer server that contains a database of public IP addresses and their
associated hostnames, and in most cases, serves to resolve, or translate, those common names to IP
addresses as requested. DNS servers run special software and communicate with each other using
special protocols. Retrieved from https://www.lifewire.com/what-is-a-dns-server-2625854 on
29/06/2017 at 18:05 hrs.
49
Hypertext Markup Language is the set of markup symbols or codes inserted in a file intended for
display on a World Wide Web browser page. The markup tells the Web browser how to display a Web
page’s words and images for the user. Each individual markup code is referred to as an element.
Retrieved from http://webdesign.about.com/od/beginninghtmlglossary/g/html-codes-definition.htm on
29/06/2017 at 18:14 hrs.
50
Black Box Testing, also known as Behavioural Testing, is a software testing method in which the
internal structure/ design/ implementation of the item being tested is not known to the tester. These
tests can be functional or non-functional, though usually functional. This method is named so because
the software program, in the eyes of the tester, is like a black box; inside which one cannot see. This
method attempts to find errors in the following categories:
• Incorrect or missing functions
• Interface errors
• Errors in data structures or external database access
• Behaviour or performance errors
• Initialisation and termination errors
Retrieved from http://softwaretestingfundamentals.com/black-box-testing/ on 29/06/2017 at 18:22 hrs.


7.4.5 Anti-Forensic

If Newton’s third law of motion, i.e. ‘for every action there is an equal and
opposite reaction’, is applied to the investigation of criminal cases, then it would be
anti-forensics. It is the collection of various tools and techniques that frustrate
forensic tools, investigation and investigators. The main purpose of anti-forensics is to
antagonise forensics.

In the world of digital forensics, evidence resides mainly on computer
storage devices in the form of files, logs, registry key entries, and other elements
portraying a particular activity. Let us apply Locard’s principle of criminal
investigation51 to the digital world. We have two Windows computers called
computer A and computer B. If we map a share from computer A to computer B, we should
see the IP of computer A. On the contrary, if we type the ‘net session’ command on
computer B, we should see the IP of computer A and vice versa. Relating the example
to Locard’s principle of criminal investigation, here, one computer could be the
‘crime scene’ and the other could be the ‘perpetrator’. Evidence of our computer
activity was left behind on both the computers, which could be used in a digital
forensic investigation.

We can only speculate about what the real need for anti-forensics is; some
possibilities, or rather assumptions, are as follows:

(a) Protect privacy: Some people believe in their privacy at home.

(b) Protect assets and intellectual property: For example, encryption and digital
watermarking.

(c) Safeguard national security: Anti-forensics might be useful to protect secret
government documents or hide traces of top secret operations.

51
Dr. Edmond Locard (13 December 1877 – 4 May 1966) was a pioneer in forensic science who
became known as the Sherlock Holmes of France. He formulated the basic principle of forensic science
as: “Every contact leaves a trace”. Locard speculated that every time you make contact with another
person, place, or thing, it results in an exchange of physical materials.


(d) Espionage: Anti-forensics might play an important role in national,
international, and corporate intelligence operations.

(e) Defend criminal activity: Hide traces of wrongdoing.

(f) Nurture cyber warfare: Hacktivism, political power, and supremacy.

7.5 PROCEDURES AND TECHNIQUES OF CYBER FORENSICS

The application of cyber-forensics is a broad and evolving field that
necessitates a broad and evolving tool kit. There are a variety of options available to
an investigator for computer, mobile, and malware forensics that provide insight into
what a device has been used for and how the actions can be explained. Developing
and maintaining strong skills in digital forensics is an arduous task and can consume a
lot of time and energy. Particularly when it comes to malware investigation, digital
forensic investigators find themselves up against a difficult environment and
prodigious challenge. Proficiency in using a variety of tools positions an investigator
to be able to best meet the challenges inherent in the cyber world. There are a lot of
potential places to look for clues of Internet behavior including chat and messaging
logs, peer to peer (P2P) actions, search engine searches, Internet history, social
networking activity, and virus and malware footprints.

Law enforcement investigative techniques are generally sub-divided into
coercive and covert techniques, the former involving powers of search and seizure,
while the latter involve interception and surveillance. In contrast to other forms of
crime, the investigation of cybercrimes will more frequently involve the deployment
of techniques falling into both categories of activity. Covert techniques are generally
used at an earlier stage in the investigative process, for the gathering of intelligence as
much as evidence, while coercive techniques are used primarily to gather evidence
once the relevant ICT resources have been identified.52 As S. Barish puts it, “We have to take
every precaution to make sure the data we collect is accurate, trusted, and are not
modified from the time of collection onward. By recording each step in the collection

52
Ian Walden, Computer crimes and Digital Investigations, Oxford University Press, 2007, p. 353.


and processing of forensic data, and tracking its movement, who accessed it, and what
was done to it, we help preserve the chain of custody”53

There are various components of a computer, computer resources and computer
network, i.e. hard-disk, caches54, cookies55, RAM, IP address etc. There is no single
process to acquire e-evidence from different components. Some of the forensic tools
and their procedures are discussed as follows:

7.5.1 Procedure for Data forensics: During data collection, the analyst should
make multiple copies of the relevant files or file systems— typically a master
copy and a working copy.56 The analyst can then use the working copy
without affecting the original files or the master copy. It is often important to
collect not only the files, but also significant timestamps for the files, such as
when the files were last modified or accessed. Other technical issues related to
file collection, such as finding hidden files and copying files from redundant
array of inexpensive disks57 (RAID) implementations, are significant
techniques.

Files can be copied from media using two different techniques:

53
Stephen Barish, Windows Forensics: A Case Study, Part 1,
http://www.securityfocus.com/infocus/1653.
54
The “Temporary Internet Files” folder in Internet browsers stores every piece of information you
come across while surfing the web. This includes websites, cookies, images and sounds which are kept
for faster loading the next time the website is visited. This cache of Internet browsing information can
be viewed on your Internet browser, and deleted if desired. Internet Explorer and Mozilla Firefox both
have incorporated simple ways to access and view Internet cache history. Retrieved from
https://www.techwalla.com/articles/how-to-view-the-cache-history, on 01/07/2017 at 14:35 hrs.
55
Cookies are small files which are stored on a user’s computer. They are designed to hold a modest
amount of data specific to a particular client and website, and can be accessed either by the web server
or the client computer. This allows the server to deliver a page tailored to a particular user, or the page
itself can contain some script which is aware of the data in the cookie and so is able to carry
information from one visit to the website (or related site) to the next. Retrieved from
http://www.whatarecookies.com/ on 01/07/2017 at 14:45 hrs.
56
The purpose of the master copy is to generate additional working copies if the first working copy can
no longer be used because of alteration or other reasons.
57
RAID (redundant array of independent disks; originally redundant array of inexpensive disks) is a
way of storing the same data in different places on multiple hard disks to protect data in the case of a
drive failure. However, not all RAID levels provide redundancy. Redundancy is a system design in
which a component is duplicated so if it fails there will be a backup. Retrieved from
http://whatis.techtarget.com/definition/redundancy on 01/07/2017 at 14:25 hrs.


i Logical Backup. A logical backup copies the directories and files of a
logical volume. It does not capture other data that may be present on
the media, such as deleted files or residual data stored in slack space.
For logical backups of live systems, analysts can use standard system
backup software. However, performing a backup could affect the
performance of the system and consume significant amounts of
network bandwidth, depending on whether the backup is performed
locally or remotely.

ii Bit Stream Imaging. Also known as disk imaging, bit stream imaging
generates a bit-for-bit copy of the original media, including free space
and slack space. Bit stream images require more storage space and take
longer to perform than logical backups. If evidence may be needed for
prosecution or disciplinary actions, the analyst should get a bit stream
image of the original media, label the original media, and store it
securely as evidence. All subsequent analysis should be performed
using the copied media to ensure that the original media is not
modified and that a copy of the original media can always be recreated
if necessary. All steps that were taken to create the image copy should
be documented. Doing so should allow any analyst to produce an exact
duplicate of the original media using the same procedures. In addition,
proper documentation can be used to demonstrate that evidence was
not mishandled during the collection process.

During backups and imaging, the integrity of the original media should
be maintained. To ensure that the backup or imaging process does not alter
data on the original media, analysts can use a write-blocker while backing up
or imaging the media. A write-blocker is a hardware or software-based tool
that prevents a computer from writing to computer storage media connected to
it. Hardware write-blockers are physically connected to the computer and the
storage media being processed to prevent any writes to that media.58 Software

58
Examples of hardware write-blockers are FastBloc
(http://www.guidancesoftware.com/lawenforcement/ef_index.asp), NoWrite
(http://www.mykeytech.com/nowrite.html), and SCSIBlock
(http://www.digitalintelligence.com/products/scsiblock/).


write-blockers are installed on the analyst’s forensic system and currently are
available only for MS-DOS and Windows systems.
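The master-copy and working-copy procedure, together with the documentation of each step that preserves the chain of custody, can be sketched as follows. This is an added example, not part of the original chapter: a regular file stands in for the seized media, SHA-256 is the integrity check chosen here, and the hash-chained `CustodyLog` (a hypothetical name) is one way to make later edits to the record detectable.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def bit_copy(src, dst, chunk=1 << 20):
    """Copy src to dst byte for byte and return the SHA-256 of what was read."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()

class CustodyLog:
    """Append-only record; each entry carries the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when, actor, action, item, sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"when": when, "actor": actor, "action": action,
                "item": item, "sha256": sha256, "prev": prev}
        body["entry_hash"] = self._digest(dict(body))
        self.entries.append(body)

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def acquire(source, workdir, analyst, log, when):
    """Image the source to a master copy, derive a working copy, verify both."""
    master = os.path.join(workdir, "master.img")
    working = os.path.join(workdir, "working.img")
    src_digest = bit_copy(source, master)
    log.record(when, analyst, "imaged source to master copy", "master.img", src_digest)
    work_digest = bit_copy(master, working)
    log.record(when, analyst, "created working copy from master", "working.img", work_digest)
    ok = src_digest == sha256_file(master) == work_digest == sha256_file(working)
    log.record(when, analyst, "verified copies" if ok else "VERIFICATION FAILED",
               "working.img", work_digest)
    return master, working, ok

def demo():
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.bin")          # constructed stand-in for the media
        with open(source, "wb") as f:
            f.write(b"constructed sample media\x00" * 4096)
        log = CustodyLog()
        master, working, ok = acquire(source, d, "analyst-1", log, "2017-07-01T14:00:00Z")
        with open(working, "r+b") as f:                   # working copy altered during analysis
            f.write(b"X")
        altered = sha256_file(working) != sha256_file(master)
        valid_before = log.verify()
        log.entries[0]["actor"] = "someone-else"          # record edited after the fact
        return {"copies_match": ok, "alteration_detected": altered,
                "log_valid_before_edit": valid_before,
                "log_valid_after_edit": log.verify()}

if __name__ == "__main__":
    print(demo())
```

On real media the read side would sit behind a write-blocker; the hash comparison is what lets a fresh working copy be regenerated from the master and shown to be identical.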

7.5.2 Forensics for Internet History: When anyone uses the Internet, the browsing
history is saved in the memory of the computer and previously opened
websites can be traced easily, but sometimes various forensic procedures have to
be applied. Where an examiner looks for Internet history depends on the
browsers that were used on the suspect computer. Generally browsers leave
artifacts in index.dat files, and the examiner has to remember that there are
multiple index.dat files on a Windows computer, and they are used for
different purposes. Information that is captured includes the URL of the last
several websites visited, the last time each was visited, and how many times it
was visited. Files that were opened with browsers can also be logged in the
index.dat file. Although it is also often possible to determine whether a web
address was typed or accessed via hyperlink, it is important to remember that
Internet history is limited and information related to websites visited may also
be traced in Temp folders.

Cookies are another way to determine what websites have been visited,
as websites commonly place one or more cookies on the visitor’s computer. Cookies may
also provide user-names for websites that are used by the person operating the
computer.

Other things that can provide clues to Internet history are browser add-
ons such as toolbars, extensions, players, and applications. There are add-on
tools that assist in activities such as file sharing, pirating video and intellectual
property, and customisation. In addition, bookmarks, favorites, shortcuts,
stored passwords, and browser settings can also provide support for user
activities. Websites store IP addresses which can be helpful for tracing out the
geographical location and kind of device of the user.

7.5.3 Forensics for Malware and Viruses: The presence of malware and
viruses can serve multiple purposes for an investigator. It is possible that the
investigator is attempting to determine whether the computer owner is a
malware author or manager; another situation is to determine the source of


infections. Yet another situation is that the computer owner during the trial of
cybercrime may claim a malware defence, i.e. there must have been viruses on
his computer.

Investigating the virus defense is not as difficult as it would seem.
Firstly, the person claiming a virus defense would have to have a virus on his
or her computer. Secondly, the virus needs to be active and capable of
performing the activity that the person claims. A tool like NetStat can be
useful in determining whether this is the case. If the virus does not exist on the
computer, and it is not active and capable of performing the activity the person
claims, the person is in for a world of hurt. On the contrary, if both of these
things turn out to be true, the only thing left to check is whether the person
self-infected his or her computer, computer system or computer network to
take the defence of alibi. If the investigator cannot prove self-infection, then it
would be very difficult to convince the court that the virus defense is a ploy
cooked up by the suspect.

Determining how malware impacts a machine in terms of files that are
modified, settings that are changed, and new files that are created can take
considerable effort. One way to do this is the virgin method, which is to build
a fresh machine with a clean install, create a hash set of the files on the
computer (the virgin hash set), infect the computer with the malware, hash all
of the files on the computer, and then filter out the files that are in the virgin
hash set. The remaining files will be those that were modified or created.
Forensic tools such as Guidance Software’s EnCase59 and Access Data’s
Forensics Toolkit60 (FTK) can be used to calculate the hash values for all of
the files on a computer.
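The virgin hash set comparison can be reproduced on a directory tree. This is an added example, not part of the original chapter and not how EnCase or FTK work internally: a temporary directory stands in for the clean install, harmless placeholder writes stand in for the malware's changes, and SHA-256 is the hash chosen here. It goes slightly beyond the method as described by also keying on file path, which exposes deleted files and known content that reappears under a new name.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Return {relative path: SHA-256} for every regular file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # skip links and special files
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for block in iter(lambda: f.read(1 << 20), b""):
                    h.update(block)
            hashes[os.path.relpath(full, root)] = h.hexdigest()
    return hashes

def hash_only_filter(virgin, after):
    """The method as described: drop every file whose hash is in the virgin set."""
    known = set(virgin.values())
    return sorted(p for p, digest in after.items() if digest not in known)

def diff_against_virgin(virgin, after):
    """Path-aware comparison: created, modified and deleted files."""
    return {
        "created": sorted(p for p in after if p not in virgin),
        "modified": sorted(p for p in after if p in virgin and after[p] != virgin[p]),
        "deleted": sorted(p for p in virgin if p not in after),
    }

def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed "clean install".
        write(root, "system.ini", b"shell=explorer\n")
        write(root, "hosts", b"127.0.0.1 localhost\n")
        write(root, "notes.txt", b"keep")
        write(root, os.path.join("drivers", "net.sys"), b"driver v1")
        virgin = hash_tree(root)

        # Placeholder changes standing in for what a sample did to the machine.
        write(root, "hosts", b"127.0.0.1 localhost\n203.0.113.5 update.example\n")
        write(root, "dropper.tmp", b"constructed placeholder")
        write(root, "copy_of_notes.txt", b"keep")       # known content, new name
        os.remove(os.path.join(root, "drivers", "net.sys"))
        after = hash_tree(root)

        return hash_only_filter(virgin, after), diff_against_virgin(virgin, after)

if __name__ == "__main__":
    remaining, changes = demo()
    print("not in virgin hash set:", remaining)
    print("path-aware diff:", changes)
```

The hash-only filter reports the modified and the new file, while the path-aware diff additionally shows the deleted driver and the copy of existing content under a new name.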

59
EnCase is the shared technology within a suite of digital investigations products by Guidance
Software. The software comes in several products designed for forensic, cyber security, security
analytics, and e-discovery use. The company also offers EnCase training and certification. Retrieved
from https://en.wikipedia.org/wiki/EnCase, on 01/07/2014 at 15:08 hrs.
60
AccessData has developed other industry-leading solutions to assist in password recovery. These
solutions are used in many different environments to provide specific, password-cracking related
functions. Law enforcement and corporate security professionals performing computer forensic
investigations, utilize these solutions to access password-protected files. Likewise, administrators can


7.5.4 Intrusion Detection Systems: These are great sources for the collection of
digital evidence. They collect information from a variety of system and
network sources then analyse the information for signs of intrusion and
misuse. There are two types of Intrusion Detection Systems – (i) Host-Based
and (ii) Network-Based.

(i) In the host-based intrusion detection architecture, the system is used to
analyse data that originates on computers (hosts). Thus, this architecture is
used for detecting insider attacks and misuse, for example, an employee
who abuses their privileges, or students changing their grades. Host-based
systems examine events like what files are accessed and what applications are
executed. Logs are used to gather this event data. However, the audit policy is
very important because it defines which end-user actions will result in an
event record being written to an event log, for example, logging all accesses
of mission-critical files. Host-based intrusion detection systems reside on
every system and usually report to a central command console. To detect
misuse, signatures, or pre-defined patterns of misuse, are compared with the
data from the log files. When there is a correlation, either the security
administrator is notified of the potential misuse, or a predefined response to
the misuse is enacted.

(ii) In the network-based intrusion detection architecture, the system is used
to analyse network packets. Network-based architectures are used to detect
access attempts and denial of service attempts originating outside the
network. This architecture consists of sensors deployed throughout a network.
These sensors then report to a central command console. Similar to
host-based architectures, packet content signatures are used to identify misuse.
These signatures are based on the contents of packets, headers and flow of
traffic. However, it is important to note that encryption prevents detection of
any patterns in the contents of the packet.
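The host-based flow described in (i), an audit policy deciding what is logged and signatures compared against the resulting log, can be shown on a few log lines. This is an added example, not part of the original chapter: the log format, paths, account names, signature IDs and responses are all constructed for illustration, and `coverage_gaps` is a hypothetical helper that lists signatures the audit policy can never feed.

```python
import re

# Constructed log format: timestamp host=... user=... action=... path=...
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)"
)

# Assumed audit policy: only accesses under these prefixes are written to the log.
AUDIT_POLICY = ("/srv/grades/", "/srv/payroll/")

# Assumed signatures: pre-defined patterns of misuse and the response to enact.
SIGNATURES = [
    {"id": "HIDS-001", "desc": "grade file changed by non-registrar account",
     "actions": {"write", "delete"}, "path_prefix": "/srv/grades/",
     "allowed_users": {"registrar"}, "response": "notify_admin"},
    {"id": "HIDS-002", "desc": "payroll file accessed outside payroll service",
     "actions": {"read", "write", "delete"}, "path_prefix": "/srv/payroll/",
     "allowed_users": {"payroll_svc"}, "response": "lock_account"},
    {"id": "HIDS-003", "desc": "credential store read by non-root account",
     "actions": {"read"}, "path_prefix": "/etc/",
     "allowed_users": {"root"}, "response": "notify_admin"},
]

# Constructed event log as the audit policy above would have produced it.
SAMPLE_LOG = [
    "2017-07-01T10:02:11Z host=reg01 user=registrar action=write path=/srv/grades/cs101.csv",
    "2017-07-01T23:41:07Z host=reg01 user=student7 action=write path=/srv/grades/cs101.csv",
    "2017-07-01T23:41:30Z host=reg01 user=student7 action=read path=/srv/grades/cs101.csv",
    "2017-07-02T08:15:00Z host=fin02 user=clerk3 action=read path=/srv/payroll/2017-06.xls",
    "corrupted line ###",
]

def parse_line(line):
    m = LINE_RE.fullmatch(line.strip())
    return m.groupdict() if m else None

def detect(lines, signatures=SIGNATURES):
    """Compare each parsed event with every signature; return (alerts, unparsed line numbers)."""
    alerts, unparsed = [], []
    for lineno, line in enumerate(lines, 1):
        event = parse_line(line)
        if event is None:
            unparsed.append(lineno)       # keep track: a gap in the log is itself a finding
            continue
        for sig in signatures:
            if (event["action"] in sig["actions"]
                    and event["path"].startswith(sig["path_prefix"])
                    and event["user"] not in sig["allowed_users"]):
                alerts.append({"line": lineno, "sig": sig["id"], "user": event["user"],
                               "path": event["path"], "response": sig["response"]})
    return alerts, unparsed

def coverage_gaps(policy=AUDIT_POLICY, signatures=SIGNATURES):
    """Signatures that can never fire because the audit policy logs nothing they watch."""
    return [s["id"] for s in signatures
            if not any(s["path_prefix"].startswith(p) for p in policy)]

if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("unparsed lines:", bad)
    print("signatures without audit coverage:", coverage_gaps())
```

The last check makes the point about audit policy concrete: HIDS-003 is a valid signature, but with this policy no event it could match is ever written to the log.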

also utilize these solutions to recover system passwords, lost personal passwords and more. Retrieved
from http://accessdata.com/products-services/forensic-toolkit-ftk, on 01/07/2017 at 15:24 hrs.


7.6 DIGITAL EVIDENCE

In an adversarial system of judicial enquiry, the ultimate aim of the evidence
adducing process is to enable the judge to arrive at a rational conclusion
with regard to the fact disputed by the contestants. The rules regarding presentation of
evidence in a court proceeding must strengthen this process and therefore there is a
need for some principles that can be adhered to by the Court. The possibility of legal
intervention in the circumstances where evidence and proof need to be adduced in a
Court of law demands the existence of uniform procedures, rules and law for
admissibility of digital evidence consisting of data61, electronic form62 and electronic
record.63 In India, the law of evidence is mainly contained in the Indian Evidence Act,
1872.

Digital evidence is any probative information stored or transmitted digitally
and a party to a judicial dispute in court can use the same during the trial. During the
past few decades, the use of digital evidence has increased exponentially. Courts
permit the use of digital evidence such as e-mails, digital photographs, word
processing documents, instant message histories, spreadsheets, the internet browser
histories, databases, the contents of computer memory, and computer backup.

Under Section 3 of the Indian Evidence Act, 1872, the definition of
documentary evidence has been amended to include all documents, including
electronic records produced for inspection by the court. Evidence has been defined as:
‘Evidence means and includes: (1) all statements which the court permits or requires
to be made before it by witnesses, in relation to matters of fact under inquiry; such
statements are called oral evidence; (2) all documents including electronic record
produced for the inspection of the court. Such documents are called documentary
evidence’64.

61
Section 2(o) of the Information Technology Act, 2000.
62
Section 2(r) of the Ibid.
63
Section 2(v) of the Ibid.
64
The Indian Evidence Act, 1872.


Prashant Mali, a cyber security expert, described digital evidence as information of probative
value that is stored or transmitted in binary form.65 Evidence is not only limited to that
found on computers but may also extend to include evidence on digital devices such
as telecommunication or electronic multimedia devices.

Pollitt, the renowned scholar of cyber laws, opined that electronic or digital
evidence is any probative information stored or transmitted in digital form66, i.e. stored
in computer hard drives, optical disks, floppy disks, remote internet storage, handheld
devices, memory cards, network servers, emails etc.67

Further, digital evidence as defined by J.W. Chisum is any data stored or
transmitted using a computer that support or refute a theory of how an offense
occurred or that address critical elements of the offense such as intent or alibi.68

Digital evidence is becoming a reliable and essential form of evidence that
should not be overlooked. It must be authentic, accurate and complete in presentation.
With regard to admissibility, it must be in consonance with the law of evidence. The
principles of preserving forensic evidence are that the evidence must be collected as
early as possible and without giving any scope for manipulation, and that the
chain-of-custody69, i.e. the series of incidents and its relevance to the case, must be established. If
the forensic expert fails to show the chain-of-custody, the evidence will lack
authenticity and therefore may not be admissible in the court of law. A sloppy chain
of custody shows the poor expertise of the forensic examiner in collecting the
evidence. This growing complexity makes it harder to create and maintain a reliable
chain of custody and exposes a wide gap between general evidentiary criteria based
on traditional forensic procedures and the scientific community point of view about

65
Prashant Mali, Electronic Evidence and Cyber law, CSI Communications, 2012, p. 30.
66
M.M. Pollitt, Report on Digital Evidence, 2010.
67
M.C.S. Lange, and K.M. Nimsger, Electronic Evidence and Discover: What Every Lawyer Should
Know Now, 2009, p. 72.
68
J.W. Chisum, Crime Reconstruction and Evidence Dynamics, Presented at the Academy of
Behavioral Profiling Annual Meeting, Monterey, CA, 1999.
69
‘Chain of custody’ in legal contexts refers to the chronological documentation or paper trail, showing
the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
Particularly important in criminal cases, the concept is also applied in civil litigation. It also means
the movement and location of physical evidence from the time it is obtained until the time it is
presented in court.


the risks and conditions necessary to consider any contemporary digital
evidence reliable.

According to Locard’s Exchange Principle70, anyone, or anything, entering a
crime scene takes something of the crime scene with them, and leaves something of
them behind when they leave. In the digital realm, similar exchanges of evidence
occur. As an example, data from an offender’s computer is recorded by a web server
and/or data from web servers is stored on the offender’s computer when the offender
visits a specific web page. From the above, we can conclude that digital evidence may
take the form of content which has been created by an author, and the truth of which
has to be supported by witness testimony viva voce (the content of a letter, an email, or
the like), or it may be in the form of a data message or record produced in the ordinary
course of business, such as a web log, automatic number identification logs, date and
time stamp, automated transactional record, and so on.

Having carried out the investigations and obtained what appears to be
sufficient evidence the next stage in the criminal justice process is the prosecution of
the computer criminal, a process of presenting evidence to a court or tribunal of fact.
Evidential rules tend to be very specific to each jurisdiction, but as with many areas of
law, a broad distinction can be made between civil and common law systems. In civil
law systems, criminal proceedings are generally based upon a judge(s) acting as an

70
‘Locard’s exchange principle’ is a concept that was developed by Dr. Edmond Locard.
Dr. Locard (13 December 1877 – 4 May 1966) was a pioneer in forensic science who became known as
the Sherlock Holmes of France. He formulated the basic principle of forensic science as: “Every
contact leaves a trace”. Dr. Locard speculated that every time you make contact with another person,
place, or thing, it results in an exchange of physical materials. He believed that no matter where
a criminal goes or what a criminal does, by coming into contact with things, a criminal can leave all
sorts of evidence, including DNA, fingerprints, footprints, hair, skin cells, blood, bodily fluids, pieces
of clothing, fibers and more. At the same time, they will also take something away from the scene with
them. Paul L. Kirk (in Crime investigation: physical evidence and the police laboratory, Interscience
Publishers, Inc., New York, 1953) expressed the principle as follows:
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve
as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the
fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches,
the blood or semen he deposits or collects. All of these and more bear mute witness against
him. This is evidence that does not forget. It is not confused by the excitement of the
moment. It is not absent because human witnesses are. It is factual evidence. Physical
evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human
failure to find it, study and understand it, can diminish its value.”


investigator, gathering, processing and evaluating the evidence. By contrast, common
law criminal proceedings are generally adversarial, with evidence being presented and
challenged by the prosecutor and the defendant’s legal advisers before a jury and/or
judge. Prosecuting counsel will present evidence with the objective of showing to the
requisite criminal standard, of ‘beyond reasonable doubt’, that the defendant is guilty
of committing all, or some, of the offences for which he has been charged. On the
other hand, defence counsel will be concerned, unless a guilty plea is submitted, to
tender evidence that either challenges or contradicts the version of events indicated by
the prosecution or offers an alternative version, with the objective of raising sufficient
doubt in the minds of the court for the defendant to be acquitted. The process is
governed by a complex set of rules and procedures designed, primarily, to safeguard
the rights of the defendant. Computer-derived evidence, whether obtained from the
victim, accused, third parties or generated by the investigators themselves, may
present a range of issues that need to be addressed, whether by the prosecution,
defence or court.

This research examines the legal framework governing the use of
computer-derived evidence in criminal proceedings before the courts, in the first
instance, from pre-trial to the hearing. Pre-trial issues revolve first around the need for
each side to disclose relevant material to the other side. Once disclosure has occurred,
each side may apply to the court for certain evidence to be excluded from
consideration on various grounds, raising questions of admissibility. The value or
weight given to the evidence that is considered by the court will be the next potential
point for argument, raising questions of probative value. The critical role of expert
witnesses and the manner in which computer-derived evidence is presented in court
will complete our examination of evidential issues. The availability of evidence
obtained through the forensic process will often dictate the charges laid against the
perpetrator. Several general characteristics of evidence, including digital evidence, are
as follows:


7.7 SALIENT FEATURES OF INDIAN EVIDENCE LAW

(i) Meaning of Evidence

The expression evidence signifies the state of fact which tends to render
evident or generate proof. According to Sir James Fitzjames Stephen, the word
evidence is used in three senses:

(1) words uttered, and things exhibited in court,

(2) facts proved by those words or things which are regarded as the
groundwork of inference as to other facts not so proved, and

(3) relevancy of a particular fact to the matter under enquiry.71

Under the Indian Evidence Act, 1872, evidence is divided into two
categories:

(i) Oral or personal

(ii) Documentary

(ii) Admissibility

Admissibility is concerned with the ability to submit evidence into court for
consideration by the judge. In civil law systems, the investigating judge generally
determines the issue; while in common law systems, complex admissibility rules have
historically existed to govern the issue, based in statute and judicial precedents. Our
interest in questions of admissibility concerns the extent to which the forensic product
derived from computers and networks may be excluded from the court. Indeed,
challenges to the admissibility of such evidence are a key defence strategy in
cybercrime prosecutions.72 The more vulnerable computer and network-derived

71 G.P. Sahoo. Legal Dimensions of Cybercrime, Satyam International, New Delhi, 2017, p. 219.
72 R. Smith (et al.), Cyber Criminals on Trial, Cambridge University Press, 2004, p. 62.


evidence is to exclusion, the more problematic will be the prosecution of computer
and cybercrimes.

The evidential exclusions can be broadly distinguished into two categories: the
first focuses on the material itself, the second on the circumstances surrounding the
obtaining of the material for use as evidence. In the first, the unreliability of the
material is the primary policy concern, either because the person was not witness to
the facts, as in hearsay, or because the reliability of the source from which it is
derived is considered vulnerable, as computers were treated in the early years. In the
second, the policy concerns are the activities of the investigators in obtaining the
material.

(iii) Authenticity

Authenticity is concerned with the origin of the material and can be further
subdivided into two tests. The first authenticity test is the need to establish a link
between the material being adduced as evidence and the accused. Such evidence
depends on investigators being able to adequately address the ‘identity problem’
considered in the previous discussion. The location of the source computer may mean that
multiple users had potential access to the machine at the relevant time, which can
make it difficult to show the link ‘beyond reasonable doubt’. In Vatsal Patel,73 the accused
was a contract programmer at Dun and Bradstreet who was alleged to have installed
‘wrecking programs’ on the organisation’s network to delete completed development
work, in order to extend the period of his lucrative contract. He was acquitted,
however, because the prosecution was unable to prove that it was Patel who had
initiated the programs, partly due to the physical position of the relevant terminal
behind a concrete pillar. In Caffrey74 the jury acquitted the defendant of a s. 3(1)
offence under the Computer Misuse Act, 1990 even though the prosecution expert
witness stated that no evidence of the presence of a ‘Trojan horse’ virus could be
found. The defendant argued that it was impossible to test every file on the computer

73 Aylesbury Crown Court, July 2, 1993. Reported in Computers and Law, Vol. 5, No. 1, 1993.
74 Southwark Crown Court, October 17, 2003.


and that the virus could be designed to self-destruct leaving no trace, which seems to
have sown sufficient doubt in the minds of the jurors.

A second authenticity test is to link the material to the relevant computer or
system, the ‘computer source’ test. This is partly an extension of the person/material
test, since people operate in a networked environment through computers, whether
using a traditional PC or a mobile phone. For example, what is displayed on a
computer screen when a ‘webpage’ is downloaded over the Internet may potentially
comprise a mosaic of material drawn from different computers based in different
jurisdictions, the image being assembled only at the moment it is requested.75

(iv) Integrity

In terms of integrity, the concern is to be able to show that the material is
accurate and complete. From a forensic standpoint, the acquisition process should
change the original evidence as little as possible and any changes should be
documented and assessed in the context of the final analytical results. Provided the
acquisition process preserves a complete and accurate representation of the original
data, and its authenticity and integrity can be validated, it is generally considered
forensically sound. When preserving volatile data, digital investigators must record
the date and time when the data were preserved as well as a description of the tools used.
While the burden of proof has been shifted, the party adducing computer-derived
evidence may still need to ensure that they have the necessary evidence, whether oral
or documented, to be able to refute any serious challenge raised as to the integrity of
evidence derived from a computer or network. For a complex system, this may
require an array of witnesses with familiarity with the different components.

(v) Accountability

Accountability is concerned with the circumstances under which evidence is
obtained and subsequently handled. Computer-derived evidence is notoriously

75 In a web environment, image files (<IMG SRC….>) are often stored separately from text files (<A
HREF….>). Ian Walden, Computer Crimes and Digital Investigations, Oxford University Press,
Footnote 194, p. 381.


vulnerable to alteration, which extends from the manner of obtaining it, the
acquisition process discussed previously, to the handling of such evidence by
investigators, prosecutors and expert witnesses at all stages until trial, the ‘chain of
custody test’.76 This could be particularly relevant where a digital copy of an original
item of evidence was being relied upon in court.77

Alterations made to a file once it is in the possession of an investigator
obviously create a strong basis upon which to raise a challenge to the probative value
of evidence. Law enforcement agencies therefore need to follow procedures designed
to minimise such accountability threats and ensure the provenance of any adduced
evidence, including disk ‘imaging’78 techniques and filming screen shots.79
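
The integrity and accountability requirements above (record when and with what tool data was preserved, and be able to show that a disk image was not altered while in custody) can be illustrated with a hash-chained custody log. This is an added example, not part of the original chapter; the handler names, tool name, file name and log fields are hypothetical, and the image contents are constructed sample bytes.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_digest(entry):
    """Digest of every field except the stored entry_hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log, action, handler, tool, image_path):
    """Record who handled the image, when, with what tool, and its hash."""
    entry = {
        "seq": len(log),
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "handler": handler,
        "tool": tool,
        "image_sha256": sha256_file(image_path),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log, image_path):
    """Return a list of problems; an empty list means log and image agree."""
    if not log:
        return ["custody log is empty"]
    problems = []
    baseline = log[0]["image_sha256"]  # hash taken at acquisition
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence number out of order")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken (entry inserted, removed or rewritten)")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: fields edited after the entry was written")
        if entry["image_sha256"] != baseline:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        prev = entry["entry_hash"]
    if sha256_file(image_path) != baseline:
        problems.append("image: current contents differ from acquisition hash")
    return problems


def demo():
    """Walk a constructed image through acquisition, transfer and tampering."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "exhibit-01.dd")
    with open(image, "wb") as fh:
        fh.write(b"CONSTRUCTED SAMPLE SECTOR\x00" * 4096)

    log = []
    append_entry(log, "acquired", "Examiner A", "hypothetical-imager 1.0", image)
    append_entry(log, "transferred to lab", "Examiner B", "n/a", image)
    clean = verify(log, image)

    # Someone edits the custody record without recomputing its hash.
    log[1]["handler"] = "Unknown"
    edited_log = verify(log, image)
    log[1]["handler"] = "Examiner B"

    # One byte of the image changes while in custody.
    with open(image, "r+b") as fh:
        fh.seek(10)
        fh.write(b"\xff")
    altered_image = verify(log, image)
    return clean, edited_log, altered_image


if __name__ == "__main__":
    for label, result in zip(("clean", "edited log", "altered image"), demo()):
        print(label, "->", result or "no problems")
```

A hash chain only shows that the log is internally consistent; the latest entry hash still has to be recorded somewhere the log's custodian cannot rewrite, such as signed paperwork, for the chain to carry weight.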

(vi) Expert witnesses

The complexities of obtaining and presenting computer-derived evidence to a
court will mean that in many cases experts will be required to assist the court. The
expert will be required to explain to the judge and jury in court the evidence being
adduced, since much computer-derived evidence is unintelligible to the normal
person.80 An expert essentially acts as an interpreter, addressing those matters ‘likely
to be outside the experience of and knowledge of a judge or jury’.81 The role of an
expert is not simply to present facts, but also to offer opinions and interpretations on
matters on which he has expertise.82 Indeed, the ability to state opinions distinguishes
an expert from the general rule applicable to witnesses that they should only give
evidence of facts they have perceived, although it must be clear to the court on what
facts any expert opinions are based.83 In the adversarial common law system, both the

76 P. Sommer, ‘Digital Footprint: Accessing Computer Evidence’, Criminal Law Review, Special
Edition, December, 1998.
77 Kajala v. Noble (1982) 75 Cr App R 149.
78 Where a complete copy of computer’s permanent memory is preserved. Also referred to as ‘bit
stream imaging methodology’.
79 Using Lotus Screen Cam.
80 N. Barrett, Traces of Guilt, Bantam Press, 2004, who describes ‘expert witnesses’ as having three
principal tasks: to describe the computer and its operation of relevance to the case; to assist counsel’s
understanding; and to appear in court and address any questions put (pp. 69-70).
81 Lord Mansfield in Folkes v. Chadd (1782) 3 Doug KB 157.
82 As a consequence, such evidence is sometimes referred to as ‘opinion evidence’.
83 Golizadeh (1995) Crim LR 232, where it was held that there is no requirement to actually produce
the computer print-out that contained the facts on which the expert’s opinion was derived.


prosecution and defence teams will need to make use of the services of ‘expert
witnesses’, although they are both under a duty to be impartial. By contrast, in civil
law systems, such as France and Germany, an official expert will be nominated by the
court that has a different status from a witness.84

One problem with experts in the fields of computer and communications
technologies is the huge range of systems and applications that may be involved and
therefore the range of skills being required of an expert. An expert in Unix systems,
for example, may not be able to assess IP-based transmission protocols and networks.
The technology is also developing so rapidly that an expert’s knowledge, if he is no
longer actively working in an area, may become outdated relatively rapidly. Therefore,
a complex case may require the use of a series of experts.85 The role of the expert in
determining certain matters is restricted, and should not supplant what is more
properly an issue to be decided by the court. For example, a cyber-forensic expert
may be able to indicate that relevant evidence was written by the same person, based
on common traits in the forensic data, but will not be in a position to give his opinion
as to who that person is, since this may be based on other evidence adduced by the
prosecution.86

7.7.1 Direct Evidence: Direct evidence is also called positive evidence. Direct
evidence is the testimony of the witnesses as to the principal fact to be proved.
It is the evidence of a person who says that he saw and/or heard about the
commission of the act which constitutes the alleged crime. It is evidence about
the real point in controversy. For example, ‘A’ is tried for setting fire to the
house. ‘B’ deposes that he saw ‘A’ setting fire to the house. This is an
instance of direct or positive evidence, as the witness is deposing exactly to
the precise point in issue. It also includes the production of an original
document.

84 However, variations exist in both systems. J. Spencer, ‘Evidence’ in Delmas-Marty and Spencer, JR
(eds), European Criminal Procedures, Cambridge University Press 2002, at p 632 et seq.
85 A. Kelman and R. Sizer, The Computer in Court, Ashgate, 1982.
86 Doheny (1997) 1 Cr App R 369, at p. 374, which concerned DNA material.


7.7.2 Hearsay Evidence: The term hearsay evidence, in contradistinction to direct
evidence, is used with reference to written as well as spoken information and
denotes evidence which does not derive its value solely from the witness
himself, but depends in part on the competency of some other person also. In
layman’s terms, it is evidence which is given by a person who himself has
not perceived it, but gained the information from some other source.87

7.7.3 Circumstantial Evidence: Circumstantial evidence is another indirect type of
evidence that accrues out of the peculiar facts or circumstances of a particular
situation or case and is relevant in proving a fact in dispute. For example, if a
witness states that he saw the accused stabbing the deceased, then it is direct
evidence, and if he states that he did not see him stabbing but saw the accused
coming out of the room where the murder took place, with a blood-stained
knife, it is an example of circumstantial evidence. Circumstantial evidence is not
to be confused with hearsay or secondary evidence. The circumstantial
evidence is always direct and primary. The circumstantial evidence is strictly
analysed to possess the inferential quality.88

7.7.4 Scientific Evidence: This type of evidence is commonly known as expert
evidence.89 It throws light on complex issues and facts revolving around
matters of science and its application. An expert in the concerned field of
knowledge (for example medical expert and forensic expert) appears in the
forum and deposes her understanding about the issues or facts of the matter in
question.

7.7.5 Real and Digital Evidence: Real evidence is any material evidence, which is
objectively or externally demonstrable and is perceivable in nature. The
proliferation of computers and influence of Information Technology in human
lives has raised the need of admitting evidence in judicial proceeding. With
more and more activities being carried out in the cyberspace, the real evidence
to these transactions is not available and the only alternative is the
admissibility of digital evidence.

87 Talat Fatima, Cyber Crimes, Eastern Book Company, 2011, p.42.
88 Gulab Chand v. Kudi Lal, AIR 1959 MP 151.
89 Ss. 45-51 of the Indian Evidence Act, 1872.


In the context of electronic evidence, it is ss.22A and 47A of the Evidence
Act90 that are of special relevance. Section 22A provides that oral admissions as to
the contents of the electronic record would not be relevant unless the very
genuineness of the record is in question. Similarly, when an issue involves a person’s
digital signature, the opinion of the certifying authority which issued the digital
signature is construed to be a relevant fact as per s.47A. Other sections of the
Evidence Act that deal with electronic evidence are sections 34,91 35,92 and 39.93
Presumptions about gazettes in electronic form,94 electronic agreements,95 electronic
records and digital signatures,96 messages97 and as to electronic records (older than
five years)98 also find a place in the Evidence Act. Section 131 is about the
circumstance when another person, who is in possession of documents and electronic
records, could refuse to produce it before court.

7.7.6 Amended Provisions: The Information Technology Act 2000, by introducing
various amendments in the Indian Evidence Act, 1872, has given it a new dimension
in the light of the functional equivalence principle. Through these amendments, the
Indian Evidence Act has been amended in the following sections:

(i) Section 3. Electronic records will be read as follows:

“All documents including electronic records produced for the inspection of the
Court”99.

(ii) Section 17. Admission defined.- An admission is a statement, [oral or
documentary or contained in electronic form], which suggests any inference

90 Inserted by Act 21 of 2000 (Information Technology Act), section 92 and Schedule II (w.e.f. 17-10-
2000)
91 Entries in books of accounts including those maintained in an electronic form are relevant but not
sufficient.
92 Entry in public [record or an electronic record] made in performance of duty is relevant.
93 Evidence to be given when statement forms part of a conversation, document, electronic record, book
or series of letters or papers.
94 Section 81 A of the Evidence Act, 1872 (Act 1 of 1872).
95 Ibid, Section 85 A.
96 Ibid, Section 85 B.
97 Ibid, Section 88 A.
98 Ibid, Section 90 A.
99 Subs. by the Information Technology Act, 2000, (Act No. 21 of 2000), Sec. 92 and Sch. II (w.e.f.
17.10.2000).


as to any fact in issue or relevant fact, and which is made by any of the
persons, and under the circumstances, hereinafter mentioned.

(iii) Section 22A. When oral admission as to contents of electronic records are
relevant.- Oral admissions as to the contents of electronic records are not
relevant, unless the genuineness of the electronic record produced is in
question.]

(iv) Section 45A. Opinion of Examiner of Electronic Evidence.—When in a
proceeding, the Court has to form an opinion on any matter relating to any
information transmitted or stored in any computer resource or any other
electronic or digital form, the opinion of the Examiner of Electronic Evidence
referred to in Section 79A of the Information Technology Act, 2000 (21 of
2000) is a relevant fact.

Explanation.—For the purposes of this section, an Examiner of Electronic
Evidence shall be an expert.]

(v) Section 47A100. Opinion as to 101[electronic signature] when relevant.— When
the Court has to form an opinion as to the 102[electronic signature] of any
person, the opinion of the Certifying Authority which has issued the
103[Electronic Signature Certificate] is a relevant fact.

(vi) Section 65A104. Special provisions as to evidence relating to electronic
record.—The contents of electronic records may be proved in accordance with
the provisions of Section 65-B.

(vii) Section 65B. Admissibility of electronic records.-

100 Ins. by the Information Technology Act, 2000, (Act No. 21 of 2000), S. 92 and Sch. II (w.e.f.
7.10.2000).
101 Subs. for “digital signature” by Information Technology (Amendment) Act, 2008 (Act No. 10 of
2009), Sec. 52 (c) (I) (w.e.f. 27.10.2009).
102 Subs. for “digital signature” by Information Technology (Amendment) Act, 2008 (Act No. 10 of
2009), Sec. 52 (c) (i) (w.e.f. 27.10.2009).
103 Subs. for “Digital Signature Certificate” by Sec. 52 (c) (ii), ibid (w.e.f. 27.10.2009).
104 Sections 65-A and 65-B ins. by the Information Technology Act, 2000, (Act No. 21 of 2000), S. 92
and Sch. II (w.e.f. 17.10.2000).


(1) Notwithstanding anything contained in this Act, any information
contained in an electronic record which is printed on a paper, stored,
recorded or copied in optical or magnetic media produced by a
computer (hereinafter referred to as the computer output) shall be
deemed to be also a document, if the conditions mentioned in this
section are satisfied in relation to the information and computer in
question and shall be admissible in any proceedings, without further
proof or production of the original, as evidence of any contents of the
original or of any fact stated therein of which direct evidence would be
admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer
output shall be the following, namely :—

(a) the computer output containing the information was produced
by the computer during the period over which the computer
was used regularly to store or process information for the
purposes of any activities regularly carried on over that period
by the person having lawful control over the use of the
computer;

(b) during the said period, information of the kind contained in the
electronic record or of the kind from which the information so
contained is derived was regularly fed into the computer in the
ordinary course of the said activities;

(c) throughout the material part of the said period, the computer
was operating properly or, if not, then in respect of any period
in which it was not operating properly or was out of operation
during that part of the period, was not such as to affect the
electronic record or the accuracy of its contents; and


(d) the information contained in the electronic record reproduces
or is derived from such information fed into the computer in
the ordinary course of the said activities.

(3) Where over any period, the function of storing or processing
information for the purposes of any activities regularly carried on over
that period as mentioned in clause (a) of sub-section (2) was regularly
performed by computers, whether—

(a) by a combination of computers operating over that period; or

(b) by different computers operating in succession over that
period; or

(c) by different combinations of computers operating in succession
over that period; or

(d) in any other manner involving the successive operation over
that period, in whatever order, of one or more computers and
one or more combinations of computers,

all the computers used for that purpose during that period shall be
treated for the purposes of this section as constituting a single
computer; and references in this section to a computer shall be
construed accordingly.

(4) In any proceedings where it is desired to give a statement in evidence
by virtue of this section, a certificate doing any of the following things,
that is to say—

(a) identifying the electronic record containing the statement and
describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production
of that electronic record as may be appropriate for the purpose
of showing that the electronic record was produced by a
computer;

(c) dealing with any of the matters to which the conditions
mentioned in sub-section (2) relate,

and purporting to be signed by a person occupying a responsible official
position in relation to the operation of the relevant device or the
management of the relevant activities (whichever is appropriate) shall be
evidence of any matter stated in the certificate; and for the purposes of
this sub-section it shall be sufficient for a matter to be stated to the
best of the knowledge and belief of the person stating it.

(5) For the purposes of this section.—

(a) information shall be taken to be supplied to a computer if it is
supplied thereto in any appropriate form and whether it is so
supplied directly or (with or without human intervention) by
means of any appropriate equipment;

(b) whether in the course of activities carried on by any official,
information is supplied with a view to its being stored or
processed for the purposes of those activities by a computer
operated otherwise than in the course of those activities, that
information, if duly supplied to that computer, shall be taken to
be supplied to it in the course of those activities;

(c) a computer output shall be taken to have been produced by a
computer whether it was produced by it directly or (with or
without human intervention) by means of any appropriate
equipment.


Explanation.—For the purposes of this section any reference to information
being derived from other information shall be a reference to its being derived
therefrom by calculation, comparison or any other process].

(viii) Section 81A. Presumption as to Gazettes in electronic forms.—The Court
shall presume the genuineness of every electronic record purporting to be the
Official Gazette, or purporting to be electronic record directed by any law to
be kept by any person, if such electronic record is kept substantially in the
form required by law and is produced from proper custody.

(ix) Section 90A. Presumption as to electronic records five years old.— Where any
electronic record, purporting or proved to be five years old, is produced from
any custody which the Court in the particular case considers proper, the
Court may presume that the 105[electronic signature] which purports to be the
106[electronic signature] of any particular person was so affixed by him or any
person authorised by him in this behalf.

Explanation.—Electronic records are said to be in proper custody if they are in
the place in which, and under the care of the person with whom, they naturally
be; but no custody is improper if it is proved to have had a legitimate origin, or
the circumstances of the particular case are such as to render such an origin
probable.

7.8 JUDICIAL RESPONSE

One of the most important characteristics of the cybercrime is its global reach.
Unlike physical evidence that is generally limited to a very small geographical area,
the virtual evidence is spread across the cyberspace and thus poses several problems
for the investigators. For example, a Russian hacker may use the Internet to hack a
German computer network in order to steal money from a US bank. Similarly, a
kidnapper of an Indian boy may send his ransom notes by email through an

105 Substituted for “digital signature” by Information Technology (Amendment) Act, 2008 (Act No. 10
of 2009), S. 52 (h) (w.e.f. 27.10.2009).
106 Inserted by the Information Technology Act, 2000, (Act No. 21 of 2000), S. 92 and Sch. II (w.e.f.
17.10.2000).


accomplice based in South Africa or he may choose to launder the message by routing
it through many computers owned by unsuspecting persons in all parts of the globe,
just as the net may be used for money laundering107.

Digital evidence has been offered in an increasing number of criminal and civil
court cases over the last decade. Digital evidence must meet the standards of other
scientific and technical evidence to be admissible in court. Judges and juries make
decisions based upon their understanding of evidence that is presented at trial.
Familiarity with ICTs due to the everyday use of computers, the Internet, mobile
phones, and other digital devices and network services might be interpreted by a
fact-finder as understanding how evidence is derived from these digital sources. An
understanding of how digital evidence is derived is a critical factor in weighing the
probative and prejudicial value of this evidence when introduced in court. In this
chapter, the issue of digital evidence is discussed in the light of decided cases in
the U.K., U.S.A. and India.

7.8.1 Judicial response in U.K.

The UK Civil Evidence Act, 1984, provides for computer evidence to be admitted if it
satisfies two tests. Firstly, there must be no reasonable ground for believing that the
statement is inaccurate because of improper use of the computer. Secondly, the
computer must have been operating properly at all material times or at least the part
that was not operating properly must not have affected the production of the document
or the accuracy of the contents. Certain cases are as follows:

In the case of R v. Gold108, Robert Schifreen and Stephen Gold, using
conventional home computers and modems, gained unauthorised access to British
Telecom’s Prestel interactive viewdata service during the year 1984-85. While at a
trade show, Schifreen, by doing what latterly became known as shoulder surfing, had
observed the password of a Prestel engineer: the username was 22222222 and the
password was 1234. This later gave rise to subsequent accusations that BT had not

107 Talat Fatima, Cyber Crimes, Eastern Book Company, 2011, p. 40l.
108 (1988) 1 AC 1063.


taken security seriously. Armed with this information, the pair explored the system,
even gaining access to the personal message box of Prince Philip. Prestel installed
monitors on the suspect accounts and passed information thus obtained to the police.
The pair was charged under section 1 of the Forgery and Counterfeiting Act
1981 with defrauding BT by manufacturing a “false instrument”, namely the internal
condition of BT’s equipment after it had processed Gold’s eavesdropped password.
Tried at Southwark Crown Court, they were convicted on specimen charges (five
against Schifreen, four against Gold) and fined, respectively, £750 and £600.
Although the fines imposed were modest, they elected to appeal to the Criminal
Division of the Court of Appeal. Their counsel cited the lack of evidence showing the
two had attempted to obtain material gain from their exploits, and claimed the Forgery
and Counterfeiting Act had been misapplied to their conduct. They were acquitted by
Lord Justice Lane, but the prosecution appealed to the House of Lords. In 1988,
the Lords upheld the acquittal.

In R v. Whiteley109 the defendant was convicted of causing damage through
gaining unauthorised access to the Joint Academic Network System and deleting and
amending a substantial number of files. It was held that the alteration of magnetic
particles on the disk impaired the value and usefulness of the disk and constituted
damage. The attempt to exclude the Criminal Damage Act, 1971 in the computer context
may not be effective. It is suggested that damage to data held on a computer disk
might still be regarded as adversely affecting its physical condition.

In R v. Shepherd110 the accused, Mrs. Shepherd, was alleged to have shoplifted
from a Marks and Spencer store in London; she contended that she had thrown her
receipt away. The prosecution relied upon the store’s central computer system’s
record. The question before the House of Lords was whether this evidence should
satisfy the requirements of section 69 of the 1984 Act. Lord Griffiths made the
following statement:111 “If the prosecution wishes to rely upon a document produced

109 1991 93 Cr App Rep 25.
110 (1993) 1 All ER 225.
111 Id at p. 230. However, this statement is not absolutely correct. Some computer evidence may be
adduced not for any fact therein, but as an actual fact. For example, a bank statement showing an entry of X
sum of money into a bank account. This evidence is not a statement that the account is credited, rather


by a computer, they must comply with section 69 in all cases.” Section 69 poses a
negative requirement that, unless the evidence sought to be adduced meets the criteria,
it is inadmissible. It is a powerful tool to ensure that both prosecution and defence rely
only on approximately reliable evidence. A critical analysis of the types of evidence
used in a digital case reveals that there will be little evidence that will not be required
to meet the requirements of this section. The evidence may include logs stored on the
client’s, host’s, victim’s, or accused’s computers. It will also possibly include data or
programmes to which the prosecution alleges the defendant gained access. In such
circumstances, the prosecution may, unwisely, rely on ‘date-stamps’. Thus, the issue
was adjudicated by relying on the electronic evidence.

The case of R. v. Cochrane112 illustrates the utility of focusing on one
computer in a chain to ‘break’ the continuity. Apart from the certification
implications, to prove beyond reasonable doubt that the defendant was responsible
for unauthorised access to the victim’s computer, the prosecution can be forced to
prove continuity of evidence. That is, the prosecution should be able to follow or trace
a line of access from the hacker’s own computer to the victim’s. Any discontinuity
may raise a reasonable doubt in the court’s mind as to whether the defendant was the
person responsible for the final unauthorised access. In cases of hacking, it is also
well known that hackers rarely attempt to gain access to their victim’s computer
directly. Instead, their preferred method is to log in to one computer on the Internet
and from there log in to another, and so on. This process is repeated many times, and
each new login made by the hacker presents another piece of evidence that the
prosecution may have to prove to establish continuity from the first to the final
unauthorised access.
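The continuity requirement described above can be checked mechanically against the login records recovered from each machine in the chain. The following Python sketch is an added illustration, not part of the original chapter: the record fields, host names, addresses and times are constructed assumptions. It flags a hop whose logged source does not match the previous machine, or whose date-stamp cannot be aligned with the previous session once each machine's measured clock error is applied.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    host: str                          # machine whose log recorded the login
    host_addr: str                     # address that machine connects out from
    src_addr: str                      # address the login came from, as logged
    start: datetime                    # login time stamped by that machine's clock
    end: datetime                      # logout time, same clock
    clock_offset: Optional[timedelta]  # measured clock error (host minus reference);
                                       # None means it was never measured


def to_reference(s: Session) -> Optional[Tuple[datetime, datetime]]:
    """Convert a session's date-stamps to reference time, if that is possible."""
    if s.clock_offset is None:
        return None
    return s.start - s.clock_offset, s.end - s.clock_offset


def check_continuity(chain: List[Session], origin_addr: str,
                     tolerance: timedelta = timedelta(seconds=5)) -> List[str]:
    """Walk the sessions from first hop to victim; an empty list means continuous."""
    findings = []
    expected_src = origin_addr
    prev_span = None
    for i, s in enumerate(chain, start=1):
        label = f"hop {i} ({s.host})"
        # Each login must originate from the machine reached at the previous hop.
        if s.src_addr != expected_src:
            findings.append(f"{label}: login came from {s.src_addr}, not from {expected_src}")
        span = to_reference(s)
        if span is None:
            findings.append(f"{label}: clock offset not documented, date-stamps cannot be aligned")
        elif prev_span is not None:
            # The onward login must start while the previous hop's session was open.
            if not (prev_span[0] - tolerance <= span[0] <= prev_span[1] + tolerance):
                findings.append(
                    f"{label}: login at {span[0]:%H:%M:%S} falls outside the previous hop's session")
        expected_src = s.host_addr
        prev_span = span
    return findings


def ignore_offsets(chain: List[Session]) -> List[Session]:
    """Treat every raw date-stamp as if it were already reference time."""
    return [replace(s, clock_offset=timedelta(0)) for s in chain]


def t(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample records (documentation address ranges, invented host names).
ORIGIN = "192.0.2.10"  # address attributed to the defendant's own computer
CONTINUOUS = [
    Session("relay-a", "198.51.100.20", "192.0.2.10", t(10, 0), t(10, 40), timedelta(0)),
    # relay-b's clock runs one hour ahead of reference time.
    Session("relay-b", "203.0.113.30", "198.51.100.20", t(11, 2), t(11, 35), timedelta(hours=1)),
    Session("victim", "203.0.113.99", "203.0.113.30", t(10, 5), t(10, 30), timedelta(0)),
]
BROKEN = [
    CONTINUOUS[0],
    replace(CONTINUOUS[1], src_addr="198.51.100.77"),  # source does not match relay-a
    replace(CONTINUOUS[2], clock_offset=None),         # victim clock never measured
]

if __name__ == "__main__":
    for name, chain in (("continuous", CONTINUOUS),
                        ("raw date-stamps", ignore_offsets(CONTINUOUS)),
                        ("broken", BROKEN)):
        print(name, check_continuity(chain, ORIGIN) or "no discontinuity found")
```

The middle case shows why bare date-stamps are a weak foundation: the same records that form a continuous chain once clock error is accounted for appear broken at two hops when the stamps are taken at face value.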

the fact. U.K. Courts have admitted evidence which is alleged to have been modified without clearing
the section 69 hurdle.
112
(1993) Criminal Law Review 48.


7.8.2 Judicial response in U.S.A.

The US Federal Rules of Evidence provide that the evidence adduced must be
sufficient to support a finding that the computer record is what its proponent claims
it is, and the only requirement is that the witness should have firsthand knowledge of
the information about which he is testifying. In order for the electronic evidence to be
admissible, it must comply with the ‘best evidence rule’, and the ‘chain of custody’ must
be such that it rules out any tampering. In the simplest understanding, best evidence is
considered to be evidence in its original form. “If data are stored in a computer or similar
device, any printout or other output readable by sight, shown to reflect the data
accurately, is an original.”

“A duplicate is admissible to the same extent as an original unless: (1) a
genuine question is raised as to the authenticity of the original or (2) in the
circumstances it would be unfair to admit the duplicate in lieu of the original.”

In the leading case of Lorraine v. Markel American Insurance Company113,
Grimm J. describes a model for addressing admission of electronic evidence. The Lorraine
model suggests that admissibility of electronic evidence focuses first on relevance,
asking whether the electronic evidence has any tendency to make some fact that
is of consequence to the litigation more or less probable than it would be otherwise.
Secondly, it should address authenticity, asking whether the electronic evidence can be
shown to be what it purports to be. Thirdly, the hearsay concerns
associated with the electronic evidence must be addressed properly, asking if it is a
statement by the declarant, other than one made by the declarant while testifying at
the trial or hearing, offered for the truth of the matter asserted, and, if the electronic
information is hearsay, whether an exclusion or exception to the hearsay rule applies.
Fourthly, the application of the original documents rule must be taken care of. Fifthly,
and finally, it should be considered whether the probative value of the electronic
evidence is substantially outweighed by the danger of unfair prejudice, confusion, or
waste of time. Careful consideration of these traditional evidentiary principles will
permit a proponent to successfully admit electronic evidence.
113
241 F.R.D. 534 (D. Md. 2007)


In Hall v. Great-West114 the U.S. Eleventh Circuit Court observed that in civil
litigation, computer forensics plays an important role. A missed item of evidence can
be the difference between a substantial jury verdict and a dismissal of a case. Any
litigation matter that involves digital evidence, whether located in a computer, laptop,
tablet computer, smart phone, thumb drive, portable drive, SD card, or other device, is
fertile ground for discoverable evidence. Even deleted items are very relevant when
examining claims. Issues of spoliation arise in every case where a party purposely
deletes digital evidence. Even criminal cases such as computer trespass (hacking, or
violation of the Computer Fraud and Abuse Act, 1986), access device fraud, credit
card fraud, and others provide for civil remedies to the victims. Also, in cases of
divorce a spouse may have illegally obtained access to the other spouse's email, or
social network (such as Facebook, Twitter, MySpace) in violation of the law. A
computer forensics expert will examine digital evidence, some of which may be
deleted or hidden.

In United States v. Cotterman115 United States Court of Appeals for the Ninth
Circuit held that property, such as a laptop and other electronic storage devices,
presented for inspection when entering the United States at the border may not be subject
to forensic examination without a reason for suspicion, a holding that weakened the
border search exception of the Fourth Amendment to the United States Constitution.

In 2007, in Lorraine v. Markel American Insurance Company116, the United
States District Court for Maryland handed down a landmark decision that clarified
the rules regarding the discovery of electronically stored information. In American
federal courts, the law of evidence is set out in the Federal Rules of Evidence.
Lorraine held that when electronically stored information is offered as evidence, the
following tests need to be affirmed for it to be admissible: (i) is the information
relevant; (ii) is it authentic; (iii) is it hearsay; (iv) is it original or, if it is a duplicate, is
there admissible secondary evidence to support it; and (v) does its probative value
survive the test of unfair prejudice.

114
No. 07-14123 (11th Cir. 2008)
115
(9th Cir. en banc 2013)
116
241 F.R.D. 534 (D. Md. 2007)


Robert and Carleen Thomas, residents of California, were charged with
violation of the obscenity laws in Tennessee in U.S. v. Thomas117 when a Memphis
law enforcement officer downloaded sexually explicit materials from their California
bulletin board service (BBS) to a computer in Tennessee. This was the first time a
prosecutor had brought charges in an obscenity case in the location where the material
was downloaded rather than where it originated. The accused were convicted, and
they appealed; the appeals court upheld the conviction and sentences; the U.S.
Supreme Court rejected their appeal.

A legal issue in presenting evidence is the “best evidence rule”, which states
that to prove the contents of a document, recording or photograph, the “original”
document, recording or photograph is ordinarily required. For example, in United
States v. Bennett118 a federal agent testified about information that he viewed on the
screen of a GPS on the defendant’s boat in order to prove he had imported drugs
across international waters. It was decided the agent’s testimony violated the best
evidence rule because he had only observed a graphical representation of data from
the GPS instead of actually observing the professed path the boat had been following
during the encounter. Since the U.S. sought to prove the contents of the GPS, the best
evidence rule was invoked and required the government to present the actual GPS
data or printout of the data, rather than the testimony from the federal agent.

In the case of English v. State of Georgia119 the court observed that the technician who
produced the computer-enhanced image testified as to the process used and said that it
was a fair and accurate representation of what appeared in the videotape copy.
Accordingly, the computer-enhanced image was admissible.

In the case of State of Arizona v. Paxton120, the Court ruled that the
expert evidence was relevant and admissible because if the seat cover was off the
driver’s seat up to three months before the murder, it was likely off at the time of the
murder, especially given the fact that the straps were broken. The Court expressed no

117
74 F. 3d 701 (6th Cir. 1996).
118
363 F.3d 947 (9th Cir. 2004).
119
205 Ga. App. 599 (1992)
120
186 Ariz. 580 (1996)


concern with the admissibility of the forensic digital analysis of the photographs. The
conviction was upheld.

In the case of Commonwealth of Pennsylvania v. Auker121, the Court noted that
expert testimony is permitted as an aid to the jury when the subject matter is distinctly
related to a science, skill or occupation beyond the knowledge or experience of the
average lay person. Where a witness has a reasonable pretension to specialised
knowledge on a subject in issue, the witness may testify and the jury will assign the
appropriate weight to that evidence. Expertise, whether gathered from formal
education or by experience, is expertise. Here, the Chevrolet representative had
specialized knowledge and was properly permitted to express an opinion as to the
make and year of the car depicted in the video. The Court expressed no concern with
the admissibility of the digital image enhancement evidence.

The Court observed in the case of R. v. Cooper122 that, in its opinion, the
digitisation, blowing up, and lightening of the images on the videotape does no more
than enhance or clarify the images. The digitised images are the same images seen
on the videotape and one needs only to compare the faces to see that the images have
not been changed. Digitisation is clearly a useful tool to assist the court in viewing
and comparing the videotape images. Accordingly it was concluded that Constable
Frederick’s video slides and other work product are admissible into evidence.

7.8.3 Judicial response in India

Laws are not always exhaustive. To cope with the changing pace of information
technology and society, and to close the loopholes in legislation, the judiciary comes
forward to interpret the law so that it may be inclusive enough to cover incidents of cyber
terrorism. As laws cannot be amended on a daily or monthly basis, the
role of the judiciary in interpretation becomes more relevant. The legislature has certain
limitations in amending laws regularly in step with the changes in
society; furthermore, no law can be interpreted for achieving the purpose of every

121
545 Pa. 521 (1996)
122
(2000) B.C.J. 446 (March 2, 2000, British Columbia Supreme Court).


individual case. Thus, the judiciary has a greater responsibility to give verdicts in favour of
justice as well as to recognise digital evidence. For any piece of evidence to be
introduced in court, it must meet certain standards of legal permissibility that allow
the court to receive and consider it. Broadly speaking, one of the prime considerations
before evidence is considered admissible is its relevance to the matter at issue. Here,
under this heading, a humble attempt has been made to discuss various case laws
dealing with admissibility of digital evidence.

In the very popular case of Twentieth Century Fox Film Corporation v. NRI
Film Production Association (Pvt) Ltd.123 the court observed that the following conditions
must be complied with in order to authenticate video conferencing:

(i) Before a witness is examined in terms of the audio-video link, the witness is to file an
affidavit or an undertaking duly verified before a notary or a judge that the
person who is shown as the witness is the same person who is going to depose
on the screen. A copy is to be made available to the other side.

(ii) The person who examines the witness on the screen is also supposed to file an
undertaking before examining the witness, with a copy to the other side, with
regard to identification.

(iii) The witness has to be examined during the working hours of Indian courts. The oath is
to be administered through the media.

(iv) The witness should not plead any inconvenience on account of the time difference
between India and the United States of America.

(v) Before examination of the witness, a set of the plaint, written statement and other
documents must be sent to the witness so that the witness is acquainted with
the documents, and an acknowledgement is to be filed before the court in this
regard.

(vi) The learned judge is to record such remarks as are material regarding the demur
of the witness on the screen.

123
AIR 2003 KANT 148.


In State of Maharashtra v. Dr. Praful B. Desai124 the question raised was whether a
witness can be examined by means of a video conference. Video conferencing is an
advancement of science and technology which permits hearing and talking with someone
who is not physically present with the same facility and ease as if they were physically
present. The presence of the witness does not mean actual physical presence. The court
allowed the examination of the witness through video conferencing and concluded that
there is no reason why the examination of a witness by video conference should not be
an essential part of electronic evidence.

The case of State v. Navjot Sandhu125, popularly known as the Parliament Attack
Case, led to the conviction of the Respondent under various provisions of the
Indian Penal Code, 1860 and the Prevention of Terrorism Act, 2002. One of the
pieces of evidence relied upon by the prosecution, and subsequently forming the basis of
conviction, was the call records of the accused. In appeal, the Supreme Court
had occasion to adjudicate on the admissibility of the call records as electronic
evidence. The Court held that printouts taken from the computers/servers by
mechanical process and certified by a responsible official of the service providing
Company can be led into evidence through a witness who can identify the signatures
of the certifying officer or otherwise speak to the facts based on his personal
knowledge. This would make the call records admissible. The Supreme Court went
further on to state that irrespective of the compliance of the requirements of Section
65B of the Evidence Act which is a provision dealing with admissibility of electronic
records, there is no bar to adducing secondary evidence under the other provisions of
the Evidence Act, namely Sections 63 and 65.126

In Amitabh Bagchi v. Ena Bagchi127 the court observed the importance of
Section 65B of the Indian Evidence Act, 1872. Accordingly the court held that the physical
presence of a person in court may not be required for the purpose of adducing evidence and

124
AIR 2003 SC 2053.
125
AIR 2005 SC 3820.
126
The Court held that merely because a certificate containing the details in sub-Section (4) of Section
65B is not filed in the instant case, does not mean that secondary evidence cannot be given even if the
law permits such evidence to be given in the circumstances mentioned in the relevant provisions,
namely Sections 63 and 65.
127
AIR 2005 Cal 11.


the same can be done through a medium like video conferencing. Sections 65A and 65B
provide for evidence relating to electronic records and the admissibility of
electronic records, and the definition of electronic records includes video conferencing.

In Jagjit Singh v. State of Haryana128, the Speaker of the Legislative
Assembly of the State of Haryana disqualified a Member for defection. The Supreme
Court, whilst hearing the matter, also considered the appreciation of digital evidence
in the form of transcripts of digital media including the Zee News television channel,
the Aaj Tak television channel, and the Haryana News of Punjab Today television
channel. Y.K. Sabharwal, CJ, indicated the extent of the relevant digital materials.
The court determined that the electronic evidence placed on the record was
admissible, and upheld the reliance placed by the Speaker on the interview recorded
on the CDs for reaching the conclusion that the persons recorded on the CDs were the
same as those taking action, and their voices were identical. The Supreme Court
found no infirmity in the reliance placed on digital evidence by the Speaker, and the
conclusions reached by Y.K. Sabharwal, CJ, in paragraph 31 bear repeating in full:

In Bodala Murali Krishna v. Smt. Bodala Prathima129 the court held that the
amendments made to the Evidence Act by the introduction of Sections 65A and 65B are
in relation to e-records. Section 67A and Section 73A were introduced as regards proof
and verification of digital signatures. As regards the presumptions to be drawn about such
records, Sections 85A, 85B, 85C, 88A and 90A have been added. Section 81A was inserted,
which provides that the presumption of genuineness attaches to the Official
Gazette or electronic gazette: the court shall presume the genuineness of any
electronic record if it is kept in the form and the manner required by law and is
produced from proper custody. The court shall presume execution of an electronic
agreement if the electronic signatures of the parties to the electronic agreement have
authenticated it.

128
(2006) 11 SCC 1.
129
2007 (2) ALD 72.


In Dharambir v. CBI130 it has been observed that an admission is a statement,
oral or documentary or contained in electronic form, which suggests any inference as
to any fact in issue or relevant fact and which is made by any of the persons and
under the circumstances hereinafter mentioned. An admission could now be in
electronic form, which could be in oral (audio) or documentary (textual) form131. A
digitally signed electronic record is hence relevant132. In this case the court arrived at the
conclusion that Section 65B covers not only e-records but also the hard disc, and that
there are two levels of e-records. The court concluded that when Section 65B talks of
an electronic record produced by a computer (referred to as the computer output), it
would also include a hard disc in which information was stored, or was earlier stored,
or continues to be stored. The first level is the hard disc itself, and the second is the
text file, sound file or video file etc. that is accessible or converted via the hard disc.

In Kailash v. Suresh Chandra133, subsection (2) of Section 65B extends
the concept of admissibility of an electronic record generated by a single computer, as
articulated in subsection (2), to include admissibility of an electronic record generated by
a combination of computers operating in succession or in any other manner involving
one or more computers, or combinations of one or more computers, over the time period
in question. Irrespective of the number of computers used, all such computers
shall be taken as constituting a single computer. It thus provides for admissibility of
electronic records generated from any one of the computers of a Local Area
Network, Wide Area Network or any such computer network. Sub-section (4)
sets out the way to certify a statement given in an electronic record for the purpose
of its admissibility in any proceeding: the said certificate must be signed by a
person occupying a responsible official position in relation to the operation of the
relevant device or the management of the relevant activities of such a system.

130
148 (2008) DLT 289.
131
Ibid. Section 17.
132
Ibid. Section 22 and Section 22A.
133
MANU/MP/1139/2011.


In Anvar P.V. v. P.K. Basheer134 speeches, songs and announcements were
recorded using other instruments and by feeding them into a computer. CDs were
made therefrom, which were produced in court without due
certification. Those CDs cannot be admitted in evidence, since the mandatory
requirements of Section 65B of the Indian Evidence Act are not satisfied. The new rule of
admissibility laid down in Anvar P.V. has overruled the position in law as stated in State v.
Navjot Sandhu. The Court has now held that any documentary evidence in the form of
an electronic record can be proved only in accordance with the procedure prescribed
under Section 65B of the Evidence Act. To reach this conclusion the Court reasoned
that Section 65B of the Evidence Act was inserted by way of an amendment by
the Information Technology Act, 2000. Inasmuch as it is a special provision which
governs digital evidence, it will override the general provisions with respect to
adducing secondary evidence under the Evidence Act. The Court further goes on to
hold that provisions such as Section 45A of the Information Technology Act, 2000,
which provide for the opinion of an examiner of electronic evidence, can only be availed of
once the provisions of Section 65B are satisfied. Hence compliance with Section 65B
is now mandatory for persons who intend to rely upon emails, websites or any
electronic record in a civil or criminal trial to which the provisions of the Indian Evidence
Act apply.

It was held in S. Ramachandran v. E. V. Velu135 that any documentary
evidence by way of an electronic record under the Evidence Act, in view of Sections 59
and 65A, can be proved only in accordance with the procedure established
under Section 65B, which deals with the admissibility of electronic records136. A very
significant provision that has been inserted in the Indian Evidence Act regarding the
admissibility of electronic records in any proceedings is Section 65B (admissibility of
electronic records). Under Sub-Section (1), an electronic record
shall be deemed to be a document if any information contained in the said electronic
record is printed on paper, stored, recorded or copied in optical or magnetic media
produced by a computer (computer output). Sub-Section (2) lays down the
conditions that must be satisfied for acceptance of computer-generated
output:

134
MANU/SC/0834/2014.
135
MANU/TN/1631/2014.
136
Ibid. Section 59.


(i) Proper identification of the computer which has produced the said computer
output containing the information;

(ii) The said output was produced during the period over which the computer was
used regularly to store or process information;

(iii) Confirmation that the person was having lawful control over the use of such
computer during the said period;

(iv) The said computer output in the form of an electronic record containing
information results from such information fed into the computer in the
ordinary course.

The objective behind subsection (2) is to identify whether
the computer in question has properly processed, stored and reproduced
whatever information it received.

In the case of Tomaso Bruno & Anr. v. State of U.P.137 the court had convicted the
accused persons under Section 302 read with Section 34 of the Indian Penal Code
against which an appeal was preferred before the High Court. The High Court by
impugned judgment confirmed the conviction and sentence. Appellants before the
Supreme Court contended that all the circumstances relied upon by the prosecution
ought to be firmly established by evidence and the circumstances must be of such
nature as to form a complete chain pointing to the guilt of the accused and the courts
below ignored the conditions required to be satisfied in a case based on circumstantial
evidence. It was further contended that non-production of CCTV footage being an
important piece of evidence casts a serious doubt in the prosecution case and non-
production of such best possible evidence is fatal to the prosecution case. Non-
production of CCTV footage, non-collection of call records (details) and SIM details
of mobile phones seized from the accused cannot be said to be mere instances of
faulty investigation but amount to withholding of best evidence. As per Section 114

137
MANU/SC/0057/2015. See also Deviben Ahir and Ors. v. State of Gujarat, MANU/GJ/0349/2017;
Hemlatabai Ravikant Darne and Ors. v. Prakash Gurudas Timblo and Ors. MANU/MH/0509/2017;
Mehid Masroor Biswas v. State of Karnataka, MANU/KA/0509/2017; Murugesan v. Arumugham and
Ors, MANU/TN/1399/2017; Janardhanan Pillai and Ors. v. Salini and Ors, MANU/KE/1671/2016:
K. Ramajayam v. The Inspector of Police, MANU/TN/0112/2016; Kamal Patel v. Ram Kishore Dogne,
MANU/MP/0050/2016; Abdul Fareed and Ors. v. State of U.P. and Ors, MANU/UP/2212/2016;
Ashwani Kumar v. State of Haryana, MANU/PH/1887/2016; Bajaj Auto Limited v. TVS Motor
Company Limited, MANU/TN/0453/2016: ELI Lilly and Company and Ors. v. Maiden
Pharmaceuticals Limited, MANU/DE/3031/2016.


(g) of the Evidence Act, if a party in possession of best evidence which would throw
light in controversy withholds it, the court can draw an adverse inference against him
notwithstanding that the onus of proving does not lie on him. The presumption under
Section 114 (g) of the Evidence Act is only a permissible inference and not a
necessary inference. Notwithstanding the fact that the burden lies upon the accused to
establish the defence plea of alibi in the facts and circumstances of the case,
prosecution in possession of the best evidence–CCTV footage ought to have produced
the same. Admittedly, there was no eye-witness and the prosecution case was based
on circumstantial evidence. An important circumstance relied upon by the prosecution
and accepted by the Courts below was that the offence had taken place inside the
privacy of the hotel room in which the accused and the deceased were staying
together and only the accused had the opportunity to commit the offence. To invoke
Section 106 of the Evidence Act, the main point to be established by the prosecution
was that the accused persons were present in the hotel room at the relevant time.

It was accordingly held by the apex court that with the advancement of
information technology, scientific temper in the individual and at the institutional
level is to pervade the methods of investigation. With the increasing impact of
technology in everyday life, the production of electronic evidence in
cases has become relevant to establish the guilt of the accused or the liability of the
defendant. Electronic documents are admissible as material evidence. The computer
generated electronic records in evidence are admissible at a trial if proved in the
manner specified by Section 65B of the Evidence Act. Secondary evidence of
contents of document can also be led under Section 65 of the Evidence Act.
Production of scientific and electronic evidence in court as contemplated under
Section 65B of the Evidence Act is of great help to the investigating agency and also
to the prosecution.

The prosecution in the case of The State of Maharashtra and Ors. v. Rajesh and
Ors.138 relied on the CCTV139 footage recovered from the petrol pump wherein the

138
2016 (3) Bom. C. R. (Cri) 55, MANU/MH/0660/2016. See also Mohammad Akbar v. Ashok Sahu
and Ors, MANU/CG/0405/2016; Nepal Singh v. The State of Tripura, MANU/TR/0233/2016;
Radhanath Yadav and Ors. v. State of Assam, MANU/GH/0532/2016; Rakesh Jain v. State of
Haryana, MANU/PH/0164/2016; Saidai Sa. Duraisamy v. Stalin M.K. and Ors,
MANU/TN/3269/2016: Smitha Gireesh v. U.O.I and Ors MANU/DE/1440/2016; State of Rajasthan v.


accused had refueled the vehicle. Bharat Petroleum Corporation had given the
contract to Kores India Limited for installation of CCTV cameras at the premises
of the petrol pump. Eight CCTV cameras, an NVR140, a monitor, etc. were
supplied to the petrol pump by Kores India Limited. All the cameras were
functioning 24×7, and in case of any malfunctioning in the system, pump
operators had to lodge a complaint with Bharat Petroleum through the Broma
Software. The prosecution affirmatively stated that up to the date of commission of the said
crime there was no occasion to lodge a complaint about malfunctioning of the
CCTV cameras and the system installed at the petrol pump.

The court observed that, in fact, there is a revolution in the way the evidence is
produced before the court, it makes the systems function faster and more effective and
any documentary evidence by way of an electronic record under the Evidence Act, in
view of Sections 59 and 65A, can be proved only in accordance with the procedure
prescribed under Section 65B. The purpose of these provisions is to sanctify
secondary evidence in electronic form, generated by a computer. It may be noted that
the Section starts with a non obstante clause. Thus, notwithstanding anything
contained in the Evidence Act, any information contained in an electronic record
which is printed on a paper, stored, recorded or copied in optical or magnetic media
produced by a computer shall be deemed to be a document only if the conditions
mentioned under Sub-section (2) are satisfied, without further proof or production of
the original. The very admissibility of such a document, i.e., electronic record which
is called as computer output, depends on the satisfaction of the four conditions under
Section 65B (2).

Ramsahay and Ors, MANU/RH/0350/2016; Subhash Chand v. State of H.P., MANU/HP/1641/2016;
Sunil Panchal v. State of Rajasthan, MANU/RH/0987/2016; The State of Maharashtra and Ors v.
Rajesh and Ors, MANU/MH/0660/2016; Faim and Ors. v. The State of Maharashtra,
MANU/MH/3080/2015; Hosamanera Prakash and Ors. v. State of Karnataka, MANU/KA/1122/2015.
139
Closed-circuit television (CCTV), also known as video surveillance, is the use of video cameras to
transmit a signal to a specific place, on a limited set of monitors.
140
A network video recorder (NVR) is a software program that records video in a digital format to
a disk drive, USB flash drive, SD memory card or other mass storage device. An NVR contains no
dedicated video capture hardware. However, the software is typically run on a dedicated device,
usually with an embedded operating system. Alternatively, to help support increased functionality and
serviceability, standard operating systems are used with standard processors and video management
software. An NVR is typically deployed in an IP video surveillance system. Retrieved from
https://en.wikipedia.org/wiki/Network_video_recorder on 06/07/2017 at 15:35 hrs.


7.9 APPRAISAL

Cyber forensics involves the identification, documentation, and interpretation
of computer media for use as evidence; it is the process of identifying,
collecting, preserving, analysing and presenting computer-related evidence in a
manner that is legally acceptable to a court. Forensic sciences have been developed to
ensure that criminals are hunted down and brought to the court of law. This branch of
science provides two benefits and messages to society at large: firstly, it
demonstrates that criminals will be punished for their acts and no one can get away
without being punished for his/her crimes; secondly, the authorities have enough
capabilities and will go to any extent to protect society from adversaries and
maintain law and order for the harmonious co-existence of human beings.

However, the growth of network-based crime has raised some unique and
difficult issues in respect of the appropriate balance between the needs of those
investigating and prosecuting such crime. Law enforcement agencies have been
looking towards intermediaries to assist them in the investigative process, either by
gathering data transmitted by the suspects themselves or by providing data
generated by the communication service providers about the communication activities
of suspects. Law enforcement will have to expand its investigative practices to
respond competently to the problem at hand; much insight can be gained from past
incidents of cybercrime and cyber forensics when developing sound policy to guide
investigators in the future. Cyber forensics as a discipline requires technology-savvy
investigating authorities and highly trained professionals operating in an organised and
comprehensive manner; cyber policing should be promoted, and cybercrimes should
be tried by special cyber courts.

The growing number of cybercrimes and acts of cyber terrorism indicates the need to set up
a support group consisting of officers from various investigative agencies, state
police headquarters and the detective department of computer investigation. These trained
police officers are needed to understand the nature of the crime at the threshold and
proceed with the investigation in a correct and required manner, failing which the result will
be a botched investigation from the outset, with evidence left behind and a total failure
to convict the criminal. While China has a cyber army comprising 20,000 cyber
experts and the USA has a total strength of about 12,000, India has
only 600 cyber experts. Thus, the appropriate authorities must pay attention to this
problem, because without cyber experts we can't create deterrence. Special measures
should be taken while conducting a cyber forensics investigation. It must be kept in
mind that the mere collection of evidence is not enough. The agency is required to
ascertain whether or not the evidence so gathered is admissible in a court of
law. For the purpose of admissibility, it is supposed to make provisions so that
the evidence is not tampered with or destroyed. Evidence has to undergo a strict test
of admissibility. Hence it must draw a clear picture of the sequence of events leading
to one and only one conclusion: that the accused is guilty.

Cyber forensics has become more challenging because the forms and techniques of
data storage are continuously changing and new technologies are being
developed. One of the major challenges faced by investigators and courts is the
lack of a legal framework. In India, after the enactment of the Information Technology Act,
2000 and the amendments to the Indian Evidence Act, 1872 and the Indian Penal Code, 1860,
an electronic record is admissible evidence, subject to satisfaction of the provisions
laid down under section 65B and the ratio decidendi stipulated in Anwar P.V. v. P.K. Basheer.
However, the major problem relates to jurisdictional issues. The tasks of
identifying cyber-criminals and bringing them to justice pose formidable challenges to
law enforcement agencies across the globe and require a degree and timeliness of
cooperation that has been until only recently regarded as difficult, if not impossible, to
achieve.
