This write up draws from the recent Delhi Police Standing Orders on preservation of electronic evidence. With the increased use of communication devices/computers and digital storage devices in homes and offices, now every second case involves electronic evidence. The investigation of such crimes and collection of evidence is extremely challenging as most evidence is intangible in nature, and often in ephemeral (short-lived) form. It’s extremely important for Magistrates to be technocrats and to be aware of these, so that these standards can be enforced and vital evidence is not lost.
The stages of a digital crime scene search and seizure broadly are:
A. Preparation/Planning stage.
B. Collection Stage.
C. Preservation/Transportation stage.
Best Practices for search and seizure of digital evidence.
1. Preparation/Planning stage.
1.1. If the Investigating Officer (“IO”) has to seize a computer, he has to first examine whether the computer is live or off-line. If the computer is online, it is important to make an image of the computer and not perform any tasks on the computer. (An Image is an exact replicate of the machine, on which further analysis can be done by the forensic teams without affecting the integrity of the original). The Image is made with the help of forensic experts, after necessary write-blockers (devices that ensure that nothing is written onto the drive/computer under seizure and it remains intact) Once the image is procured, the original can be preserved, and the image can be presented in the Court (as output of electronic evidence) after compliance of the requirements of Section 65-B of the Indian Evidence Act (“IEA”).
1.2. Hash value generation is extremely important. Every machine/file would have a specific hash value and specifying the hash value on the chain of custody document ensures that there is no tampering with the machine along the way and the hash value for the image is the same even when the same is produced in the court during the evidentiary hearings.
1.3. The certificate of Section 65-B IEA ought to made by the person producing the computer output and incharge of the computer, and in a position to certify the integrity of the machine as well as the output produced.
2. Collection of electronic evidence
2.1. Date of time of seizure is extremely important.
2.2. All the steps towards collection of electronic evidence should be documented clearly, step by step.
2.3. The suspects should not be allowed to work on the terminals/computers.
3. Preservation/Transportation Stage
3.1. IO should note down the serial number of the machines clearly, not only on the Panchnama, but also Chain of Custody document (that establishes integrity of the machine as it moves from the scene of crime to the IO, to the Malkhana, Forensic Lab and then back to the Court) and the Seizure Memo.
3.2. IO should protect the device from external electric and magnetic fields. This can be achieved by putting the devices in special bags. Also devices, wherever possible, should be put on airplane mode, which not only conserves battery but protects the device from further tampering, or even remote deletion.
DOs and DONTs:
In relation to seizure of a Laptop/Computer:
A. Check whether the Laptop is ON or OFF
B. if ON, then:
1. Take a screenshot of the screen
2. Note down the programmes running on RAM
3. Remove the battery from the laptop (in case of desktop, unplug the power supply)(this may seem counter-intuitive as normal instinct would be shut the laptop down step by step; however, forensics tells us that a lot of data can be lost while shutting a system down properly, but if the same is done by pulling the battery out, or pulling the power plug, the contents of the RAM (temporary memory) automatically get saved in a particular file on the laptop which can be retrieved for analysis later.
4. Note down serial numbers and other details.
3. If the Laptop is OFF – then safely secure the laptop, remove battery, note down serial numbers, secure machine and transport.
In relation to a Mobile Phone/Tablet/Ipad
A. Check whether device is ON or OFF
B. if ON, then:
1. Leave it ON,
2. Photograph the device
3. Note down serial number etc, if any.
4. Label and collect all the cables.
5. If possible keep device charged. (If Device goes off, it may not turn back on, or it may be password protected and difficult to crack at the time of forensic analysis).
6. Seize the phone in a Faraday’s Bag (that protects phone from external signals) and/or any other anti-static bag.
In relation to CCTV Footage/Digital Video Recorder
1. Immediately after the FIR, the IO should identify all the CCTV Cameras in and around the relevant spot without any delay. (Time is of the essence in this regard as most CCTVs are over-written between 3-7 days)
2. IO should call the District Cyber Crime Cell Team for collection of CCTV hard-disks.
3. Original should be retained and mirror copies prepared for filing in the Court. Original, being primary evidence, should be preserved carefully in anti-static bags.
4. IO should compare the time-stamp on video with the time-line of the case otherwise.
These are some of the directions to the Investigating Officers. An understanding of these by the Magistrates would go a long way in preventing obliteration of crucial electronic evidence.