Questions and Answers
What is the primary reason digital/electronic evidence is considered fragile?
- It requires special tools to retrieve, examine and preserve it.
- It is stored on devices that quickly become obsolete.
- It is easily damaged by physical forces.
- It can be easily altered, damaged, or destroyed. (correct)
What types of devices would be subject to seizure in a digital forensic investigation?
- Only computers and hard drives.
- Files stored in cloud accounts.
- Smart cards, web pages, and memory cards. (correct)
- Only devices owned by the suspect.
What two categories can digital evidence be broadly classified into?
- Evidence at rest and evidence in transit. (correct)
- Volatile and non-volatile evidence.
- Admissible and inadmissible evidence.
- Primary and secondary evidence.
Which of the following is the correct order of volatility when collecting digital evidence, from most to least volatile?
Why is maintaining a 'chain of custody' crucial for digital evidence?
What is the main purpose of 'hashing' in digital forensics?
According to Section 2(t) of the IT Act, what constitutes an 'electronic record'?
Under S. 88A of the Indian Evidence Act, what presumption is made regarding electronic messages?
In the context of Section 65B of the Indian Evidence Act (IEA), what condition applies when a 'computer' forms part of a 'computer system' or 'network', making it impossible to bring the entire system to court?
According to the understanding of digital evidence in the Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal case, what is the critical clarification regarding Section 65-B(4) of the Indian Evidence Act concerning the presentation of a device in court?
Flashcards
Electronic form evidence
Any information of probative value that is either stored or transmitted in electronic form. Includes computer evidence, digital audio, digital video, cell phones and digital fax machines.
Digital evidence
Information and data of value to an investigation that is stored on, received, or transmitted by an electronic device.
Digital Evidence
Data or information that exists in digital format, that can be relied upon and used in a court of law.
Data at rest
Evidence obtained from any device that stores digital information.
Data intercepted while being transmitted
Evidence obtained by intercepting data transmissions and communications.
Digital traces
Remnants left by activity in the digital realm, such as file fragments, activity logs, timestamps, and metadata.
Acquisition
The process of retrieving data from seized media by making an exact, verified bit-by-bit copy (an "image") without writing anything to the original.
Chain of Custody
The documentation that records everyone who has been entrusted with the evidence and who, what, when, and where each transfer took place.
Digital Integrity
The property whereby data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored.
Section 65B(3)
Where, over a period, information was processed by a combination of computers, by different computers operating in succession, or otherwise, all the computers so used are treated as constituting a single computer.
Study Notes
Digital Forensics
- Includes collection, preservation, and appreciation of electronic evidence.
What is Digital Evidence?
- Digital evidence, also known as computer or electronic evidence, refers to any information of probative value that is stored or transmitted in digital form.
- It includes computer evidence, digital audio, digital video, cell phones, and digital fax machines.
- It is essentially information and data of value to an investigation that is stored, received, or transmitted by an electronic device.
- It is broken down into digits, specifically binary units of 0s and 1s, and saved/retrieved using software or code.
- It can be relied upon in a court of law.
Categories of Digital Evidence
- Digital evidence exists in digital format that can be relied upon and used in a court of law.
- It is divided into two major groups:
- Evidence from data at rest which is obtained from any device that stores digital information.
- Data intercepted while being transmitted, involving the interception of data transmission and communications.
Challenges with Digital Evidence
- Digital evidence has a wider scope and can be more personally sensitive.
- It is mobile and requires different training and tools compared to physical evidence.
- Every aspect of modern life incorporates technology.
- Almost every action contains a cyber element.
- Digital devices may be used as a tool, a target, or both in the commission of a crime.
- Due to its nature, digital/electronic evidence is fragile, easily alterable, damageable, and destructible.
- Special tools are needed to retrieve and handle it correctly so it can be admissible in a Court of Law.
- It is difficult to find a case today that does not have a nexus to computer technology.
- Evidence of crime can be tied to devices, sent through email, or stored in the cloud.
Importance of Digital Evidence
- Activities in the digital realm leave digital traces like file fragments, activity logs, timestamps, and metadata.
- Digital traces can be useful as evidence in establishing the origins of documents/software for legal purposes and determining activities in criminal cases.
- Digital traces can also be exploited by cyber-criminals to reconstruct information about, or identify the credentials of, their victims.
- The prolific use of electronic devices generates enormous amounts of data.
- There is the expectation of identifying digital evidence in almost any investigation.
- If identified, collected, and analyzed in a forensically sound manner, electronic evidence is crucial in criminal, civil, and corporate investigations.
Uniqueness of Electronic Evidence
- Digital evidence is intangible, volatile, and fragile.
- It requires special tools for extraction, collection, and preservation.
Types of Digital Evidence
- Volatile evidence includes memory, network connections, running processes, and open files.
- Non-volatile evidence includes hard drives, USB storage, floppy disks, and CDs/DVDs.
Order of Volatility
- The order of volatility, from most to least, is:
- CPU cache and register content, routing tables, ARP cache, process tables, kernel statistics
- Memory, temporary file systems, swap space
- Data on hard disks, remotely logged data, raw disk blocks
Non-Volatile Evidence
- Types of non-volatile evidence include the HDD, archive media, the paging file, logs stored on remote systems, and on-disk cache files; RAM contents, by contrast, are volatile.
Meta Data
- Metadata includes the filename, author, date, or location of the data.
Types of Evidence
- Traditional evidence may be divided into oral and documentary parts.
- Electronic records produced for inspection of the Court are evidence.
- Electronic evidence encompasses digital information created or stored when a computer is used for a task.
- Includes info databases, operating systems, apps, programs, electronic and voicemail messages, and records.
- It can also involve instructions residing in computer memory.
- Electronic evidence is increasingly relied upon as substantive evidence in terrorism cases, often proving the guilt of the accused more convincingly than traditional evidence.
Computer-Stored Declarations vs. Computer-Generated Output
- Computer-stored declarations are human statements that happen to be stored on a computer: accounting records, invoices, charts, graphs, and summaries.
- Computer-generated output is produced by the machine itself without a human declarant: automated telephone call records, computer-enhanced photographic images, and computerized test-scoring.
Computer Interactions
- Locard's Exchange Principle states that when two objects come into contact, there is always a transference of material from each object onto the other.
- Each user's interaction with digital devices leaves user and usage data, and remnants of digital data within the device.
Forensics Linkages
- Forensics Linkages considers the person, platform, application, data, and time.
Forensic Processes
- The four forensic processes are: identification and collection, analysis, reporting, and presentation.
Incidents and Seizure (Collection)
- An incident in IT is an adverse event impacting services, data integrity, or confidentiality for a digital system.
- An incident creates a requirement to preserve, protect, and produce the digital data concerning the users involved.
Digital Evidence Documentation
- The documentation should include identification and preparation, search and seizure, preservation, examination, analysis, and reporting.
Areas Where Data is Typically Found
- Found in email messages, office files, deleted files, encrypted files, compressed files, and temp files.
- Can also be found in recycle bins, pictures, videos, web history, cache files, cookies, registry, and unallocated space.
- Can also be found in slack space, Web/e-mail server access logs, and domain access logs.
Seizable Items
- Seizable items include floppy disks, hard drives, CDs, DVDs, and USB memory devices.
- Can also include magnetic tapes, RFID tags, PDAs, smart cards, web pages, and memory cards.
- Also includes voice mail, e-diaries, scanners, printers, fax machines, photocopiers, digital phone sets, and iPods.
- Also includes cellphones, digital cameras, external drives and other external devices, wireless network cards, power supply units, and CPUs (system units).
Measures for Seizure
- Measures for seizure include an enumerated list of data/devices and associated media.
- Verified data extraction of logical and physical evidence (hash values and an authoritative time/date).
- Chain-of-custody.
- Transfer documentation and administrative records.
- The collection team may or may not perform further forensics process.
Collection & Chain of Custody
- Collection & Chain of Custody is important for digital evidence.
Chain of Custody & Evidence Handling
- Chain of custody refers to the documentation that shows the people who have been entrusted with evidence.
- Electronic data is easily tampered with or damaged, so the who, what, when, and where of every transfer of the evidence must be verified.
- This prevents the integrity of the evidence from being compromised.
- The people included in the chain of custody are: People who seized equipment, are in charge of transferring evidence, and are in charge of analyzing the evidence.
Important Points on Chain of Custody
- Always accompany evidence with its chain of custody forms.
- Provide positive identification of evidence at all times, legible and written in permanent ink.
- Establish the integrity of the seized evidence through a forensically proven procedure: "hashing".
- Hashing helps prove the integrity of the evidence.
- Compare the hash value recorded at seizure with the value computed later; any difference identifies a modification.
Chain of Custody Form
- The chain of custody form contains the crime number, the name of the I.O. (investigating officer), the PF number, and the date/time of seizure.
- The form also contains technical information such as manufacturer, model, serial number, and PF number.
- Finally it shows the reason/action, from whom and by whom the evidence was received, the date, time, and remarks.
Key Elements That Require Documentation
- Documentation is needed for how the evidence was collected, transported, stored, and tracked.
- List when it was collected and who has access to the evidence.
Digital Evidence Collection Form
- The Digital Evidence Collection Form has fields for crime number, PS location, IO name, location, date, time, the item and custodian/suspect.
- It has yes/no for laptop/desktop/HDD only/external HDD/other.
- Also the acquisition time/date, the software/version used, whether a write blocker was used, and the HDD size.
- Also lists image file name and notes.
Acquisitions
- An exact (bit-by-bit) verified copy of the media is made.
- This process is called creating an "image".
- The process of retrieving data and making an image is acquisition.
- The process must ensure nothing is added or written to the evidence (e.g. by using a write blocker).
Steps for Volatile Evidence Acquisition
- Steps: (1) risk assessment; (2) install the volatile data capture device; (3) run the volatile data collection script; (4) stop the device; (5) remove the device; (6) verify the data output.
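The order of volatility listed earlier and the six acquisition steps above can be turned into a small live-response runner. The Python below is an added example written for these notes, not a tool from the original page: it executes a collection plan from most to least volatile, timestamps each artifact in UTC, records a SHA-256 of every output in a manifest (the "verify data output" step), and keeps going when a tool is missing rather than aborting the acquisition. The commands in DEFAULT_PLAN are assumed Linux live-response commands; the plan contents, output directory layout and manifest field names are my own choices.

```python
"""Ordered volatile-data collection with a hashed manifest (added example, not from the notes)."""
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Collection plan ordered from most to least volatile, following the notes.
# Assumed Linux live-response commands; adapt per platform.
DEFAULT_PLAN = [
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("arp_cache", ["cat", "/proc/net/arp"]),
    ("routing_table", ["cat", "/proc/net/route"]),
    ("network_sockets", ["ss", "-tunap"]),
    ("mounts", ["cat", "/proc/mounts"]),
    ("uptime", ["uptime"]),
]


def _utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(plan, out_dir):
    """Run each command in plan order, save its output, and hash it into a manifest."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"started": _utc_now(), "items": []}
    for name, cmd in plan:
        entry = {"artifact": name, "command": cmd, "collected_at": _utc_now()}
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=30)
            data = proc.stdout
            entry["returncode"] = proc.returncode
            if proc.stderr:
                entry["stderr"] = proc.stderr.decode(errors="replace")[:200]
        except (OSError, subprocess.TimeoutExpired) as exc:
            # Tool missing or hung: record the failure and move on. What could
            # not be collected is itself part of the acquisition record.
            entry["error"] = repr(exc)
            data = b""
        path = out_dir / f"{name}.txt"
        path.write_bytes(data)
        entry["file"] = path.name
        entry["size"] = len(data)
        entry["sha256"] = sha256_bytes(data)
        manifest["items"].append(entry)
    manifest["finished"] = _utc_now()
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out_dir):
    """Re-hash every collected file and return the artifacts whose hash no longer matches."""
    out_dir = Path(out_dir)
    manifest = json.loads((out_dir / "manifest.json").read_text())
    mismatches = []
    for item in manifest["items"]:
        actual = sha256_bytes((out_dir / item["file"]).read_bytes())
        if actual != item["sha256"]:
            mismatches.append(item["artifact"])
    return mismatches


if __name__ == "__main__":
    target = tempfile.mkdtemp(prefix="volatile_")
    m = collect(DEFAULT_PLAN, target)
    print(f"{len(m['items'])} artifacts written to {target}; mismatches: {verify(target)}")
```

Run it from removable media as the notes' "volatile data capture device"; the manifest's per-artifact timestamps are what let an examiner later show that the process table was captured before the disk was touched.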
Imaging of the Disk
- Imaging copies the source disk, active and deleted files alike, onto a sterile (wiped and verified) target disk.
Integrity of Digital Evidence
- It is important to maintain the integrity of digital evidence because it can be easily altered, destroyed, or fabricated, even by novice users.
- The forensic requirement is to preserve and archive the evidence and to protect the integrity of the methods used.
- Digital integrity is the property whereby data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source.
Integrity of Digital Evidence
- Digital data is vulnerable to intentional or unintentional alteration.
- The integrity of digital evidence from seizure until analysis must be maintained.
- Examiners have to ensure that digital evidence is not compromised during forensic analysis.
- This is done by giving each item a unique digital fingerprint: its message digest (hash).
Integrity of Evidence
- Various methods can establish a document's integrity, at increasing levels of assurance: a checksum, a one-way hash, and a digital signature.
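Acquisition (the bit-by-bit image), the hash comparison the chain-of-custody notes call for, and the three integrity levels just listed can all be exercised in one script. The Python below is an added example, not code from the original notes: it images a constructed stand-in for seized media, hashes source and image in a single pass with CRC32 (checksum), MD5 and SHA-256 (one-way hashes), records a custody entry, shows that a single flipped bit breaks verification, and uses an HMAC as a keyed stand-in for a digital signature over the custody record (a real deployment would sign with the examiner's private key). The file names, case number, examiner name and key are assumptions.

```python
"""Bit-for-bit imaging, hash verification and custody-record signing (added example)."""
import hashlib
import hmac
import json
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads so multi-GB images never have to fit in memory


def digests(path):
    """One pass over the file computing a checksum (CRC32) and two one-way hashes."""
    crc = 0
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
            md5.update(block)
            sha.update(block)
    return {"crc32": f"{crc:08x}", "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(source, image, examiner, case_no):
    """Copy the source bit-for-bit, hash both sides, and return a custody record.

    The source is opened read-only; on a real seizure a hardware write blocker
    sits between the original media and the examiner's workstation.
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = digests(source), digests(image)
    return {
        "case": case_no,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "image": str(image),
        "source_digests": src_hash,
        "image_digests": img_hash,
        "verified": src_hash == img_hash,
    }


def verify_image(image, record):
    """Later in the chain of custody: recompute the hash and compare with the recorded value."""
    return digests(image)["sha256"] == record["image_digests"]["sha256"]


def sign_record(record, key):
    """Keyed digest over the custody record, standing in for a digital signature.
    Anyone can recompute a plain hash of an edited record; without the key a
    tamperer cannot produce a matching tag."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_record(record, key, tag):
    return hmac.compare_digest(sign_record(record, key), tag)


def demo(workdir, key=b"examiner-key-kept-offline"):  # assumed key, illustration only
    """Acquisition, verification and tamper detection on constructed sample media."""
    workdir = Path(workdir)
    source = workdir / "suspect_usb.bin"  # constructed stand-in for the seized device
    image = workdir / "suspect_usb.raw"   # assumed image file name
    source.write_bytes(b"\x00" * 4096 + b"contract.docx last edited 2021-03-14" + b"\xff" * 4096)
    record = acquire(source, image, examiner="A. Examiner", case_no="CR-0001")
    tag = sign_record(record, key)
    ok_before = verify_image(image, record)
    # Flip one bit in the image: CRC32, MD5 and SHA-256 all change, so verification fails.
    data = bytearray(image.read_bytes())
    data[4100] ^= 0x01
    image.write_bytes(bytes(data))
    ok_after = verify_image(image, record)
    # Edit the custody record itself: a recomputed plain hash would still "match",
    # but the keyed tag does not.
    forged = dict(record, examiner="B. Somebody")
    return {
        "verified_on_acquisition": record["verified"],
        "image_ok_before": ok_before,
        "image_ok_after_flip": ok_after,
        "record_tag_ok": check_record(record, key, tag),
        "forged_record_tag_ok": check_record(forged, key, tag),
    }


if __name__ == "__main__":
    print(json.dumps(demo(tempfile.mkdtemp(prefix="acq_")), indent=2))
```

The three levels differ in what they defend against: a CRC32 catches transmission or storage faults but is trivial to forge, a SHA-256 cannot be forged but can be recomputed by whoever edits the data, and only the keyed tag (or a real signature) ties the hash to a particular examiner and moment, which is the property a chain of custody form is meant to provide.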
Reliability of Evidence
- Reliability is a pre-requisite for getting evidence admitted.
- Judges should be "gatekeepers of scientific evidence".
- Judges have a duty to ensure that scientific evidence is relevant and reliable.
- The four-part reliability test considers whether the scientific theory or technique has been empirically tested, its known or potential error rate, whether it has been subjected to peer review and publication, and whether it is generally accepted in the relevant scientific community; the qualifications of the expert are assessed alongside these factors.
Daubert on Evidence
- Daubert has been extensively discussed in Selvi V. State of Karnataka - (2010) 7 SCC 263
- The legal questions addressed were the involuntary administration of scientific techniques such as narcoanalysis and polygraph examinations.
- The Apex Court echoed the concerns expressed by the Supreme Court of Canada in R v. Beland, [1987] 36 C.C.C. (3d) 481, where it was observed that reliance on scientific techniques could cloud human judgment on account of an "aura of infallibility".
Data and Medium
- All data is information; it cannot exist without a physical medium or carrier.
Digitized documents
- Hearsay challenges arose as more documents became digitised.
- The law had mostly anticipated evidence in primary form (i.e. original documents).
- As more documents came to be stored electronically, conditions were laid down for producing them as secondary evidence.
- On the adduction of such secondary evidence, the Supreme Court in the Anvar case (Anvar P.V. v. P.K. Basheer) noted that "there is a revolution in the way evidence is presented to a court".
Myths of Primary and Secondary Evidence
- The myth is that the evidence is the document itself; in its primary form an electronic record is computer-readable, not human-readable.
- For electronic records there can be little or no distinction between primary and secondary evidence.
- Hence the understanding that, for electronic records, what is produced in court is only ever secondary evidence.
Electronic Records
- The Evidence Act was amended (by the IT Act, 2000) to include electronic records.
- The definition of documentary evidence was amended to include electronic records "produced for the inspection of the Court".
- The Evidence Act assigns to "electronic record" the same meaning it has in the Information Technology Act.
- Evidence may be given only of relevant facts, and only if it is admissible.
Essence
- Data, information, facts, instructions or content that is kept, sent or received through electronic, magnetic, optical or digital media becomes electronic evidence.
- Information contained in an electronic record can be proved only through the special procedure of the Indian Evidence Act.
Section 3 of the Indian Evidence Act
- "Evidence" Includes -
- Statements that can be made or required by court witnesses = oral evidence
- Documents including eletronic records produced in court are documentary evidence
Admissibility of Electronic Records
- Under the Indian Evidence Act, documentary evidence by way of an electronic record can be proved only in the manner the Act prescribes.
- All facts except the contents of documents or electronic records may be proved by oral evidence (S. 59).
- The contents of electronic records are proved under Sections 65A and 65B of the Act.
Admissibility of Evidence
- Sections 65A and 65B were incorporated as special provisions for electronic records.
- Section 65B lays down the procedure for admitting electronic records in a court of law, with technical conditions (S. 65B(2), on the computer that produced the output) and a non-technical condition (the certificate under S. 65B(4)).
Certificates under Section 65B(4)
- Template: a statement by Shri ........ that the electronic record produced from ........ is a true reproduction of the original computer output.
- Section 65B(4)(a)-(c): the certificate identifies the electronic record and describes the manner in which it was produced, gives the particulars of the device involved, and deals with the conditions in S. 65B(2); it is signed by a person occupying a responsible official position in relation to the device.
- It lays down conditions that must be satisfied before the record is admissible.
- E-mails produced through a witness also require a Section 65B certificate.
- Bank records maintained as computer printouts are likewise covered.
Implications of the Judgement
- The interpretation of Section 65B turns on the Anvar judgment.
- The Apex Court decided Anvar by a three-judge bench, whereas the contrary view (Shafhi Mohammad) came from a two-judge Division Bench, which is why the later three-judge bench in Arjun Panditrao could overrule it.
Electronic Records
- Electronic records are anything stored or transmitted in electronic form.
- Section 2(1)(t) of the IT Act defines an electronic record as data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
- In the simplest terms, the medium carrying such data becomes an electronic record.
Electronic form
- Section 2(1)(r) of the IT Act: "electronic form", with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device.
S.65B(1)
- Any information contained in an electronic record which is printed on paper, or stored, recorded or copied on optical or magnetic media produced by a computer ("computer output"), is deemed to be a document.
- Such computer output is admissible in any proceedings without further proof or production of the original, provided the conditions in Section 65B are satisfied.
Content in detail
- "Information" includes data, text, images, sound, voice, codes, computer programmes, software and databases (IT Act S. 2(1)(v)).
- "Data" means a representation of information, knowledge, facts, concepts or instructions, prepared or being prepared in a formalised manner and intended to be processed in a computer system or network; it may be in any form or stored internally in the memory of the computer (S. 2(1)(o)).
S. 2(1)(t) and S. 65B(1) together
- An electronic record (including a generated sound or image, whether stored or sent in electronic form) is deemed a document, and its admissibility is a question for the court before which it is produced.
Court decision
- On review, the court decided the question of whether the certificate has to be produced at the latest during the trial.
- The court also held that where a party mistakenly failed to file the certificate along with the document, it may be filed later.
- Such lapses in a trial should not be treated as irreversible.
Conclusion
- The court stated that the certificate required under S. 65B(4) must be furnished before the trial; it is a condition precedent to admissibility.
- An electronic record cannot be led as secondary evidence in any other manner.
Overruling judgement
- A party must first try to obtain the certificate; if the person in control of the device refuses, the party can apply to the court (including the High Court) to summon that person and order production of the certificate.
When is the certificate not obtainable?
- The court discussed two maxims after reviewing such situations: lex non cogit ad impossibilia (the law does not compel a person to do what is impossible) and impotentia excusat legem (impossibility excuses compliance with the law).
Outcome
- The party must be relieved of the requirement when obtaining the certificate is not within its control.
Presumptions
- The Act's presumptions have been extended to digital evidence.
- Under these provisions the court presumes certain facts from the record itself.
- S. 85A: the court shall presume that an electronic record purporting to be an agreement containing the electronic signatures of the parties was concluded by affixing those signatures.
Secure Electronic Records And Digital Signatures
- Where a security procedure has been applied to an electronic record at a specific point in time, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since that time (S. 85B).
- The Act likewise presumes that a secure electronic signature was affixed by the subscriber with the intention of signing the record.
Electronic Records Five Years Old
- Where an electronic record purporting or proved to be five years old is produced from custody the court considers proper, the court may presume that the electronic signature it bears was affixed by the person it purports to belong to, or by a person authorised by him (S. 90A).