Precautions for collecting digital/cyber evidence


There is a strong dependence on electronics and the internet in the present era. Each day, a vast amount of data is uploaded to, transferred across and deleted from the internet. The range of information about our lives that circulates online is large: saved passwords on websites, geographical location, pictures and other media files, bank details and similar personal information.

We are continuously at risk of losing such data, or of it being misused or stolen. The main issue with cyber-crime is that the perpetrator hides behind the veil of technology. Their identity is protected by layers of code and algorithms, so in such instances tracing them is like finding a needle in a haystack. It is therefore important that the cyber forensic team does not contaminate, delete or damage any digital data that serves as physical evidence in these cases.

Cyber-crimes have proliferated in recent years and they challenge the very institution of crime scene investigation departments. CSI teams face various complexities and challenges in the course of collecting digital evidence. There is also an internationally accepted procedure for documenting a crime scene and for the collection, packaging, transportation and storage of digital evidence. The current criminal investigation departments dealing with cyber-crime lack the practical knowledge, expertise and experience to tackle cyber-attacks.


Our day-to-day conversations, emails, texts, geographical positions, private bank details and pictures are linked to the internet; each piece of information is stored as code or as data embedded in an algorithm. In the normal course of things we are not burdened with the risk of such information being leaked, so we tend to overlook the underlying mechanism by which internet-based information is shared. The 21st century has been plagued by numerous cyber-attacks, whether a celebrity's personal information or a leak of bank details, and more and more people are threatened by their personal information being compromised. The accountants at KPMG reported a 55% increase in the value of internet-based fraud in the United Kingdom, adding up to a total of £1.1 billion. The highlight of the KPMG report was the case of Mr. Feezan Hameed, who swindled a reported £133 million from the Royal Bank of Scotland by fraudulently interfering with the network systems of the bank and its customers, and duping customers into leaking their private bank details while their money was being transferred. Hameed would pretend to be a member of the bank; posing as the head of the fraud department, he would convince customers to reveal their sensitive bank details under the false pretext of protecting that information against cyber threats. Simultaneously, his partner would transfer thousands of pounds from the affected accounts to their offshore accounts. A string of such stints made them millionaires overnight, while leaving only a few traces of evidence along the way.

Complexities in collecting digital evidence


The main complexity in tackling cyber-crime is that it has no finite set of boundaries: a person sitting in front of a computer, miles away from the targeted location, can interfere with money transactions, traffic control, geographical locations and other personal details of targeted persons. Cyber criminals maintain anonymity behind thin veils of code, algorithms and masses of data. The lack of a strong international body has created a lacuna in the international forum and, as a consequence, hundreds of such crimes go unpunished. Another issue that plagues the system is that the collection and analysis of evidence, and its admissibility in a court of law, is a highly technical and challenging task. In cyber-crime cases the physical evidence left behind is not always abundant, nor does it necessarily point towards the criminal. Forensic experts must exercise the utmost caution and care when handling such evidence, since digital data is sensitive and an incorrect manner of preserving or collecting it may destroy the digital evidence.

Internationally accepted model for collecting digital evidence


In order to narrow down culpability, digital forensics relies on digital evidence in the form of digital audio, computer code or algorithms, digital video, etc. The Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) is a multidisciplinary group of experts in the field of electronic crime scene investigation which formulated a draft set of guidelines for the United States Justice Department on correctly investigating cyber-crimes. It lays down internationally accepted procedures and precautionary measures to be taken in the course of documenting, collecting, packaging, transporting and storing digital evidence. Documentation provides a detailed and exact historical record of the evidence found at a crime scene and an accurate representation of the condition of the computer, phone, storage media or any other such physical evidence. Every minute detail ought to be documented, for instance the position of the mouse, the number of storage devices connected to the computer, the location of the mouse with respect to the computer, and the power status of the computer. A detailed series of photographs or video recordings should be made in order to capture the crime scene accurately.

Collection of evidence is governed by state laws and departmental guidelines. In the case of digital evidence, the forensic team must handle the physical evidence carefully, including the set-up of the computer, media storage devices, phones, etc., so as not to destroy any data. For instance, if a computer is powered on and an application is running, the forensic team ought not to disturb the status quo, as doing so may destroy evidence that exists on the computer as a result of a running program.

Non-electronic evidence, such as handwritten passwords, computer hardware, graphical or textual computer printouts, photographs, etc., ought to be documented and preserved for further reference. In the case of stand-alone and laptop computer evidence, the forensic team should take notes on everything they observe at the crime scene and record the status of the computer, for instance whether the power is on, off or in sleep mode, and then decide the procedure required to collect the evidence in a manner that does not distort it.

Digital evidence may be found in audio recordings, media storage, external storage, GPS devices, etc. If peripheral evidence is directly connected to the main device, for instance a pen-drive inserted in a computer, that evidence should be packed and stored in the same state. The device ought not to be tampered with; if it is not handled properly, the forensic team may lose valuable data. Lastly, when handling removable media, the forensic team must ensure that the associated device which created the media, for instance a tape drive or a Zip, Jaz, Orb or SyQuest drive, is not disturbed.

These fragile electronic devices are sensitive to heat, humidity, physical shock and magnetic sources, so the utmost care is required while packaging, transporting and storing the physical evidence. If the device is powered on, it is advised that the evidence be packaged as it is; otherwise it runs the risk of the data being corrupted or deleted.

When transporting the physical evidence, the forensic team ought to keep the package away from any magnetic source, heat, excessive cold and excessively humid conditions, so as not to corrupt the data, and must maintain a historical record of the chain of custody of such physical evidence.
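As an added example (not part of the original article or of the TWGECSI guidelines), the following Python script shows the kind of chain-of-custody record and integrity check that the documentation, packaging and transport steps above depend on: every handling event is logged with the handler, the UTC time and a SHA-256 hash of the evidence copy, so any later alteration of the copy is detected. The exhibit id, file name, officer names and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_custody_event(log: list, item_id: str, action: str, handler: str, path: Path) -> dict:
    """Append one chain-of-custody entry: who did what to the item, when, and its hash at that moment."""
    entry = {
        "item": item_id,
        "action": action,
        "handler": handler,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_of(path),
    }
    log.append(entry)
    return entry

def verify_integrity(log: list, item_id: str, path: Path) -> bool:
    """True only if the item's current hash still matches the hash recorded at seizure."""
    seizure = next(e for e in log if e["item"] == item_id and e["action"] == "seized")
    return sha256_of(path) == seizure["sha256"]

def demo() -> tuple:
    """Constructed scenario: an evidence copy is seized, transported, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "EXH-01_usb.img"   # hypothetical exhibit id and file name
        image.write_bytes(b"constructed sample disk image contents\n")
        log = []
        log_custody_event(log, "EXH-01", "seized", "Officer A", image)
        log_custody_event(log, "EXH-01", "transported", "Officer B", image)
        intact = verify_integrity(log, "EXH-01", image)   # copy untouched so far
        with image.open("ab") as f:                        # simulate contamination of the copy
            f.write(b"x")
        after = verify_integrity(log, "EXH-01", image)    # hash no longer matches seizure record
        print(json.dumps(log, indent=2))
        return intact, after, len(log)

if __name__ == "__main__":
    demo()
```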

Rise of cybercrime in India


India is an emerging target for international hackers and similar groups, alongside the United States of America, Europe and Russia. In 2015 alone, India recorded a high of 11,592 and 8,121 cases under the Information Technology Act and the Indian Penal Code, respectively. In response, in 2016 the National Critical Information Infrastructure Protection Centre (NCIIPC) was recognized as the nodal agency under the National Technical Research Organization for the protection of critical information. In order to break down the web of cyber-attacks, India incorporated provisions on the appreciation of digital evidence within its legal framework. The IT Act, 2000, is based on the United Nations Commission on International Trade Law (UNCITRAL) model.

The number of reported cyber-crime cases soars into five digits, whereas the number of convictions based on forensic evidence is a two-digit figure. The lack of a strong forensic investigation branch means that evidence is neither produced nor accepted in courts. Each nodal or sub-regional criminal investigation department ought to follow an interdisciplinary set of guidelines that is in consonance with an international standard. A few universities have organized special camps or workshops that educate cyber-crime and forensic department officials about the tools and technology available and required to tackle cyber-attacks. Raksha Shakti University organized a police workshop to train its cyber-crime cell. However, more such workshops are needed to build the expertise necessary to carry out an investigation. Our dependence on the internet is surging, and all our confidential and private details are stored in the heaps of data found online, so it is necessary that we have strong security to guard us against any malicious cyber-attack.


Written by-

Rishi Raju JGLS’14

Edited by Poloumi Bhadra
