Digital Evidence – Across Borders
The Lochard’s principle of forensics is that the perpetrator of a crime will bring something into the crime scene and leave with something from it.
Commander Mukesh Saini (Retd.)
The Lochard’s principle of forensics is that the perpetrator of a crime will bring something into the crime scene and leave with something from it. These evidences are without prejudice and just because they are not detected do not mean they do not exist. This principle is true for cybercrime investigation also. The large amount of logging takes place inside computers and network devices, which can leave almost irrefutable trail of digital evidences from scene of crime to the criminal. The challenge is identifying, collecting and preserving the evidence and later during the trial passing the test of courts. This is all the more relevant when such evidence is collected from a country having different procedures of evidence handling than the country where the case will be tried.
Unlike the real world, a cybercrime can be committed even without visiting the country of the victim. In another situation of cybercrime, criminal and victim may be present under the jurisdiction of the same court but still digital evidences of the crime may be spread across the globe. Under third situation criminals can gang-up virtually from across the world, commit a cybercrime and disperse, they may not even know each other in physical world. Therefore the task of an investigator is far more challenging to not only identify and gather digital evidences from the computers, mobile devices, servers, routers and gateways but also to accomplish this task to convince the court that the digital evidences are not tampered and correctly collected according to the established scientific procedures.
The technique and acceptable procedure for handling of evidence can be different in different country. This can diminish or destroy the evidentiary value of such electronic evidence. There are several cases when courts have not accepted evidences collected are not according to the Indian procedures. To add to the complexity, digital evidences are fragile, volatile and can be tampered easily, sometimes even without such intentions. Therefore special expertise is required to collect the electronic evidence according to the procedure which meets the requirement of all the courts of the world.
Leaving the task of analysis of evidence to the investigators, the digital evidence may identified, collected, acquired, preserved and transported by person who may not be from Law Enforcement Agency. This person is called ‘Digital Evidence First Responder’ (DEFR). It is therefore necessary that DEFR whether from Law Enforcement Agency (LEA) or not must have expertise on digital evidence and associated procedures.
To manage these challenges, especially handling evidences under multi-jurisdictional situation, the Organisation of International Standards, after years of efforts, have published ISO/IEC 27037 – Guidelines for identification, collection, acquisition, and preservation of digital evidence. The document provides, after due deliberations with all member countries, including India, a standardised approach which if followed by DEFR can provide assurance to the respective courts about the reliability and creditability of the digital evidence. The standard provides necessary guidance as how to identify, collect, acquire and preserve digital evidences from computers, mobile devices, navigation systems, digital still and video cameras (including CCTV).
ISO/IEC 27037 is technology neutral and does not recommend any specific product. A digital evidence handled in accordance with international standard ISO 27037 provides a kind of assurance to the court that irrespective of the fact that who and from which country such evidence is collected, it has maintained its evidentiary value. The standard does not supersede the national laws but add to the procedural aspects of handling of digital evidences. This also means that an accused in his defence can show the court that the investigators have not followed the procedures given in the ISO/IEC 27037, hence the electronic evidence has lost is evidentiary value, because the standard is based on the least common denominator of electronic evidence handling and anything short can have impact on the weight of electronic evidence. Interestingly there is a British Standard BS 10008 which deals with the evidential weight and legal admissibility of the electronic information.
In India, the section 65B of the Evidence Act lays down the procedure for admissibility of electronic evidence. The section 85B of the Evidence Act in fact prohibit the courts from presuming electronic evidences as genuine unless it is signed by ‘secure’ digital signature. It means that the presenter of electronic evidence have to prove that the digital evidence is genuine and has not been tampered. It is here ISO/IEC 27037 can be a very powerful tool in the hands of the investigators to prove truthfulness of the evidence, even if it is collected from outside the jurisdiction of the court.
ISO/IEC 27037 being an internationally accepted standard is an important instrument to provide reliable standardised approach towards handling of digital evidences and will have impact on admissibility and reliability of evidence in any court proceeding. It is therefore necessary that all investigating officers that they must familiarise themselves with the bare minimum requirements which must be met in respect of handling of digital evidences to be acceptable in any court of the world. This can be very critical especially handling issues related to terrorism, money laundering, drug trades and such other trans-national crimes.
|ISO/IEC 27037||Guidelines for identification, collection, acquisition, and preservation of digitalevidence||Published|
|ISO/IEC 27038||Specification for digital redaction||Final Draft|
|ISO/IEC 27041||Guidelines for the analysis and interpretation of digital evidence||Draft|
|ISO/IEC 27042||Guidelines for the analysis and interpretation of digital evidence||Draft|
|ISO/IEC 27043||Digital evidence investigation principles and processes||Draft|
|NIST SP 800-101||Guidelines on Cell Phone Forensics||Published|
|NIST SP 800-86||Guide to Integrating Forensic Techniques into Incident Response||Published|
|NIST SP 800-72||Guidelines on PDA Forensics||Published|
|BS 10008||Evidential Weight and Legal Admissibility of Electronic Information||Published|
The author is former National Information Security Coordinator, Government of India.