.

Whether in the case of a Cyber Crime pursued by the Police or a Computer Audit pursued by an auditor, "Evidence" plays a vital part in securing the interests of the Information Asset owner. Naavi discusses the legal requirements and the devices required for the purpose of collecting judicially acceptable Cyber Evidence.

It is more than three years since law was passed in India to recognize electronic documents as admissible evidence in  a Court of law. The necessary amendments were made to the Indian Evidence Act 1872 by the Information Technology Act 2000 (ITA-2000).

In the case of electronic documents produced as "Primary Evidence", the document itself must be produced to the Court. However, such electronic document obviously has to be carried on a media and can be read only with the assistance of an appropriate Computer with appropriate operating software and application software.

In many cases even in non-electronic documents, a document may be in a language other than the language of the Court in which case it needs to be translated and submitted for the understanding of the Court by an "Expert". Normally the person making submission of the document also submits the translation from one of the "Experts". If the counter party does not accept the "Expert's opinion", the court may have to listen to another "Expert" and his interpretation and come to its own conclusion of what is the correct interpretation of a document.

In the case of the Electronic documents, under the same analogy, "Presentation" of document is the responsibility of the prosecution or the person making use of the document in support of his contention before the Court. Based on his "Reading" of the documents, he submits his case. This may however be disputed by the counter party. In such a case, it becomes necessary for the Court to "Get the document Read by an expert"  to its satisfaction. It is necessary to have some clarity on the legal aspects of such documents presented to the Court because most of the court battles are expected to revolve around "Proper Reading " of the documents and "Possible manipulation of the documents".

In making presentation of an "Electronic Document", the presentor may submit a readable form of the document in the form of a "Print Out". Question arises in such a case whether the print out is a "Primary Evidence" or a "Secondary Evidence".

According to Indian Evidence Act, section 65 refers to "Cases in which secondary evidence relating to documents may be given". However, the modifications made to this section by ITA-2000 have added Sections 65 A and Section 65 B.

Though these sections have been numbered as A and B of 65, these are not to be treated as sub sections of Section 65. As per schedule II to ITA-2000, serial number 9, it appears that 65A and 65B are to be treated as independent sections.

According to Section 65 A therefore, " Contents of electronic records may be proved in accordance with the provisions of Section 65B".

Whether by design or otherwise, Section 65B clearly states that " Not withstanding anything contained in this (Ed:Indian Evidence Act) Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (herein after called the Computer Output) shall be deemed to be also a document...."

However, for the "Computer Output" to be considered as admissible evidence, the conditions mentioned in the Section 65 B (2) needs to be satisfied.

Section 65B(2) contains a series of certifications which is to be provided by the person who is having lawful control over the use of the Computer generating the said computer output and is not easy to be fulfilled without extreme care.

It is in this context that the responsibility of the Law Enforcement Authorities in India becomes onerous while collecting the evidence.

In a typical incident when a Cyber Crime is reported, the Police will have to quickly examine a large number of Computers and storage media and gather leads from which further investigations have to be made. Any delay may result in the evidence getting obliterated in the ordinary course of usage of the suspect hard disk or the media.

Any such investigation has to cover the following main aspects of Cyber Forensics, namely,

1. Collection of suspect evidence

2. Recovery of erased/hidden/encrypted data 

3. Analysis of suspect evidence
 

If the process of such collection, recovery and analysis is not undertaken properly, the evidence may be rejected in the Court of law as not satisfying the conditions of Section 65B of the Indian Evidence Act.

In the evolution of the Indian challenge to Cyber Crimes, it may be said that during the last three years, Police in different parts of the Country have been exposed to the reality of Cyber Crimes and more and more cases are being registered for investigation. However, if the Law enforcement does not focus on the technical aspects of evidence collection and management, they will soon find that they will be unable to prove any electronic document in a Court of Law.

The undersigned who has been working with a missionary zeal for dissemination of knowledge on Cyber Crime Risks and Cyber Law Compliance in India, has already (through www.ceac4india.com) provided a mechanism for archiving Cyber evidence of certain kind such as web pages and e-mails.

Now he has embarked on the next step of assisting the Law Enforcement in India with suitable Computer hardware and software that would enhance the quality of "Cyber Evidence" that can be produced to a court of law in case of any Cyber Crime.

These Cyber Forensic gadgets are not only products that are required by the Law Enforcement authorities, but also the  IT Auditors in the Corporate world. Hence this information is likely to be of interest to both the Law Enforcement Authorities as well as the Information System Auditors.

More information on the hardware and software would follow in subsequent articles.

Naavi

January 5, 2003

---