In recent days, Law Enforcement in India has successfully investigated several Cyber Crimes. The time has now come, however, to extend this success to the successful prosecution of criminals in a Court of Law. In this phase of Cyber Crime Management, it is important to recognize that "Evidence" plays a vital role in securing the interests of the Information Asset owner and the success of the Investigator.
It is more than three years since a law was passed in India to recognize electronic documents as admissible evidence in a Court of law. The necessary amendments were made to the Indian Evidence Act 1872 by the Information Technology Act 2000 (ITA-2000).
According to the provisions of Indian law, in the case of electronic documents produced as "Primary Evidence", the document itself must be produced to the Court. However, such an electronic document obviously has to be carried on a medium and can be read only with the assistance of an appropriate Computer with appropriate operating and application software.
In many cases even in
non-electronic documents, a document may be in a language other than the
language of the Court in which case it needs to be translated and submitted
for the understanding of the Court by an "Expert". In such cases, the person
making submission of the document normally submits the translation from one of
the "Experts". If the counter party does not accept the "Expert's opinion",
the court may have to listen to the interpretation of another "Expert" and
come to its own conclusion of what is the correct meaning of a document in a
language foreign to the Court.
In the case of Electronic documents, by the same analogy, "Presentation" of the document is the responsibility of the prosecution or the person making use of the document in support of his contention before the Court. Based on his "Reading" of the documents, he submits his case. This may however be disputed by the counter party. In such a case, it becomes necessary for the Court to "Get the document Read by another expert" to its satisfaction. It is necessary to have some clarity on the legal aspects of such documents presented to the Court because most of the court battles are expected to revolve around "Proper Reading" of the documents and "Possible manipulation of the documents".
In making presentation of an "Electronic Document", the presenter may submit a readable form of the document in the form of a "Print Out". The question then arises whether the print out is "Primary Evidence" or "Secondary Evidence".
In the Indian Evidence Act, Section 65 refers to "Cases in which secondary evidence relating to documents may be given". However, the modifications made to this part of the Act by ITA-2000 have added Section 65A and Section 65B.
Though these sections have been numbered as A and B of 65, they are not to be treated as sub-sections of Section 65. As per Schedule II to ITA-2000, serial number 9, it appears that 65A and 65B are to be treated as independent sections.
According to Section 65A, therefore, "Contents of electronic records may be proved in accordance with the provisions of Section 65B".
Whether by design or otherwise, Section 65B clearly states that "Notwithstanding anything contained in this (Ed: Indian Evidence Act) Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter called the Computer Output) shall be deemed to be also a document...."
However, for the "Computer Output" to be considered as admissible evidence, the conditions mentioned in Section 65B(2) need to be satisfied.
Section 65B(2) contains a series of certifications which are to be provided by the person who has lawful control over the use of the Computer generating the said computer output, and these are not easy to fulfil without extreme care.
It is in this context that
the responsibility of the Law Enforcement Authorities in India becomes onerous
while collecting the evidence.
In a typical incident when a
Cyber Crime is reported, the Police will have to quickly examine a large
number of Computers and storage media and gather leads from which further
investigations have to be made. Any delay may result in the evidence getting
obliterated in the ordinary course of usage of the suspect hard disk or the
media.
Any such investigation has to cover the following main aspects of Cyber Forensics, namely:
1. Collection of suspect evidence
2. Recovery of erased/hidden/encrypted data
3. Analysis of suspect evidence.
If the process of such
collection, recovery and analysis is not undertaken properly, the evidence may
be rejected in the Court of law as not satisfying the conditions of Section
65B of the Indian Evidence Act.
In the evolution of the
Indian challenge to Cyber Crimes, it may be said that during the last three
years, Police in different parts of the Country have been exposed to the
reality of Cyber Crimes and more and more cases are being registered for
investigation. However, if the Law enforcement does not focus on the technical
aspects of evidence collection and management, they will soon find that they
will be unable to prove any electronic document in a Court of Law.
Some of the Cyber Crimes being reported belong to the category where incriminating or defamatory information is posted on a website or a message board. In such cases the "Evidence of Crime" is available on the web. But this evidence is likely to be removed after the offence comes to the knowledge of the Police. It becomes necessary to capture such transient evidence in a manner that makes it capable of being proved in a Court of Law. Since any evidence gathered by the Complainant or the prosecution could be challenged as "Self Serving", it would be necessary to use third party trusted services such as www.ceac4india.com to archive the transient evidence and make it presentable.
Some of the Crimes such as Computer Frauds however consist of "Modification of Electronic Documents in a Computer". Some Crimes involve e-mails and documents created in a Computer and later deleted. It is therefore important for the Law Enforcement Authorities to devise effective means of gathering such evidence, which is hidden inside Computers on a hard disk.
This requires Cyber Forensic tools that are specially created for the purpose of capturing "Forensic Quality Evidence". These Cyber Forensic gadgets are required not only by the Law Enforcement authorities, but also by the Information System Auditors in the Corporate world.
Forensic Quality Data Capture
In most of the incidents of
Cyber Crime investigation by the Police or suspected fraud in a Corporate
network, it becomes necessary to seize the suspect Computer or its hard disk
for a detailed examination.
Sometimes, even in an "Intelligence gathering Mission", it may be necessary to subject a hard disk to a detailed examination.
The practical problem in most such cases is that if the computer is seized immediately, it may seriously disrupt the operations of the enterprise. If the Police make this a common practice, then no Company would be comfortable in preferring a complaint in case of a computer crime. ISPs and other intermediaries would refuse to allow such seizure of hard disks/storage devices since it would stop their operations forthwith.
A similar problem also arises
in case of an auditor who suspects some fraud in a hard disk but needs access
to the same for a prolonged time for further analysis.
It therefore becomes
necessary for the investigator or the auditor to make a "Copy" of the original
"Evidence" and carry on his investigations on the "Copy". The question then
arises that if he stumbles upon some evidence during his examination and then
comes back to seize the original hard disk, the data on the original hard disk
may no longer contain the evidence he had unearthed during the investigation.
Even assuming that the
"Original Hard Disk" itself had been seized and the investigations have
unearthed some evidence, there would be a charge from the accused that the
evidence was in the custody of the Police/Auditor and could have been tampered
with.
It becomes absolutely
essential therefore for the investigator to preserve the original evidence and
at the same time subject it to any type of analysis he may like without
disrupting the regular user of the system and the hard disk.
A device required for this purpose is one which makes one or more "Bit Image" copies of the suspect hard disk in the presence of the asset owner, which can later be used for invasive analysis without jeopardizing the evidentiary value of the data.
For this purpose it would
also be necessary to create a "hash code" for the "original" being copied so
that the duplicates can be proved to contain the exact data as found in the
original and any analytical result arising out of the duplicate is acceptable
against the original also.
Intelligent Computer Solutions (ICS), a company based in the USA, manufactures the necessary tools that ideally fit the requirements of the Law Enforcement Authorities.
ICS has developed the hard
drive duplication technology (patented under US patent no C,131,141) that has
been in use by Law Enforcement agencies in several countries and Commercial
enterprises including companies such as Intel. These devices are now available
in India for the first time.
The two key products offered by ICS are the Solo2 and the LinkMASSter.
Solo2 is a handheld
software duplication device made for computer disk drive data seizure. Image
capture operations can be performed from a suspect's drive to another hard
drive with duplication speeds in excess of 1.8 GB/Min.
This is powered by the
Company's patented Image MASSter technology and provides for MD5 and SHA1
hashing (approved by ITA-2000) for data integrity checking. Upon copying of
the suspect disk to an evidence disk, a report can be generated along with the
hash code which can be jointly authenticated by the system owner and the
investigator to avoid any disputes on the integrity of the data transfer.
Since the copying is a "Bit
Image Copy Process", the evidence disk can be analysed with data recovery
tools for recovering deleted information. Multiple clones can be generated so
that different investigators can simultaneously work on the copies all of
which are legally acceptable clones of the original.
Solo2 is connected directly to the suspect drive and, in order to prevent accidental writing on the suspect drive, an accessory namely "Drive Lock" is used in between the suspect disk and Solo2.
The LinkMASSter is a software acquisition device made for seizing data from computers that cannot be opened in the field. It is ideally suited for acquiring data from a Laptop. It can perform high-speed data transfer (up to 3.5 GB per minute) from any suspect hard disk drive through the computer's USB/Firewire port. It supports MD5 and SHA1 hashing during and after the acquisition. A bootable CD is supplied to boot the suspect's computer and run the LinkMASSter acquisition program.
Both devices capture data from a suspect's hard drive in Single Capture mode and Multi Capture mode (which can capture more than one source drive to a single evidence drive).
Additionally, there are desktop models of disk duplicators which enable the creation of multiple evidence disks that can be sent for Forensic Analysis to different labs.
These devices are the primary
hardware requirements for data capture and disk duplication and have been
forensically tested and industrially accepted as reliable for judicial
evidence.
Once data is captured using these devices, with a Certificate recording the hash code at the time of seizure, the data can be subjected to analysis using standard software such as "Encase". It is also being integrated with "Cyber Check" (developed by C-DAC, India).
These data analysis tools are capable of "Un-deleting" deleted files, reading hidden files, recovering passwords, searching through a mass of data for key words and so on.
With the availability of the
ICS hardware tools the recommended procedure for seizure of data is as
follows.
1. Create two copies of the suspect hard disk at the place of the asset owner from whom the evidence disks are desired to be seized, in the presence of a representative of the owner.
2. Create a certificate of duplication along with the hash code and get it authenticated by the asset owner.
3. Seize the original hard disk and seal it in the presence of the asset owner.
4. Return one copy of the duplicated hard disk to the asset owner so that he can continue his operations.
5. Carry the second duplicate to the Cyber Crime Police Station where further copies may be created if required.
6. Run analysis software on the duplicates and record observations. Send copies to other Forensic labs if required.
7. Present the observations along with the analysed disk, the original disk in sealed form, and the certificate of hash code acknowledged by the asset owner and the investigator at the time of the seizure and by the analyst before running his analytical tools.
Naavi
April 7, 2004