The Karnataka High Court in the course of a judgement has urged the Police to prepare a detailed guideline for seizure of electronic evidence and pending such development, has issued its own minimum guidelines to be implemented.
The judgement also makes some references to the Privacy aspects involved in Forensics and provides some clarity on the Polygraph test, as well as on whether the owner of a computer device can refuse to disclose its password on Privacy grounds.
The judgement is likely to be a reference judgement to many Cyber Law practitioners and Forensic investigators.
The single bench of Justice Suraj Govindaraj said “It would be in the interest of all the stakeholders that detailed guidelines on seizure of electronic evidence by the Police are prepared by the police”.
The copy of the judgement is available here
The Case involved the arrest of an IT professional, subjecting him to a polygraph test to which he had not consented, forcing him to part with the password for his mobile, etc. The conduct of the Polygraph test without consent was rejected by the Court.
It did refer to the Puttaswamy Judgement and debated whether forcing the password to be disclosed would be a violation of Privacy.
The Court gave the following opinions on different questions that arose during the investigation.
- The Investigating Officer, during the course of an investigation could always issue any direction and/or make a request to the accused or other persons connected with the matter to furnish information to provide material objects or the like. This includes a request to furnish the password.
- The Court cannot per-se/suo moto issue any directions to the accused to furnish the passwords, and a direction to cooperate would not amount to a direction to furnish the password.
- In the event of the accused not providing the password, the IO can approach the Court seeking necessary directions to the accused to provide the same. The investigating officer could approach the concerned court seeking issuance of a search warrant to carry out a search of the electronic equipment.
- In terms of section 102 of CrPC, if there are any emergency circumstances, including the “Suspicion of any commission of an offence”, the Police officer could seize the equipment. In such a scenario, there must be a recording in writing made by the IO specifying the reasons etc. In the normal course, the IO may issue a notice under section 91 of CrPC calling upon the accused to produce the particular document and, if it is not produced, seek a search warrant from a Court. The data gathered during the course of investigation should not by itself be a proof of guilt, which has to be separately established.
- The use of data during the course of investigation would not amount to a violation of the right to privacy and would come under the exceptions carved out in the Puttaswamy case. However, in no case could such details be provided by the IO to any third party without written permission of a Court. In case of dereliction of this duty, the IO can be proceeded against.
- The Investigating agency would be at liberty to engage a specialized agency required to crack the password if the password given is wrong.
- Provision of the password does not amount to providing testimony. The data available on the mobile or computer has to be separately proved.
The Court, however, did not highlight the role of a non-cooperating intermediary and whether he could be proceeded against as an abettor.
Following the above observations, the Court felt that the following minimum guidelines may be implemented by the Police for seizure.
17.5.1. When carrying out a search of the premises as regards any electronic equipment, Smartphone or e-mail account the search team to be accompanied by a qualified Forensic Examiner.
17.5.2. When carrying out a search of the premises, the investigating officer should not use the computer or attempt to search a computer for evidence. The usage of the computer and/or search should be conducted by a properly authorized and qualified person, like a properly qualified forensic examiner.
17.5.3. At the time of search, the place where the computer is stored or kept is to be photographed in such a manner that the connections of wires including power, network, etc., are captured in such photographs.
17.5.4. The front and back of the computer and/or the laptop while connected to all the peripherals are to be taken.
17.5.5. A diagram should be prepared showing the manner in which the computer and/or the laptop is connected.
17.5.6. If the computer or laptop is in the power-off mode, the same should not be powered on.
17.5.7. If the computer is powered on and the screen is blank, the mouse could be moved and as and when the image appears on the screen, the photograph of the screen to be taken.
17.5.8. If the computer is powered on, the investigating officer should not power off the computer. As far as possible, the investigating officer to secure the services of a computer forensic examiner to download the data available in the volatile memory i.e., RAM since the said data would be lost on the powering down of the computer or laptop.
17.5.9. If the computer is switched on and connected to a network the investigating officer to secure the services of a forensic examiner to capture the volatile network data like IP address, actual network connections, network logs, etc.
17.5.10. The MAC address also to be identified and secured.
17.5.11. In the unlikely event of the Forensic examiner not being available, then unplug the computer, pack the computer and the wires in separate faraday covers after labeling them.
17.5.12. In case of a laptop if the removal of the power cord does not shut down the laptop to locate and remove the battery.
17.5.13. If the laptop battery cannot be removed, then shut down the laptop and pack it in a faraday bag so as to block any communication to the said laptop since most of the laptops, nowadays have wireless communication enabled even when the laptop is in the stand by mode.
17.6. Seizure of networked devices: Apart from the above steps taken as regards seizure of the computer, laptop, etc., if the said equipment is connected to a network:
17.6.1. To ascertain as to whether the said equipment is connected to any remote storage devices or shared network drives, if so to seize the remote storage devices as also the shared network devices.
17.6.2. To seize the wireless access points, routers, modems, and any equipment connected to such access points, routers, modems which may sometimes be hidden.
17.6.3. To ascertain if any unsecured wireless network can be accessed from the location. If so identify the same and secure the unsecured wireless devices since the accused might have used the said unsecured wireless devices.
17.6.4. To ascertain who is maintaining the network and to identify who is running the network – get all the details relating to the operations of the network and role of the equipment to be seized from such network manager.
17.6.5. To obtain from the network manager, network logs of the machine to be searched and/or seized so as to ascertain the access made by the said machine of the network.
17.7. Mobile devices:
Mobile devices would mean and include smartphone, mobile phone, tablets, GPS units, etc. During the course of seizure of any of the mobile devices, apart from the steps taken in respect of a computer and/or laptop, the following additional steps to be taken.
17.7.1. Prevent the device from communicating to network and/or receiving any wireless communication either through wifi or mobile data by packing the same in a faraday bag.
17.7.2. Keep the device charged throughout, since if the battery drains out, the data available in the volatile memory could be lost.
17.7.3. Look for sim-slots, remove the sim card so as to prevent any access to the mobile network, pack the sim card separately in a faraday bag.
17.7.4. If the device is in power off mode, the battery could also be removed and kept separately.
17.7.5. If the device is powered on, then put it in an aeroplane mode in android device or airplane mode in an iOS device.
17.8. In all the cases above, the seized equipment should be kept as far as possible in a dust free environment and temperature controlled.
17.9. While conducting the search, the investigating officer to seize any electronic storage devices like CD, DVD, Blu-Ray, pen drive, external hard drive, USB thumb drives, solid-state drives etc., located in the premises, label and pack them separately in a faraday bag.
17.10. The computer storage media, laptop, etc., to be kept away from magnets, radio transmitters, police radios etc., since they could have an adverse impact on the data in the said devices.
17.11. To carry out a search of the premises to obtain instructions manuals, documentation, etc., as also to ascertain if a password is written down somewhere since many a time person owning equipment would have written the password in a book, writing pad or the like at the said location.
17.12. The entire process and procedure followed to be documented in writing from the time of entry of the investigation/search team into the premises until they exit.
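As an added illustration (not part of the judgement or of this post), the following sketch shows what an examiner's record of the volatile network data named in 17.5.9 and 17.5.10 could look like when prepared for the written documentation required by 17.12. It assumes a Linux machine, whose kernel exposes TCP sockets in the `/proc/net/tcp` table; the sample table, the MAC address, the function names and the SHA-256 digest over the record are all assumptions of this example and are not prescribed by the guidelines.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample in Linux /proc/net/tcp layout (not taken from any real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0A01A8C0:C350 2200A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20002
"""
# Constructed interface-to-MAC map; on a live Linux host each value is the
# content of /sys/class/net/<iface>/address.
SAMPLE_MACS = {"eth0": "02:00:00:aa:bb:01"}

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_addr(hex_addr):
    """Turn the kernel's little-endian hex 'IP:port' into dotted-quad form."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return "{}:{}".format(".".join(str(b) for b in octets), int(port_hex, 16))


def parse_connections(proc_net_tcp):
    """Return one dict per IPv4 TCP socket listed in the table."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        rows.append({"local": decode_addr(fields[1]), "remote": decode_addr(fields[2]),
                     "state": TCP_STATES.get(fields[3], "UNKNOWN(" + fields[3] + ")")})
    return rows


def build_record(proc_net_tcp, macs, collected_at=None):
    """Bundle the snapshot with a UTC timestamp and a SHA-256 over its canonical JSON."""
    record = {"collected_at_utc": collected_at or datetime.now(timezone.utc).isoformat(),
              "mac_addresses": macs, "tcp_connections": parse_connections(proc_net_tcp)}
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return record, hashlib.sha256(canonical).hexdigest()


if __name__ == "__main__":
    record, digest = build_record(SAMPLE_PROC_NET_TCP, SAMPLE_MACS)
    print(json.dumps(record, indent=2))
    print("sha256:", digest)
```

Writing the digest into the search memo at the time of collection lets anyone later confirm that the recorded connections and MAC addresses have not been altered since the seizure.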
It appears that the Police did not invoke Section 69/69A of the ITA 2000 with a due notification from an appropriate authority.
It is to be appreciated that the honorable judge has taken enormous efforts to put together a guideline which will be useful to the Police.
Naavi