ICS Products and Law Enforcement



In recent days, Law Enforcement in India has successfully investigated several Cyber Crimes. Time  has however come now to extend this success to successful prosecution of criminals in a Court of Law. In this phase of Cyber Crime Management, it is important to recognize that "Evidence" plays a vital role in securing the interests of the Information Asset owner and the success of the Investigator.

It is more than three years since law was passed in India to recognize electronic documents as admissible evidence in  a Court of law. The necessary amendments were made to the Indian Evidence Act 1872 by the Information Technology Act 2000 (ITA-2000).

According to the provisions of Indian law, in the case of electronic documents produced as "Primary Evidence", the document itself must be produced to the Court. However, such electronic document obviously has to be carried on a media and can be read only with the assistance of an appropriate Computer with appropriate operating and application software.

In many cases even in non-electronic documents, a document may be in a language other than the language of the Court in which case it needs to be translated and submitted for the understanding of the Court by an "Expert".  In such cases,  the person making submission of the document normally submits the translation from one of the "Experts". If the counter party does not accept the "Expert's opinion", the court may have to listen to the interpretation of another "Expert" and come to its own conclusion of what is the correct meaning  of a document in a language foreign to the Court.

In the case of the Electronic documents, under the same analogy, "Presentation" of document is the responsibility of the prosecution or the person making use of the document in support of his contention before the Court. Based on his "Reading" of the documents, he submits his case. This may however be disputed by the counter party. In such a case, it becomes necessary for the Court to "Get the document Read by another  expert"  to its satisfaction. It is necessary to have some clarity on the legal aspects of such documents presented to the Court because most of the court battles are expected to revolve around "Proper Reading " of the documents and "Possible manipulation of the documents".

In making presentation of an "Electronic Document", the presentor may submit a readable form of the document in the form of a "Print Out". Question arises in such a case whether the print out is a "Primary Evidence" or a "Secondary Evidence".

According to Indian Evidence Act, section 65 refers to "Cases in which secondary evidence relating to documents may be given". However, the modifications made to this section by ITA-2000 have added Sections 65 A and Section 65 B.

Though these sections have been numbered as A and B of 65, these are not to be treated as sub sections of Section 65. As per schedule II to ITA-2000, serial number 9, it appears that 65A and 65B are to be treated as independent sections.

According to Section 65 A therefore, " Contents of electronic records may be proved in accordance with the provisions of Section 65B".

Whether by design or otherwise, Section 65B clearly states that " Not withstanding anything contained in this (Ed:Indian Evidence Act) Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (herein after called the Computer Output) shall be deemed to be also a document...."

However, for the "Computer Output" to be considered as admissible evidence, the conditions mentioned in the Section 65 B (2) needs to be satisfied.

Section 65B(2) contains a series of certifications which are to be provided by the person who is having lawful control over the use of the Computer generating the said computer output and is not easy to be fulfilled without extreme care.

It is in this context that the responsibility of the Law Enforcement Authorities in India becomes onerous while collecting the evidence.

In a typical incident when a Cyber Crime is reported, the Police will have to quickly examine a large number of Computers and storage media and gather leads from which further investigations have to be made. Any delay may result in the evidence getting obliterated in the ordinary course of usage of the suspect hard disk or the media.

Any such investigation has to cover the following main aspects of Cyber Forensics, namely,

1. Collection of suspect evidence

2. Recovery of erased/hidden/encrypted data 

3. Analysis of suspect evidence             .

If the process of such collection, recovery and analysis is not undertaken properly, the evidence may be rejected in the Court of law as not satisfying the conditions of Section 65B of the Indian Evidence Act.

In the evolution of the Indian challenge to Cyber Crimes, it may be said that during the last three years, Police in different parts of the Country have been exposed to the reality of Cyber Crimes and more and more cases are being registered for investigation. However, if the Law enforcement does not focus on the technical aspects of evidence collection and management, they will soon find that they will be unable to prove any electronic document in a Court of Law.

Some of the Cyber Crimes being reported belong to the category where an incriminating or defamatory information is posted on a website or a message board. In such cases the “Evidence of Crime” is available on the web. But this evidence is likely to be removed after the offence comes to the knowledge of the Police. It becomes necessary to capture such transient evidence in a manner as to be capable of being proved in a Court of Law. Since any evidence gathered by the Complainant or the prosecution could be challenged as “Self Serving”, it would be necessary to use third party trusted services such as www.ceac4india.com to archive the transient evidence and make it presentable.

Some of the Crimes such as Computer Frauds however consist of “Modification of Electronic Documents in a Computer”. Some Crimes involve e-mails and documents created in a Computer and later deleted. It is therefore important for the Law Enforcement Authorities to device effective means of gathering such evidences which are hidden inside Computers in a hard disk.

This requires some Cyber Forensic tools that are specially created for the purpose of capturing “Forensic Quality Evidence”. These Cyber Forensic gadgets are not only products that are required by the Law Enforcement authorities, but also the Information System Auditors in the Corporate world.

Forensic Quality Data Capture

In most of the incidents of Cyber Crime investigation by the Police or suspected fraud in a Corporate network, it becomes necessary to seize the suspect Computer or its hard disk for a detailed examination.

Some times even in an "Intelligence gathering Mission" it may be necessary to subject a hard disk for a detailed examination.

The practical problem in most such cases is that if  the computer is seized immediately, it may disrupt the operations of the enterprise seriously. If the Police make this as a common practice, then no Company would be comfortable in preferring a complaint  in case of a computer crime. ISP s and other intermediaries would refuse to allow such seizure of hard disks/storage devices since it will stop their operations forthwith.

A similar problem also arises in case of an auditor who suspects some fraud in a hard disk but needs access to the same for a prolonged time for further analysis.

It therefore becomes necessary for the investigator or the auditor to make a "Copy" of the original "Evidence" and carry on his investigations on the "Copy". The question then arises that if he stumbles upon some evidence during his examination and then comes back to seize the original hard disk, the data on the original hard disk may no longer contain the evidence he had unearthed during the investigation.

Even assuming that the "Original Hard Disk" itself had been seized and the investigations have unearthed some evidence, there would be a charge from the accused that the evidence was in the custody of the Police/Auditor and could have been tampered with.

It becomes absolutely essential therefore for the investigator to preserve the original evidence and at the same time subject it to any type of analysis he may like without disrupting the regular user of the system and the hard disk.

A device required for this purpose is one which makes one or more  "Bit Image” copies of the suspect hard disk in the presence of the asset owner which can later be used for invasive analysis without jeopardizing the evidentiary value of the data.

For this purpose it would also be necessary to create a "hash code" for the "original" being copied so that the duplicates can be proved to contain the exact data as found in the original and any analytical result arising out of the duplicate is acceptable against the original also.

Intelligent Computer Solutions (ICS) a company based in USA manufactures the necessary tools that ideally fit the requirements of the Law Enforcement Authorities.

ICS has developed the hard drive duplication technology (patented under US patent no C,131,141) that has been in use by Law Enforcement agencies in several countries and Commercial enterprises including companies such as Intel. These devices are now available in India for the first time.

Image MASSter Solo 2 Forensic unitThe two key products offered by ICS are the  Solo2 and Link Mater.

 Solo2  is a handheld software duplication device made for computer disk drive data seizure. Image capture operations can be performed from a suspect's drive to another hard drive with duplication speeds in excess of 1.8 GB/Min.

This is powered by the Company's patented Image MASSter technology and provides for MD5 and SHA1 hashing (approved by ITA-2000) for data integrity checking. Upon copying of the suspect disk to an evidence disk, a report can be generated along with the hash code which can be jointly authenticated by the system owner and the investigator to avoid any disputes on the integrity of the data transfer.

Since the copying is a "Bit Image Copy Process", the evidence disk can be analysed with data recovery tools for recovering deleted information. Multiple clones can be generated so that different investigators can simultaneously work on the copies all of which are legally acceptable clones of the original.

Solo 2 is connected directly to the suspect drive and in order to prevent accidental writing on the suspect drive,  an accessory namely "Drive Lock" is used in between Solo-2 Forensic option: USB/FireWire Connection (LinkMasster Forensic)the suspect disk and Solo2.

The Link Masster is a software acquisition device made for seizing data from computers that cannot be opened in the field. It is ideally suited for acquiring data from a Laptop. This can perform high-speed data transfer (upto 3.5 GB per minute) between any suspect hard disk drives through the computer's  USB/Firewire port. It Supports MD5 and, SHA1 hashing during and after the acquisition. A bootable CD is supplied to boot the suspect's computer and run the LinkMASSter acquisition program.

Both devices captures data from suspect's hard drive in Single Capture mode and Multi Capture mode (which can capture more than one source drive to a single evidence drive).

Additionally, there are desk top models of disk duplication which will enable creation of multiple evidence disks which can be sent for Forensic Analysis to different labs

These devices are the primary hardware requirements for data capture and disk duplication and have been forensically tested and industrially accepted as reliable for judicial evidence.

Once Data is captured using these devices, with a Certificate recording the hash code at the time of seizure, the data can be subjected to analysis using standard software such as  “Encase”. It is also being integrated with “Cyber Check” (Developed by C-DAC, India)

These data analysis software are capable of “Un-deleting” the deleted files, reading hidden files, recovering passwords, searching through a mass of data for key words and so on.

With the availability of the ICS hardware tools the recommended procedure for seizure of data is as follows.

1.Create two copies of the suspect hard disk at the place of the asset owner from whom the evidence disks are desired to be seized, in the presence of a representative of the owner.

2.Create a certificate of duplication along with hash code and get it authenticated by the asset owner.

3.Seize the original hard disk and seal it in the presence of the asset owner.

4.Return one copy of the duplicated hard disk to the asset owner so that he can continue his operations.

5.Carry the second duplicate to the Cyber Crime Police Station where further copies may be created if required.

6.Run analysis software on the duplicates and record observations. Send copies to other Forensic labs if required.

7.Present the observations along with the analysed disk, the original disk in sealed form along with the certificate of hash code acknowledged by the asset owner and the investigator at the time of the seizure and the analyst before running his analytical tools.


April 7, 2004

For Structured Online Courses in Cyber laws, Visit Cyber Law College.com


Back To Naavi.org