More Clarification on Section 65B Certification… For Forensic Labs

Section 65B Certification of electronic evidence produced in a Court proceeding in India has been a matter of intense discussion in the circle of Forensic experts, Law Enforcement and of course the Legal fraternity.

Historically, the undersigned was the first person to produce a report under Section 65B of Indian Evidence Act in a Court in India. (Suhas Katti Case in 2004). Subsequently, it has been followed by many other Certificates issued under the banner of Cyber Evidence Archival Center (CEAC)  in the last 12 or more years.

During this time, the undersigned has handled many interesting CEAC certifications including  Web site pages, E Mails, Mobile data, Corporate Computer data, Personal Computer data, YouTube Videos, CCTV Videos, Extracts from Forensic software, Remote Desktop views etc. Some certifications are straight forward web pages as they appear, some are extracted with the use of some forensic software etc. Some electronic documents are text documents that can be easily printed out and some are audio and video files which have to be rendered only in soft copy format.

Every one of these different types of documents,  have been a challenge in terms of meeting the Section 65B requirements. Some times it has been necessary to structure solutions  to extract the electronic documents as per the best understanding of the requirements of Section 65B as perceived by the undersigned .

As a result of such long experience over the past 12 plus years, the undersigned has developed  specific procedures  to present the “Computer Output” as required under Section 65B of Indian Evidence Act.

I am aware that there are legal luminaries who have special expertise in Indian Evidence Act and some of them may hold views different from mine on some aspects of how the section 65B  has to be interpreted.  It is possible that for various reasons, many of them had not focussed on the issue of Section 65B until recently when Supreme Court drew its attention to the mandatory need for Section 65B certification for all electronic evidences presented to the Court. (Refer Basheer Case).

I was however drawn into it right from 2002 when CEAC was formed as a service and has therefore the procedures developed must be considered as an evolution of the system over a long period.  (It is not out of place to mention that I had proposed CEAC to be public private partnership with the the Ministry of IT at that time through the then CCA though it could not be implemented while it continued as a private service.)

At this point of time, Naavi’s approach to Section 65B certification used by CEAC should perhaps be considered as one of the approaches that needs to be accepted as a major school of thought  even if other experts have a different view point. However, we can  say that Jurisprudence on this aspect is still under development and different experts arguing differently and different Courts interpreting differently could be common. Some time in the future, I suppose the honourable Supreme Court will look into many of my articles including this one and give its own interpretation which itself may undergo many iterations over time.

With this humble submission, I would like to present below my view on one hypothetical case based on a reference received by me regarding submission of forensic reports by Forensic Labs and Government owned establishments such as CFSL or other equivalent organizations.

In the reference, there were the following aspects.

  1. The evidence consists of a Call Data Record (CDR) extracted from a Mobile Service Provider (MSP). (Perhaps this includes  Tower data record along with the billing and usage records)
  2. Mobiles seized from the accused sent to the lab for analysis
  3. Hard disks seized from the accused sent to the lab for analysis.

For the sake of discussion, I consider the following hypothetical requirement of the law enforcement.

The accused has used the mobile phone/s to make calls to say other co-accused or to the victim to further commit an offence which may be a Cyber Crime or a Physical Crime. . The CDR was collected from the MSP and handed over to the lab for further analysis. Mobiles and Hard disks were seized from the accused by the Police and sent to the lab. The CDR evidence is to be used along with the forensic analysis of the mobile where there may be contact details, some SMS/WhatsApp messages. It is possible that some of this data might have been deleted and has to be recovered using appropriate recovery software. Some of the recovered data may be fragments needing further interpretation. The Computer hard disk will also have many items related to the mobile and CDR either in active files or deleted and recovered. There could also be a back up of phone data in the computer of the accused whose hard disks have been seized.

The question that was posed in a reference was

a) Who will provide Sec 65B certificate for the CDR

b) Will the Lab provide Section 65B certificate for its report?

I will try to provide my views on these queries to the best of my knowledge and experience.

Though the final report is provided by the Lab, the CDR is handed over to them as an input along with other seized hard disks.

The CDR is an extract from the systems of the MSP and has to be therefore certified under Section 65B by the MSP’s person in charge.

If the MSP admin allows the files to be viewed by an independent expert, then the independent expert may take on record what he has seen, the circumstances under which he saw the documents, record it and add it under his Section 65B certification.

The CDR as presented by the MSP may be in say an excel form which the lab may use as an input and analyze through a CDR analysis software. This may display many results that appear in the screen of the analyst’s computer which he may record and use in his report.

Similarly, the mobile data or hard disk data may be analysed by the analyst using forensic software of different descriptions. The software may discover deleted files and show on the analyst’s screen. Some of these electronic documents as it appears on the analysts’ screen may be captured and used as a part of the analyst’s report.

At the end of this exercise, the analyst will come to some conclusion in his report and answer the queries raised by the investigating officer.

In such a scenario, the question of how Section 65B certification has to be used by the Lab expert is a matter of discussion.

Now in the above case, the report could be considered as a combination of

a) Matter of fact observation when some content is displayed on the screen of the analyst under certain standard conditions.

b) Certain content displayed which may require an “Expert Knowledge” to draw a meaning.

Section 65B is mainly concerned with the presentation of an electronic document lying inside a computer as a “Computer Output” that can be experienced (Read, heard, seen) by the observer, for the purpose of admissibility by a Court.

“Interpretation” and drawing conclusions which are not obvious from the visible computer outputs (presented either as a print out or soft copy) is a subject matter of an expert in the domain. The matter of fact part of the report also requires certain expertise but the level of expertise required for interpreting the data may be higher or it may be completely an expertise outside the computer domain.

For better clarity, let us take an illustration where a lab analyst extracts an image of a wounded person from the computer and renders it as a computer output in his Section 65B Certified report. Another expert say a doctor views the photograph and opines that this wound appears to have been caused by such and such a weapon etc…

Here there are clearly,  two experts … First, the computer expert who discovered the image from a pile of deleted images and the second expert who had nothing to do with Sec 65B Certified report but is an expert in another domain.

Some times, the division of roles of the “Observer” who extracts the information and the “expert” who interprets the document may not be so clear. It may be the same person who uses a forensic tool to extract fragments of a file containing log records and uses his computer expertise to interpret that the log record extracts mean certain things.

The Forensic lab analyst  has such dual role and hence his report has this dual characteristic of being a report both as an observer of a “matter of fact” and as an expert “Who interprets the fact”.

Another illustration that explains this situation is as follows.

Let us say there is a photographer who takes photographs. If it is a digital photograph, he can give a “matter of fact section 65B certification” stating this is a faithful reproduction of a photograph which I took using such and such camera on such and such date and time at such and such place. This  is the typical certificate  where the certifier does not express any opinion on who is there in the photograph, what is happening, Is it a marriage? or Is it a quarrel? etc.

Let us now say that the photograph is a video in which two persons are speaking in French. Let’s say the photographer fortunately knows French language and can interpret what the two are talking. He therefore produces a report in which the video is enclosed and states that the two persons were planning a terrorist attack. His certificate is now more than a Matter of fact certificate and includes his own expert view based on his language expertise.

The report that normally a Forensic lab person gives has this dual element of expertise, where in the first place, there is a simple expertise of using some tool and making some electronic documents appear on the screen which is then printed with a CTRL+P command and in the second place, involving  a “Forensic Expertise” where he adds his “Opinion” into the report.

A Good lab report has to be structured in such a manner that these two aspects are clearly brought out in the report itself so that the Court can use the “Matter of Fact” report and discard the expert report if it deems fit. Alternatively Court may accept the matter of fact part of the report but approach another expert for interpretation to substitute the expert opinion part of the report.  This means that the report may be taken as evidence in part and rejected in part. It may also be possible that the defense may accept the report of the “matter of fact part” but challenge only the “Expert opinion” part.

It is a moot point at this point of time if the reports provided by CFSL or other organizations which normally provide such forensic certificates have a system of structuring their reports as described above. It is possible that they simply enclose the evidentiary objects examined and directly go to give its point by point reply to the investigating officers, queries on the evidence.

Once we understand this nature of the Lab report, we can address the issue of whether Section 65B certificate is required for the lab report or not.

If the Analyst has reproduced any extracts of electronic documents as part of his report and relied on such extracts, then Section 65B certificate is required.

If the Analyst does not use any electronic document as part of his report and only gives out his views in isolation, then he need not provide Section 65B certificate.

In such a case he can be cross examined as a witness and further information can be sought.

In the case of a self evident/self sufficient “Matter of Fact Certificate”, the parties/Court may decide not to put the analyst as a witness and examine him, since there is no dispute on the matter of fact part of the report.

In most of the practical cases, a forensic lab will have electronic documents discovered by them based on which they provide their opinion. Hence their reports will have elements of both a “Matter of Fact Certification” and a “Forensic Expert Opinion”.  Hence Section 65B certification as well as presentation as a witness may be required.

Where there is a case when there is a web page which has been certified by an independent observer like CEAC as it appears to the public on the web with only simple tools such as a standard computer, running on  a standard operating system and a standard browser application, the Section 65B certificate may be accepted without the need for cross examination of the certifier (unless the defense wants to challenge the witness and probably allege fabrication of evidence).

In such cases, the parties may accept the computer output for admissibility and argue on the content as they require. Eg: One may say that the words used are defamatory and obscene and the other may say it is not. The judge has to take the call.

In the Suhas Katti case, I had produced an extract from a web page which the advocates argued whether it was obscene or not. I had no role in deciding whether it was obscene content. Similarly, I had recorded the IP address visible in the header information of the message and given my limited expert view with the use of a “Whois query tool” to say this IP address appears to belong to BSNL, Mumbai. This was a low level forensic expertise. I was however examined in this case as an “Expert” and cross examined but there was no disagreement on the evidence produced. The only objection raised by the defense was that I was not a Government employee and the Court felt that expert can be a private person.

I have presented the detailed view point above to indicate that the Section 65B certificate is meant for replacing the need for the Judge to interpret the “Original Binary Content of an electronic document” and enable him/her take a view on the electronic document on the basis of a print out or soft copy of what the binary content means when rendered on the screen of a computer  as a “Computer Output”. This is with the limited objective that the electronic evidence can be admitted and trial can proceed. (Readers may kindly read my earlier articles on the subject also links to which is provided below)

The Forensic labs therefore learn to structure their reports appropriately to indicate that part of the report is simply to render the “electronic document” as a computer output as is visible to a low level expert while in some cases, the report continues with an expert view where the “Opinion” of the observer is added as an “Expert”.

What I have presented here as a requirement for Forensic labs should also apply to a “Digital Evidence Examiner” accredited under Section 79A of the ITA 2008 and summoned by the Court for its assistance.

Comments are welcome.

Naavi

Related Articles

1. Basheer Case Judgement and Section 65B of Indian Evidence Act…Cyber Jurisprudence develops

2. Section 65B of Indian Evidence Act on Electronic Evidence Explained

3. Clarification on Section 65B… Who should sign the Certificate?

4. The Role of “Notified Digital Evidence Examiners”

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.