Cybercrime investigation is no exception to Lochard’s principle of forensics. The principle states that the perpetrator of a crime will bring something into the crime scene and leave with something from it. These pieces of evidence are without prejudice and just because they are not detected do not mean they do not exist. The principle, hence, is as true for cybercrime investigation. A large amount of logging takes place inside computers and network devices, which can leave an almost irrefutable trail of digital evidence from the scene of the crime to the criminal.
The challenge is identifying, collecting and preserving the evidence and later during the trial passing the test of courts. This is all the more relevant when such evidence is collected from a country having different procedures of evidence handling than the country where the case will be tried.
Cybercrime and challenges
Unlike the real world, cybercrime can be committed even without visiting the country of the victim. In another situation of cyber-crime, criminal and victim may be present under the jurisdiction of the same court but still, digital evidence of the crime may be spread across the globe. Under third situation criminals can gang-up virtually from across the world, commit a cyber-crime and disperse, they may not even know each other in the physical world.
Therefore the task of an investigator is far more challenging to not only identify and gather digital evidence from the computers, mobile devices, servers, routers and gateways but also to accomplish this task to convince the court that the digital evidence has not tampered and correctly collected according to the established scientific procedures.
The technique and acceptable procedure for handling of evidence can be different in different countries. This can diminish or destroy the evidentiary value of such electronic evidence. There are several cases when courts have not accepted evidence collected if not according to the Indian procedures. To add to the complexity, digital evidence is fragile, volatile and can be tampered easily, sometimes even without such intentions. Therefore special expertise is required to collect electronic evidence according to a procedure which meets the requirement of all the courts of the world.
Leaving the task of analysis of evidence to the investigators, the digital evidence may be identified, collected, acquired, preserved and transported by person who may not be from Law Enforcement Agency(LEA). This person is called ‘Digital Evidence First Responder’ (DEFR). It is, therefore, necessary that DEFR whether from LEA or not, must have expertise on digital evidence and associated procedures.
To manage these cybercrime challenges, especially handling evidence under the multi-jurisdictional situation, the Organisation of International Standards, after years of efforts, has published ISO/IEC 27037 – Guidelines for identification, collection, acquisition, and preservation of digital evidence. The document provides, after due deliberations with all member countries, including India, a standardised approach which if followed by DEFR can provide assurance to the respective courts about the reliability and creditability of the digital evidence. The standard provides necessary guidance as to how to identify, collect, acquire and preserve digital evidence from computers, mobile devices, navigation systems, digital still and video cameras (including CCTV). ISO/IEC 27037 is technology-neutral and does not recommend any specific product.
A piece of cybercrime digital evidence handled in accordance with international standard ISO 27037 provides a kind of assurance to the court that irrespective of the fact that who and from which country such evidence is collected, it has maintained its evidentiary value. The standard does not supersede the national laws but adds to the procedural aspects of the handling of digital evidence.
This also leads to a probability that an accused in his cybercrime defence can point to the court that the investigators have not followed the procedures given in the ISO/IEC 27037, hence the electronic evidence has lost is evidentiary value, because the standard is based on the least common denominator of electronic evidence handling and anything short can have an impact on the weight of electronic evidence. Obviously, comprehensive adherence to procedures is material to prove any cybercrime. Interestingly, there is a British Standard BS 10008 which deals with the evidential weight and legal admissibility of the electronic information.
In India, the section 65B of the Evidence Act lays down the procedure for admissibility of electronic evidence. The section 85B of the Evidence Act, in fact, prohibits the courts from presuming electronic evidence as genuine unless it is signed by ‘secure’ digital signature. It means that the presenter of electronic evidence has to prove that digital evidence is genuine and has not been tampered. It is here ISO/IEC 27037 can be a very powerful tool in the hands of the investigators to prove truthfulness of the evidence, even if it is collected from outside the jurisdiction of the court.
ISO/IEC 27037 being an internationally accepted standard is an important instrument to provide a reliable standardised approach towards handling of digital evidence and will have an impact on admissibility and reliability of evidence in any court proceeding. It is, therefore, necessary that all investigating officers that they must familiarise themselves with bare minimum requirements which must be met in respect of the handling of digital evidence to be acceptable in any court of the world. This can be very critical especially handling issues related to terrorism, money laundering, drug trade and such other trans-national crimes.
The author, is a former National Information Security Coordinator of the Government of India