Locard's exchange principle of forensics holds that the perpetrator of a crime brings something into the crime scene and leaves with something from it. This evidence exists without prejudice: the fact that it is not detected does not mean it does not exist. The principle applies equally to cyber-crime investigation. A large amount of logging takes place inside computers and network devices, which can leave an almost irrefutable trail of digital evidence from the scene of the crime to the criminal. The challenge is identifying, collecting and preserving that evidence and, later, having it pass the test of the courts at trial. This is all the more relevant when such evidence is collected in a country whose evidence-handling procedures differ from those of the country where the case will be tried.
Unlike in the real world, a cyber-crime can be committed without ever visiting the victim's country. In another situation, the criminal and the victim may both be under the jurisdiction of the same court, yet the digital evidence of the crime may be spread across the globe. In a third situation, criminals can gang up virtually from across the world, commit a cyber-crime and disperse; they may not even know each other in the physical world. The task of an investigator is therefore far more challenging: not only to identify and gather digital evidence from computers, mobile devices, servers, routers and gateways, but also to do so in a way that convinces the court that the digital evidence has not been tampered with and was correctly collected according to established scientific procedures.
The techniques and acceptable procedures for handling evidence differ from country to country, and this can diminish or destroy the evidentiary value of electronic evidence. There are several cases in which courts have refused evidence that was not collected according to Indian procedures. To add to the complexity, digital evidence is fragile and volatile and can be tampered with easily, sometimes even without any such intention. Special expertise is therefore required to collect electronic evidence according to a procedure that meets the requirements of all the courts of the world.
Leaving the analysis of evidence to the investigators, the digital evidence may be identified, collected, acquired, preserved and transported by a person who is not from a Law Enforcement Agency (LEA). This person is called the 'Digital Evidence First Responder' (DEFR). It is therefore necessary that the DEFR, whether from an LEA or not, has expertise in digital evidence and the associated procedures. To manage these challenges, especially the handling of evidence in multi-jurisdictional situations, the International Organization for Standardization, after years of effort, has published ISO/IEC 27037, Guidelines for identification, collection, acquisition and preservation of digital evidence. The document provides, after due deliberation with all member countries, including India, a standardised approach which, if followed by the DEFR, can give the respective courts assurance about the reliability and credibility of the digital evidence. The standard gives guidance on how to identify, collect, acquire and preserve digital evidence from computers, mobile devices, navigation systems, and digital still and video cameras (including CCTV).
ISO/IEC 27037 is technology neutral and does not recommend any specific product. Digital evidence handled in accordance with ISO/IEC 27037 gives the court a degree of assurance that, irrespective of who collected it and in which country, it has maintained its evidentiary value. The standard does not supersede national laws but adds to the procedural aspects of handling digital evidence. This also creates the possibility that an accused, in his defence, can point out to the court that the investigators did not follow the procedures given in ISO/IEC 27037 and that the electronic evidence has therefore lost its evidentiary value, because the standard is based on the least common denominator of electronic evidence handling and anything short of it can affect the weight given to the evidence. Comprehensive adherence to the procedures is therefore material. Interestingly, there is also a British Standard, BS 10008, which deals with the evidential weight and legal admissibility of electronic information.
In India, section 65B of the Evidence Act lays down the procedure for admissibility of electronic evidence. Section 85B of the Evidence Act, in fact, prohibits the courts from presuming electronic evidence to be genuine unless it is signed with a 'secure' digital signature. This means that the party presenting electronic evidence has to prove that it is genuine and has not been tampered with. It is here that ISO/IEC 27037 can be a very powerful tool in the hands of investigators to prove the truthfulness of evidence, even when it is collected from outside the jurisdiction of the court.
As an internationally accepted standard, ISO/IEC 27037 is an important instrument for providing a reliable, standardised approach to handling digital evidence, and it will affect the admissibility and reliability of evidence in any court proceeding. All investigating officers must therefore familiarise themselves with the bare minimum requirements that must be met in handling digital evidence for it to be acceptable in any court of the world. This can be critical, especially when handling cases related to terrorism, money laundering, the drug trade and other trans-national crimes.
The author, Commander Mukesh Saini (Retd.), is a former National Information Security Coordinator of the Government of India.