
Module V

The document discusses investigation procedures for cybercrimes. It outlines the specialized structures created by the CBI to investigate cybercrimes, including the Cyber Crimes Research and Development Unit, Cyber Crime Investigation Cell, Cyber Forensics Laboratory, and Network Monitoring Centre. Each unit has distinct functions to research cybercrime trends, investigate cases, analyze forensic evidence, and monitor internet activity. The document also covers planning search and seizure operations for cybercrime investigations, emphasizing the need for proper evidence handling and consulting cybercrime experts.

INVESTIGATION PROCEDURE

A criminal proceeding passes through different stages.


Investigation is the first stage. It is initiated after the police receive
information of a crime, either on the order of a magistrate or without such
an order. There is no uniform process of investigation. Different techniques
are used by the police while investigating a crime. Investigation is a skill and
requires special knowledge of the field in which the investigating officer is
working. The Code of Criminal Procedure lays down established procedures for
the investigation of traditional crimes. In traditional crimes, physical
evidence is generally found at the crime scene. Collecting that evidence
needs a lot of common sense and less technical knowledge. But the process of
investigation is completely different in the case of cybercrime.

The investigation of cybercrime requires special skill and scientific tools,
without which investigation is impossible. The Information Technology Act, 2000
contains certain provisions on the investigation of cybercrime. Certain changes
have also been made in the CrPC and the Evidence Act in this regard.

Investigation in Cybercrime

Crimes became more complex with the advancement of technology, and criminals
became more sophisticated; their modus operandi is beyond the reach of
normal investigation methods. Information technology gives criminals a chance
to commit crimes such as attacks against the security of critical
infrastructure like telecommunication, banking and emergency services. Such
crimes can also be committed through computer networks across national
borders, affecting individuals, and may also compromise the security and the
economy of the nation.
A criminal offence committed in one country extends to another country, and
even to many other countries. Such offences are also carried out almost
instantly and with great accuracy.

The Information Technology Act, 2000 has set up a special procedure for
investigation and further proceedings in cybercrime cases which, it is
contended, makes cybercrime investigation slow. Section 78 of the Act provides
that the investigation of cybercrime shall be done by an inspector. Before the
2008 Amendment to the IT Act, the power of investigation was with the Deputy
Superintendent of Police. The object behind this amendment is to bring
cybercrime investigation into the mainstream, like that of conventional crime.
It gives the inspector power to register and investigate cybercrime just like
other traditional crimes. The investigation of cybercrime involves various
problems and various minute processes. Often, no single procedure is laid
down for the investigation of cybercrime.

With the growth of the internet, it is now possible for an individual
sitting in one country to hack into someone’s account in another country.
Therefore, to fight cybercrime, the CBI has created a specialized
structure. Its units are:

1. Cyber Crimes Research and Development Unit (CCRDU)

2. Cyber Crime Investigation Cell (CCIC)

3. Cyber Forensics Laboratory

4. Network Monitoring Centre

1. Cyber Crimes Research and Development Unit: This unit has the
responsibility of keeping track of the changes and developments that take
place in this ever-changing area. Its functions are:
• To ensure cooperation and tie-ups with the State Police Forces.
• To collect information about cases of cybercrime reported to the
police for investigation.
• To find out about the follow-up actions taken by the investigating
officer in every case.
• To tie up with software experts to locate and identify areas where
the attention of the state police is required.
• To collect information relating to cases that occur in other countries
and prepare a monthly Cyber Crime Digest.

2. Cyber Crime Investigation Cell: The CCIC was established in 1999.
However, it came into action in 2000. It works as a part of the Economic
Offences Division and has all-India jurisdiction. It can investigate
cybercrimes under the IT Act, 2000. It is also a round-the-clock nodal
point of contact for Interpol to report cybercrimes in India, and is
a member of the Cyber Crime Technology Information Network System, Japan.

3. Cyber Forensics Laboratory: The CFL was established in 2003 and has
the following functions:
• Provide media analysis in support of the criminal investigations
done by the CBI and other law enforcement agencies.
• Provide on-site assistance for computer search and seizure upon
request.
• Provide consultation on investigations in which media analysis is
probable or occurring.
• Provide expert testimony.
• Provide adequate research and development in cyber forensics.

The collected information is used as evidence in the court of law.

4. Network Monitoring Centre: Its function is to police the internet and
search for any unusual activities using a network monitoring tool.

For such evidence to be admissible in court, all processes and formalities
must be followed properly. This means that every document is seized in a
proper legal manner and the chain of custody is not broken.

The purpose of the organs of the cybercrime department is to police the internet
to ensure that cybercrime can be stopped before it is committed.

Investigation of Cybercrime

- Investigation Process and Methods
The IT Act, 2000 is both substantive and procedural in nature. It describes
the offences, the penalties and punishments, and also the procedure for
the investigation of cybercrime. Sections 78 and 80 deal with
the power of investigation and with the search and arrest of the accused.
But the provisions of this Act are not sufficient to meet the requirements;
therefore the Criminal Procedure Code and the Indian Penal Code have
additionally been amended to bring cybercrime within the ambit
of these laws, which govern traditional crime. That means all the
traditional procedural laws regarding the investigation of crime are also
applicable to cybercrime investigation.
- Search and Seizure in Cyber Crime Investigation
Cybercrime has no physical boundaries. Criminals seeking
information stored in computers with dial-in access can reach the
information from virtually anywhere. The quantity of data that can be
stolen, or the level and amount of damage that can be caused by malicious
programming code, may be limited only by the speed of the network and
the criminal’s equipment.
i. Advance Planning for Search:
The plan should include the following:
• The place where the Investigating Officer (IO) is required to carry
out the search;
• A list of the computers, computer networks or other electronic memory
devices that are expected to be found;
• Mostly, a forensic team accompanies the IO on the search. When that is
not possible, information may be collected about the type, make, model,
operating system, network architecture, type and location of data
storage, remote access possibilities etc. and passed on to the forensic
experts, as it may help them make the necessary preparations to
gather and preserve evidence.
• The investigator or expert must carry the necessary media,
software and other specialized items, and also special
packing materials that prevent loss of data, which can
be destroyed by dust, jerks and an electrostatic environment.
ii. Precautions at the search location
• Taking control of the location: The IO must ensure that a suspect
or an accused does not touch any part of the computer or any
accessory attached to it, either physically or through wireless
means. The investigator needs to be extremely alert and may
seek guidance from an expert and take steps as per the expert's
instructions. Care should be taken that individuals
present at the site of the search are separated from their
computers, and all devices must be kept out of their reach. The
information in a computer network need not be stored at the
same site. The data could reside at a remote location, even in a
different country. Therefore, it may be important to find out the
location of storage and take action accordingly. If
storage of data is suspected to be located outside the country, it
will be necessary to alert Interpol and take the necessary steps
to issue letters under Section 166A of the Code of Criminal
Procedure. Before starting the search, the investigator needs to
decide whether to seize data on site or seize hardware for
examination at a Computer Forensic Laboratory. When there is
any doubt, a Computer Forensics Specialist at the scene is used
to determine whether to seize data or seize hardware.
If a specialist is not available, then everything has to be seized.
• Networked computers: The computer must not be disconnected
if networks or mainframes are involved; disconnecting a
computer from a network may damage the network and cause
harm to the data. It is generally not advisable to seize a
mainframe, because that requires disconnecting all the computers
attached to it. Hardware seizure with computers on a network
can be very complicated. The help of a Computer Forensics
Specialist is required in these cases.
iii. Preparation for the Search
The investigators must carry the following items with them to
facilitate the search:
• Disks or cartridges: to store copies of files from the
computer.
• Labels: to label cables, where they plug in, disks, various
parts of the computer and to write or protect disks.
• Screwdrivers and other tools: to dismantle the hardware for
seizure.
• Gloves: to take latent prints from disks or other storage
media or hardware.
• Packing materials: rubber bands, tape, boxes, bubble wrap,
anti-static wrap or paper bags.
• Camera equipment: to videotape and photograph the place
of investigation.
• Custody report sheets and other paper: to make a list of
seized evidence.
iv. Steps for the Search:
• Labelling and photographing the set-up: The IO is supposed to
take some general photographs of the search place to
document its pre-search condition for legal purposes and to
serve as a reference during the investigation. This
documentation may prove essential when the system is
re-connected in the Forensic Laboratory. The IO should
make sure to get close-ups of the front and back of all
equipment and of the way it is connected. He should pay
special attention to DIP switches on the rear of certain
equipment, which must be in a certain configuration. These
switch settings could accidentally move in transport, which
might create problems for the examiner.
• Labelling all parts: The IO is supposed to label each part
before he starts dismantling any of the equipment. All the
connectors and plugs at both ends, and the computer itself, are
supposed to be labelled so that re-assembly is easy and
accurate.
• Power system down: If a computer is off, it should not be
turned on. Hackers can make a computer erase data if a
particular disk is not in the drive when the machine is booted
up, or if a particular password is not entered. If the computer
is on, one should check before turning it off, otherwise data
may be destroyed. The IO needs to shut the machine down through the
operating system rather than just pulling the plug, or he can
instead disconnect it from the back of the machine. This is
because, if the machine is plugged into a back-up power
supply, it may initiate a shutdown process that could destroy
files.
• Dismantle the system: The system can be dismantled into
separate components for transportation once it is labelled
and powered down. If a computer is at a business location
and part of a network, then a proper procedure should be
followed to disconnect the computer from the network.
• Seize documentation: All manuals for the computer, its
peripheral devices, and especially the software and operating
system are seized. The examiners at the Forensic Laboratory
need to refer to the manuals to know the kind of hardware and
its technicalities. Other documents like notes, passwords
and journals are also seized. Sticky notes or other pieces of
paper around the computer that may have passwords or login
IDs written on them are also supposed to be seized.

These are the techniques of search and seizure in the investigation of
cybercrime. Applying them can make the investigation effective.

Cyber Forensics

The word ‘forensic’ can be understood as the application of scientific methods
and techniques in the investigation of crime. It gives the investigator a new
and different way of investigating crime using modern techniques. The use
of forensic tools is important for investigating technical crimes. Criminals
these days use modern techniques to commit crimes. Therefore,
forensic science offers a useful way to trace the truth. This technology is very
useful in traditional offences also, because it has invented and discovered
various things which can be used to learn the truth behind an incident, act or
crime.

• Computer Forensics
Computer forensics is the study of computer technology. Computer
forensics is the science of applying computer science to aid the legal
process. It is more than the technological, systematic inspection of the
computer system. Computer forensics requires expertise and tools that
go beyond the traditional data collection and preservation techniques
available to end users or system support personnel. Computer forensics
is the application of computer investigation and analysis techniques
in the interests of determining potential legal evidence.
• IP Address: When a cybercrime is committed using a particular device,
one of the most useful ways to trace the user is by detecting the IP address.
IP address means Internet Protocol address. Every computer or device
communicates through an IP address that is allotted either on a static or
a dynamic basis, and this is the reason why law enforcement agencies
throughout the world use IP addresses to trace cybercriminals. This is the
common way to trace the person who is behind any crime
committed through the internet.
There are two types of IP address:
a. Static and
b. Dynamic

A static address is one that is allotted and configured by the administrator
or ISP (Internet Service Provider) by editing the computer’s network settings.
It produces a single, constant, identifiable IP address that is easily
attributable to the computer using it.

A dynamic IP address is assigned by the Dynamic Host Configuration
Protocol (DHCP). This is a service running on the network. DHCP runs
on network hardware such as routers or dedicated DHCP servers. A
computer using a dynamic IP address is allotted a new IP address for
every new session during its lease period.

However, the investigator should not rely solely on the IP address,
because when different devices are connected to a router, all of those
devices share the same IP address, and this IP address is different from the
IP address provided by the ISP. These are the internal IP address and the
external IP address. It becomes very difficult to find out the true user of
a particular IP address.
Therefore, though the IP address is a way to find out the real user of the
device, it cannot be the sole means on which the investigator relies to
trace the person.
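The limits of IP-based tracing described above can be shown with a short added example, which is not part of the original document. It assumes hypothetical ISP lease records and a hypothetical router NAT log (all accounts, addresses, ports and times are constructed) and shows that an external IP address with a timestamp narrows only to a subscriber account, while picking out one device behind the router needs further records.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: "internal" addresses handed out by a home or office router.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ISP lease records: (external IP, account, lease start, lease end).
ISP_LEASES = [
    ("203.0.113.25", "ACCT-1001", "2024-03-01T08:00:00", "2024-03-01T20:00:00"),
    ("203.0.113.25", "ACCT-2002", "2024-03-01T20:00:00", "2024-03-02T08:00:00"),
]

# Constructed router NAT logs per account: (time, internal IP, external port).
ROUTER_NAT_LOGS = {
    "ACCT-1001": [
        ("2024-03-01T10:15:02", "192.168.1.10", 40001),
        ("2024-03-01T10:15:05", "192.168.1.23", 40002),
    ],
}


def is_internal(addr):
    """True for an internal (RFC 1918) address, which no ISP can attribute."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def accounts_at(external_ip, when):
    """Accounts whose lease on external_ip covers the instant `when`."""
    t = datetime.fromisoformat(when)
    return [acct for ip, acct, start, end in ISP_LEASES
            if ip == external_ip
            and datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)]


def devices_at(account, when, external_port=None, window_s=30):
    """Internal hosts behind the account's router that were active near `when`.

    Without the external port, every device active in the window is a candidate.
    """
    t = datetime.fromisoformat(when)
    hits = []
    for ts, internal_ip, port in ROUTER_NAT_LOGS.get(account, []):
        near = abs((datetime.fromisoformat(ts) - t).total_seconds()) <= window_s
        if near and external_port in (None, port) and internal_ip not in hits:
            hits.append(internal_ip)
    return hits


def attribute(external_ip, when, external_port=None):
    """Narrow an (IP, time[, port]) observation to accounts and devices."""
    if is_internal(external_ip):
        raise ValueError("internal address: meaningful only inside one network")
    accounts = accounts_at(external_ip, when)
    devices = [d for a in accounts for d in devices_at(a, when, external_port)]
    return {"accounts": accounts, "devices": devices,
            "single_device": len(accounts) == 1 and len(devices) == 1}


if __name__ == "__main__":
    seen = "2024-03-01T10:15:03"
    print(attribute("203.0.113.25", seen))          # two candidate devices
    print(attribute("203.0.113.25", seen, 40002))   # port narrows it to one
    print(attribute("203.0.113.25", "2024-03-01T21:00:00"))  # other account
```

Even a single matching device identifies a machine, not the person who was using it.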
• General stages in Digital Forensic Investigation
A computer forensic investigator follows certain procedures:
a. Identifying the crime, along with the computer and other
tools used in committing the crime.
b. Gathering evidence and building up a suitable chain of
custody.
c. Once the data is recovered, it must be imaged, duplicated
and replicated, and then the duplicated evidence is analyzed.
d. After that, the forensic investigator must act as an expert
witness and present the evidence in court.

The forensic investigator becomes a tool which the law enforcement agency
uses to track and prosecute cybercriminals.

Challenges faced

1. Jurisdiction and problem
Jurisdiction is a very important notion in the execution of any law in any
country. Jurisdiction is of two types: territorial and personal.
Cybercrime often transgresses national boundaries, and that is when
jurisdiction becomes a complicated matter. Countries differ in civil and
criminal offence standards, substantive and procedural law, data collection
and preservation practices, and other evidentiary and juridical factors.
Moreover, it is often ambiguous whose responsibility it is to deal with a
specific crime or conduct an investigation, or how to collaborate
through extradition and mutual assistance policies. This plays out not
only at the world level, but also within nations where multiple law
enforcement departments are involved. Due to the nature of cybercrime,
the traditional notion of jurisdiction needs to change. The
traditional notion of jurisdiction is predicated on the territorial theory and
the physical presence theory. The territorial theory protects the territorial
integrity of the state; it gives power to investigate and inquire into any crime
within the territory of the state. In the physical presence theory, the presence
of a person or property in a state is the basic ground upon which a legal
authority exercises its jurisdiction. But cybercrime is different, and
both theories are therefore useless in certain situations.
2. Impact of the internet upon the territorial notions of jurisdiction
Internet communications go beyond state boundaries, creating a new
realm of human activity and weakening the legitimacy of applying laws
based on territorial boundaries. Some territory-based law makers and
law enforcement authorities regard this new environment as a threat. A state
is territorial in nature, while the internet is not restricted to territorial
boundaries.
Considering the problem of jurisdiction, the CrPC and IPC were amended
at the time of enactment of the IT Act, 2000. Chapter XIII, Sections 178-186
and Section 188 were meant to enlarge the ambit of the local
jurisdiction. Apart from dealing with crimes committed in India, the
CrPC also supplements Section 4 of the IPC, which contains the extension of
the IPC to extra-territorial crimes. The amended Section gives power to
the Indian Court to deal with the matter if the affected computer resource
is situated in India. The rules under this section show the legitimate right
of a sovereign state over its citizens, not only on its own land but also on any
foreign land. Thus, the amendment tried to some extent to provide
jurisdiction, but the execution of this section is still not possible without
the co-operation of other States.
3. Electronic/Digital Evidence
Electronic evidence comprises all material that exists in electronic, or
digital, form. It can be stored or transmitted. It can take different forms,
like computer files, transmissions, logs, metadata, or network data.
Digital forensics deals with recovering volatile and easily
contaminated information that may have evidential value. Forensic
techniques include the creation of bit-for-bit copies of stored and deleted
information, cryptographic file hashes or digital signatures that can
demonstrate changes in information, and write-blocking to ensure that the
original information does not get changed.
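The bit-for-bit copy and file hashes described above, together with the chain of custody and imaging steps (b and c) of the general stages, are sketched in the following added example, which is not part of the original document. The function names, the custody-log layout, the actors and the sample bytes are all constructed assumptions; in-memory buffers stand in for a seized disk and its working copy.

```python
import hashlib
import io
import json

CHUNK = 1 << 20      # read in 1 MiB blocks so large images never sit in memory
GENESIS = "0" * 64   # "previous hash" value for the first custody entry


def sha256_stream(stream):
    """SHA-256 of everything left to read in a binary stream."""
    digest = hashlib.sha256()
    while block := stream.read(CHUNK):
        digest.update(block)
    return digest.hexdigest()


def image_and_verify(source, dest):
    """Copy source to dest bit for bit, hashing the source during the read.

    Returns (source_hash, copy_hash); the copy is re-read from the start so
    the second hash reflects what was actually written.
    """
    digest = hashlib.sha256()
    while block := source.read(CHUNK):
        digest.update(block)
        dest.write(block)
    dest.seek(0)
    return digest.hexdigest(), sha256_stream(dest)


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody record; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, when, actor, action, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"when": when, "actor": actor, "action": action,
                "evidence_sha256": evidence_sha256, "prev": prev}
        self.entries.append({**body, "entry_hash": _entry_hash(body)})

    def verify(self):
        """False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Image a constructed 'disk', log two hand-overs, then tamper with both."""
    original = io.BytesIO(b"\x00BOOT" + b"constructed sample sector data" * 1000)
    copy = io.BytesIO()
    src_hash, copy_hash = image_and_verify(original, copy)

    log = CustodyLog()
    log.record("2024-03-01T11:00:00", "IO", "seized and imaged on site", src_hash)
    log.record("2024-03-02T09:30:00", "forensic examiner", "received copy", copy_hash)
    log_ok = log.verify()

    altered = bytearray(copy.getvalue())
    altered[10] ^= 0x01                       # flip a single bit in the copy
    altered_hash = sha256_stream(io.BytesIO(bytes(altered)))

    log.entries[0]["actor"] = "someone else"  # edit an earlier custody entry
    return {"copy_matches": src_hash == copy_hash, "log_ok": log_ok,
            "bit_flip_detected": altered_hash != src_hash,
            "log_edit_detected": not log.verify()}


if __name__ == "__main__":
    print(demo())
```

A hash chain only exposes edits to part of the log, so the final entry hash still has to be recorded somewhere the log's holder cannot rewrite, such as the signed seizure memo.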
In cybercrime the evidence may be in any form.
Digital evidence is any information stored or transmitted in digital form
that a party to the case may use in the trial. Whenever digital
evidence is submitted in a court of law, then before accepting it the Court
will determine whether the evidence is relevant and whether it is admissible
as evidence. The Court also determines whether it is hearsay evidence and
whether the original is required or a copy is acceptable.
The Amendment to the Evidence Act, 1872 has brought the electronic
document under the purview of evidence. The definition of documentary
evidence has been amended to include electronic records produced for
inspection by the court.
Section 3 of the Indian Evidence Act, 1872 defines evidence as,
“Evidence means and includes
1) All statements which the court permits or requires to be made before it
by witnesses in relation to matters of fact under inquiry; such statements are
called oral evidence;
2) All documents including electronic records produced for the
inspection of the court. Such documents are called documentary
evidence.”
The Indian Evidence Act includes certain new sections, Sections 65A
and 65B, and these sections provide that the contents of electronic records
may be proved in a court of law.
Sec. 65B (1): Notwithstanding anything contained in this Act, any
information contained in an electronic record which is printed on a
paper, stored, recorded or copied in optical or magnetic media produced
by a computer shall be deemed to be also a document, if the conditions
mentioned in this section are satisfied in relation to the information and
computer in question and shall be admissible in any proceedings, without
further proof or production of the original, as evidence of any contents of
the original or of any fact stated therein of which direct evidence would
be admissible.
Sec. 65B (2): This sub-section lists the technological conditions upon which a
duplicate copy (including a print-out) of an original electronic record may
be used.
Sec. 65B (3): This sub-section lists which computers shall be treated as a
single computer, namely where the relevant function was performed:
• by a combination of computers operating over that period; or
• by different computers operating in succession over that period;
or
• by different combinations of computers operating in succession
over that period; or
• in any other manner involving the successive operation over that
period, in whatever order, of one or more computers and one or
more combinations of computers.

Sec. 65B (4) states that, for the purpose of admissibility of evidence, a
certificate doing any of the following:
• identifying the relevant electronic record containing the
statement and describing the manner in which it was produced;
• giving the particulars of any device involved in the production of
that electronic record;
• dealing with any of the matters to which the conditions
mentioned in sub-section (2) relate;

and purporting to be signed by a person occupying a responsible official
position in relation to the operation of the relevant device or the
management of the relevant activities (whichever is appropriate) shall be
evidence of any matter stated in the certificate; and for the purposes of
this sub-section it shall be sufficient for a matter to be stated to the best
of the knowledge and belief of the person stating it.

Section 17 of the Indian Evidence Act deals with admissions; this
Section now includes statements in electronic form.
Section 22A of the Indian Evidence Act, 1872 deals with the relevancy of
oral evidence regarding the contents of electronic records. It says that oral
admissions as to the contents of electronic records are not relevant, unless
the genuineness of the electronic record produced is in question.
Section 88A of the Evidence Act, 1872 grants discretion to the court to
presume that an electronic message forwarded by the originator through
an electronic mail server to the addressee corresponds with the
message as fed into his computer for transmission. Section 88A clarifies that
the court shall not make any presumption as to the person by whom such
electronic message was sent. The law thus accepts that electronic messages
are vulnerable to fabrication.
The next amendment to the Indian Evidence Act, 1872 is Section 45A,
which provides:
45A. Opinion of Examiner of Electronic Evidence.- When in a proceeding, the
court has to form an opinion on any matter relating to any information
transmitted or stored in any computer resource or any other electronic or
digital form, the opinion of the Examiner of Electronic Evidence referred
to in section 79A of the Information Technology Act, 2000 (21 of 2000) is
a relevant fact.
Thus, various provisions of the Evidence Act deal with electronic
or digital evidence.

General Problems in Investigation

- The police force is not properly trained in modern methods of criminal
investigation and is not trained to gather scientific evidence to present a
strong case in court. This is why the gap persists between the reporting
of a crime, the arrest of a criminal and the successful prosecution of the
accused.
- The training is restricted to traditional methods and does not extend to
modern techniques of criminal investigation. Further, the method and
content of data collected and recorded during investigation vary from
State to State. With cross-border crime occurring frequently,
tracing criminals is a challenge for any State police in the absence of
criminal data sharing and co-operation. The data collected and recorded
by the National Crime Records Bureau (NCRB) is basic, and data access
at all levels is limited. Therefore, the police machinery needs to develop
its way of working. The State needs to provide technical training for
investigating cybercrime.
- It is very difficult to collect the evidence. Even if it is collected, the next
difficulty is to preserve it until it is submitted in court.
- Quality of investigation and documentation:
• Police are not able to undertake effective investigation because of
the lack of modern gadgets such as cameras, video equipment etc.
• Forensic science laboratories have a scarcity of equipment; even at
district level there is no lab available which can render timely
assistance to the investigating police.
• Further, there is a scarcity of forensic and cyber experts in the police
departments of various States. The result is that the police focus
heavily on oral evidence instead of on scientific and
circumstantial evidence.
• Sufficient care and effort are not given to examining and recording the
statements of witnesses.
• The statements/FIRs/reports recorded are not uploaded to the
computer immediately, either because of the lack of a computer network,
or because of lack of training, or because of lack of specific
instructions.

There is a need to change the traditional method of
investigation and use scientific methods to ensure proper and fast
conviction of the cybercriminal.
