
IR.B.6 English

Uploaded by

rasone.isehal

National Crime Records Bureau (NCRB)

National Cybercrime Training Centre (NCTC)

Course Reference Guide

Track: Responders Track


Level: Basic
Chapter 6: Crime Scene Management

Table of Contents
1. Incident Response Procedures & Crime Scene Management
   1.1. Defining Incident Response (IR)
2. Steps to Follow by the First Responder at the Scene of Crime
   2.1. Steps to follow
   2.2. Planning and Organization
   2.3. Preservation of the Scene and Evidence
   2.4. Documenting and Recording Crime Scene
   2.5. Identifying Potential Evidence
   2.6. Labeling and Seizing Evidence
   2.7. Acquisition and Authorization
   2.8. Packing of Evidence
   2.9. Transporting and Storing Evidence
3. Important Documents for First Responder
   3.1. Chain of Custody Form
   3.2. Registering an FIR at the Police Station
   3.3. Drafting an FIR
   3.4. Documents to be sent with FIR
4. SOP for Handling the Digital Crime Scene/Digital Evidence
   4.1. Consequences of Tampering Digital Evidence
5. Reference


1. Incident Response Procedures & Crime Scene Management


1.1. Defining Incident Response (IR)
As an Investigating Officer, your first step in investigating a crime is to perform the Incident Response process. In generic terms, Incident Response is an organized procedure for handling any kind of incident, breach or threat.

However, from the perspective of Law Enforcement Agencies (LEA), Incident Response refers to an organized procedure in which the first responder, that is, a Police Official, arrives at the scene of crime for the first time. The Investigating Officer secures the scene of crime, seizes the evidence and maintains the Chain of Custody by following a set of defined Standard Operating Procedures (SOP).

2. Steps to Follow by the First Responder at the Scene of Crime


Before arriving at the crime scene, the Investigating Officer or first responder should be well prepared to examine and secure the scene of crime, seize evidence, and properly record and document the scene of crime.

2.1. Steps to follow


The steps to follow for incident response are as follows:

1. Planning and Organisation of Crime Investigation
2. Preserving the Scene of Crime and Recording Evidence
3. Documenting Crime Scene
4. Identifying Evidence
5. Labeling and Seizing Evidence
6. Acquiring and Authorizing Evidence
7. Packing, Transporting and Storing Evidence

2.2. Planning and Organization


Prior to arriving at the scene of crime, you as the Investigating Officer must plan the approach to handling the scene of crime depending on the type of crime. Some of the questions that you may ask before starting the investigation are:

1. What is believed to have taken place?
2. What is the magnitude of the problem?
3. Is any specialized expertise or medical assistance required?
4. Are there any particular dangers at the scene of crime?
5. What other assistance might be required?
6. Is it an indoor or outdoor scene?
7. Is it a remote location?
8. What local resources would be available?
9. Does anybody else need to be informed?
10. What are the weather conditions, that is, is the climate hot or cold?
11. What equipment is required?

After collecting this information, you need to ensure that you carry the required toolkit.

Things to Carry in the Digital Crime Scene Toolkit

When you go to a crime scene, you should carry a toolkit that is relevant to the crime. Special tools and equipment are required to collect electronic evidence. The investigating officer should have access to the tools and equipment necessary to document, seize, disconnect, remove, package and transport digital evidence from the scene of crime.

A digital crime scene toolkit comprises a variety of nonmagnetic tools. These include:

1. Write Blocker
2. Faraday Bag
3. Antistatic Bag
4. Signal Jammer
5. External Hard-disk 2 TB
6. Extra Hard-disk
7. Live Forensics Tools
8. Acquisition Software
9. Converter / Adapter: SATA to USB, IDE to USB, SCSI to USB
10. Toolkit containing screwdrivers (non-magnetic), pliers, forceps, scissors, clips, pins, cutters, etc.


Besides the digital crime scene toolkit, the investigating officer should also carry general crime scene tools, which are as follows:

a. Crime scene securing tapes
b. Digital camera
c. Video camera
d. Note/sketch pads
e. Portable USB hard disks and pen drives
f. Labels
g. Pens, permanent markers
h. Storage containers
i. Torch and magnifying lens
j. Rubber gloves

2.3. Preservation of the Scene and Evidence


When you reach the crime scene, you need to ensure the preservation of the crime scene as well as the evidence. As the first step, you need to demarcate the area that needs to be protected. The area should be cordoned off using any kind of physical barrier.

In addition, you should follow strict anti-contamination measures, including:

• Wearing protective clothing, gloves and shoe covers.
• Using a single path when entering the scene (even for medical personnel).
• Avoiding moving anything/anybody, unless it is absolutely necessary. If something or somebody is moved, the initial location should be carefully documented.
• Respecting the victim's privacy and human rights with the use of screens, curtains, tents etc.
• Avoiding using any facilities available at the scene, such as washroom, water, towel, and telephone. Further, eating, drinking or smoking at the crime scene should be avoided.
• Another key point when preserving evidence is ensuring that any individual present at the crime scene does not destroy the evidence for their own selfish reasons.

While securing the crime scene, the first responders should separate and identify all adult persons of interest at the crime scene and record their location at the time of entry into the scene. No one should be allowed access to any computer or electronic device. Within the parameters of the applicable State and local laws, first responders should obtain as much information as possible from these individuals through preliminary interviews, including:

a. Names of all users of the computers and devices.
b. All computer and Internet user information.
c. All login names and user account names.
d. Purpose and uses of computers and devices.
e. All passwords.
f. Any automated applications in use.
g. Type of Internet access.
h. Any offsite storage, Internet service provider.
i. Installed software documentation.
j. All e-mail accounts.
k. Security provisions in use.
l. Web mail account information.
m. Data access restrictions in place.
n. All destructive devices or software in use.
o. Facebook, or other online social networking Web site account information.
p. Any other relevant information.
q. All instant message screen names.

2.4. Documenting and Recording Crime Scene


Documentation is a critical step during the investigation of a crime, and it continues throughout the investigation process. It is also the starting point for the chain-of-custody. The initial documentation of the scene should include a detailed record using video, photography, notes and sketches to help recreate or convey the details of the scene later. The Investigating Officer should also document observations of the crime scene, including the location of persons and items within the crime scene and the appearance and condition of the scene upon arrival. The officer should also record statements of all those present at the crime scene, including the suspect. Use a voice recorder to record statements, if possible.

Documenting and Recording Digital Evidence

As an investigating officer, you must consider the following points while documenting and recording the details of digital evidence:

• Documentation of the scene should include the entire location, including the type, location, and position of computers, their components and peripheral equipment, and other electronic evidence.
• You should accurately record the state, power status, and condition of computers, storage media, wireless network devices, cell phones, smart phones, PDAs, and other data storage devices; Internet and network access; and other electronic devices.
• The first responder should be aware that not all digital evidence may be near the computer or other devices.
• You may need to move a computer or another electronic device to find its serial numbers or other identifiers. Moving a computer or another electronic device while it is on may damage it or the digital evidence it contains. Therefore, computers and other electronic devices should not be moved until they are powered off.
• All activity and processes on display screens should be fully documented.
• The scene may expand to multiple locations. So, as a first responder, you should document all physical connections to and from the computers and other devices.
• Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and the Internet. The existence of network and wireless access points may indicate that additional evidence exists beyond the initial scene.

2.5. Identifying Potential Evidence


After securing the scene of crime and creating the initial documentation of the crime scene, the first responder should visually identify all potential evidence. This includes both physical and digital evidence.

Physical evidence includes any material object, such as blood stains, a knife, or hair samples, that is used to establish that a crime has been committed. The recognition and recovery of physical evidence aims at locating and identifying the maximum amount of potentially relevant evidence and selecting appropriate recovery methods.

In addition to physical evidence, the first responder should also look for digital evidence. Digital evidence refers to data and information that is used to establish that a crime has been committed and is stored on any electronic device, such as desktops, mobile phones, and laptops.

Digital evidence can be volatile or non-volatile. Volatile evidence must be collected from the crime scene as soon as possible, as it is available only while the system is running.

Identifying Digital Evidence

Digital evidence that you can collect from the scene of crime can be volatile evidence, non-volatile evidence, and other peripheral devices.

Volatile digital evidence includes data in RAM and mounted virtual drives.

Non-volatile digital evidence includes the following:

1. Internal hard disk
2. USB portable hard disk
3. External backup devices, such as Jaz, Zip and tape drives
4. Flash/pen/thumb drive
5. Data storage card
6. SD card/micro SD card
7. CD-R/CD-RW/DVD/Blu-ray disc
8. Magnetic tapes (used for data backup in servers)
9. And a few other devices and peripherals, such as:
10. All connecting leads, including power adapters of laptops and peripherals
11. Dongles, if any
12. Printers with output documents
13. Modems with telephone memory
14. Scanners with power adapter and connecting cable
15. Camera
16. USB portable read-write drives: ROM/DVD burner/floppy drives
17. USB portable card reader/writer
18. Fax machines with memory and their printouts
19. iPod
20. Mobile phones
21. Tablets
22. Landline phones with storage
23. Network router or switch

Considerations when Identifying Digital Evidence: When identifying a digital device, you need to keep in mind the following important points:

a. Check if the computer is a standalone or connected to a network. If networked, any server connected outside must be verified.
b. Check if the computer is connected to remote shares or networks.
c. Check and seize the following to assist with the examination:
d. Manuals and computer software
e. Paper with passwords
f. Printers, printouts and printer paper to compare printouts
g. Ensure that the condition of any electronic device is not altered. This means that if a computer or electronic device is already in power off or power on state, leave it as is.
h. Components such as keyboard, mouse, removable storage media, and other items may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved. First responders should take the appropriate steps to ensure that physical evidence is not compromised.
i. Ensure that possible hiding places or difficult-to-access areas have not been overlooked in the detailed search.

The next step that you need to follow as a first responder is labeling and seizing
the evidence.

2.6. Labeling and Seizing Evidence


After you identify the digital evidence, you need to follow the steps to seize and label the evidence. Seizure of evidence involves creating a digital fingerprint or image of the evidence on a target device that can be used for forensic analysis.

As part of seizure and labeling, you must label all the evidence properly and photograph the evidence with labels. You must also note the serial number, make, model, item description and purpose of seizure in the seizure note. Let us first look at the steps that you need to follow when seizing different digital devices.

Seizure of a Powered-On Computer: The seizure of a powered-on computer includes the following steps:

1. If the computer is powered-on, you need to perform the given steps during seizure.
2. As the first step, you need to photograph the screen.
3. In the powered-on state, the computer contains evidence in its volatile memory, i.e. RAM and cache. So, you need to collect the data present in the RAM.
4. Then, you need to check the display screen for signs that digital evidence is being destroyed. Some of the words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
5. After this, look for indications that the computer is being accessed from a remote computer or device.
6. Look for signs of active or ongoing communications with other computers or users, such as instant messaging windows or chat rooms.
7. Take note of all cameras or web cameras and determine if they are active.
8. Check for virtual drives. If found, collect logical copies of mounted data.
9. Then, you need to label and photograph all connections and ports.
10. Disable network connectivity to prevent remote access.
11. Disconnect the power/shut down the computer.
12. Then, open the CPU chassis to locate the hard disk and disconnect it.
13. Finally, you need to seize and package all evidence in bags.
14. At the end, tag or label each bag.

Seizure of a Powered-Off Computer: The seizure of a powered-off computer includes the following steps:

1. If the computer is powered-off, begin by taking a photograph of the screen.
2. Then, you need to add labels to all ports that are connecting peripherals and external devices.
3. This is followed by photographing the ports.
4. Next, you need to open the CPU chassis to locate the hard disk.
5. Collect non-volatile data, that is, storage media, including data storage cards and pen drives. These need to be seized with hash value.
6. After this, collect peripherals and software CDs/DVDs.
7. Then, seize and package all evidence in bags.
8. And finally, add a tag/label on each bag.

Seizure of a Mobile Phone: The seizure of a mobile phone includes the following steps:

1. The first step that you need to perform is to search and identify the mobile device that you think needs to be seized.
2. Then, check if the mobile phone is on. If the mobile phone is on, achieve isolation by switching the mobile to flight mode.
3. Then, you should photograph and document what is in the mobile phone.
4. Always remember not to insert any SIM card or replace the SIM in the mobile phone, as it may risk losing the data/evidence contained in the mobile phone.
5. Next, you should disable the pattern lock or PIN on the phone.
6. Then, complete the evidence seizing procedure.

Guidelines for Seizure Memo (Panchnama)

Section 165 Cr PC and Section 80 of the ITAA 2008 provide the legal provisions empowering Investigating Officers to conduct search and seizure.

As an investigating officer, you should:

1. Ensure that one of the technical people from the responder side, along with two independent witnesses, is part of the search and seizure proceedings. This is required to identify the equipment correctly and to guide the Investigating Officer and witnesses.
2. Refer to the notes made during the pre-investigation assessment for cross verifying and correctly documenting the technical information regarding equipment, networks and other communication equipment at the scene of crime.
3. Note down the accurate time zone and system time, which play a very critical role in the entire investigation. So, you should ensure that this information is noted carefully in the Panchnama, from the systems that are in switched on condition.
4. Always remember, DON'T switch ON any device.
5. Make sure a serial number is allotted for each device and the same should be noted not only in the Panchnama but also in the Chain of Custody and Digital Evidence Collection forms.
6. Ensure that each device is photographed at its original place before the investigation process starts, along with a respective reference such as cubicle number or name, room surroundings, etc.
7. Photograph the Hard Disk Drive or any other internal part along with the system, once removed from the system. If possible, paste the serial number along with PF number/Crime number/section of law.
8. Capture the information about the system and data that you are searching and seizing in the Panchnama.
9. Brief the witnesses regarding the tools used to perform search and seizure of the digital evidence.
10. Make sure that the Panchas have some knowledge and ability to identify various digital devices.
11. Document the Chain of Custody and Digital Evidence Collection forms apart from your regular Panchnama as a "best practice" for digital evidence.
12. Finally, make sure all the details mentioned in the forms are filled.

2.7. Acquisition and Authorization


Once the evidence is seized by the investigating officer, the next step is to create a forensic image of the suspect hard disk at the scene of crime.

The investigating officer or first responder must take the hash value of both the suspect hard disk and the forensic image. This will ensure that any tampering with the digital evidence after seizure is detected.

2.8. Packing of Evidence


The authentication and acquisition of evidence is followed by packing the evidence properly. Some of the key aspects that you need to take care of when packing evidence are:

1. You should use an antistatic aerated cover to hold the seized hard disk.
2. You must pack mobile phones in a Faraday bag, so that they do not receive any signals.
3. You should leave mobile phones in the same state, power-on or power-off, in which they were found.
4. Digital evidence should not be dropped in plastic bags.
5. Packaging has to be of the proper size and material for the evidence to fit. Also, all pieces of evidence should be packaged separately and should be properly labelled, sealed, marked, photographed and documented.
6. Packaging should be clean and new to avoid contamination.
7. You should add tag numbers to every piece of evidence with all visible details that go into the evidence database.

2.9. Transporting and Storing Evidence


Once the packing is completed, the evidence can be transported to the forensic lab. The steps to be followed are:

1. Send packaged evidence to the laboratory for analysis through a special messenger, not by post or courier.
2. The person transporting the evidence should be made to understand that the exhibit must not be exposed to any magnetic field during transportation. Discs hold magnetic data, so if they are packed loosely and strike each other during transit, the media could be damaged or data might be lost.
3. Evidence should not be placed in an area where there will be drastic changes in temperature. Heat, cold, and humidity can also spoil digital evidence.
4. Hard disks should not be subjected to shocks.
5. Poor transportation and handling of evidence can damage the evidence.

While sending the evidence to the forensics lab, a fresh hard disk of approximately the same capacity should also be sent for forensic imaging along with the suspected storage media.


3. Important Documents for First Responder


3.1. Chain of Custody Form
As a first responder, there are multiple documents that you need to prepare and send, including the Chain of Custody, First Information Report or FIR, evidence seizure form, and FSL form.

As per the guidelines mentioned by NICFS for Chain of Custody, the chain of custody is established whenever an investigator takes custody of the evidence at a crime scene. This chain is maintained when the evidence is received from another officer.

Some of the key points that you need to keep in mind when creating a chain of custody document are:

1. The chain-of-custody record for all the items collected from the crime scene must be documented. Each piece of evidence collected should be tagged and must include the following details:
   a. Case reference number FIR, dated and Police Station.
   b. Exhibit number.
   c. Date and time of collection.
   d. Item description.
   e. Identity of the person who collected the evidence.
   f. Location where the item was found.
   g. Name and signature of the person who collected the evidence.
2. In the case of digital evidence, the hash value of each item of digital evidence must be computed and recorded individually on every transfer in order to maintain the authenticity and integrity of digital evidence records. Individuals assuming custody of such digital evidence must sign a chain-of-custody document mentioning the respective hash values.
3. A clear, well-documented chain of custody should be established through the following:
   a. Notes, including information recorded above and any unusual markings on or alterations to the item.
   b. Markings and packaging of the evidence.
   c. Seals of the evidence.
   d. Remember that all the processes during transfer of evidence should be recorded faithfully in the case diary to establish the chain of custody.
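
The hash checks described in section 2.7 (suspect disk versus forensic image) and in point 2 above (hash recomputed on every transfer) can be sketched as follows. This is an added example, not part of the original guide: SHA-256 is an assumption because the guide does not name a hash algorithm, and the file names, officer roles and case identifiers are constructed placeholders.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large disk image never has to fit in RAM."""
    digest = hashlib.sha256()  # assumption: the guide does not name an algorithm
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_acquisition(suspect_path, image_path):
    """Section 2.7: hash both the suspect media and its forensic image."""
    suspect_hash = sha256_of(suspect_path)
    image_hash = sha256_of(image_path)
    return {"suspect": suspect_hash, "image": image_hash,
            "match": suspect_hash == image_hash}


@dataclass
class CustodyRecord:
    """Tag details from section 3.1 plus one hash entry per transfer."""
    case_reference: str
    exhibit_number: str
    item_description: str
    location_found: str
    collected_by: str
    seizure_hash: str
    transfers: list = field(default_factory=list)

    def record_transfer(self, evidence_path, released_by, received_by):
        """Recompute the hash at hand-over and log it against both parties."""
        current = sha256_of(evidence_path)
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "released_by": released_by,
            "received_by": received_by,
            "hash": current,
            "intact": current == self.seizure_hash,
        }
        self.transfers.append(entry)
        return entry

    def first_break(self):
        """Return the first transfer whose hash differs from the seizure hash."""
        return next((t for t in self.transfers if not t["intact"]), None)


def run_demo():
    """Constructed walk-through: acquire, hand over, then detect an alteration."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "suspect_disk.bin")   # stand-in for the seized disk
        image = os.path.join(tmp, "forensic_image.dd")    # stand-in for its image
        sample = b"CONSTRUCTED SAMPLE SECTOR " * 4096
        for path in (suspect, image):
            with open(path, "wb") as fh:
                fh.write(sample)

        acquisition = verify_acquisition(suspect, image)
        record = CustodyRecord(
            case_reference="FIR-PLACEHOLDER",
            exhibit_number="EXHIBIT-PLACEHOLDER",
            item_description="Forensic image of internal hard disk",
            location_found="Placeholder location",
            collected_by="Investigating Officer (placeholder)",
            seizure_hash=acquisition["image"],
        )
        first = record.record_transfer(image, "Investigating Officer", "Special messenger")

        # Simulate a post-seizure change of a single byte in the image.
        with open(image, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        second = record.record_transfer(image, "Special messenger", "Forensic lab")
        return acquisition, first, second, record.first_break()


if __name__ == "__main__":
    acquisition, first, second, broken = run_demo()
    print("image matches suspect media:", acquisition["match"])
    print("first hand-over intact:", first["intact"])
    print("second hand-over intact:", second["intact"])
    print("custody breaks at:", broken["received_by"])
```

Because every hand-over stores its own recomputed hash, a mismatch identifies the custody interval in which the change occurred rather than only showing that the final copy differs.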

3.2. Registering an FIR at the Police Station


Once the Investigating Officer or first responder has secured the crime scene and seized all evidence, he or she shall return to the Police Station and file an FIR for the crime.

A First Information Report (FIR) is a written document prepared by the police when they receive information about the commission of an offence/crime. It is generally a complaint lodged with the police by the victim of an offence or by someone on his/her behalf. Anyone can report the commission of an offence/crime either orally or in writing to the police. Even a telephonic message can be treated as an FIR.

Why is an FIR important?

Some of the reasons are as follows:

• It is the earliest record made of an alleged offence, before there is time for its particulars to be forgotten or embellished.
• It can be used to corroborate or impeach the testimony of the person filing it under sections 145, 157 and 158 of the Indian Evidence Act.
• It can also be used under clause (1) of section 32 and illustrations (j) & (k) under section 8 of the Indian Evidence Act.
• It is necessary that the drawing up of this document is done with utmost care and accuracy and with all available details.

Who can lodge an FIR?

Anyone who knows about the commission of an offence can file an FIR. It is not necessary that only the victim of the crime should file an FIR. A police officer who comes to know about an offence can file an FIR himself/herself.


3.3. Drafting an FIR


Technically, an FIR refers to the information on the commission of an offence given to a police officer by the first informant. In other words, it is basically a complaint document that sets the provisions of the criminal law in motion. It is important to first understand the difference between cognizable and non-cognizable offences. An FIR is filed for cognizable offences. These are explained below:

1. Cognizable offence: Under the Criminal Procedure Code, commonly known as CrPC, a cognizable offence allows the police to directly register an FIR and immediately begin investigation. The accused can also be arrested without a warrant. Some of the offences that fall into this category are rape, murder, kidnapping and theft.
2. Non-cognizable offence: In a non-cognizable offence, the police will require the permission of the court to register a case or investigate. The accused cannot be arrested without a warrant and the offence is bailable. Some of the examples of non-cognizable offences include criminal intimidation, trespassing, making a public nuisance of oneself, misappropriation of property, physical assault, forgery, causing simple hurt, and simple cheating.

Guidelines when Drafting an FIR

As per the Police Manual Vol 2. by Sikkim Police, salient points to be remembered when registering and dispatching an FIR are:

1. Write the FIR immediately with all available details, mentioning the name of the complainant or informant, father's or husband's name, age, occupation and residence, the time of reporting at the police station and brief particulars of the report, including the crime number and section of law and indicating the action taken. Substance thereof shall be entered in the GD.

2. Obtain the signature or, if illiterate, the thumb impression of the complainant or informant on all the pages of the statement.
3. Record all available facts of the case in unambiguous terms if the complaint is made orally, and make sure that no important point is omitted.
4. Use a ballpoint pen with blue or black ink, as used for document writing, for writing the FIR, or print on a typewriter or on a computer printer, and make copies by carbon process or photocopying. The handwritten/typed complaint can even be scanned, if need be.
5. Do not make corrections, erasures, or over-writings. If a correction is necessary, strike out the word/words, leaving them still legible, and attest it.
6. Record on the original written statement report of the informant the date and hour of its receipt and through whom it was received.
7. Ascertain and incorporate in the FIR the reasons for the delay, if any, in the receipt of the report or in the making of the complaint at the police station. Register a case even if the information is from the accused.
8. In cases registered suo moto, satisfy yourself that the FIR contains a full and correct record of all facts and circumstances relating to the offence and the offenders, including the names of witnesses, if any.

While drafting an FIR, you need to fill in the following columns of the FIR correctly:

a. Date and hour of occurrence. If you don't know the correct time of occurrence, give the approximate time and, if you don't know the exact date of occurrence, place it between two dates.
b. Date and hour when reported.
c. Place of occurrence and distance and direction from police station.
d. Date of dispatch from the police station.
e. Name and residence of informant or complainant. The complainant's or informant's full name with aliases, if any, address and father's name.
f. Name and residence of the accused. The full name of each of the accused with aliases, if any, address and father's name.
g. Brief description of the offence, with section and details of property stolen/taken away, if any. Note the section of law and modus operandi classification, and the details and value of stolen property. If the list of stolen property is lengthy, it must be made on a separate sheet of paper and attached to the FIR and the fact mentioned in this column. In such a case, the list should bear the signatures of both the complainant and the SHO.
h. Reason for any delay in recording information or lodging of the complaint.
i. Signature and designation of the recording officer should be on all the pages.
j. Use only the prescribed form and fill up all the columns accurately based on available information, using the words and symbols prescribed, in correct and brief language which brings out the essential features of the crime. It is not advisable to use words such as "Nil" when information in a particular column is not available at that moment.

Steps after Drafting an FIR

The following steps should be taken:

1. The copy of the FIR should be dispatched or made available to the following officers by the earliest possible means, duly entering the manner, the date and hour of dispatch in the GD.
   • The area Magistrate (in original)
   • Superintendent of Police
   • Sub-Divisional Police Officer
   • Station file
   • The complainant or informant
   • To the concerned Police Station/Department if the crime reported pertains to their jurisdiction
2. Attach the original written complaint to the original copy of the FIR to be sent to the Magistrate.
3. Dispatch the copies of the FIR to the Magistrate (in original) and other officers without any delay and enter the manner, the date and hour of dispatch in the concerned records.
4. Satisfy yourself that the copies of the FIR are delivered promptly under proper acknowledgment, if sent through messenger. If sent by post, obtain a certificate of posting.
5. In special report cases, send copies of the FIR through courier or speed post or by express messengers, if delivery is local, or by fax or e-mail.

Process Flow of FIR

There is a process flow that you must adhere to while drafting an FIR. These
include the following:

1. FIR must be filed immediately. If there is any delay, mention it in the form.
2. If given orally, the FIR MUST be taken down in writing and explained to you
by the officer in charge, at a Police Station within the jurisdiction of which the
offence has taken place.
3. Four copies of FIR must be recorded simultaneously, with carbon sheets in
place.
4. The FIR must be recorded in first person. Do check in which language this
needs to be done.
5. Make sure the officials’ attitude towards the victim/complainant is sympathetic
and respectful.
6. Avoid complicated, technical words, terminologies and unnecessary details.
7. Try not to overwrite or score out words.
8. Ensure that the arrival/departure time is mentioned in the FIR and in the Daily
Diary Register at the Police Station.

Drafting Process Checklist

An FIR must contain authentic information. It should answer all of these questions
with the necessary bits of information:


a. What information does the victim/complainant want to convey?
b. In what capacity is the victim/complainant providing the information?
c. Who is the perpetrator of the crime?
d. Who has the crime been committed against?
e. Victim/complainant?
f. When was it committed (time)?
g. Where was it committed (specific place /locality/area)?
h. Why do you think it was committed?
i. Which way (actual process involved) was it committed?
j. Were there any witnesses? (Names will be required here.)
k. What were the losses? (Money/valuables/possessions/physical
damage etc.)
l. What were the traces at the scene of the crime? (Weapons/evidence,
if any.)

All of the given information must be recorded by the officer in the book maintained
for this purpose by the State Government.

3.4. Documents to be sent with FIR


There are various documents that need to be sent. The first is Chain of Custody
Form, then Evidence Seizure form and the FSL form. These are explained below:

1. Evidence Seizure Form: As mentioned in NICFS, once digital evidence
is identified, it should be seized by the First Responder/Investigating Officer
using appropriate forensic tools. Seizure of evidence involves creating a
digital fingerprint of the data by calculating the hash value of the suspect
storage media at the scene of crime, so that any tampering with the digital data
between seizure and the courtroom can be detected.
It is also recommended that a forensic image of the suspect hard disk be
made at the scene of crime and that the hash values of both the suspect disk
and the forensic image be computed. Acquisition of data is the process of
acquiring data by making a forensic image of the suspect storage media. A new,
sterile hard disk should preferably be used for making the image. You should
always use a higher-capacity hard disk for forensic imaging.
2. Forwarding to Forensic Science Laboratory (FSL) Form:
According to the NICFS guidelines on how to handle digital evidence by the
Investigating Officer from the scene of Crime to FSL, when handling digital
evidence the Investigating Officer must follow the given steps:

1 The Investigation Officer must provide physical storage media, e.g. USB,
CD, DVD and hard disk. The new physical storage media may be a
permanent sterile storage media. In case a used hard disk is taken as
physical media for storage of alleged information, it is necessary to wipe off
the previous data from this hard disk. Remember that if you open any file
without using a write blocker, its time stamps will change, which would
amount to tampering with the evidence contents; strictly avoid doing so.
2 Immediately after transfer of data image to the new physical media as per
the flowchart of data acquisition and imaging that is shown in the Next
Slide, the first thing is to give an evidence or exhibit number to this new
physical media.
3 Then, the Investigating Officer must give a ‘unique number’ to the contents
of the physical storage media in terms of a hash value. This unique identification
number, or hash value, is given to the contents of the physical media by
using software that implements a hash algorithm. The unique identification
number is a software-generated, fixed-length number. Although it looks like a
randomly generated number, it does not change when read on any computer.
4 In order to give a ‘unique number’ to the contents of the physical media,
the Investigating Officer should transfer the alleged data to a new sterile
permanent storage media as soon as possible as per the flowchart of data
acquisition and imaging discussed in the next slide.
5 The unique number should be mentioned in panchnama to authenticate the
evidence subsequently.


6 Complete seizure and acquisition by ensuring that the hash value of the
original evidence, marked as N1, and the hash values of its imaged copies,
marked as N2, N3 and N4, are all the same.
7 Finally, prepare the Seizure memo and send the evidence to the FSL after
proper packaging and sealing along with seizure memo.

When completing the Forwarding to Forensic Science Laboratory form, these are the
steps that you need to perform for the suspect evidence and its acquisition:

1. Use a write blocker.
2. Read bit by bit using software such as FTK, EnCase and C-DAC.
3. ‘Generate Unique Identification Number’ for the contents of the
evidence media using a hash algorithm. You also need to write bit
by bit and make three copies of the evidence contents, that is, for the
police/court, the FSL and the defence counsel, on new sterile non-volatile
storage media such as a new USB hard disk, CD or DVD.
4. Mark the hash value of the original contents as N1 and mark the
hash values of the imaged contents as N2, N3 and N4.
5. ‘Generate Unique Identification Number’ for all three copies of the
evidence contents using a hash algorithm.
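The N1 to N4 comparison described in the steps above, written out as an added example (it is not part of the original guide and is not an NICFS or FSL tool). It assumes SHA-256 as the hash algorithm, uses constructed temporary files in place of real media, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never sits in memory


def hash_media(path, algorithm="sha256"):
    """Return the hex digest of a file or raw device, opened read-only."""
    digest = hashlib.new(algorithm)  # SHA-256 is an assumption, not from the guide
    with open(path, "rb") as media:
        for block in iter(lambda: media.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_copies(original, copies, algorithm="sha256"):
    """Map marks N1 (original), N2, N3, ... (images) to their hash values."""
    hashes = {"N1": hash_media(original, algorithm)}
    for index, path in enumerate(copies, start=2):
        hashes[f"N{index}"] = hash_media(path, algorithm)
    return hashes


def mismatches(hashes):
    """Marks whose hash differs from N1; acquisition is complete only if empty."""
    return [mark for mark, value in hashes.items() if value != hashes["N1"]]


def demo():
    """Constructed sample: three images of a stand-in 'disk', then one altered bit."""
    with tempfile.TemporaryDirectory() as workdir:
        data = os.urandom(3 * CHUNK + 517)  # constructed stand-in for suspect media
        paths = [os.path.join(workdir, name) for name in
                 ("original.dd", "court.dd", "fsl.dd", "defence.dd")]
        for path in paths:
            with open(path, "wb") as out:
                out.write(data)
        clean = verify_copies(paths[0], paths[1:])
        with open(paths[2], "r+b") as fsl:  # flip a single bit in the FSL copy
            fsl.seek(CHUNK)
            fsl.write(bytes([data[CHUNK] ^ 0x01]))
        return clean, verify_copies(paths[0], paths[1:])


if __name__ == "__main__":
    for hashes in demo():
        print(hashes, "mismatch:", mismatches(hashes))
```

The first run reports no mismatch; after a single bit is changed in one copy, only that copy's mark fails the comparison, which is the property that lets the value recorded in the panchnama authenticate the evidence later.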


4. SOP for Handling the Digital Crime Scene/Digital Evidence


There are Standard Operating Procedures (SOPs) for handling the digital crime scene and
digital evidence. An SOP ensures that any procedure, process or practice used in digital
evidence recovery falls within a defined and accepted framework for computer
forensic investigation, and we must comply with the principles stated earlier. For
example, in the identification and recovery of digital evidence, a computer forensic
specialist, or an experienced crime scene investigator, must go to the crime scene
in person and recover the evidence. It is important that relevant legal
guidelines or constraints are known to the investigator.

For the process of collecting the evidence, the standard operating procedure
covers preparation, search, prioritization, and collection, as follows:

1. Preparation: At the preparation step, a forensic specialist must ensure that
he/she has proper tools including forensically sterile media. All equipment,
sampling materials, storage and transportation containers should be new,
preferably disposable or cleaned thoroughly before and after use. Extra care and
precautionary measures should be taken so that digital evidence is preserved.
2. Searching the scene: Approach the scene and first secure it so that nobody
comes near to the scene of crime.
3. Prioritization: The investigator should prioritize evidence collection to
prevent loss, destruction or contamination.
4. Evidence collection: The evidence should be collected based on the volatility
of data.

4.1. Consequences of Tampering Digital Evidence


Any crime scene handling requires you to take some precautions. There are
consequences of tampering with digital evidence of which you should be aware.
Tampering with evidence is an act in which a person alters, conceals, falsifies, or
destroys evidence with the intent to interfere with an investigation (usually) by a
law-enforcement, government, or regulatory authority.

Law defines tampering of digital evidence as follows:


Under IPC section 204, if anyone tries to destroy or tamper with a document or electronic
record which he may be lawfully compelled to produce as evidence in a Court of
Justice, or in any proceeding lawfully held before a public servant, as such, or
obliterates or renders illegible the whole or any part of such document or electronic
record with the intention of preventing the same from being produced or used as
evidence before such Court or public servant as aforesaid, or after he shall have
been lawfully summoned or required to produce the same for that purpose, shall
be punished with imprisonment of either description for a term which may extend
to two years, or with fine, or with both.


5. Reference:

1. http://sikkimpolice.nic.in/e_library/Sikkim_Police_Manual/Sikkim_Police_Manual_Vol_2.pdf

2. https://www.ojp.gov/pdffiles1/nij/187736.pdf

3. https://www.ojp.gov/pdffiles1/nij/199408.pdf

4. https://www.ojp.gov/pdffiles1/nij/219941.pdf

5. https://www.ojp.gov/pdffiles1/nij/178280.pdf

6. NICFS Digital Evidence Chapter
