FORENSIC EVIDENCE

ne.
Introduction technology (IT) based interventions has
information developmente
Internet and other every day. Like other
Use of Computer, but also is expanding
aspectsof human life, commission of crime, Ae
only touched almost all interventions are also being misused for
Technology, IT based prevetion
in Science and imperative that officers and staff dealing with
technology, it is preventing
this involvesuse of high-end adequately equipped with latest knowledge for
of crime are nabbing the
as well as investigation undertaking investigation of crime to its logical end for
commission of crime and also law. The Cyber Forensics Division
undertakes
as per due process of
culprit and imposing punishment phones including SIM card and other digital
storage media
Hard disk, Mobile
examination of Computer
like memory card, pen drive, CD, DVD etc.
What is Cyber Crime?
computers or the Internet.
crime is a type of criminal activities carried out by means of
Cyber or a target or both.
considered to be unlawful acts where in the computer is either a tool
Cyber crime instruction
electronic device that takes data as input process the data using set of
Computer is an software.
computer system consists of hardware and
(called program) and gives result (output). A
Types of Cyber Crime:
Unauthorized data access.
Hacking/Cracking of Password, e-mail account, website etc.
Mobile Threats
Cyber Terrorism
Denial of Service
Fake website for cheating
Credit card fraud
Spreading pornography
email as threat or harassment
Phishing
Image morphing
Ransomware
 Investigator's Guide 457

What is Cyber Forensics?

Cyber Forensics is the
scientific
analysis,
documentation and preservationprocesses
of identification, seizure, acquisition, authentication,
computer systems, computer network, mobiledigital evidence involved in cyber crimes committed using
evidence to a court of law. Primary activities ofdevices and other peripheral devices and reporting the
Cyber Forensics are investigative in
nature.

Complaint Received

|Pre-Investigation Assessment
Criminal Offence

Issue Notices to
Register FIR
External Agencies
to provide Data
Document
everything, Photo Scene ofCrime
graphy/Videography
Evidence Seek Technical/
Collection Expertise Expertise help

Interviewing External/Third
Witness/Accused Evidence
Collection and Packing Party Service
/Victim Provider Evidence

Digital Forensic
Analysis Request

Collect Reports
Forensic Report and Information

Consider Statement, Forensic Report, External Third Party

Evidence and Prepare FinalReport

Flow Chart for Cyber Crime Investigation

MANUAL-DSCI)
(Kej. CYBER CRIME INVESTIGATION
 FORENSICEVIDENCE
458

Evidence
Sources of Digital

SCSI
Ultra ATA SATA

External
Solid State Mobile Phones
Various Types of Hard Disks

Drone Camera with

Removable Storage Devices Storage Device

Investigation Toolkit and Preservation

Antistatic Bag Radio Frequency Shielding Bag

Screw Driver Set

Forensic Duplicator Portable Write
Blocker Kit
 seizure procedure
Investigator's Guide 459

Secure all electronic

Evaluate the scene fordevices, including personal or
Carry basic investigatingidentifying
tools and
all the portable devices.
potential evidence.
withequipment (Toolbox)
Conduct preliminary
Confirm whether the interviews
machine is concerned person to analyse the
Ifthe system is OFF leave it OFE switched OFF or ON, situation.
Special care to be taken for
Remove all persons from the
volatile data, if required.
crime scene or the
collected. immediate area from which evidence to be
Ensure that the condition of
any electronic device is
not altered.
Don'ts while doing the Cyber Crime
Do not attempt to explore the investigation
contents of a
information from it.
computer or other electronic device or to recover
Do not press any keys click the mouse.
Do not move a computer or other
electronic device from one place to the other when powNer
is on.

Drocedure for collecting digital evidence from "Switched OFF" machine

Open side casing of CPU cabinet
Identify Hard disk
Detach Hard disk from power cables and mother board
Record make, model, serial number of the hard disk
Take signature of the custodian/accused and witness.
Collect non electronic evidence like diaries, notebooks and pieces of paper which may contain
user id, password etc.
"Switched ON" machine
Procedure for collecting digital evidence from
and documentation
Record what is on the screen by photograph
Record system date and time. volatile memory (RAM) using
to extract information from the
Take the help of technical expert
live forensics tool, if required.
connection.
Detach power cable and
Mobile Device Seizure Procedure (Make, model, Serial no, capacity, Os
details
condition and other
Document the location,
of the hand held digital devices.
data
IMEletc.) including on-screen
version,
 FORENSIC EVIDENCE

460
suspect for the pIN/
password or PIN or pattern lock, ask the
protected with
If adevice is lock.
pattern/password and disable user keeping the phone
the network bykeeping it on flight mode or
Isolate the mobile device from
phone.
in a faraday bag.
and accessories related to the seized mobile
Whenever possible get all cables
Electronics exhibits to FSL for Scientific analysis
Guidelines for packing/sending
Forwarding letter
Brief history of the case.
The details of the exhibits
seized and their place of seizure.
media.
make and description of the Hard disk or any other storage
The model,
model, make, IMEI, SIM No, Battery and memory card details.
For mobile phones crime.
to the scene of
The date and time of the visit crime.
system/mobile (on or off) at the scene of
The condition of the computer
a network ?
Is it a stand-alone computer or with external
computer has any Internet connection or any means to the communication
Is the
computers ?
Specimen seal of the forwarding authority.
Certificate of authority.
antistatic bags/faraday bag.
Exhibits must be properly sealed preferably by use of
Each exhibit should be marked/ labelled properly.
the suspect hard disk
For each Hard disk analysis, a blank hard disk of capacity more than the size of
should be sent along with suspected hard disk.
 FORENSIC EVIDENCE
478

Chemistry
carat?
21. Are the ornaments made of gold? What is the have been dissolved in the proree
22. Whether the solution contains gold particles which might
of cleaning the gold ornaments?
acid? What is the acid?
23. Do the wearing apparels of the victimcontain
24. Is it corrosive chemical and can endanger human life?
being?
25. Is it chilly powder/ whether it can cause harm to human
26. Does the hand wash contain detective dye (in trap cases )?
present in the container/cloth etc?
27. Whether any corrosive substances are
human beings?
28. Name & type of the acid/corrosive substance. Can it cause harm to
Explosives
29. Is there anyexplosive substance in the exhibits marked a, b, C...? If so name of the explosiv
substance present in them.
30. Are the exhibits nmarked w1, w2, w3.... used for the preparation of explosive?
31. What is the probable mechanism of the diffused explosive device as per the remnants collected
from the device?
32. Whether the items like glass, nail, stone chips...can be used as splinter in the explosive device?
33. Whether there is any explosive like RDX or any other high explosive present in the paste like
substance ?

Dowry death cases

34. Is there any inflammable liquid present in the container? If so name and type of the liquid
substance ?
35. Isthere anypresence of residual hydrocarbon inflammable oil in the container/burnt wearing
apparels/burnt hair &skin/cloth/soil etc? if so name the inflammable oil ?
NB: No live explosive be sent to FSL. Only after diffusion the materials be sent for chemical
examination along with diffusal certificate from BDDS.
Questionnaires for Cyber Forensic Examination
Exhibit - Mobile Phone including SIM card
1 Retrieve the data contents like call logs/contact list /SMS/GPS
clips from the exhibit marked 'A' and provide the
details.
locations/Audio/images/video
2. Retrieve the call logs (incoming call and outgoing call details) along with date
particular period from the mobile phone marked 'A'. and time for the
3. Retrieve the contact details from the phone memory/ SIM memory of
4 Whether anySMS was sent/received from exhibit marked 'A' the exhibit marked 'A
to the Mobile no 98XXXXXXXX on bearing mobile no 94XXXXXXXXX
Contents. dd.mm.yyyy? If yes, please provide the details of SMS
5
Retrieve images/videos/audio includingcall recording files from the marked exhibit 'X
provide the details. and
6
Whether any obscene image/video available in thephone
marked 'X. If yes please provide the obscene
content with memory/memorycard of the exhibit
details.
7. Retrieve the photos/images/videoclips captured on dd.mm.yyyy from
the mobile phone
 Forensic Question Box

exhibit ...
marked as
Retrieve the chat data (Facebook messenger, WhatsApp, Telegram, imo etc) from mobile phone
8. marked X
details of the exhibit marked 'X'
ProvidelMEl de
9. Retrieve the data contents like installed application/User accounts details/Web search history/
10 marked 'X' and provide the details.
from the exhibit
Any other interesting findings related to the case may be furnished.
11.
Exhibit-Hard disk/ Laptop

12
ootrieve documents like word, excel, pdf etc. / Audio/images/video clips from the exhibit
marked X' and provide the details.
13
wbether any obscene pictures/images/video clips related to the attached hardcopy photo are
ctored in the exhibit marked 'A. If so furnish the details.
Otrieve the contents of source codes/files with names ( abc, xyz etc) from the exhibit marked
14. details.
X' and furnish the
Check whether any files with extension .doc/.exe/ppt etc with the file name abc" are stored in
15.
the exhibit marked 'X. If so furnish the details.
Check whether any files related to the attached exhibit (specimen document or image) are
16.
stored in the exhibit marked 'A. If so please provide the details.
data/Social media
17. Retrieve user account/web search history/installed software list/email/Chat
provide the
data/ web browsing history/USB devices list from the exhibit marked X and
details.
marked 'A'ondd.mm.yyyy.
18. Whether the email id pgr@abc.com was accessed from the exhibit
sales/stock/purchase/employee record are stored in
19. Whether any database files related to the
the exhibit marked X' .If so furnish the details.

Exhibit- Pen drive/ Memory card/Other devices

marked 'X and provide the details.
20. Retrieve Audio/images/video files from the exhibit
any obscene pictures/images/video clips related to the attached hardcopy photo are
21. Whether
details.
stored in the exhibit marked 'X'. If so furnish the the
from the exhibit marked X' and provide
22. Retrieve word, excel, pdf etc. document files
details.
23. any files related to the attached exhibit (specimen document or image) are
Check whether
provide the details.
stored in the exhibit marked 'A'. If so pleasecloning/skimming device or not. If yes, provide the
24. Whether the exhibit marked 'X' is an ATM
ATM
25
details of the device.
App installed in the exhibit 'X to collect data from
wnetner there is any software/ the details along with ATM card data
collected
device. If yes, provide
Skimming/Cloning
through cloning/skimming device. suspect
protected with password or PIN or pattern lock, ask thefrom the
o: If aMobile device is user lock. Isolate the mobile
device
PIN/pattern/password and disable
Jor the mode or keeping the phone in a faraday bag. suspect
network by keeping it on flightblank hard disk of capacity more than the size of
analysis. a
For each Hard disk suspected hard disk.
hard disk should be sent along with
 FORENSICEVIDENCE
494

A-ll
Crime-Case-Exhibit Forwarding Form
Specimen Cyber

To
The Director
State Fore nsicScience Laboratory

From:-.

Date.
Memo no

FORENSIC EXAMINATION
CASE FORWARDING NOTE FOR

Case No:..
.Date.

U/S:
District:
Police Station:...

Parcel No

II. Brief history of the case :

 Annexes (Sample Specimen Form)

Descriptionoof exhibits sent for

IL.
examination:
ExhibitType Description
S.No. Exhibit Where Seized and
Make:
Marking bywhom
Harddisk
1
Model:
S/N:
Capacity:
Mobile Phone Make :
Model:
2
IMEI:
SIM No:
ICCID no:
Service provider:
Memory card:
Present/absent
If Present
Make :
Capacity :
S/N:
Pattern Lock/PIN code :

Memory card Make

3
Capacity :
S/N:

4 Pendrive Make :
Capacity
S/N:
5 CD Make :
Capacity :

6 DVD Make :
Capacity:

required/questionnaires:
V. Nature of examination
1).
2)....
Signature of the Investigating Officer
and Contact No
Specimen Seal Name & Designation
Forwarding Authority
Signature of the and Seal
Designation, Contact No
Name,
 496 FORENSIC EVIDENCE

CERTIFICATE OF AUTHORITY
Certified that the Director, State Forensic Science Laboratory,
has the authority to examine the forwarded electronic exhibits of the Caco
no. Date... ..P.S...
........u/S.. ..,and if desired to install or uninstall
programs/software or perform rooting or break the software enabled security lock
or delete or alter data for the purpose of
examination. The Director/Examiner will
not be liable for any loss of data and
damage of storage media etc. during the
exhibits analysis.

Date: Signature, Seal and Designation

Place: of the Forwarding Authority
 Annexes (Sample Specimen Form) 497

CHECK LIST
Brief history of the case along with case
reference
1. Yes/No
Duly packed, labelled and sealed exhibits
2. Yes/No
Specimen seal in wax
3.
Yes/No
Attested copy of FIR/Seizure list
Yes/No
4.

Whether seizure list conta ins signature of

witness and custodian ? Yes/No
5.

Whether exhibits make, model, S/N number

mentioned in the forwarding note? Yes/No
6.

Whether fresh new hard disc(s) is / are given Yes/No

7. along with exhibit(s)?

Whether forwarding letter bears seal and Yes/No

8. signature of the forwarding authority?

Whether forwarding letter bears Yes/No

9. telephone/fax no of the forwarding authority
and the investigating officer?
Whether special messenger has been
informed to be present in laboratory in Yes/No
10.
uniform with identity card and
command/authorization letter?

Signature, Seal and Designation

Date:
of the Forwarding Authority
Place: