I.T Unit - IV

The document discusses the evolution of electronic and digital evidence laws in India, particularly focusing on amendments to the Indian Evidence Act and the IT Act to accommodate the growing importance of digital records in legal proceedings. It outlines the criteria for admissibility of electronic evidence, including the necessity of compliance with Section 65-B, and highlights relevant case law that illustrates the application of these laws in court. The text emphasizes the recognition of digital evidence by judges and the procedural requirements for presenting such evidence in legal contexts.

Uploaded by wangsabob
Electronic Evidence / Digital Evidence & Cyber Law in India

INTRO

The proliferation of computers and the influence of information technology on society as a whole, coupled with the ability to store and amass information in digital form, have all necessitated amendments in Indian law to incorporate the provisions on the appreciation of digital evidence. The Information Technology Act, 2000 and its amendment are based on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce. The Information Technology Act 2000 was amended to allow for the admissibility of digital evidence.

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence it is vital that the determination of its relevance, veracity and authenticity be ascertained by the court and to establish if the fact is hearsay or a copy is preferred to the original. Digital evidence is "information of probative value that is stored or transmitted in binary form". Evidence is not only limited to that found on computers but may also extend to include evidence on digital devices such as telecommunication or electronic multimedia devices. E-evidence can be found in digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. Digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive and more readily available.

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. Computer forensics is also known as digital forensics. The goal of computer forensics is to explain the
current state of a digital artifact. The term digital artifact can include: a computer system, a storage medium (hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.

The definition of 'evidence' has been amended to include electronic records. The definition of 'documentary evidence' has been amended to include all documents, including electronic records produced for inspection by the court. Section 3 of the Evidence Act, 1872 defines evidence as under:

"Evidence" - Evidence means and includes:
(1) all statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; such statements are called oral evidence;
(2) all documents including electronic records produced for the inspection of the court. Such documents are called documentary evidence.

The term 'electronic records' has been given the same meaning as that assigned to it under the IT Act. The IT Act provides for "data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer-generated microfiche". The definition of 'admission' (Section 17 of the Evidence Act) has been changed to include a statement in oral, documentary or electronic form which suggests an inference to any fact of relevance.
New Section 22-A has been inserted into the Evidence Act to provide for the relevancy of oral evidence regarding the contents of electronic records. It provides that oral admissions regarding the contents of electronic records are not relevant unless the genuineness of the electronic records produced is in question. The definition of 'evidence' has been amended to include electronic records, and the definition of 'documentary evidence' has been amended to include all documents, including electronic records, produced for inspection by the court. The contents of electronic records may be proved in accordance with the provisions of Section 65-B.

Section 65-B provides that notwithstanding anything contained in the Evidence Act, any information contained in an electronic record is deemed to be a document and is admissible in evidence without further proof of the original's production, provided the conditions set out in Section 65-B are satisfied. The conditions specified in Section 65-B(2) are:

Firstly, the computer output containing the information should have been produced by the computer during the period over which the computer was used regularly to store or process information for the purpose of any activities regularly carried on over that period by the person having lawful control over the use of the computer.

The second requirement is that it must be shown that during the said period the information of the kind contained in the electronic record, or of the kind from which the information contained is derived, was 'regularly fed into the computer in the ordinary course of the said activity'.

A third requirement is that during the material part of the said period, the computer was operating properly and that even if it was not operating properly for some time, that break did not affect either the record or the accuracy of its contents.
The fourth requirement is that the information contained in the record should be a reproduction or derived from the information fed into the computer in the ordinary course of the said activity.

Under Section 65-B(4) the certificate which identifies the electronic record containing the statement and describes the manner in which it was produced, giving the particulars of the device involved in the production of that record, and deals with the conditions mentioned in Section 65-B(2), and is signed by a person occupying a responsible official position in relation to the operation of the relevant device, 'shall be evidence of any matter stated in the certificate'.

Section 65-B(1) states that if any information contained in an electronic record produced from a computer (known as computer output) has been copied on to an optical or magnetic media, then such electronic record that has been copied 'shall be deemed to be also a document' subject to conditions set out in Section 65-B(2) being satisfied. Both in relation to the information as well as the computer in question such document 'shall be admissible in any proceedings without further proof or production of the original as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible'.

ELECTRONIC EVIDENCE (CASE LAWS)

Amitabh Bagchi Vs. Ena Bagchi (AIR 2005 Cal 11)
[Sections 65-A and 65-B of Evidence Act, 1872 were analyzed.] The court held that the physical presence of a person in Court may not be required for the purpose of adducing evidence and the same can be done through a medium like video conferencing. Sections 65-A and 65-B provide provisions for evidences relating to electronic records and admissibility of electronic records, and that definition of electronic records includes video conferencing.
State of Maharashtra v. Dr Praful B Desai (AIR 2003 SC 2053)
The question involved whether a witness [...] conferencing and concluded that there is no reason why the examination of a witness by video conferencing should not be an essential part of electronic evidence.

BODALA MURALI KRISHNA VS. SMT. BODALA PRATHIMA (2007 (2) ALD 72)
The court held that, "...the amendments carried to the Evidence Act by introduction of Sections 65-A and 65-B are in relation to the electronic record. Sections 67-A and 73-A were introduced as regards proof and verification of digital signatures. As regards presumption to be drawn about such records, Sections 85-A, 85-B, 85-C, 88-A and 90-A were added. These provisions are referred only to demonstrate that the emphasis, at present, is to recognize the electronic records and digital signatures, as admissible pieces of evidence."

DHARAMBIR Vs. CENTRAL BUREAU OF INVESTIGATION (148 (2008) DLT 289)
The Court arrived at the conclusion that when Section 65-B talks of an electronic record produced by a computer (referred to as the computer output) it would also include a hard disc in which information was stored or was earlier stored or continues to be stored. It distinguished as there being two levels of an electronic record. One is the hard disc which, once used, itself becomes an electronic record in relation to the information regarding the changes the hard disc has been subject to and which information is retrievable from the hard disc by using a software program. The other level of electronic record is the active accessible information recorded in the hard disc in the form of a text file, or sound file or a video file etc.
Such information that is accessible can be converted or copied as such to another magnetic or electronic device like a CD, pen drive etc. Even a blank hard disc which contains no information but was once used for recording information can also be copied by producing a cloned hard disc or a mirror image.

STATE (NCT OF DELHI) Vs. NAVJOT SANDHU (AIR 2005 SC 3820)
There was an appeal against conviction following the attack on Parliament on December 13 2001. This case dealt with the proof and admissibility of mobile telephone call records. While considering the appeal against the accused for attacking Parliament, a submission was made on behalf of the accused that no reliance could be placed on the mobile telephone call records, because the prosecution had failed to produce the relevant certificate under Section 65-B(4) of the Evidence Act. The Supreme Court concluded that a cross-examination of the competent witness acquainted with the functioning of the computer during the relevant time and the manner in which the printouts of the call records were taken was sufficient to prove the call records.

JAGJIT SINGH Vs. STATE OF HARYANA ((2006) 11 SCC 1)
The Speaker of the Legislative Assembly of the State of Haryana disqualified a member for defection. [...] matter, the Supreme Court considered the digital evidence in the [...] from the Zee News television channel, the Aaj Tak [...] News of Punjab Today television channel. The [...] electronic evidence placed on record was admissible and [...]
[...] trend emerging in Indian courts: judges are beginning to recognize and appreciate the importance of digital evidence in legal proceedings.

TWENTIETH CENTURY FOX FILM CORPORATION Vs. NRI FILM PRODUCTION ASSOCIATES (P) LTD. (AIR 2003 KANT 148)
In this case certain conditions have been laid down for video-recording of evidence:

• Before a witness is examined in terms of the Audio-Video Link, the witness is to file an affidavit or an undertaking duly verified before a notary or a Judge that the person who is shown as the witness is the same person as who is going to depose on the screen. A copy is to be made available to the other side (Identification Affidavit). The person who examines the witness on the screen is also to file an affidavit/undertaking before examining the witness, with a copy to the other side with regard to identification. The witness has to be examined during working hours of Indian Courts. Oath is to be administered through the media. The witness should not plead any inconvenience on account of the time difference between India and USA.
• Before examination of the witness, a set of plaint, written statement and other documents must be sent to the witness so that the witness has acquaintance with the documents, and an acknowledgement is to be filed before the Court in this regard.
• Learned Judge is to record such remarks as is material regarding the demur of the witness while on the screen. Learned Judge must note the objections raised during recording of the witness and decide the same at the time of arguments.
• After recording the evidence, the same is to be sent to the witness and his signature is to be obtained in the presence of a Notary Public, and thereafter it forms part of the record of the suit proceedings.
• The visual is to be recorded and the record would be at both ends. The witness also is to be alone at the time of the visual conference and the notary is to certify to this effect.
• Learned Judge may also impose such other conditions as are necessary [...]

The judgment delivered in ANVAR P.V. VERSUS P.K. BASHEER AND OTHERS, in CIVIL APPEAL NO. 4226 OF 2012, decided on Sept. 18, 2014, holding that Computer Output is not admissible without compliance with Section 65B of the Evidence Act, overrules the judgment laid down in State (NCT of Delhi) v. Navjot Sandhu alias Afzal Guru [(2005) 11 SCC 600] by the two judge Bench of the Supreme Court. The court specifically observed that the Judgment of Navjot Sandhu supra, to the extent, the statement of the law on admissibility of electronic evidence pertaining to electronic record of this court, does not lay down correct position and is required to be overruled.

This judgment has put to rest the controversies arising from the various conflicting judgments and thereby provided a guideline regarding the practices being followed in the various High Courts and the Trial Court as to the admissibility of the Electronic Evidences. The legal interpretation by the court of the following Sections 22A, 45A, 59, 65A & 65B of the Evidence Act has confirmed that the stored data in CD/DVD/Pen Drive is not admissible without a certificate u/s 65 B(4) of Evidence Act and further clarified that in absence of such a certificate, the oral evidence to prove existence of such electronic evidence and the expert view under section 45A Evidence Act cannot be availed to prove authenticity thereof.

In the Judgment, the Hon'ble Supreme Court has held that Section 65B of the Evidence Act being a 'non obstante clause' would override the general law on secondary evidence under Section 63 and 65 of the Evidence Act.
The section 63 and section 65 of the Evidence Act have no application to the secondary evidence of the electronic evidence and same shall be wholly governed by the Section 65A and 65B of the Evidence Act. The only alternative to prove the electronic record/evidence is by producing the original electronic media as Primary Evidence to the court or its copy by way of secondary evidence u/s 65A/65B of Evidence Act. Thus, in the case of CD, VCD, chip, etc., the same shall be accompanied by the certificate in terms of Section 65B obtained at the time of taking the document, without which, the secondary evidence pertaining to that electronic record, is inadmissible.

In the present case, the court observed that: [...] appellant admittedly has not produced any certificate in terms of Section [...] of the CDs, Exhibits-P4, P8, P9, P10, P12, P13, P15, P20 and [...] the same cannot be admitted in evidence. Thus, the whole case [...] practice using songs, announcements and speeches [...]

This Judgment will have severe implications in all the cases where the prosecution relies heavily on the electronic data, specially those cases where the audio-video recordings are produced in the form of CD/DVD before the court. The anticorruption cases are generally based on a lot of electronic / digital evidence and the CD/DVD forwarded to the courts are without a certificate and shall therefore not be admissible as evidence u/s 65B Evidence Act, which makes it mandatory to produce a certificate u/s 65 B(4). The failure to provide the certificate u/s 65 B(4)
further occludes the judicial process as the expert view in that matter cannot be availed of till the preceding condition is fulfilled. It has been specified in the judgment that Genuineness, Veracity or Reliability of the evidence is looked into by the court subsequently only after the relevance and admissibility is fulfilled. The requirement to ensure the source and authenticity, pertaining to electronic records, is because it is more vulnerable to tampering, alteration, transposition, excision, etc. Without such safeguards, the whole trial based on proof of electronic records can lead to mockery of justice.

The original recording in Digital Voice Recorders/mobile phones need to be preserved as they may get destroyed; in such a case the issuance of certificate under section 65B(4) of the Evidence Act cannot be given. Therefore such CD/DVD is inadmissible and cannot be exhibited as evidence, the oral testimony or expert opinion is also barred and the recording/data in the CD/DVDs do not serve any purpose for the conviction.

CONCLUSION:
The progression of the Indian evidence law is apparent as it has withstood the pressures and challenges of technology and the cyber world. The appropriate amendments in Evidence Law, incorporated [...], show pro-activism. In my opinion the law enforcement agencies and investigating officers have to update themselves about the process prescribed by the court regarding the admissibility of electronic/digital Evidences so that impediments in trial procedures can be successfully overcome. Proper training of law enforcement agencies in handling cyber related evidence and correct application of procedure and sections of Evidence Law while presenting such evidence in court is the primary need of recent times. Common man in the role of a complainant should be now aware that while submitting evidence to police or courts, he should submit it with a certificate under section 65B(4) of The Indian Evidence Act so the court takes cognizance and reads it as a primary evidence.
Before accepting digital evidence a court will determine if it is relevant, whether it is authentic, if it is hearsay and [...] original is required.[1] The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files.[2]

[...] Digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule [...]. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence. Digital evidence is often attacked for its authenticity due to the ease with which it can be modified, although courts are beginning to reject this argument without proof of tampering.[4]

Admissibility
[...] required to [...] devices. In a digital investigation [...] can present problems where, for example, evidence of other crimes are [...] while investigating another. During a 1999 investigation [...]
Authentication
As with any evidence, the proponent of digital evidence must lay the proper foundation. Courts largely concerned themselves with the reliability of such digital evidence.[4] As such, early court decisions required that authentication called "for a more comprehensive foundation." US v. Scholle, 553 F.2d 1109 (8th Cir. 1976). As courts became more familiar with digital documents, they backed away from the higher standard and have since held that "computer data compilations... should be treated as any other record." US v. Vela, 673 F.2d 86, 90 (5th Cir. 1982).

A common attack on digital evidence is that digital media can be easily altered. However, in 2002 a US court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness" (US v. Bonallo, 858 F. 2d 1427 - 1988 - Court of Appeals, 9th).[1][6]

Nevertheless, the "more comprehensive" foundation required by Scholle remains good practice. The [...] number of ways to establish the comprehensive foundation. It suggests that the proponent demonstrate "the reliability of the computer equipment", "the manner in which the basic data was initially entered", "the measures taken to ensure the accuracy of the data as entered", "the method of storing the data and the precautions taken to prevent its loss", "the reliability of the computer programs used to process the data", and "the measures taken to verify the accuracy of the program".[7]

In its turn it gave rise to a breed of commercial software technology solutions designed to preserve digital evidence in its original form and to authenticate it for admissibility in disputes and in court.

UK ACPO guidelines
In the United Kingdom, examiners usually follow guidelines issued by the Association of Chief Police Officers (ACPO) for the authentication and integrity of evidence.[8][9] They were updated to Version 5 in October 2011 when computer based evidence was replaced with digital evidence, reflecting the development of investigating information security incidents in a wider context.[9] The guidelines consist of four principles:

Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

These guidelines are widely accepted in courts of England and Scotland, but they do not constitute a legal requirement and their use is voluntary. It is arguable that whilst voluntary, non adherence is almost certain to lead to the exclusion of evidence that does not comply, subject to the provisions of s 78 Police and Criminal Evidence Act 1984 (Power to exclude evidence obtained unfairly).

ADAM Principles
Building on the ACPO Guidelines with a more generic application outside of law enforcement, a doctoral thesis proposed the following overriding principles to be followed by digital forensic practitioners:

1. The activities of the digital forensic practitioner should not alter the original data. If the requirements of the work mean that this is not possible then the effect of the practitioner's actions on the original data should be clearly identified and the process that caused any changes justified.
2. A complete record of all activities associated with the acquisition and handling of the original data and any copies of the original data must be maintained. This includes compliance with the appropriate rules of evidence, such as maintaining a chain of custody record, and verification processes such as hashing.
3. The digital forensic practitioner must not undertake any activities which are beyond their ability or knowledge.
4. The digital forensic practitioner must take into consideration all aspects of personal and equipment safety whilst undertaking their work.
5. At all times the legal rights of anyone affected by your actions should be considered.
6. The practitioner must be aware of all organizational policies and procedures relating to their activities.
7. Communication must be maintained as appropriate with the client, legal practitioners, supervisors and other team members.

[...] format readable by humans, requiring [...] documents as evidence (i.e. printing out [...]). [...] that this change of format may mean [...] qualify under the "best evidence rule". [...] Federal Rules of Evidence rule 1001(3) states "if data are stored in a computer..., any printout or other output readable by sight, shown to reflect the data accurately, is an 'original.'"[10]

Commonly courts do not bar printouts under the best evidence rule. In Aguimatang v. California State Lottery, the court gave near per se treatment to the admissibility of digital evidence stating "the computer printout does not violate the best evidence rule, because a computer printout is considered an 'original.'" 234 Cal. App. 3d 769, 798.

Computer Forensics

Computer forensics (also known as computer forensic science[1]) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media.
The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.

Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.

Overview
In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as [...]). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then computer crime and computer related crime has grown, and has jumped 67% between 2002 and 2003.[2] Today it is used to investigate a wide variety of crime, including child pornography, [...] stalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, Electronic discovery).

Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g. hard disk or CD-ROM), or an electronic document (e.g. an email message or JPEG image).[3] The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.
In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data".[4] They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.[5]

Use as evidence
In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible.[6] Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts.

Computer forensics has been used as evidence [...] since the mid-1980s; some notable examples include:[7]

• BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
• Joseph E. Duncan III: A spreadsheet recovered from Duncan's computer contained evidence that showed him planning his crimes. Prosecutors used this to show premeditation and secure the [...]
• Sharon Lopatka: Hundreds of emails on Lopatka's computer lead investigators to her killer, Robert Glass.[7]
• Corcoran Group: This case confirmed parties' duties to preserve digital evidence when litigation has commenced or is reasonably anticipated.
Hard drives were analyzed by a computer forensics expert who could not find relevant emails the Defendants should have had. Though the expert found no evidence of deletion on the hard drives, evidence came out that the defendants were found to have intentionally destroyed emails, and misled and failed to disclose material facts to the plaintiffs and the court.
• Dr. Conrad Murray: Dr. Conrad Murray, the doctor of the deceased Michael Jackson, was convicted partially by digital evidence on his computer. This evidence included medical documentation showing lethal amounts of propofol.

[...] technique that correlates information found on [...]. The process, still being researched, can be used [...] social networks [...]

Live analysis
[...] and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software have their own tools for recovering or carving out deleted data.[11] Most operating systems and file systems do not always erase physical [...] investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

[...] properties of the computer system [...] investigate [...] digital artifacts. Its chief use is to investigate data theft.

One of the techniques used to hide data is via steganography, the [...] inside of a picture or digital image. An [...] to hide pornographic images of children or other [...] criminal does not want to have discovered. [...] by looking at the [...] image (if available). While the image appears exactly the same, the hash changes as the [...]
While the image appears exactly the same, the hash changes as the …

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost.[12] One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, WinDD, WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.

RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect exploited by the cold boot attack. The length of time that data is recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.[13]

Some of the tools needed to extract volatile data, however, require that a computer be in a forensic lab, both to maintain a legitimate chain of evidence, and to facilitate work on the machine. If necessary, law enforcement applies techniques to move a live, running desktop computer. These include a mouse jiggler, which moves the mouse rapidly in small movements and prevents the computer from going to sleep accidentally. Usually, an uninterruptible power supply (UPS) provides power during transit.

However, one of the easiest ways to capture data is by actually saving the RAM data to disk. Various file systems that have journaling features such as NTFS and FS keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.
[14]

Analysis tools

A number of open source and commercial tools exist for computer forensics investigation. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.[7]

Certifications

There are several computer forensics certifications available, such as the … Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics Examiner.

The top vendor-independent certification (especially within the EU) is considered to be the CCFP - Certified Cyber Forensics Professional.[15]

Others worth mentioning for the USA or APAC are:

• IACIS (the International Association of Computer Investigative Specialists) offers the Certified Computer Forensic Examiner (CFCE) program.
• ISFCE (the International Society of Forensic Computer Examiners) offers the Certified Computer Examiner (CCE) program.
• Asian School of Cyber Laws offers international level certifications in Digital Evidence Analysis and in Digital Forensic Investigation. These courses are available in online and classroom mode.

Many commercial forensic software companies now also offer proprietary certifications on their products. For example, Guidance Software offers the EnCE certification on its tool EnCase, AccessData offers the ACE certification on its tool FTK, PassMark Software offers the OCE certification on its tool OSForensics, and X-Ways Software Technology offers the X-PERT certification for its software, X-Ways Forensics.
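The file carving described under "Deleted files" and the hash comparison described for steganography can be combined in one short sketch. This is an added example, not part of the original document. The function names, the JPEG start and end markers used as the "known file headers", and the constructed sample image are all assumptions, and only contiguous (unfragmented) files are handled.

```python
import hashlib

JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first segment byte
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Carve contiguous header..footer spans out of a raw disk image.

    Returns a list of (offset, data). Fragmented files are out of scope.
    """
    carved, pos = [], 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1 or end + len(JPEG_FOOTER) - start > max_size:
            pos = start + 1          # header without a usable footer
            continue
        end += len(JPEG_FOOTER)
        carved.append((start, image[start:end]))
        pos = end
    return carved

def compare_to_known(carved, known_hashes):
    """Hash each carved file and look it up in {sha256_hex: name}."""
    report = []
    for offset, data in carved:
        digest = hashlib.sha256(data).hexdigest()
        report.append((offset, digest, known_hashes.get(digest, "no match")))
    return report

def build_sample_image():
    """Constructed sample: JPEG-like blobs between runs of zero bytes."""
    original = JPEG_HEADER + b"\xe0" + b"PIXELDATA" * 4 + JPEG_FOOTER
    # Same blob with one byte changed, standing in for altered image data.
    altered = original[:10] + b"\x00" + original[11:]
    image = (b"\x00" * 512 + original + b"\x00" * 100 + altered
             + b"\x00" * 50 + JPEG_HEADER + b"trunc")  # last one has no footer
    return original, altered, image

if __name__ == "__main__":
    original, altered, image = build_sample_image()
    known = {hashlib.sha256(original).hexdigest(): "original.jpg"}
    for offset, digest, verdict in compare_to_known(carve_jpegs(image), known):
        print(f"offset {offset}: sha256 {digest[:16]}... -> {verdict}")
```

The two carved blobs are the same length and differ in a single byte, yet only the first matches the known hash. The trailing header with no footer is skipped rather than carved.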
