‘It is high time for the State Police to bring out a good practice guide for digital evidence, if they intend to tackle cyber crime head on.’
The Kerala High Court has called upon the State Police to bring out a good practice guide for digital evidence to tackle cyber crimes, and to train police officers to tackle the criminal misuse of current and emerging technologies.
While considering a bail plea in a cybercrime case, Justice Raja Vijayaraghavan V. criticized an investigating officer who returned the mobile phone to the son of the de facto complainant after transferring the data to a compact disc.
The prosecution case was that the accused raped a lady, shot the act on a mobile phone and later forwarded the recording to her son. During the arguments, the prosecutor submitted that the investigating officer had taken screenshots of certain pictures and transferred them to a compact disc, and that the phone was then handed back to the son of the de facto complainant as it was required for his everyday use.
Taking serious note of this submission, the court said that the phone ought to have been seized and the same should have been sent to a digital evidence specialist to retrieve the data in a scientific manner. The judge said: “I have no doubt in my mind that the manner in which the investigating officer has handled the mobile phone of the son of the de facto complainant which was a valuable piece of evidence has to be deprecated in the strongest possible terms. All that he had done was to transfer the data to a compact disc after taking a screenshot of some of the pictures. He has not even retrieved the videos which were allegedly recorded by the applicant and which were forwarded to the recipient. The investigating officer ought to have borne in mind that it was essential to display objectivity in a court of law when the case ultimately comes up for trial. The investigating officer was bound to demonstrate as to how the evidence was retrieved showing each process through which he had accomplished the said objective. In the case of digital evidence stored in a computer, mobile phone, USB drive or digital camera, he should have ensured that there is a clear link between the hardware and the digital evidence copied from that hardware. He should have maintained a record to show the chain of custody which would address issues such as the person who collected the evidence, the nature and mode as to how the evidence was collected, the name of the person who took possession of the evidence, the manner in which the evidence was stored, the protection offered to the evidence whilst in storage and the names of persons who removed the evidence from storage including the reasons.”
The Court further observed: “There is no reason why the investigating officer had failed to seize the mobile phone of the son of the victim which was the most important piece of evidence in the instant case. The hardware itself ought to have been seized and the same should have been sent to a digital evidence specialist to retrieve the data in a scientific manner. Only then, the range of digital evidence that needs to be obtained including audit trails, data logs, biometric data, the metadata from applications, the file system, intrusion detection reports and the content of databases and files could be properly retrieved. Given the nature of evidence to be copied, maintaining the evidential continuity and integrity of the evidence that is copied is of paramount importance. Such evidence will be subjected to cross-examination in relation to its integrity. In other words, the process of copying and handling such evidence should be carried out to the highest possible standards.”
The Court then explained what ought to have been done by the investigating officer in a case in which a mobile phone is used for the commission of the crime. “The first and foremost thing the officer should have done was to secure the phone to prevent the destruction/manipulation of data. He should have first recorded the status of the device after taking a photograph and recorded any on-screen information. If the device was switched on, it should have been switched off and the batteries should have been removed. Turning off the phone would preserve the various information, metadata and call logs and it would also prevent any attempt to wipe off the contents of the phone remotely. The officer also was bound to seize all cables, chargers, packaging, manuals etc. if possible to assist the enquiry and minimise the delays in any examination by the digital evidence specialist. The password/PIN of the device, if any, also had to be obtained from the owner of the phone. The phone had to be packed and sealed in antistatic packaging such as plastic bag, envelope or cardboard box and the secured device along with the collected data had to be sent to the digital evidence specialist. Only the said specialist can obtain and copy the digital evidence and also provide an analysis of the evidence.”
The Court then added that cybercriminals are way ahead of law enforcement officers and that urgent measures are to be taken to train officers to successfully prosecute offenders. The Court said: “It is high time for the State Police to bring out a good practice guide for digital evidence, if they intend to tackle cyber crime head on. Officers, who are engaged in investigation of cyber crimes, are required to be trained in best practices to tackle the criminal misuse of current and emerging technologies.”