Unlike crime in the physical world, a cyber crime can be committed without the criminal ever visiting the victim's country. In another situation, the criminal and the victim may both be within the jurisdiction of the same court, yet the digital evidence of the crime may be spread across the globe. In a third situation, criminals can gang up virtually from across the world, commit a cyber crime and disperse, without ever knowing each other in the physical world. The investigator's task is therefore far more challenging: not only to identify and gather digital evidence from computers, mobile devices, servers, routers and gateways, but also to do so in a way that convinces the court that the evidence has not been tampered with and was collected correctly according to established scientific procedures.
The techniques and acceptable procedures for handling evidence differ from country to country, and such differences can diminish or destroy the evidentiary value of electronic evidence. There have been several cases in which courts have refused to accept evidence that was not collected according to Indian procedures. To add to the complexity, digital evidence is fragile and volatile and can be tampered with easily, sometimes even unintentionally. Special expertise is therefore required to collect electronic evidence according to a procedure that meets the requirements of all the courts of the world.
Locard's exchange principle of forensics holds that the perpetrator of a crime brings something into the crime scene and leaves with something from it. This evidence is without prejudice, and the fact that it is not detected does not mean it does not exist. The principle applies equally to cyber crime investigation. Computers and network devices generate a large amount of logging, which can leave an almost irrefutable trail of digital evidence from the scene of the crime to the criminal. The challenge lies in identifying, collecting and preserving the evidence and, later, in passing the test of the courts during the trial. This is all the more relevant when the evidence is collected in a country whose procedures for evidence handling differ from those of the country where the case will be tried.
Leaving the analysis of the evidence to the investigators, digital evidence may be identified, collected, acquired, preserved and transported by a person who is not from a Law Enforcement Agency (LEA). This person is called the ‘Digital Evidence First Responder’ (DEFR). It is therefore necessary that the DEFR, whether from an LEA or not, has expertise in digital evidence and the associated procedures.
To manage these challenges, especially the handling of evidence in multi-jurisdictional situations, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), after years of effort, have published ISO/IEC 27037, Guidelines for identification, collection, acquisition and preservation of digital evidence. The document provides, after due deliberation with all member countries, including India, a standardised approach which, if followed by the DEFR, can assure the respective courts of the reliability and credibility of the digital evidence. The standard gives guidance on how to identify, collect, acquire and preserve digital evidence from computers, mobile devices, navigation systems, and digital still and video cameras (including CCTV).
ISO/IEC 27037 is technology- and jurisdiction-neutral and does not recommend any specific product. Digital evidence handled in accordance with ISO/IEC 27037 gives any court a degree of assurance that, irrespective of who collected the evidence and in which country, it has retained its evidentiary value. The standard does not supersede national laws but adds to the procedural aspects of handling digital evidence. This also means that an accused can show the court in his defence that the investigators did not follow the procedures given in ISO/IEC 27037 and that the electronic evidence has therefore lost its evidentiary value, because the standard is based on the least common denominator of electronic evidence handling and anything short of it can affect the weight given to electronic evidence. Interestingly, there is also a British Standard, BS 10008, which deals with the evidential weight and legal admissibility of electronic information.
In India, Section 65B of the Evidence Act lays down the procedure for admissibility of electronic evidence, while Section 85B of the Evidence Act prohibits courts from presuming electronic evidence to be genuine unless it is signed with a ‘secure’ digital signature. This means that the presenter of electronic evidence has to prove that the digital evidence is genuine and has not been tampered with. It is here that ISO/IEC 27037 can be a very powerful tool in the hands of investigators to prove the truthfulness of the evidence, even when it is collected from outside the jurisdiction of the court.
As an internationally accepted standard, ISO/IEC 27037 is an important instrument for providing a reliable, standardised approach to handling digital evidence, and it will have an impact on the admissibility and reliability of evidence in any court proceeding. It is therefore necessary that all investigating officers familiarise themselves with the bare minimum requirements that must be met when handling digital evidence for it to be acceptable in any court of the world. This can be critical, especially in matters related to terrorism, money laundering, drug trafficking and other trans-national crimes.
(The author is Head, IT Security, Essel Group)