Introduction
Computer crime is also known as cybercrime. It refers to an illegal act committed by a computer user or a hacker. Cybercrime can harm an individual’s cyber security. It covers crimes such as scams, internet fraud, stalking, online harassment, identity theft, and many similar acts. With the advancement of technology, such crimes are also increasing. Thus, we can say that any illegal act that involves the usage of a computer and network is cybercrime. Various governments release standard operating procedures on how such cases should be dealt with and how the investigation should proceed.
Cybercrime can be defined as a crime in which a computer is the object of the crime or is used as a tool for the commission of a cyber offence. It can also be defined as a crime where a computer is the target, or a crime committed through the use of a computer. Cybercrime investigation closely resembles the investigation of regular crimes, except that cyber investigators use computers as a tool for investigation and data as sources of evidence.[1]
Who conducts Cybercrime Investigations?
Cybercrime Investigation Cell (CCIC)
This cell was established in 1999 and came into effect in 2000. It has jurisdiction all over India. The cell has the power to investigate criminal offences under the IT Act, 2000.
Cybercrime Research and Development Unit
The role of this cell is to track development and changes in the field of cybercrime and coordinate with the police to collect data.
Cyber Forensics Laboratory
This cell helps in conducting scientific analysis of the digital evidence found. It helps in analysing forensic data and digital evidence. Expert testimony and well-presented forensic evidence are very useful in a court of law. The information collected in cyber forensics is used as evidence in a court of law.
The Information Technology Act, 2000 states that a police officer not below the rank of deputy superintendent can investigate offences under the IT Act. Since certain sections of the Act deal with cybercrime, the police also have the power to register and file complaints related to cybercrime.
Crime Scene Investigation
Cybercrime scenes are different from traditional crime scenes. Electronic or digital evidence is extremely fragile: it can easily be altered or tampered with. Therefore, utmost care must be taken in the storage, examination, and preservation of such evidence. The steps to be followed at the place of occurrence:
- Proper identification and protection of the place of occurrence
- An “as and where is” written description of the place of occurrence
- Forensic Duplication of electronic evidence and maintaining proper chain of custody of the electronic evidence and devices
- Recording statements of witnesses
- Classification of evidence
- Proper packaging and preservation of electronic evidence and electronic devices.[2]
Standard operating procedures (SOPs) are important in an investigation because they guide the investigators through every step of the process. The methods prescribed in the SOPs have to be followed by each and every person involved in the investigation. The investigation usually runs from the filing of a complaint to the presentation of evidence in court.
Handling the Evidence
Identification
The identification stage deals with obtaining information about the cybercrime. In this phase, the investigators seek answers to questions such as: What happened at the crime scene? Who was involved? Where did it occur? When and how did the cybercrime occur? Traditional methods like interviewing the witnesses, victims, or suspects are used to gather information. The identification phase helps the police officer plan the rest of the process: which devices need to be collected, the operating systems involved, the scale of the crime, documentation of interviews, etc.
Collection
The cybercrime scene includes the digital devices that potentially hold digital evidence, and spans multiple digital devices, systems, and servers. The crime scene is secured when cybercrime is observed, reported, and/or suspected.[3] If the first responder is not an investigator, the investigator will then search the crime scene again and identify the evidence. Before the collection of evidence, the entire crime scene has to be documented. Documentation involves noting down all the information about the crime scene, including the evidence collected.
This documentation should include detailed information about the digital devices collected, including the operational state of the device – on, off, standby mode – and its physical characteristics, such as make, model, serial number, connections, and any markings or other damage. In addition to written notes, sketches, photographs, and/or video recordings of the crime scene and evidence are also needed to document the scene and evidence.[4]
When the evidence is collected, the investigators have to make sure that it is transported in the same condition. If a computer device is found turned OFF, it has to be left OFF and must not be turned ON by the investigators. If the device is found ON, a forensic expert should be called to collect all the data. Documenting the device or taking a picture of it proves helpful.
Preservation of Digital Evidence
Preservation is an important step of the investigation. The chain of custody, i.e. the documentation of everyone who handled the evidence and the people involved, has to be maintained throughout.
Analysis and Reporting
In the analysis phase, examiners connect all the dots and paint a complete picture for the requester. Often examiners can produce the most valuable analysis by looking at when things happened and producing a timeline that tells a coherent story. For each relevant item, examiners try to explain when it was created, accessed, modified, received, sent, viewed, deleted, and launched. Examiners document all their analyses, and other information relevant to the forensic request. This is a list of all the meaningful data that answers who, what, when, where, how, and other questions. The information on this list satisfies the forensic request.[5] Examination and interpretation of all the evidence collected are the crucial steps. The analysis of the data is done depending on the type of digital evidence. Once the analysis is done, a report is prepared by the examiner. This report contains all the information obtained, along with the examiner's interpretation and opinion based on the analysis.
Presentation before the Court
The examiner has to testify before the court. This requires the examiner to carefully analyse the facts and all the related information with respect to the case. They may have to depose or testify about the evidence in a court of law. Thus, they have to list and note down all the details of the complaint received, the manner of collection and analysis of the evidence, and the opinion reached. The Code of Criminal Procedure and the Information Technology Act contain provisions that allow the police to seize evidence and also present it before the court.
Forensic Duplication
Every storage medium holds some data. For forensic purposes, the data needs to be copied in such a manner that the original data on the device is not altered. The common techniques are as follows:
Logical Backup
It copies the directories and files of a logical volume.
Bitstream Imaging
Also known as cloning or imaging. It generates an exact, bit-for-bit copy of the original media.
Write Blocker
These are hardware or software tools that prevent a computer from writing to a storage medium. The suspected storage media is directly connected to the hardware write-blocker, and then the write-blocker is connected to the device taking the backup. Similarly, a software write blocker is loaded onto the suspect computer before the copying device is connected to it.[6]
This is an important step in computer crime investigation which is generally not seen in other investigations.
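One way to show that a bitstream copy left the original unaltered and to keep the chain of custody checkable, given here as an added example that is not taken from the cited SOPs. The SHA-256 comparison, the hash-chained log format and all names (`bitstream_image`, `custody_entry`, the handler labels) are assumptions, and a temporary file of constructed bytes stands in for the suspect media.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read size only; the image stays byte-identical

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def bitstream_image(source, image):
    """Copy every byte; source opened read-only, image must not already exist."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()  # hash of the stream as acquired

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def custody_entry(log, handler, action, evidence_hash):
    """Append a custody record chained to the previous record's hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "evidence_sha256": evidence_hash,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
            return False
        prev = e["entry_hash"]
    return True

def demo():
    with tempfile.TemporaryDirectory() as d:
        src, img = Path(d, "suspect_media.bin"), Path(d, "image.dd")
        src.write_bytes(b"constructed sample sectors\x00" * 4096)  # constructed input
        acquired, log = bitstream_image(src, img), []
        custody_entry(log, "IO-1", "imaged source media", acquired)
        custody_entry(log, "Examiner-1", "received image", sha256_file(img))
        return acquired == sha256_file(src) == sha256_file(img), log
```

Matching hashes before and after imaging show the source was not changed by the copy, and editing any earlier custody record makes `verify_log` return `False`.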
Conclusion
To conclude, we can say that computer crime investigation differs from a civil or criminal investigation. Digital evidence plays a key role in the investigation of cybercrime. The handling of digital evidence also requires great care and precaution. In cases of cybercrime, the data on the computer that was used or hacked into serves as evidence. The devices have to be handled in such a way that the original data is not tampered with. The forensic expert analyses the digital evidence collected by an investigating officer from a crime scene. With the advancement of technology, computer crimes have also been increasing at an unprecedented rate. This requires a more developed way of conducting cybercrime investigations. Effective cybercrime policies and standard operating procedures will lead to a better approach.
References:
[1] Dr. Shiv Raman and Ms. Nidhi Sharma, Investigation of Cyber offences and Cyber Police in India : An Analytical Study, 7 INTERNATIONAL JOURNAL OF LEGAL DEVELOPMENT AND ALLIED ISSUES 1, 1 (2021).
[2] Standard operating procedure for cyber crime investigation, JUDICIAL ACADEMY JHARKHAND, https://jajharkhand.in/wp/wp-content/uploads/2019/10/02_sop_english.pdf.
[3] Handling of Digital Evidence, UNITED NATIONS OFFICE ON DRUGS AND CRIME, https://www.unodc.org/e4j/en/cybercrime/module-6/key-issues/handling-of-digital-evidence.html.
[4] Id.
[5] Standard operating procedure for digital evidence related to crimes against women and children, KERALA POLICE, https://keralapolice.gov.in/storage/pages/custom/ckFiles/file/7GafuMCjLbFgjBNh8aXz8WhLv2Zqtfczvbi7Uv6m.pdf.
[6] Standard operating procedure for collection of digital evidences and cyber investigation techniques, https://indianrailways.gov.in/railwayboard/uploads/directorate/security/downloads/2019/SOP%20on%20Cyber%20Investigation%20Techniques.pdf.