HTC ITMR – Unit III

V. Rajendran
Advocate and Cyber Law Consultant
+91-44-22473849; +91-9444073849
www.venkrajen.in
Email: [email protected], [email protected]


Investigation

• Formal or systematic examination or research.
• A formal enquiry or a systematic study into an incident
• Examination, enquiry, inquiry, study, inspect, explore, appraise etc. are all related functions
• A searching inquiry for ascertaining facts
• Malpractices or frauds or crimes that have already occurred, for ascertaining complete truths
• Often a purposeful, systematic, methodical and procedural analysis with a definite objective

Digital data as evidence

• Features of digital evidence
• Volatility of digital data
• Time-dependent
• Criticality on the basis of: Confidentiality, importance
• Criticality on the basis of uniqueness
• How to preserve the data
• How to retrieve and produce
• How to accept the data as evidence
• Irrefutability?
• Admissibility – Legal and technological

Investigation through Cyber Forensics

• Use of digital evidence in disputes
• Civil disputes between two individuals
• Common mechanism to store e-records
• Commonly accepted digital library
• Private forensics initiatives
• Private digital evidence and experts’ views
• Private forensics warehouses

Digital Evidence

• “Digital evidence is any information of probative value that is either stored or transmitted in a binary form”

• Digital evidence includes computer evidence, digital audio, digital video, cell phones, fax machines, etc. All digital, but with different outputs.


Data Analysis

• Data Warehousing and Data Mining Tools
• Data relevant to the incident
• Manual and Software tools for analysis
• In-house vs outsourced software
• In-house vs outsourced tools to collect data
• Data Storage: Hard drives/disks, interfaces
• File Systems and Operating Systems
• Different types of drives: SATA etc

Cyber Crime: Scene and Evidence

• Where does a cyber offence take place? Hard-disk? Network? Software logs? Operating System Logs? Other peripherals and related devices?
• What is the scene of crime in a cyber offence? Bank premises, Customer’s residence, cyber café? A remote location? A foreign land? ISP’s premises?
• To mark the scene of cyber crime and preserve: what to mark, where and how?

Forensic Analysis

• Preparation: Organisation’s methodologies, data format, data condition, o/s environment
• Preparing a forensic duplicate
• Restoring the forensic duplicate (duplicate images…)
• Use of tools like:
  – Encase Computer Forensic Software
  – TUCOFS: Forensic Software collection mainly in Windows
  – The Sleuth Kit Utility (on Solaris and other platforms)
  – Network forensics
  – Imaging utilities like dd in Unix
  – Mail analysis tools
  – Security Wizardry Forensic tools
  – Freeware Forensics for Linux, Unix etc.

Features of software tools

Evidence and Forensic Tools should typically
– Have seamless sharing of evidentiary data
– Solve the resource drain of encrypted data
– Network capabilities included
– Have something like Virtual File System (VFS)
– Some search and related features
– Compressed file format support
– Traceability and retrievability
– Capability to open and read and never write
– Universal acceptability and ease of use

What is physical evidence?

• Physical evidence of an incident
  – is any physical object
  – that contains reliable information
  – that supports or refutes a hypothesis
  – about the incident

• Digital evidence of an incident
  – is any digital data
  – that contains reliable information
  – that supports or refutes a hypothesis
  – about the incident.

Physical evidence

• It is understood that an object has information about the incident because it was a cause or effect in an event related to the incident.

• Note that because digital data has a physical form, physical evidence can contain digital evidence.

• Using this definition, a hard disk is physical evidence and the sectors and files that contain information about the incident are digital evidence.

Primary evidence

• Basis on which the case is filed
• Alters the proceedings in the case
• Primary evidence is evidence that is corroborated by other pieces of primary evidence and, in turn, corroborates additional primary evidence
• Also makes up the evidence chain in a digital investigation.
• Depends upon the circumstances of the case
• Facts of the case or basis of investigation: Reports, experts' opinion etc?
• Primary evidence may, in turn, be corroborated additionally by secondary evidence.

What is Real evidence?

• Real evidence is roughly defined as any physical, tangible object that played a relevant role in an event that is being adjudicated.

• Very concrete and currently on, as evidentiary value
• It is the knife that was pulled from the victim’s body.
• Weapon used in the committing of the crime – an electronic gadget
• It is the gun that fired the bullet. It is the physical copy of the contract that was signed by both parties.
• How does a digital evidence become real evidence?
• At the time of search, some mails going, SMS in the mobile, live uploading etc. taking place

Real evidence … contd

• Real evidence usually comprises the physicality of the event, and as such is often the most easily presented and understood element of a crime.

• Human beings understand tangible objects much more readily than abstract concepts, such as data comprised of ones and zeros.

• Unless the hard drive was used as a blunt object in an assault, and as a consequence is covered in identifiable traces of blood and hair follicles (DNA is real evidence too), the judge or jury may have a difficult time envisioning the process through which the evidence reached its current state and was preserved.

Direct evidence

• Direct evidence is the testimony offered by a direct witness of the act or acts in question.

• There are lots of ways that events can be observed, captured, and recorded in the real world, and our court systems try to accommodate most of these when there is relevant evidence in question.

• Examples of direct evidence can include:
  – “I saw him stab that guy.”
  – “I watched him crack passwords using John the Ripper and a password file he shouldn’t have.”
  – “I saw him with that USB device.”

hearsay evidence – digital ?

• Hearsay: The rule against hearsay says that any assertion of fact other than one made by a person while giving oral evidence in the court proceedings is inadmissible as evidence of any fact asserted.

• Thus, any out of court statements including photographs, video tapes, and digital information produced and stored by a computer are hearsay and cannot be used as evidence.

• Practical significance of the evidence – relevance to the facts of the case – how it would affect the course and proceedings

Circumstantial evidence?

• “Circumstantial evidence” is evidence that does not directly support a specific conclusion.

• Circumstantial evidence is important for cases involving network forensics because it is “the primary mechanism used to link electronic evidence and its creator.”

• Relevance and importance of circumstantial evidence in courts

• Practical uses of circumstantial evidences

Why digital evidence?

• Determine whether the system is compromised
• If impacted: How, when, why and by whom
• Determine the extent of damage or impact
• Ascertain the modalities how it was done
• Digital Evidence to strengthen the physical evidence, supplement and not substitute?
• Ascertain availability of evidence like whether available, if so, where, when and how and issues of storage

Indian Evidence Act

• 65 B is an independent section and is not a part of 65
• 65 A or B is not a subsection of 65; they are independent
• 65A and 65B – I E Act: in fact should have been 66 or later, and this capital A or B means a separate section
• 65 A and B state “also taken as evidence” without mentioning it as primary or secondary.
• In IT Act 66 A to F are all independent and separate sections
• Secondary evidence in a paper form as against digital form
• Photocopy is secondary and original documents primary
• Original certificate is primary and others are secondary

What are artifacts?

• Artifacts are remnants created during or as a consequence of the event to be investigated. Sometimes these are referred to as evidence.

• Artifacts are items of data or information left behind after a specific activity occurs on a system. Generally, any user activity leaves some type of artifact somewhere.

• Depending on the type of activity, the artifacts can be of enormous forensic importance.

• These artifacts might include: event logs, registry hives, Recycle Bin indexes, Internet History indexes, shortcuts, browser history etc

Volatility of artifacts

• Volatile information is information that is lost the moment a system is powered down or loses power.

• Significance of seeking the evidence without powering off

• Volatile information usually exists in physical memory, or RAM, and consists of information about processes, network connections, open files, clipboard contents, and the like.

• Knowledge of where the evidence lies and how to take it: What, where, when, by whom and How?

• Significance of RAM – contents, capacity, retrievability

Look for and Look at..?

• Intrusion Analysis – facts of the case
• Damage Assessment on specific request
• Suspect examination – specific circumstances: government etc
  – logic bomb, trojan horse
• Tool analysis – Specific purpose and usage of tools
  – effectiveness & efficiency of tool
• Log file analysis
• Evidence search – Be clear on what to look for and where?

WHAT IS CYBER FORENSICS?

• The process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable in any judicial or administrative hearing or otherwise as part of any legal requirement

• Application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

Evidence – where does it “lie”?

Digital Evidence: Visible and invisible

• Physical storage of non-physical evidence?
• Computer: Hard disk, External Storage: Floppy, Pen Drive, CD/DVD
• Mobile Phone: Devices, disks, memory card etc
• Memory card of digital camera
• Other devices like PDA etc

Difficulty in gathering evidences

• When to go for search and seizure of hard disks or computer?
• Can you switch on the computer, to see where the evidence is?
• Can you switch off the computers?
• Volatile data and RAM data, minimised windows, cookies etc

The most critical issue: Legal Admissibility, irrefutability?

IT Act - Records

• Recognition to electronic records is a big step
• Reliance on electronic records
• Acceptability of electronic signatures as an authentication mechanism
• Procedures for trying a cyber crime described
• Search and seizure powers and extra territorial powers etc
• Role of CERT-In (or ICERT) recognised

This is a computer generated print-out. Hence does not require signature… e-records?

Security in Unix o/s

• The Unix file concepts in different flavours of Unix: IBM, HP, SCO, DG etc
• Files and directories in Unix
• Commands in Unix: mv, ls, group, owner and user, netstat, usr, bin etc
• Significance of files like .cshrc, .login
• /dev files, network and admin files
• Tamperability of system files in Unix

O/s Internals

• Evaluating an O/s, effectiveness and efficiency, throughput, speed, search etc

• DOS internals: Shell, Checking Peripherals, File-systems, Interrupt processing, Booting DOS, Running DOS
• Sys files, com files, exe files, bat files
• Resident files, TSR files in DOS

Mobile O/s

• Android is a mobile o/s for cell phones and tablet computers, developed by the Open Handset Alliance led by Google and purchased by it from Android in 2005
• Google leads the consortium of 80 hardware, software and telecom companies.
• Nokia’s mass-market smartphones, on the Symbian platform, include reportedly the world's smallest touchscreen smartphone
• Windows O/s, now Phone 7 – very small market share only
• Forensic value in all these
• Data storage in mobile handsets – Retrieval mechanism – Deletion technology in mobile handsets
• Flash memories for smart-phones, tablets and solid-state drives (SSD) for PCs. ... flash memory cards for mobile phones, digital cameras and camcorders…


Embedded Device Forensics

• EPROM, EEPROM, Flash memory
• Data transfer protocols: how data gets written in USB and other devices vis a vis in a CD or DVD etc

• Data in an Audio and Video device and their retrievability

• Data storage mechanism in such small handheld sets

Network Forensics

• Network forensics as compared to hard-disk or an external device

• Routers, switches and their configurations
• Routing tables, Natting and its features
• Switches, its uses and significance
• Where to look for evidence in a network
• Network administrator and his role and duty
• Off-line and on-line functions in network

Issues in Digital Forensics

• Digital Evidence is highly fragile
• Tampering the bits and bytes in the computer and not the bits of paper to destroy or manipulate?
• All digital data are time dependent, volatile
• Log files – Interpret the log files, understand
• Understand all O/s logs, O/s files, protocols used
• Log files of systems
• Systems messages and understanding them – interpret and replace with application messages
• Application messages and
• Network Time Protocol (NTP) for time synchronization among data packets across network, different time zones - Analyse the NTP and synchronize

Features of Digital Evidence

Local

Usually, digital evidence is stored in data storage media which is visible, e.g. HDD of a computer, USB, floppy disk etc.

Computer Forensics can be done with specific tools, if they were seized at crime scene.

Features of Digital Evidence

REMOTE

Sometimes, digital evidence exists outside the scene of crime, like file server of a company, network server or other servers in the data centre or a secondary data centre or even a data warehousing centre etc, or in just a network in transit, at some user-level storage in a distant nation.

Types of Cyber Forensics

• Disk Forensics (Media Forensics)
  – Analysing the data in a storage medium
  – Use of specific tools – hidden files?
  – Analyse the o/s, logs etc
  – Computer Forgery, data manipulation, encrypted data?
• Network Forensics
  – When the network traffic is live and running
  – Chat messages – various facilities provided online
  – Sessions in network – protocol dependent
  – Hacking type of tools, email cheating and mails etc
• Software forensics – determine software ownership or software liability issues
  – virus, logic bombs, IPR issues
• Embedded forensics – Forensic analysis of pre-programmed chips
  – sky bus, washing machines, mobile phones

Some volatile artifacts

– System time
– Logged-on user(s)
– Open files
– Network information
– Network connections
– Process information
– Process-to-port mapping
– Process memory
– Network status
– Clipboard contents
– Service/driver information
– Command history
– Mapped drives
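One way to record several of the volatile artifacts listed above on a live Linux/Unix host before it is powered off, shown as an added example that is not part of the original slides. The artifact file names, the output directory and the choice of commands are assumptions; process memory and clipboard contents need dedicated tools and are not covered here.

```bash
#!/usr/bin/env bash
# Added example: capture volatile artifacts, one file per artifact, with a
# SHA-256 manifest so later tampering with any capture is detectable.
# Assumption: run from trusted media, writing to external storage and not
# to the disk that is itself evidence.

# collect_volatile OUTDIR
# Runs each command in the list below; a missing tool is recorded as a gap
# rather than silently skipped, so the record shows what was not captured.
collect_volatile() {
    cv_out=$1
    mkdir -p "$cv_out" || return 2
    : > "$cv_out/manifest.sha256"
    while IFS='|' read -r cv_name cv_cmd; do
        cv_tool=${cv_cmd%% *}
        {
            echo "# artifact: $cv_name"
            echo "# command:  $cv_cmd"
            echo "# taken:    $(date -u +%Y-%m-%dT%H:%M:%SZ)"
            if command -v "$cv_tool" >/dev/null 2>&1; then
                sh -c "$cv_cmd" </dev/null 2>&1
                echo "# exit status: $?"
            else
                echo "# UNAVAILABLE: $cv_tool not installed on this host"
            fi
        } > "$cv_out/$cv_name.txt"
        # hash immediately after capture, with a path relative to OUTDIR
        ( cd "$cv_out" && sha256sum "$cv_name.txt" ) >> "$cv_out/manifest.sha256"
    done <<'EOF'
system_time|date -u +%Y-%m-%dT%H:%M:%SZ
logged_on_users|who -a
network_connections|ss -tanup
process_information|ps -eo pid,ppid,user,lstart,args
open_files|lsof -n
network_information|ip addr show
mapped_drives|mount
EOF
}

# verify_collection OUTDIR
# Repeatable check that every capture still matches the manifest.
verify_collection() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}

# Stand-alone run: "case-0001" is a constructed case label.
cv_demo=$(mktemp -d)
collect_volatile "$cv_demo/case-0001" && verify_collection "$cv_demo/case-0001" &&
    echo "collected and verified: $cv_demo/case-0001"
```

The system time is taken first so that every later capture can be placed relative to it when logs from other machines and time zones are compared.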

Cyber Forensics

• Manual creation
• Systemic preservation
• Needs software and hardware to store
• Cannot be produced easily
• Understandable with some expertise
• Difficult to assess the location
• Complex system of preservation
• Preservation needs hardware and software
• Production needs hw and sw
• Irrefutability proved with difficulty

Physical Forensics

• Manual creation
• Known where it lies
• Manual preservation
• Needs storage (bags, containers)
• Produced easily
• Physically carried
• Easy to understand
• Experts from different fields
• Shown as exhibits in courts
• Irrefutability can be proved

LOCARDS EXCHANGE PRINCIPLE

Locard's principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and both are forensic evidences.

"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value."

Fragmentary or trace evidence - any type of material left at—or taken from—a crime scene, or the result of contact between two surfaces, such as shoes and the floor covering or soil, or fibers from where someone sat on an upholstered chair.

Fundamental forensic principles

Locard's exchange principle:

“anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind when they depart………...”

Application of this principle in digital world or cyberspace - Study ..

It is different from traditional and branches of forensic science

– NEVER WORK ON DIGITAL EVIDENCE
– DO NOT HAVE A LONG SPAN
– Act, be diligent, interpret and decide
– Conclusion, preserve and make it irrefutable

Steps in acquiring

[Diagram labels: Portable Server, Target Computer]

• Identify the Evidence
• Forensics reviewing
• Time Stamps – be cautious
• Logical backup
• Logical directory: files, data etc
• Handling deleted files
• Physical backup:
  – Important: disk imaging, cloning
  – Speed of imaging
  – Data integrity – hash values
  – Protection of data
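The physical backup step above (disk imaging, data integrity through hash values, protection of data), worked through with dd as an added example that is not part of the original slides. The "evidence drive" is a constructed 1 MiB file, and the function names, log format and examiner label are assumptions; on a real case the source would be a device attached through a write blocker.

```bash
#!/usr/bin/env bash
# Added example: forensic duplicate with dd, verified by hash values.

sha256_of() {                       # print only the hex digest
    sha256sum "$1" | awk '{print $1}'
}

# acquire SRC IMG LOG [EXAMINER]
# Images SRC to IMG bit for bit and writes an acquisition record to LOG.
# Returns 0 only when the source hash before imaging, the source hash after
# imaging and the image hash all agree.
acquire() {
    aq_src=$1; aq_img=$2; aq_log=$3; aq_who=${4:-unknown}
    [ -r "$aq_src" ] || return 2
    aq_before=$(sha256_of "$aq_src")
    # bs=512: whole sectors. noerror,sync: on a bad read keep going and pad
    # the block with zeros so every later offset stays where it belongs.
    dd if="$aq_src" of="$aq_img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    aq_after=$(sha256_of "$aq_src")  # shows imaging did not alter the source
    aq_image=$(sha256_of "$aq_img")
    chmod a-w "$aq_img"              # open and read, never write
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner=$aq_who"
        echo "source=$aq_src"
        echo "image=$aq_img"
        echo "bytes=$(wc -c < "$aq_img" | tr -d ' ')"
        echo "sha256_source_before=$aq_before"
        echo "sha256_source_after=$aq_after"
        echo "sha256_image=$aq_image"
    } > "$aq_log"
    [ "$aq_before" = "$aq_after" ] && [ "$aq_before" = "$aq_image" ]
}

# verify_image IMG LOG
# Repeatable third-party check: re-hash IMG and compare with the record.
verify_image() {
    vi_recorded=$(sed -n 's/^sha256_image=//p' "$2")
    [ -n "$vi_recorded" ] && [ "$(sha256_of "$1")" = "$vi_recorded" ]
}

# make_sample_drive PATH: constructed stand-in for a seized disk
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    # a remnant in otherwise empty space, as slack or deleted data would be
    printf 'invoice-draft.txt (constructed sample)' |
        dd of="$1" bs=512 seek=1000 conv=notrunc 2>/dev/null
}

demo() {
    dm_dir=$(mktemp -d)
    make_sample_drive "$dm_dir/seized.raw"
    acquire "$dm_dir/seized.raw" "$dm_dir/evidence.img" "$dm_dir/acquire.log" \
        "examiner-01" && echo "acquisition verified"
    verify_image "$dm_dir/evidence.img" "$dm_dir/acquire.log" &&
        echo "image matches record"
    # Analysis happens on a working copy; one changed byte is detectable.
    cp "$dm_dir/evidence.img" "$dm_dir/work.img"
    chmod u+w "$dm_dir/work.img"
    printf 'X' | dd of="$dm_dir/work.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$dm_dir/work.img" "$dm_dir/acquire.log" ||
        echo "altered working copy detected"
    rm -rf "$dm_dir"
}
demo
```

Because the image is byte-for-byte, the remnant written into the sample drive's empty space is carried into the image, which a logical (file-level) backup would not guarantee.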

Steps …. Contd

• Protect the system thoroughly during examination
• Discover and recover all files in the system
• Access the contents of protected files
• Analyse all the relevant data
• Take printouts wherever necessary
• Keep ready the legal compliance – like preparation for testimony in a court of law
• Acquire, Authenticate, Analyse and Document

Precautions while acquiring

• Static electricity

• Magnetic fields

• Electricity short circuit

• Moisture

• Size and nature of equipment

• Portability of the gadget

MORE DATA, PLACES, CUSTOMERS & COMPLEXITY

Places you might not think of …

LAB SYSTEMS (I) PVT LTD

Ideally, a forensic tool should be

• Able to image every bit of data
• Ensure retrievability with ease
• Non tamperability – preserve integrity
• Repeatable – any number of times viewing
• Verifiable by third party
• Irrefutable
• Provided with Key word search – options to search
• With History of viewing etc – ie logs
• Using minimum Memory, disk space and resources
• Able to copy deleted files, slack space

Popular tools: Encase, Safeback, Forensic Replicator, Cyber Check


Analysis involves steps like

– Extract, process, Interpret
– Produce binary junk which may not be readable
– Processing makes it readable
– Interpret: human or systemic and makes it easy to understand to serve the purpose
• Disparate O/s
• Deliberate file extensions, file attributes
• Steganography and related software
• Fonts etc incompatibility – regional language then font colour to hide data?

ANALYSIS (ONION MODEL)

[Figure: onion model with layers labelled Physical Media, File System, Operating System, Content Analysis]

Searching for Evidences

• BIOS Information – Date Setting, Boot sequence etc
• Number of partitions, clusters, hard-drive information
• OS and os log files
• Registry information
• Password protected files
• Slack space
• All logs (Applications, systems messages, customised messages, message numbers)
• Recycle bins
• Trash folders

Network crimes

• In a network, where is the crime committed?
• CISCO’s IOS and other O/s of network gadgets
• Evidence lying in a network device
• Access to network configurations
• Threats, vulnerabilities and risks in a network
• Network policy of organisation and Access Control
• Internet Policy, email Policy and other policies
• Network Administrator’s role in User management
  – Inactive user, user access, privilege rights etc

Problems in Digital Evidence Management

Technological Problems and issues

• Problems in Collection, Analysis
• O/s related problems, network-based issues
• Language or Software based problems
• Problems as a result of lack of knowledge
• Version and releases of operating systems (Windows variants)
• Flavours of the operating systems (Unix: HP-UX, AIX, Solaris, SCO)
• Knowledge of the system logs and files
• Knowledge about the system files ‘more than what the culprit knows’
• When the culprit is one up on the know-how?


Features of Digital Evidence

STATIC

– Data stored in a data storage media in the form of plain text, binary or hexadecimal formats
– May exist in deleted files, recycle bins, formatted disks, compressed format, readable by a specific software only, password protected or encrypted format
– Evidence remains in the same place and in the same format until removed or tampered or otherwise accessed

Features of Digital Evidence

DYNAMIC

– Data contents that are purely temporary
– Session generated or session determined
– As part of processing taking place
– Volatile Data is normally dynamic data only
– May be lost by the application or by a system overwrite
– May be automatically terminated – without trace?
– Network connection between two computers at a certain point of time during internet surfing

HENCE DATA MAY BE STORED, MOVING or VOLATILE

The Four pillars in cyber forensics examination

Scientific Methodology

Documentation

Non tamperability

Integrity

DAUBERT RULES
The Admissibility of Scientific Evidence

– Acceptability of Expert Opinion
– Acceptability – peer level
– Acceptable technology
– Potential rate of error in the method used
– Wider reach and acceptability of the method
– Acceptability by the scientific and other experts

Do’s and Don’ts in Digital Evidence

• Proper handling – preserving and submission
• No damage to the original whatsoever
• Original and copies here are different from the physical or other evidences
• Continuing chain of custody – proof and submit
• Compliance with all legal provisions
• Procedural laws and compliance
• Be thorough with the particular evidence: network, hard disk, local laws, other rules and procedures etc
• Above all, clear documentation is a must

Evidence Gathering - requirements

Forensics requests and evidence may be for:
• Intrusion Analysis
• Damage Analysis
• Suspect Assessment: Software, Trojan, malware, programming, network traffic etc
• Assessment of damage or likely impacts
• Analysis of various tools deployed
• Analysis of logs, trails, audits and messages
• Specific Searches


Techno-legal issues

• Techno-legal issues in Collection, Analysis and presentation
• Disk Analysis and use of tools
• Knowledge of the investigators: Investigation Agencies inside the corporate, Police, legal and accounting professionals, Judicial officers
• Preservation of documentary evidence
• e-Record Management Policies in Banks, NSPs, ISPs
• Legal and technological problems in e-record preservation
• Analysis of e-record preservation & reproduction (imaging?)
• Preservation of emails, voice instructions, oral, SMS, IVR ??
• EMERGING ISSUES: Cyber Will – Will for Information Assets stored in a website, emails

Digital Evidence - The Future

• Cyber Warfare in future
  – weapons in the arsenal, Just a mouse and a keyboard?
• Mobile may become the single convergence point
• No more viruses for the heck of it or to showcase knowledge – there are paid professionals for it
• Corporate espionage through data breaches, data theft
• Ease of customers’ use vis a vis security initiatives
  – Where to strike the balance?
• Easier access, better is the bank or tougher is the bank or safer is the bank – customers prefer or avoid or detest ??
• Voice as an evidence, Phishing and Vishing ?

FIR – its significance

• To make a complaint to the police to set the criminal law in motion.

• The first official record – police version? – of what happened/ reported

• Its secondary though equally important object is to obtain early information of an alleged criminal activity.

• The First Information Report regarding commission of a cognizable offence is referred to as FIR.

• It is recorded by the police in register prescribed for that purpose by the State Government.

• FIR is the basic record – responsibility of the police to logically see the final disposal of FIR – conclusion, conviction, closure

FIR – its significance … contd

• Correctness and completeness of FIR
• Need to check the FIR and add sections or facts to it
• Existing evidences not seen earlier, changes in the substance of the case, changes in the circumstances, changes in the role play
• Evidences of persons mentioned in the FIR and others
• Evidences and witness turning hostile
• Tracking of FIR – All CRB records based on the FIR only
• FIR number is the basis nation-wide
• Inter state tracking and follow up
• Inter-departmental or cross-functional crime and records
• Many FIRs on the same persons – related offences
• FIR is incident based and not person based

Cyber Crime in Court

• No separate cyber crime courts; no separate team at the judicial side

• Any case becomes a cyber crime based on the FIR and the circumstances of the case, evidences, incidents etc

• Hence, any case may become a cyber law case, right from a small causes petty offence up to the most heinous of cyber terrorism

• Procedures for trial, court proceedings etc are the same

• Covered by the IPC, Cr P C and the C P C and other Acts like Evidence Act, BBE and other local legislations and procedures enshrined therein

• Differences arise in the way evidences are produced and preserved and in the manner witness testify, are questioned, cross-examined etc

Experts and their role in courts

• Ramesh Chandra Agarwal vs. Regency Hospital Ltd – Supreme Court order dated 11 Sept 2009 in Civil Appeal 5991 of 2002 setting aside the order of National Consumer Disputes Redressal Commission - Expert Advice of doctors – medical negligence case – complete reports not produced by the Assistant Registrar to the National Commission – NCDC directed to call for the original medical records and then the expert doctor’s evidence and then decide. Importance and relevance of expert opinion in law-suits

• Medical negligence and expert doctor’s opinion – heavy damages and compensation of around Rs.6 crs awarded [Criminal Appeal Nos. 1191-1194 of 2005 with Civil Appeal No. 1727 of 2007, decided on 7.8.2009].

• No expert will act as Judge or Jury, but puts before the judge all the materials, reasons etc to enable the judge to arrive at conclusion

• Sec 45 IEA - Opinions of experts.—When the Court has to form an opinion upon a point of foreign law or of science or art, or as to identity of handwriting, or finger impressions, the opinions upon that point of persons specially skilled in such foreign law, science or art, or in questions as to identity of handwriting or finger impressions are relevant facts. Such persons are called experts.

Experts Opinion in IEA

• Evidence of tracking of dogs - Abdul Razak V. State of Maharashtra (AIR 1970 SC 283)

• Conflict between the medical evidence and ocular evidence, oral evidence of an eye witness has to get primacy as medical evidence is basically opinionative - difficult to convict the accused on the basis of such evidence alone - If the evidence of the prosecution witnesses is totally inconsistent with medical evidence…. it is sufficient to discredit the evidence as well as the entire case. [Mani Ram v. State of U.P. 1994 Supp (2) SCC 289,292; 1994 SCC (Cri) 1242]

• Sec 45 to 51: Conditions to seek an expert opinion, who is an expert, duty of expert, value of his opinion, more than one expert etc

• Experts opinions may differ – When two experts differ, direct Evidence always to get primacy and the expert evidence in support of the direct evidence and not the other

Thank you … Best wishes

V. Rajendran
Advocate and Cyber Law Consultant

URL: [email protected]