KOCHI: Cops and cybercriminals are always at loggerheads in the state. Criminals sometimes outwit or outsmart cops in the cyber world. Now, the Kerala High Court has sprung into action and observed cybercriminals are way ahead of law enforcement officers and urgent measures have to be taken to train officers to successfully prosecute offenders.
“It is high time the State Police brought out a good practice guide for digital evidence if they intend to tackle cybercrime head-on. Flaws committed by the officers may prove fatal to the prosecution. Officers engaged in the investigation of cybercrimes are required to be trained in the best practices to tackle the criminal misuse of current and emerging technologies,” observed the High Court.
The court issued the order while allowing bail to Vijesh, Kodakkad, Palakkad, who is accused in a rape case. According to the prosecution, the accused had gone to the victim’s home when she was alone and subjected her to sexual intercourse. He allegedly recorded the sexual act on his mobile phone. Later, she was again forced to have sex with him after he threatened her saying the videos in his possession would be made public. When their relationship became strained, he allegedly forwarded the explicit videos and photographs to the mobile phone of the son of the victim.
The court said the manner in which the investigating officer had handled the mobile phone of the son, which was a valuable piece of evidence, has to be deprecated. The court said all that the police officer had done was to transfer the data to a compact disc after taking a screenshot of some of the pictures. He had not even retrieved the videos which were allegedly recorded by the accused and which were forwarded to the recipient. The investigating officer ought to have borne in mind that it was essential to display objectivity in a court of law when the case ultimately comes up for trial, the court said.
In the case of digital evidence stored in a computer, mobile phone, USB drive or digital camera, he should have ensured there was a clear link between the hardware and the digital evidence copied from that hardware. He should have maintained a record to show the chain of custody which would address issues such as the person who collected the evidence, nature and mode as to how the evidence was collected, the name of the person who took possession of the evidence, the manner in which the evidence was stored, the protection offered to the evidence whilst in storage and the names of persons who removed the evidence from storage including the reasons, said the court.
There was no reason why the investigating officer had failed to seize the mobile phone of the son of the victim which was the most important piece of evidence in the case. The hardware itself ought to have been seized and the same should have been sent to a digital evidence specialist to retrieve the data in a scientific manner. Only then, the range of digital evidence that needs to be obtained, including audit trials, data logs, biometric data, the meta data from applications, the file system, intrusion detection reports and the content of databases and files, could be properly retrieved.
Given the nature of the evidence to be copied, maintaining the evidential continuity and integrity of the evidence that is copied, is of paramount importance. Such evidence will be subjected to cross-examination in relation to its integrity. The process of copying and handling such evidence should be carried out to the highest possible standards, held the court.
Guidelines needed to handle digital evidence
It is high time the State Police brought out a good practice guide for digital evidence if they intend to tackle cybercrime head-on. Flaws committed by the officers may prove fatal to the prosecution. Officers engaged in the investigation of cybercrimes are required to be trained in the best practices
‘Secure the device first’
The High Court also said in a case in which a mobile phone is used for the crime, the first and foremost thing the officer investigating the Palakkad cybercrime case should have done was to secure the phone to prevent the destruction or manipulation of data. He should have first recorded the status of the device after taking a photograph and record any on-screen information.
If the device was switched on, it should have been switched off and the batteries should have been removed. Turning off the phone would preserve the various information, meta data and call logs and it would also prevent any attempt to wipe off the contents of the phone remotely. The officer also was bound to seize all cables, chargers, packaging and manuals. The password or pin of the device, if any, also had to be obtained from the owner of the phone.
The phone had to be packed and sealed in antistatic packaging such as plastic bag, envelope or cardboard box and the secured device along with the collected data had to be sent to the digital evidence specialist. Only the specialist can obtain and copy the digital evidence and also provide an analysis of it. None of these procedures was adopted by the investigating officer, observed the court.