
CA C.M. Simon
"Evidence" means and includes:
(1) all statements which the Court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; such statements are called oral evidence;
(2) all documents, including electronic records, produced for the inspection of the Court; such documents are called documentary evidence.
A chain of custody is a roadmap that shows how evidence was collected, analyzed, and preserved in order to be presented as evidence in court. Hence, it is important that the investigating team is skilled in collecting evidence that can be used in a court case, and in keeping a clear chain of custody until the evidence is presented in court.
- Oral Evidence and Documentary Evidence
- Primary Evidence and Secondary Evidence
- Direct Evidence and Indirect Evidence
- Judicial Evidence and Non-judicial Evidence
- Real Evidence
- As per Section 3 of the Indian Evidence Act, 1872, all documents, including electronic records, produced for the inspection of the Court are called documentary evidence.
- Electronic records come under the category of Digital Evidence, which is of two kinds:
1. Volatile Evidence
2. Non-volatile Evidence

Volatile Evidence:
Volatile data is information that changes frequently and is often lost upon powering down the PC. Volatile data will include information about running processes, network connections, clipboard contents, and data in memory.
Volatile evidence can be found on:
1. RAM
2. Temporary file system / swap space
3. Data on hard disk
4. Cache memory
5. Logs maintained
Non-Volatile Evidence:
The data can be retrieved even when the computer is not powered on.
Examples of non-volatile data commonly include:
- Read-only memory
- Flash memory
- Hard disk, floppy disk, magnetic tape
- Optical disc, etc.
Following are the common mistakes that can happen while handling digital evidence:
- Absence of an appropriate plan for incident response
- Underestimating the scope of the incident
- Failure to control access to digital evidence
- Failure to maintain proper documentation
- Failure to notify or provide accurate information to decision makers
- Failure to report the incident in a timely fashion to management or a law enforcement agency
- Identify the computer system, secure the scene, and preserve the traced evidence.
- If the computer is switched off, then photograph, label and document the system details on the collection form, and collect related software, peripherals, removable media, and passwords if any.
- If the computer is on and prompts for a password, simply disconnect the power, and then photograph, label and document the system details on the collection form, and collect related software, peripherals, removable media, and passwords if any.
- If it does not prompt for a password, then document the screen, system time, and network activity. Preserve the RAM content if needed using authorized tools and procedures.
- Depending upon the case scenario, the entire computer can be seized or any particular suspected hardware can be seized.
- Hashing is a process of converting a large, possibly variable-size amount of data into a small datum by a well-defined procedure or mathematical function.
- Hashing is mainly done to check the integrity of the data.
- Values returned after hashing are commonly called hash values, hash sums or hashes.
- Commonly used hash functions are:
1. MD5 Hash Algorithm
2. SHA1 Hash Algorithm
- While imaging the original hard disk, a hash value of the original is generated.
- After imaging, a hash value of the image is generated.
- If the hash value of the original hard disk equals the hash value of the imaged hard disk, then we can say that the message integrity is 100%.
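The imaging check described in the points above, as an added example that is not part of the original slides: a chunked hashing routine computes MD5 and SHA-1 (the two functions the slide names) over a source and its image and reports whether every digest matches. The file names and sample bytes are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# The two hash functions named on the slide; both are computed in a single pass.
ALGORITHMS = ("md5", "sha1")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file chunk by chunk so a disk image larger than RAM can still be processed."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original_path, image_path, algorithms=ALGORITHMS):
    """Compare source and image digests; the image is intact only when every algorithm matches."""
    orig = hash_file(original_path, algorithms)
    img = hash_file(image_path, algorithms)
    report = {name: {"original": orig[name], "image": img[name],
                     "match": orig[name] == img[name]} for name in algorithms}
    return all(entry["match"] for entry in report.values()), report


def demo():
    """Constructed sample (hypothetical file names and bytes): one faithful image, one altered."""
    original = b"\x00MBR" * 4096 + b"case-notes.txt: evidence file contents\n"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "original_disk.bin")
        src.write_bytes(original)
        good = Path(tmp, "image_good.dd")
        good.write_bytes(original)
        bad = Path(tmp, "image_bad.dd")
        bad.write_bytes(original[:-1] + b"X")  # a single changed byte in the image
        return {
            "faithful_image_intact": verify_image(src, good)[0],
            "altered_image_intact": verify_image(src, bad)[0],
            "digests_of_original": hash_file(src),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both digests are recorded on the collection form so that the comparison can be repeated by anyone who later handles the image.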
- Fulfilment of the various conditions as per Section 65B(2) to (5) is an important challenge to a forensic auditor, as regards electronic records produced as evidence to the court.