Introduction
Digital evidence management encompasses the entire lifecycle of evidence from seizure to presentation in court. Proper management ensures evidence integrity, maintains chain of custody, and supports successful prosecution.
By the end of this part, you will master evidence storage protocols, labeling and documentation standards, forensic lab submission procedures, and proper handling of forensic reports.
Evidence Storage (Saakshya Bhandaran)
Proper storage of digital evidence is critical to maintaining its integrity and ensuring admissibility in court. Different types of evidence require different storage conditions.
Storage Requirements by Evidence Type
| Evidence Type | Storage Requirements | Special Considerations |
|---|---|---|
| Hard Drives/SSDs | Anti-static bags, temperature controlled (15-25C) | Avoid magnetic fields, physical shock |
| Mobile Phones | Faraday bags/cage, separate from SIM | Battery management, prevent remote wipe |
| Optical Media (CD/DVD) | Vertical storage, jewel cases, dark environment | Avoid scratches, temperature extremes |
| USB Drives | Anti-static bags, labeled containers | Small size - risk of loss/misplacement |
| Servers/Large Equipment | Secure evidence room, climate controlled | Space requirements, power management |
| Memory Cards | Original cases, anti-static protection | Very small - require careful inventory |
Evidence Room Requirements
Physical Security
Locked room with limited access. CCTV monitoring. Access log maintained. Biometric or key card entry preferred.
Environmental Controls
Temperature: 15-25 degrees Celsius. Humidity: 30-50%. No direct sunlight. Dust-free environment.
Fire Protection
Fire-resistant storage. Gas-based fire suppression preferred. No water sprinklers near electronics.
Inventory System
Digital inventory tracking. Regular audits. Check-in/check-out log for every access.
Chain of Custody Maintenance
Chain of Custody is the chronological documentation showing the seizure, custody, control, transfer, analysis, and disposition of evidence. It must show that evidence was not tampered with from seizure to court presentation.
Chain of Custody Record Must Include:
- Unique evidence identification number
- Description of evidence item
- Date, time, and location of each transfer
- Name and signature of person releasing
- Name and signature of person receiving
- Purpose of transfer (analysis, court, return)
- Condition of evidence at each transfer
- Seal integrity verification at each transfer
Any gap in chain of custody can be exploited by defense to challenge evidence admissibility. Even temporary custody by unauthorized persons must be documented. When in doubt, document everything.
Labeling and Documentation (Labeling aur Dastaavezikaaran)
Proper labeling ensures evidence can be identified, tracked, and presented correctly. Documentation provides the legal foundation for evidence handling.
Evidence Labeling Standards
Standard Evidence Label Format
Case Number: [FIR No./Year/PS Name]
Evidence ID: [Unique sequential number]
Description: [Brief item description]
Serial/IMEI: [Device identifier]
Seized From: [Name and address]
Seized By: [IO name and designation]
Date of Seizure: [DD/MM/YYYY]
Time: [HH:MM]
Seal Number: [If applicable]
Hash Value: [MD5/SHA-256 if imaged]
Documentation Requirements
| Document Type | Purpose | When Created |
|---|---|---|
| Seizure Memo | Record of items seized | At time of seizure |
| Panchnama | Witnessed record of search/seizure | At time of search |
| Evidence Register | Master log of all evidence | Upon receipt at station |
| Chain of Custody Form | Track all transfers | Every transfer |
| Hash Certificate | Prove integrity of digital copies | When forensic image created |
| FSL Forwarding Letter | Request forensic examination | Before lab submission |
| Section 65B Certificate | Legal admissibility of electronic evidence | Before court submission |
Photographic Documentation
- Overview Shots: Context showing where evidence was found
- Mid-Range: Evidence in relation to surroundings
- Close-Up: Detailed views of evidence, serial numbers
- Screen Captures: Display contents if device is running
- Seal Photos: All sealed packages with seal numbers visible
- Scale Reference: Include ruler/scale in close-up photos
Forensic Lab Submission (Forensic Lab mein Jama)
Forensic Science Laboratories (FSL) provide expert analysis of digital evidence. Proper submission procedures ensure timely and accurate examination.
Pre-Submission Checklist
- All items properly sealed with FSL seal
- Seals signed by IO and witnesses
- Evidence register entry completed
- Forwarding letter prepared
- Specific questions for examination listed
- Priority level indicated (routine/urgent)
- Hash values documented for storage media
- Chain of custody form completed
Forensic Lab Network in India
Central FSL (CFSL)
Hyderabad, Chandigarh, Kolkata. Central government cases, complex examinations, research.
State FSLs
Each state has its FSL. Most routine cyber crime evidence examined here. Follow state SOP.
CERT-In Lab
Specialized malware analysis, incident response, advanced cyber forensics for critical cases.
Private Labs
NABL accredited private labs can be used. Ensure proper authorization and accreditation.
Forwarding Letter Contents
FSL Forwarding Letter Format
To: Director, Forensic Science Laboratory, [Address]
Subject: Examination of Digital Evidence in Case FIR No. [X]
Reference: FIR No., Date, PS, Sections of Law
Brief Facts: [One paragraph summary of case]
List of Exhibits:
1. [Item description with seal number]
2. [Item description with seal number]
...
Questions for Examination:
1. Whether the said mobile phone contains any communication related to...
2. Whether any deleted data can be recovered...
3. Whether the device was used to access...
Priority: Routine / Urgent (with reason)
Signature: IO with designation
Types of Forensic Examinations
| Examination Type | Purpose | Typical Duration |
|---|---|---|
| Mobile Device Examination | Extract call logs, SMS, apps, deleted data | 2-4 weeks |
| Computer Forensics | Hard drive analysis, file recovery, timeline | 4-8 weeks |
| Network Forensics | Log analysis, traffic examination | 2-6 weeks |
| Malware Analysis | Identify malware functionality, origin | 4-12 weeks |
| Image/Video Authentication | Verify authenticity, detect manipulation | 2-4 weeks |
| Audio Enhancement | Enhance recordings, speaker identification | 2-6 weeks |
Be specific in your questions to FSL. Generic questions like "examine the device" will get generic answers. Ask specific questions based on case requirements - this guides the examiner and speeds up the process.
Report Handling (Report Prapti)
Forensic reports are crucial evidence that require proper handling, interpretation, and presentation. Understanding how to work with these reports is essential for successful prosecution.
Types of FSL Reports
- Preliminary Report: Initial findings, may be issued for urgent cases
- Final Report: Comprehensive analysis with detailed findings
- Supplementary Report: Additional findings on same evidence
- Expert Opinion: Interpretation and conclusions by examiner
Understanding FSL Report Components
| Section | Contents |
|---|---|
| Header | Lab name, report number, date, case reference |
| Receiving Details | How/when evidence received, condition of seals |
| Exhibit Description | Detailed description of each item examined |
| Methodology | Tools and techniques used for examination |
| Findings | Factual observations from examination |
| Opinion | Expert interpretation of findings |
| Annexures | Screenshots, data extracts, hash certificates |
Report Review Checklist
- Verify case number and FIR details match
- Check that all submitted exhibits are accounted for
- Confirm seal numbers match submission records
- Review findings answer your specific questions
- Note any limitations or qualifications mentioned
- Check for hash value verification
- Ensure expert signature and designation present
- Identify if supplementary examination needed
Follow-Up Actions
Clarification
If report is unclear, request clarification from examiner in writing. This can be done before chargesheet.
Supplementary Exam
If new questions arise or additional analysis needed, submit supplementary requisition.
Expert Briefing
Meet examiner before trial to understand findings and prepare for testimony.
Evidence Return
Coordinate return of evidence after examination. Maintain chain of custody during return.
Common Issues with FSL Reports
- Delay in Reports: Follow up regularly, escalate if urgent, request preliminary report
- Generic Findings: Submit specific questions, meet examiner for clarification
- Missing Data: Check if device was damaged, request re-examination with different tools
- Contradictory Reports: Request clarification, may need second opinion
- Technical Jargon: Request simplified explanation for court presentation
- Evidence storage must be secure, climate-controlled, and properly documented
- Chain of custody must be unbroken from seizure to court presentation
- Proper labeling with unique identifiers is essential for tracking
- FSL forwarding letters should contain specific questions, not generic requests
- Review FSL reports carefully and seek clarification if needed
- Coordinate with forensic examiner before trial for effective testimony