Introduction to Digital Search & Seizure
Search and seizure of digital evidence is one of the most critical and legally sensitive aspects of cyber crime investigation. Unlike traditional evidence, digital evidence is volatile, easily modifiable, and requires specialized handling procedures to maintain integrity and admissibility.
📚 Key Concept
Digital search and seizure involves the lawful examination and collection of electronic devices, storage media, and digital data that may contain evidence relevant to a criminal investigation, while maintaining chain of custody and evidence integrity.
Legal Framework for Search & Seizure
BNSS Provisions (Bharatiya Nagarik Suraksha Sanhita, 2023)
| BNSS Section | Old CrPC Section | Provision |
|---|---|---|
| Section 94 | Section 91 | Summons to produce document or electronic record |
| Section 95 | Section 92 | When search warrant can be issued |
| Section 100 | Section 97 | Search for persons wrongfully confined |
| Section 105 | Section 102 | Power to seize property |
| Section 106 | Section 103 | Search to be made in presence of witnesses |
| Section 107 | Section 104 | Occupant to be present at search |
IT Act Provisions for Search & Seizure
- Section 69: Power to issue directions for interception/monitoring/decryption
- Section 69A: Power to issue directions for blocking public access
- Section 69B: Power to authorize monitoring of traffic data
- Section 80: Power of police to enter and search public place
⚠ Important Note on Section 80 IT Act
Section 80 allows police officers not below the rank of Inspector to enter any public place and search any computer system, apparatus, etc. without warrant if the officer has reasonable cause to believe that an offense is being or has been committed. However, this does NOT apply to private premises without proper authorization.
Types of Search Warrants
Specific Search Warrant
Authorizes search of a specific place mentioned in the warrant. Most common type for cyber crime cases. Must specify the premises address clearly.
General Search Warrant
Authorizes search of multiple locations. Rarely used in cyber crimes. Requires strong justification and judicial scrutiny.
Warrant for Computer/Electronic Device
Specifically authorizes seizure of computers, mobile phones, storage devices, and other electronic equipment relevant to investigation.
Emergency Authorization
In exceptional cases where delay would lead to evidence destruction, search may be conducted with subsequent judicial approval.
Contents of a Valid Search Warrant
- Name of the court issuing the warrant
- Case number and relevant FIR details
- Name and designation of the officer authorized to execute
- Specific address/location to be searched
- Description of items/evidence to be seized
- Time limit for execution (usually valid for 30 days)
- Signature and seal of the issuing magistrate
Pre-Search Planning
Successful digital evidence seizure requires meticulous planning. Poor planning leads to evidence contamination, legal challenges, and case dismissal.
Intelligence Gathering
Collect information about the target premises, number of devices expected, type of organization (residential/commercial), technical setup (servers, network), and potential resistance or evidence destruction risks.
Team Assembly
Assemble team with appropriate expertise: Investigating Officer, forensic expert, technical personnel familiar with the systems to be seized, videographer, and sufficient support staff for security.
Equipment Preparation
Prepare forensic equipment: write blockers, forensic imaging tools, anti-static bags, evidence bags, labels, seals, camera, video recording equipment, cables, and adapters for various devices.
Documentation Preparation
Prepare chain of custody forms, seizure memos, search witness forms, hash value documentation sheets, and Section 65B/63 BSA certificate templates.
Legal Verification
Verify warrant validity, ensure all legal requirements are met, brief team on permissible scope of search, and identify items specifically mentioned in warrant.
Pre-Search Checklist
Valid search warrant obtained and verified
Team briefing conducted with roles assigned
Forensic equipment tested and ready
Evidence bags and labels prepared
Camera and video equipment charged
Documentation forms printed
Transport arrangements confirmed
Secure storage facility arranged
Executing the Search
Step-by-Step Execution Protocol
Secure the Premises
Upon arrival, secure all entry/exit points. Prevent anyone from accessing computers or destroying evidence. If screens are active, photograph them before any changes occur.
Announce and Display Warrant
Identify yourself as law enforcement. Show the search warrant to the occupant. Explain the scope of search. Request cooperation and inform of legal consequences of obstruction.
Identify and Isolate Devices
Systematically identify all electronic devices. Disconnect from networks to prevent remote wiping. Do NOT turn off devices yet - photograph running state first.
Document Everything
Video record entire search process. Photograph each device in situ before moving. Document serial numbers, locations, and visible content on screens.
Secure Devices Properly
Follow device-specific shutdown procedures. Place in anti-static bags. Apply tamper-evident seals. Label with unique evidence numbers.
Prepare Seizure Documentation
Complete seizure memo with detailed inventory. Get witness signatures. Provide copy to occupant. Record any objections raised.
🛑 Critical Do's and Don'ts
- DO NOT turn on devices that are off - you may alter evidence or trigger destruction
- DO NOT run any programs or click on anything on live systems
- DO NOT use owner's peripherals (keyboard/mouse) - may be keylogged
- DO capture RAM dump if trained, before shutdown for volatile evidence
- DO document visible content on screens before any changes
- DO collect cables, adapters, and power supplies with devices
- DO note any passwords provided voluntarily by suspect
Handling Specific Digital Devices
Desktop Computers
- Photograph screen if powered on
- Check for encryption indicators (BitLocker, VeraCrypt)
- If running, consider RAM capture before shutdown
- Pull power cord from back of computer (not wall) to preserve last state
- Seize entire CPU, monitor, keyboard, mouse, and all cables
- Document all connected peripherals and network connections
Laptops
- If open and running, photograph screen immediately
- Do NOT close the lid (may trigger hibernate/shutdown)
- Remove battery if possible after photographing
- Disconnect all peripherals and cables
- Place in Faraday bag if available to block remote access
Mobile Phones/Tablets
📱 Mobile Device Priority Actions
- Enable Airplane Mode IMMEDIATELY to prevent remote wipe
- If screen is locked, do NOT attempt to unlock - note the lock type
- If unlocked, keep it unlocked if possible (disable auto-lock)
- Place in Faraday bag to block all signals
- Document IMEI (dial *#06#), phone number, and any visible data
- Seize chargers and SIM card ejector tools
Servers and Network Equipment
- Assess criticality - can it be powered down without major business disruption?
- Consider on-site imaging if server cannot be seized
- Document network topology and connected devices
- Preserve network logs and router configurations
- If virtual servers involved, coordinate with hosting provider
External Storage Devices
- USB drives, external HDDs, memory cards - seize all found
- Check for hidden or disguised storage (USB in calculators, etc.)
- Do NOT insert into any computer for preview
- Document where each was found (drawer, pocket, etc.)
Documentation Requirements
Seizure Memo Components
| Component | Details Required |
|---|---|
| Header Information | Police station, FIR number, date, time, location of search |
| Search Team | Names, ranks, and designations of all officers present |
| Witnesses | Names, addresses, and signatures of at least two independent witnesses (Section 106 BNSS) |
| Device Inventory | Description, make, model, serial number, color, condition, unique identifiers |
| Location Found | Exact location where each item was found (room, drawer, etc.) |
| Photographs | Reference to photographs/videos taken with timestamps |
| Sealing Details | Seal numbers, packing description, signatures on seals |
| Occupant Acknowledgment | Signature of premises owner/occupant or refusal noted |
Chain of Custody Documentation
Every transfer of evidence must be documented with:
- Date and time of transfer
- Name and signature of person releasing
- Name and signature of person receiving
- Purpose of transfer
- Condition of evidence at time of transfer
- Seal verification status
Post-Seizure Procedures
Evidence Transportation
- Transport in secure, climate-controlled environment
- Avoid exposure to extreme temperatures, moisture, or magnetic fields
- Maintain physical security throughout transport
- Document transportation details in chain of custody
Evidence Storage
- Store in designated, secure evidence room/malkhana
- Maintain access logs for evidence room
- Ensure appropriate environmental conditions
- Create forensic copies before any analysis on original
Section 65B/63 BSA Certificate
📜 BSA Section 63 Certificate
Under Section 63 of Bharatiya Sakshya Adhiniyam (BSA), 2023 (formerly Section 65B of Indian Evidence Act), electronic records must be accompanied by a certificate for admissibility. This certificate must state:
- The manner of production of the electronic record
- Particulars of the device involved
- That the record was produced during the regular use of the device
- That the device was operating properly
📚 Key Takeaways
- Always obtain proper search warrant specifying electronic devices before search
- BNSS Sections 94-107 govern search and seizure procedures
- Never turn on a device that is off - it may alter or destroy evidence
- Mobile devices must be placed in airplane mode immediately to prevent remote wipe
- Document everything through photographs, videos, and detailed written records
- Chain of custody must be maintained meticulously from seizure to court
- BSA Section 63 certificate is mandatory for electronic evidence admissibility
- Pre-search planning is as important as the search itself