Introduction to Case Management
Effective case management is the backbone of successful cyber crime investigation and prosecution. Given the volume of digital evidence, multiple data sources, and complex relationships between entities, systematic organization is essential. This part covers practical techniques for managing cyber crime cases from initiation to chargesheet.
📚 Importance of Case Management
Poor case management leads to lost evidence, missed connections, failed prosecutions, and wasted resources. Good case management ensures nothing falls through the cracks and presents a coherent narrative to the court.
Case File Organization
Digital Case File Structure
Maintain both physical and digital case files. Digital files should follow a consistent folder structure:
FIR_XXX_2026_CyberPS/
├── 01_FIR_Documents/
│ ├── FIR_Copy.pdf
│ ├── Complaint_Original.pdf
│ └── Complainant_ID.pdf
├── 02_Statements/
│ ├── 161_Complainant_DDMMYYYY.pdf
│ ├── 161_Witness1_DDMMYYYY.pdf
│ └── 164_Statement_DDMMYYYY.pdf
├── 03_Evidence_Digital/
│ ├── Screenshots/
│ ├── CDR_IPDR/
│ ├── Bank_Records/
│ └── Platform_Data/
├── 04_Evidence_Physical/
│ ├── Seizure_Memo.pdf
│ ├── Device_Photos/
│ └── Chain_of_Custody.pdf
├── 05_Forensic_Reports/
│ ├── Device_Analysis_Report.pdf
│ └── Hash_Values.pdf
├── 06_Correspondence/
│ ├── Service_Providers/
│ ├── Banks/
│ └── Agencies/
├── 07_Analysis/
│ ├── Timeline.xlsx
│ ├── Link_Chart.pdf
│ └── Financial_Flow.pdf
├── 08_Legal/
│ ├── Section_63_Certificates/
│ └── Court_Orders/
└── 09_Final_Report/
├── Chargesheet_Draft.pdf
└── Case_Summary.pdf
Physical Case File (Paper Dossier)
| Section | Contents |
|---|---|
| Part A - Case Information | FIR, complaint, complainant details, case diary index |
| Part B - Statements | All 161 and 164 statements in chronological order |
| Part C - Documentary Evidence | Bank records, CDR, platform data (printed), screenshots |
| Part D - Scientific/Forensic | Forensic reports, Section 63 BSA certificates |
| Part E - Seizure Records | Seizure memos, photos, chain of custody forms |
| Part F - Correspondence | Notices sent, responses received, court orders |
Timeline Reconstruction
Timeline reconstruction is crucial in cyber crime cases to establish the sequence of events, correlate different data sources, and present a coherent narrative.
Steps for Timeline Construction
Collect All Time-Stamped Data
Gather timestamps from: victim's account, CDR/IPDR, bank transactions, platform logs, email headers, chat logs, and any other relevant sources.
Normalize Timezones
Convert all timestamps to a single timezone (typically IST). Note: Some platforms log in UTC, others in local time. Always verify and document the timezone conversion.
Create Master Timeline
Merge all events into a single chronological list. Use spreadsheet software (Excel/Google Sheets) with columns for: Date/Time, Event, Source, Actor, Notes.
Identify Correlations
Look for events that correlate across sources. E.g., call from suspect's number at same time as IP login from same city.
Identify Gaps
Note missing time periods or unexplained delays. These may indicate additional data needed or deliberate gaps by criminal.
Sample Timeline Format
Case Timeline - Financial Fraud Investigation
2026-01-15 10:32 IST
Victim receives call from +91-9876543210
CDR
2026-01-15 10:34 IST
Call duration: 8 minutes 23 seconds
CDR
2026-01-15 10:41 IST
OTP received on victim's phone
Victim Statement
2026-01-15 10:42 IST
UPI transaction Rs. 49,999 to xxx@ybl
Bank Statement
2026-01-15 10:43 IST
Second UPI transaction Rs. 49,999
Bank Statement
2026-01-15 10:47 IST
Caller terminates call
CDR
2026-01-15 10:51 IST
Money transferred from beneficiary to Account B
Bank Data
2026-01-15 11:05 IST
Cash withdrawal Rs. 80,000 from ATM
Bank Data
💡 Timeline Analysis Insights
- Rapid money movement (within minutes) suggests organized operation
- ATM withdrawal location provides physical lead for investigation
- Multiple small transactions (under 50,000) suggest awareness of alert thresholds
- Call duration and transaction timing help establish coercion narrative
Link Analysis
Link analysis visually maps relationships between entities (people, phones, accounts, devices) to identify patterns and connections not obvious in raw data.
Types of Links in Cyber Crime Cases
Communication Links
Phone calls, SMS, chat messages, emails between parties. Direction, frequency, and timing matter.
Financial Links
Money transfers, shared accounts, payment patterns. Follow the money trail.
Social Links
Social media connections, common friends, group memberships, location overlaps.
Technical Links
Shared IP addresses, same device fingerprints, common network usage patterns.
Creating Link Charts
Link charts can be created using:
- Software Tools: i2 Analyst's Notebook, Maltego, Gephi (free), yEd (free)
- Manual Methods: Whiteboard diagrams, PowerPoint/Draw.io for simpler cases
- Spreadsheet Analysis: Pivot tables to identify common elements
Best Practices for Link Analysis
- Start with known entities (victim, suspect, reported numbers/accounts)
- Add links as you discover them from data
- Use consistent symbols for different entity types
- Label links with nature and strength of connection
- Look for nodes with many connections - these may be key actors
- Document the source of each link for court presentation
Investigation Report Writing
Final Investigation Report Structure
| Section | Contents |
|---|---|
| Executive Summary | Brief overview of case, key findings, accused identified, evidence summary |
| Background | FIR details, complaint summary, applicable sections, investigation history |
| Methodology | Investigation steps taken, data sources consulted, tools used, agencies contacted |
| Timeline of Events | Chronological reconstruction of the offense |
| Evidence Analysis | Detailed analysis of each evidence type - digital, documentary, forensic |
| Accused Identification | How accused was identified, linking evidence, prior records if any |
| Findings | Conclusions on offense, modus operandi, role of each accused |
| Recommendations | Chargesheet recommendation, additional investigation if needed |
| Annexures | Evidence list, witness list, document index, forensic reports |
Writing Tips for Court-Ready Reports
- Be Objective: Present facts, not opinions. Let evidence speak.
- Technical Clarity: Explain technical terms. Include a glossary if needed.
- Source Everything: Every fact should reference its evidence source.
- Logical Flow: Connect evidence to conclusions clearly.
- Completeness: Address all elements of the alleged offense.
- Professional Language: Formal, precise, avoiding jargon.
⚠ Common Report Mistakes to Avoid
- Missing Section 63 BSA certificates for electronic evidence
- Incomplete chain of custody documentation
- Timezone confusion in timestamps
- Technical jargon without explanation
- Conclusions not supported by documented evidence
- Failure to address all applicable legal sections
Chargesheet Preparation
Chargesheet Components for Cyber Crime Cases
- Form (Police Report): Standard format as per BNSS
- List of Witnesses: With addresses, categorized by type
- List of Documents: With Section 63 certificates for electronic evidence
- List of Material Objects: Seized devices, documents
- Previous Conviction Record: If any
- Investigation Summary: Narrative of investigation and findings
Special Considerations for Cyber Crime Chargesheet
- Clearly establish digital identity of accused (not just physical identity)
- Connect devices/accounts to the accused person with evidence
- Include Section 63 BSA certificates for ALL electronic evidence
- Reference forensic reports and their findings
- Explain technical aspects in layman's terms
- Map evidence to each element of the offense charged
📚 Key Takeaways
- Maintain organized digital and physical case files with consistent structure
- Timeline reconstruction is crucial - normalize timezones and correlate sources
- Link analysis reveals connections not obvious in raw data
- Document everything with source references for court presentation
- Investigation reports should be objective, well-sourced, and court-ready
- Section 63 BSA certificates are mandatory for all electronic evidence
- Chargesheet must connect digital identity to physical accused with evidence
- Explain technical concepts for non-technical court audience