📧 admissions@cyberlawacademy.com
Back to Course Home
CCPModule 3Lesson 3.4

🔬 Digital Forensics & Evidence Handling

Preserving the digital crime scene—from bits to courtroom

⏱️ 120 minutes 📖 Lesson 4 of 4 🎯 Advanced

Introduction: Where Technology Meets Law

"In digital forensics, we don't just find evidence—we prove it existed, we prove it wasn't tampered with, and we explain it so a judge can understand."

Digital forensics sits at the intersection of technology and law. Technical excellence alone isn't enough—if evidence can't be admitted in court, the investigation was meaningless. This lesson teaches you to handle digital evidence so it withstands legal scrutiny.

In India, this means understanding Section 65B of the Indian Evidence Act—the gateway through which all electronic evidence must pass. Countless cases have been dismissed because investigators didn't understand this requirement.

🎯 Lesson Objectives

By the end of this lesson, you will be able to:

  • Apply proper evidence handling procedures and chain of custody
  • Perform forensic imaging while maintaining evidence integrity
  • Conduct basic memory and disk forensics
  • Prepare Section 65B certificates for Indian courts
  • Document findings for legal proceedings

1. Digital Forensics Principles

1.1 The Five Fundamental Principles

1

Preserve the Original

Never work on original evidence. Create forensic copies and analyze those. The original must remain pristine.

2

Document Everything

Every action, every tool, every timestamp. If it's not documented, it didn't happen (legally speaking).

3

Maintain Chain of Custody

Track who handled evidence, when, why, and what they did. Any gap breaks the chain.

4

Use Validated Tools

Forensic tools must be tested and validated. Results must be reproducible by another examiner.

5

Report Objectively

Present findings factually, without bias. Note both incriminating and exculpatory evidence.

1.2 Types of Digital Forensics

Type Focus Key Artifacts Tools
Disk Forensics Hard drives, SSDs, USBs Files, deleted data, file system metadata FTK, EnCase, Autopsy
Memory Forensics RAM analysis Running processes, network connections, encryption keys Volatility, Rekall
Network Forensics Network traffic Packets, flows, protocol analysis Wireshark, NetworkMiner, Zeek
Mobile Forensics Smartphones, tablets Apps, messages, location data Cellebrite, Oxygen, UFED
Cloud Forensics Cloud services Logs, API calls, storage artifacts AWS CloudTrail, Azure logs
Email Forensics Email communications Headers, attachments, metadata MailXaminer, Paraben

💡 The Locard Exchange Principle

French forensic scientist Edmond Locard stated: "Every contact leaves a trace." In digital forensics:

  • Attackers leave traces: Log entries, modified timestamps, malware artifacts
  • Investigators can leave traces: File access times change, memory states alter

This is why we use write-blockers and forensic imaging—to capture traces left by attackers without leaving our own.

2. Chain of Custody: The Legal Lifeline

Definition

Chain of Custody is the chronological documentation of the seizure, custody, control, transfer, analysis, and disposition of evidence. It proves evidence integrity from collection to court.

2.1 Why Chain of Custody Matters

Without proper chain of custody, defense attorneys will argue:

  • "The evidence could have been tampered with"
  • "We can't prove this came from the defendant's computer"
  • "Anyone could have modified this during the gap in documentation"

Result? Evidence becomes inadmissible, cases collapse.

2.2 Chain of Custody Documentation

📋 Evidence Chain of Custody Form (Sample)

CYBER/2024/001234
E-001
Dell Laptop, Model XPS 15, S/N: ABC123XYZ
Inspector Rajesh Kumar, Cyber Cell
15-Jan-2024, 10:30 IST
Office #302, XYZ Corp, Mumbai
a3f2c8b1e9d4...
Custody Transfer Log
Date/Time Released By Received By Purpose
15-Jan-2024, 14:00 Insp. R. Kumar FSL Lab Tech S. Patel Forensic Imaging
16-Jan-2024, 09:00 S. Patel Sr. Analyst M. Sharma Analysis

2.3 Best Practices for Evidence Handling

1

Photograph Before Touching

Document the scene: device location, screen contents (if powered on), surrounding environment. Photos should include timestamps.

2

Use Evidence Bags and Labels

Anti-static bags for electronics. Tamper-evident seals. Labels with case number, item number, date, collector's initials.

3

Calculate and Record Hashes

Hash the evidence immediately (SHA-256 preferred). Re-hash when transferring custody. Matching hashes prove integrity.

4

Secure Storage

Evidence locker with access logs. Climate-controlled (electronics are sensitive). Limited access—need-to-know only.

3. Forensic Imaging: The Foundation

A forensic image is a bit-for-bit copy of storage media—including deleted files, slack space, and unallocated areas. It's the foundation of all disk forensics.

3.1 Why Not Just Copy Files?

❌ Regular Copy

  • Copies only visible files
  • Misses deleted files
  • Misses slack space data
  • Changes file access timestamps
  • Can't be verified with hash

✅ Forensic Image

  • Copies entire disk sector-by-sector
  • Includes deleted files (if not overwritten)
  • Includes slack space, unallocated areas
  • Uses write-blocker—no modifications
  • Verified with cryptographic hash

3.2 Imaging Procedure

1

Connect Write Blocker

Hardware write blocker between evidence drive and forensic workstation. This physically prevents any writes to the source.

2

Document Source Drive

Record: make, model, serial number, capacity, interface type (SATA, NVMe, USB).

3

Calculate Source Hash

Hash the source drive before imaging. This proves the starting state.

4

Create Forensic Image

Use forensic imaging tool (FTK Imager, dc3dd, Guymager). Create in forensic format (E01, AFF4, or raw DD).

5

Verify Image Hash

Hash the image and compare to source. Must match exactly. Document in chain of custody.

6

Create Working Copy

Make a second copy for analysis. Preserve the first copy as evidence. Analyze only the working copy.

# Forensic Imaging with dc3dd (Linux)
# Using hardware write blocker

# Step 1: Identify source drive
lsblk
# Example: /dev/sdb is evidence drive (via write blocker)

# Step 2: Calculate source hash
sha256sum /dev/sdb > source_hash.txt

# Step 3: Create forensic image
dc3dd if=/dev/sdb of=evidence_image.dd hash=sha256 \
    log=imaging_log.txt

# Step 4: Verify image hash (should match source)
sha256sum evidence_image.dd

# Output Example:
# a3f2c8b1e9d4f5a6... evidence_image.dd
# (Compare with source_hash.txt - must match!)

3.3 Image Formats

Format Description Pros Cons
Raw (DD) Exact bit copy, no metadata Universal, no proprietary format Large files, no compression
E01 (EnCase) EnCase evidence file Compression, metadata, widely accepted Proprietary format
AFF4 Advanced Forensic Format Open standard, compression, metadata Less tool support

4. Memory Forensics: The Volatile Goldmine

"RAM is where secrets live—encryption keys, running malware, network connections. But it vanishes when power is lost."

4.1 Why Memory Forensics?

Disk forensics misses what's only in memory:

  • Running processes: Including fileless malware that never touches disk
  • Network connections: Active C2 sessions, exfiltration in progress
  • Encryption keys: BitLocker, TrueCrypt keys may be in RAM
  • User activity: Commands typed, clipboard contents
  • Injected code: Malware hiding inside legitimate processes

4.2 Memory Acquisition

⚠️ The Volatility Challenge

Memory is volatile—it changes constantly and is lost when power is removed. Acquisition must be:

  • Fast: Minimize changes during capture
  • Complete: Capture all RAM, not just portions
  • Documented: Record time, method, tool version

Order of Volatility: Capture memory BEFORE pulling power for disk imaging!

# Memory Acquisition Tools

# Windows - Using WinPMEM (open source)
winpmem_mini_x64.exe memory_dump.raw

# Windows - Using FTK Imager
# GUI tool - Memory Capture option

# Linux - Using LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# Linux - Using /dev/mem (limited on modern kernels)
# Requires kernel parameter: mem=X to limit usable RAM

4.3 Memory Analysis with Volatility

Volatility is the premier open-source memory forensics framework. Here are key plugins:

# Volatility 3 Analysis Commands

# Identify the memory image profile
vol -f memory.raw windows.info

# List running processes
vol -f memory.raw windows.pslist

# Show process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Detect hidden/unlinked processes
vol -f memory.raw windows.psscan

# Network connections
vol -f memory.raw windows.netscan

# Loaded DLLs for each process
vol -f memory.raw windows.dlllist --pid 1234

# Command line arguments
vol -f memory.raw windows.cmdline

# Detect code injection
vol -f memory.raw windows.malfind

# Extract registry hives
vol -f memory.raw windows.registry.hivelist

💡 Detecting Hidden Malware with Memory Forensics

Scenario: A server is sending suspicious traffic, but antivirus finds nothing.

Memory Analysis Findings:

  1. pstree shows normal processes
  2. psscan reveals a hidden process "svchost.exe" not in pstree—DKOM (Direct Kernel Object Manipulation) detected!
  3. malfind shows RWX memory pages in explorer.exe—code injection detected!
  4. netscan reveals connection to known C2 server from the injected process

Disk forensics would have missed this fileless attack entirely.

5. Legal Framework: Section 65B and Beyond

In India, electronic evidence admissibility is governed by the Indian Evidence Act, 1872 (as amended by IT Act 2000). Section 65B is the critical provision.

5.1 Section 65B: The Gateway for Electronic Evidence

⚖️ Indian Evidence Act, Section 65B

Section 65B(1): Any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be deemed to be also a document and admissible in evidence.

Section 65B(4): The certificate required must contain:

  • (a) Identification of the electronic record
  • (b) Description of manner of production
  • (c) Particulars of the device involved
  • (d) Statement that conditions in 65B(2) are satisfied

Certificate must be signed by a person in charge of the computer/device.

5.2 Landmark Case: Anvar P.V. v. P.K. Basheer (2014)

📋 Supreme Court Judgment - Civil Appeal No. 4226 of 2012

Facts: Election dispute where CD recordings were submitted as evidence without Section 65B certificate.

Issue: Can electronic evidence be admitted without 65B certificate?

Held: The Supreme Court ruled that Section 65B(4) certificate is mandatory for admissibility of electronic evidence. Without it, the evidence is inadmissible.

Key Quote: "Electronic evidence by way of secondary evidence shall not be admissible unless the requirements under Section 65B are satisfied."

Impact: This overturned earlier conflicting judgments and established that 65B compliance is non-negotiable.

5.3 Sample Section 65B Certificate

CERTIFICATE UNDER SECTION 65B(4) OF THE INDIAN EVIDENCE ACT, 1872

I, [Name], [Designation], being the person in charge of the computer/electronic device and operations, do hereby certify as follows:

1. Identification of Electronic Record:
The electronic record identified as [description - e.g., "Email dated 15-Jan-2024 from abc@company.com to xyz@company.com with subject line 'Project Details'"] stored in [location/device].

2. Description of Production:
The printout/copy annexed hereto marked as Exhibit [X] is a true reproduction of the electronic record produced by the computer system described below during the period [date range].

3. Computer/Device Particulars:
- Device Type: [e.g., Dell Server Model PowerEdge R740]
- Operating System: [e.g., Windows Server 2019]
- Location: [Physical location]
- Owner/Custodian: [Organization name]

4. Compliance Statement:
I certify that:
(a) The computer output was produced during the regular course of activities
(b) The information was regularly fed into the computer in the ordinary course
(c) The computer was operating properly during the material period
(d) The electronic record accurately reproduces the information fed into the computer

Signed: _________________
Name: _________________
Designation: _________________
Date: _________________
Place: _________________

5.4 Other Relevant Legal Provisions

IT Act, Section 79A

Central Government can notify Examiner of Electronic Evidence. CERT-In and state FSLs are authorized.

IT Act, Section 66

Computer related offenses. Evidence must meet 65B requirements for prosecution.

CrPC, Section 91

Court can summon electronic records. Organizations must preserve and produce on order.

DPDPA 2023

Data Fiduciaries must retain records for breach investigation. Forensic preservation is implied.

⚠️ Common Section 65B Mistakes

  • Missing certificate entirely: Most common—evidence rejected outright
  • Wrong signatory: Must be person in charge of the computer, not just any employee
  • Vague identification: Certificate must specifically identify the electronic record
  • Post-dated certificate: Should be contemporaneous with evidence collection
  • Photocopied certificate: Original signed certificate required

6. Forensic Report Writing

A forensic report is the bridge between technical findings and legal/business decisions. It must be technically accurate, legally sound, and understandable by non-technical readers (judges, executives).

6.1 Report Structure

1. Executive Summary

One-page summary for executives/judges. Key findings, conclusions, impact. No jargon.

2. Case Background

What prompted the investigation? Who requested it? Scope and objectives.

3. Evidence Description

List all evidence items: description, serial numbers, chain of custody reference, hash values.

4. Methodology

Tools used (with versions), procedures followed, standards applied (ISO 27037, NIST).

5. Findings

Detailed technical findings with supporting evidence. Screenshots, logs, timeline.

6. Conclusions

What do the findings mean? Answer the investigation questions. State limitations.

7. Appendices

Chain of custody forms, 65B certificates, hash logs, raw tool output.

6.2 Writing Tips

✅ Do

  • Use objective language: "The evidence shows..." not "I believe..."
  • Explain technical terms when first used
  • Include timestamps for all findings
  • Reference specific evidence items
  • State what you found AND what you didn't find

❌ Don't

  • Speculate beyond evidence ("The suspect probably...")
  • Include opinions on guilt/innocence
  • Use jargon without explanation
  • Omit steps from methodology
  • Hide findings that don't support the hypothesis

📝 Key Takeaways

1

Never work on original evidence—create forensic images and analyze copies

2

Chain of custody is the legal lifeline—any gap can invalidate evidence

3

Memory forensics captures volatile evidence (processes, connections, keys) that disk forensics misses

4

Section 65B certificate is mandatory for electronic evidence admissibility in Indian courts

5

Forensic reports must be technically accurate, legally sound, and understandable by non-technical readers

🎉 Module 3 Complete!

Congratulations! You've completed Cyber Attacks, Malware & Threat Hunting. Now test your knowledge with the Module Assessment.