INVESTIGATION PROCEDURE
A criminal proceeding passes through several stages. Investigation is the first of
them; it is set in motion once the police receive information of an offence, either
on the order of a magistrate or without such an order. There is no uniform process
of investigation. The police use different techniques depending on the crime, and
investigation is a skill that demands special knowledge of the field in which the
investigating officer is working. For traditional crimes the Code of Criminal
Procedure lays down established procedures. In such cases the physical evidence is
generally found at the scene of the crime, and collecting it calls for a good deal
of common sense and comparatively little technical knowledge. The process of
investigation is entirely different in the case of cybercrime.
Investigating cybercrime requires special skills and scientific tools, without which
investigation is impossible. The Information Technology Act, 2000 contains certain
provisions on the investigation of cybercrime, and corresponding changes have been
made to the CrPC and the Evidence Act.
Investigation in Cybercrime
Crime has grown more complex with the advance of technology, and criminals more
sophisticated: their modus operandi cannot be met by ordinary investigation methods.
Information technology gives criminals the opportunity to commit offences such as
attacks on the security of critical infrastructure, for example telecommunications,
banking and emergency services. Such offences can be committed over computer
networks across national borders, harming individuals and potentially compromising
the security and the economy of the nation.
An offence committed in one country extends into another, and often into many
others, and is carried out with a speed and precision that ordinary investigation
cannot match.
The Information Technology Act, 2000 lays down a special procedure for the
investigation of, and further proceedings in, cybercrime; it has been contended
that this special procedure makes cybercrime investigation slow. Section 78 of the
Act provides that offences under the Act shall be investigated by a police officer
not below the rank of Inspector. Before the 2008 amendment of the IT Act, the power
of investigation rested with the Deputy Superintendent of Police. The object of the
amendment is to bring cybercrime investigation into the mainstream and treat it as
a sort of conventional crime: an Inspector can now register and investigate a
cybercrime just like any other offence. Even so, the investigation of cybercrime
involves many problems and many minute steps, and no single procedure is laid down
for it.
With the growth of the internet it is now possible for an individual sitting in
one country to hack into someone's account in another. To fight cybercrime, the
CBI has therefore created a specialised structure consisting of:
  1. Cyber Crimes Research and Development Unit (CCRDU)
  2. Cyber Crime Investigation Cell (CCIC)
  3. Cyber Forensics Laboratory
  4. Network Monitoring Centre
1. Cyber Crimes Research and Development Unit: This unit is responsible for
   keeping track of the changes and developments that take place in this
   constantly changing area. Its functions are:
   - To ensure cooperation and tie-ups with the State Police Forces.
   - To collect information about cases of cybercrime reported to the police
     for investigation.
   - To find out what follow-up action the investigating officer has taken in
     each case.
   - To tie up with software experts to locate and identify areas where the
     attention of the State police is required.
   - To collect information about cases occurring in other countries and
     prepare a monthly Cyber Crime Digest.
2. Cyber Crime Investigation Cell: The CCIC was established in 1999 but became
   operational in 2000. It works as part of the Economic Offences Division and
   has all-India jurisdiction to investigate offences under the IT Act, 2000.
   It is also the round-the-clock nodal point of contact for Interpol for
   reporting cybercrime in India, and a member of the Cyber Crime Technology
   Information Network System, Japan.
3. Cyber Forensics Laboratory: The CFL was established in 2003 and has the
   following functions:
   - To provide media analysis in support of criminal investigations conducted
     by the CBI and other law enforcement agencies.
   - To provide on-site assistance for computer search and seizure on request.
   - To provide consultation on investigations in which media analysis is
     probable or under way.
   - To provide expert testimony.
   - To carry out research and development in cyber forensics.
   The information it collects is used as evidence in a court of law.
4. Network Monitoring Centre: Its function is to police the internet, searching
   for unusual activity with a network monitoring tool.
For such evidence to be admissible in court, every process and formality must be
followed properly: each item must be seized in a proper legal manner and the chain
of custody must not be broken.
The purpose of these organs of the cybercrime department is to police the internet
so that cybercrime can be stopped before it is committed.
Investigation of Cybercrime
- Investigation Process and Methods
  The IT Act, 2000 is both substantive and procedural in nature: it describes the
  offences, the penalties and punishments, and the procedure for investigating
  cybercrime. Sections 78 and 80 deal with the power of investigation and the
  power of search and arrest of the accused. Since the provisions of the Act alone
  are not sufficient to meet the requirements, the Code of Criminal Procedure and
  the Indian Penal Code have also been amended to bring cybercrime within the
  ambit of the laws that govern traditional crime. All the traditional procedural
  laws on the investigation of crime therefore apply to cybercrime investigation
  as well.
- Search and Seizure in Cyber Crime investigation
  Cybercrime has no physical boundaries. A criminal seeking information stored in
  a computer that allows remote (dial-in) access can reach that information from
  virtually anywhere. The quantity of data that can be stolen, or the level and
  amount of damage that malicious code can cause, may be limited only by the speed
  of the network and the criminal's equipment.
i.   Advance Planning for the Search:
     The plan should include the following:
     - The place where the Investigating Officer is required to carry out the
       search;
     - A list of the computers, computer networks and other electronic storage
       devices that are expected to be found;
     - Usually a forensic team accompanies the search party. Where that is not
       possible, information should be collected in advance about the type,
       make, model, operating system, network architecture, type and location
       of data storage, remote access possibilities and so on, and passed to
       the forensic experts so that they can make the preparations needed to
       gather and preserve evidence;
     - The investigator or expert must carry the necessary media, software and
       other specialised items, including special packing materials, since
       data can be destroyed by dust, jolts and electrostatic discharge.
ii.  Precautions at the search location
     - Taking control of the location: The IO must ensure that the suspect or
       accused does not touch any part of the computer or any accessory attached
       to it, whether physically or through wireless means. The investigator
       needs to be extremely alert, and may seek guidance from an expert and act
       on the expert's instructions. Everyone present at the site of the search
       must be separated from their computers, and all devices must be kept out
       of their reach. The information on a computer network need not be stored
       at the same site: the data could reside at a remote location, even in a
       different country. It may therefore be important to find out where the
       data is stored and act accordingly. If the data is suspected to be stored
       outside the country, it will be necessary to alert Interpol and take
       steps to issue a letter of request under Section 166A of the Code of
       Criminal Procedure. Before starting the search, the investigator must
       decide whether to seize data on site or to seize the hardware for
       examination at a computer forensic laboratory. When in doubt, a computer
       forensics specialist at the scene decides whether data or hardware is to
       be seized; if no specialist is available, everything is seized.
     - Networked computers: Where networks or mainframes are involved, a
       computer must not simply be disconnected, since disconnecting it from the
       network may damage the network and harm the data. Seizing a mainframe is
       generally not advisable because it requires disconnecting all the
       computers attached to it. Hardware seizure of networked computers can be
       very complicated, and the help of a computer forensics specialist is
       required in such cases.
iii. Preparation for the Search
     The investigators must carry the following items, which will facilitate
     the search:
     - Disks or cartridges: to store copies of files from the computer.
     - Labels: to label cables and the sockets they plug into, disks and the
       various parts of the computer, and to write-protect disks.
     - Screwdrivers and other tools: to dismantle the hardware for seizure.
     - Gloves: so that latent prints on disks, other storage media or hardware
       are preserved and can be lifted.
     - Packing materials: rubber bands, tape, boxes, bubble wrap, anti-static
       wrap or paper bags.
     - Camera equipment: to videotape and photograph the place of
       investigation.
     - Custody report sheets and other paper on which to list the seized
       evidence.
iv.  Steps for the Search:
     - Labelling and photographing the set-up: The IO should take general
       photographs of the search place to document its pre-search condition for
       legal purposes and to serve as a reference during the investigation. This
       documentation may prove essential when the system is re-connected in the
       forensic laboratory. The IO should make sure to get close-ups of the
       front and back of all equipment and of the way it is connected, paying
       special attention to DIP switches on the rear of certain equipment that
       must be in a particular configuration; these switches could be moved
       accidentally in transport and create problems for the examiner.
     - Labelling all parts: The IO should label each part before dismantling
       any of the equipment. All connectors and plugs, at both ends, and the
       computer itself should be labelled so that re-assembly is easy and
       accurate.
     - Powering the system down: If a computer is off, it should not be turned
       on. A machine may have been set up to erase data if a particular disk is
       not in the drive, or a particular password is not entered, when it boots.
       If the computer is on, check it before switching it off, since an
       improper shutdown may destroy data. The IO should shut the machine down
       through the operating system rather than pulling the plug, or else
       disconnect the power cable at the back of the machine rather than at the
       wall: a machine connected to a back-up power supply would otherwise keep
       running and may initiate a shutdown process that destroys files.
       Whichever method is used, the contents of memory, the running processes
       and the open network connections are lost once the power is off; where
       these matter to the case, a forensic specialist should capture them
       before the machine is shut down.
     - Dismantling the system: Once labelled and powered down, the system can be
       dismantled into separate components for transportation. If the computer
       is at a business location and part of a network, the proper procedure for
       disconnecting it from the network should be followed.
     - Seizing documentation: All manuals for the computer, its peripheral
       devices and especially the software and operating system are seized; the
       examiners at the forensic laboratory need them to understand the hardware
       and its technicalities. Other documents such as notes, passwords and
       journals are also seized, as are sticky notes or other pieces of paper
       around the computer that may have passwords or login IDs written on
       them.
These are the techniques of search and seizure in the investigation of cybercrime.
Applying them can make the investigation effective.
Cyber Forensics
The word 'forensic' can be understood as the application of scientific methods and
techniques to the investigation of crime. Forensic science gives the investigator a
new and different way of investigating crime using modern techniques. The use of
forensic tools is essential in the investigation of technical crimes, because
criminals today use modern techniques to commit them. Forensic science therefore
offers a useful way of tracing the truth. It is very useful in traditional offences
too, since it has produced many methods that can be used to establish the truth
behind an incident, act or crime.
    Computer Forensics
         Computer forensics is the science of applying computer science to aid the
         legal process. It is more than a technical, systematic inspection of a
         computer system: it requires expertise and tools that go beyond the
         data collection and preservation techniques available to end-users or
         system support personnel. Computer forensics is the application of
         computer investigation and analysis techniques for the purpose of
         determining potential legal evidence.
    IP Address: When a cybercrime is committed using a particular device, one of
         the most useful ways of tracing the user is through the IP address.
IP address means Internet Protocol address. Every computer or device communicates
using an IP address, which is allotted on either a static or a dynamic basis, and
this is why law enforcement agencies throughout the world use IP addresses to trace
cyber criminals. It is the common means of tracing the person behind any crime
committed through the internet.
There are two types of IP address:
          a. Static, and
          b. Dynamic.
A static address is one allotted and configured by the administrator or the ISP
(Internet Service Provider) by editing the computer's network settings. It gives the
computer a single, constant, identifiable IP address that is easily attributable to
the computer using it.
A dynamic IP address is assigned by the Dynamic Host Configuration Protocol (DHCP),
a service running on the network; DHCP runs on network hardware such as routers or
on dedicated DHCP servers. A computer using a dynamic address holds it only for the
lease period; when the lease expires, or when the computer reconnects, it may be
given a different address, so the same address can belong to different devices at
different times.
The investigator should not rely solely on the IP address, however. When several
devices are connected to a router, all of them share the single external (public)
IP address provided by the ISP, while each has its own internal (private) address
on the local network, which is not visible to the outside world. Attributing a
public address to a particular device therefore requires the router's own records
(the translation or connection log and the DHCP lease records) for the exact time
of the offence; without them it becomes very difficult to find the true user of a
particular IP address.
Thus, although the IP address is one way of finding the real user of a device, it
cannot be the sole basis on which the investigator relies to trace the person.
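The attribution problem described above, as an added example that is not part of the original text: the investigator has a public IP address, source port and time taken from the victim's server log and must identify the device behind a home router using the router's NAT (connection) log and the DHCP lease log. All three logs are constructed for the example and their line formats are hypothetical, as are the function names; the public addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. The example also shows what goes wrong when the source port is not available (several devices then match the same public address) and how a dynamic address is held by different devices at different times.

```python
"""Attribute a public IP address seen by a victim to one device behind NAT.

Added example, not part of the original text. The three logs are
constructed and their line formats are hypothetical (a real router or
DHCP server logs differently); the matching logic is what matters.
All timestamps are UTC.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# What the victim's web server recorded: time, public source address:port,
# request, status. Constructed.
VICTIM_LOG_LINE = "2023-05-10T14:32:10Z 203.0.113.45:51234 GET /admin/login 401"

# Connection-tracking (NAT) log of the suspect's router: internal address:port
# translated to the public address:port, and the destination. Constructed.
NAT_LOG = """\
2023-05-10T14:31:58Z NAT 192.168.1.23:44012 -> 203.0.113.45:51233 dst 198.51.100.7:443
2023-05-10T14:32:09Z NAT 192.168.1.23:44013 -> 203.0.113.45:51234 dst 198.51.100.7:443
2023-05-10T14:32:09Z NAT 192.168.1.41:50211 -> 203.0.113.45:51235 dst 198.51.100.9:443
"""

# DHCP lease log of the same LAN. Constructed: 192.168.1.23 is leased to one
# device in the afternoon and, after that lease has expired, to another.
DHCP_LOG = """\
2023-05-10T13:00:00Z DHCPACK 192.168.1.23 aa:bb:cc:dd:ee:01 lease 3600
2023-05-10T14:00:00Z DHCPACK 192.168.1.23 aa:bb:cc:dd:ee:01 lease 3600
2023-05-10T14:05:00Z DHCPACK 192.168.1.41 aa:bb:cc:dd:ee:02 lease 3600
2023-05-10T18:00:00Z DHCPACK 192.168.1.23 aa:bb:cc:dd:ee:03 lease 3600
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class NatEntry:
    when: datetime
    internal_ip: str
    external_ip: str
    external_port: int


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str


def parse_nat_log(text: str) -> list[NatEntry]:
    entries = []
    for line in text.splitlines():
        when, _, src, _, ext, _, _ = line.split()
        ext_ip, ext_port = ext.rsplit(":", 1)
        entries.append(NatEntry(parse_ts(when), src.rsplit(":", 1)[0], ext_ip, int(ext_port)))
    return entries


def parse_dhcp_log(text: str) -> list[Lease]:
    leases = []
    for line in text.splitlines():
        when, _, ip, mac, _, secs = line.split()
        start = parse_ts(when)
        leases.append(Lease(start, start + timedelta(seconds=int(secs)), ip, mac))
    return leases


def internal_hosts(nat: list[NatEntry], ext_ip: str, ext_port: int | None,
                   when: datetime, window: timedelta = timedelta(seconds=5)) -> set[str]:
    """Internal addresses translated to ext_ip (and ext_port, if known) within `window` of `when`."""
    return {e.internal_ip for e in nat
            if e.external_ip == ext_ip
            and (ext_port is None or e.external_port == ext_port)
            and abs(e.when - when) <= window}


def lease_holder(leases: list[Lease], ip: str, when: datetime) -> str | None:
    """MAC address that held `ip` at `when`, or None if no lease covers that moment."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.mac
    return None


def attribute(victim_line: str, nat_text: str, dhcp_text: str,
              use_port: bool = True) -> dict[str, str | None]:
    """Map the public source address in the victim's log line to {internal_ip: mac}.

    With the source port the match is unique; without it (use_port=False) every
    device that was talking out through the same public address at that moment
    is a candidate, which is exactly why the IP address alone does not identify
    the user.
    """
    when_s, addr, *_ = victim_line.split()
    ext_ip, ext_port = addr.rsplit(":", 1)
    ipaddress.ip_address(ext_ip)  # reject a malformed address before using it as a key
    when = parse_ts(when_s)
    hosts = internal_hosts(parse_nat_log(nat_text), ext_ip,
                           int(ext_port) if use_port else None, when)
    leases = parse_dhcp_log(dhcp_text)
    return {h: lease_holder(leases, h, when) for h in sorted(hosts)}


if __name__ == "__main__":
    print("with port:   ", attribute(VICTIM_LOG_LINE, NAT_LOG, DHCP_LOG))
    print("without port:", attribute(VICTIM_LOG_LINE, NAT_LOG, DHCP_LOG, use_port=False))
```

The time window and the source port are what make the match unique; in practice the public address, port and an accurate timestamp (with the time zone and the clock skew of each log understood) must all be preserved from the victim's side, or the ISP and router records cannot narrow the candidates to one device.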
           General stages in Digital Forensic Investigation
      A computer forensic investigator follows certain procedures:
               a. Identifying the crime, along with the computer and other tools
                   used in committing it.
               b. Gathering evidence and building up a proper chain of custody.
               c. Once the data is recovered, imaging it and making verified
                   duplicates, so that the analysis is carried out on the
                   duplicate rather than on the original.
               d. Finally, acting as an expert witness and presenting the
                   evidence in court.
      The forensic investigator thus becomes a tool that the law enforcement agency
      uses to track and prosecute cyber criminals.
Challenges faced
  1. Jurisdiction
     Jurisdiction is a very important notion in the execution of any law in any
     country. It is of two types, territorial and personal. Cybercrime often
     crosses national boundaries, and that is when jurisdiction becomes a
     complicated matter. Countries differ in their standards for civil and
     criminal offences, in substantive and procedural law, in data collection and
     preservation practices, and in other evidentiary and juridical factors.
     Moreover, it is often ambiguous whose responsibility it is to deal with a
     specific crime or to conduct an investigation, or how to collaborate through
     extradition and mutual assistance policies. This plays out not only at the
     global level but also within nations where several law enforcement
     departments are involved. Because of the nature of cybercrime, the
     traditional notion of jurisdiction needs to change. That notion is
     predicated on the territorial theory and the physical presence theory. The
     territorial theory protects the territorial integrity of the state, giving
     it the power to investigate and inquire into any crime within its territory.
     Under the physical presence theory, the presence of a person or property in
     a state is the basic ground on which a legal authority exercises its
     jurisdiction. Cybercrime is different, and both theories fail in certain
     situations.
  2. Impact of the internet upon the territorial notions of jurisdiction
     Internet communication goes beyond state boundaries, creating a new realm
     of human activity and weakening the legitimacy of applying laws based on
     territorial boundaries. Some territorially based law-makers and law
     enforcement authorities see this new environment as a threat. A state is
     territorial in nature, while the internet is not restricted by territorial
     boundaries.
     With the problem of jurisdiction in view, the CrPC and the IPC were amended
     when the IT Act, 2000 was enacted. Chapter XIII of the CrPC (Sections
     178-186 and Section 188) was meant to enlarge the ambit of local
     jurisdiction. Apart from dealing with crimes committed in India, the CrPC
     also supplements Section 4 of the IPC, which extends the IPC to
     extra-territorial offences. The amended Section gives the Indian courts the
     power to deal with a matter if the affected computer resource is situated
     in India. These rules reflect the legitimate authority of a sovereign state
     over its citizens, not only on its own land but on foreign soil as well.
     The amendment thus goes some way towards providing jurisdiction, but the
     section still cannot be executed without the cooperation of the other
     State.
  3. Electronic/Digital Evidence
     Electronic evidence is any material that exists in electronic or digital
     form. It may be stored or transmitted, and may take different forms such as
     computer files, transmissions, logs, metadata or network data.
Digital forensics deals with the recovery of volatile and easily contaminated
information that may have evidential value. Forensic techniques include creating
bit-for-bit copies of stored and deleted information, computing cryptographic file
hashes or digital signatures that can demonstrate any change in the information,
and write-blocking to ensure that the original information is not altered.
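A worked version of those three techniques, added here as an example and not part of the original text: a constructed eight-sector "drive" is imaged bit-for-bit (which preserves a deleted note that an ordinary file copy misses), the image is hashed block by block, and the hash is taken again at every hand-over so that a single flipped bit in the copy is detected and pinned to an interval in the chain of custody. The EvidenceDisk class is a software stand-in for a hardware write-blocker; the drive contents, the custodians and the timestamps are all constructed, and the function names are hypothetical. The same block illustrates the chain-of-custody and imaging steps listed under the general stages of a digital forensic investigation above.

```python
"""Bit-for-bit imaging, hash verification and write-blocking.

Added example, not part of the original text. The "drive" is a constructed
byte string standing in for a seized medium, and EvidenceDisk is a software
stand-in for a hardware write-blocker; the techniques shown (physical versus
logical copy, block-wise hashing, re-hashing at every hand-over in the chain
of custody) are the ones the text describes.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SECTOR = 512


class WriteBlocked(Exception):
    """Raised when anything attempts to modify the original evidence."""


class EvidenceDisk:
    """Read-only access to the seized medium. Reads go through; writes are refused."""

    def __init__(self, raw: bytes):
        self._raw = bytes(raw)

    @property
    def sectors(self) -> int:
        return len(self._raw) // SECTOR

    def read_sector(self, n: int) -> bytes:
        return self._raw[n * SECTOR:(n + 1) * SECTOR]

    def write_sector(self, n: int, data: bytes) -> None:
        raise WriteBlocked(f"write to sector {n} refused: medium is write-blocked")


def build_evidence_disk() -> bytes:
    """Constructed 8-sector drive: sectors 0-2 hold a live file, sector 3 is
    unallocated but still contains a deleted note, sectors 4-7 are blank."""
    live = b"Invoice 2023/117: pay Rs. 4,50,000 to account 0011223344".ljust(3 * SECTOR, b"\0")
    deleted = b"[deleted] actual beneficiary account 9988776655".ljust(SECTOR, b"\0")
    return live + deleted + b"\0" * (4 * SECTOR)


LIVE_FILE_SECTORS = range(0, 3)  # what the file system's allocation table reports as in use


def physical_image(disk: EvidenceDisk) -> bytes:
    """Bit-for-bit copy: every sector, allocated or not, so deleted data survives."""
    return b"".join(disk.read_sector(i) for i in range(disk.sectors))


def logical_copy(disk: EvidenceDisk, allocated: range) -> bytes:
    """Ordinary file copy: only the sectors the file system says are in use."""
    return b"".join(disk.read_sector(i) for i in allocated)


def sha256_hex(data: bytes) -> str:
    """Hash block by block; real images are far too large to hold in memory at once."""
    h = hashlib.sha256()
    for i in range(0, len(data), SECTOR):
        h.update(data[i:i + SECTOR])
    return h.hexdigest()


@dataclass
class CustodyEvent:
    when: datetime
    holder: str
    action: str
    sha256: str


@dataclass
class EvidenceItem:
    label: str
    acquisition_sha256: str          # hash taken at the scene, with the original still present
    events: list = field(default_factory=list)

    def record(self, holder: str, action: str, image: bytes, when: datetime) -> CustodyEvent:
        """Every hand-over re-hashes the image, so any alteration is pinned to an interval."""
        ev = CustodyEvent(when, holder, action, sha256_hex(image))
        self.events.append(ev)
        return ev

    def broken_links(self) -> list:
        """Hand-overs at which the image no longer matched the acquisition hash."""
        return [ev for ev in self.events if ev.sha256 != self.acquisition_sha256]


def demo() -> dict:
    disk = EvidenceDisk(build_evidence_disk())
    image = physical_image(disk)
    item = EvidenceItem("HDD-1", sha256_hex(image))
    t0 = datetime(2023, 5, 10, 15, 0, tzinfo=timezone.utc)
    item.record("investigating officer", "acquired at the scene", image, t0)
    item.record("laboratory examiner", "received for analysis", image, t0 + timedelta(hours=6))
    tampered = bytearray(image)
    tampered[0] ^= 0x01                 # a single flipped bit anywhere in the image
    item.record("storage clerk", "returned from storage", bytes(tampered), t0 + timedelta(days=2))
    return {
        "deleted_note_in_physical_image": b"9988776655" in image,
        "deleted_note_in_logical_copy": b"9988776655" in logical_copy(disk, LIVE_FILE_SECTORS),
        "broken_links": [ev.holder for ev in item.broken_links()],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The acquisition hash is the value that belongs on the custody report sheet and, later, in the Section 65B certificate: every subsequent examiner re-computes it on the copy they received and records the result, so that a mismatch identifies the interval in which the evidence was altered rather than merely the fact that it was.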
In cybercrime the evidence may be in any form.
Digital evidence is any information stored or transmitted in digital form that a
party to the case may use at trial. Whenever digital evidence is submitted in a
court of law, before accepting it the court will determine whether the evidence is
relevant and whether it is admissible as evidence. The court also determines
whether it is hearsay and whether the original is required or a copy is acceptable.
The amendment of the Evidence Act, 1872 has brought electronic documents within
the purview of evidence. The definition of documentary evidence has been amended to
include electronic records produced for inspection by the court.
Section 3 of the Indian Evidence Act, 1872 defines evidence as follows:
"Evidence means and includes
1) all statements which the Court permits or requires to be made before it by
witnesses, in relation to matters of fact under inquiry; such statements are
called oral evidence;
2) all documents including electronic records produced for the inspection of the
Court; such documents are called documentary evidence."
The Indian Evidence Act now includes new sections, Sections 65A and 65B, which
provide how the contents of electronic records may be proved in a court of law.
Sec. 65B(1): Notwithstanding anything contained in this Act, any information
contained in an electronic record which is printed on a paper, stored, recorded or
copied in optical or magnetic media produced by a computer shall be deemed to be
also a document, if the conditions mentioned in this section are satisfied in
relation to the information and computer in question and shall be admissible in
any proceedings, without further proof or production of the original, as evidence
of any contents of the original or of any fact stated therein of which direct
evidence would be admissible.
Sec. 65B(2): This sub-section lists the technical conditions on which a duplicate
copy (including a print-out) of an original electronic record may be used.
Sec. 65B(3): This sub-section provides that information processed or stored over
a period shall be treated as produced by a single computer whether it was
produced:
    - by a combination of computers operating over that period; or
    - by different computers operating in succession over that period; or
    - by different combinations of computers operating in succession over that
      period; or
    - in any other manner involving the successive operation over that period,
      in whatever order, of one or more computers and one or more combinations
      of computers.
Sec. 65B(4) states that, for the purpose of admissibility, a certificate doing any
of the following things:
    - identifying the electronic record containing the statement and describing
      the manner in which it was produced;
    - giving such particulars of any device involved in the production of that
      electronic record as may be appropriate for the purpose of showing that
      the electronic record was produced by a computer;
    - dealing with any of the matters to which the conditions mentioned in
      sub-section (2) relate,
and purporting to be signed by a person occupying a responsible official position
in relation to the operation of the relevant device or the management of the
relevant activities (whichever is appropriate) shall be evidence of any matter
stated in the certificate; and for the purposes of this sub-section it shall be
sufficient for a matter to be stated to the best of the knowledge and belief of
the person stating it.
Section 17 of the Indian Evidence Act deals with admissions; it now includes
statements made in electronic form.
Section 22A of the Indian Evidence Act, 1872 deals with the relevancy of oral
admissions as to the contents of electronic records. It provides that oral
admissions as to the contents of electronic records are not relevant unless the
genuineness of the electronic record produced is in question.
Section 88A of the Evidence Act, 1872 gives the court the discretion to presume
that an electronic message forwarded by the originator through an electronic mail
server to the addressee corresponds with the message as fed into his computer for
transmission. Section 88A also makes clear that the court shall not make any
presumption as to the person by whom the electronic message was sent. The law thus
recognises the vulnerability of electronic messages to fabrication.
The next amendment to the Indian Evidence Act, 1872 is Section 45A, which provides:
"45A. Opinion of Examiner of Electronic Evidence. When in a proceeding, the court
has to form an opinion on any matter relating to any information transmitted or
stored in any computer resource or any other electronic or digital form, the
opinion of the Examiner of Electronic Evidence referred to in section 79A of the
Information Technology Act, 2000 (21 of 2000) is a relevant fact."
Thus, various provisions of the Evidence Act deal with electronic or digital
evidence.
General Problems in Investigation
  - The police force is not properly trained in modern methods of criminal
    investigation, nor in gathering scientific evidence to present a strong case
    in court. This is why the gap persists between the reporting of a crime, the
    arrest of a suspect and the successful prosecution of the accused.
  - Training is restricted to traditional methods and does not extend to modern
    techniques of criminal investigation. Further, the method and content of the
    data collected and recorded during investigation vary from State to State.
    With cross-border crime now frequent, tracing criminals is a challenge for
    any State police in the absence of criminal data sharing and cooperation.
    The data collected and recorded by the National Crime Records Bureau (NCRB)
    is basic, and access to it at all levels is limited. The police machinery
    therefore needs to develop its way of working, and the State needs to
    provide technical training for investigating cybercrime.
  - It is very difficult to collect the evidence, and even once collected the
    next difficulty is to preserve it until it is submitted in court.
  - Quality of investigation and documentation:
    - The police are unable to investigate effectively for lack of modern
      equipment such as cameras and video equipment.
    - Forensic science laboratories are short of equipment; at district level
      there is no laboratory that can give the investigating police timely
      assistance.
    - There is also a scarcity of forensic and cyber experts in the police
      departments of the various States. As a result the police rely heavily on
      oral evidence instead of scientific and circumstantial evidence.
    - Sufficient care and effort are not given to examining and recording the
      statements of witnesses.
    - Statements, FIRs and reports are not entered into the computer
      immediately, whether for lack of a computer network, lack of training or
      lack of specific instructions.
There is a need to change the traditional method of investigation and to use
scientific methods to ensure the proper and speedy conviction of cybercriminals.