Seizure of Digital Evidence: It involves (a) calculating the hash value of the suspect storage media, (b) creating a digital fingerprint of the same at a system on chip (SoC) and (c) calculating the hash value of the forensic image as well.
- Digital evidence may look simple to gather, but maintaining its reliability, integrity and legal relevance is always challenging. The E.O. should adopt a thorough, professional approach and follow the guidelines prescribed here and those provided from time to time.
- No file should be opened without using a write blocker. Otherwise, the timestamps would change, which amounts to tampering with the evidence.
- A permanent, sterile, new physical storage medium should always be used. In the case of an already used hard disk, all previous data must be wiped off prior to the forensic storage.
- The new physical media must be fire proof and tamper proof. Immediately after the data is imaged onto it, it should be marked with a unique exhibit number related to the case.
- Thereafter, a unique number should be given to the contents of the forensic storage media, duly computed through a hash algorithm. This number should be mentioned in the panchanama to authenticate the evidence in future.
- It should be verified and cross-checked that the hash value of the original evidence (say N1) and those of the imaged copies (N2, N3, N4 etc.) are the same.
- The seizure memo should be prepared in the format prescribed (Form-4 of Schedule-1) and the evidence sent to the Cyber Cell/FSL/Court for further analysis or presentation.
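The cross-check of N1 against N2, N3 etc. described above can be scripted. The following is an added example, not part of the original guidelines; it assumes SHA-256 as the hash algorithm (the guidelines do not name one), and the file names N1.dd, N2.dd and N3.dd are constructed sample data.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image is never held in memory


def hash_media(path, algorithm="sha256"):
    """Return the hex digest of a file or raw device.

    The path is opened for reading only; the original media should still be
    attached through a write blocker, as the guidelines require.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_copies(original, copies, algorithm="sha256"):
    """Compare N1 (original) with N2, N3, ... (imaged copies).

    Returns (n1, results); results maps each copy path to (digest, matches_n1).
    """
    n1 = hash_media(original, algorithm)
    results = {}
    for copy in copies:
        n = hash_media(copy, algorithm)
        results[copy] = (n, n == n1)
    return n1, results


def demo():
    """Constructed sample: an 'original', a faithful copy and a copy with one bit changed."""
    data = os.urandom(3 * CHUNK + 17)  # deliberately not a multiple of CHUNK
    altered = data[:-1] + bytes([data[-1] ^ 1])
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"N1.dd": data, "N2.dd": data, "N3.dd": altered}
        for name, payload in samples.items():
            with open(os.path.join(tmp, name), "wb") as out:
                out.write(payload)
        n1, results = verify_copies(
            os.path.join(tmp, "N1.dd"),
            [os.path.join(tmp, "N2.dd"), os.path.join(tmp, "N3.dd")],
        )
        return n1, {os.path.basename(p): r for p, r in results.items()}


if __name__ == "__main__":
    n1, results = demo()
    print("N1   ", n1)
    for name, (digest, ok) in results.items():
        print(name, digest, "MATCH" if ok else "MISMATCH: re-image before relying on this copy")
```

A single changed bit in a copy yields a different digest, which is why the value recorded in the panchanama can later authenticate the evidence.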
The digital evidence so collected should always be preserved in an anti-static cover with all details and a tag/barcode, with separate inventory lists for all the media seized bearing the case/other reference number, and stored in a dry and cool place.