Executive Summary
Digital evidence gathering and its analysis is an essential and integral part of any investigating or enforcement agency in modern day India. Digital forensics is becoming an increasingly powerful tool for the Income Tax Department in its fight against tax-evasion. This article focuses on proper understanding of digital evidence and its proper methods of collection and presentation. The article proposes useful procedures and steps in ensuring that any critical data collected and digital evidence discovered, which is useful in fulfilling the objectives of Income Tax Department, should be admissible in any Court of law in India and its authenticity and integrity should be unquestionable.
(A) Introduction
In the era of computerisation and digitisation the day to day working of offices is changing from paper world to paperless world. There is a sea change in the technology and consequently having an impact on the working and work culture of offices whether it may be a private office or public office. Everywhere people are now exposed to the digital world. The computer and digital technology is not only easy to use but also help in processing the information, its storage and transmission easy in digital form. Due to its veracity and credibility of records, the laws of various countries are recognizing electronic records as evidence.
Digital evidence gathering is becoming an increasingly powerful tool for the Income Tax Department in its fight against tax-evasion, help reconstruct past event or activity and show the evidence of policy violation or illegal activity. The digital evidence collected and presented should be admissible in law and steps should be taken to maintain integrity of the data.
Digital evidence, which is ephemeral, poses problems for searching and seizing. Problems posed by recovery of deleted evidence are the challenges which law enforcement agencies have to tackle. These are one form of credible documents/ evidences similar to paper documents/evidences. As these are of diverse and hi-tech nature and available in form of software and programmed form, these are generally stored in various digital storage devices as a hardware come in a large variety of technology, shapes and sizes e.g.
- Harddisks IDE/ATA/PATA/SATA/SCSI/SAS Laptop Hard Disks – 2.5 & 1.8
- USB Pen-drives and various types of Flash drives.
- USB i-Pods, USB MP3 players
- CD & DVD Media, Floppy Media
- Mobile SIM cards, Memory Card & Device‘s internal memory
(B) The Challenges
Due to its diverse and hi-tech nature of these documents/evidences, it poses a key challenge before enforcement agencies like Income Tax Department. Following are as below:-
- The records including books of account maintained on papers are mostly replaced by documents in digital form.
- Most organizations use networks connecting different PCs, and servers spread across various geographical locations and poses challenge on sovereignty issues.
- Computer data including books of account are easy to modify, alter, delete or hide.
- It is very easy to protect data by passwords and encryption making deciphering of real data an extremely difficult task.
- Different kind of software, platforms and customized applications used for varied business purposes.
- Digital data being often stored on networked servers which are normally/ remotely accessed.
- Shared International Networks and Platforms having transnational jurisdictions.
- “cloud server”, i.e., a server located in even a foreign country thousands of miles away and the searched / surveyed party is sitting merely with a monitor/ laptop.
- Specialized skills are required to identify relevant data, safely retrieve them, and properly analyze them for their evidentiary value.
- Subsequently produce them in a manner that their integrity can be established in any formal proceedings such as assessment/ appeals and prosecution, etc.
- With ever changing and improving technology, skills are also required to be honed and updated regularly.
As mentioned above, these are some of the major challenges before the department. Not only these challenges bring a hurdle to the working and investigation of this digital information but also bring lack of standardization in the methods and practices followed for above purpose. Now days the current practice followed during search/ survey operations includes:- Taking hard copies of data and seizing the same, Using a CD writer or USB pen drive or USP Portable Hard Drive to take copy of data on the original hard disk and Seizing Hard disks or computers and taking them to office. Now these practices are cannot be said to be of standard nature as it has some shortcomings like-
- These methods are forensically unsound. If proper procedures are not followed data integrity and authenticity can be compromised.
- When a system, seized on a particular date, is switched on/ booted at a later date to view its content, the date and time of opening these files automatically get modified.
- The anti-virus software on the Investigator‘s system scans files on the seized hard disk, This anti-virus program may even delete or quarantine critical evidence on the seized disk.
- Accessing a system or hard disk in any way without the use of “write-protect” devices causes change in the hash value or digital fingerprint of the disk. This can render the evidence on such disks inadmissible.
Now after exposing with the key challenges and shortcomings with the practices the department is facing vis-à-vis the digital documents/evidences. Let’s see legal definition and characteristics of Digital documents.
“Digital evidence” or “Electronic Evidence” is any probative information stored or transmitted in digital form that may be used before the courts/ Income-tax authorities.
Section 79A of the IT (Amendment) Act 2008 defines electronic form evidence as-
“any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines”
(C) Main Characteristics of the Digital Evidences
1. It is latent as fingerprints and DNA.
2. Can transcend national borders with ease and speed.
3. Highly fragile and can be easily altered, damaged or destroyed and also time sensitive.
(D) Forms of Digital Evidences
As it is seen from above that how fragile the information in digital form is. Now let’s see in what forms are these digital information are available. There are wide range of the digital evidence which include:
- E-mail word processing documents,
- Data base tables,
- Files saved from accounting programs, digital photographs,
- ATM transaction logs,
- Instant message histories,
- Internet browser histories,
- The contents of computer memory, computer back-up,
- Global positioning system tracks,
- Digital video or sound files,
- Data stored in mobile telephones and
- The data stored in all types memory storage devices
(E) Digital Devices & Evidences
Further, for proper and understanding in easy way there are some examples of which kind of digital device can store what form of information as below:
| S. No. | Digital Device |
Potential Evidence/Information |
| 1. | A Desktop Computer | Files and folders stored including deleted files and information which may not be seen normally. Analysis of key document files like word documents, excel files, email‘s, tally data may help in unearthing potential evidences. |
| 2. | Pen drives | The device stores many files and may be hidden easily. In many cases the parallel books of accounts maintained as tally data or excel sheets are kept in Pen Drives that can be easily hidden |
| 3. | Hard disks | The device stores many files and may be hidden easily.
Backup of earlier years may be kept and may be easily hidden |
| 4. | Handheld Devices like Mobile Phones (Smart Phones), I Electronic Organizer, IPAD, Personal Digital Assistant etc | Information like Address Book, Appointment calendars/ information, documents, emails, phone book, messages (text and voices), video recording, email passwords etc. Many applications like CHAT, Whatsapp application can store many crucial conversations. Remittances and transactions done for fund transfer through mobile phone service providers utilizing money deposited with the latter bypassing banking channels. Details of online business platform www.amazon.com |
| 5. | Smart cards, Dongles and Biometric Scanners | The device itself enables to understand the user level access to various information and places. |
| 6. | Answering Machines | The device can store voice messages and sometimes, the time and date information about when the message was left. It may have details such as last number called, memos, phone numbers and names, caller identification information and also deleted message. |
| 7 | Modems, Routers, Hubs and Switches | The device may contain details of IP addresses where the actual data is stored. |
| 8 | Servers | Contains crucial data on business related applications like SAP, ERP, CRM, Mail Servers. The device is a potential evidence for pulling out audit logs using forensic analysis. emails of key persons. |
| 9 | devices like SD Cards in Mobile phones | All new generation phones use these and store files in which evidence can be found. |
| 10 | Scanners and Copiers | The device itself, having the capability to scan may help prove illegal activity like making bogus bills etc. Copiers may also contains stored data which can be crucial evidences. |
| 11 | Digital Cameras | The device can be looked for images, videos, sounds, removable cartridges, time and date stamps |
| 12 | pagers | The device can be looked for address information, Text message and phone numbers |
| 13 | CDs/DVDs/ Floppy disks | The device stores many files which may contain the Evidence |
| 14 | Fax Machines | The device stores some documents, phone numbers, send/receive logs that can contain the evidence |
| 15 | Global Positioning Systems (GPS) | The device may provide travel logs, home location, previous destinations etc which may be crucial in finding places where evidences may be stored. |
| 16 | Cloud Data Servers | The Cloud may be used to store hidden data where crucial evidences may be stored. Some enterprises offer service for storage of commercial data in servers located in foreign countries and business data are stored there through internet – which can be accessed as per terms and conditions. |
(F) Digital Evidence Identification
Below are some pictorial representations which are looked at one instant as general and common form of item used generally for some miscellaneous activities, but these can also be used to store any form of digital information and can be camouflaged easily
(G) Significance of Digital Evidence & Precautions
As can be seen from above, it is quite clear that how the digital world is changing all aspects of business and its working and subsequently posing many challenges before enforcement agencies. At the same it is to be seen that now digital information is becoming an increasingly powerful tool in the hand of these agencies because of veracity and credibility of these virtual information for bringing an investigation to its end not only procedurally but also legally. These digital documents are significant for the following-
- Digital evidence gathering is becoming an increasingly powerful tool for the department in its fight against tax-evasion.
- Help reconstruct past event or activity.
- Show the evidence of policy violation or illegal activity.
- Ensure the overall integrity of network infrastructure.
- Also it has to be seen that there are critical challenges in dealing with these documents as below:
- The digital evidence collected and presented should be admissible in law and steps should be taken to maintain integrity of the data.
- Digital evidence, which is ephemeral, poses problems for searching and seizing.
- Problems posed by recovery of deleted evidence are the challenges which law enforcement agencies have to tackle.
- It is very easy to keep digital data in encrypted or password protected mode. It is difficult to decipher the real information without knowing and getting the password or without having the key to the encryption.
As seen above, the difficulties faced in dealing with these documents, it is rather important for these agencies to be proactive and careful in handling these data because in one way or the other they are going to paly a very important role in carrying the investigation further and for the justification of it. Therefore following points to be followed as a standard part of procedure-
- Evidence has to be gathered in such a way that the same would be accepted by a court of law.
- Every care must be taken to avoid doing anything which might corrupt or add to the data, even accidentally or cause any other form of damage. The use of standard methods and procedures would diminish this risk of damage.
Further, in order to keep the integrity of data in secured condition. It is essential that no changes should be made while handling digital evidence. A change of a single Bit may render the whole evidence inadmissible. This can be achieved by write blocking the storage media which is intended to be acquired/ seized by adopting a technology commonly referred to as —Write Block. This is a technology, which ensures that nothing is written on a particular storage media that has been write blocked. Bit stream imaging is a process by which a storage media is copied by reading each bit and then transferring it to another storage media thereby ensuring that an exact copy of the original digital evidence is prepared. Bit stream imaging differs from copying. Bit Stream Imaging is the safest technique to acquire digital evidence sources and it is a mirror image of the copied disk with the same hash value.
Mathematical hashing is equivalent to one-way encryption. All digital evidence at the lowest level translates into a big numerical number. The preacquisition hash is computed to maintain the authenticity and integrity of the evidence when it is seized/ received for the Examination. For evidence authentication, it must be proven to be genuine to be admissible in a court of law.
(H) Gathering Digital Evidence – Standard Operating Procedure
i. Evaluating the Premises – Before entering a premise suspected of having digital evidences, the entry and exit points should be identified and secured, along with all possible windows/ stairs/ structures which can be either used to destroy such evidence or used to carry such evidence out of the premise.
ii. Entry and Element of Surprise – This is very crucial as this enables the Department to prevent any untoward activity/ measures which might obstruct in collection of digital evidence.
iii. Secure the premises both physically and electronically to prevent destruction of evidence.
iv. Taking control of mobile phones and putting it on flight mode, disabling the internet, LAN, CCTV to isolate communication of the premise from the outside world.
v. Identification and photographing of the server room and other major facility.
vi. Identification of location of servers-such as File server, Database Servers, Mail Servers and Accounting Servers etc and ascertaining On system and shut system protocols.
vii. Collection Passwords: such as BIOS password, Operating System password, Password for MS office files, Password for Tally files and any customized software, Password for Gmail, Hotmail etc, Password for Online Accounting Software.
viii. Identification of Customized Software Used: collect information such as vendor of the software‘s, database used by the software, their file format and passwords. If the software are operated with smart card/dongle keys, (small hardware token keys generally validated through the USB port); then one must take possession of the smart card/dongle keys as in the absence of such keys software will not function.
ix. Identification of Cloud Data: Cloud data is any data which is stored on a remote server. The types of data typically stored on remote servers can be email, ERP application data or company intranet. Cloud hosting can be of following types:
a. Physically hosted server (also known as Colocation hosting): when server is stored off-premises in a dedicated secure data center owned by a large service provider like Tata Communications, Net Magic, Bala Sai etc. Usually this should be in the same city or a nearby metro location. Sometimes this can also be located in another state of country.
b. Virtually hosted server: Typically virtually hosted servers have no dedicated physical hardware assigned to it. Examples are Amazon EC2, Digital Ocean, Linode etc.In order to extract data from such remote servers; administrator level access on the Virtual machine is required. The data backup or image acquisition has to be run remotely and it will take a very long time for such acquisition to complete because of the bandwidth issues.
x. Identification of Encrypted Volume of Data:
There are some cases where Assesses store its important data in encrypted volume using application like TrueCrypt, Bitlocker etc. Using a program call TCHunt we can detect an encrypted Volume.
xi. Identification of history of USB media connections: In many cases we have found a printed piece of paper of interest but no corresponding document. Even after searching all the PCs on premise no trace of such document can be found. One the possible explanation of such a puzzling situation may be that the document itself is stored on portable media such as USB drive. In such case, it is important to ascertain whether USB devices were connected and how recently on all on premise PCs.
(I) Principles of Evidential Value
No actions performed by investigators should change data contained on digital devices or storage media. Individuals accessing original data must be competent to do so and have the ability to explain their actions. An audit trail or other record of applied processes, suitable for independent third-party review, must be created and preserved, accurately documenting each investigative step. The person in charge of the investigation has overall responsibility for ensuring the above-mentioned procedures are followed and in compliance with governing laws. Below are some practices that should necessarily be followed for data authentication and sanctity.
Digital Evidence Collection Form
It ensures proper documentation of all the information about the evidence that is visible to the naked eye. It should contain the following details:
- Case Name/Date of Search/Name of the Authorized Officer and Address of acquisition
- System Information like Device Type/ Manufacturer/Model Number/Serial Number/BIOS Date(Time)
- Type of Media
- Details of Forensic Software and Version Number
Chain of Custody Form
Chain of custody refers to the chronological documentation that shows the people who have been entrusted with the evidence. It should document the details of the people who seized the equipment, the details of people who transferred it from the premise to forensic labs, people who are analyzing the evidence, the details on when all it was opened and so on. Because evidence can be used in a court to convict persons of crimes, it must be handled scrupulously careful manner to avoid later allegations of tampering or misconduct.
Certificate u/s.65B
Further, special provisions as to evidence relating to electronic record have been inserted in the Indian Evidence Act, 1872 in the form of section 65A & 65B, after section 65. These provisions are very important. They govern the integrity of the electronic record as evidence, as well as, the process for creating electronic record. Importantly, they impart faithful output of computer the same evidentiary value as original without further proof or production of original. Accordingly, while handling any digital evidence, the procedure has to be in consonance of these provisions. So, the authorized officer should ensure that each and every piece of digital media that has been secured and seized should be certified by a digital forensic team.
CERT (Computer Emergency Response Team)
If in some sensitive cases, if a piece of digital media contains very sensitive information or there might of suspicion/ allegation of digital tampering, then that media should be verified and its authenticity and sanctity should be certified by a computer scientist from CERT, so as to maintain its admissibility in Courts.
(J) Conclusion
Digital frontier is a rapidly changing and evolving environment. Smartphone have achieved saturation in just 10 years. Unlocking the data held on them has increasingly needed to be used as vital evidence. However as apps and the data held within them have moved into the cloud. Data of Gmail, Drop box, Google Drive, Whats App is actually stored in the cloud, not on the device itself.
- Identification of Cloud Data – Cloud data is any data which is stored on a remote server. The types of data typically stored on remote servers can be email, ERP application data or company intranet.
- Physically hosted server & Virtually hosted server
- Cloud hosted data
- Artifacts of cloud data
- Most mid-to-large size businesses in India tend to employ some ERP system other than Tally for various reasons. Such ERP system almost invariably is a RDBMS (relational database management system) with a front end in the form of Windows/ Java/ Web based application.
- Custom made ERP systems:
- Readymade ERP systems: Systems such as SAP, Microsoft Dynamics, Oracle Financials, RAMCO are examples of ERP stacks which can be bought and implemented
- The structure of a typical high level ERP is something like –
It is very much possible that all 3 tiers are hosted on separate servers.
- From data perspective – Database Tier‘is most important. Hence backup of the RDBMS is must. Usually if RDBMS table structure is known standard issue reports such as ‘Purchase order details by year‘, ‘trial balance by year‘, ‘cash transactions by year‘ can be extracted from the database itself.
- But if the goal is to recreate the complete ERP application off-site then imaging all the machines involved from ‘Database‘ and ‘Business logic‘ tier and one of the client machines is must. This is the bare minimum strategy required to recreate the entire system offline.
- Following are the big 3 ERP systems used by mid-to-large size businesses in India which have relational databases as their back-end- a) SAP, b) Microsoft Dynamics and c) Oracle Applications. There are small India specific ERP software developers like Udyog, Ramco, Quadra which are also used to a lesser extent. All of them follow multi-tier software architecture.
- For Income Tax Department, backup perspective taking back-up of database tier is a must. In many cases Business logic tier and database tier are part of the same system. In that case imaging done for a single machine would suffice. If that’s not the case then separate imaging would need to be taken for machine hosting business logic and machine hosting database. You can take help of the system administrator to take back up of the database tier and structure of the same and also take help of the business applications manager to recreate the environment at your office. Where customized accounting package or ERP is being used, a dummy server (assessee may be asked to help) with the same application and database software on an ordinary computer with proper license can be prepared. After the dummy server is ready, the cloned copy of the server can be attached with this dummy server and the database inside this cloned copy can be easily linked with the accounting package or ERP. This will give us a complete working copy of their application without disturbing their ongoing business.
2.5 quintillion bytes of data is added every day to the digital sphere. Too much parameters and keywords under enquiry, and a search might go overbroad; too little, and investigators could miss important data for their case.
There are costly legal procedures associated in filing a MLAT (mutual legal assistance treaty) request as the cloud data often resides crossborder. Secondly is the fact that a provider’s response will often be far from swift and more likely measured in weeks or months as complex legal as well as procedural hurdles are involved. Finally, there is the difficulty of a silo-end analysis of a likely incomplete data set from multiple providers. The Income Tax Department has to keep up with the pace of rapidly changing digital landscape and continuously evolving cross-border legal issues. Capacity building of investigators and simplification of procedural hurdles aided with technological up gradation is the need of the hour.
References
[1] Digital Evidences Investigation Manual 2014, published by CBDT.
[2] www. google.co.in
Shri. Pawan Kumar Minz, Assistant Commissioner of Income Tax, New Delhi. He is a graduate from IIT Roorkee with a B.Tech in Mechanical Engineering. He was inducted into 70th Batch of Indian Revenue Service in 2016.
Shri. Harsh S. Gautam, Deputy Commissioner of Income Tax, New Delhi is a B.Tech in Chemical Engineering. He joined IRS in year 2013.
