Computer Forensics: Cyber Crimes, Digital Evidence, Seizure and Acquisition
UGC-NET Paper 2 Unit VII notes on computer forensics. Cyber-crime taxonomy, RFC 3227 volatility, seizure SOP, bit-stream imaging, hashing and BSA 2023 Section 63.
Computer forensics is the high-yield bullet of UGC-NET Forensic Science Unit VII. NTA tests it as a tight technical pipeline (identification, preservation, acquisition, analysis, presentation) layered on top of a tight legal pipeline (IT Act 2000, BSA 2023 Section 63 certificate replacing IEA 65B, and the Anvar P.V. and Arjun Panditrao judgments). Every sub-step has a clean MCQ answer: the order of volatility is RFC 3227, the imaging tool everyone names is FTK Imager or EnCase, the hash you cite is SHA-256, and the device that prevents accidental writes is a write-blocker.
Treat this bullet as a memorisation-plus-workflow topic. Learn the four cyber-crime categories with their IT Act sections, the RFC 3227 ladder, the seizure SOP at an Indian scene under BNSS 176, the difference between live and dead acquisition, and the Indian institutional map (CFSL Hyderabad cyber lab, CERT-In, NCIIPC, I4C with cybercrime.gov.in). The book chapters listed at the end go far deeper into Windows artefacts, file carving and IT-Act case law if you want post-exam depth.
- Computer forensics. Application of investigative and analytical techniques to identify, preserve, acquire, examine and present digital evidence in a legally defensible manner. Five-stage pipeline: identification, preservation, acquisition, analysis, presentation.
- Digital evidence. Any information of probative value stored or transmitted in binary form. Latent, volatile in part, easily altered, and admissible only if integrity is provable through hashes and chain of custody.
- Volatile evidence. Data lost when power is removed: CPU registers and cache, RAM contents, routing table, ARP cache, process list, network connections. Captured live before shutdown.
- Order of volatility. RFC 3227 (2002) ranking that dictates collection order: registers and cache, then routing and process tables, then RAM, then temporary file systems, then disk, then remote logs, then physical archives.
- Bit-stream image. Sector-by-sector exact copy of a storage medium, including unallocated and slack space. Created with dd, FTK Imager, EnCase or X-Ways. Output formats: raw .dd, EnCase .E01, AFF.
- Write-blocker. Hardware or software device that allows read commands to a suspect drive while intercepting all write commands. Mandatory between the suspect drive and the imaging workstation.
- Hash value. Fixed-length fingerprint of a file or image computed with MD5, SHA-1 or SHA-256. Matching hash values before and after imaging prove the copy is identical to the original.
- BSA 2023 Section 63 certificate. Mandatory certificate accompanying any electronic record produced as secondary evidence in Indian court. Replaces IEA Section 65B from 1 July 2024. Signed by the person in charge of the device at the time of production.
- Faraday bag. Conductive shielded pouch that blocks radio signals (cellular, Wi-Fi, Bluetooth, GPS) reaching a seized mobile device, preventing remote wipe or evidence alteration between seizure and lab.
What computer forensics is and the five-stage pipeline
Identify, preserve, acquire, analyse, present. Skip a stage and the evidence dies in court.
Computer forensics is the legally defensible end of digital investigation. The discipline grew out of US federal seizures in the late 1980s, was formalised by DFRWS and SWGDE in the early 2000s, and is now codified in ISO/IEC 27037 (identification, collection, acquisition, preservation), ISO/IEC 27041 and 27042 (investigation assurance and analysis), and ISO/IEC 27043 (incident investigation principles). For NET, memorise the five-stage pipeline as a single line.
- Identification. Recognise potential sources of digital evidence at the scene: desktops, laptops, mobiles, IoT, network logs, server logs, CCTV/DVR, email accounts, social-media handles, cloud accounts, USB and external storage.
- Preservation. Photograph in situ, label cables and ports, isolate from networks (Faraday bag for mobile, pull network cable for laptop), document running processes, capture RAM if the system is live.
- Acquisition. Bit-stream image the storage to a sterile destination through a write-blocker, hash the source and the image, and seal the original under panchnama as per BNSS 176.
- Examination and analysis. Mount the image read-only, recover deleted and carved files, parse file systems, reconstruct timelines, extract artefacts (registry, plist, syslog, browser SQLite, prefetch, event logs, email PST/mbox).
- Presentation. Prepare the analyst report, attach the BSA 2023 Section 63 certificate, and depose in court.
The full taxonomy and IT Act mapping sits in the book companion on cyber-crime taxonomy and the IT Act 2000. The on-scene first-response routine that the NET aspirant must recall is covered end to end in the digital first responder, volatility, seizure and imaging chapter.
Types of cyber crimes
Four target categories, three role categories. NTA loves the IT Act section number.
NTA tests cyber-crime classification two ways: by the target of the attack, and by the role the computer plays. Learn both.
By target.
- Against individuals. Identity theft, phishing, cyber-stalking, child sexual abuse material (CSAM) under IT Act Section 67B, sextortion, online harassment, credit-card skimming. BNS 2023 maps stalking to Section 78 and voyeurism to Section 77.
- Against property. Hacking and unauthorised access under IT Act Section 66, data theft under Section 43 with civil and Section 66 criminal layers, software piracy under Copyright Act 1957, banking fraud and UPI fraud, cryptocurrency theft.
- Against organisations. Corporate espionage, ransomware (LockBit, Conti, BlackCat variants), distributed denial of service (DDoS), website defacement, supply-chain compromise. The most serious is cyber-terrorism under IT Act Section 66F, punishable with imprisonment for life.
- Against the state. Cyber-terrorism, attacks on critical information infrastructure under IT Act Section 70, leakage of classified material under the Official Secrets Act 1923, election-system intrusions.
By the role the computer plays.
- Computer as instrument. The device is the tool: a phishing kit, a botnet C2 console, a ransomware encryptor.
- Computer as target. The device is the victim: hacking, defacement, DDoS, data theft.
- Computer as container. The device is the storage locker: CSAM library, stolen credit-card dumps, planning notes for an offline crime.
The full statutory map across IT Act 2000, BNS 2023, BSA 2023 and the BSA 2023 Section 63 evidentiary frame is in the book chapter on BNS 2023 cyber provisions and BSA 2023 electronic evidence.
Digital evidence and the RFC 3227 order of volatility
Capture the most fragile first. Power off the wrong way and RAM is gone forever.
Digital evidence splits into volatile (lost when power is removed) and non-volatile (persists across reboots). RFC 3227 (2002) gives the canonical collection order, and NTA tests this ladder almost verbatim.
The top three rungs of the ladder (registers and cache, routing and process tables, RAM) are the volatile band that must be captured live, before any shutdown. Tools used at Indian labs include WinPmem, DumpIt and Magnet RAM Capture for Windows, LiME (Linux Memory Extractor) for Linux, and the Volatility Framework for offline analysis of the captured memory image.
Common evidence sources the NET aspirant must list: personal computers and laptops, servers, mobiles and tablets, IoT devices and smart-home hubs, network logs (firewall, IDS, NetFlow), server logs (Apache, IIS, nginx, syslog), CCTV and DVR recordings, email archives (PST, mbox, EML), social-media activity, and cloud-storage accounts (Google Drive, OneDrive, iCloud, AWS S3).
Seizure: the on-scene SOP
Pull plug or graceful shutdown? Depends on the device. Faraday bag the phone either way.
The seizure question NTA asks most often is whether to pull the plug or shut down gracefully. The answer depends on the device class.
Desktop or laptop running Windows. The classical SOP is pull the plug from the back of the machine (not the wall switch) to freeze the disk state and prevent shutdown scripts from wiping evidence. If full-disk encryption (BitLocker, VeraCrypt, FileVault) is active and the system is in an unlocked state, capture RAM first because the encryption keys live in memory, then pull the plug. A graceful shutdown is preferred only on servers where ungraceful power loss would corrupt databases or RAID parity beyond recovery.
Server (production database, mail server). Graceful shutdown after RAM capture and live disk image. Pulling the plug on a busy database server destroys evidence and may trigger civil liability.
Mobile device. Never power off. Place in a Faraday bag (conductive shielded pouch) immediately to block cellular, Wi-Fi, Bluetooth and GPS, which prevents remote wipe (Find My iPhone, Android Device Manager) and stops the device from associating with new cell towers that would overwrite location history. Keep the device charged inside the bag with a battery pack.
The on-scene routine: photograph the screen and the entire workstation in situ, sketch and label every cable and port before unplugging, list every connected peripheral and external drive, capture RAM if the system is live and unlocked, then disconnect from the network, then handle power according to the device class above, then seal each item in tamper-evident bags with hash labels under a panchnama drawn up per BNSS Section 176. Every transfer thereafter is logged in the chain-of-custody register; a single missing signature is the easiest line for the defence to attack.
Acquisition: bit-stream imaging, write-blockers and hashing
Image, hash, verify. Three words that make the evidence admissible.
Acquisition is the step that turns a seized drive into a working copy a forensic examiner can analyse without altering the original.
Bit-stream image. A sector-by-sector exact copy of the source medium, including unallocated space, slack space and the partition table. Different from a logical file copy (which only grabs allocated files) and a sparse image (which only grabs allocated sectors). For NET, the canonical command line is dd if=/dev/sda of=image.dd bs=4096 conv=noerror,sync, and the canonical GUI tools are FTK Imager (AccessData), EnCase (OpenText), X-Ways Forensics, and Guymager on Linux. The standard output formats are raw .dd, EnCase Expert Witness Format .E01 (with built-in compression and metadata), and AFF (Advanced Forensic Format).
Acquisition modes.
- Physical. Bit-stream image of the entire medium including unallocated sectors. Gold standard, required for deleted-file recovery.
- Logical. File-by-file copy of the allocated file system. Faster, but misses deleted data and slack space.
- Sparse. Targeted copy of specific files or directories, used when full imaging is impractical on multi-terabyte storage.
- Live RAM. Volatile memory dump with WinPmem, DumpIt, Magnet RAM Capture or LiME. Analysed with the Volatility Framework for process listing, network connections and encryption-key recovery.
Write-blocker. A hardware device (Tableau, WiebeTech, CRU) or software shim (USBWriteProtect, registry write protect on Windows) interposed between the suspect drive and the imaging workstation. The write-blocker passes read commands and intercepts every write command, including the inadvertent metadata writes Windows performs on any drive it sees. NTA reliably tests this: the write-blocker is the device that preserves the original.
Hashing. Compute a hash (MD5, SHA-1 or SHA-256) of the source drive before imaging, then the same hash of the produced image after imaging. Matching hashes prove the image is a true and complete copy. SHA-256 is the modern standard; MD5 and SHA-1 are deprecated for cryptographic use because of known collisions but still accepted in many SOPs as a secondary check. The hash values go into the panchnama and into the BSA 2023 Section 63 certificate.
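The image, hash, verify loop as an added example (not code from the notes, and not how dd, FTK Imager or EnCase are implemented): a Python stand-in for dd's conv=noerror,sync behaviour over a constructed in-memory drive. It shows why an unreadable sector must be recorded in the acquisition notes, because the image hash can then no longer match the source hash even though the imaging run completed.

```python
"""dd-style bit-stream imaging with noerror,sync handling and hash verification.
Added example, not from the notes: the "drive" is a constructed in-memory
stand-in; in casework the source is a device node read through a write-blocker."""
import hashlib
import io

BLOCK = 4096  # bs=4096, matching the dd command line in the notes


class Drive:
    """Stand-in for a block device. Reading a block index listed in `bad` raises."""

    def __init__(self, data, bad=()):
        self.data, self.bad, self.pos = data, set(bad), 0

    def read(self, n):
        idx, self.pos = self.pos // n, self.pos + n
        if idx in self.bad:
            raise OSError(f"I/O error reading block {idx}")
        return self.data[idx * n:(idx + 1) * n]  # b"" once past the end


def image_device(drive, out, block_size=BLOCK):
    """Copy every block of `drive` to `out` like dd conv=noerror,sync:
    noerror: an unreadable block does not abort the run; sync: it is written as
    zeros (and a short tail block zero-padded) so later sectors keep their offsets.
    Returns (blocks_written, unreadable_block_indices)."""
    unreadable, idx = [], 0
    while True:
        try:
            chunk = drive.read(block_size)
        except OSError:
            unreadable.append(idx)
            chunk = b"\x00" * block_size
        if not chunk:
            break
        out.write(chunk.ljust(block_size, b"\x00"))
        idx += 1
    return idx, unreadable


def acquire(drive):
    """Image, hash, verify. The returned dict is what goes into the panchnama."""
    img = io.BytesIO()
    blocks, unreadable = image_device(drive, img)
    # "Before" hash of the original; the constructed data stands in for a second
    # pass over the device, which on real hardware would hit the same bad sectors.
    source_hash = hashlib.sha256(drive.data).hexdigest()
    image_hash = hashlib.sha256(img.getvalue()).hexdigest()  # "after" hash of the copy
    return {"blocks": blocks, "unreadable": unreadable, "source_sha256": source_hash,
            "image_sha256": image_hash,
            "verified": source_hash == image_hash and not unreadable}


if __name__ == "__main__":
    data = bytes(range(256)) * 64         # 16 KiB = 4 constructed blocks
    print(acquire(Drive(data)))           # verified: True
    print(acquire(Drive(data, bad=[2])))  # block 2 zero-filled, verified: False
```

A real run hashes the device through the write-blocker rather than from a byte string, but the reporting logic is the same: a non-empty unreadable list with a hash mismatch is a documented partial image, not a failed acquisition.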
Examination: file systems, deleted recovery and timelines
Mount read-only, carve the unallocated, build the timeline. That is the analysis triad.
Examination runs on the working copy, never the original. The image is mounted read-only on a forensic workstation, parsed against the source file system, and combed for both allocated artefacts and recoverable deleted data.
File systems NTA tests. FAT32 (legacy USB sticks), exFAT (modern SD cards and USB), NTFS (Windows volumes, with the Master File Table as the structural index), APFS (modern macOS), HFS+ (older macOS), ext4 (Linux). The Windows artefact layer (registry hives, event logs, prefetch files, shellbags, jump lists, USN journal, $MFT) is the highest-yield evidence trove for Indian casework and is covered in the book chapter on Windows forensic artefacts. The underlying boot process and file-system mechanics are in operating systems, boot process and file systems.
Deleted file recovery and carving. When a file is deleted, the file-system metadata is unlinked but the underlying sectors usually remain until overwritten. Recovery tools (TestDisk, R-Studio) parse the metadata. File-carving tools (Foremost, Scalpel, PhotoRec) ignore metadata and search the raw byte stream for file headers and footers (JPEG starts with 0xFFD8FFE0, PDF with %PDF, ZIP with PK 0x0304). PhotoRec is the standard tool for SD-card image recovery in Indian SFSL casework. Full mechanics in the book chapter on data recovery and file carving.
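A minimal header/footer carver as an added example (not the notes' own code, and not how Foremost, Scalpel or PhotoRec are implemented), using the three signatures listed above over a constructed byte string that stands in for unallocated space:

```python
"""Header/footer file carving over a raw byte stream. Added example, not from the
notes: the "unallocated space" below is a constructed byte string, and the
signatures are the ones the notes list (JPEG/JFIF 0xFFD8FFE0, %PDF, PK 0x0304)."""
import re

# (type, header, footer, bytes to keep from the footer match, max carve length)
# ZIP: the end-of-central-directory record starts with PK\x05\x06 and is 22 bytes
# when it carries no comment, so the carve keeps 22 bytes from that signature.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff\xe0", b"\xff\xd9", 2, 8 * 1024 * 1024),
    ("pdf", b"%PDF", b"%%EOF", 5, 32 * 1024 * 1024),
    ("zip", b"PK\x03\x04", b"PK\x05\x06", 22, 64 * 1024 * 1024),
]


def carve(stream, signatures=SIGNATURES):
    """Return [(type, offset, data)] for every header with a footer in range.
    Metadata is ignored entirely, which is why this recovers files whose
    directory entries are gone. Caveat: the first footer wins, so a JPEG with an
    embedded thumbnail is cut short; PhotoRec applies per-format parsing for that."""
    found = []
    for name, header, footer, tail, max_len in signatures:
        for m in re.finditer(re.escape(header), stream):
            window = stream[m.start():m.start() + max_len]
            f = window.find(footer, len(header))
            if f == -1:
                continue  # header without footer in range: truncated, not carved
            found.append((name, m.start(), window[:f + tail]))
    return sorted(found, key=lambda hit: hit[1])


# Constructed fragments: a minimal JFIF, a PDF skeleton and a ZIP with one empty entry.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18
FILLER = b"\x00" * 512  # wiped sectors between the deleted files


def build_sample_image():
    """Unallocated space holding three deleted files with no file-system entries."""
    return FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PDF + FILLER + SAMPLE_ZIP + FILLER


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```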
Timeline reconstruction. Plaso (log2timeline) ingests the image and every artefact source, normalises timestamps across MAC times (modified, accessed, changed/created), event logs, browser history, prefetch and registry, and emits a single super-timeline in CSV or to Elasticsearch. Indian DFSS labs increasingly run Plaso on every casework image.
Other artefact families. Browser SQLite databases (Chrome History, Firefox places.sqlite), email containers (Outlook .pst, Thunderbird mbox) with header analysis to trace originating IP, Windows registry hives (SYSTEM, SOFTWARE, NTUSER.DAT, SAM), plist files on macOS, syslog on Linux, and the WhatsApp / Signal / Telegram SQLite caches on mobile (handled in the sibling NET topic on
Admissibility: BSA 2023 Section 63 and the case law
Anvar said the certificate is mandatory. Arjun Panditrao reconfirmed it. Section 63 BSA carried it forward.
Electronic evidence in India is governed by the IT Act 2000 (substantive cyber-crime offences) and the Bharatiya Sakshya Adhiniyam 2023 (evidence law, in force from 1 July 2024). BSA Section 61 defines electronic and digital records as evidence; BSA Section 63 (replacing IEA Section 65B) requires a certificate signed by the person occupying a responsible official position in relation to the device, certifying that the electronic record was produced regularly, that the device was working properly, and that the integrity of the data was maintained. Without the Section 63 certificate, the electronic record is not admissible as secondary evidence.
The two judgments NTA tests as a pair:
- Anvar P.V. v. P.K. Basheer (2014) 10 SCC 473. The Supreme Court held the (then) IEA Section 65B certificate is mandatory for admissibility of electronic records, overruling earlier liberal readings. Primary evidence (the original device produced in court) is the exception; secondary evidence (a copy or printout) needs the certificate.
- Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) 7 SCC 1. Three-judge bench reaffirmed Anvar, clarified that the certificate must be produced with the electronic record (not later), and addressed practical difficulties where the certificate-issuer is unavailable. BSA Section 63 carried this framework forward almost verbatim.
For the examiner's deposition, the analyst attaches the Section 63 certificate, the hash values, the chain-of-custody register, the seizure panchnama and the tool-validation log to the report. Cross-examination predictably attacks any gap in this stack. The full evidentiary framework lives in the book chapter on Bharatiya Sakshya Adhiniyam 2023: forensic evidence in court.
Indian institutional landscape
CFSL Hyderabad cyber lab, CERT-In, NCIIPC, I4C. Memorise the acronyms.
The Indian computer-forensics ecosystem is layered across central forensic labs, sectoral cyber-security agencies and police cyber-crime cells.
- CFSL Hyderabad. Central cyber-forensics hub of the Directorate of Forensic Science Services. Houses the largest digital-forensics division and handles cross-state and CBI casework.
- CFSL Chandigarh, Kolkata, Pune and Bhopal. Regional digital-forensics units feeding the central lab.
- CERT-In (IT Act Section 70B). Coordinates national cyber-incident response. Mandatory incident reporting under the April 2022 CERT-In directions.
- NCIIPC (IT Act Section 70A). Protects critical sectors (power, banking, telecom, transport, government).
- I4C (Indian Cyber Crime Coordination Centre). Runs the cybercrime.gov.in citizen reporting portal and the 1930 helpline under the Ministry of Home Affairs.
- State cyber-crime cells at Pune, Bangalore, Hyderabad, Mumbai and Delhi handle the bulk of citizen complaints.
- NFSU Gandhinagar. Academic and training apex, established by an Act of Parliament in 2020.