Computer Forensics: Cyber Crimes, Digital Evidence, Seizure and Acquisition

Computer forensics. Cyber-crime taxonomy, RFC 3227 volatility, seizure SOP, bit-stream imaging, hashing and BSA 2023 Section 63.

Computer forensics is the discipline of identifying, preserving, acquiring, examining, and presenting digital evidence in a legally defensible manner. Evidence is collected in order of volatility (RFC 3227, 2002), captured via bit-stream imaging through a write-blocker, and verified by matching hash values before and after acquisition. In Indian proceedings, electronic records produced as secondary evidence must be accompanied by a certificate under Bharatiya Sakshya Adhiniyam 2023 Section 63, which replaced Indian Evidence Act Section 65B from 1 July 2024. The controlling case law is Anvar P.V. v. P.K. Basheer (2014) and Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020), both affirming that the certificate is mandatory for admissibility.

Computer forensics operates as a tightly coupled technical and legal pipeline. The discipline maps every procedural step to a corresponding evidentiary requirement: the order of volatility follows RFC 3227, bit-stream imaging is performed through a write-blocker, integrity is verified by SHA-256 hash comparison, and admissibility in Indian courts depends on the BSA 2023 Section 63 certificate that replaced IEA Section 65B in July 2024.

This topic covers the four cyber-crime categories with their IT Act sections, the RFC 3227 volatility ladder, the seizure procedure under BNSS Section 176, the difference between live and dead acquisition, and the Indian institutional map: CFSL Hyderabad, CERT-In, NCIIPC, and I4C.

By the end of this topic you will be able to:

  • Explain the five-stage computer-forensics pipeline (identification, preservation, acquisition, examination, presentation) and state the legal and procedural requirement at each stage.
  • Apply the RFC 3227 order of volatility to determine the correct evidence-collection sequence at a digital crime scene.
  • Distinguish physical, logical, sparse, and live RAM acquisition modes and select the appropriate mode for a given scenario.
  • Describe the role of a write-blocker and hash verification in establishing the integrity of a forensic image.
  • Summarise the admissibility requirements for electronic evidence under BSA 2023 Section 63 and the key holdings of Anvar P.V. and Arjun Panditrao Khotkar.
Key terms
Computer forensics
Application of investigative and analytical techniques to identify, preserve, acquire, examine and present digital evidence in a legally defensible manner. Five-stage pipeline: identification, preservation, acquisition, analysis, presentation.
Digital evidence
Any information of probative value stored or transmitted in binary form. Latent, volatile in part, easily altered, and admissible only if integrity is provable through hashes and chain of custody.
Volatile evidence
Data lost when power is removed: CPU registers and cache, RAM contents, routing table, ARP cache, process list, network connections. Captured live before shutdown.
Order of volatility
RFC 3227 (2002) ranking that dictates collection order: registers and cache, then routing and process tables, then RAM, then temporary file systems, then disk, then remote logs, then physical archives.
Bit-stream image
Sector-by-sector exact copy of a storage medium, including unallocated and slack space. Created with dd, FTK Imager, EnCase or X-Ways. Output formats: raw (.dd), EnCase (.E01), AFF.
Write-blocker
Hardware or software device that allows read commands to a suspect drive while intercepting all write commands. Mandatory between the suspect drive and the imaging workstation.
Hash value
Fixed-length fingerprint of a file or image computed with MD5, SHA-1 or SHA-256. Matching hash before and after imaging proves the copy is identical to the original.
BSA 2023 Section 63 certificate
Mandatory certificate accompanying any electronic record produced as secondary evidence in Indian court. Replaces IEA Section 65B from 1 July 2024. Signed by the person in charge of the device at the time of production.
Faraday bag
Conductive shielded pouch that blocks radio signals (cellular, Wi-Fi, Bluetooth, GPS) reaching a seized mobile device, preventing remote wipe or evidence alteration between seizure and lab.

What computer forensics is and the five-stage pipeline

Computer forensics is the legally defensible end of digital investigation. The discipline grew out of US federal seizures in the late 1980s, was formalised by SWGDE (formed 1998) and DFRWS (first conference 2001) in the late 1990s and early 2000s, and is now codified in ISO/IEC 27037 (identification, collection, acquisition, preservation), ISO/IEC 27041 and 27042 (investigation assurance and analysis), and ISO/IEC 27043 (incident investigation principles). Memorise the five-stage pipeline as a single line.

  1. Identification. Recognise potential sources of digital evidence at the scene: desktops, laptops, mobiles, IoT, network logs, server logs, CCTV/DVR, email accounts, social-media handles, cloud accounts, USB and external storage.
  2. Preservation. Photograph in situ, label cables and ports, isolate from networks (Faraday bag for mobile, pull network cable for laptop), document running processes, capture RAM if the system is live.
  3. Acquisition. Bit-stream image the storage to a sterile destination through a write-blocker, hash the source and the image, and seal the original under panchnama as per BNSS 176.
  4. Examination and analysis. Mount the image read-only, recover deleted and carved files, parse file systems, reconstruct timelines, extract artefacts (registry, plist, syslog, browser SQLite, prefetch, event logs, email PST/mbox).
  5. Presentation. Prepare the analyst report, attach the BSA 2023 Section 63 certificate, and depose in court.

The full taxonomy and IT Act mapping sits in the book companion on cyber-crime taxonomy and the IT Act 2000. The on-scene first-response routine that the aspirant must recall is covered end to end in the digital first responder, volatility, seizure and imaging chapter.

Types of cyber crimes

Cyber-crime classification follows two parallel frameworks: by the target of the attack, and by the role the computer plays.

By target.

  • Against individuals. Identity theft, phishing, cyber-stalking, child sexual abuse material (CSAM) under IT Act Section 67B, sextortion, online harassment, credit-card skimming. BNS 2023 maps stalking to Section 78 and voyeurism to Section 77.
  • Against property. Hacking and unauthorised access under IT Act Section 66, data theft under Section 43 with civil and Section 66 criminal layers, software piracy under Copyright Act 1957, banking fraud and UPI fraud, cryptocurrency theft.
  • Against organisations. Corporate espionage, ransomware (LockBit, Conti, BlackCat variants), distributed denial of service (DDoS), website defacement, supply-chain compromise. The most serious is cyber-terrorism under IT Act Section 66F, punishable with imprisonment for life.
  • Against the state. Cyber-terrorism, attacks on critical information infrastructure under IT Act Section 70, leakage of classified material under the Official Secrets Act 1923, election-system intrusions.

By the role the computer plays.

  • Computer as instrument. The device is the tool: a phishing kit, a botnet C2 console, a ransomware encryptor.
  • Computer as target. The device is the victim: hacking, defacement, DDoS, data theft.
  • Computer as container. The device is the storage locker: CSAM library, stolen credit-card dumps, planning notes for an offline crime.

The full statutory map across IT Act 2000, BNS 2023, BSA 2023 and the BSA 2023 Section 63 evidentiary frame is in the book chapter on BNS 2023 cyber provisions and BSA 2023 electronic evidence.

Digital evidence and the RFC 3227 order of volatility

Digital evidence divides into volatile (lost when power is removed) and non-volatile (persists across reboots). RFC 3227 (2002) gives the canonical collection order.

RFC 3227 order of volatility: collect from top down. Registers and cache survive microseconds; physical media survive decades.

The warm-tone boxes (top three) are the volatile band that must be captured live, before any shutdown. Tools used at Indian labs include WinPmem, DumpIt and Magnet RAM Capture for Windows, LiME (Linux Memory Extractor) for Linux, and the Volatility Framework for offline analysis of the captured memory image.

Evidence sources include: personal computers and laptops, servers, mobiles and tablets, IoT devices and smart-home hubs, network logs (firewall, IDS, NetFlow), server logs (Apache, IIS, nginx, syslog), CCTV and DVR recordings, email archives (PST, mbox, EML), social-media activity, and cloud-storage accounts (Google Drive, OneDrive, iCloud, AWS S3).

Seizure: the on-scene SOP

A recurring decision point in on-scene procedure is whether to pull the plug or shut down gracefully. The answer depends on the device class.

Desktop or laptop running Windows. The classical SOP is to pull the plug from the back of the machine (not the wall switch) to freeze the disk state and prevent shutdown scripts from wiping evidence. If full-disk encryption (BitLocker, VeraCrypt, FileVault) is active and the system is in an unlocked state, capture RAM first because the encryption keys live in memory, then pull the plug. A graceful shutdown is preferred only on servers where ungraceful power loss would corrupt databases or RAID parity beyond recovery.

Server (production database, mail server). Graceful shutdown after RAM capture and live disk image. Pulling the plug on a busy database server destroys evidence and may trigger civil liability.

Mobile device. Never power off. Place in a Faraday bag (conductive shielded pouch) immediately to block cellular, Wi-Fi, Bluetooth and GPS, which prevents remote wipe (Find My iPhone, Android Device Manager) and stops the device from associating with new cell towers that would overwrite location history. Keep the device charged inside the bag with a battery pack.

The on-scene routine: photograph the screen and the entire workstation in situ, sketch and label every cable and port before unplugging, list every connected peripheral and external drive, capture RAM if the system is live and unlocked, then disconnect from the network, then power-handle per device class, then seal each item in tamper-evident bags with hash labels under a panchnama drawn up per BNSS Section 176. Every transfer thereafter is logged in the chain-of-custody register; a single missing signature is the easiest line for the defence to attack.

Acquisition: bit-stream imaging, write-blockers and hashing

Acquisition is the step that turns a seized drive into a working copy a forensic examiner can analyse without altering the original.

Bit-stream image. A sector-by-sector exact copy of the source medium, including unallocated space, slack space and the partition table. Different from a logical file copy (which only grabs allocated files) and a sparse image (which only grabs allocated sectors). The canonical command line is:

dd if=/dev/sda of=image.dd bs=4096 conv=noerror,sync

The canonical GUI tools are FTK Imager (AccessData), EnCase (OpenText), X-Ways Forensics, and Guymager on Linux. The standard output formats are raw (.dd), EnCase Expert Witness Format (.E01, with built-in compression and metadata), and AFF (Advanced Forensic Format).

Acquisition modes.

  • Physical. Bit-stream image of the entire medium including unallocated sectors. Gold standard, required for deleted-file recovery.
  • Logical. File-by-file copy of the allocated file system. Faster, but misses deleted data and slack space.
  • Sparse. Targeted copy of specific files or directories, used when full imaging is impractical on multi-terabyte storage.
  • Live RAM. Volatile memory dump with WinPmem, DumpIt, Magnet RAM Capture or LiME. Analysed with the Volatility Framework for process listing, network connections and encryption-key recovery.

Write-blocker. A hardware device (Tableau, WiebeTech, CRU) or software shim (USBWriteProtect, registry write protect on Windows) interposed between the suspect drive and the imaging workstation. The write-blocker passes read commands and intercepts every write command, including the inadvertent metadata writes Windows performs on any drive it sees. Examiners reliably test this: the write-blocker is the device that preserves the original.

Hashing. Compute MD5, SHA-1 or SHA-256 of the source drive before imaging, then SHA-256 of the produced image after imaging. Matching hashes prove the image is a true and complete copy. SHA-256 is the modern standard; MD5 and SHA-1 are deprecated for cryptographic use because of known collisions but still accepted in many SOPs as a secondary check. The hash values go into the panchnama and into the BSA 2023 Section 63 certificate.
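The following is an added worked example, not code from the page, and not the dd program, FTK Imager or any lab tool. It re-implements what the canonical dd command above does when a sector will not read (conv=noerror,sync: substitute zeros, keep going, pad a short final block) and then performs the hash check the Hashing paragraph describes: stream SHA-256 over the bytes written, re-hash the finished image file, and compare. The names (image_stream, acquire, FlakyDevice) and the byte patterns are constructed for the example.

```python
"""Bit-stream imaging with dd-style conv=noerror,sync semantics plus hash verification.

Added example; not the dd program or any forensic tool. Function names and sample
data are constructed for illustration.
"""
import hashlib
import io
import os
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, block_size=4096):
    """Stream a file through SHA-256 (the post-acquisition re-hash of the image)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_stream(src, dst, block_size=4096):
    """Copy src to dst block by block with conv=noerror,sync behaviour.

    noerror: a block whose read raises OSError is replaced by zeros and copying continues.
    sync:    a short final block is zero-padded to a full block so offsets stay aligned.
    Returns the byte count, the bad-block count and the SHA-256 of the bytes written.
    """
    digest = hashlib.sha256()
    written = bad_blocks = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks += 1                       # source must advance past the bad block
            chunk = b"\x00" * block_size
        if not chunk:
            break
        if len(chunk) < block_size:
            chunk += b"\x00" * (block_size - len(chunk))
        dst.write(chunk)
        digest.update(chunk)
        written += len(chunk)
    return {"bytes": written, "bad_blocks": bad_blocks, "sha256": digest.hexdigest()}


def acquire(src_path, image_path, block_size=4096):
    """Image src_path to image_path, then re-hash the image file and confirm it matches."""
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        result = image_stream(src, dst, block_size)
    result["verified"] = sha256_file(image_path, block_size) == result["sha256"]
    return result


class FlakyDevice:
    """Constructed stand-in for a drive with one unreadable block (not a real device)."""

    def __init__(self, data, bad_block, block_size):
        self._data, self._bad, self._bs, self._pos = data, bad_block, block_size, 0

    def read(self, n):
        start, end = self._pos, min(self._pos + n, len(self._data))
        self._pos = end                           # advance even on failure, as dd's seek does
        if start < len(self._data) and start // self._bs == self._bad:
            raise OSError("Input/output error")   # what the kernel reports for a bad sector
        return self._data[start:end]


def clean_roundtrip(block_size=4096):
    """Image a constructed temp file with no bad sectors; image hash equals padded-source hash."""
    data = bytes(range(256)) * 40 + b"tail"       # 10244 bytes: two full blocks + a remainder
    with tempfile.TemporaryDirectory() as tmp:
        src_path = os.path.join(tmp, "evidence.bin")
        img_path = os.path.join(tmp, "evidence.dd")
        with open(src_path, "wb") as fh:
            fh.write(data)
        result = acquire(src_path, img_path, block_size)
        result["image_size"] = os.path.getsize(img_path)
    padded = data + b"\x00" * (-len(data) % block_size)
    result["expected_sha256"] = sha256_bytes(padded)
    return result


def bad_sector_demo(block_size=4):
    """Image a 10-byte constructed 'drive' whose second block is unreadable."""
    device = FlakyDevice(b"ABCDEFGHIJ", bad_block=1, block_size=block_size)
    out = io.BytesIO()
    result = image_stream(device, out, block_size)
    return result, out.getvalue()


if __name__ == "__main__":
    print(clean_roundtrip())
    print(bad_sector_demo())
```

The bad-sector case is the caveat a practitioner wants on record: once noerror,sync has substituted zeros, no hash of the original medium can equal the hash of the image, so the acquisition log must carry the bad-block count together with the image hash, and the before/after comparison that proves integrity is between the hash computed while writing and the re-hash of the finished image file.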

Seizure-to-presentation pipeline: every box is mandatory, every connector is a chain-of-custody event with a signature. Skip one and the evidence fails Section 63 scrutiny.

Examination: file systems, deleted recovery and timelines

Examination runs on the working copy, never the original. The image is mounted read-only on a forensic workstation, parsed against the source file system, and combed for both allocated artefacts and recoverable deleted data.

File systems examiners test. FAT32 (legacy USB sticks), exFAT (modern SD cards and USB), NTFS (Windows volumes, with the Master File Table as the structural index), APFS (modern macOS), HFS+ (older macOS), ext4 (Linux). The Windows artefact layer (registry hives, event logs, prefetch files, shellbags, jump lists, USN journal, $MFT) is the key evidence trove for Indian casework and is covered in the book chapter on Windows forensic artefacts. The underlying boot process and file-system mechanics are in operating systems, boot process and file systems.

Deleted file recovery and carving. When a file is deleted, the file-system metadata is unlinked but the underlying sectors usually remain until overwritten. Recovery tools (TestDisk, R-Studio) parse the metadata. File-carving tools (Foremost, Scalpel, PhotoRec) ignore metadata and search the raw byte stream for file headers and footers (JPEG starts with 0xFFD8FFE0, PDF with %PDF, ZIP with PK 0x0304). PhotoRec is the standard tool for SD-card image recovery in Indian SFSL casework. Full mechanics in the book chapter on data recovery and file carving.
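Added example of the header/footer carving the paragraph describes; it is not Foremost, Scalpel or PhotoRec, and the function names, signature table and sample bytes are constructed here. It goes slightly beyond the page in two ways: for ZIP it reads the comment length out of the end-of-central-directory record so the carved object ends at the true end of the archive rather than at the footer bytes, and an object whose footer never appears within the carve window is still returned but flagged incomplete.

```python
"""Header/footer file carver over a raw byte stream (added example, not a lab tool)."""
import struct
from typing import NamedTuple

# header, footer pairs. JPEG is FF D8 FF followed by the APP marker byte
# (E0 for JFIF, as on the page, E1 for Exif), so only three bytes are matched.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF", b"%%EOF"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),   # local file header ... end-of-central-directory
}
MAX_CARVE = 64 * 1024 * 1024  # carve at most this much after a header with no footer


class Carved(NamedTuple):
    kind: str
    offset: int
    length: int
    complete: bool  # False when the footer was not found inside the carve window


def _zip_end(image, eocd_offset):
    """EOCD record is 22 bytes plus a comment whose length sits at +20 (little-endian u16)."""
    if eocd_offset + 22 > len(image):
        return len(image)
    comment_len = struct.unpack_from("<H", image, eocd_offset + 20)[0]
    return min(eocd_offset + 22 + comment_len, len(image))


def carve(image, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Scan the raw bytes, ignoring any file-system metadata, and return carved objects."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            window_end = min(start + max_len, len(image))
            foot = image.find(footer, start + len(header), window_end)
            if foot < 0:
                end, complete = window_end, False
            elif kind == "zip":
                end, complete = _zip_end(image, foot), True
            else:
                end, complete = foot + len(footer), True
            hits.append(Carved(kind, start, end - start, complete))
            pos = end  # resume after the carved object
    return sorted(hits, key=lambda c: c.offset)


def extract(image, hit):
    """Return the carved bytes for one hit (what a tool would write out as a file)."""
    return image[hit.offset:hit.offset + hit.length]


def sample_image():
    """Constructed 'unallocated space': one JPEG, one PDF and one ZIP between filler bytes."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"   # 15 bytes
    pdf = b"%PDF-1.4\nobj\n%%EOF"                              # 18 bytes
    eocd = b"PK\x05\x06" + b"\x00" * 18                        # 22-byte EOCD, empty comment
    zipf = b"PK\x03\x04" + b"entry" + eocd                     # 31 bytes
    return b"\x00" * 16 + jpeg + b"\xaa" * 8 + pdf + b"\xbb" * 5 + zipf + b"\xcc" * 3


if __name__ == "__main__":
    for hit in carve(sample_image()):
        print(hit, extract(sample_image(), hit)[:8])
```

Because the scan never consults file-system metadata, the same routine recovers objects from slack and unallocated space of an image whose directory entries are gone; the cost is that fragmented files are carved incorrectly, which is why carving is a complement to metadata-based recovery rather than a replacement for it.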

Timeline reconstruction. Plaso / log2timeline ingest the image and every artefact source, normalise timestamps across MAC times (modified, accessed, changed/created), event logs, browser history, prefetch and registry, and emit a single super-timeline in CSV or ElasticSearch. Indian DFSS labs increasingly run Plaso on every casework image.
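An added illustration of the normalisation step that makes a super-timeline possible; it is not Plaso or log2timeline, and the source names, records and the assumed host timezone are constructed. Each artefact family stores time differently (WebKit microseconds since 1601 in Chrome History, Unix epoch seconds for MAC times, ISO 8601 in Windows event exports, and a year-less local-time prefix in classic syslog), and the timeline is only meaningful after every value has been converted to aware UTC.

```python
"""Super-timeline normalisation across artefact sources (added example, not Plaso)."""
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class Event(NamedTuple):
    ts: datetime
    source: str
    message: str


def from_webkit(microseconds):
    """Chrome/WebKit timestamp: microseconds since 1601-01-01 00:00 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def from_unix(seconds):
    """Unix epoch seconds (as exported for $MFT MAC times) to aware UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_iso(text):
    """ISO 8601 with a trailing Z (Windows event log exports)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def from_syslog(line, year, tz):
    """Classic syslog prefix 'Mon DD HH:MM:SS' carries no year and is host local time;
    the examiner supplies both from the seizure record and the host's configuration."""
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=tz).astimezone(timezone.utc)


PARSERS = {
    "chrome_history": lambda raw, ctx: from_webkit(raw),
    "mft": lambda raw, ctx: from_unix(raw),
    "win_evtx": lambda raw, ctx: from_iso(raw),
    "syslog": lambda raw, ctx: from_syslog(raw, ctx["year"], ctx["tz"]),
}


def build_timeline(records, context):
    """records: (source, raw_timestamp, message) tuples. Returns Events oldest first."""
    events = [Event(PARSERS[src](raw, context), src, msg) for src, raw, msg in records]
    return sorted(events, key=lambda e: e.ts)


def sample_context():
    """Constructed: the seized host ran with an IST (UTC+05:30) clock during March 2024."""
    return {"year": 2024, "tz": timezone(timedelta(hours=5, minutes=30))}


def sample_records():
    """Constructed artefacts from four sources on the same seized laptop."""
    return [
        ("chrome_history", 13354885200000000, "visit https://example.invalid/login"),
        ("syslog", "Mar 14 15:52:01 laptop sshd[812]: Accepted password for alice", "ssh login"),
        ("win_evtx", "2024-03-14T10:25:30Z", "EventID 4624 logon"),
        ("mft", 1710411480, "created C:\\Users\\alice\\notes.txt"),
    ]


if __name__ == "__main__":
    for event in build_timeline(sample_records(), sample_context()):
        print(event.ts.isoformat(), event.source, event.message)
```

The syslog record is the one worth studying: its 15:52:01 local stamp lands between the Chrome visit and the Windows logon only after the IST offset is applied, and a timeline built from raw strings would have placed it last.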

Other artefact families. Browser SQLite databases (Chrome History, Firefox places.sqlite), email containers (Outlook.pst, Thunderbird mbox) with header analysis to trace originating IP, Windows registry hives (SYSTEM, SOFTWARE, NTUSER.DAT, SAM), plist files on macOS, syslog on Linux, and the WhatsApp / Signal / Telegram SQLite caches on mobile (handled in the related topic on mobile phone forensics).

Encryption and steganography. Encrypted volumes (BitLocker, VeraCrypt, FileVault) are attacked via RAM-resident keys captured at live acquisition, dictionary attacks with Hashcat, or vendor recovery keys. Steganography is detected with StegDetect and chi-square statistical tests on the carrier file.

Admissibility: BSA 2023 Section 63 and the case law

Electronic evidence in India is governed by the IT Act 2000 (substantive cyber-crime offences) and the Bharatiya Sakshya Adhiniyam 2023 (evidence law, in force from 1 July 2024). BSA Section 61 defines electronic and digital records as evidence; BSA Section 63 (replacing IEA Section 65B) requires a certificate signed by the person occupying a responsible official position in relation to the device, certifying that the electronic record was produced regularly, that the device was working properly, and that the integrity of the data was maintained. Without the Section 63 certificate, the electronic record is not admissible as secondary evidence.

The two controlling judgments are:

  • Anvar P.V. v. P.K. Basheer (2014) 10 SCC 473. The Supreme Court held the (then) IEA Section 65B certificate is mandatory for admissibility of electronic records, overruling earlier liberal readings. Primary evidence (the original device produced in court) is the exception; secondary evidence (a copy or printout) needs the certificate.
  • Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) 7 SCC 1. Three-judge bench reaffirmed Anvar, clarified that the certificate must be produced with the electronic record (not later), and addressed practical difficulties where the certificate-issuer is unavailable. BSA Section 63 carried this framework forward almost verbatim.

For the examiner's deposition, the analyst attaches the Section 63 certificate, the hash values, the chain-of-custody register, the seizure panchnama and the tool-validation log to the report. Cross-examination predictably attacks any gap in this stack. The full evidentiary framework lives in the book chapter on Bharatiya Sakshya Adhiniyam 2023: forensic evidence in court.

Indian institutional landscape

The Indian computer-forensics ecosystem is layered across central forensic labs, sectoral cyber-security agencies and police cyber-crime cells.

  • CFSL Hyderabad. Central cyber-forensics hub of the Directorate of Forensic Science Services. Houses the largest digital-forensics division and handles cross-state and CBI casework.
  • CFSL Chandigarh, Kolkata, Pune and Bhopal. Regional digital-forensics units feeding the central lab.
  • CERT-In (IT Act Section 70B). Coordinates national cyber-incident response. Mandatory incident reporting under the April 2022 CERT-In directions.
  • NCIIPC (IT Act Section 70A). Protects critical sectors (power, banking, telecom, transport, government).
  • I4C (Indian Cyber Crime Coordination Centre). Runs the cybercrime.gov.in citizen reporting portal and the 1930 helpline under the Ministry of Home Affairs.
  • State cyber-crime cells at Pune, Bangalore, Hyderabad, Mumbai and Delhi handle the bulk of citizen complaints.
  • NFSU Gandhinagar. Academic and training apex, established by an Act of Parliament in 2020.

What is the order of volatility under RFC 3227, and why do examiners test it?
RFC 3227 (2002) ranks evidence sources by how quickly the data disappears. Collect in this order: (1) CPU registers and cache, (2) routing table, ARP cache, process table and kernel statistics, (3) RAM, (4) temporary file systems and swap, (5) disk, (6) remote logging and monitoring data, (7) physical configuration and archives. Examiners test the ladder because skipping a level destroys the higher levels: pull the plug before capturing RAM and the encryption keys, running processes and network connections are gone forever.
What replaces IEA Section 65B in the new Indian evidence law?
Bharatiya Sakshya Adhiniyam 2023 Section 63 replaces Indian Evidence Act Section 65B with effect from 1 July 2024. BSA Section 61 defines electronic and digital records as evidence and BSA Section 63 requires a certificate signed by the person occupying a responsible official position in relation to the device, certifying regular production, working condition of the device, and integrity of the data. Anvar P.V. v. P.K. Basheer (2014) and Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) remain controlling precedent on the mandatory nature of the certificate.
Why is a write-blocker mandatory before imaging a seized drive?
Modern operating systems write metadata to any drive they recognise, including timestamps, journal entries and recycle-bin records, simply by mounting the drive. Even read-only-mounted filesystems can trigger filesystem repair or journal replay. A write-blocker (hardware unit like Tableau or WiebeTech, or a software shim) sits between the suspect drive and the imaging workstation, allowing read commands through and intercepting every write command. Without a write-blocker the source hash changes during imaging and the bit-stream copy is no longer identical to the original, which destroys the integrity case under BSA Section 63.
What is the difference between physical, logical, sparse and live RAM acquisition?
Physical acquisition is a sector-by-sector bit-stream image of the entire storage medium including unallocated and slack space, the gold standard for forensic work. Logical acquisition is a file-by-file copy of the allocated file system, faster but misses deleted data. Sparse acquisition is a targeted copy of specific files or directories, used when full imaging is impractical (multi-terabyte enterprise storage). Live RAM acquisition is a volatile-memory dump from a running system using WinPmem, DumpIt, Magnet RAM Capture or LiME, then analysed offline with the Volatility Framework for process listing, network connections and encryption-key recovery.
Which Indian institutions handle computer forensics and cyber-crime response?
CFSL Hyderabad is the central hub for digital-forensics casework under DFSS, supported by digital-forensics units at CFSL Chandigarh, Kolkata, Pune and Bhopal. CERT-In (Indian Computer Emergency Response Team) under IT Act Section 70B coordinates national incident response. NCIIPC under IT Act Section 70A protects critical information infrastructure. The Indian Cyber Crime Coordination Centre (I4C) runs the cybercrime.gov.in citizen reporting portal and the 1930 helpline. State cyber-crime cells at Pune, Bangalore, Hyderabad, Mumbai and Delhi handle complaint-level casework, and NFSU Gandhinagar is the academic and training apex established by Parliament in 2020.
