evidence

IMPORTANCE OF HASH VALUE IN THE CONTEXT OF DIGITAL EVIDENCE COLLECTION

Chandni Joshi ,

IMPORTANCE OF HASH VALUE IN THE CONTEXT OF DIGITAL EVIDENCE COLLECTION

INTRODUCTION

“A “hash value” is an electronic fingerprint. The data within a file is represented through the cryptographic algorithm as that hash value”. Digital forensics professionals use hashing algorithms to generate hash values of the original files they use in the investigation. This ensures that the information isn’t altered during the course of the investigation since various tools and techniques are involved in data analysis and evidence collection that can affect the data’s integrity. Another reason why hash values are important is that electronic documents are shared with legal professionals and other parties during investigation, and it’s important to ensure that everyone has identical copies of the files. Hash values are used to identify and filter duplicate files (i.e. email, attachments, and loose files) from an ESI collection(electronically stored information ) or verify that a forensic image or clone was captured successfully.

Digital Forensic Investigator At Work Photograph by Microgen Images/science Photo LibraryGUIDELINES RELATED TO HASH VALUE:

Following are the rules regarding the hash value extracted from the Digital Evidence Investigation Manual Central Board of Direct Taxes ,Department of Revenue, Ministry of Finance, Government of India:

  • Accessing a system or hard disk in any way without the use of “write-protect” devices causes change in the hash value or digital fingerprint of the disk. This can render the evidence on such disks inadmissible.
  • Mathematical hashing is equivalent to one-way encryption. Every digital evidence at the lowest level translates into a big numerical number. When the digital device or data is encrypted using a hashing algorithm, it results in a new number of a fixed length called the dark message digest. The hashing algorithm has some unique characteristics, which are as follows:
  1. Message digest always of a fixed length: The digital evidence may be of any size, but on application of the hash algorithm the resultant message digest would always be of a fixed length.
  2. Message digest is a randomly generated number: The message digest is a randomly generated number. However, if the contents of the digital evidence remain the same, the hash algorithm would generate the same message digest every time it is applied on the digital evidence. This property is useful in authenticating seized digital evidence before a court of law. If application of hash algorithm on digital evidence in a court of law results in the same message digest as was obtained during the time of seizure, it indicates that the presented evidence is the same as what was seized.
  3. One-way hash function: It is computationally not feasible to determine the contents of the digital evidence if somebody knows the message digest. Hash algorithm is a one-way function. This property is of great importance from the legal point of view, since it prevents manipulation of digital evidence as no one can predict the message digest that would be generated if the evidence is manipulated.
  4. collision-free hash: The odds that two digital pieces of evidence with different contents have the same message digest is roughly 2 to the power128 (i.e. 34 followed by 37 zeros).
  • On completion of the imaging process, the device displays the hash value of the cloned hard disk. The image/clone has to have the same hash value as that of the target hard disk. The Hash value should be recorded in the Panchnama and the assessee can be given the option of seeking a copy of the imaged/ cloned hard disk by paying the copying charges.
  • Before seizing any of the digital evidence, their hash value must be calculated using forensic tools such as cyber check or duplicator or anything else. There will be a report generated by these tools which can be attached along with the panchnama.
  • Digital Forensic Report( Given by Forensic Examiner) containing details of hash value and the details of all mahazar drawn to open the digital evidence at various times to gather further evidence should be included as an annexure to the assessment order. If the chain of custody form is present, the same can be annexed to the assessment order. This will establish the integrity of the data before any court of law.
  • 11.4.3 Procedure for imaging seized hard disks

In cases where hard disks cannot be cloned at the site and are therefore seized, two sets of images/clones should be created in the lab in presence of the assessee or his representative and the authorized officer following the same procedure as described above. A panchnama should be prepared for this activity recording the hash value of each of the hard disks imaged and the other particulars mentioned above. The assessee may be given an option to obtain a copy of the image at his cost.

  • Sec. 3. Of the IT Act: Authentication of electronic records.

(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.

(2) The authentication of the electronic record shall be effected by the use of an asymmetric cryptosystem and hash function which envelopes and transforms the initial electronic record into another electronic record.

Explanation.- For this sub-section, “hash function” means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as “hash result” such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible-

(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;

(b) that two electronic records can produce the same hash result using the algorithm.

CASE LAWS

  • United States vs. Cartier: the district court found that the files with the same hash value have 99.99% probability of being identical.
  • Shirley Williams v. Sprint/United Management Company  : The court observed that When an electronic file is sent with a hash mark, others can read it, but the file cannot be altered without a change also occurring in the hash mark.  The producing party can be certain that the file was not altered by running the creator’s hash mark algorithm to verify that the original hash mark is generated.  This method allows a large amount of data to be self-authenticating with a rather small hash mark, efficiently assuring that the original image has not been manipulated.
  • Dramatico Entertainment Ltd. vs. British Sky Broadcasting Ltd: While commenting on the role of hash values in identifying the impugned data by the investigation agency in Peer to Peer Network and its admissibility in the court, it was observed that “the hash value is a reference code comprising a string of letters and numbers, which is used to identify each piece of the content to be shared. This enables the tracker to recognize pieces of the content file as they are shared and is intended to ensure that the content files are correctly downloaded and unmodified.”
  • Lorraine v. Markel:The court dealing with the issue search by Hash Value also observed that it would narrowly restrict the searched of digital devices and observed that “A file can be mislabeled; its extension (a sort of suffix indicating the type of file) can be changed; it can actually be converted to a different file type (just as a chat transcript can be captured as an image file, so can an image be inserted into a word-processing file and saved as such).  Any of these manipulations could change a document’s hash value. And in any event a limited hash-value search would not have turned up any chat transcripts (which, again, can be saved as image files)”

CONCLUSION

Thus, the hash value is internationally accepted scientifically attested means to authenticate the reliability and authenticity of the electronic evidence which has also been recognized as admissible by the Courts in USA as well as various other digitally advanced countries. The provision of Information Technology Act, 2000 also recognize the hash value as unique and MD5 & SHA-2 as the standard hash function attuned to International Standards.Therefore, before seizing any of the digital evidence, their hash value must be calculated using forensic tools such as cyber check or duplicator or anything else. There will be a report generated by these tools which can be attached along with the panchnama and it can be concluded from the above-mentioned guidelines that any digital evidence does not have any evidentiary value if the hash value is not taken into account while considering it. 

Author: Priyanka Jaiswal

EditorAdv. Aditya Bhatt & Adv. Chandni Joshi

Are WhatsApp messages admissible in court of law?

Chandni Joshi , , , ,

Are WhatsApp messages admissible in court of law?

The world around us is continuously evolving. The technology has laid down its foundations in every nook and corner of the world. In the present scenario of our country with ever-expanding technology ambiance, the admissibility of e-evidence has become the most germane issue. The advancement of technology brought a drastic change in the mode of communication of people.

Whatsapp chats, emails, text messages have become a prevalent mode of communication. Nowadays various electronic evidence such as DVD, hard-disk, SMS, mail site, etc is produced as evidence in court.

Applicability of law has to always resonate with technology advancement. The Indian computerized system began with the introduction of the Information Technology Act, 2000. This act inserted section 65A and 65B in the Indian evidence act 1872 which deals with the acceptability of electronic evidence in the court of law.

Admissibility of E-evidence; Are WhatsApp chats and E-mails admissible in Court? - Lawyers Blog Vkeel

Meaning Of Evidence 

The term evidence is defined under section 3 of the Indian evidence act 1872. Section 3 of the act includes the following

  1. Every statement which the court allows to be made by witnesses pertaining to the matter under investigation, such explanations are said to be oral evidence
  2. All documents including e-records produced in the court of law for its inspection, such documents are referred to be as documentary evidence.

Besides this, documentary evidence can be classified into two categories- primary evidence and secondary evidence. As per section 62 of the act, primary evidence means the original copy of the documents produced in the court for review. The legal definition of secondary evidence is given under section 63 of the act.

Secondary evidence is not the original document but those documents referred under section 63. It includes a copy of the original document, certified copies. Though a copy of a copy is not acceptable as evidence, those copies produced by mechanical process and copies of a copy compared with the original are admissible as secondary evidence.

Electronic Evidence 

IT act 2000 was amended in the year 2016 to include digital/electronic evidence as admissible evidence. Section 2 (1) (t) of the above act gives the legal definition of the electronic record. The electronic record refers to data, data produced image or sound, and any document sent or received in electronic form or computer-generated electronic data. Electronic data that is transmitted or stored digitally is admissible under section 63 of IEA as secondary evidence.

Section 64 of the act mandates that the content of documents should be proved by primary evidence but section 65 lists few exceptions to it. Section 65 clause (a)(c) and (d) provides for the circumstances where secondary evidence pertaining to the documents is held to be admissible. As per section 65-A, the content of the e-record has to be proved according to the guidelines laid down in section 65-B.

 

Section 65A-B is special legislation different from the documentary evidence procedure laid down in sections 63 and 65.  As per these sections, if the conditions listed below are complied by, then the data stored in electronic form which is printed/copied/stored or created by computer would be regarded as a document. Such documents would be admissible in the court of law without the need for an original copy or direct evidence. 

Conditions for admissibility of computer-outputs are listed in section 65-B (2)- 

  • The computer from which information of electronic record is obtained should have been regularly in use to save/process information for a regular activity carried by an individual having lawful control over it.
  • During feeding of information, the computer should have been working properly
  • Information in electronic-record should be of such nature that it is on a regular-basis fed into the computer during ordinary-activities.
  • Information contained in electronic-record should be a derivation or reproduction of the information stored/fed into the computer

Section 65-B(4) lists the conditions which need to be followed to record statement pertaining to the electronic record-

  • There has to be a certificate that recognizes the electronic record which contains the statement. That certificate –
  • Should describe the manner through which electronic-record is produced.
  • Mention all particulars of the device involved in such production
  • Should take care of conditions of Sec-65B(4)(explained above)
  • Signed by the responsible official which dealt with the operation of that device
  • Such certificate should also accompany the electronic record, for instance, computer printouts pertaining to which statement is sought to be given in evidence

Such safeguards need to be taken while dealing with electronic-evidence to ensure its authenticity.

Judicial Precedents Over Admissibility Of Electronic Records

The court in State (NCT of Delhi) v. Navjot Sandhudealt with the issue of admissibility of evidence of call records. The accused questioned the authenticity of the evidence and alleged that such evidence shouldn’t be held admissible as procedure laid down in section 65B clause 4 was not followed.

The court held evidence of call records to be admissible as they were taken from the computer by a mechanical procedure and certified by an official. The court observed that irrespective of following the conditions laid down in section 65B, a person is not proscribed to adduce secondary evidence under sections 63 and 65 of the Indian evidence act. The court held that merely because conditions of section 65B(4) are not fulfilled, that doesn’t bar adducing the same evidence under other provisions of the act.

Whether WhatsApp chats are primary evidence or secondary evidence?

In the case of Girwar Singh v. CBI, the court-appointed a committee to examine the veracity and authenticity of electronic evidence. It was found that the evidence submitted to the court was not a copy of the original document, but it was copied multiple times and on various devices. The court ruled that in this case, e-evidence was inadmissible.

Similarly, in the case of Vikas Garg v state of Haryana, the trial court relied on WhatsApp conversation to convict the accused of the offence of rape. Later on, Punjab and Haryana high court ignored the chats which were incontestable evidence of rape and abuse of the victim. Supreme Court stayed the bail application of the accused and the matter is still pending in the court.

Whether the condition of certificate u/s 65-B(4) mandatory?

Anvar P.V. Versus P.K. Basheer is one of the important judgments where the court discussed several issues regarding the admissibility of electronic evidence in the court of law. The court observed that secondary evidence stored in CD/DVD/drive is inadmissible u/s 65A and 65B unless it complies with the condition of the certificate mentioned in section 65-B (4).

Conditions mentioned in section 65-B(4) discussed above are necessary to comply to ensure the authenticity of the electronic evidence. The court further held that e-evidence submitted without certificate can’t be held admissible by oral evidence and not even by the statement of experts under section 45A of the act.

Electronic records could easily be affected, tampered with, changed, transposed, or damaged and so forth without such safeguards, the entire trial dependent on verification of electronic records can eventually lead to injustice. The court, in this case, ruled that secondary evidence of electronic evidence shall be entirely governed by section 65A-B of the act, and sections 63 and 65 have application in such cases.

In contrast to Anvar case the court relaxed the certificate condition of section 65-B(4) in case Shafi Mohammad v. Territory of H.P [5] in certain scenarios – a) when the device from which the document is produced is not in the possession of the party b) this condition being a procedural one could also be relaxed in the interest of justice.

The two contrasting positions regarding certificate were finally settled in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal & Ors[6]. The court held that the condition of the certificate mentioned under section 65B (4) is mandatory for secondary evidence of electronic data to be admissible in court.

The court further reasoned that this condition is redundant if the original document is itself produced. If the device in which the original information is first stored is brought in the court, compliance with the conditions of section 65-B (4) is not necessary.

Few conditions to be satisfied for admissibility of WhatsApp chats as secondary evidence

As held in various Indian high courts, WhatsApp chats are considered to be electronic evidence and are admissible in court if the following conditions are satisfied-

  • The receiver should have received the message.
  • Cell phones should not have been damaged.
  • The sender should have the mens rea to send those messages.

Significance of blue ticks

In SBI cards and payment services Pvt. Ltd. v. Rohit Jadhav the court observed that if blue ticks are seen over the messaging app, it would be conclusive proof that the receiver has received the message and it would be considered legitimate evidence.

In another case Shamsudin Bin Mohd. Yosuf v. Suhaila Binti Sulaiman, the high court held that even in the case where most of the communication takes place on WhatsApp, there was an oral valid agreement between the parties. 

Conclusion

Whatsapp chats are admissible as secondary evidence in the court of law if certain conditions as discussed above are satisfied. The Judiciary’s stance over the admissibility of electronic evidence is to ensure its credibility and evidentiary value as such evidence could be easily damaged or tampered with.

This progressive stance of courts is the outcome of recognizing the nature of the e-record itself. Current legislation and precedents regarding the admissibility of electronic evidence present a myriad of issues that still remains unresolved. Issues pertaining to the procedure of preserving them, ascertaining their veracity, finding original authors, retrieving them, are still being debated and a progressive precedent in this penumbral area is awaited.

The jurisprudence over the admissibility of electronic evidence is still in its nascent stage even after two decades since the IT act of 2000 was passed. The applicability of laws should resonate with the development of technology. It is expected that in recent years the present lacuna in law would be addressed by amendments and progressive judgments.

Chat with us | Bhatt & Joshi Associates