“Cross-examination, — the rarest, the most useful, and the most difficult to be acquired of all the accomplishments of the advocate…. It has always been deemed the surest test of truth and a better security than the oath.” – Cox
Digital evidence is becoming a major source of evidence in any crime today. This non-technical guide will explain technical concepts in simple terms.
If you’re a defence criminal lawyer handling cases that involve pieces of digital evidence such as IP addresses, CDRs, videos, images, chat history, emails and downloaded digital materials, as well as more technical items like cache, slack space, hash values, forensic copies, timeline artifacts and metadata, then this guide will be helpful.
I’ll explain what questions I had when tasked with cross-examining an investigating officer in one of India’s first cyber terrorism cases.
Questions like: “What do I ask for?” “Is the evidence relevant?” “What does this item in the forensic report mean?” “How to impeach the witness?” “How to tackle contradicting answers?” “How to explain the technical aspect to the judge?”
This guide will show you how to cross-examine on digital evidence like a PRO and win cases.
Here’s how to enhance your cross-examination skills for more success.
Getting Started
The purpose of Cross-Examination
The purpose of cross-examination is to impeach the accuracy, credibility and general value of evidence given in examination-in-chief.
Why cross-examine at all?
Because it is the best method available to rebut the prosecution version and journey towards ascertaining forensic truth. It is one of the most powerful and valuable weapons for testing the veracity of a witness and the accuracy and completeness of the story.
What are the limits of cross-examination?
You can’t go outside of the facts and merits of the case. Finally, your question comes down to the relevance and importance of the defence to elicit the truth from the witness.
Indian Laws and Cross-Examination
In India, a witness may be examined in both civil and criminal cases.
Criminal cases: The Code of Criminal Procedure along with the Indian Evidence Act, 1872 provide various guidelines to examine a witness, viz., examination-in-chief, cross-examination, and re-examination.
Civil cases: The plaintiff has the right to begin under Order XVIII, Rule 3 of the Code of Civil Procedure.
Questions to ponder:
What is Chief Examination?
When a party examines a witness it has called, that is the chief-examination. Such a witness is also called a prosecution witness.
What is Cross-Examination?
When the adverse (opposite) party examines the witness to refute the chief-examination and elicit the truth, it is called cross-examination. It is covered under Section 137 of the Indian Evidence Act.
Develop your own style and approach
There is no straitjacket formula when it comes to the style and presentation of your cross-examination. Each advocate has their own approach and has a distinct voice, body language, and appearance.
However, you can apply certain established principles as a guiding light.
- Don’t mumble or whisper.
- Don’t read word-to-word from prepared notes.
- Maintain direct eye contact.
- Ask questions using plain and direct words. No mumbo jumbo.
- Only Leading Questions.
- Only 1 new fact per question.
- Only leading to a specific conclusion.
Irving Younger’s Ten Commandments
You should apply Irving Younger’s Ten Commandments of cross-examination if at all possible. They are as follows:
- Be brief;
- Use plain words;
- Ask only leading questions;
- Be prepared;
- Listen carefully;
- Don’t argue with witnesses;
- Avoid repetition;
- Limit witnesses’ explanations;
- Limit questioning; and
- Save the main point for your closing address
Order of Cross-Examination
Strategically Prepare Your Cross-Examination
Here’s the truth:
If you want your case to succeed, you need to prepare.
No useful cross-examination will be achieved without thorough preparation.
Is it really necessary to cross-examine this particular witness? Will it strengthen or weaken your case?
Take a moment and think aloud. If your answer is simply ‘NO’, then don’t cross-examine the witness.
Prepare based on ‘TONS’ of case documents
- Chief-examination
- Exhibits
- FSL Reports
- CDR
- Hard-disk
- SMS and WhatsApp Chats
- Google location services, and cellular location cases.
- CCTV Footage
- GPS Data
- Compact Disc (CD)
- Voluntary Statement
- Practice and Procedures
- Caselaws
- Legislations
Unearth critical data from the digital evidence
Your case may have ‘TONS’ of data involving digital evidence such as CDRs, CCTV footage, videos, images, social media posts, WhatsApp chats, IP addresses, etc. Carefully review and identify critical pieces of data that support your case.
If digital evidence is not properly handled, there’s a possibility of alteration, revision or even deletion of crucial information.
As a defence lawyer, you must equip yourself with the knowledge, skills, education and training to handle shaky evidence of the prosecution and police through vigorous cross-examination, presentation of contrary evidence and careful instruction on the burden of proof.
Focus on the areas of attack
- Bias
- Lack of thorough investigation
- Credibility
- Impeachment
- Qualifications
- Methodology
- Personal Opinion
- Insufficiency of Reports
Examining Expert Witnesses
Investigation Officer as Police Witness
How do you get the police witness to give you conceding answers?
An expert cross-examiner will tell you that when handling police witnesses, all you need to do is to familiarise yourself with the police acts, procedures and rules that govern their behaviour.
Questions to ask in the cross-examination:
- Do you have the know-how on how to recover original evidence?
- Do you know what the Chain of Custody principle means?
- Are you trained in proper evidence recovery?
- Did you properly document the Chain of custody?
- You did not encrypt the files downloaded from the email account.
- I suggest that no documents of any evidentiary value or investigative interest were found on the devices.
- I put it to you that no documents, pictures, HTML files, and text fragments of any investigative interest were located incriminating the accused.
- You did not bring on record any documentation that outlines the steps taken during the enhancement process of the images/videos.
Forensic Witnesses (FSL Labs in Bengaluru)
- Whether due diligence was conducted?
- Whether procedure was violated?
- What kind of certification have you obtained?
- Are you comfortable working with various different video file formats and file types?
- Do you understand the importance of maintaining pixel integrity during forensic video enhancement?
- Did you document the BIOS information and compare the system time to a trusted time source?
- I suggest that you did not power off before making any changes to the BIOS.
- I suggest that you did not find any deleted files that contain incriminating materials.
- You failed to record the file data, including file names, dates and times, physical and logical size, and complete path.
- I suggest that no incriminating materials were found in the unallocated and slack space.
Expert Witnesses
Does the witness have the requisite technical skills and knowledge of the subject matter?
What are their credentials?
How many years of experience do they have as an expert witness?
What kind of certification have they obtained?
Making Sense of Digital Evidence: A Simplified Guide
The handling of digital evidence is a key factor to determine whether the evidence presented by the prosecution is tainted or tampered with.
What is digital evidence?
Digital evidence may come into play in any serious criminal investigation where the crimes were committed using computers, mobile phones or any other digital devices. Serious crimes include murder, stalking, car-jacking, burglary, counterfeiting, extortion, gambling, piracy, property crimes and terrorism.
What Is Digital Forensics?
Digital forensics is a specialisation within the forensic field that involves identifying, acquiring, and analysing evidence found on electronic devices such as computers, mobile phones, digital kiosks and IoT devices.
Can a deleted file be recovered?
Yes. When a file is deleted, traces of the file may be found elsewhere on the system, and a digital forensic examiner can perform an advanced search and recover deleted files using digital forensic tools. The technique is commonly called data carving or file carving.
4 Major Steps in Processing of Digital Evidence
The four major phases involved in the initial handling of digital evidence are identification, collection, acquisition, and preservation.
Search and Seizure Issues (Acquisition)
Integrity of Digital Evidence (Preservation)
The International HighTech Crime Conference in 1999 adopted the following guidelines to preserve admissibility of digital evidence:
- Upon seizing digital evidence, action should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person must be forensically competent.
- All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
- Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Questions to ponder:
- Whether the prosecution’s presentation of digital evidence is reliable?
- Do you know that even a single error during footage recovery can be enough to prove an integrity violation of the evidence?
Question about the reliability of ‘volatile evidence’:
- registers, cache
- routing table, ARP cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
Preparation for Legal Proceedings (Documentation)
Digital Evidence Rules as per Indian Evidence Act
Presentation of Digital Evidence (Presentation)
Digital Forensics for Lawyers
When you find that the prosecution has not followed a thorough procedure in authenticating the evidence, confront the witness with the point that the record of evidence they rely on is not properly authenticated.
Moving Pieces of Digital Evidence
Digital evidence is not restricted only to crimes (hacking) committed using computers and mobile phones, but is now found in every crime category.
Cross-Examination in Narcotics Cases
Cross-Examination in Criminal Cases
Cross-Examination in Cyber Terrorism
Cross-Examination in Social Media Cases
CCTV footage, photographs, videos and written plans should also be inspected to aid your preparation.
Indian Laws and Electronic Evidence
The concept of “electronic evidence” has been introduced in India due to the fast growth of digital transformation.
In 2000, the Information Technology Act (“IT Act”) was enacted, which brought in corresponding amendments to the Indian Evidence Act, 1872 (“Evidence Act”), Indian Penal Code, 1860 (“IPC”) and the Bankers Book Evidence Act, Reserve Bank of India Act etc., to make digital evidence admissible.
Section 3(2) of the Indian Evidence Act: All documents, including electronic records, produced for the inspection of the Court are called documentary evidence.
The amendments carried to the Evidence Act by introduction of Sections 65-A and 65-B are in relation to the electronic record.
Digital evidence and its admissibility in the Indian courtroom
Sections 67-A and 73-A were introduced as regards proof and verification of digital signatures. As regards presumption to be drawn about such records, Sections 85-A, 85-B, 85-C, 88-A and 90-A were added. These provisions are referred only to demonstrate that the emphasis, at present, is to recognise the electronic records and digital signatures, as admissible pieces of evidence.
Certificate of Authenticity: Section 65B(4) of the Evidence Act provides for the non-technical conditions being the requirement of a certificate of authenticity.
Rules of Cross-Examination under the Indian Evidence Act
S.138: Stick to the relevant facts. But don’t confine yourself only to the chief-examination.
S.140: Witnesses to character may be cross-examined and re-examined.
S.145: Cross-examining a witness relating to previous statements made in writing.
S.146: Check the credibility of the witness.
S.147: Witness cannot escape from answering any relevant questions put to him.
Questions to ponder:
Is 65B certificate mandatory?
The Hon’ble Apex Court in India has made it clear through its decision that the certificate under Section 65B of the Evidence Act is mandatory when submitting electronic documents (email, chat, SMS, social media posts) to the court.
Which documents are not admissible in evidence?
Secondary data found on external storage media such as hard disks, CDs/DVDs and USB drives is not admissible in Court proceedings without a Certificate of Authenticity as mandated by S.65B(4) of the Indian Evidence Act, 1872.
Is video recording admissible in court?
Yes, both video and audio recordings are admissible, subject to the submission of a 65B certificate and to the satisfaction of the court about the origin of such data.
Technical Concepts in Digital Evidence
Digital evidence: Information stored or transmitted in binary form that may be relied on in court.
IP address: An Internet Protocol (IP) address is a unique number assigned to every device on a network.
MAC address: Media Access Control address is a unique identifier assigned to a network interface controller for use within a network.
Static IP address: An IP address that does not change.
Dynamic IP address: An IP address that changes from time to time, unlike a static IP address.
Public IP address: A public IP address is used to access the Internet.
Private IP address: An IP address that is not routed on the Internet; no traffic can be sent to it from the Internet, as it works only within the local network.
Electronic Record: Under Section 2(1)(t) of the IT Act, the term “electronic record” means data, record or data generated, image or sound stored, received or sent in an electronic form or micro-film or computer-generated micro fiche.
Cloud Computing: Software, applications and digital storage that is accessed on the Internet through a web browser or desktop or mobile app.
Encryption: Any procedure used in cryptography to convert plain text into cipher text in order to prevent anyone but the intended recipient from reading that data.
Forensic Wipe: A verifiable procedure for sanitising a defined area of digital media by overwriting each byte with a known value; this process prevents cross-contamination of data.
Hashing: The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.
Log File: A record of actions, events, and related data.
Metadata: It refers to the data and information that is part of or attached to some other more obvious piece of data.
Data: It means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. Section 2(1)(o) in The Information Technology Act, 2000.
Bit stream Image: A copy of virtually everything included in the drive, including sectors and clusters, which makes it possible to retrieve files that were deleted from the drive.
File Signature: A signature analysis is a process where files, their headers and extensions are compared with a known database of file headers and extensions in an attempt to verify all files on the storage media and discover those which may be hidden.
Forensic Artifact: An object that has forensic value, meaning any object that contains data or evidence of something that occurred, such as logs, the registry and its hives, to name a few.
Cache: An area or type of computer memory in which information that is often in use can be stored temporarily and accessed especially quickly.
Malware: It is the collective name for a number of malicious software variants, including viruses, ransomware and spyware.
Chain of Custody: The chain of custody proves the integrity of a piece of evidence.
Probative value: It means the extent to which the evidence could rationally affect the assessment of the probability of the existence of a fact in issue.
Compressed file: A file that has been reduced in size through a compression algorithm to save disk space.
BIOS: Basic Input Output System. The set of routines stored in read-only memory that enables a computer to start the operating system and to communicate with the various devices in the system such as disk drives, keyboard, monitor, printer, and communication ports.
Steganography: The art and science of communicating in a way that hides the existence of the communication. It is used to hide a file inside another.
Forensically clean: Digital media that are completely wiped of nonessential and residual data, scanned for viruses, and verified before use.
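The "Hashing" and "File Signature" entries above can be made concrete with a short Python sketch. This is an added example, not part of the original guide: the sample bytes, file names and the small signature table are constructed for illustration, and SHA-256 is assumed as the hash algorithm.

```python
import hashlib

# Constructed table of file signatures ("magic numbers"); a real forensic
# tool compares against a far larger database of headers.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

def sha256_hex(data: bytes) -> str:
    """Hash value that stands in for the data in the custody record."""
    return hashlib.sha256(data).hexdigest()

def verify_copy(recorded_hash: str, copy: bytes) -> bool:
    """True only if the working copy still matches the hash recorded at seizure."""
    return sha256_hex(copy) == recorded_hash.strip().lower()

def detect_type(data: bytes):
    """Return the type implied by the file header, or None if unknown."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def signature_mismatches(files: dict) -> list:
    """List (name, claimed extension, type found in header) for disguised files."""
    findings = []
    for name, data in files.items():
        claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed = "jpg" if claimed == "jpeg" else claimed
        actual = detect_type(data)
        # Plain text has no header signature, so "unknown" is not a finding.
        if actual is not None and actual != claimed:
            findings.append((name, claimed, actual))
    return findings

# Constructed sample data: an "image" of seized media and a copy with one bit changed.
ORIGINAL = b"\xff\xd8\xff\xe0" + b"constructed sample evidence bytes" * 4
ALTERED = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]

# Constructed sample files: notes.txt is really a PDF renamed to look like text.
SAMPLE_FILES = {
    "holiday.jpeg": b"\xff\xd8\xff\xe0 image data",
    "notes.txt": b"%PDF-1.7 renamed document",
    "report.pdf": b"%PDF-1.4 ordinary report",
    "readme.txt": b"plain text, no signature",
}

if __name__ == "__main__":
    recorded = sha256_hex(ORIGINAL)
    print("untouched copy verifies:", verify_copy(recorded, ORIGINAL))
    print("one-bit change verifies:", verify_copy(recorded, ALTERED))
    print("signature mismatches:", signature_mismatches(SAMPLE_FILES))
```

For cross-examination, the first check is the one to look for in the FSL report: a hash recorded at acquisition and the same hash recomputed on the copy that was actually examined.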
Landmark Judgments on Electronic Evidence
- Shafhi Mohammed v. State of Himachal Pradesh 2018 (2) SCALE 235
- Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal & Ors 2019 SCC OnLine SC 1553
- Kundan Singh v The State 2015 SCC OnLine Del 13647
- Paras Jain and Others v State of Rajasthan 2015 SCC OnLine Raj 8331
- Pravata Kumar Tripathy v Union of India 2014 SCCOnLine 407
- Shamsher Singh Verma v State of Haryana (2016) 15 SCC 485.
- Union of India and Others v CDR Ravindra V Desai (2018) 16 SCC 272
- Abdul Rahaman Kunji v. The State of West Bengal 2014 SCC OnLine Cal 18816
- Babu Ram Aggarwal v Krishan Kumar Bhatnagar & Ors. 2013 SCC OnLine Del 324.
- M/s. Xact Studio International v M/s. Liwona SP. Z.O.O 2018 SCC OnLine Del 9469
- S. Karunakaran v Srileka 2019 SCC OnLine Mad 1402
- Syed Asifuddin v State of Andhra Pradesh 2005 SCC OnLine AP 1100
- Dharambir v Central Bureau of Investigation 2008 SCC OnLine Del 336
- State (NCT of Delhi) v Navjot Sandhu (2005) 11 SCC 600
- R.M. Malkani v State of Maharashtra (1973) 1 SCC 471
- Sanjaysinh Ramrao Chavan v Dattatray Gulabrao Phalke (2015) 3 SCC 123
- Puneet Prakash v Suresh Kumar Singhal & Anr 2018 SCC OnLine Del 9857
- K.K. Velusamy v N. Palanisamy (2011) 11 SCC 275
- Havovi Kersi Sethna v Kersi Gustad Sethna 2011 SCC OnLine Bom 120
- Ram Kishan Fauji v State of Haryana, 2015 SCC OnLine P&H 5058
- Om Prakash v Central Bureau of Investigation (CBI), 2017 SCC OnLine Del 10249
- M/s ICICI Bank Limited v Gurdev Singh, 2018 SCC OnLine Del 6934
- Central Electricity Regulatory Commission v National Hydroelectric Power Corporation Ltd. & Ors. (2010) 10 SCC 280
- Dr. Madhav Vishwanath Dawalbhakta v M/s. Bendale Brothers 2018 SCC OnLine Bom 2652
- Tata Sons Limited & Ors. v John Doe(s) & Ors 2017 SCC OnLine Del 8335
- SBI Cards & Payments Services Pvt. Ltd. v Rohidas Jadhav 2018 SCC OnLine Bom 1262
Next Steps
Digital evidence and FSL reports overwhelm you? Want advice on improving cross-examination skills to win your next case? Let me know, I’ll be happy to help.