Editor’s note: This article continues our four-part series written by Mr. Santosh Khadsare, our guest digital forensics expert from New Delhi, India, based upon his recent LinkedIn series, #25Days25Questions. Part 1 and Part 2 have been published. More about Mr. Khadsare is in his bio below.
On 18 August 2020, #25Days25Questions was started on LinkedIn. Every day a question was posed to the enthusiastic digital forensic community, and the next day I posted my comments/views on the same. The idea of the 25 days 25 questions (#25Days25Questions) initiative was to achieve three major purposes:
- Creating a common forum for the DFIR professionals to interact and share their thoughts.
- Increasing the core knowledge base in an interactive mode.
- Networking with professionals who are working in this niche area.
I have summarised all the responses, including mine, to get a consolidated reply to the question posed. Everyone who has responded has equal credit to the final answer.
For a digital forensics professional, is knowledge of cyber laws a must? If yes, why?
(Originally asked on Day 12)
The answer to this question is ‘Yes and No’ but more tilting towards ‘Yes’. Digital forensics is a techno-legal field and the author of the digital forensic report has to be deposed as an expert witness in the court of law. So the person preparing the report has to have knowledge about the cyber laws of the land they are in, for the following reasons.
- As a digital forensics professional, you will need to know what your rights, duties, liabilities and privileges are when you are dealing with an investigation (both internal and governmental). Knowledge of law helps you with this understanding.
- As a digital forensics professional, you are often expected to offer expert opinion in a court or other judicial and quasi-judicial forums. Without the basic awareness of law, you will not be able to address the legal forums and explain your opinion during cross examination.
- As a digital forensics professional, you are a technical expert. However, in a legal forum, your audience cannot be expected to be as technical as you are. So you need to speak their language. Knowledge of law helps you in explaining your findings and expert opinions in a way that relates to your audience and helps you in your profession.
- Many opine that the knowledge of cyber laws alone is not enough for a digital forensics professional. They should also know the realms within the evidence act, general jurisprudence, criminal procedure codes, civil procedure codes, and broad knowledge about the treatment of evidence, as well as what becomes evidence and when.
- While having good knowledge in law is strongly recommended, the lack of a law degree, or lack of knowledge in law, does not prevent a digital forensics professional from practice or expert testimony. The nature of the profession is technical and requires them to deal with digital devices and find digital evidence based on the case requirements. In this scenario, the technical capabilities are far more important than the legal capabilities of the digital forensics professional. Without the required competency in technical aspects, the professional will not do justice to their profession.
- Digital technology is advancing and getting more complex day by day, which can challenge digital forensics professionals, investigators, and the judiciary. This makes a strong case for acquiring cyber law competency from the very beginning and remaining attuned to the emerging challenges of the future.
- With the increasing use of AI, building cyber law engines in AI would definitely require knowledge of cyber laws.
Can anyone without qualifications but with experience be deposed as an expert witness in a court?
(Originally asked on Day 2)
Globally there are no fixed qualifications for a digital forensics expert to be deposed as an expert witness in a court of law, and anyone with sufficient experience and skills can depose a subject to the court. An expert should have experience, knowledge and skill set in the subject matter.
In an Indian context, an expert is a person who has devoted time and study to a special branch of learning, and thus, is especially skilled on those points on which they are asked to state their opinion. Under Section 45 of the Indian Evidence Act of 1872, “expert” means “one who is a specially skilled person.” The testimony is based on sufficient facts or data and is the product of reliable principles and methods.
However, in courts it has become a norm that the expert needs the basic qualification (minimum Bachelor’s degree in computer science or IT) in addition to forensics courses. The greatest emphasis is on continuous training, as technology changes at a very fast pace.
In practice, though — especially in quasi-judicial organizations and quasi-judicial courts — certain relaxations may be applied to an investigating officer when they depose on a matter which requires a domain expertise, but which is not available through tutoring and university qualifications, only through years of experience in the field.
Whoever is giving their professional opinion should, regardless, be substantially equipped with knowledge and be in a position to understand the various aspects of the technology in all possible ways, along with day-to-day changes and updates.
If a digital forensics laboratory is notified by the government / Notifying Agency, but the expert who signed the forensic report has left or is not available, can the present incumbent depose on their behalf as an expert witness?
(Originally asked on Day 2)
In the present scenario, one can never testify for another in court. Questions such as, “Where is the author of the final report?” will be asked by the court.
The court may ask for re-examination, and hence the original examiner’s technical notes will be crucial. Another important question is, “Can another expert in the field re-create the outcome and findings based on the acquisition of evidence?” If you go by the cardinal rules of digital forensics, the same evidence should be retrieved by a different analyst and a different tool.
Another viewpoint is that the answer to the question is both ‘Yes’ and ‘No’:
Yes, when the opinion and facts shared in the report are completely objective and do not contain any subjective or personalized interpretation of the data. Further, the non-availability of the original examiner should be well substantiated with proper documentation and approved by the court.
The answer will be No if the report involves subjective interpretation of the data by the original examiner. In subjective interpretations, the original examiner would have examined the evidence based on a particular context as provided by the investigation team. This context is not available to the new examiner, who is expected to depose on the report.
Under such circumstances, the new examiner will be deposing based on just the report (which in most cases is self-explanatory). She will not know the context and will not be able to be fair in her deposition. In this scenario, her deposition cannot be accepted.
My take: we need to change with time and technology. Let me explain by giving the Indian context, which may be true even globally:
Section 79A of the Information Technology Act of 2000 (India) mandates the Central Government to notify the department, body or agency — not the expert — as an Examiner of Electronic Evidence (EEE) for the purposes of providing expert opinion on electronic forms of evidence before any court or other authority.
There are some teething problems. In law enforcement agencies and government, the tenure of the laboratory in charge is fixed. When the expert moves to their next appointment or retires, they no longer have access to their previous laboratory, reports, or preserved artefacts. Again, in India, laboratories are notified and not experts.
The digital forensics laboratory is notified after finding that its people, process and procedures are in place. Hence, even if there is a change of the analyst / expert, the processes and procedures remain the same even if the analyst / expert may not be available. In my opinion, if the incumbent is qualified and skilled, he should be allowed (is allowed) to be deposed.
What are the statements that a digital forensics analyst / investigator / expert should use in a report and a court?
It is knowledge, training and experience that form the opinions, so they are valid in a court of law. A comment is warranted to clarify, based on the expertise of the examiner.
The following statements are recommended to be used by the digital forensics analyst / investigator / expert in their report or while deposing as an expert witness.
- ‘Sound digital forensic techniques’
- ‘My professional opinion is…’
- ‘The evidence indicates…’
- ‘Possible but not probable’
- ‘Based on my knowledge…’
- ‘The statement of fact is…’
- ‘Consistent with…’
- ‘Inconsistent with…’
- ‘Within a reasonable degree of scientific certainty, I can state…’ (editor’s note: in the United States, this phrasing is now discouraged.)
Participation in #25Days25Answers
As anticipated, a wide spectrum of participants, including enthusiasts, new entrants, professionals, experts, mentors and even academia, took interest and put forth their views in these 25 days. A few of the participants and their designations are listed below.
- Barath Rajagopalan J Iyer, ACIArb, CMO, Founder & Director – SourceData Consulting
- Prince Boonlia, Editor In Chief at Digital Forensics (4N6) Journal
- Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite & SANS Senior Instructor, DFIR Co-Curriculum Lead and Author
- Richard Saylor, Computer Crimes Program Manager at U.S. Army Criminal Investigation Command
- Venkatesan Owner, Lab Systems India Pvt Ltd
- Jessica (Ceres) Hyde, Director, Forensics at Magnet Forensics
- Michael Smith, Cybersecurity, Privacy & Disaster Response
- Rajesh Kumar, Certified Cyber Forensic Professional at State Forensic Science Laboratory, Patna
- Anupam Tiwari, IT Security Enthusiast and Blockchain Learner
- Patrick Siewert, Founder & Principal Consultant, Expert Witness, Nationwide Instructor
- Patrick Eller, CEO – Digital Forensic Examiner – Expert Witness
- Amrit Chhetri, DFIR & AI Researcher
- Aman Agarwal, Cyber Crime Investigator and Incident Responder
- Nikhil Sood, Information Security Auditor
- Om Salamkayala, Digital Forensics Professional
- Kashish Srivastava, Intern @Noida CyberCell
- Rohit Tiwari, SOC Trainee at SOC Experts
- Vipin George, Cyber Forensic Consultant, Kerala Police Academy
- Piyush Kohli, Cyber Threat Engineer – Global Threat Operations
- Bikash Halder, Cyber Security Analyst
- Atoshe Lohe, Managing Director at INsoftware & Solution/Institute of Information Security and Computer Forensic.
- Shreya Koley, Summer Intern at KPMG
- Shubham Sangwan, Intern at Gurugram Police
- Kanishka Joshi, Actively seeking opportunities in Auditing and Compliance
About The Author
Mr. Santosh Khadsare is a Digital Forensics Expert from India with two decades of experience and presently heads a Digital Forensic Laboratory at New Delhi, India. In addition to his Bachelor’s degree, he possesses additional qualifications such as CHFI, CEH, RHCSA, Advance Cyber Forensic Course (CDAC), Cyber Crime Investigator, IVTA (CMU, Pittsburgh USA), etc. He has rich experience in the field of Information Security, Digital Forensics, Cyber Audit, Cyber Laws and Incident Response. He has been a speaker at various national / international conferences and has also authored various articles on information security and Digital Forensics in reputed publications.
Email : firstname.lastname@example.org
Linkedin : https://www.linkedin.com/in/santosh-khadsare-3539a818/