Part 2 / 7

Evidence Identification and Collection

🕑 60-90 minutes 📖 Intermediate Level 📋 Module 2

Introduction

Correctly identifying and collecting digital evidence is the most critical phase of a cyber crime investigation. Mishandling can render evidence inadmissible in court or allow it to be tampered with. In this part we learn a systematic approach that maintains evidence integrity.

📚 Learning Objectives

By the end of this part, you will be able to identify digital evidence, follow proper collection procedures, and apply forensic imaging techniques.

Identification Techniques

Evidence identification involves recognizing and prioritizing potential sources of digital evidence at the crime scene.

Crime Scene Assessment

When the investigator arrives at the crime scene, a systematic assessment comes first:

  • Scene Security: Secure the area and prevent unauthorized access
  • Documentation: Take photographs and notes of the scene
  • Device Inventory: Identify all electronic devices
  • Network Mapping: Note connected devices and the network topology
  • Volatile Evidence: Prioritize time-sensitive evidence

Potential Evidence Sources

💻 Computers
Desktops, laptops, servers: check hard drives, RAM and connected peripherals

📱 Mobile Devices
Smartphones, tablets, smartwatches: collect the charging cables as well

💾 Storage Media
USB drives, external HDDs, memory cards, CDs/DVDs

🌐 Network Devices
Routers, modems, NAS devices: their logs contain valuable evidence

Important Consideration

Never operate the evidence device directly. If a computer is running, capture volatile data first, then follow the proper shutdown procedure. Place mobile devices in a Faraday bag.

Evidence Prioritization - Order of Volatility

During evidence collection, keep the order of volatility in mind and collect the most volatile evidence first:

  1. CPU Registers, Cache: Lost within nanoseconds
  2. RAM Contents: Lost when power is removed
  3. Network Connections: State of active connections
  4. Running Processes: Currently executing programs
  5. Temporary Files: May soon be overwritten
  6. Hard Drive Data: Relatively stable
  7. Remote Logs: Server-side evidence
  8. Archival Data: Backups, offline storage

Collection Process

Evidence collection is a systematic process that ensures the integrity of the evidence.

Collection Steps

  • Scene Documentation
    Photography, videography, and detailed notes. Document everything: the device's state (on/off), what the screen displays, connected cables.
  • Volatile Data Capture
    If the device is on, capture RAM with specialized tools (such as FTK Imager or Magnet RAM Capture). Note running processes and network connections.
  • Device Isolation
    Place mobile devices in a Faraday bag. Disconnect network cables. Remove batteries (where possible).
  • Physical Collection
    Use anti-static bags. Label properly. Initiate the chain of custody form.
  • Transportation
    Transport the evidence in a secure environment. Protect it from extreme temperatures and magnetic fields.

Live System vs Dead System Collection

Aspect     | Live System                           | Dead System
State      | Computer running/powered on           | Computer off/powered down
Priority   | Volatile data capture first           | Direct imaging possible
Tools      | Live forensics tools (RAM capture)    | Write blockers, imaging tools
Risks      | Data modification possible            | Volatile data already lost
Encryption | May access unlocked encrypted volumes | Encryption may be a barrier

💡 Practical Scenario

In a financial fraud case, the accused's laptop was found in a running state. The investigator first captured RAM (the cryptocurrency wallet keys were in memory), documented the network connections, and then shut the machine down properly. This approach gave access to the encrypted wallet, which would otherwise have been impossible.

Forensic Imaging

Forensic imaging is the creation of an exact bit-by-bit copy of the original evidence, which is then used for analysis. The original evidence remains preserved.

Imaging Principles

  • Bit-by-Bit Copy: Exact replica including deleted files, slack space, and unallocated areas
  • Write Protection: No change may be made to the original media
  • Verification: Verify image accuracy with hash values
  • Documentation: Maintain a complete record of the imaging process

Imaging Tools

🔧 FTK Imager
Free tool by AccessData. Supports E01, DD, and AFF formats. RAM capture is also possible.

🔧 dd (Linux)
Command-line tool for raw imaging. Simple but powerful. dcfldd is an enhanced version.

🔧 Guymager
GUI-based Linux tool. Fast imaging with verification. Open source.

🔧 EnCase
Commercial forensic suite. Industry standard. Creates the E01 format.

Image Formats

Format       | Description              | Features
E01 (EnCase) | Expert Witness Format    | Compression, built-in hash, case metadata
DD/Raw       | Bit-by-bit raw image     | Universal compatibility, no compression
AFF          | Advanced Forensic Format | Open source, metadata support, compression
Ex01         | EnCase v7+ format        | Enhanced compression, larger file support

Imaging Process

  1. Connect Write Blocker: Use a hardware or software write blocker
  2. Source Hash: Calculate the hash of the original drive (MD5 + SHA-256)
  3. Create Image: Create the forensic image on the destination drive
  4. Verify Hash: Calculate the hash of the image and match it against the source
  5. Document: Maintain a complete log of the process

💡 Best Practice

Always make two forensic images: one as a working copy, one for the archive. Always perform analysis on the working copy; never touch the original image.
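As an added example (not part of the module and not the procedure of any tool it names), the five-step imaging process above and the hash verification principle from Imaging Principles, written as a POSIX shell script around dd, md5sum and sha256sum. It assumes step 1 has already been done: the source sits behind a write blocker or is otherwise read-only. The source used in the test is a constructed file standing in for a drive, and the function, file and log names are this example's own.

```shell
#!/bin/sh
# Added example (not from the module): image a write-blocked source with dd,
# hash source and image with MD5 + SHA-256, compare them, and log every step.
# Function and file names are this example's own choices.

# Timestamp for log entries (UTC, ISO 8601).
ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# hash_pair FILE -> prints "<md5> <sha256>" for FILE
hash_pair() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# verify_image SOURCE IMAGE -> exit 0 if both hash pairs match, 1 otherwise.
# Re-run this later to prove the working copy has not changed since imaging.
verify_image() {
    [ "$(hash_pair "$1")" = "$(hash_pair "$2")" ]
}

# forensic_image SOURCE IMAGE LOG
#   Step 2: hash the source (step 1, the write blocker, is hardware or driver
#           setup outside this script: SOURCE must already be read-only)
#   Step 3: copy SOURCE bit-for-bit to IMAGE with dd
#   Step 4: hash the image and compare with the source hashes
#   Step 5: append every step, with timestamps, to LOG
# Returns 0 when verification passes, 1 otherwise.
forensic_image() {
    src=$1; img=$2; log=$3

    printf '%s START source=%s image=%s operator=%s\n' \
        "$(ts)" "$src" "$img" "${USER:-unknown}" >>"$log"

    src_hashes=$(hash_pair "$src")
    printf '%s SOURCE md5=%s sha256=%s\n' "$(ts)" $src_hashes >>"$log"

    # bs=512 matches the sector size, so conv=noerror,sync (continue past a
    # read error and zero-fill that sector) never pads the image beyond the
    # source size. A larger bs with conv=sync would pad a final partial block
    # and the hashes would no longer match. dd's record counts go to the log.
    if ! dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"; then
        printf '%s IMAGING FAILED (dd error)\n' "$(ts)" >>"$log"
        return 1
    fi
    sync

    img_hashes=$(hash_pair "$img")
    printf '%s IMAGE md5=%s sha256=%s\n' "$(ts)" $img_hashes >>"$log"

    if [ "$src_hashes" = "$img_hashes" ]; then
        printf '%s VERIFY OK\n' "$(ts)" >>"$log"
        return 0
    fi
    printf '%s VERIFY FAILED hash mismatch\n' "$(ts)" >>"$log"
    return 1
}
```

In practice the module's dcfldd (or FTK Imager and Guymager) hashes the stream while it is being written, which avoids the second full read of the source; the script above does the two reads explicitly so that each step of the process and the value it produced appear in the log. Calling `verify_image` again on the archive copy before analysis gives the check the Best Practice above relies on.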

Best Practices

Do's

  • Always use a write blocker
  • Maintain complete documentation
  • Calculate and verify hash values
  • Label properly (unique identifier, date, case number)
  • Follow anti-static precautions
  • Seal evidence bags properly
  • Maintain the chain of custody

Don'ts

  • Do not work directly on the original evidence
  • Do not boot the evidence device normally
  • Do not use untrusted tools
  • Do not leave evidence unattended
  • Do not connect personal devices
  • Do not disclose information about the evidence to unauthorized parties

Legal Reminder

Always collect evidence with proper legal authority: a warrant, consent, or an applicable legal provision. Improper collection can render evidence inadmissible and compromise the case.

📚 Key Points

  • Evidence identification requires a systematic crime scene assessment and device inventory
  • Follow the order of volatility: collect the most volatile evidence first
  • On a live system, capturing volatile data before shutdown is critical
  • Forensic imaging creates a bit-by-bit copy without modifying the original
  • Using a write blocker is mandatory to protect the original evidence
  • Hash verification (MD5 + SHA-256) ensures image integrity
  • Complete documentation and chain of custody are essential for legal admissibility