Part 7 / 7

Evidence Preservation Techniques

🕑 60-90 minutes 📖 Intermediate Level 📋 Module 2

Introduction

Evidence preservation is the most critical aspect of digital forensics. If evidence is not preserved properly it may be ruled inadmissible in court, or be presumed to have been tampered with. In this final part we cover write blockers, forensic copying and cloud evidence preservation in detail.

📚 Learning Objectives

By the end of this part you will know how to use write blockers correctly, how to create and verify forensic copies, and which techniques are used to preserve cloud-based evidence.

Write Blockers

A write blocker is a device or piece of software that blocks every write operation to an evidence drive, so that the original data cannot be modified while it is being examined or imaged.

Why Write Blockers Matter

  • Protects the original evidence from accidental modification
  • Stops the operating system's automatic writes (temp files, logs, journal replay, thumbnail caches, last-access timestamps)
  • Helps prove evidence integrity in court
  • Supports the chain of custody
  • An industry standard, and routinely expected by courts

Types of Write Blockers

🔧

Hardware Write Blockers

Physical devices connected between the drive and the examiner's workstation. More reliable, and they support multiple interfaces (IDE, SATA, USB, SAS).

💻

Software Write Blockers

Registry changes or kernel-level protection implemented in software. Less reliable, but free options are available.

Popular Hardware Write Blockers

Brand/Model | Interfaces | Features
Tableau T35u | SATA/IDE to USB 3.0 | Fast, reliable, LED indicators
WiebeTech Forensic UltraDock | Multiple interfaces | All-in-one solution
CRU WiebeTech Ditto | Various | Standalone imaging + write block
Logicube Forensic Falcon | Multiple | High-speed, portable

Software Write Blocking Options

Tool | Platform | Notes
Linux mount -o ro | Linux | Read-only mount option. On its own it is not enough: ext3/ext4 and XFS can still replay their journal on a read-only mount, so add noload (ext) or norecovery (XFS), and mark the block device itself read-only with blockdev --setro before mounting
USB Write Blocker (Registry) | Windows | Registry modification (the StorageDevicePolicies WriteProtect value); applies to USB mass-storage devices only
SAFE Block | Windows | ForensicSoft tool
Paladin/CAINE | Linux Live | Forensic distros with built-in protection

Critical Warning

Software write blockers are not 100% reliable. In high-stakes cases always use a hardware write blocker. Software blockers can fail under certain conditions (driver issues, OS updates, a disk that the OS auto-mounts before the protection is active, etc.).

Write Blocker Verification

You must verify that the write blocker is actually working:

  1. Connect a test drive (never the evidence drive) through the write blocker
  2. Attempt a write operation (create or modify a file, or write a block directly to the device)
  3. The operation must fail, and a hash of the drive taken before and after the attempt must match
  4. Keep a log of every verification
  5. Test regularly (especially before important cases), and re-test after any firmware, driver or OS update
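The verification steps above as a script. This is an added example, not code from the page or from any write-blocker vendor: it hashes the start of the test drive, attempts a raw write through the blocker, re-hashes, and records the outcome for the verification log. The device path you pass in is an assumption (on Linux something like a /dev/sdX node behind the blocker); the sample target is a constructed temp file, which of course is writable and therefore must be reported as FAIL.

```python
# Added example (not from the page): scriptable write-blocker verification.
import hashlib
import os
import tempfile

PROBE_LEN = 1024 * 1024        # hash the first 1 MiB before and after the attempt
MARKER = b"WRITE-BLOCKER-TEST"  # bytes we try to write at offset 0


def sha256_prefix(path, length=PROBE_LEN):
    """Hash the first `length` bytes of a file or raw device."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(length))
    return h.hexdigest()


def verify_write_blocker(path):
    """Attempt a write through the blocker and report what happened.

    The blocker passes only if the data is unchanged afterwards. Whether the
    OS reported an error is recorded separately: a software blocker usually
    raises EPERM/EACCES, while a hardware blocker may let the write "succeed"
    from the OS's point of view and silently discard it, in which case the
    re-read can still be served from the page cache. For a definitive answer
    re-hash after disconnecting and reconnecting the test drive
    (confirm_after_reconnect below).
    """
    before = sha256_prefix(path)
    error = None
    try:
        fd = os.open(path, os.O_RDWR)
        try:
            os.write(fd, MARKER)
            os.fsync(fd)
        finally:
            os.close(fd)
    except OSError as exc:
        error = f"{type(exc).__name__}: {exc}"
    after = sha256_prefix(path)
    return {"path": path, "write_error": error, "hash_before": before,
            "hash_after": after, "blocked": before == after}


def confirm_after_reconnect(path, hash_before):
    """Second check after the drive was power-cycled: hash must still match."""
    return sha256_prefix(path) == hash_before


def verification_log(result):
    """One line for the verification log the procedure asks you to keep."""
    status = "PASS" if result["blocked"] else "FAIL"
    return (f"{status} device={result['path']} write_error={result['write_error']} "
            f"sha256_before={result['hash_before'][:16]}... unchanged={result['blocked']}")


def make_sample_target(read_only=False):
    """Constructed stand-in for a test drive: a temp file of known bytes."""
    fd, path = tempfile.mkstemp(prefix="wb-test-")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(range(256)) * 16)  # 4 KiB of constructed data
    if read_only:
        os.chmod(path, 0o444)
    return path


if __name__ == "__main__":
    # A plain writable file is not protected, so this must print FAIL.
    print(verification_log(verify_write_blocker(make_sample_target())))
```

Run it against the real test drive's device node, keep the printed line in the verification log, and treat anything other than PASS on both checks as a blocker that must not be used on evidence.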

Forensic Copy

A forensic copy (forensic image) is an exact bit-for-bit replica of the original evidence that is used for analysis. The original evidence stays untouched.

Types of Forensic Copies

💿

Physical Image

A bit-for-bit copy of the complete disk, including unallocated space, slack space and hidden areas.

📁

Logical Image

Only file-system-level data (the allocated files and folders). Faster, but deleted data, slack space and unallocated space are not captured.

📂

Targeted Collection

Specific files or folders only. Useful for quick triage, and often the only option for systems that cannot be taken offline.

Forensic Imaging Process

Pre-Imaging Checklist
  • Write blocker connected and verified
  • Destination drive larger than the source (a raw/DD image needs at least the source's full capacity; a compressed E01 may be smaller, but plan for the worst case)
  • Destination drive forensically wiped or new
  • Documentation ready (case number, date, examiner)
  • Imaging tool tested and validated

Imaging Steps

  1. Preparation: connect the write blocker, prepare the destination
  2. Source Hash: calculate MD5 + SHA-256 of the original drive (most imaging tools, e.g. dc3dd or ewfacquire, hash the data while acquiring, so the source only needs to be read once; a separate pre-hash pass doubles the time and the wear on a failing drive)
  3. Create Image: create the forensic image (E01 or raw DD format)
  4. Verify Hash: calculate the hash of the image and compare it with the acquisition hash
  5. Create Working Copy: make a second copy for analysis
  6. Document: maintain a complete log

Image Verification

Verification makes sure that the copy is exact:

  • Hash Match: source hash = image hash (if the source had unreadable sectors the tool's record of zero-filled sectors explains the difference and must be kept with the image)
  • No Errors: no read errors in the imaging log
  • Complete: all sectors captured (image size in bytes = source size)
  • Mountable: the image mounts correctly (read-only)

💡 Imaging Log Example

(The hash values below are placeholders: they are the MD5 and SHA-256 digests of empty input. A real log carries the device's own digests, and ideally also the name and version of the imaging tool.)

Case: CYBER/2024/001
Examiner: Inspector XYZ
Date: 15-Jan-2024 10:30 IST
Source: Seagate 1TB HDD (S/N: ABC123)
Source MD5: d41d8cd98f00b204e9800998ecf8427e
Source SHA-256: e3b0c44298fc1c149afbf4c...
Image File: Case001_Evidence01.E01
Image MD5: d41d8cd98f00b204e9800998ecf8427e [MATCH]
Image SHA-256: e3b0c44298fc1c149afbf4c... [MATCH]
Status: Verified - No Errors
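The imaging steps and verification checks above carried through in code. This is an added example, not the page's own tool and not dc3dd, ewfacquire or any vendor product: a single-pass raw (DD-style) acquisition that computes MD5 and SHA-256 while reading, retries unreadable chunks one sector at a time and zero-fills the sectors that still fail (the dc3dd/ddrescue convention, so the image stays sector-aligned), re-hashes the written image as an independent verification step, and prints a log in the format shown above. The "drive" is a constructed byte string with one deliberately bad sector; the BlockDevice class shows how the same code reads a real device node (path assumed) behind a write blocker; case number and examiner name are placeholders.

```python
# Added example (not the page's or any vendor's tool): single-pass raw imaging
# with hashing, sector-level zero-fill of unreadable sectors, and verification.
import hashlib
import os
import tempfile
import time

SECTOR = 512


class BlockDevice:
    """Real source: a raw device (behind a write blocker) opened read-only."""
    def __init__(self, path):
        self.fd = os.open(path, os.O_RDONLY)
        self.size = os.lseek(self.fd, 0, os.SEEK_END)

    def read_at(self, offset, length):
        return os.pread(self.fd, length, offset)


class FlakyDrive:
    """Constructed stand-in for a drive whose listed sectors are unreadable."""
    def __init__(self, data, bad_sectors=()):
        self.data, self.bad, self.size = data, set(bad_sectors), len(data)

    def read_at(self, offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]


def acquire(source, image_path, chunk_sectors=64):
    """Copy source to a raw (dd) image; the hashes cover exactly the bytes written."""
    md5, sha, bad_sectors = hashlib.md5(), hashlib.sha256(), []
    with open(image_path, "wb") as img:
        for off in range(0, source.size, chunk_sectors * SECTOR):
            n = min(chunk_sectors * SECTOR, source.size - off)
            try:
                data = source.read_at(off, n)
            except OSError:
                parts = []  # retry one sector at a time so only bad sectors are lost
                for s in range(off, off + n, SECTOR):
                    sn = min(SECTOR, off + n - s)
                    try:
                        parts.append(source.read_at(s, sn))
                    except OSError:
                        parts.append(b"\x00" * sn)  # zero-fill and record it
                        bad_sectors.append(s // SECTOR)
                data = b"".join(parts)
            md5.update(data)
            sha.update(data)
            img.write(data)
    return {"bytes": source.size, "bad_sectors": bad_sectors,
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path):
    """Independent re-read of the finished image (the verification step)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def verify(record, image_path):
    md5, sha = hash_file(image_path)
    return {"image_md5": md5, "image_sha256": sha,
            "md5_match": md5 == record["md5"], "sha256_match": sha == record["sha256"],
            "size_match": os.path.getsize(image_path) == record["bytes"]}


def imaging_log(case, examiner, source_desc, record, v, image_path):
    tag = {True: "[MATCH]", False: "[MISMATCH]"}
    errors = ("No Errors" if not record["bad_sectors"] else
              f"{len(record['bad_sectors'])} unreadable sector(s) zero-filled: {record['bad_sectors']}")
    status = "Verified" if v["md5_match"] and v["sha256_match"] and v["size_match"] else "FAILED"
    return "\n".join([
        f"Case: {case}", f"Examiner: {examiner}",
        f"Date: {time.strftime('%d-%b-%Y %H:%M %Z')}",
        f"Source: {source_desc} ({record['bytes']} bytes)",
        f"Acquisition MD5: {record['md5']}", f"Acquisition SHA-256: {record['sha256']}",
        f"Image File: {os.path.basename(image_path)}",
        f"Image MD5: {v['image_md5']} {tag[v['md5_match']]}",
        f"Image SHA-256: {v['image_sha256']} {tag[v['sha256_match']]}",
        f"Status: {status} - {errors}"])


def sample_drive(sectors=256):
    """Constructed 128 KiB drive: sector i is filled with the byte value i."""
    return b"".join(bytes([i % 256]) * SECTOR for i in range(sectors))


def run_demo(bad_sectors=(100,)):
    image_path = os.path.join(tempfile.mkdtemp(), "Case001_Evidence01.dd")
    record = acquire(FlakyDrive(sample_drive(), bad_sectors), image_path)
    v = verify(record, image_path)
    log = imaging_log("CYBER/2024/001", "Inspector XYZ", "constructed test drive",
                      record, v, image_path)
    return {"record": record, "verification": v, "image_path": image_path, "log": log}


if __name__ == "__main__":
    print(run_demo()["log"])
```

Two design points worth noting. The hashes are taken over the bytes actually written, so the image verifies against the acquisition record even when the source had bad sectors; the log must then state which sectors were zero-filled, because that is the only way a reviewer can explain why the image hash differs from a later full read of the (now possibly readable) source. And MD5 is kept only because the page's log format and many existing workflows expect it; SHA-256 is the value that carries evidentiary weight, since MD5 collisions are practical to construct.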

Cloud Evidence Preservation

Preserving cloud-based evidence differs from traditional evidence because the data is not physically accessible: it lives on the service provider's servers.

Cloud Evidence Challenges

  • Jurisdiction: the data may be stored in a different country
  • Access: the provider's cooperation is required
  • Volatility: data can change or be deleted quickly
  • Authentication: proving who owns and controlled the account
  • Completeness: capturing all relevant data (including metadata and access logs, not just content)

Cloud Preservation Methods

📧

Legal Preservation Request

Send a legal notice or warrant to the provider to have the data frozen. Time-sensitive.

👥

Account Preservation

Direct access and download using the user's account credentials (only in consent cases, with the consent documented).

🔧

API-Based Collection

Automated data extraction through the provider's APIs. Comprehensive and structured; record the API version, the query parameters and the time of collection, and hash the downloaded files immediately.

📷

Screenshot/Screen Recording

Visual documentation when a direct download is not possible. A last resort: capture the URL, the system clock and the full page, and hash the captured files.

Common Cloud Services - Preservation Approach

Service | Preservation Method | Key Considerations
Google (Gmail, Drive) | Google Takeout, legal process | Comprehensive export available
Microsoft (Outlook, OneDrive) | eDiscovery, legal process | Enterprise tools available
Facebook/Meta | Download Your Information, LEA portal | Dedicated law enforcement request portal
WhatsApp | Chat export, backup access | End-to-end encryption: message content is available only from an endpoint device or a backup, not from the provider
AWS/Azure | Snapshot, legal hold | Typically requires account access

Legal Process for Cloud Data

  1. Identify Provider: determine the service provider and where the data is located
  2. Preservation Letter: send the provider a legal hold request
  3. Legal Process: warrant, subpoena or MLAT request as appropriate
  4. Data Receipt: receive the data from the provider
  5. Verification: verify that the data is complete, and hash it on receipt
  6. Documentation: keep a complete record of the process

Time Sensitivity

Time is critical for cloud evidence. Providers' data retention policies differ: some keep data for 30 days, some for 90 days, some indefinitely. The sooner the preservation request goes out the better; delay can mean the evidence is lost permanently.

Evidence Storage Security

Maintaining the long-term security of preserved evidence is an important part of the chain of custody.

Physical Storage Requirements

  • Evidence Room: access-controlled, CCTV-monitored
  • Climate Control: controlled temperature and humidity
  • Anti-Static: ESD protection for storage media
  • Fire Protection: fire suppression systems
  • Backup Location: off-site backup for critical evidence

Digital Storage Best Practices

  • Multiple Copies: at least 2 copies in different locations
  • Media Verification: periodic hash verification against the hashes recorded at acquisition
  • Media Refresh: migrate old media to new media (every 3-5 years), verifying hashes after migration
  • Encryption: encrypt evidence files (AES-256), with the keys held separately from the media and under their own custody record
  • Access Logging: every access logged
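The periodic hash verification in the list above, as an added example that is not from the page: a manifest of size and SHA-256 for every file in an evidence store is written at ingest, and later runs classify each file as intact, modified or missing and flag files that were never in the manifest. The store, case number and sample files are constructed in a temp directory; the second run simulates exactly what such a check exists to catch (a single flipped byte, a deleted log, a stray file). In practice the manifest itself is kept in a second location, or signed, so that a tamperer cannot simply regenerate it.

```python
# Added example (not from the page): manifest-based integrity verification of
# stored evidence files.
import hashlib
import json
import os
import tempfile
import time

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def _evidence_files(evidence_dir):
    """Relative paths of everything in the store except the manifest itself."""
    for root, _, files in os.walk(evidence_dir):
        for name in files:
            if name != MANIFEST_NAME:
                yield os.path.relpath(os.path.join(root, name), evidence_dir)


def build_manifest(evidence_dir, case_id):
    """Record size and SHA-256 of every file at ingest; also keep a copy elsewhere."""
    files = {rel: {"size": os.path.getsize(os.path.join(evidence_dir, rel)),
                   "sha256": sha256_file(os.path.join(evidence_dir, rel))}
             for rel in sorted(_evidence_files(evidence_dir))}
    manifest = {"case": case_id, "created": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
                "files": files}
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Classify each manifest entry as ok / modified / missing; flag unexpected files."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif os.path.getsize(path) != meta["size"] or sha256_file(path) != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(_evidence_files(evidence_dir)) - set(manifest["files"]))
    report["clean"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def run_demo():
    store = tempfile.mkdtemp(prefix="evidence-")
    image = os.path.join(store, "Case001_Evidence01.E01")
    log = os.path.join(store, "Case001_Evidence01.E01.txt")
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 64)                       # constructed 16 KiB "image"
    with open(log, "w") as f:
        f.write("Case: CYBER/2024/001\nStatus: Verified\n")   # constructed imaging log
    manifest = build_manifest(store, "CYBER/2024/001")
    first = verify_manifest(store, manifest)                  # fresh store: clean

    # Simulate what a later check must catch: one flipped byte (bit rot or
    # tampering), a deleted log, and a stray file dropped into the store.
    with open(image, "r+b") as f:
        f.seek(1000)
        f.write(b"\xff")
    os.remove(log)
    with open(os.path.join(store, "stray.tmp"), "w") as f:
        f.write("not evidence")
    second = verify_manifest(store, manifest)
    return first, second


if __name__ == "__main__":
    for report in run_demo():
        print(json.dumps(report, indent=2))
```

Schedule the verification run (and log its report under the case) at the interval your retention policy specifies, and run it again immediately after every media refresh so the migration itself is proven to have been lossless.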

Evidence Retention

Case Type | Typical Retention | Notes
Minor Offenses | 3-5 years after case closure | Check local regulations
Serious Crimes | 10+ years or for the duration of the case | May be indefinite for some crimes
Appeals Pending | Until final resolution | All appeals exhausted
Cold Cases | Indefinite | May be reopened at any time

Module Summary

In Module 2 we covered the fundamentals of digital evidence and forensics. Here is a quick recap:

Part 1: Introduction to Digital Evidence

  • Definition and characteristics of digital evidence
  • Differences between traditional and digital evidence
  • Types of digital evidence

Part 2: Evidence Identification and Collection

  • Evidence identification techniques
  • Order of volatility
  • Collection procedures and forensic imaging

Part 3: Chain of Custody

  • Documentation requirements
  • Maintaining evidence integrity
  • Hash values (MD5, SHA-256)

Part 4: Section 65B/63 BSA Certificate

  • Legal requirements for admissibility
  • Certificate format
  • Implications of the Anvar PV and Khotkar cases

Part 5: File Systems and Metadata

  • FAT, NTFS, EXT4, APFS structures
  • Metadata analysis
  • Timestamp examination

Part 6: Data Recovery Basics

  • Deleted file recovery
  • File carving techniques
  • Handling fragmented data

Part 7: Evidence Preservation Techniques

  • Using write blockers
  • Creating forensic copies
  • Cloud evidence preservation

📚 Module 2 - Key Points

  • Write blockers prevent modification of the original evidence; hardware blockers are more reliable
  • A forensic image is an exact bit-for-bit copy; hash verification is mandatory
  • Cloud evidence preservation is time-sensitive; act quickly
  • Keep multiple copies in different locations
  • Maintain complete documentation at every step
  • A Section 65B/63 BSA certificate is mandatory for the admissibility of electronic evidence
  • A break in the chain of custody can render evidence inadmissible
  • Revise all concepts before attempting the module quiz