Case Studies & Mock Trial

Apply your knowledge through real-world case studies, practice with mock examination and cross-examination scripts, and refine your testimony skills with sample exercises.

Case Study 1: Corporate Data Theft

State v. Rajesh Kumar
Corporate Espionage / Data Theft
Background

Rajesh Kumar, a senior software engineer at TechCorp Solutions, resigned to join a competitor. Two weeks after his departure, TechCorp discovered that proprietary source code and client databases were being used by the competitor. Internal audit revealed that large volumes of data were transferred to external storage devices in Kumar's final weeks of employment.

Evidence Examined
  • Kumar's company-issued laptop (Dell Latitude 5520)
  • USB device logs from enterprise DLP system
  • Email server logs and archived emails
  • Cloud storage access logs (OneDrive for Business)
  • Building access card logs
Key Findings
  1. USB Device Activity: Registry analysis (USBSTOR) revealed connection of a 128GB SanDisk USB drive on three dates: Oct 10, 15, and 18 (Kumar's last day). A total of 47GB was transferred.
  2. File Access Patterns: Windows Event Logs showed access to 342 files in the /Projects/ClientDB/ directory between Oct 8-18, compared to an average of 12 files/month in the preceding period.
  3. Email Evidence: Personal email account accessed via webmail on Oct 12; an email with the subject "backup files" was sent to a personal Gmail account.
  4. Timestamp Correlation: File access times correlated with Kumar's building access card entries - all activity occurred during his verified presence in the office.
  5. Cloud Sync: OneDrive sync logs showed 892 files synced to a personal device on Oct 16-17.
Expert Testimony Challenges

Defense Argument: "Anyone with network access could have copied files. The USB device might have been Kumar's personal device for legitimate work backup. There's no proof Kumar personally performed these actions."

Expert Response Strategy: Correlate USB timestamps with building access records showing only Kumar present. Show that accessed files exceeded job responsibilities. Demonstrate email to personal account was intentional exfiltration. Present user profile artifacts proving Kumar was logged in during all transfers.
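The correlation the response strategy calls for, shown as an added example that is not part of the original case file: constructed badge records, USB connect/disconnect sessions and file access events are joined so that each USB session is attributed only to the card holders badged in for its entire duration, and the /Projects/ClientDB/ access count for the window is set against the stated monthly baseline. All usernames, hostnames, times, byte counts and paths below are constructed for illustration.

```python
from datetime import datetime

def ts(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamps used below."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed building access card records: (card holder, entry time, exit time)
BADGE = [
    ("rkumar", "2025-10-10 08:58:00", "2025-10-10 18:05:00"),
    ("rkumar", "2025-10-15 09:10:00", "2025-10-15 17:40:00"),
    ("asingh", "2025-10-15 09:00:00", "2025-10-15 12:00:00"),  # colleague who left before the USB session
    ("rkumar", "2025-10-18 08:45:00", "2025-10-18 13:20:00"),
]

# Constructed USB sessions, as one would assemble from USBSTOR first/last-seen values
# plus DLP connect/disconnect records: (host, device, connect, disconnect, MB written)
USB = [
    ("DELL-LAT-5520", "SanDisk 128GB", "2025-10-10 14:02:10", "2025-10-10 15:40:55", 15300),
    ("DELL-LAT-5520", "SanDisk 128GB", "2025-10-15 14:00:00", "2025-10-15 15:30:00", 16100),
    ("DELL-LAT-5520", "SanDisk 128GB", "2025-10-18 11:05:00", "2025-10-18 12:50:00", 15600),
]

# Constructed object-access audit events: (time, logged-in user, path)
FILES = [
    ("2025-09-02 10:00:00", "rkumar", "/Projects/ClientDB/readme.txt"),
    ("2025-10-10 14:10:00", "rkumar", "/Projects/ClientDB/clients_2024.csv"),
    ("2025-10-10 15:01:00", "rkumar", "/Projects/ClientDB/contracts.db"),
    ("2025-10-15 10:30:00", "asingh", "/Projects/Marketing/deck.pptx"),
    ("2025-10-15 14:20:00", "rkumar", "/Projects/ClientDB/schema.sql"),
    ("2025-10-18 11:30:00", "rkumar", "/Projects/ClientDB/export_all.zip"),
]

def present_users(badge, t):
    """Card holders whose badge-in/badge-out window covers instant t."""
    return {user for user, entry, exit_ in badge if ts(entry) <= t <= ts(exit_)}

def attribute_usb_sessions(usb, badge, files):
    """For each USB session: who was badged in for the whole session, and which
    file accesses (under which logged-in account) fell inside it."""
    report = []
    for host, device, connect, disconnect, mb in usb:
        start, end = ts(connect), ts(disconnect)
        # Present at the start AND at the end: someone who left mid-day is excluded
        present = present_users(badge, start) & present_users(badge, end)
        touched = [(user, path) for t, user, path in files if start <= ts(t) <= end]
        file_users = {user for user, _ in touched}
        report.append({
            "host": host, "device": device, "connect": connect, "mb_written": mb,
            "present": present, "files_accessed": len(touched), "file_users": file_users,
            # strongest attribution: one person in the building and every access under that account
            "single_attributable_user": len(present) == 1 and file_users <= present,
        })
    return report

def access_count_vs_baseline(files, path_prefix, start, end, baseline_per_month):
    """Count accesses under path_prefix in [start, end) and return, beside it,
    how many the historical per-month baseline would predict for a window that long."""
    n = sum(1 for t, _, p in files if p.startswith(path_prefix) and ts(start) <= ts(t) < ts(end))
    days = (ts(end) - ts(start)).days
    expected = round(baseline_per_month * days / 30, 1)
    return n, expected

if __name__ == "__main__":
    for session in attribute_usb_sessions(USB, BADGE, FILES):
        print(session)
    print(access_count_vs_baseline(FILES, "/Projects/ClientDB/",
                                   "2025-10-08 00:00:00", "2025-10-19 00:00:00", 12))
```

The intersection of badge presence at both the connect and the disconnect instant is what defeats the "anyone with network access" argument: a colleague badged in earlier the same day (asingh on Oct 15) does not survive the check, so each session is left with exactly one candidate whose account also performed every file access inside it.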

Case Study 2: Online Financial Fraud

State v. Priya Sharma
Online Banking Fraud / Identity Theft
Background

Multiple victims reported unauthorized transfers from their bank accounts totaling Rs. 23.5 lakhs. Investigation traced transactions to accounts controlled by Sharma. Her mobile phone and laptop were seized following arrest. Sharma claimed she was a victim herself, that her devices were "hacked," and someone else used her accounts.

Evidence Examined
  • iPhone 13 Pro (iOS 16.2)
  • Lenovo ThinkPad laptop (Windows 11)
  • Bank transaction records
  • Telecom subscriber and CDR data
  • WhatsApp extraction from phone
Key Findings
  1. No Malware Found: Comprehensive malware scan of both devices revealed no remote access tools, keyloggers, or banking trojans.
  2. Browser History: Chrome history showed searches for "how to transfer money without trace," "anonymous bank accounts India," and "SIM spoofing."
  3. WhatsApp Messages: Conversations with "Bunty" discussing "today's collection," "new mark identified," and "transfer complete."
  4. Banking App Analysis: All fraudulent transfers originated from the banking app on Sharma's iPhone. Device token and session data matched her device exclusively.
  5. Location Data: iPhone location services placed the device at Sharma's home address during 90% of the fraudulent transactions.
Expert Testimony Challenges

Defense Argument: "The phone could have been cloned. Someone could have accessed her banking credentials through a data breach. WhatsApp messages could have been from a spoofed number. My client is not technically sophisticated enough to commit such fraud."

Expert Response Strategy: Explain device binding in modern banking apps makes cloning ineffective. Present browser search history showing research into fraud techniques. Correlate WhatsApp messages with transaction timestamps. Demonstrate location data consistency with physical presence.

Mock Direct Examination Script

The following script demonstrates direct examination (examination-in-chief) where the prosecutor establishes the expert's qualifications and elicits findings.

Direct Examination - Qualification Phase
Prosecutor: Please state your name and current occupation for the record.
Expert: My name is Dr. Anil Verma. I am a Senior Digital Forensic Examiner at the Cyber Crime Investigation Cell, Maharashtra Police, and a visiting faculty member at the National Law School.
Prosecutor: Please describe your educational qualifications relevant to digital forensics.
Expert: I hold a Ph.D. in Computer Science from IIT Bombay with specialization in Information Security. I also hold a Master's degree in Computer Applications, and I am a Certified Cyber Crime Investigator from CyberLaw Academy, as well as an EnCase Certified Examiner.
Prosecutor: How many digital forensic examinations have you conducted?
Expert: Over my 15-year career, I have conducted more than 800 forensic examinations involving computers, mobile devices, and network systems. I have testified as an expert witness in approximately 45 cases before various courts in Maharashtra and other states.
Prosecutor: Your Honor, the prosecution tenders Dr. Verma as an expert witness in digital forensics under Section 45 of the Bharatiya Sakshya Adhiniyam.
Court: Does the defense wish to conduct voir dire on the witness's qualifications?
Direct Examination - Findings Phase
Prosecutor: Dr. Verma, what evidence items were you asked to examine in this case?
Expert: I was asked to examine two items: a Dell laptop computer marked as Evidence Item #001, and an iPhone 13 Pro marked as Evidence Item #002. Both were seized from the accused's residence on November 15, 2025.
Prosecutor: Can you describe the methodology you used to examine these devices?
Expert: Certainly. For the laptop, I first connected it to a forensic write-blocker to prevent any modification to the original data. I then created a bit-by-bit forensic image using FTK Imager version 4.7. The image was verified using SHA-256 hashing - the hash matched the source, confirming a complete and accurate copy. For the iPhone, I used Cellebrite UFED to perform a logical extraction, as the device was protected by a passcode that was provided pursuant to a court order.
Prosecutor: What were your significant findings from the laptop examination?
Expert: I found several categories of relevant evidence. First, browser history from Google Chrome showing visits to multiple victim bank websites between October 1-20. Second, saved login credentials for email accounts that matched those used to receive OTPs for unauthorized transactions. Third, a folder containing personal documents of multiple victims including PAN cards and Aadhaar cards. Fourth, a spreadsheet file titled "marks.xlsx" containing names, bank details, and amounts - this matched the list of victims and stolen amounts in this case.
[Expert refers to demonstrative exhibit showing timeline of browser activity]

Mock Cross-Examination Script

Cross-Examination - Challenging Attribution
Defense: Dr. Verma, you testified that you found browser history showing visits to bank websites. Correct?
Expert: Yes, that is correct.
Defense: But you cannot tell this court WHO was using the browser at that time, can you?
Expert: The browser activity occurred under the user profile named "Priya" which was password-protected. The browsing sessions were authenticated with saved credentials that auto-filled personal information. I also found the device's location data placed it at the registered residence of the accused during these sessions.
Defense: But couldn't anyone with the password have used that profile?
Expert: Theoretically, yes - anyone with the password could log in. However, the technical evidence I examined shows consistent usage patterns, saved personal preferences, and synced data across the accused's devices. Combined with location data and the password protection, the evidence is consistent with regular use by the account holder.
Defense: You said "consistent with." You're not saying it proves my client was the user, are you?
Expert: I can only speak to what the technical evidence shows. The evidence I described supports the conclusion that the account holder was using the device. The ultimate determination of identity is for the court to make based on all the evidence presented.
[Expert maintains composure and stays within expertise]
Cross-Examination - Challenging Methodology
Defense: Dr. Verma, you used software called Cellebrite for the phone extraction. This is proprietary software, correct?
Expert: Yes, Cellebrite UFED is commercial forensic software widely used by law enforcement worldwide.
Defense: Have you personally reviewed the source code of this software?
Expert: No, the source code is proprietary and not publicly available.
Defense: So you're asking this court to rely on software that you haven't personally verified?
Expert: Cellebrite is the industry-standard tool used by law enforcement agencies in over 150 countries. It has been validated through the NIST Computer Forensics Tool Testing program. Additionally, I verified key findings by manually examining the extracted databases using SQLite, which produced identical results. I also documented all verification steps in my report.
Defense: But NIST validation doesn't guarantee the software is error-free, does it?
Expert: No software is guaranteed error-free. That's precisely why I performed verification steps - examining the raw database files independently. The critical findings were verified through this secondary analysis, which is standard forensic practice.

Practice Exercises

Exercise 1: Report Writing

Based on Case Study 1 (Corporate Data Theft), draft the Executive Summary section of a forensic report. Include:

  • Background summary (2-3 sentences)
  • Scope of examination
  • Key findings (bullet points)
  • Conclusion
Evaluation Criteria:

Your summary should be understandable to a non-technical reader while accurately representing the technical findings. Keep it to one page maximum.

Exercise 2: Cross-Examination Response

Prepare responses to the following defense questions:

  1. "Isn't it true that timestamps on computers can be easily manipulated?"
  2. "How do you know the defendant wasn't framed by someone who planted evidence?"
  3. "You said you found deleted files. If they were deleted, doesn't that show the defendant wanted nothing to do with them?"
Guidelines:

Keep responses concise (3-4 sentences each). Acknowledge valid technical points while explaining how your investigation addressed them. Avoid defensive or argumentative tone.

Exercise 3: Technical Explanation

Explain the following technical concepts in plain language suitable for a judge with no technical background:

  1. How hash values prove evidence integrity
  2. What browser cookies reveal about user activity
  3. How deleted WhatsApp messages can be recovered
  4. What metadata in a photograph can tell us
Challenge:

Use analogies where helpful. Each explanation should take no more than 30 seconds to deliver orally.
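For item 1 (how hash values prove evidence integrity), the property worth being able to demonstrate rather than just describe is shown below as an added example; it is not code from the page. It streams a constructed "drive" through SHA-256 the way an imaging tool does, records the source and image hashes at acquisition, re-verifies the image later, and shows that changing a single bit anywhere in the image produces a completely different hash. The byte string and record layout are constructed for illustration.

```python
import hashlib

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so an image larger than RAM is still handled

def sha256_hex(data, chunk_size=CHUNK_SIZE):
    """Stream bytes through SHA-256; the result does not depend on chunking."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()

def acquire(source_bytes):
    """Constructed stand-in for imaging: copy the source and record both hashes,
    as an acquisition log would."""
    image = bytes(source_bytes)
    return {"image": image,
            "source_sha256": sha256_hex(source_bytes),
            "image_sha256": sha256_hex(image)}

def acquisition_verified(record):
    """Acquisition is sound only if the image hash equals the source hash."""
    return record["source_sha256"] == record["image_sha256"]

def reverify(image, recorded_hash):
    """Later re-check (before analysis, or when the image is produced in court):
    has the image changed since the recorded hash was taken?"""
    return sha256_hex(image) == recorded_hash

def flip_one_bit(data, index=0):
    """Simulate the smallest possible alteration of the evidence."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)

# Constructed "drive" contents; a real image is gigabytes, the property is identical
SOURCE = b"constructed sector data for demonstration " * 4096

if __name__ == "__main__":
    rec = acquire(SOURCE)
    print("acquisition hash:", rec["source_sha256"], "verified:", acquisition_verified(rec))
    print("untouched image re-verifies:", reverify(rec["image"], rec["source_sha256"]))
    print("one flipped bit re-verifies:", reverify(flip_one_bit(rec["image"]), rec["source_sha256"]))
```

The plain-language version follows directly from what the code does: the hash is a fixed-length fingerprint of every byte, the same fingerprint is computed independently on the original and the copy, and any later change, however small, changes the fingerprint, which is why a matching hash at acquisition and again at trial shows the copy is complete and unaltered.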

Sample Report Excerpts

Sample Executive Summary Excerpt

EXECUTIVE SUMMARY

This examination was conducted pursuant to Court Order dated 10-November-2025 in Case No. SC-2025-1234, State vs. Priya Sharma.

SCOPE: Forensic examination of one iPhone 13 Pro and one Lenovo laptop seized from the accused's residence to identify evidence of online banking fraud.

KEY FINDINGS:
  - No malware or remote access tools were found on either device
  - Browser history contained searches related to fraud techniques
  - Banking app analysis confirmed all disputed transactions originated from the examined iPhone using device-bound authentication
  - WhatsApp conversations discussed "collections" and "transfers" with timestamps correlating to fraudulent transaction times
  - Location data placed the iPhone at accused's residence during 90% of fraudulent transactions

CONCLUSION: The technical evidence examined is consistent with the devices being used to commit the alleged fraudulent transactions. No evidence of third-party remote access or compromise was found.

Sample Finding Documentation

6.3 WhatsApp Message Analysis

Finding 6.3.1: Conversation with Contact "Bunty"

Source: Evidence Item #002 (iPhone 13 Pro)
Database: ChatStorage.sqlite, ZWAMESSAGE table
Contact JID: 919876543210@s.whatsapp.net

On 15-October-2025 at 14:45:32 IST, the following message was received:
"Target confirmed. SBI account. Ready for today evening."
Message Key: 8A7F3B2C1D4E5F6A
Direction: Incoming (ZISFROMME = 0)
Status: Read (ZMESSAGESTATUS = 1)

On 15-October-2025 at 14:47:18 IST, the following response was sent:
"Ok. Will do transfer at 7pm. Keep receiver ready."
Message Key: 9B8E4C3D2E5F7G8B
Direction: Outgoing (ZISFROMME = 1)
Status: Delivered (ZMESSAGESTATUS = 5)

[Screenshot Reference: Appendix E, Figure 23]

Correlation: Bank records show an unauthorized transfer of Rs. 1,25,000 from victim Suresh Patel's SBI account at 19:02:33 IST on the same date.

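The "secondary analysis" the expert describes under cross-examination (querying the extracted database directly rather than relying only on the tool's report) and the documentation style of Finding 6.3.1 are shown together in the following added example, which is not part of the sample report. It builds an in-memory SQLite stand-in for ChatStorage.sqlite with a reduced ZWAMESSAGE table, converts Core Data timestamps (seconds since 2001-01-01 UTC) to IST, renders each row in the finding's format, and pairs messages with a constructed bank record by time. The columns ZMESSAGEDATE, ZFROMJID, ZTOJID, ZSTANZAID and ZTEXT are assumed names modelled on the real client's schema, the status mapping is taken from the finding, and all rows and the transaction record are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
# Core Data, used by the iOS WhatsApp client, stores dates as seconds since 2001-01-01 00:00:00 UTC
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Status codes as documented in Finding 6.3.1 (assumed to be the only two needed here)
STATUS = {1: "Read", 5: "Delivered"}
CONTACT_JID = "919876543210@s.whatsapp.net"

def to_core_data(dt):
    return (dt - CORE_DATA_EPOCH).total_seconds()

def from_core_data(seconds):
    return (CORE_DATA_EPOCH + timedelta(seconds=seconds)).astimezone(IST)

def build_constructed_db():
    """In-memory stand-in for ChatStorage.sqlite with a reduced ZWAMESSAGE table.
    Column names other than ZISFROMME/ZMESSAGESTATUS are assumed; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZWAMESSAGE (
        Z_PK INTEGER PRIMARY KEY, ZISFROMME INTEGER, ZMESSAGESTATUS INTEGER,
        ZMESSAGEDATE REAL, ZFROMJID TEXT, ZTOJID TEXT, ZSTANZAID TEXT, ZTEXT TEXT)""")
    rows = [
        (1, 0, 1, to_core_data(datetime(2025, 10, 14, 9, 0, 0, tzinfo=IST)),
         CONTACT_JID, None, "CONSTRUCTED-KEY-0", "Lunch tomorrow?"),
        (2, 0, 1, to_core_data(datetime(2025, 10, 15, 14, 45, 32, tzinfo=IST)),
         CONTACT_JID, None, "8A7F3B2C1D4E5F6A", "Target confirmed. SBI account. Ready for today evening."),
        (3, 1, 5, to_core_data(datetime(2025, 10, 15, 14, 47, 18, tzinfo=IST)),
         None, CONTACT_JID, "9B8E4C3D2E5F7G8B", "Ok. Will do transfer at 7pm. Keep receiver ready."),
    ]
    conn.executemany("INSERT INTO ZWAMESSAGE VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn

def messages_with(conn, jid):
    """Independent query of the raw table: the check performed without the extraction tool."""
    cur = conn.execute(
        "SELECT ZSTANZAID, ZISFROMME, ZMESSAGESTATUS, ZMESSAGEDATE, ZTEXT FROM ZWAMESSAGE "
        "WHERE ZFROMJID = ? OR ZTOJID = ? ORDER BY ZMESSAGEDATE", (jid, jid))
    return [{"key": k, "is_from_me": f, "status": s, "when": from_core_data(d), "text": t}
            for k, f, s, d, t in cur]

def format_finding(msg):
    """Render one row in the style of Finding 6.3.1."""
    verb = "sent" if msg["is_from_me"] else "received"
    direction = "Outgoing" if msg["is_from_me"] else "Incoming"
    return (f"On {msg['when'].strftime('%d-%B-%Y at %H:%M:%S')} IST, the following message was {verb}: "
            f"\"{msg['text']}\" Message Key: {msg['key']} Direction: {direction} "
            f"(ZISFROMME = {msg['is_from_me']}) Status: {STATUS.get(msg['status'], msg['status'])} "
            f"(ZMESSAGESTATUS = {msg['status']})")

def correlate(messages, transactions, window):
    """Messages that precede a transaction by at most `window`; one (key, ref, lead time) per pairing."""
    hits = []
    for tx in transactions:
        for m in messages:
            lead = tx["time"] - m["when"]
            if timedelta(0) <= lead <= window:
                hits.append((m["key"], tx["ref"], lead))
    return hits

# Constructed bank record matching the correlation paragraph of the finding
TRANSACTIONS = [{"ref": "TX-CONSTRUCTED-1", "amount": 125000,
                 "time": datetime(2025, 10, 15, 19, 2, 33, tzinfo=IST)}]

if __name__ == "__main__":
    msgs = messages_with(build_constructed_db(), CONTACT_JID)
    for m in msgs:
        print(format_finding(m))
    print(correlate(msgs, TRANSACTIONS, timedelta(hours=5)))
```

Two details matter when this is done on a real extraction: the timestamp epoch and the time zone conversion must be stated in the report (a wrong epoch shifts every message by 31 years, a missing IST offset by five and a half hours), and the correlation window should be chosen and justified before the query is run, so the result cannot be accused of having been tuned to fit the transaction.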
🔧 Tool Reference

Use the Investigation Report Generator to create structured reports following these templates, and the Expert Certificate Template tool to generate your qualification documentation.

🎯 Key Takeaways
  • Case studies demonstrate how to connect technical findings to legal narratives
  • Direct examination establishes qualifications before presenting findings
  • Cross-examination challenges require calm, professional responses that stay within expertise
  • Attribution challenges are common - address them with corroborating evidence
  • Tool reliability challenges can be addressed by citing validation and verification steps
  • Practice exercises develop report writing, testimony, and explanation skills
  • Sample templates provide structure for consistent, professional documentation
  • Combining technical accuracy with clear communication is the key to effective testimony