Special Categories & Cross-Examination
"Each evidence type has unique rules, vulnerabilities, and attack points"
WhatsApp, emails, CCTV, CDR — the evidence you'll encounter most frequently in cyber crime cases. Master the specific admissibility requirements, authentication challenges, and cross-examination techniques for each type.
Social Media Evidence
Social media evidence is ubiquitous in modern cases — from defamation (offensive posts) to serious crimes (conspiracy via WhatsApp). Yet it presents unique challenges: accounts can be spoofed, content can be deleted, and proving WHO actually typed a message is often the hardest part.
Golden Rule: Social media evidence almost always requires S.63 certificate because you're producing screenshots/printouts (secondary evidence), not the original server data.
WhatsApp Evidence — Deep Dive
Primary Evidence (No S.63 needed):
• Original phone produced in court with WhatsApp open for inspection
• Judge directly views messages on device
• Rare in practice — device usually needed for ongoing investigation
Secondary Evidence (S.63 mandatory):
• Screenshots of WhatsApp chats
• Printouts of exported chat history
• Forensic extraction reports
• This is 99% of cases — hence S.63 certificate almost always required
1. Account Spoofing: WhatsApp accounts require only a phone number. Numbers can be obtained via prepaid SIMs with fake KYC. Display names are user-chosen, not verified.
2. Device Access: Anyone with physical access to an unlocked phone can send messages. "Was the phone always in accused's exclusive possession?"
3. Web/Desktop WhatsApp: Once linked, another person can send messages from computer while owner has no idea.
4. Message Editing: WhatsApp allows editing sent messages. Edit history not always visible to recipient.
5. "Delete for Everyone": Messages can be deleted within time limit. Recipient sees "This message was deleted."
6. Backup Manipulation: Chat backups can be edited before restoration.
7. Deepfakes: Screenshots can be fabricated using editing tools or apps like "Fake Chat Conversations."
- S.63 certificate from person operating the phone
- Phone ownership established (bill, purchase receipt, IMEI records)
- Account linked to accused's number (CDR showing same number)
- Hash value of forensic extraction
- Chain of custody from seizure to court
- Witness to identify parties in conversation
- Context of conversation (reply chain shows continuity)
- Corroborating evidence linking accused to messages
Email & CCTV Evidence
📧 Email Evidence
Sources of Email Evidence:
• Sender's "Sent" folder (S.63 from sender)
• Recipient's Inbox (S.63 from recipient)
• Email server logs (S.63 from server administrator + S.91 BNSS notice)
• Forwarded copies (weakest — multiple handling)
Critical Requirement: Preserve complete email headers! Headers contain routing information that proves authenticity and is much harder to fake than the visible "From" address.
What Defence Will Argue:
The "From" field in emails is trivially easy to fake. Anyone with basic technical knowledge can send an email appearing to come from any address — even the Prime Minister's Office.
How to Counter:
• Email Headers: Full headers show actual routing — hard to fake without server access
• Server Logs: Obtain via S.91 BNSS notice to email provider
• DKIM/SPF/DMARC: Modern email authentication protocols in headers
• IP Address: Headers contain sender's IP — can be traced
• Reply Chain: If accused replied, proves they received/sent from that account
- S.63 certificate from computer operator who accessed email
- Complete email with full headers preserved
- Account ownership established (email provider records via S.91)
- Header analysis by expert if spoofing alleged
- Server logs if available (via S.91 BNSS notice)
- Hash value of email file/printout
- Reply chain showing accused's participation
- Corroboration (other evidence linking accused to email)
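A header examination of the kind the checklist above calls for, as an added example (not part of the original material). It reads only what the recipient's own mail server recorded, since header lines written by any earlier host are under the sender's control. The message, domains, IPs and the name `trusted_server` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every domain, IP and ID below is made up for illustration.
RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123; Mon, 06 Jan 2025 10:15:03 +0530
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=fail header.d=bank.example;
\tdmarc=fail header.from=bank.example
Received: from unknown (HELO mailer.example.net) (203.0.113.45)
\tby mx.recipient.example with SMTP; Mon, 06 Jan 2025 10:15:01 +0530
From: "Bank Support" <support@bank.example>
Subject: Account notice

Body text.
"""

def domain_of(header_value):
    """Domain part of the address in a From / Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse_headers(raw, trusted_server):
    """Report only what trusted_server (the recipient's own MX, an assumption
    the examiner must establish) recorded; other hosts' headers can be forged."""
    msg = message_from_string(raw)
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() == trusted_server:
            for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
                auth.setdefault(method.lower(), verdict.lower())
    boundary_ip = None
    for value in msg.get_all("Received", []):  # newest hop first
        flat = " ".join(value.split())
        by = re.search(r"\bby\s+(\S+)", flat)
        ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", flat)
        if by and ip and by.group(1).rstrip(";").lower() == trusted_server:
            boundary_ip = ip.group(1)  # host that connected to the trusted MX
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    flags = [m + "_not_pass" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if from_dom != rp_dom:  # common in legitimate bulk mail; a lead, not proof
        flags.append("from_returnpath_mismatch")
    return {"from": from_dom, "return_path": rp_dom, "auth": auth,
            "boundary_ip": boundary_ip, "flags": flags}
```

Calling `analyse_headers(RAW_EMAIL, "mx.recipient.example")` on the constructed message shows a visible "From" of bank.example that failed DKIM and DMARC, while the connection to the recipient's server came from 203.0.113.45.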
📹 CCTV Evidence
Primary Evidence:
• Original DVR/NVR device produced in court
• Judge views footage directly on device
• No S.63 certificate required
• Practically difficult — DVR needed for ongoing security
Secondary Evidence (Common):
• Footage copied to CD/DVD/USB/Hard Drive
• S.63 certificate mandatory from DVR operator
• Who is "operator"? Security guard, manager, owner — whoever controls DVR
1. Time/Date Settings: "When was DVR time last synchronized? Could be hours/days off."
2. Continuity: "Is this footage continuous or have portions been edited out?"
3. Resolution: "Can you positively identify the person from this grainy footage?"
4. Camera Coverage: "What about blind spots? Could someone else have entered unseen?"
5. Tampering: "DVR was unseized for 3 days. Footage could have been altered."
6. Metadata: "Video file shows creation date after incident. Proves manipulation."
- S.63 certificate from DVR operator (security officer/owner/manager)
- DVR date/time settings verified and documented
- Camera location and coverage area documented
- Hash value of footage at time of copying
- Footage is continuous, unedited (no jump cuts)
- Witness to identify persons/events in footage
- Chain of custody from DVR to court
- Sealing of original DVR if preservation needed
Call Detail Records (CDR)
CDR SHOWS:
• Calling number and called number
• Date and time of call
• Duration of call
• Cell tower location (approximate area, NOT GPS)
• IMEI of device used
• SMS details (number, time — not content)
CDR DOES NOT SHOW:
• Content of conversation (not a wiretap)
• WHO was actually using the phone
• Precise GPS location (only tower coverage area)
• Internet-based calls (WhatsApp, Skype)
S.91 BNSS Notice: Court or IO can issue notice to telecom company requiring production of CDR.
S.94 BNSS: For interception orders (actual call content — much stricter requirements).
Retention Period: Telecom companies retain CDR for ~2 years. Apply early!
The Fundamental Weakness: CDR proves the phone was used, not WHO used it.
Defence Arguments:
• "Phone could have been borrowed, stolen, or used by someone else"
• "SIM cards can be cloned"
• "Phone was in my possession but my friend made the call"
• "I lost my phone that day — lodged complaint" (check if true!)
Prosecution Response:
• Phone ownership + exclusive possession evidence
• Pattern of calls (regular contacts match accused's life)
• Cell tower location consistent with accused's known movements
• IMEI links to device seized from accused
• Voice sample comparison if call recording available
| CDR Element | What It Proves | What It Doesn't Prove |
|---|---|---|
| Phone Number | Which SIM was used | Who owned/used the SIM |
| Call Time | When call was made | What was discussed |
| Duration | How long call lasted | Whether conversation was meaningful |
| Cell Tower | Approximate area (1-5 km radius) | Precise location (not GPS) |
| IMEI | Which device was used | Who was holding the device |
- CDR obtained via S.91 BNSS from telecom company
- S.63 certificate from telecom nodal officer
- Nodal officer available for examination (Tomaso Bruno)
- SIM ownership verified (CAF — Customer Acquisition Form)
- IMEI linked to device seized from accused
- Phone ownership/possession established
- Cell tower locations mapped and correlated
- Pattern analysis connecting calls to case facts
Cross-Examination Techniques
Cross-examination of electronic evidence witnesses requires technical knowledge combined with legal strategy. Your goal: create reasonable doubt about Authentication, Integrity, or Attribution.
"The art of cross-examination is not the art of examining crossly." — Francis Wellman
• Fabricated screenshots
• Fake emails
• Deepfake videos
• Chain gaps
• Edited footage
• Deleted messages
• Borrowed phones
• Account hacking
• SIM cloning
💬 Cross-Examining WhatsApp Evidence
Witness will identify themselves or IO as the person who took screenshots.
If Yes: "So accused was not present when screenshots were taken. How do I know nothing was deleted or added before screenshots?"
If No: "So you're showing messages received by someone else. How do you prove accused sent them?"
Establish that screenshots are secondary evidence requiring S.63 certificate, and question the integrity of the device before screenshots were taken.
"Yes, WhatsApp has 'Delete for Everyone' feature."
Purpose: Establish incomplete picture — selective presentation of evidence.
"WhatsApp requires verification via OTP sent to phone number."
Follow-up 2: "And the display name on WhatsApp — can I set it to anything? Even 'Prime Minister Modi'?"
Establish that phone number doesn't guarantee identity. OTP can be intercepted with brief phone access. Display names mean nothing.
Witness may not know.
Follow-up 2: "My client will testify his phone was frequently used by his teenage son for gaming. How do you prove my client — and not his son — typed these messages?"
📧 Cross-Examining Email Evidence
"Yes, email spoofing is possible."
If witness says "Headers can prove": "Did you examine the full headers? Were they preserved? What do they show?"
If headers weren't preserved or examined, the email's authenticity is questionable. Always ask for headers!
Witness may acknowledge weak passwords can be guessed or compromised.
Purpose: Raise account compromise defense.
📞 Cross-Examining CDR Evidence
"No, CDR only shows the phone/SIM that made the call."
Answer will be "Yes" — establishing CDR ≠ user identity.
"In urban areas 1-3 km, in rural areas up to 30+ km."
Purpose: Show CDR location is imprecise, not GPS.
"Technically possible, though difficult with modern SIMs."
Use sparingly — only if evidence suggests SIM cloning is plausible. Otherwise sounds like desperate defense.
📹 Cross-Examining CCTV Evidence
Witness may not know, or may say "at installation."
If the accused has an alibi for a different time, this becomes critical.
Depends on footage quality. Often grainy, low resolution.
Purpose: Challenge identification when face isn't clear.
Should be continuous if properly handled.
If no satisfactory explanation: "How do I know what happened during those 3 minutes? Perhaps exculpatory footage was removed?"
S.63 Certificate:
• "Where is the Section 63 certificate?"
• "Who signed this certificate? What is their designation?"
• "Were they the person 'in charge of' or 'responsible for' operating this computer/device?"
• "Is all the information required by S.63(4) present in this certificate?"
Chain of Custody:
• "When was this device seized? When did it reach the laboratory?"
• "Who had custody during this period? Where is the documentation?"
• "What is the hash value at seizure? What is the hash value at examination?"
• "The hash values are different — doesn't this prove the evidence was altered?"
Attribution:
• "Can you prove that the accused — and nobody else — was using this device/account at the relevant time?"
• "Who else had access to this device/password/location?"
• "Is it possible someone else used this device without the accused's knowledge?"
Practical Tips for Practitioners
- Get S.63 certificate before trial — last-minute certificates look suspicious
- Identify correct signatory — IT admin, not peon; nodal officer, not clerk
- Complete all four S.63(4) requirements — partial certificates are defective
- Document hash values at every stage — seizure, FSL, examination, court
- Photograph seals at each transfer — visual proof of integrity
- Preserve email headers, not just body — critical for spoofing defence
- Ensure witnesses are available — certificate signer must be examinable
- Corroborate electronic evidence — don't rely solely on digital proof
- Anticipate attribution defence — gather evidence of exclusive possession
- Apply for CDR early — telecom companies delete after ~2 years
- Get cell tower location maps prepared — visual aids help court
- Brief your expert witness on cross-examination tactics
- Always check S.63 certificate first — missing = inadmissible (Anvar)
- Verify signatory qualification — "in charge of computer"? Really?
- Compare hash values — mismatch = integrity compromised
- Examine chain of custody — gaps = tampering possibility
- Question attribution — device found ≠ device used by accused
- Explore alternative explanations — shared device, hacking, borrowed phone
- Request forensic re-examination if doubts exist (S.45 BSA)
- Check timestamps — system clocks can be wrong
- Challenge CDR location — cell tower ≠ precise GPS
- Ask about deleted data — incomplete picture suggests selective evidence
- Verify CCTV continuity — edited footage = unreliable
- Research witnesses — police informers aren't "independent"
1. Is S.63 certificate present? No certificate = Inadmissible
2. Is certificate complete? All 4 requirements of S.63(4) satisfied?
3. Is signatory qualified? Person "in charge of" or "responsible for" computer?
4. Is chain of custody documented? Seizure → FSL → Court with signatures?
5. Do hash values match? Seizure hash = Examination hash = Court hash?
6. Is attribution established? Proof that accused — not someone else — created/sent this?
7. Is there corroboration? Other evidence supporting electronic evidence?
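The hash comparison in point 5, and the earlier tip to document hash values at every stage, worked through as an added example (not part of the original material). It streams a SHA-256 over the exhibit and walks a custody log to name the handover interval in which the hash changed. The stage names follow the page; the custodians, file contents and function names are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte forensic image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_custody(log, current_path=None):
    """log: ordered (stage, custodian, sha256_hex or None) entries.
    Returns (ok, findings); each finding names the stage or interval at fault."""
    findings, last_stage, last_hash = [], None, None
    for stage, custodian, digest in log:
        if not digest:
            findings.append(f"{stage}: no hash recorded by {custodian}")
            continue
        digest = digest.strip().lower()
        if last_hash and digest != last_hash:
            findings.append(f"hash changed between {last_stage} and {stage}")
        last_stage, last_hash = stage, digest
    if current_path and last_hash and sha256_file(current_path) != last_hash:
        findings.append(f"exhibit does not match hash recorded at {last_stage}")
    return (not findings, findings)

def demo():
    """Constructed scenario: the file changes after FSL receipt, and the
    final stage has no hash on record."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "extraction.bin")
        with open(path, "wb") as f:
            f.write(b"constructed chat export\n")
        seized = sha256_file(path)
        with open(path, "ab") as f:
            f.write(b"one extra line\n")
        altered = sha256_file(path)
        log = [("seizure", "IO", seized), ("FSL receipt", "FSL clerk", seized),
               ("examination", "examiner", altered), ("court", "court clerk", None)]
        return verify_custody(log, path)

if __name__ == "__main__":
    print(demo())
```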
🎯 Key Takeaways — Part 3.5
- WhatsApp screenshots = secondary evidence requiring S.63 certificate (Ambalal Sarabhai)
- WhatsApp challenges: spoofing, device access, editing, deletion, Web WhatsApp
- Email "From" address easily spoofed — always preserve and examine full headers
- CCTV footage needs S.63 from DVR operator; verify date/time settings
- CDR requires S.63 certificate + nodal officer examination (Tomaso Bruno)
- CDR shows phone activity, NOT who was using the phone
- Cell tower location is approximate (1-30 km radius), not GPS precision
- Three attack pillars: Authentication, Integrity, Attribution
- Universal defence: "Who else had access?" (device, account, location)
- Prosecution must establish attribution — evidence on device ≠ accused used device
- Always check S.63 certificate first — missing or defective = inadmissible
- Hash mismatch = evidence altered — strongest possible attack