🎯 Part 5.2

Cross-Examining Investigating Officers

"The IO built the case — now expose its cracks"

The Investigating Officer is often the prosecution's star witness. They collected evidence, seized devices, and prepared the charge sheet. Your job: find gaps in procedure, technical failures, and chain of custody breaks that create reasonable doubt.

2.1 Understanding the IO's Role

👮 What IO Testifies About

Investigation Process: How FIR was registered, what steps were taken

Evidence Collection: What was seized, when, where, from whom

Witness Statements: Who was examined under S.161 BNSS

Technical Evidence: Device seizure, FSL referral, reports received

Accused Connection: How accused was identified and linked to crime

Documentation: Seizure memos, panchnamas, certificates prepared

Technical Ignorance
Many IOs lack deep technical knowledge. They may not understand hash values, metadata, or IP tracing.
"Can you explain what SHA-256 hash means?"
Procedural Shortcuts
Pressure to close cases leads to skipped steps — no independent witnesses, delayed seizure memos.
"Why was the panchnama prepared 3 days after seizure?"
Broken Chain of Custody
Gap between seizure and FSL submission opens tampering possibility.
"Where was the device stored for those 15 days?"
S.63 Certificate Issues
Often signed by wrong person or missing mandatory particulars.
"Who was in charge of the computer when this was generated?"
💡 Golden Rule of IO Cross-Examination

Never ask "why" questions — they let IO explain and justify.

Ask "what," "when," "where," "who" — factual questions that trap.

Use documents — confront IO with their own records showing inconsistencies.

Be surgical — focus on 2-3 devastating points, not 20 minor ones.

2.2 Questioning on Seizure Procedure

Cross-Examination: Seizure Procedure

Q: At what time did you reach the accused's premises?
A: [IO answers with time]
Note: Lock down the time — compare with panchnama timestamp later

Q: Were independent witnesses present when you entered?
A: [IO likely says yes]
Note: Follow up: "From where were they called? Were they known to police?"

Q: Was the computer switched ON or OFF when you arrived?
A: [Critical answer — ON means volatile data, OFF means different issues]
Note: If ON: "Did you capture RAM? Screenshot? What was displayed?" If OFF: "How do you know accused was using it?"

Q: Did you photograph the device before touching it?
A: [Often: No]
Note: "So there's no record of what state the device was in before your handling?"

Q: What steps did you take to prevent data alteration during seizure?
A: [IO may not know technical answer]
Note: Exposes technical ignorance — "Did you use write-blocker? Faraday bag?"

Q: I see the seizure memo is dated [date]. When was it actually prepared?
A: [May reveal delay]
Note: Delayed memo = reconstructed from memory = unreliable

⚠️ Red Flags in Seizure

Witnesses are police personnel — not "independent" as required

Seizure memo prepared later at police station, not on spot

Device was ON but no volatile data captured

No photographs of device in original state

Multiple devices but vague description — which specific device?

2.3 Hash Value Verification

🔐 What is Hash Value?

Definition: A unique digital fingerprint of data. SHA-256 or MD5 algorithms convert any file or drive into a fixed-length string.

Purpose: Proves data hasn't been altered. Same input = same hash. Any change = completely different hash.

Legal Importance: Hash at seizure must match hash at analysis. Mismatch = tampering possibility.

Cross-Examination: Hash Values

Q: Did you calculate hash value at the time of seizure?
A: [Often: No, or "FSL did it"]
Note: Critical gap — no baseline hash means no way to prove data wasn't altered between seizure and FSL

Q: What hash algorithm was used — MD5 or SHA-256?
A: [IO may not know]
Note: Exposes technical ignorance — "You don't know what method was used to verify integrity?"

Q: Is the hash value recorded in the seizure memo?
A: [Check document — often not there]
Note: "So there's no contemporaneous record of the device's digital state at seizure?"

Q: I see FSL report shows hash value X. What was the hash at seizure?
A: [Cannot answer if not recorded]
Note: "Without seizure hash, how can you prove data wasn't modified in 30 days before FSL received it?"

Q: Do you know what happens to hash value if even one bit of data changes?
A: [IO may not know — it changes completely]
Note: Establishes that IO doesn't understand the integrity mechanism they rely on

⚖️ State of Maharashtra v. Praful Desai, (2003) 4 SCC 601
"Electronic evidence is susceptible to tampering and manipulation. Courts must insist on proper authentication procedures including hash verification to ensure integrity of digital evidence."

2.4 Chain of Custody

🔗 What is Chain of Custody?

Definition: Documented chronological history of evidence — who had it, when, where, for what purpose.

Purpose: Proves evidence presented in court is same as seized, without tampering opportunity.

Break = Doubt: Any unexplained gap in custody creates reasonable doubt about integrity.

Cross-Examination: Chain of Custody

Q: After seizure, where was the device taken?
A: [To police station / malkhana]
Note: Document the path — each step is potential vulnerability

Q: How was the device stored at the police station?
A: [Often vague answers]
Note: "In a locked room? Who had keys? Was it sealed? Where's the seal?"

Q: I see device was seized on [date] but sent to FSL on [date + 30 days]. Where was it for those 30 days?
A: [Critical gap period]
Note: Long gap = tampering opportunity. "Who had access during this period?"

Q: Is there a register showing everyone who accessed the malkhana during this period?
A: [May not exist or may show multiple accesses]
Note: "So anyone with malkhana access could have accessed this device?"

Q: Was the device sealed after seizure? Where is the seal now?
A: [Seal often broken for FSL examination]
Note: "Was the seal intact when FSL received it? Who broke it? Is that documented?"

Q: Show me the custody register entries for this device.
A: [Document confrontation]
Note: Often reveals gaps, missing entries, or contradictions

🚨 Chain of Custody Red Flags

No sealing or seal not mentioned in seizure memo

Long gap between seizure and FSL submission (weeks/months)

Multiple handlers without documentation

Storage in unsecured location

Device accessed before FSL examination without documentation

Seal broken with no record of when/why/by whom
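The two mechanisms sections 2.3 and 2.4 rely on, a baseline hash taken at seizure and a chronological custody register, can be shown concretely. The following is an added worked example, not code from the original page or from any court, FSL or police tool: it hashes a constructed stand-in for a disk image with SHA-256, shows that flipping a single bit changes the digest completely (the point behind the last hash question), and keeps a small custody register whose audit flags exactly the defects the red-flag lists describe: no seizure hash, an unexplained gap between handlers, and a digest that no longer matches the baseline. The image bytes, dates, handler names and the 10-day gap threshold are all constructed assumptions; the register layout is the author of this example's own, not a statutory form.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed stand-in for the seized laptop's disk image (not a real forensic image).
SEIZED_IMAGE = b"constructed disk image: browser history, cookies, cached bank pages"
# Assumed threshold: any undocumented custody gap longer than this is worth a question.
MAX_GAP = timedelta(days=10)


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as hex: the 'digital fingerprint' the text describes."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit flipped, to show the avalanche effect."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_hex_digits(a: str, b: str) -> int:
    """Count how many of the 64 hex digits differ between two SHA-256 digests."""
    return sum(1 for x, y in zip(a, b) if x != y)


@dataclass
class CustodyEntry:
    when: datetime
    handler: str
    location: str
    sha256: Optional[str]  # None models a handoff at which nobody hashed the image


@dataclass
class CustodyRegister:
    """Chronological custody log: who held the evidence, where, and its hash (if taken)."""
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, when: datetime, handler: str, location: str,
               image: Optional[bytes] = None) -> None:
        digest = sha256_hex(image) if image is not None else None
        self.entries.append(CustodyEntry(when, handler, location, digest))

    def audit(self, max_gap: timedelta = MAX_GAP) -> List[str]:
        """Findings a cross-examiner would raise: no baseline, undocumented gaps, hash changes."""
        findings: List[str] = []
        if not self.entries:
            return ["no custody entries at all"]
        baseline = self.entries[0].sha256
        if baseline is None:
            findings.append("no hash recorded at seizure: no baseline to prove data was not altered")
        for prev, cur in zip(self.entries, self.entries[1:]):
            gap = cur.when - prev.when
            if gap > max_gap:
                findings.append(f"undocumented gap of {gap.days} days between "
                                f"{prev.handler} ({prev.location}) and {cur.handler} ({cur.location})")
            # A mismatch can only be proven when a seizure hash exists to compare against.
            if baseline is not None and cur.sha256 is not None and cur.sha256 != baseline:
                findings.append(f"hash mismatch at {cur.handler}: evidence altered since seizure")
        return findings


T0 = datetime(2024, 1, 10, 11, 30)  # constructed seizure time


def well_documented_register() -> CustodyRegister:
    """Constructed: hashed and sealed at seizure, weekly malkhana checks, FSL hash matches."""
    reg = CustodyRegister()
    reg.record(T0, "IO", "accused's residence", SEIZED_IMAGE)
    reg.record(T0 + timedelta(hours=3), "malkhana in-charge", "malkhana")
    reg.record(T0 + timedelta(days=7), "malkhana in-charge", "malkhana")
    reg.record(T0 + timedelta(days=14), "malkhana in-charge", "malkhana")
    reg.record(T0 + timedelta(days=20), "FSL receiving officer", "FSL", SEIZED_IMAGE)
    return reg


def deficient_register() -> CustodyRegister:
    """Constructed: no seizure hash, 30 unexplained days, FSL hashes an image that was changed."""
    reg = CustodyRegister()
    reg.record(T0, "IO", "accused's residence")  # seized but never hashed
    reg.record(T0 + timedelta(days=30), "FSL receiving officer", "FSL", flip_one_bit(SEIZED_IMAGE, 5))
    return reg


def tampered_register() -> CustodyRegister:
    """Constructed: seizure hash exists, so a one-bit change before FSL is provable."""
    reg = CustodyRegister()
    reg.record(T0, "IO", "accused's residence", SEIZED_IMAGE)
    reg.record(T0 + timedelta(days=5), "FSL receiving officer", "FSL", flip_one_bit(SEIZED_IMAGE, 5))
    return reg


if __name__ == "__main__":
    h1, h2 = sha256_hex(SEIZED_IMAGE), sha256_hex(flip_one_bit(SEIZED_IMAGE, 0))
    print("seizure hash :", h1)
    print("one bit flip :", h2, f"({differing_hex_digits(h1, h2)} of 64 hex digits differ)")
    for name, reg in [("well documented", well_documented_register()),
                      ("deficient", deficient_register()),
                      ("tampered", tampered_register())]:
        print(f"\n{name}: {reg.audit() or ['no findings']}")
```

Note what the deficient register cannot do: because no hash was taken at seizure, the audit can report the missing baseline and the gap, but it cannot say whether the image changed, which is precisely the argument "without seizure hash, how can you prove data wasn't modified?" The tampered register, by contrast, proves the change from the digests alone. On the algorithm question, SHA-256 is the sensible choice; MD5 still detects accidental changes but is no longer collision-resistant, so a memo that names only MD5 invites a further question.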

2.5 S.63 BSA Certificate Issues

Cross-Examination: S.63 Certificate

Q: Who signed the S.63 certificate for this electronic evidence?
A: [Name of signatory]
Note: Verify: Was this person actually in charge of computer? Often IO signs for others' devices

Q: What is the signatory's relationship to the computer from which evidence was extracted?
A: [May reveal they had no control over device]
Note: "So you signed certificate for accused's device that you never operated in regular course?"

Q: Does the certificate describe the manner in which electronic record was produced?
A: [Check document]
Note: Often missing — "Which software extracted it? What settings? What format?"

Q: The certificate says computer was "operating properly." How do you know?
A: [IO may not have tested]
Note: "Did you run diagnostics? Check for malware? Verify OS integrity?"

Q: Was the original device produced in court along with this printout?
A: [Often: No, only printout]
Note: "Without original, how can court verify printout accuracy?"

⚖️ Arjun Panditrao Khotkar v. Kailash Gorantyal, (2020) 7 SCC 1
"Section 65B certificate is mandatory for electronic evidence. However, it can be produced at trial stage. The certificate must be from person in charge of computer — not necessarily owner. Requirements are procedural, not substantive, but non-compliance affects admissibility."
✅ S.63 Certificate Checklist for Cross-Examination
  • Is certificate signed by person in charge of computer (not just IO)?
  • Does it identify the specific electronic record?
  • Does it describe manner of production (software, method)?
  • Does it give particulars of device (make, model, serial)?
  • Does it state computer was operating properly?
  • Was it produced contemporaneously or created for trial?
  • Is original device available for verification?

2.6 Complete Mock Cross-Examination Script

📋 Scenario: Online Banking Fraud Case

Facts: Complainant received call from "bank executive," shared OTP, lost ₹5 lakhs. IP traced to accused's residence. Laptop seized. FSL found complainant's bank details in browser history.

IO: Inspector Sharma, Cyber Cell. Investigated for 3 months. Filed charge sheet under S.66C, 66D IT Act + S.318, 319 BNS.

Full Mock Cross-Examination — IO Inspector Sharma

Q: Inspector Sharma, when was the FIR registered?
IO: On 15th January 2024.

Q: When did you first visit the accused's residence?
IO: On 20th February 2024.
Note: 36-day gap — why the delay?

Q: So there was a gap of 36 days between FIR and your visit. What were you doing during this period?
IO: We were tracing the IP address and obtaining information from the bank.

Q: When you reached the accused's house, was the laptop switched ON or OFF?
IO: It was switched OFF.

Q: Did you photograph the laptop before touching it?
IO: No.
Note: First gap established

Q: Were independent witnesses present when you seized the laptop?
IO: Yes, two witnesses were present.

Q: I see from the panchnama that one witness is "Constable Ravi Kumar." Is a police constable an independent witness?
IO: He was present in the area.
Note: Witness independence challenged

Q: Did you calculate hash value of the hard drive at the time of seizure?
IO: No, that was done by FSL.

Q: So there is no record of the laptop's digital state at the moment of seizure?
IO: The FSL report has the hash.

Q: But FSL received the laptop on 15th March — 23 days after seizure. How do you prove data wasn't modified in those 23 days?
IO: It was kept sealed in malkhana.
Note: Chain of custody attack begins

Q: Show me the malkhana register entries for this laptop from 20th February to 15th March.
IO: [Produces register — may show gaps or multiple accesses]

Q: I see the seal number is not mentioned in the seizure memo. Was the laptop sealed?
IO: Yes, it was sealed.

Q: Then why is there no seal number in the seizure memo prepared on spot?
IO: It may have been an oversight.
Note: "Oversight" in critical procedure = unreliable

Q: Who signed the S.63 certificate for the electronic evidence extracted from this laptop?
IO: I signed it.

Q: Were you in charge of operating this laptop before seizure?
IO: No, it belonged to the accused.

Q: S.63 BSA requires certificate from person in charge of the computer. You were never in charge of accused's laptop, correct?
IO: I certified it as Investigating Officer.
Note: Certificate validity challenged

Q: The IP address in the case — do you know the difference between static and dynamic IP?
IO: I am aware.

Q: Was the IP address in this case static or dynamic?
IO: I would need to check the records.
Note: Technical knowledge gap exposed

Q: If it was dynamic, isn't it possible that same IP was assigned to different users at different times?
IO: The ISP confirmed it was assigned to accused's connection at that time.

Q: But that only proves someone on accused's WiFi connection used the IP — not that accused personally used it, correct?
IO: The browser history was on accused's laptop.
Note: Forces reliance on laptop evidence — already weakened by chain issues

Q: Finally, Inspector, you have no hash value at seizure, one witness was a constable, seal number wasn't recorded, and you signed S.63 certificate for a device you never operated. Is that correct?
IO: [IO may try to explain]
Note: Summary question crystallizes all doubts for judge

🎯 Key Takeaways — Part 5.2

  • IO is prosecution's key witness — cross-examination can create reasonable doubt
  • Focus on procedural gaps: seizure procedure, hash values, chain of custody, S.63 certificate
  • Ask factual questions (what, when, where, who) — never ask "why" which allows explanation
  • No hash at seizure = no proof data wasn't altered before FSL
  • Police witnesses are not "independent" — challenge witness composition
  • Long gap between seizure and FSL = tampering opportunity
  • S.63 certificate must be from person in charge of computer — IO signing for accused's device is problematic
  • IP address only proves connection, not individual user
  • Expose technical ignorance — many IOs don't understand hash, IP, forensics
  • End with summary question crystallizing all procedural failures

📝 Assessment — Part 5.2 (10 Questions)

1. The most effective IO cross-examination uses:
Correct: C. Factual questions trap the witness; "why" allows them to explain and justify.
2. Hash value at seizure is important because:
Correct: B. Hash is digital fingerprint — matching hash proves no tampering; without seizure hash, no baseline exists.
3. S.63 BSA certificate must be signed by:
Correct: A. S.63 requires certificate from person occupying responsible position OR in charge of computer.
4. Chain of custody break matters because:
Correct: D. Gap in custody = opportunity for tampering = reasonable doubt about evidence integrity.
5. If device was ON at seizure, IO should have:
Correct: B. Live system has volatile data (RAM, open files, logged-in sessions) that disappears on shutdown.
6. A police constable as seizure witness is problematic because:
Correct: C. BNSS S.105-106 requires independent witnesses — police personnel have inherent interest in investigation success.
7. IP address alone proves:
Correct: A. IP identifies connection, not individual user. Multiple people may use same WiFi connection.
8. In Arjun Panditrao Khotkar, SC held:
Correct: D. SC clarified certificate is mandatory for electronic evidence but can be produced at trial stage.
9. Long gap between seizure and FSL submission allows argument of:
Correct: B. Extended period in police custody without proper controls creates tampering opportunity.
10. Best cross-examination strategy is:
Correct: C. Surgical focus on few critical points is more effective than scattered attack on many minor issues.