Madhya Pradesh High Court
Sandeep Sharma vs The State Of Madhya Pradesh on 5 September, 2024
Author: Milind Ramesh Phadke
Bench: Milind Ramesh Phadke
1 WP-24396-2024
IN THE HIGH COURT OF MADHYA PRADESH
AT GWALIOR
BEFORE
HON'BLE SHRI JUSTICE MILIND RAMESH PHADKE
ON THE 5 th OF SEPTEMBER, 2024
WRIT PETITION No. 24396 of 2024
SANDEEP SHARMA
Versus
THE STATE OF MADHYA PRADESH AND OTHERS
Appearance:
Shri Anil Kumar Mishra - Advocate for the petitioner.
Shri Deepak Khot - GA appearing on behalf of State.
ORDER
The instant petition under Article 226 of the Constitution of India is filed being aggrieved by the report dated 09.12.2023 Annexure P/1 issued by respondent no.2 in pursuance to an order dated 14.06.2023 issued by Eighth Additional Sessions Judge, District Gwalior in Sessions Trial No.93/2018, whereby an expert opinion to provide information regarding the dates and times on which the DVR and Pen Drive seized by the prosecution were opened and a copy after dated 28.09.2017 was sought.
2. The aforesaid report has been assailed on the ground that the examiner only supplied the Logs of the Pendrive, but no logs of Hard Disk of the DVR was provided, since being an electronic device it was easy to temper, therefore, to prove the integrity of the evidence it is necessary for the Court to know exactly when and how the same were prepared or seized from the concerned persons.
Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM2 WP-24396-2024
3. Assailing the said report another ground raised is that digital integrity of a property can be defined whereby digital date is not altered in an unauthorized manner since the time it was created, transmitted by an authorized source to be analyzed as digital data is vulnerable to intentional or unintentional alteration, therefore, integrity of digital evidence is required to be maintained, starting from seizure till analysis and it is the duty of the forensic examiners to ensure that digital evidence is not manipulated and since respondent no.2 had not provided report to that effect, it may be directed to give exhaustive report over the hard disk and the DVR and also suitable directions be issued to re-examine the DVR and the hard disk and provide the report of timestamps, logs and digital foot prints and further make visible the blurred camera footage of camera no.1 as exhibited by the prosecution.
4. In the aforesaid context, learned counsel for the petitioner while placing reliance on literature (guidelines) issued by forensic science laboratory for forwarding crime exhibits authored by Dr. Jeetendra Pande and Dr. Ajay Prasad, had argued that the examiner only supplied the logs of the Pen drive, however, no such logs of hard disk of the DVR were provided by which it could be determined as to how many times the hard disk was opened to prepare the pen drive and how many times it was opened or written or re-written as the electronic device is easy to tamper, therefore, it is necessary for the Court to know exactly when and how the same was prepared or seized from the concerned persons.
5. It was further argued that it will not be possible to prove the Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 3 WP-24396-2024 integrity of the evidence if the acquisitions of the same is not proper and acquiring evidence is making sure nothing is added or written to the evidence in the process.
6. It was further argued that digital integrity of the property can be defined whereby the digital date has not been altered in an unauthorized manner since the time it was created, transmitted by an authorized source, as the digital data is vulnerable to intentional or unintentional alteration. It was also argued that Forensic examiners must ensure that digital evidence is not compromised.
7. It was also argued that according to the Section 79-A of Information Technology Act "Electronic form of evidence" refers to "any information of probative value that is either stored or transmitted in electronic form' which includes computer evidence, digital audio, digital video, cell phones and digital fax machines, Electronic Evidence, unlike other forms of physical evidence, having particular characteristics that present unique obstacles in the admission of such evidence in a court of law. As in the present case the DVR declares to be consisted with 'no content' and one pen drive declares showing error, therefore, for the proper justification of these electronic evidences, it is needed to get the Logs Report of the Hard Disk of DVR, by which the Pen drive was prepared, but the report submitted by the forensic laboratory wrongly discloses that DVR exhibit-1 did not contain any log showing the access and the copy dates of CCTV footage is present in the hard disk exhibit-H1, hence opinion regarding the date to access a copy of CCTV footage could not be offered.
Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM4 WP-24396-2024
8. It was further argued that upon reviewing the footage provided after the forensic examination, it was found that only the portion of recording from the DVR which allegedly contains the incidents date were available while the DVR should have contained complete recordings from the date of incident or prior dates, but it did not which suggests potential tampering by the prosecution and if the prosecution had not intentionally altered or edited the recordings, the DVR would have contained the full recording from the incidents date and prior dates, therefore, obtaining a detailed report from the forensic labs regarding dates and times of DVR and pend drives were accessed and copied is crucial for fair resolution of the case and failure of the lab to provide this information might be an instance of influence by the prosecution which would hinder the Court from uncovering the truth.
9. It was further argued that the logs, times stamps which include the creation, updates and access dates, offer important information about the sequence of events that lead to a certain files and these times-stamps are closely examined by the forensic analysts in order to determine the order in which certain operations occurred on the hard disk such as creation, modification, or access of file and these files, times-stamps, anomalies, or discrepencies may point to possible manipulation or tampering, exposing questionable activities that need more research.
10. It was further argued that though hard drive can hold wealth of information they are also vulnerable to data manipulation and hacking and to find evidence of tampering such as changed file meta data, inconsistent file structures or attempts to hide incriminating evidence, forensic analysts. The Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 5 WP-24396-2024 examiners uses sophisticated deals and even minor hints may be found that might go missed by naked eyes by carefully reviewing the digital foot prints left on the hard disk and this information can be vital in supporting or refuting statements made during the court procedures and as there is no report of timestamps of digital footprints of the hard disk, therefore, interference of this Court is required.
11. Further learned counsel submitted that there are two types of digital evidence: first volatile evidence i.e. Memory, Network Connections, Running Progress and Open File and second is non-volatile evidence i.e. Hard Drives, USB storage, Floppy Disk and CD/DVD. In the present case, USB storage and Hard Drives (disk) are non-volatile evidence which are available and with regard to non-volatile evidence in the examination always Locard's Exchange Principle is being followed which is recognized as a foundational concept in forensic science and it is used by forensic experts world wide, including those in India, as a guiding principles.
12. It was further argued that in India forensic laboratories including those under Government agencies such as the C.B.I. and State Forensic labs, apply the principles of forensic science, including Locard's Principle, in their investigation. Further Locard's Exchange Principle can be applied metaphorically to the digital forensics of the case just as physical contact leaves a trace, the connection and interaction between digital devices (like Hard Disk and DVR or Pen Drive) should leave logs or traces in the digital environment, therefore, absence of this information in the forensic report assumes significance and it raises questions about the thoroughness of the Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 6 WP-24396-2024 forensic analysis and if these logs and timestamps are missing or not disclosed, it could mean that either the forensic examination was incomplete, or potentially that the logs were tampered with or erased- intentionally or otherwise. In this regard, learned counsel has placed reliance in the matter of Tomaso Bruno vs. State of Uttar Pradesh reported in 2015 (2) SCC 178.
13. It is further argued that the connection logs establish links between devices and potential tampering or unauthorized access and time stamps determine the timeline of events, helping to confirm or refute alibis. Moreover, the Metadata offers insights into file origins and modifications, assisting in establishing authenticity and identifying perpetrators and these elements are critical for ensuring the integrity of the digital evidence and establishing a comprehensive understanding of how the Hard Disk was used in relation to the crime. However, in the present, there is no such information given with regard to the abovementioned, which shows that the devices were not properly examined and the report was not properly prepared by the respondent no.2.
14. While referring to judgments of the Apex Court in the matters of State of Gujarat vs. J.B. Soni and Ors. reported in AIR 1999 SC 1984 and Anvar P.V. vs. P.K. Basheer and Ors. reported in 2014 (10) SCC 473 , it was argued that the procedure adopted by the forensic expert for examining digital evidence should be mentioned in the forensic report and detailing such procedure ensures transparency, allowing others to understand how the evidence was handled and analyzed. Further this enhances the credibility of the forensic report and documenting the procedure ensures that the Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 7 WP-24396-2024 examination was conducted in accordance with these standards.
15. On the basis of the aforesaid arguments and citations, it was submitted that since the report submitted by the forensic examiners do not disclose the exact procedure followed and the contents of the logs of the DVR, an exhaustive report in view of the abovementioned submissions is required to be called from respondent no.2.
16. On the other hand, learned counsel for the respondent/State while supporting the impugned report submitted that a Digital Video Recorder (DVR) and hard disk work together to record, store and manage video footage from security cameras and the DVR processes the video signals to connected cameras converting them into digital signals format, if they are not already digital. This processed data is then returned to the hard drive which serves as the primary storage medium for recorded footage and, thereafter, DVR manages the storage on the hard drive including overwriting old footage when the storage limit is reached and then DVR allows users to access, retrieve and play back storage footage from the hard drive and for that system may also create logs of when data was recorded, accessed or deleted.
17. It was further argued that when footage is transferred from hard drive to other drive (like a pendrive), the DVR maintains logs of these actions, including time stamps which can be crucial in forensic investigations. Thus, when it is DVR which maintains the logs of the actions including time stamps, then raising the eye brow over the conclusion drawn by the directorate of forensic science regarding non-offering of date of Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 8 WP-24396-2024 access and copy of the CCTV footages since the DVR did not contain any log cannot be faulted with.
18. It was also argued that the contention as raised on behalf of the petitioners that it is the hard disk which contains the log and not the DVR is wholly mis-conceived as even from the literature which has been placed before this Court it could not be demonstrated by the petitioner that due to this anomaly an exhaustive report is required to be called for. On the basis of the aforesaid arguments, it was submitted that there is no anomaly in the report submitted by the directorate of forensic science dated 09.12.2023. Thus, the petition being sans merit is, therefore, liable to be dismissed.
19. Heard the counsels for the parties and perused the record.
20. The Forensic Science Laboratory (Government of NCT of Delhi), framed guidelines for Forwarding Crime Exhibits at Column No.2 the "GUIDELINES FOR COLLECTION AND PRESERVATION OF ELECTRONIC DATA FROM DIGITAL CCTV SYSTEMS" at Column No.2.3 the collection of Electronic Data is mentioned as under:
2.3. Collection of electronic data:
2.3.1. A determination should be made as to how much and what type of data needs to be retrieved from the CCTV recording system.
2.3.2. Consideration of factors like amounts and type of media required and time taken in data transfer is of utmost importance. 2.3.3. Determine the possible output options, e. g., CD/DVD writer, USB drive, network port etc. 2.3.4. Performing a test retrieval will assist in estimating the time and storage requirements for the chosen output option. 2.3.5. Most of the DVR systems have a built-in or external CD/DVD writer to retrieve the data. In this case, following information should be keep in mind i. Generally the system allows to copy the propriety viewer to the disc while burning where Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 9 WP-24396-2024 option may be selected manually. 'Write-once' and not 'multi-
session' mode should be used for taking data in CD-
R/DVDR.Some system may take only CD-RW/DVD-RW. At the earliest possible time, the data should be transferred to CD- R/DVD-R. ii. After retrieval of data in CD/DVD, the data should be verified if the data of proper date and time has been retrieved. iii. If the files are retrieved in multiple CD/DVD, they should be named to ensure that the proper order of playback is identifiable. iv. The proprietary software (player) should also be provided. 2.3.6. In case the DVR system has not a build-in CD/DVD writer, an external CD/DVD writer can also be connected through a USB/Firewire/SCSI port.
2.3.7. Some CCTV systems have a compact flash card option, which is usually intended for short video sequences. If video is recovered via these drives, at the earliest possible time, all data should be transferred from compact flash card to a more permanent media and hash of the data may be calculated for reference.
2.3.8. USB/Firewire/SCSI ports, if available, can be used to connect external drives, CD/DVD writers and legacy devices. It should first be established that the port is in working condition. Some devices may require installation of necessary drivers on the recording systems. It is advisable to contact the operator /manufacturer of the CCTV systems before making any of such installation.
2.3.9. Most DVR systems have a limitation on the amount of data that can be retrieved (exported/downloaded) at a time, typically 1GB or 2GB. The limit may not be specified in the system manual. It is the best practice to keep the file under 1GB, unless it is known for sure it is capable for more.
2.3.10. Many CCTV systems have network ports and their own proprietary network viewer software which allows for multi- computer connectivity and recovery of the native/proprietary recorded files. By utilizing an Ethernet crossover cable, computer and network viewer, a connection to the DVR can be established and the native/proprietary file(s) downloaded/exported. 2.3.11. In some situations, the quickest solution may appear to remove the hard drives from the system and replace them. This option should be opted carefully as there are many factors that come into play.
21. Further it is provided that a Digital Video Recorder (DVR) and a Hard Drive work together to record, store, and manage video footage from Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 10 WP-24396-2024 security cameras. Here's how they interact:
1. Recording Video: The DVR processes the video signals from connected cameras, converting them into digital format if they are not already digital.
2. Storage: The processed video data is then written to the Hard Drive, which serves as the primary storage medium for recorded footage.
3. Management: The DVR manages the storage on the Hard Drive, including overwriting old footage when the storage limit is reached.
4. Playback and Retrieval: The DVR allows users to access, retrieve, and playback stored footage from the Hard Drive. The system may also create logs of when data was recorded, accessed, or deleted.
In cases where footage is transferred from the Hard Drive to another device (like a Pen Drive), the DVR should maintain logs of these actions, including timestamps, which can be crucial in forensic investigations.
22. In traditional, CSI-style forensics, one of the guiding concepts i s Locard's Exchange Principle , which essentially says that in the commission of a crime, the perpetrator leaves something at the crime scene, and takes away with him something from the crime scene. These "somethings" are evidence. More colorfully: "Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him, his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 11 WP-24396-2024 it, study and understand it, can diminish its value. -- Paul L. Kirk. 1953."
23. This principle holds in the digital world as well and, in fact, it holds whether you are perpetrating a crime or not. Just as physical contact leaves the trace, the connection and interaction between digital devices (like a hard drive disk and a DVR and pend drive) may leave logs or traces in the digital environments and these logs might include: (i) Connection logs i.e. records showing that the Hard Disk was connected to the DVR and later to a different device, such as a computer or another storage medium. (ii) Timestamp Information: Logs indicating when the data transfer, modification, or deletion occurred. This includes timestamps showing when files were written, accessed, or modified. (iii) Metadata Analysis:
Examination of file metadata that can reveal information about when files were created, modified, or last accessed.
24. It is not the case of the petitioner that the aforesaid principles have not been followed nor it is the case that in a very slip shot manner or without adhering to the basic principles of forensic science the report has been prepared and submitted rather it is the case of the petitioner that it is not possible that the DVR exhibit D/1 did not contain any log showing the access in copy dates of the CCTV footages present in the hard disk.
25. It is also not the case of the petitioner that the report which has been submitted does not contain any information with regard to presence or non-presence of the log and no analyses of the same was carried out by the experts, thus, it cannot be said that the information as it is requisite with regard to logs was absent in the report which would cast doubt over Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM 12 WP-24396-2024 thoroughness of the forensic analysis.
26. From the aforesaid discussion, this Court does not find any reason to accept the preposition of the counsel for the petitioner that since the logs and the time stamps were missing or were not disclosed in the report would mean that either the forensic examination was incomplete or potentially the logs were tempered with or erased or modified intentionally or otherwise.
27.The Courts are not experts with regard to the forensic science and it is only for this reason that the material are, therefore, sent to forensic examination to the expert bodies and the Directorate of Forensic Science, Gujarat State, Sector-18A, Gandhinagar is one of such expert bodies and when the very process which has been adopted by the said expert body in deriving conclusion is not challenged or is under cloud, then the conclusion arrived at cannot be doubted.
28. Accordingly, the present petition having no sum and substance is hereby dismissed.
(MILIND RAMESH PHADKE) JUDGE Chandni Signature Not Verified Signed by: CHANDNI NARWARIYA Signing time: 12-Nov-24 7:02:57 PM