Digital Evidence Rules, RFC 2822 & Chain of Custody

Lesson 14 of 15 in the free Cyber Security notes on Siksha Sarovar, written by Rohit Jangra.

The admissibility of digital evidence in court hinges on strict adherence to evidence handling protocols. A technically perfect analysis is worthless if the evidence was improperly collected, handled, or documented. This lesson covers the legal and procedural framework governing digital evidence.

---

Digital Evidence Rules — Admissibility Standards

Courts apply these fundamental rules to digital evidence:

1. Best Evidence Rule

  • Courts prefer original documents over copies
  • In digital forensics, a forensically verified bit-for-bit copy (verified by cryptographic hash) is treated as equivalent to the original
  • The hash value (MD5, SHA-256) serves as the digital "seal" proving the copy is identical to the original

2. Authentication

  • The party presenting evidence must prove the evidence is what it claims to be
  • For digital evidence: testify that you acquired the evidence from a specific device at a specific time, using validated tools, and the hash has not changed

3. Hearsay and Electronic Records Exception

  • Digital records (logs, emails) can be hearsay unless they fall under recognized exceptions:
  • Business records exception — regular business activity logs kept in normal course of business
  • Public records exception — government-maintained records
  • Computer-generated records (not human assertions) are generally not hearsay

4. Exclusionary Rule

  • Evidence obtained through illegal search and seizure is inadmissible ("fruit of the poisonous tree")
  • Investigators must obtain proper legal authorization (search warrant, consent, court order) before seizing digital devices
  • India: Section 65B of the Indian Evidence Act governs admissibility of electronic records

| Legal Requirement | Governing Rule | How Satisfied | Failure Consequence |
|---|---|---|---|
| Proper authorization | Search warrant / consent | Warrant from magistrate, user consent | Evidence excluded |
| Authenticity proof | Best Evidence Rule | Hash verification log | Evidence challenged |
| Chain of custody | Court rules on evidence | Documented custody log | Evidence ruled tampered |
| Expert qualification | Expert witness rules | Certifications (CHFI, EnCE) + CV | Testimony excluded |
| Tool validation | Daubert standard (US) | NIST CFTT validation | Analysis challenged |

---

Section 65B of the Indian Evidence Act

Section 65B specifies requirements for admissible electronic records in Indian courts:

| Requirement | Description |
|---|---|
| 65B(1) | Any information in electronic form is admissible if the conditions in 65B(2) are met |
| 65B(2)(a) | The computer producing the output was used to store/process information in the ordinary course of activities |
| 65B(2)(b) | The computer was operating properly during the relevant period |
| 65B(2)(c) | The information was fed into the computer in the ordinary course of activities |
| 65B(2)(d) | The output accurately reproduces the information stored/processed |
| Certificate | A certificate under 65B(4) must be produced by a responsible official to certify the electronic record |

---

RFC 2822 — Internet Message Format

RFC 2822 (Internet Message Format, updated by RFC 5322) is the standard that defines the format of electronic mail messages on the internet. Understanding RFC 2822 is critical for email forensics.

RFC 2822 Email Structure:

| Component | Description | Forensic Significance | Example |
|---|---|---|---|
| From | Author's email address | May be forged (check against Received headers) | From: alice@example.com |
| To | Primary recipients | Identifies targets | To: bob@example.com |
| Date | Date/time message was composed | Compare with SMTP Received timestamps | Date: Mon, 15 Jan 2024 10:30:00 +0530 |
| Message-ID | Globally unique message identifier | Tracks message across mail servers | Message-ID: <abc123@example.com> |
| Subject | Message subject line | Social engineering clues in phishing | Subject: URGENT: Account suspended |
| Received | Each mail server adds its own Received header | Traces the email's path; timestamps each hop | Received: from smtp.evil.com... |
| MIME-Version | Indicates MIME encoding used | Important for attachment analysis | MIME-Version: 1.0 |
| Content-Type | Type of message content | Identifies embedded content, attachments | Content-Type: multipart/mixed |
| X-Originating-IP | Original sender's IP (often added by webmail) | Geolocation and attribution | X-Originating-IP: 192.168.1.100 |
| DKIM-Signature | Cryptographic signature on headers/body | Verifies email was not tampered with | DKIM-Signature: v=1; a=rsa-sha256... |

Forensic Analysis of Email Headers:

  1. Start with the bottom Received header — this is the first hop (closest to the sender)
  2. Read upward — each successive Received header shows the next mail server in the chain
  3. Compare timestamps — gaps in timestamps may indicate header manipulation
  4. Analyze X-Originating-IP — original sender's IP before webmail servers
  5. Verify DKIM signature — confirms message integrity from the signing domain
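The bottom-to-top Received walk and timestamp comparison from steps 1 to 3, as an added example that is not part of the Siksha Sarovar notes. The message, hosts, IPs and times are constructed for illustration; the 30-minute gap threshold is an assumed review setting, not a standard.

```python
import email
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts, addresses and times are invented for illustration.
RAW_MESSAGE = """\
Received: from mx.example.com (mx.example.com [203.0.113.10]) by inbox.example.com; Mon, 15 Jan 2024 10:34:00 +0530
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.com; Mon, 15 Jan 2024 10:33:10 +0530
Received: from [192.0.2.55] (unknown [192.0.2.55]) by relay.example.net; Mon, 15 Jan 2024 11:20:00 +0530
From: alice@example.com
To: bob@example.com
Date: Mon, 15 Jan 2024 10:30:00 +0530
Message-ID: <abc123@example.com>
Subject: URGENT: Account suspended

Please verify your account.
"""


def trace_hops(raw):
    """Return (sending_host, receiving_host, timestamp) per hop, first hop first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received header, so the last one is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        clause, stamp = hdr.rsplit(";", 1)   # RFC 5322: the date-time follows the last ';'
        words = clause.split()
        sender = words[words.index("from") + 1]
        receiver = words[words.index("by") + 1]
        hops.append((sender, receiver, parsedate_to_datetime(stamp.strip())))
    return hops


def check_headers(raw, max_gap=timedelta(minutes=30)):
    """Flag the timestamp and first-hop anomalies an examiner records for the report."""
    hops = trace_hops(raw)
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        delta = cur[2] - prev[2]
        if delta < timedelta(0):
            findings.append(f"clock goes backwards between {prev[1]} and {cur[1]}")
        elif delta > max_gap:
            findings.append(f"gap of {delta} between {prev[1]} and {cur[1]}")
    composed = parsedate_to_datetime(email.message_from_string(raw)["Date"])
    if composed > hops[0][2]:
        findings.append("Date header is later than the first-hop Received timestamp")
    if hops[0][0].startswith("["):   # From is sender-controlled; note a bare-IP origin instead
        findings.append(f"first hop {hops[0][0]} is a bare IP, not a named mail server")
    return findings
```

In the constructed message the first hop's clock is ahead of the next server's, which is the kind of inconsistency step 3 tells you to look for.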

---

Chain of Custody

The chain of custody is a documented record of who had access to evidence, when, where, and for what purpose — from the moment of discovery through court presentation. It establishes that evidence has not been tampered with.

Chain of Custody Documentation Requirements:

| Field | What to Record | Purpose | Failure Risk |
|---|---|---|---|
| Evidence identifier | Unique case number + item number | Track specific evidence item | Confusion, misidentification |
| Description | Physical description of device (make, model, serial number, condition) | Prove authenticity | Substitution challenge |
| Date/time of collection | Exact timestamp | Establish timeline | Timeline disputes |
| Location of collection | Physical location where found | Contextual evidence | Relevance challenges |
| Collected by | Name, badge/ID number | Accountability | Collector competence challenge |
| Condition at collection | Powered on/off, damage, visible data | Establish state | Tampering allegations |
| Transfer records | Each person who received/returned evidence | Track possession | Break in chain allegation |
| Storage conditions | Temperature, humidity, anti-static storage | Prevent degradation | Evidence condition challenge |
| Hash values | MD5 and SHA-256 of forensic image | Prove integrity | Alteration allegations |

A break in the chain of custody does NOT automatically make evidence inadmissible — but it significantly weakens it and provides grounds for the defense to challenge it. Courts weigh the cumulative strength of the chain of custody documentation.
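An audit of the transfer-record and hash-value fields above, as an added example that is not part of the Siksha Sarovar notes. The image bytes, custodians and times are constructed placeholders; the audit reports every unaccounted gap between a release and the next receipt, and every receipt whose verified SHA-256 differs from the acquisition hash.

```python
import hashlib
from datetime import datetime

# Constructed stand-in for a forensic image file; a real audit hashes the image on disk.
IMAGE_BYTES = b"\x00" * 4096 + b"constructed sample image"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


ACQUISITION_HASH = sha256_hex(IMAGE_BYTES)   # hash recorded at the moment of imaging

# Constructed custody log: one record per custodian with the hash they verified on receipt.
# released=None marks the current holder. The last record simulates two defects: a
# 45-minute unaccounted gap and a hash that no longer matches the acquisition hash.
CUSTODY_LOG = [
    {"custodian": "Collecting officer (badge 1042, placeholder)",
     "received": datetime(2024, 1, 15, 10, 0), "released": datetime(2024, 1, 15, 12, 30),
     "sha256": ACQUISITION_HASH},
    {"custodian": "Evidence locker A",
     "received": datetime(2024, 1, 15, 12, 30), "released": datetime(2024, 1, 17, 9, 0),
     "sha256": ACQUISITION_HASH},
    {"custodian": "Lab analyst (ID 2077, placeholder)",
     "received": datetime(2024, 1, 17, 9, 45), "released": None,
     "sha256": sha256_hex(IMAGE_BYTES + b"\x01")},
]


def audit_chain(log, acquisition_hash):
    """Return the defects the defence could raise: custody gaps/overlaps and hash changes."""
    findings = []
    for i, rec in enumerate(log):
        if i:
            prev = log[i - 1]
            if prev["released"] is None:
                findings.append(f"{prev['custodian']} never logged a release")
            elif rec["received"] != prev["released"]:
                gap = rec["received"] - prev["released"]
                findings.append(f"unaccounted {gap} between {prev['custodian']} and {rec['custodian']}")
        if rec["sha256"] != acquisition_hash:
            findings.append(f"hash mismatch on receipt by {rec['custodian']}")
    return findings


def chain_is_intact(log, acquisition_hash):
    return not audit_chain(log, acquisition_hash)
```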

Exam Tip: RFC 2822 defines the format of email messages. In forensics, the Received headers in an email are the most important — they trace the path from sender to recipient, with each mail server adding its own timestamped header. Read Received headers bottom to top to trace the message's path from origin. The "From" field can be easily forged; Received headers are more reliable.

---

Study Deep: Evidence Handling and RFC 2822

  1. Write blockers are essential: When acquiring disk images, a hardware write blocker (Tableau, WiebeTech) physically prevents the forensic computer from writing anything to the evidence drive. Software write blockers (WinHex, FTK Imager settings) can be bypassed by OS activity. Courts strongly prefer hardware write blockers. Without write blocking, accessing the drive can modify timestamps (accessed time), potentially invalidating the evidence.
  2. Email header forgery is trivially easy but detectable: The "From" and "Reply-To" fields in an email can be set to anything by the sender — anyone can send an email appearing to come from ceo@company.com. However, the Received headers are added by intermediate mail servers and cannot be easily forged (unless the attacker controls those servers). DKIM cryptographic signatures on headers provide tamper detection. SPF records identify authorized sending IPs.
  3. Time synchronization is critical in forensics: Digital forensics relies heavily on timestamps to reconstruct event timelines. However, computer clocks can be wrong — intentionally (anti-forensics) or accidentally. Investigators must: compare the system clock to NTP server logs, account for timezone offsets, and correlate multiple independent timestamp sources (firewall logs, email headers, authentication logs) to establish reliable timelines.
  4. Mobile device forensics requires immediate isolation: Modern smartphones auto-erase data after failed unlock attempts (iOS), sync deletions to the cloud, and can be remotely wiped. First response procedures: immediately place the device in airplane mode or a Faraday bag (RF-shielding bag) to prevent remote wipe commands. Keep the phone charged. Use Cellebrite UFED or Oxygen Forensics for extraction.
  5. Metadata is often more valuable than content: A document's metadata (author, creation date, modification history, GPS coordinates in photos) can be more forensically valuable than the document content itself. Office documents retain revision history. Images (especially from smartphones) embed GPS coordinates in EXIF data. This metadata has led to criminal convictions when suspects forgot to strip it.