The cyber Sherlocks

Lost money to an online scam? Blackmailed with morphed images? DH journalist Nina C George visits the Cyber Research Unit in Bengaluru where digital trails of such crimes are hotly pursued
Nina C George
Police officers at a training session at Cyber Research Unit inside the Criminal Investigation Department headquarters on Palace Road in Bengaluru.

Credit: Special Arrangement

Swetha (name changed) got the shock of her life when she received an obscene photo of herself on WhatsApp. It was a morphed image, she soon figured out.


A stranger had modified a photo she had posted on social media. Swetha deleted the image right away, triggering a series of blackmailing messages from that stranger. Meet him or he would leak the photo online, he wrote.

An educationist living in Bengaluru, Swetha knew better. She rushed to file a police complaint. The police had two challenges. The man’s messages were suggestive, not explicit. And Swetha had deleted the morphed photo, which could have served as clinching evidence. The police tracked down the man, using his messaging trail, and summoned him. But they found no evidence on his device.

That was when the case was referred to the Cyber Research Unit, a part of the Criminal Investigation Department (CID) of Karnataka. Specialists there looked at the phones of the complainant and the accused. It took some time, but they retrieved the morphed image from the accused’s phone, along with the date and time when it was sent. A charge sheet followed and the trial is on. This was in July 2023.

The police in Karnataka, like their counterparts elsewhere, have been able to shatter the myth that the cyberworld provides complete anonymity. The long arm of the law can catch up with online criminals.

Upskilling centre

This specialist unit I am visiting is located at the CID headquarters on Palace Road, Bengaluru, inside the Centre for Cybercrime Investigation Training and Research (CCITR). The centre is a PPP (public-private-partnership) initiative, involving the CID, Infosys Foundation, and Data Security Council of India (DSCI).

Since its inception in 2019, the centre has trained 40,000-odd policemen, prosecution lawyers, judicial officers, and personnel from the armed forces. 

However, police officers are compulsorily put through two levels of training to equip them to handle digital evidence. Younger officials, working for 10 to 15 years, are tech-savvy and pick up skills fast. The older officials take longer.

CCITR does not investigate cases. “It only helps in training and capacity building. It also provides technical support to officers of the CID and CEN police stations,” says M A Saleem, director general of police, CID, economic offences and special units.

Cybercrimes are an unintended consequence of the digital age. They transcend geographic boundaries and exploit lacunae in networks, posing big challenges to the police.

Saleem says, “Investigation officers, prosecutors and members of the judiciary need to be trained in handling complex digital gadgets, collecting and appreciating the evidence, and making a foolproof case against criminals.” He refers to them as “the three stakeholders of the criminal justice system”.

CCITR develops standard operating procedures (SOPs) for cybercrime investigations. “It has carried out research and published papers to bring the police up to speed with contemporary technological challenges,” he says.

Robust proof 

I sat down with a senior investigation officer of the CID to understand how digital evidence is gathered and why it has become the most critical part of an investigation.

The first step is to seal the digital device after it is seized. Then, a court’s permission is sought to take a mirror image of the device, which is then sent to the Cyber Research Unit.

That is when digital forensic tools come into the picture. “They help in gathering quality and reliable evidence. Earlier, we were solely dependent on witness statements and material evidence, but now we have technology to corroborate the evidence. Crime today has more digital than physical elements,” he explains. Evidence has to be robust, so strong that “it cannot be countered”.

Most of the evidence gathered is sent to the Forensic Science Laboratory for expert opinion, but before that, digital forensic tools assist the investigators to understand the crime better.

As soon as a device is seized from a house, office or person, the investigators work on determining whether it is related to the suspect. “The next step is to connect the data in the phone or on emails to the suspect,” he says.

Digital forensic tools help investigators confirm or dismiss their hunches. “The authenticity and integrity of data gathered with the help of digital forensic tools cannot be changed. Yes, the witness statements still count as evidence but witnesses can be bought. Also, they may lose their memory, or some bias may set in. But digital evidence is cogent, unless someone tampers with it. If there is CCTV footage and you establish its authenticity, it is a better piece of evidence than anything else,” Saleem says.

The conviction rate is better in cybercrime cases for this very reason. “Also, cases involving criminals within the country are much easier to detect than those outside,” he adds.

Tools at a glance

So what exactly are these digital forensic tools? The officers won’t reveal all of them, and understandably so. But they do talk about some.

The FTK Imager, for instance, allows investigators to create forensic images of hard drives and removable storage devices. This helps the police create a clone of the original hard drive, which they can then use to garner information without changing anything in the original drive.

The FTK Imager also allows investigators to create forensic images of hard drives and removable storage devices.

Credit: Special Arrangement.

Another tool called Magnet helps streamline the acquisition of electronic evidence from various sources, such as computers, smartphones and the cloud. This is used to gather evidence from social media posts and phone chats, and can yield clinching evidence.

A tool called Cellebrite UFED4PC is used to extract and interpret data from mobile devices, SIM cards and memory cards.

Blackmail case

In 2023, a woman alleged that a man she was in a relationship with was blackmailing her, using videos of their intimate moments.

By the time the police confronted the suspect, he had deleted the videos. But using the ‘Carving method’, which helps in finding hidden or deleted files from digital media, the investigators recovered data from the suspect’s phone. The data shed light on his criminal intentions and helped the police build a strong case.

Investigators often retrieve ‘metadata’ labelled as “deleted”. Metadata provides details like the date and time when a file was created and modified. It also indicates what devices and software programs were used.

The same year, an online portal was misused, and confidential data stolen. Investigating officers could not find any physical evidence to connect it to the prime accused.

“But we found a copy of a document related to the portal on his phone and also in his cloud account. That became the deciding factor in locking him up,” an officer reveals.

In a famous case a few years ago, a top-ranking cop lost Rs 2 lakh in seconds. This, after he clicked one of the several links sent to him by a man claiming to be a bank executive.

“The bank would have reimbursed the amount, but the officer wanted us to track down the cybercriminal,” an investigating officer recalls.

The investigation led the police first to a dummy phone number and later to several bank accounts in Punjab to which the top cop’s money was transferred. The money was finally remitted to a certain portal in exchange for gift vouchers.

“We tracked down the culprit in Pune. He was a 21-year-old engineering student. He had committed similar frauds in Madhya Pradesh as well. A chargesheet was filed. The trial is still on,” says the officer.

The ability to use these tools helps fast-track preliminary investigations. Police can find out the authenticity of an image, and also detect whether it is doctored. Such interventions help extensively when financial frauds are investigated.

Damaged devices

I am ushered into an area where tech experts from DSCI are trying to retrieve data from a badly damaged phone. The job is tough but not impossible, says an officer from DSCI.

“The chip in any damaged device may still contain the evidence. It can be removed when we heat it carefully with a special tool. The cardinal rule is never to directly work on the original device because chances of the evidence getting destroyed are high. We make a forensic copy of the device, using a write blocker tool, which prevents intentional or unintentional over-writing on the original device,” he says.

A write blocker tool is used when making a forensic copy of the device; it prevents intentional or unintentional over-writing on the original device.

Credit: Special Arrangement.

The job is to recover the evidence as accurately as possible so that it is admissible in court. In other words, it should be “forensically sound”.

Workstation scenes

The Forensic Workstation, a large hall, is equipped with high performance computers, built especially for forensic investigation. A single computer here can generate 33,500 combinations of passwords in a second. “Imagine how many variations it can show in a minute,” an officer says.

The police use both commercially available and open-source forensic tools. But technology moves fast. Phone manufacturers, for example, keep upgrading their software to strengthen data security. While that is good, it can hinder investigation.

Let’s say a crime was committed using a phone three years ago, and the police are able to locate the device only today. Chances are high that the updated software now prevents access to a chat or media history from three years ago.

Extracting data from devices with many layers of built-in privacy is almost impossible, multiple experts tell me. In such cases, they scout for alternative methods. In cases of financial fraud, physical evidence, such as bank statements and KYC statements, also serves as strong evidence.

Hiding corners

The dark web is the most formidable challenge before cyber sleuths today. It is a secret network of websites hidden from the general public. It lets people hide their identity and location from other Internet users and law enforcers.

The opposite of the dark web is the surface web, which is what most of us use. 

Global transactions of illegal goods like drugs and firearms are rampant on the dark web, and criminals are innovating almost every day, say investigators. “Most illegal businesses are closed immediately after they receive payments using non-KYC compliant crypto wallets,” an officer tells me.

Evolving crime methods keep the police on their toes. An officer shares how an investigation can play out when the police go after drug traffickers on the dark web: “We look for illegal traders from the name or code they use on the dark web and the surface web. We also look for texting patterns if different time zones are involved. This gives us an idea about their possible location. Sometimes, people sign off with things like a colon and a cheer (like an emoticon) and that can serve as a lead too. But we can trace the criminals in this line only when a courier is involved, shipped and delivered.”

Why rigorous training  

At CCITR, the training is also aimed at combating tools that conceal data and thwart investigations.

Free and open-source anti-forensic tools are enabling cybercriminals to hide their location, erase data, obscure their communication, alter the appearance of their files, and delete activity logs.

An officer, who has cracked many financial frauds, says, “We constantly look for new methods to combat anti-forensic tools. The technology and tools vary, depending on the case and modus operandi adopted by the criminals.”

(Published 26 October 2024, 05:04 IST)