
Digital Forensic Examination of Counterfeit Documents

Abstract
With the advancement of technology, the shift from manual documentation to digital or e-documentation has led to easier and more effective solutions in terms of time, accuracy and professionalism.

In today’s market a variety of document processing software is available for editing or creating documents. One of its most dangerous aspects is the manipulation or imitation of original documents.

In this context, digital forensic science provides many tools for examining whether documents have been forged or counterfeited.

Digital forensics is the need of today’s documentation world and is based on three model techniques:

1. Image processing based detection
2. Video processing based detection
3. Spectroscopy based detection

These model techniques are used to counter present problems concerning the originality of documents and to make them more secure and trustworthy.

The field of digital forensics is technically new, but its history is complex and chronologically short.

“In reviewing the history of digital forensics, I realized that there were some critical elements that combined to create the discipline. In my view these are: people, targets, tools, organizations and the community as a whole. I make no assertions that they constitute the totality of the history, but they are key vectors that help capture the essential elements of the history”.1

So, we can say that digital forensics is not today’s topic but an essence of history.

Keywords: forensics, detection, documentation, counterfeit

1 Mark Palliot, Advancement in Digital Forensics 4 (Chapter 1, History of Digital Forensics)

1. INTRODUCTION
Digital forensics is a new branch of forensics in the field of storing documents. The term digital forensics is used as a synonym for computer forensics.

It usually focuses on identifying, acquiring, processing, analysing, and reporting on electronically stored data, which can later be used as evidence or proof in court against criminal activities. The main goal of digital forensics is to extract data from the electronic evidence, process it into actionable intelligence and present the findings for prosecution. All processes utilize sound forensic techniques to ensure the findings are admissible in court.

Digital forensics works with electronically stored documents, which are its key component and can be collected from smartphones, remote storage, unmanned aerial systems, shipborne equipment, and more.2

In many criminal cases, digital evidence such as chats and voice recordings has been used extensively in court proceedings. Nowadays every court is advanced and accepts electronic evidence. Hence, the role of digital forensics is elevated, and it is a key factor in any proceeding irrespective of the nature of the case.

1.1 RESEARCH PROBLEMS

Artificial Intelligence and Cyber law are two concepts that are very generic and are only the tip of the iceberg; if they are researched and studied in depth, there is a lot more to them than there seems to be. The research problem for this paper is that, when a thorough study was done on these two topics, they did not connect to just one entity but to many, be it criminal or civil jurisprudence; morals can be found there as well. There is indeed a rift between the two, but the rift is difficult to understand, so this research paper will look into it and also at instances where there is intersectionality as well as a rift.

2 Digital Forensics, available at: https://www.interpol.int/en/How-we-work/Innovation/Digital-forensics#:~:text=Digital%20forensics%20is%20a%20branch,crucial%20for%20law%20enforcement%20investigations. (Last visited on 10 March).

1.2 SCOPE OF STUDY

This research paper conveys digital forensics and its methodology. It holds manual information, data from government agencies, etc. The digital forensics data used in this research paper is derived from government websites, books, journals, etc. Hence, all the data is extracted from reliable sources.

1.3 OBJECTIVE OF STUDY

The objectives of this research paper are as follows:

(i) To understand the wider concept of AI and digital forensics.
(ii) To analyse the intersectionality and the rifts present in them.
(iii) To critically analyse data forensics and its dangers.

1.4 QUESTIONS ASKED

a) What is the need for digital forensics?
b) What are the steps of E-Forensics?

1.5 HYPOTHESIS

The concept of AI and digital forensics has recently been trending in the cyber world. Digital forensics is the collecting, identifying, preservation and reporting of evidence which is later used in proceedings. This research paper holds all the elements of the topic.

1.6 RESEARCH METHODOLOGY

In this research paper a descriptive and critical analysis method is followed throughout.
The study is based on both primary and secondary data. The primary data are the Statutes, Cases and Books, while the secondary data or sources, namely articles, blogs, websites and journals, have been referred to in forming this paper. All these data have been used to understand the background of the paper and are also part of the formation of the research questions. These data or sources have helped the paper in understanding the current scenario in society with respect to the research topic and helped in the in-depth study for this research paper. This study is basically one of existing scenarios and the laws made; hence no field study has been done.

2. DEFINING DIGITAL RISKS 3
As sectors move towards technology and cyber services, they become more prone to cyber attacks. These risks can be broken down into:
(i) CYBER-SECURITY RISKS: An attack by unknown strangers with malicious intent to cause loss to other persons, irrespective of its nature.
(ii) COMPLIANCE RISKS: A risk posed to an organisation by the use of technology in a regulated environment. For example, technology can violate digital privacy standards or might not have security controls over the systems of the required standard.
(iii) THIRD-PARTY RISKS: Risks associated with outsourcing to third-party vendors or service providers. For example, vulnerabilities involving intellectual property, data, operational, financial, customer information, or other sensitive information shared with third parties.
(iv) IDENTITY RISKS: Attacks aimed at stealing credentials or taking over accounts. These types of risks can affect an organisation’s own user accounts, or those it manages on behalf of its customers.

3. STEPS OF DIGITAL FORENSICS

There are 7 major steps in digital forensics:

1. IDENTIFICATION AND COLLECTION: This is the initial stage of digital forensics, in which the source is analysed and the subject matter of a criminal nature is identified; collection is the duplicating of the scene and the gathering of sufficient evidence.
For example: pornographic content related to child rape, or other activity of a criminal nature, is identified on an electronic device. This object or source, once presented in court, can be evidence.
Other examples are e-crimes like credit card scams, e-mail phishing, etc.

Another example is that “a floppy disk led investigators to the BTK serial killer who had eluded police capture since 1974 and claimed the lives of at least 10 victims.” 4

3 Risks of digital data, available at: https://www.bluevoyant.com/knowledge-center/understanding-digital-forensics-process-techniques-and-tools#:~:text=It%20helps%20reduce%20the%20scope,contain%2C%20and%20recover%20from%20attacks. (Last visited on 10 March).
4 Digital evidence and forensics, available at: https://nij.ojp.gov/digital-evidence-and-forensics#:~:text=Digital%20evidence%20is%20information%20stored,pornography%20or%20credit%20card%20fraud. (Last visited on 10 March)

The identification and collection of e-evidence requires training officers to collect digital evidence and to keep up with rapidly evolving technologies such as computer operating systems, so that the investigation agencies can extract the essential elements of the information contained in the systems.

The identifier makes three lists: first, the items or digital evidence within the scope of the warrant; second, e-evidence that seems to be outside the scope of the warrant but can be clubbed with it; and third, items that are not of a criminal nature. For example, while searching the system for evidence of tax fraud, the identifier accidentally finds drug or other narcotic-related illegal activity on the system. Though this second evidence is beyond the scope of the warrant’s search, it can be clubbed with it and expand the reach of the warrant. Examiners should inform the requester of their preliminary findings at this point in the process.

2. PREPARATION: This part is important, as the further process depends on it. It covers the making of the warrant, preparing tools, monitoring the accused’s system and maintaining a support system.

3. PRESERVATION: After the identification and collection of digital evidence, correct preservation is required to avoid its leak if it is confidential, its deletion, or its theft. Preservation focuses on safeguarding relevant electronically stored information (ESI) by capturing and preserving the crime scene, documenting relevant information such as visual images, and how it was obtained.
Some of the key precautions that must be taken to avoid the preserved data being misused or stolen are: 5
(i) DRIVE IMAGING: Before analysing the secured evidence, the first priority is to image it. Imaging a drive is a forensic process in which an analyst creates a bit-by-bit duplicate of the drive. This bit-by-bit copy serves as a backup source of the evidence: if the original evidence is destroyed, a fault occurs, or the original becomes void, the duplicate copy will be used as the original evidence.

5 Simplilearn, available at: https://www.simplilearn.com/what-is-digital-forensics-article.

(ii) CHAIN OF CUSTODY: As the forensic agent extracts the data from the client and transfers it, they should document all the steps conducted during the transfer of media and evidence on Chain of Custody (CoC) forms and capture signatures, date, and time upon the media handoff.

(iii) HASH VALUES: E-evidence requires hash values such as MD5, SHA1, etc., which are essential for the analysis of the evidence. Hash values are used to verify the authenticity and integrity of the image as an exact replica of the original media, and they are very important in court on submission of the electronic evidence, as changing even a single bit of the data destroys the pre-existing hash value and creates a new one.
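
The drive imaging, chain-of-custody and hash-value precautions above, shown together as an added Python example (not part of the original paper). The in-memory "drive", item ID and party names are constructed; SHA-256 is recorded alongside the MD5 and SHA-1 named in the text as an assumption of this example, because MD5 and SHA-1 are no longer collision-resistant.

```python
import hashlib
import hmac
import io
from datetime import datetime, timezone

# MD5 and SHA-1 are named in the text; SHA-256 is an addition of this example.
ALGORITHMS = ("md5", "sha1", "sha256")


def image_and_hash(source, destination, chunk_size=1 << 20):
    """Bit-by-bit copy of source into destination, hashing exactly the bytes read."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: source.read(chunk_size), b""):
        destination.write(block)
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image, recorded, chunk_size=1 << 20):
    """Re-hash an image; return the algorithms whose digest no longer matches."""
    hashers = {name: hashlib.new(name) for name in recorded}
    for block in iter(lambda: image.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return [name for name, h in hashers.items()
            if not hmac.compare_digest(h.hexdigest(), recorded[name])]


def custody_entry(item_id, action, released_by, received_by, hashes):
    """One chain-of-custody record: what was handed to whom, when, with which hashes."""
    return {
        "item_id": item_id,
        "action": action,
        "released_by": released_by,
        "received_by": received_by,
        "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": dict(hashes),
    }


def demo():
    # Constructed sample standing in for a seized drive (not real evidence).
    original = bytes(range(256)) * 4096  # 1 MiB of patterned data
    image = io.BytesIO()
    recorded = image_and_hash(io.BytesIO(original), image, chunk_size=64 * 1024)
    # Hypothetical item ID and parties for the handoff record.
    log = [custody_entry("ITEM-001", "imaged", "Examiner A", "Evidence locker", recorded)]
    intact = verify_image(io.BytesIO(image.getvalue()), recorded)
    altered_copy = bytearray(image.getvalue())
    altered_copy[123456] ^= 0x01  # a single changed bit in the copy
    altered = verify_image(io.BytesIO(bytes(altered_copy)), recorded)
    return recorded, log, intact, altered


if __name__ == "__main__":
    recorded, log, intact, altered = demo()
    print(log[0])
    print("intact copy, mismatching digests:", intact)
    print("altered copy, mismatching digests:", altered)
```

The digests are computed on the bytes as they are read during imaging, so the values written on the custody record describe the source at acquisition time; every later handoff can re-run `verify_image` against that record.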

4. ANALYSING THE E-ASSET: In most cases this is the most crucial point for the proceedings, as the cases need to be filed according to the analysis of the evidence, its nature, its type, etc. For example: if the sole case was the investigation of tax fraud and the evidence is being extracted for that, but an additional piece of information regarding narcotic-related elements is also found on the system, then this additional information is also analysed and the investigation expands its reach. The analysis of this digital evidence is carried out in cyber labs under the state government or central government. These labs are equipped with the latest analysing tools.

Some useful tools for the analysis of e-evidence are: 6

(i) Winex, Zeroview, Wingrep, Hurricane editor, Evidor, Sniget

5. DOCUMENTATION: These are tried-and-true procedures for documenting the analysis’s conclusions, and they must allow other competent examiners to read through and duplicate the results. Investigators should document carefully all evidence that they collect, in writing and in reports, but preferably also by recording it using electronic and automated methods. Traditionally, evidence was recorded by hand, in notebooks, and only later was some of that information reduced to typed police reports. The ideal method of documenting evidence concerning live events is with audio and video recording. The recording of evidence—including during interviews, interrogations, and police encounters—is increasingly ubiquitous.

6 Ermprotect, available at: https://ermprotect.com/blog/what-are-the-5-stages-of-a-digital-forensics-investigation/.

6. PRESENTATION: Once the investigation is complete, the findings are presented to a court or to the committee or group that will determine the outcome of a lawsuit or an internal complaint. Digital forensics investigators can act as expert witnesses, summarizing and presenting the evidence they discovered, and disclosing their findings.

7. RETURNING OF EVIDENCE: Ensuring the return of evidence (either physical or digital). This step is not as important as the other steps, but returning the evidence is also the responsibility of the agency.

4. SEIZURE AND ADMISSIBILITY OF DIGITAL EVIDENCE 7

4.1 Seizure
What are the measures of seizure of data?
The measures of data seizure are:
1. Enumerated list of data, devices and associated media
2. Chain-of-Custody
3. Verified data extraction of logical and physical evidence – Hash and authoritative
4. Administrative records
5. The collection team may or may not perform further forensics processes, i.e. Examination – Analysis – Reporting.

4.2 Admissibility

Any documentary evidence by way of an ‘electronic record’ under the Indian Evidence Act, in view of Sec. 59 and 65A, can be proved only in accordance with the procedure prescribed under Sec. 65.

Sec. 59 provides that all facts, except the contents of documents or ‘electronic records’, may be proved by oral evidence.
Production of an ‘electronic record’ as evidence in court can only be under Sec. 65A and Sec. 65B of the Evidence Act.

7 National Judicial Academy, Manual (pg 4).

PROTOCOLS FOR E-EVIDENCE COLLECTION

• Digital Evidence Assessment (in India) 8

In this phase, courts determine whether the appropriate legal authorization was used to search and seize information and communication technology (ICT) and related data. The types of legal authorization include a search warrant, court order, or subpoena. The legal order required to obtain ICT and ICT-related data varies by jurisdiction and is determined by national laws.
In India, DEA is governed within the scope of the Indian Evidence Act, under which the assessment of the evidence taken is recognised and provisions are made for it. The courts accept and treat it with equal sight.

• Digital Evidence Consideration 9

In this phase, an assessment is made as to the integrity of digital evidence by examining the digital forensics procedures and tools used to obtain the evidence, and the competence and qualifications of the digital forensics experts who acquired, preserved, and analysed the digital evidence.
This evaluation seeks to determine whether scientific principles were used to preserve, acquire, and analyse digital evidence, and whether standards were met to handle and examine digital evidence (e.g., whether digital forensics tools were validated, up-to-date, properly maintained, and tested before their use, to ensure their proper functioning).
Digital forensics experts provide testimony in court to explain their qualifications; how digital devices, online platforms and other ICT-related sources work; the digital forensics process; why a specific digital forensics tool was used and not others; how digital evidence was preserved, acquired, and analysed; the interpretation and findings of the analyses performed, and the accuracy of these interpretations; and any alterations that may have occurred to the data and why these alterations occurred.

8 Module 6: Practical Aspects of Cybercrime Investigations and Digital Forensics, available at: https://www.unodc.org/e4j/en/cybercrime/module-6/key-issues/digital-evidence-admissibility.html. (Last visited on 10 March)
9 Supra

• Digital Evidence Determination 10

In this phase, the authenticity, integrity, and reliability of digital evidence are assessed based on the outcomes of the assessment of the digital forensics process conducted in the previous phase (i.e., the digital evidence consideration phase), such as the use of forensically sound methods and tools to obtain digital evidence and the testimony of expert witnesses and digital forensics analysts to corroborate the authenticity, integrity, and reliability of this evidence. Digital evidence is admissible if it establishes a fact of matter asserted in the case, it remained unaltered during the digital forensics process, and the results of the examination are valid, reliable, and peer reviewed.

Ultimately, this three-phase model consolidates common legal and technical requirements for evidence admissibility across jurisdictions.

5. THE ADVANTAGES AND DISADVANTAGES OF THE MODEL EXPLAINED

No model is complete without its advantages and disadvantages.
The advantages of the digital evidence model are: 11
(i) Creates a consistent and standardized framework for digital forensic development.
(ii) Mechanism for applying the same framework to future digital technologies.
(iii) Generalized methodology that judicial members can use to relate technology to non-technical observers.
(iv) Identifies the need for specific technology-dependent tools while providing insight from previously defined tools of the same category.
(v) Potential for incorporating non-digital, electronic technologies within the abstraction.

10 Supra
11 International Journal of Digital Evidence (pg 4, volume 1, issue 3)

The disadvantages of digital evidence are:

(i) Categories may be defined as too general for practical use.
(ii) No easy or obvious method for testing the model.
(iii) The method is based heavily on the chain of custody, and on failing to maintain the chain of custody the entire model seems to fail.

6. WHERE DOES DIGITAL EVIDENCE NEED TO BE ADMISSIBLE?

Digital evidence is used in investigations and legal proceedings in the following cases:
(i) Data theft and network breaches: E-evidence is used to understand how a breach happened and who the attackers were.

(ii) Online fraud and e-theft: Digital forensics is used to understand the impact of a breach on organisations and their customers.

(iii) White collar crimes: Digital forensics is used to collect evidence that can help identify and prosecute crimes like online fraud, corporate fraud, etc.

(iv) Violent crimes like burglary, assault and murder: Evidence is captured from mobile phones, cars and other devices.

7. CONCLUSION

Every day millions of people worldwide are victims of cyber fraud. As the world shifts towards technology and software changes, users become tech savvy. Crimes that took place in the offline world nowadays take place in the cyber world, like credit card crimes, child pornography, human trafficking, etc.
The steps or methodology are applicable to all digital crimes and crimes related to the internet. The important part of digital forensics is the analysis of cyber attacks with the objective of identifying, mitigating, and eradicating cyber threats.
