Digital Evidence — Chain of Custody & Forensic Standards
Step-by-step protocols for law enforcement agencies to collect, preserve, and present digital evidence in OCWC cases for court admissibility under BSA Section 63.
🔗 Chain of Custody Workflow
🚨 Phase A — Immediate Steps (First 48 Hours)
Critical actions that must be taken immediately upon receiving a complaint or identifying an offence:
Secure Victim's Devices
Secure and preserve all devices in the victim's possession. Do NOT allow factory reset or deletion. Isolate devices from network connectivity (airplane mode) to prevent remote wipe.
Screenshot & Screen Record
Take screenshots and screen recordings of all offending content before it is taken down. Capture URLs, timestamps, account handles, usernames, and platform identifiers.
Preserve Metadata
Preserve metadata of all messages, images, and emails. Do not forward without noting timestamps. Document EXIF data, IP addresses, geolocation tags, and file creation/modification timestamps.
Send Platform Preservation Request
Immediately send preservation requests to relevant platforms (Google, Meta, X/Twitter, Instagram, etc.) via their abuse/LEA portals. Platforms typically preserve data for 90 days upon valid request.
Issue BNSS Production Order
Issue BNSS production order to ISPs/intermediaries for IP logs, subscriber details, and record preservation. Include FIR reference, legal provisions, exact URLs/account IDs, and officer contact.
Contact CERT-In (if applicable)
For critical infrastructure involvement or cross-border hosting, contact CERT-In for technical assistance and coordination.
🔍 Phase B — Investigation Phase
Court Orders for Interception
Obtain court order for interception/monitoring under Sec. 69 IT Act if real-time tracking is needed.
Platform Traceability Data
Issue notice to intermediary platforms under Sec. 79 IT Act for traceability data. Use official government/LEA domain email for all formal requests.
CSEAM Coordination
For CSEAM cases, coordinate with NCMEC CyberTipline — the fastest route for takedown on US-based platforms. Reports are routed through NCIB/I4C channels.
Seize Physical Evidence
Seize server logs, CCTV footage, and access records from cyber cafés or shared networks. Identify and secure all suspect digital devices — phones, laptops, hard drives, pen drives, SD cards.
Forensic Imaging & BSA Certificate
Prepare device seizure memo. Create forensic images using write-blockers. Compute hash values (MD5/SHA-256) at time of seizure. Obtain BSA Section 63 certificate at the earliest stage.
🔬 Digital Evidence Collection & Forensic Standards
Device Seizure Protocol
Seize in the presence of two independent witnesses. Document device state (on/off, screen content). Photograph the device and its surroundings. Use anti-static bags for storage. Never press power button if device is off. Use Faraday bags for mobile devices to prevent remote wipe.
Forensic Imaging
Always use write-blockers before connecting storage devices. Create bit-for-bit forensic image (not a file copy). Compute hash values (MD5 + SHA-256) of original and image. Verify hash match. Store image on separate forensically clean media. Document the entire process.
BSA Section 63 Certificate
The certificate must: identify the electronic record, explain how it was produced, confirm device/system details, and be completed by the responsible person or an expert. Obtain at the earliest stage — preferably from the platform, service provider, FSL, or person operating the device.
Hash Value Documentation
Compute hash values at every stage: seizure, imaging, before analysis, after analysis. Any change in hash value indicates tampering. Use both MD5 and SHA-256. Record hash values in seizure memo, case diary, and chargesheet. Hash values are the integrity backbone of digital evidence.
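The stage-by-stage hashing described above, as an added Python example (not part of the original protocol): it reads the evidence once, computes MD5 and SHA-256 together, appends one record per stage, and reports any stage whose digests differ from the first recorded stage. The exhibit ID, officer label, record field names and the in-memory bytes standing in for a drive image are constructed assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

# Stages named in the protocol text; other names are rejected.
STAGES = ("seizure", "imaging", "before-analysis", "after-analysis")

def dual_hash(stream, chunk_size=1 << 20):
    """Read the stream once, in chunks, and return (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def record_stage(log, exhibit_id, stage, stream, officer):
    """Hash the evidence and append one custody-log entry for this stage."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage}")
    md5_hex, sha256_hex = dual_hash(stream)
    entry = {
        "exhibit_id": exhibit_id, "stage": stage, "officer": officer,
        "utc_time": datetime.now(timezone.utc).isoformat(),
        "md5": md5_hex, "sha256": sha256_hex,
    }
    log.append(entry)
    return entry

def find_mismatches(log):
    """Return (exhibit_id, stage) for entries whose digests differ from the
    first entry recorded for that exhibit (the seizure baseline)."""
    baseline, mismatches = {}, []
    for e in log:
        digests = (e["md5"], e["sha256"])
        if baseline.setdefault(e["exhibit_id"], digests) != digests:
            mismatches.append((e["exhibit_id"], e["stage"]))
    return mismatches

def demo():
    # Constructed sample: in-memory bytes stand in for a seized drive image.
    original = b"constructed sample image " * 4096
    altered = original[:-1] + b"X"  # one byte changed after imaging
    log = []
    record_stage(log, "EXH-01", "seizure", io.BytesIO(original), "IO (hypothetical)")
    record_stage(log, "EXH-01", "imaging", io.BytesIO(original), "IO (hypothetical)")
    record_stage(log, "EXH-01", "after-analysis", io.BytesIO(altered), "IO (hypothetical)")
    return find_mismatches(log)

if __name__ == "__main__":
    print(demo())
```

For a real image, pass a file opened in binary mode (`open(path, "rb")`) from behind the write-blocker in place of the `io.BytesIO` object.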
Evidence Storage & Transfer
Store in locked, access-controlled evidence room. Maintain temperature and humidity controls. Log every access with time, person, and purpose. Use tamper-evident seals. When transferring, maintain continuous documentation of custodianship.
Court Presentation
Present original device with seizure memo. Provide forensic image with matching hash values. Include BSA Sec. 63 certificate. Attach FSL/forensic expert report. Document complete chain of custody from seizure to courtroom.
🏠 Raid Scene Protocol (Without Cyber Expert)
Field officers may encounter digital evidence during raids without a cyber forensic expert. Follow these guidelines:
Secure the Scene
Prevent anyone from touching, moving, or interacting with any electronic device. Photograph the entire scene from multiple angles. Note which devices are on/off.
Document Before Touching
Photograph each device's screen if it's on. Note open applications, browser tabs, and chat windows. Record serial numbers, make, and model visible on the device.
Isolate from Networks
Enable airplane mode on phones (without unlocking if possible). Disconnect ethernet cables. Turn off Wi-Fi routers. Use Faraday bags if available.
Seize with Witnesses
Prepare detailed seizure panchnama. Include two independent witnesses. List every device with description, serial number, condition, and where it was found. Seal in tamper-evident packaging.
📄 Preparation of a Fool-Proof Chargesheet
The chargesheet in OCWC cases must be comprehensive and evidence-backed. Ensure the following are included:
- FIR copy with correct sections under IT Act, BNS, POCSO, and other applicable laws
- Victim statement — video-recorded for minors under POCSO Sec. 26
- All digital evidence with complete chain of custody documentation
- BSA Section 63 certificates for each electronic record
- Forensic analysis report from FSL or qualified expert
- Hash values at all stages (seizure, imaging, analysis) with matching verification
- Platform data — IP logs, subscriber details, content preservation records
- CDR (Call Detail Records) / IP address records obtained via BNSS orders
- NCMEC CyberTipline report for CSEAM cases
- Witness statements with panchnama
- Screenshots/recordings of offending content with timestamps and URLs
- Complete device seizure memos with serial numbers and condition reports
- Accused's device examination results
- Communication records: all notices, preservation requests, and responses from platforms
✅ OCWC Investigation Checklist
Quick reference checklist for field officers:
- FIR registered with correct sections; Zero FIR if jurisdiction issue
- SJPU / CWC notified (POCSO cases)
- Victim identity protected — no disclosure in documents
- Victim statement recorded by female officer (if applicable)
- Victim's devices secured and isolated
- Screenshots / screen recordings of offending content taken
- Platform preservation request sent
- BNSS production order issued to ISP/intermediary
- Suspect's devices seized with witnesses
- Forensic hash values computed at seizure
- Forensic imaging of devices (write-blocker used)
- BSA Section 63 certificate obtained
- CDR / IP address records obtained
- BNSS magisterial statement recorded where required
- NCMEC CyberTipline report filed (CSEAM cases)
- Chargesheet filed within prescribed period
- Forensic report annexed to chargesheet
- Victim informed of case progress
🔢 Sections to Invoke — Quick Reference
| Crime Type | IT Act | BNS | Special Act |
|---|---|---|---|
| Cyberstalking | 66C, 66E | Sec. 78 | — |
| NCII / Revenge Porn | 66E, 67A | Sec. 77/351 | — |
| Online Sexual Harassment | 67, 66E | Sec. 75 | — |
| Sextortion | 66D, 67A | Sec. 308/351 | — |
| Morphing | 66D, 67 | Sec. 336/340 | — |
| CSEAM (Production) | 67B | — | Sec. 13, 14 POCSO |
| CSEAM (Storage/Viewing) | 67B | — | Sec. 15 POCSO |
| Online Grooming | 67B | — | Sec. 11, 12 POCSO |
| Online Trafficking | 66D | Sec. 140/141 | ITPA Secs. 4-6 |
| Impersonation / Fake Profile | 66C, 66D | Sec. 318/319 | — |
| Cyberbullying (Minor) | 66, 67 | Sec. 351/352 | JJ Act Sec. 75 |