Thursday, May 31, 2012

IP Address Should Not Be The Sole Criteria For Arrest And Conviction

The Indian Approach to Cyber Forensics has not been very encouraging. Despite many claims and promises, Cyber Forensics in India has still not evolved properly. There are very few Law Enforcement Personnel who are aware of Cyber Law and even fewer are those who know about Cyber Forensics.

The Cyber Forensics Capabilities of India are still evolving. Stakeholders like Police, Lawyers, Judges, etc. are still not comfortable with Cyber Forensics. In the absence of even basic-level Cyber Forensics adoption in India, Cyber Forensics Best Practices have also not evolved in India.

This absence of “Best Practices” and “Cyber Forensics Methodology” in India has resulted in “Improper Use” of Cyber Forensics for Legal, Judicial and Law Enforcement purposes. Even Internet Protocol (IP) Address Tracking has become a mammoth task for Law Enforcement in India.

Tracking of an IP Address is the “First Step” in Cyber Forensics Investigations. However, IP Tracking must be done with great caution and with good application of mind. A casual IP tracking exercise may not only provide wrong results but can also implicate an innocent person.

Take the example of Lakshmana Kailash K, who was kept in an Indian Jail for 50 days because the Internet Service Provider (ISP) made an “Apparent but very Common Mistake” while providing details of the person who used the IP Address from which the Offense was committed. This is the “Casual Approach” that I have discussed earlier and that should be avoided in all cases. Since there were no “Best Practices” adopted by either the ISP or the Police, this resulted in the imprisonment of an innocent Citizen of India.

Lakshmana was released after spending 50 days in jail, three weeks after the Police claimed to have nabbed the "Real Culprits". There is no doubt that this is a clear example of violation of his Fundamental Rights in general and Human Rights in Cyberspace in particular.

Criticising the Police Investigation Methodology and the ISP’s “Misleading Information” that led to his imprisonment, the State Human Rights Commission ordered the ISP to pay Rs 2 lakh to Lakshmana as Damages. However, this award is “Too Little and Too Late” and this amount cannot offset the ordeal that Lakshmana faced. Now the Information Technology Act, 2000 (IT Act 2000) carries Provisions that can allow the “Victim” to claim “Damages and Compensation” to the tune of Crores of Indian Rupees.

In this background, I am of the Opinion that an IP Address should NOT be the “Sole Criterion” for Arrest and Conviction of an accused. An IP address is the “Starting Point” and is at most “Corroboratory Evidence”, but it can never be the “Primary Evidence” on the basis of which a Person can be Arrested and Convicted.

It is the “Forensically Sound Image” of the Hard Disk (preferably a Bit-by-Bit Image), IP Address Details, Browser and Internet Logs, the ISP’s Logs pertaining to the particular Cyber Activity, the MAC Address of the Computer, etc. that are “Collectively Relevant and Conclusive” while establishing the “Guilt” of an accused. Further, the guilt of an accused must be “Proved Beyond Reasonable Doubt”, and Arresting and Convicting an accused on the basis of an IP Address alone is not even close to “Proving” the guilt, let alone Beyond Reasonable Doubt.

It would be a “Dangerous Trend” to Arrest or Detain suspects on the basis of mere “IP Addresses” or “E-Mail Addresses”, as they are very easy to “Spoof and Forge”. Even MAC Addresses can be spoofed in certain circumstances and for many purposes, particularly in Identity Theft cases involving wireless connections.
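To make the point of the two preceding paragraphs concrete, the following is an added example written for this page; it is not the author's, any ISP's or any police tool. It assumes constructed ISP lease records (documentation-range addresses, fictional subscribers, timestamps recorded in IST) and a hypothetical complaint stamped in UTC. It contrasts a casual "whoever ever had this IP" lookup with a lookup bound to the exact instant of the event, and shows two ways the same IP fails to name one person: a timezone mix-up that points at the wrong subscriber, and a shared (NAT) address that covers several subscribers at once. The mistake shown is illustrative only; the page does not say what error the ISP made in the Lakshmana case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Indian Standard Time. Assumption for this example: the ISP's lease log is
# recorded in IST, while the complaint quotes the event time in UTC.
IST = timezone(timedelta(hours=5, minutes=30))


@dataclass(frozen=True)
class Lease:
    """One IP-to-subscriber assignment window from an ISP's DHCP/RADIUS log."""
    ip: str
    subscriber: str
    start: datetime  # timezone-aware
    end: datetime    # timezone-aware, inclusive


def ist(y, m, d, hh, mm):
    """Helper: build a timezone-aware IST timestamp."""
    return datetime(y, m, d, hh, mm, tzinfo=IST)


def utc(y, m, d, hh, mm):
    """Helper: build a timezone-aware UTC timestamp."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample records (not real data).
LEASES = [
    # 203.0.113.45 was handed to two different subscribers on the same day.
    Lease("203.0.113.45", "SUB-A", ist(2012, 5, 30, 8, 0), ist(2012, 5, 30, 20, 0)),
    Lease("203.0.113.45", "SUB-B", ist(2012, 5, 30, 20, 5), ist(2012, 5, 31, 9, 0)),
    # 198.51.100.9 is a shared (carrier-grade NAT) address used by two
    # subscribers during overlapping windows.
    Lease("198.51.100.9", "SUB-D", ist(2012, 5, 30, 18, 0), ist(2012, 5, 31, 2, 0)),
    Lease("198.51.100.9", "SUB-E", ist(2012, 5, 30, 21, 0), ist(2012, 5, 31, 1, 0)),
]


def naive_lookup(ip, leases):
    """The casual approach: the first subscriber ever seen with this IP, time ignored."""
    for lease in leases:
        if lease.ip == ip:
            return lease.subscriber
    return None


def lookup_at(ip, when, leases):
    """Every subscriber whose lease for `ip` covered the instant `when`.

    `when` must be timezone-aware, so a UTC complaint time is never silently
    compared against IST log entries as if they were on the same clock.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("event timestamp must carry a timezone")
    return sorted({l.subscriber for l in leases
                   if l.ip == ip and l.start <= when <= l.end})


def attribution_report(ip, when, leases):
    """Summarise what the ISP record can, and cannot, say about one event."""
    hits = lookup_at(ip, when, leases)
    if not hits:
        verdict = "no_match"          # log gap or wrong timestamp: do not guess
    elif len(hits) == 1:
        verdict = "single_candidate"  # a lead only; still needs corroboration
    else:
        verdict = "shared_address"    # NAT/shared link: IP cannot pick one person
    return {"ip": ip,
            "event_utc": when.astimezone(timezone.utc).isoformat(),
            "candidates": hits,
            "verdict": verdict}


if __name__ == "__main__":
    # Hypothetical complaint: offending post from 203.0.113.45 at 15:30 UTC.
    event = utc(2012, 5, 30, 15, 30)
    print("naive lookup     :", naive_lookup("203.0.113.45", LEASES))
    print("time-bound lookup:", attribution_report("203.0.113.45", event, LEASES))
    # The same clock reading misread as IST points at a different subscriber.
    print("timezone mix-up  :", attribution_report("203.0.113.45", ist(2012, 5, 30, 15, 30), LEASES))
    # A shared address yields two candidates and no single answer.
    print("shared address   :", attribution_report("198.51.100.9", ist(2012, 5, 30, 22, 0), LEASES))
```

The naive lookup returns SUB-A; the time-bound lookup for 15:30 UTC (21:00 IST) returns SUB-B; reading the same "15:30" as IST returns SUB-A again; and the shared address returns both SUB-D and SUB-E. Even the "single_candidate" verdict is only a lead that the disk image, browser logs and account records listed above must confirm.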

It is important to apply “Common Sense” and first ascertain the “Identity of the Real Culprit”. Of course, it requires tremendous Cyber Forensics Expertise to correctly trace the offender. The case of wrongfully arresting Lakshmana and imprisoning him for a considerable time is a glaring example of faulty and novice Cyber Forensics application in India. The inability of the Government of India to meet these conspicuous deficiencies of the Legal Enablement of ICT Systems in India is stifling the growth of Cyber Law and Cyber Forensics in India.

Interestingly, the popular concepts of the Indian Criminal Justice System like Establishment of Guilt “Beyond Reasonable Doubt”, “Right to Fair Trial”, Right to Legal Representation, Protection of Privacy Rights, etc. are simply treated as non-existent in Cyber Crime and Terrorism-related cases.

The requirements of Search and Seizure Warrants for Computers and allied Hardware, Individuals and Places must be as per the Constitutional and Statutory requirements. The lack of Cyber Forensics Expertise in India is resulting in violation of these Constitutional and Statutory provisions. It is high time for the Indian Government to give these aspects “Serious Consideration”.


  1. This is a very informative article, nice one Praveen. Though you may have overlooked a lot here. Since here in the PH before the search warrant can be issued extensive probing and questioning is employed to establish probable cause. Needless to say before an investigator applied before a judge he must've exhausted his efforts in gathering physical and technical evidence, conducted series of surveillance. Not unless we have a different process... From your article you shouldn't even be jumping to cyber forensics already but begin with proper cyber incident response/investigation. I do believe a lot of law enforcers would raise their eyebrow in this topic, maybe we just don't have the true story or somewhere along the line there was miscommunication.

  2. Chrisibasco thanks for your comment and Valuable Insight. I agree that this Article is far from perfect or even close to being good. Definitely, I may have overlooked many aspects.

    From your communication, I am presuming that You are talking about US position or position existing in similar Jurisdictions. I am presuming this because You are talking about “Probable Cause” that is required to be satisfied in order to protect Law Enforcement Actions from Constitutional Attacks.

    In India there is no Legal Requirement to ask for a Court’s permission or Warrant for E-Surveillance and it is entirely an “Executive Action”. If Indian agencies wish to tap my Phone or analyse the Internet Traffic leaving my Computer, they neither need “Exhaustion” of available means nor do they need any “Warrant”.

    All they need to do is to apply to their own Bosses and Department (Home Ministry- Central or State level) and start their job. Further, they are also neither Accountable to the Parliament of India nor to the Right to Information Act 2005. We cannot even get the basic information as to how many phone tapping requests were made to Home Ministry in a year as that is an “Exempted Information”.

    I am not very sure what you mean by the cyber incident response/investigation point. If you mean that I must first cover that topic and then jump to Cyber Forensics, that is a good suggestion. However, the topic required me to discuss Cyber Forensics first.

    If you mean that the Law Enforcement Agencies of India/Abroad must first play First Responder’s Role, I agree with that interpretation. But a willingness to do that must also be there that is presently missing in India.

    Kindly accept my Sincere Apology (All of You) if you have felt “Offended”, but this is what I feel and think. After all this is just my “Personal Opinion” and nothing more, and others may disagree with me.

    Of course, with Actual Field Experience of Expert Law Enforcement Officials like You and others, I would be in a position to learn a lot and widen my perceptions.

    Thanks for taking time to write and your patience.

  3. I do not fully agree with you.

    With due respect to the information provided here, IP Tracing/Investigation is not part of Forensics at all. This is only if the off-line form of Email is involved in the incident. That too is limited until the IP Address is found.

    For online web-based email systems, IP Addresses are the sole criteria.

    Further, even if there are proxies, spoofed servers, etc... the relevant details can be found.

    I have been involved in training over 7,500 police officers, judiciary, public prosecutors, etc... through my previous job and the basic profiling/investigation/preliminary analysis stuff is manageable.

    Challenge comes when Mobile Devices are used.

    BOTNET, PHISHING Server, DDOS, ARP, etc... which are advanced in understanding might be difficult to manage.

    But the base is IP Address and it has to be one of the most important criteria if not the sole.


    "Human Behaviour is the Biggest Risk in Security" - Vicky Shah
    Author of first of its kind book "Are You Protected?" - The HANDBOOK on Cyber Crime Awareness and Prevention


  4. Thanks Vicky for your Valuable Inputs.

    I am glad that we are in agreement on some aspects though we differ on some other aspects.

    I also agree that an IP Address is the “Starting Point” for any Cyber Forensics Investigation.

    What I have been trying to convey through this Article is that if we are “Solely” using an IP Address for Arrest, Trial and Conviction of an accused, that would produce “Counter Productive” and “Unfair Results”.

    This is because if we do not “Corroborate” and “Substantiate” the findings based upon an IP Address, we are risking the entire Trial. In fact, such a Trial is not only “Unfair” but also an Abuse of Process of Law. Such a Trial is also “Unconstitutional”.

    Let us shift from Legality and Constitutionality for the time being. Crackers use “Victims” for their nefarious activities. Unsecured Access Points, IP Spoofing, uses of Multiple Proxies located in various Nations, Botnet, etc are some of the issues that require a Corroborative and Detailed Cyber Forensics Analysis.

    Anti Forensics Techniques make the efforts of Law Enforcement Agencies next to impossible. In a Court of Law, if we do not ensure Chain of Custody, provide Proof of Concept, produce Admissible Electronic Evidences, etc, the Prosecution case is bound to fall. Mere IP Address info, unaccompanied with other Relevant and Admissible Electronic Evidence, fails to meet these objectives.

    Further, mere IP Address info can never prove a case “Beyond Reasonable Doubt” and this is a serious problem. For instance, an accused may claim that his System was infected by a malware and it is the malware that sent the offending communication. This may be a “Valid Defense” in many situations.

    This is not a simple scenario and there are many more Techno Legal issues involved.

    Thanks for taking time to write and your patience.

  5. Dear Praveen Dalaal,

    Thank you for sharing the articles and thoughts regarding investigation and point of view in the usage of IP Address as starting point for forensic investigation.

    From the technical point of view of security trends, I personally agree with your point of view that IP could be easily spoofed (i.e. using tools called "Y**r fr**d**", pwned computers, or even botnets or zombie computers).

    Do you mind to share with us about the cyber investigation practice in your country?
    I believe each country has taken wide varieties of approach based on the crime / attack pattern emerges in each of the country.

    Best regards,
    Yohannes E.Setiawan