Wednesday, Oct 01, 2003
Southern States
Andhra Pradesh-Hyderabad
By K. Srinivas Reddy
For they would be using wrong techniques in gathering electronic forensic evidence while handling the suspect computer system, as per the procedures prescribed in the recently revised Andhra Pradesh Police Manual (APPM). With very few investigators being conversant with the working of computers, they would depend solely on the APPM whenever a computer system is to be seized. And the manual prescribes exactly the opposite of what an investigator should do.

Sources indicate that in several cases where computers were seized, valuable data has either been lost or corrupted due to wrong application of procedures. In some cases, whatever evidence could be collected from a computer system lost its evidentiary value as overenthusiastic investigators made the crime suspects demonstrate how the system was used by them. They could little realise that when the system was operated again, the date stamp left on the files accessed would be different from the date of seizure. An unexpected boon for the accused person, who could accuse the police of planting the evidence on the system after the seizure.

If this is an example of an overenthusiastic police officer ruining the investigation, the APPM too does the same level of damage to computer-based electronic evidence. At least two procedures for search and seizure of evidence in computer systems in the manual do not serve the expected purpose. The manual, indeed, cautions the Investigating Officer to seek expert help, but it is not available all the time. In this background, a police officer would depend heavily on the procedures of the APPM while effecting the seizure of a system.

The biggest blunder in the APPM is Point No 14, Order No 527. It states: "care should be taken to use the shut down system of the operating system and not shut off power as that could result in loss of data/programme, which make recovery of evidence extremely difficult and even impossible." Experts disagree with this procedure.

They argue that if the system is shut down using the traditional method, there is no possibility of recovering the already deleted files, since the current file is saved on the hard disc, overwriting the deleted files. Moreover, a standard shut down using a mouse or the keyboard could also be booby-trapped by the suspect. In other words, it could even format the system if the keyboard is configured by the suspect. The best way, experts say, is to pull out the power cord from behind the CPU. When the power supply to the system is cut off, the running files are automatically saved in 'temp files' or in RAM slack, from where retrieval becomes possible. Similarly, Point No. 20 of the same chapter erroneously cautions the police officer not to disconnect or switch off power, which might result in loss of temporary memory (RAM). Experts again differ with this procedure.
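The date-stamp problem the article describes, shown as an added example that is not from the article, the APPM or the experts it quotes: an examiner records a hash-and-timestamp manifest of the seized files, flags any file whose access or modification time post-dates the seizure (the trace left when a suspect is made to "demonstrate" the system), and later re-checks the hashes to show the copy has not been altered. The file names, contents, seizure date and timestamps below are all constructed for the demonstration.

```python
"""Evidence-integrity check for seized files (added example, not the article's).

Records a hash-and-timestamp manifest of every file under an evidence root,
flags files whose timestamps post-date the seizure, and reports files whose
contents changed after the manifest was taken. Sample data is constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> {sha256, mtime, atime} (UTC).

    stat() is taken before the file is opened for hashing, so the read needed
    for the hash does not itself disturb the access time being recorded.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        manifest[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
            "atime": datetime.fromtimestamp(st.st_atime, tz=timezone.utc),
        }
    return manifest


def post_seizure_activity(manifest: dict, seized_at: datetime) -> list:
    """Files whose modification or access time is later than the seizure.

    Any such entry shows the system was operated after it was taken into
    custody, which is exactly what lets the defence allege planted evidence.
    """
    return sorted(
        path for path, rec in manifest.items()
        if rec["mtime"] > seized_at or rec["atime"] > seized_at
    )


def verify_manifest(root: Path, manifest: dict) -> list:
    """Files whose current SHA-256 differs from the recorded one."""
    return sorted(
        path for path, rec in manifest.items()
        if sha256_file(root / path) != rec["sha256"]
    )


def _set_times(path: Path, atime: datetime, mtime: datetime) -> None:
    os.utime(path, (atime.timestamp(), mtime.timestamp()))


def demo() -> tuple:
    """Constructed scenario: two files, one opened again after the seizure."""
    seized_at = datetime(2003, 10, 1, tzinfo=timezone.utc)   # constructed date
    before = datetime(2003, 9, 15, tzinfo=timezone.utc)
    after = datetime(2003, 10, 5, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ledger = root / "ledger.xls"
        mail = root / "mail" / "inbox.txt"
        mail.parent.mkdir()
        ledger.write_bytes(b"constructed sample ledger")
        mail.write_bytes(b"constructed sample mailbox")
        _set_times(ledger, before, before)   # untouched since before seizure
        _set_times(mail, after, before)      # accessed again after seizure
        manifest = build_manifest(root)
        flagged = post_seizure_activity(manifest, seized_at)
        # Later tampering with the mailbox is caught by the hash re-check.
        mail.write_bytes(b"constructed sample mailbox, altered")
        changed = verify_manifest(root, manifest)
    return flagged, changed


if __name__ == "__main__":
    touched, altered = demo()
    print("accessed or modified after seizure:", touched)
    print("contents changed since manifest:", altered)
```

The manifest is taken once, as early as possible, and the hashes are what is produced later in court; the timestamp comparison is run against the documented seizure time from the seizure memo, so a file that was demonstrably opened after that time is identified before the other side finds it.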
Copyright © 2003, The Hindu.