Cyber sleuths uncover major crimes through deleted data

As criminals devise new ways of erasing all traces of their offence, the forensic team digs deep into their digital history and deleted content to nail them

April 10, 2022 12:49 am | Updated 12:49 am IST

A woman claiming her husband was murdered and a heavily damaged mobile phone were the only leads Delhi Police’s cyber sleuths had when a case of an alleged killing during a robbery bid came up last year in west Delhi’s Patel Nagar. 

A 20-member team of National Cyber Forensics Lab (NCFL) immediately got down to cracking the WhatsApp chats on the damaged phone recovered from the water tank of the victim’s house. On finding that its user, the victim’s wife, had deleted several conversations, the team sat down and recovered all the deleted chats, which eventually helped the police crack the case. 

“The door is open, just push it,” read a deleted chat sent by the wife. This text revealed the woman’s role in staging a robbery bid and getting her husband killed with the help of her boyfriend. The woman was eventually arrested and, based on the information she provided, the boyfriend was traced and nabbed.

“It was a blind case and the police had no clues. Everyone thought the woman was the victim but the tables turned after the forensic team recovered the chats from the damaged device,” an officer said.

The NCFL, which is attached to the Delhi Police’s Intelligence Fusion and Strategic Operations Unit (IFSO), has so far retrieved both deleted and hidden data from over 4,600 devices, including laptops and mobiles, according to the police.

The team operates 24 hours a day and assists the district police, in addition to working with investigative agencies like the Central Bureau of Investigation (CBI) and the Enforcement Directorate (ED), in cracking the majority of cybercrime cases. 

While the district police teams have their own forensics setup to deal with cybercrimes, their data-retrieving capacity is limited, so they coordinate with the NCFL for high-profile and complex cases. 

Challenges faced

A senior officer from the forensic lab told The Hindu, “We face several challenges while extracting deleted data; there are a number of permutations and combinations that need to be decoded in order to retrieve the exact file or content needed to solve the case.”

Another officer, requesting anonymity, said culprits use various techniques to hide the data on their devices, making it difficult for the police to recover it.

“They (accused) create parallel windows and operate on one of them and hide it afterwards, leaving no trace of any activity. Often the hard disk is encrypted and it can only be opened with a key known to the accused,” the officer said. 

DCP (IFSO) K.P.S. Malhotra said while their in-house forensics lab quickly retrieves all data from a seized device through various extraction software, the process takes time when the material is sent to the central forensic team in Rohini. “The data is reanalysed there and only then can it be filed in court as evidence,” he added.

Referring to the recent Sulli Deals and Bulli Bai cases, another police source said, “[Neeraj] Bishnoi [one of the accused] told us that a Twitter handle had shared the code for the application and when we managed to arrest [Aumkareshwar] Thakur [another accused], his deleted social media footprint was traced and it confirmed the disclosure.” 

Data retrieval

The police said that after an accused’s device is seized, it usually takes a day to retrieve deleted data from a mobile phone. In the case of a laptop or hard disk, it takes at least 48 to 72 hours to retrieve the contents.

For memory forensics — recovering data from laptops — and mobile forensics, cyber sleuths use several high-end software tools such as Forensic Toolkit (FTK), EnCase, NOVIX and Axiom. For Apple MacBooks, the forensic team uses the BlackLight software.
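The recovery described above rests on one property of how apps store data: a "deleted" record is usually only marked as free space inside the database file, so its bytes stay on disk until something overwrites them. The script below is an added illustration of that property, not the NCFL's workflow or any of the named vendors' code. Messaging apps such as WhatsApp keep chats in an SQLite database; the example models that with a constructed `messages` table and constructed chat text (the deleted line is modelled on the message quoted in the article), deletes one row the way an app would, and shows that an ordinary query no longer returns it while a crude carve of the raw file bytes still finds it. It then repeats the run with SQLite's `secure_delete` pragma on, which zeroes freed bytes, to show the setting that decides whether such a remnant exists at all. The file name `msgstore.db` is chosen for illustration only.

```python
"""Why 'deleted' chats can still be recovered from a seized device.

Added illustration, not the NCFL's or any vendor's code. The chat table,
the message texts and the file name are all constructed for this example.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample data, modelled on the message quoted in the article.
DELETED_TEXT = "The door is open, just push it"
KEPT_TEXTS = ["Are you home yet?", "Call me when you are free", "Dinner at 8"]


def build_chat_db(path, secure_delete=False):
    """Create a small chat table, then delete one message.

    secure_delete=False is SQLite's usual default: a DELETE only marks the
    record's bytes as free space inside the page, it does not wipe them.
    secure_delete=True asks SQLite to zero freed bytes as it goes.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [("wife", DELETED_TEXT)] + [("wife", t) for t in KEPT_TEXTS],
    )
    conn.commit()
    # The 'user deletes a chat' step.
    conn.execute("DELETE FROM messages WHERE body = ?", (DELETED_TEXT,))
    conn.commit()
    conn.close()


def live_rows(path):
    """What the app, or an examiner running SQL, sees: only undeleted rows."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return rows


def carve_strings(path, min_len=8):
    """Simplest possible carver: printable ASCII runs in the raw file bytes.

    Forensic suites do this far more carefully (they parse SQLite pages,
    freeblocks and journal/WAL files), but the principle is the same: look at
    the bytes on disk rather than at what the database engine reports.
    """
    with open(path, "rb") as f:
        raw = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def run_demo(secure_delete=False):
    """Build the database in a temp dir and compare the live view with a raw carve."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "msgstore.db")  # illustrative name only
        build_chat_db(path, secure_delete)
        live = live_rows(path)
        carved = carve_strings(path)
        return {
            "live_count": len(live),
            "live_has_deleted": DELETED_TEXT in live,
            "raw_has_deleted": any(DELETED_TEXT in s for s in carved),
        }


if __name__ == "__main__":
    for flag in (False, True):
        r = run_demo(secure_delete=flag)
        print("secure_delete=%s -> query sees deleted chat: %s, raw carve sees it: %s"
              % (flag, r["live_has_deleted"], r["raw_has_deleted"]))
```

Two caveats an examiner keeps in mind follow directly from the code. First, the remnant survives only until the freed space is reused or the file is rebuilt (SQLite's `VACUUM` does that), so the delay between seizure and imaging matters, which is one reason the article's lab quotes turnaround in days rather than weeks. Second, this carve reads plaintext bytes; on the encrypted hard disks the officer mentions, the raw file is ciphertext and nothing is recoverable this way without the key.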

Latest projects

Currently, the NCFL team is focusing on developing malware prevention software, since cases of malware attacks have seen a fourfold rise over the years.

“Last year, we developed a system that allows us to retrieve data even without physically accessing the device. We can link the required device through an online platform and forensic analysis can be carried out right from the lab here,” an officer at the forensic lab said.   
