Network-Based Evidence

Evidence is the material placed or produced before a court to assist the judge in deciding a case. There are many types of evidence; this article deals with a subdivision of one particular type, digital evidence. Digital evidence is any corroborative information that is stored or transmitted in digital form and that a party in court can use to support its case. With the advent of technology, people use a wide range of devices, and those devices are in turn used as evidence in court proceedings. This article deals mainly with network-based evidence, a subdivision of digital evidence: what it is, its challenges and its admissibility are the major subjects of this article.


In today’s world, communication among people has become easy with the introduction of digital devices. Computers, mobile phones and the internet are not the only sources of digital evidence; any form of technology that processes data or performs an operation can be used for the purpose of committing a crime. All information and data of value to an investigation that is stored, received or transmitted by an electronic device is called digital evidence. This evidence is obtained when the electronic devices are confiscated and sealed for the purpose of examination. Digital evidence can be further classified into four categories, namely:

  • Internet or network-based evidence,
  • stand-alone computers,
  • stand-alone devices, and
  • mobile devices.

The processes and tools involved in collecting each of these types of digital evidence differ from one another, and particular types of crime tend to be linked with one or other such device. This article focuses mainly on network-based evidence, which is a part of digital evidence.

Digital Evidence

Any proof that satisfies the essentials of evidence in a proceeding and exists in electronic form is called digital evidence. Like fingerprints or DNA evidence, it is latent: it is not visible without the right tools. Digital evidence has to be carefully secured because it can be altered, damaged or destroyed with little effort. Section 65 of the Information Technology Act deals with electronic evidence, its contents, etc. The main examples of digital evidence are invoices and records of payments received, emails and IM sessions, and deleted photographs or videos on the defendant’s device. [1] (Mugisha, 2019)

Digital evidence is prone to certain challenges, which are the following:

  • Encryption: a process used to conceal evidence or make it illegible on the target system. Attackers use different encryption methods, and in order to make the data usable the investigators have to decrypt it. This is time consuming, and at times decryption may not be possible.
  • Steganography: a data-hiding technique, often used alongside cryptography for stronger protection, that conceals information inside a carrier file without visibly altering its appearance. Attackers may use steganography to hide data on systems, leaving the investigators of computer crimes with the duty of finding the concealed data for further investigation of the crime.
  • Data hiding in storage space: attackers may hide valuable data inside storage areas and conceal it from the normal system commands and programs. This makes inspection more complex and time consuming. One of the most popular methods used to conceal data in storage space is the rootkit.
  • Residual data wiping: while an attacker uses a computer to achieve a goal, a few functions (such as the command history and temporary files) run in the background, usually concealed and without the attacker’s knowledge. A skilled attacker can avoid this risk by completely wiping the tracks and the history of the commands made by his process.
  • Resource challenges: in certain situations there is a large volume of data, and the investigator has to go through all of the data collected in order to gather the evidence. This is a time-consuming process, and because time is a limiting factor this resource challenge becomes one of the major challenges in digital forensics.
  • Legal challenges: privacy is an important aspect for organizations as well as for the victim. In most cases the computer forensics expert must communicate and provide the secured data, or compromise privacy, in order to reveal the truth. For example, requiring an investigator to examine the data of a private company or an individual user puts their privacy at risk, because companies and users may have a great deal of personal information in their day-to-day usage. [2] (Kiener, 2019)

Network forensics

Network forensics is the process of capturing, recording and analysing network events in order to identify the origin of security attacks and other problems. It helps in detecting unauthorized access to a computer system and in searching for evidence of such occurrences. Network forensics can investigate both at the network level and the events that take place across an IT system.

Network forensics has three parts:

  • intrusion detection,
  • logging, and
  • correlating intrusion detection and logging.

The main aim of network forensics is to make sufficient evidence available so that punishment can be imposed on offenders. Network forensics is applied in the major areas of hacking, fraud, insurance companies, data theft, defamation, obscene publication, credit card cloning, software piracy, etc. [3] (Davis, 2006)

Challenges of Network Forensics

One of the greatest challenges in conducting network forensics is the enormous quantity of data a network creates, which amounts to gigabytes per day. Searching for evidence is tiresome, and in some cases it is almost impossible to find if the event is brought to notice only after a prolonged period of time. Another challenge is the constant uncertainty of identities in the internet protocols: each layer has its own form of addressing (IP addresses, e-mail addresses, MAC addresses), and each can fall prey to spoofing. However, the various powerful software tools available make it possible to analyse internet activity and solve these cases.

Network forensic duties that software can make easier comprise the collection, normalizing, filtering, labeling, stream reassembly, correlation and analysis of numerous sources of network data. Even though there are single-purpose tools aimed at each of these tasks, feature creep has made the distinctions between the categories less clear, resulting in tools that address a growing number of things that can go wrong on a network. Before the investigator can perform the forensic task, suitable network activity data must be collected. Raw network packets, which carry the highest possible level of traffic detail, supplement the often-sparse log data available from applications, authentication systems, routers and firewalls; sniffing is how such network data is collected.

Stream reassembly is the gathering and packaging of raw network traffic from a single source so that all the data within a connection session is presented as one complete stream. Stream reassembly is performed by protocol analysis tools, which isolate the specific communications that took place between two or more of the apparent endpoints or relay points. Such an examination is the first step in identifying who communicated with whom, when, and what messages were transmitted. Most protocol analysis tools work within sessions and provide a tree-oriented view of them; such a visual presentation of network traffic makes it easier to work out exactly what happened on the network. [4] (Mugisha, 2019)
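To make the reassembly step concrete, the following is an added example (not code from the article or from any tool it cites) of the core of what a protocol analysis tool does: it groups captured TCP segments by session and direction, orders them by sequence number, discards bytes duplicated by retransmissions, records gaps where segments were never captured rather than inventing data, and prints a tree-style summary per session. The packet list is constructed for the example; the addresses, ports and HTTP exchange are not real capture data.

```python
from collections import defaultdict

# Constructed sample packets (not real capture data): one HTTP session whose
# segments arrive out of order and include a retransmission, plus a second
# session with a segment that was never captured (a gap).
# Fields: (src, sport, dst, dport, seq, payload)
PACKETS = [
    ("10.0.0.5", 40001, "203.0.113.10", 80, 1001, b"GET /index.html HTTP/1.1\r\n"),
    ("203.0.113.10", 80, "10.0.0.5", 40001, 5001, b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.5", 40001, "203.0.113.10", 80, 1046, b"\r\n"),                  # arrives early
    ("10.0.0.5", 40001, "203.0.113.10", 80, 1027, b"Host: example.com\r\n"),
    ("203.0.113.10", 80, "10.0.0.5", 40001, 5018, b"Content-Length: 5\r\n\r\nhello"),
    ("203.0.113.10", 80, "10.0.0.5", 40001, 5001, b"HTTP/1.1 200 OK\r\n"),   # retransmission
    ("10.0.0.7", 40002, "203.0.113.10", 80, 1, b"abc"),
    ("10.0.0.7", 40002, "203.0.113.10", 80, 10, b"xyz"),                     # bytes 4..9 never seen
]


def session_key(src, sport, dst, dport):
    """Canonical key so that both directions of one connection map to one session."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def reassemble(packets):
    """Group segments per session and direction, order them by sequence number,
    drop bytes already seen (retransmissions) and record any gaps.

    Returns {session_key: {(src, sport): (payload_bytes, [(gap_start, gap_end), ...])}}.
    """
    segments = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        segments[(session_key(src, sport, dst, dport), (src, sport))].append((seq, payload))

    sessions = defaultdict(dict)
    for (session, direction), segs in segments.items():
        segs.sort(key=lambda s: s[0])
        data = bytearray()
        gaps = []
        expected = segs[0][0]              # next sequence number we expect to see
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue                   # whole segment already covered: retransmission
            if seq > expected:
                gaps.append((expected, seq))        # missing bytes: record, never fabricate
            elif seq < expected:
                payload = payload[expected - seq:]  # partial overlap: keep only new bytes
            data.extend(payload)
            expected = end
        sessions[session][direction] = (bytes(data), gaps)
    return dict(sessions)


def summarize(sessions):
    """Tree-style text summary: one line per session, one indented line per direction."""
    lines = []
    for (a, b), directions in sorted(sessions.items()):
        lines.append(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
        for (src, sport), (data, gaps) in sorted(directions.items()):
            lines.append(f"  {src}:{sport} sent {len(data)} bytes, {len(gaps)} gap(s)")
    return lines


if __name__ == "__main__":
    result = reassemble(PACKETS)
    print("\n".join(summarize(result)))
    key = session_key("10.0.0.5", 40001, "203.0.113.10", 80)
    print(result[key][("10.0.0.5", 40001)][0].decode())
```

The gap list matters for evidentiary purposes: a reassembled stream that silently pads or skips missing bytes misrepresents what traversed the wire, whereas an explicit record of which byte ranges were not captured lets the examiner state precisely what the capture does and does not show.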

Network-Based Digital Evidence

Network-based digital evidence is a type of digital evidence that arises as a product of communications over a network. The primary and secondary storage media of computers (such as RAM and hard drives) tend to be productive sources for forensic analysis and investigation: because of the way data fragments persist, persistent storage can retain forensically recoverable and relevant evidence for hours, days or years beyond file deletion and storage reuse. Network-based digital evidence, by contrast, can be exceedingly volatile. Within milliseconds, in the blink of an eye, packets move swiftly across the wire and disappear from the switches, and web sites change depending on when and where they are viewed. [5] (Electronic CSI, 2008)

Challenges relating to Network-based Digital Evidence

Network-based evidence raises certain specific and prominent challenges in various areas. Some of the most common challenges related to network-based digital evidence are as follows:

  • Acquisition: finding or locating a specific piece of evidence in a network environment can be hard. There are multiple sources of evidence, from wireless access points to web proxies to central log servers, which often makes it difficult to pinpoint the exact location of the evidence. Even when a specific piece of evidence and its location are known, obtaining access to it can be complex for political or technical reasons.
  • Content: unlike filesystems, which are designed to hold the full contents of files and their metadata, network devices may or may not store evidence at the level of granularity desired. The storage capacity of network devices is often very limited, so most of the time only selected metadata about a transfer or transaction is kept rather than a full record of the data that traversed the network.
  • Storage: network devices usually do not include secondary or persistent storage. As a consequence, the data they hold is volatile and may not survive a reset.
  • Privacy: depending on the jurisdiction, legal issues may arise, including personal privacy issues that are unique to network-based acquisition techniques.
  • Seizure: seizing a hard drive can cause trouble and disruption to an individual or organization, but a copy of the original drive can be made and deployed so that critical operations continue with limited disturbance. Seizing a network device is most often far more disruptive; in the most serious cases an entire network segment may be brought down indefinitely. In most circumstances, however, investigators are able to minimize the impact on network operations.
  • Admissibility: filesystem-based evidence is admitted consistently in both criminal and civil proceedings. As long as it is relevant to the case, lawfully acquired and properly handled, there is clear precedent for validating the evidence and admitting it in court. By contrast, network forensics is one of the newest approaches to digital investigation, and there are often conflicting or even non-existent legal precedents for the admission of various types of network-based digital evidence. As network-based digital evidence becomes more widespread, case precedents will be set and standardized. [6] (Davis, 2006)

Real & Best Evidence 

Real evidence is evidence in physical, tangible form that plays a relevant role in an arbitration or decision. For example, it can be a blood-stained knife, a gun found at a crime scene, or a copy of a contract bearing the parties’ signatures. In the area of digital evidence, real evidence could be a physical hard drive or the computer components that store data regarding the commission of a crime. It is always recommended to produce the original evidence in court, as it is considered to be the best evidence. Where the original cannot be obtained, an alternative can be admitted under the “best evidence rule”, whose main purpose is to make sure that the court’s decisions are based on the real and best evidence. In most cases an exact duplicate, or copy, of digital evidence is admissible. Presenting a copy or duplicate of digital evidence is usually preferred, as it eliminates the risk of the original evidence being altered.

Some examples of best evidence are the following:

  • A photograph of the crime scene
  • A copy of the signed contract 
  • A file recovered from the hard drive 
  • A bit-for-bit snapshot of a network transaction. [7] (Kiener, 2019)
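A duplicate is only "exact" if that can be shown, so the examiner's practical check is to hash the original before and after copying, hash the copy, and keep the result with the custody record; any later working copy is re-hashed against that record. The following is an added example of that check (not code from the article or any cited source); the file names, the examiner placeholder and the "capture" contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_copy(original, copy_path, examiner):
    """Make a bit-for-bit copy and produce a custody record.

    The original is hashed before and after the copy, so the record shows both
    that the copy matches and that the copy step did not alter the original.
    """
    hash_before = sha256_file(original)
    shutil.copyfile(original, copy_path)
    hash_copy = sha256_file(copy_path)
    hash_after = sha256_file(original)
    return {
        "original": os.path.basename(original),
        "copy": os.path.basename(copy_path),
        "size_bytes": os.path.getsize(copy_path),
        "sha256": hash_before,
        "original_unchanged": hash_before == hash_after,
        "copy_verified": hash_copy == hash_before,
        "examiner": examiner,                        # placeholder, not a real identity
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_copy(copy_path, record):
    """Re-hash a working copy and compare it with the recorded acquisition hash."""
    return (sha256_file(copy_path) == record["sha256"]
            and os.path.getsize(copy_path) == record["size_bytes"])


def demo():
    """Acquire a constructed 'capture' file, then alter the working copy by one
    byte to show that verification fails. Returns (record, ok_before, ok_after)."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "session.pcap")
    copy_path = os.path.join(workdir, "session-working-copy.pcap")
    with open(original, "wb") as fh:
        # constructed content, not a real pcap
        fh.write(b"constructed capture bytes, not a real pcap\n" * 1000)

    record = acquire_copy(original, copy_path, examiner="examiner-placeholder")
    ok_before = verify_copy(copy_path, record)

    with open(copy_path, "r+b") as fh:      # change a single byte in the working copy
        fh.seek(0)
        fh.write(b"C")
    ok_after = verify_copy(copy_path, record)

    shutil.rmtree(workdir)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("copy verified after acquisition:", before)
    print("copy verified after alteration:", after)
```

Hashing the original a second time after the copy is the detail most often skipped: it is what lets the record assert that the acquisition itself was non-destructive, which is the property the best evidence rule is protecting.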

Admissibility of Digital Evidence/Network-based Evidence under judicial System

The admissibility of evidence depends on its state or quality of being admissible in a court. Admissible evidence is any document, testimony or tangible item that may be used in a court of law; it is introduced to a judge to enable an appropriate decision. Electronic evidence and network-based evidence are admissible in a court of law provided they comply with the existing legislation. Certain criteria have to be taken into account regarding electronic and network-based evidence, which are as follows:

  • Authenticity: it must be possible to bind the evidence to the investigated incident.
  • Completeness: it must give the complete information, not just a summary or a part of it.
  • Reliability: nothing should cast doubt on the authenticity and accuracy of the collected evidence.
  • Believability: it must be easily believable and understandable to the judge or the court.
  • Proportionality: the whole process must be adequate and appropriate, and the benefits to be obtained must exceed the harm to the party.

The laws laid down should provide for the admission of electronic evidence in court. Procedures need to be put in place for the handling of electronic evidence, and investigators and forensic experts need to adhere to these regulations to make the evidence admissible in court. [8] (Mugisha, 2019)


Therefore, with the tremendous rise in the use of technological devices in daily life, the production of network-based evidence has become a necessity in many cases for establishing the guilt of the accused or imposing liability on the defendant. The shift in judicial thinking has occurred mostly in the past twenty years, and most legal systems across the world have amended their laws to accommodate it. This article has thus explained what network-based evidence is, its challenges and its admissibility in a court of law.


Frequently Asked Questions (FAQs)

  1. What is digital evidence?
  2. What are the different types of digital evidence?
  3. What is network forensics and what are its challenges?
  4. What is network-based digital evidence?
  5. What are the challenges faced by network-based digital evidence?
  6. Is network-based evidence acceptable under the judicial system?

[1] Mugisha, D. (2019). Digital Forensics: Digital Evidence in Judicial System. ResearchGate, Vol. 4.

[2] Kiener, K. (2019, March). Cybercrime Module 6 Key Issues: Handling of Digital Evidence. www.unodc.org.

[3] Davis, M., Manes, G., & Shenoi, S. (2006). Chapter 3: A Network-Based Architecture for Storing Digital Evidence.

[4] Mugisha, D. (2019). Digital Forensics: Digital Evidence in Judicial System. ResearchGate, Vol. 4.

[5] Electronic CSI: A Guide for First Responders, 2nd edition. National Institute of Justice, April 2008.

[6] Davis, M., Manes, G., & Shenoi, S. (2006). Chapter 3: A Network-Based Architecture for Storing Digital Evidence.

[7] Kiener, K. (2019, March). Cybercrime Module 6 Key Issues: Handling of Digital Evidence. www.unodc.org.

[8] Mugisha, D. (2019). Digital Forensics: Digital Evidence in Judicial System. ResearchGate, Vol. 4.
