🧪 Part 5.3

Cross-Examining Technical Witnesses

"Every expert has blind spots: find them"

Forensic experts, bank officials, telecom officers, and platform representatives each have specific vulnerabilities. Master targeted cross-examination for each witness type.

3.1 Forensic Expert Cross-Examination

🔬 FSL / Forensic Expert
Examines devices, prepares technical reports

🎯 Key Vulnerabilities

• Qualification gaps: general science degree, no digital-forensics training or certification

• Tool issues: unlicensed or pirated software, tools never validated against known test data

• Methodology: no documented, repeatable procedure; does not follow ISO/IEC 27037 or NIST SP 800-86

• Hash mismatch: hash at receipt differs from the hash recorded at seizure (if one was recorded at all)

• No malware check: did not rule out remote-access tools or planted files before attributing the files to the accused

🎯 Sample Questions: Forensic Expert
Q: What is your specific qualification in cyber/digital forensics?
Challenge expertise under BSA S.39 (formerly IEA S.45): the witness must be specially skilled in the science concerned. Ask also whether the lab is a notified Examiner of Electronic Evidence under IT Act S.79A.
Q: Which forensic tool did you use? Is the licence current, and has the tool been validated?
Unlicensed or unvalidated tools: the results cannot be shown to be repeatable or accepted in the field
Q: Did you verify that the device hash matched the seizure hash when you received it?
No seizure hash = no baseline to prove the device was unaltered between seizure and examination
Q: Did you check for malware or remote-access tools before concluding that the accused created those files?
Opens an alternative explanation: someone else could have planted the files
Q: Which international standard did you follow? ISO/IEC 27037? NIST SP 800-86?
No documented standard = arbitrary, unrepeatable methodology
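The hash question above is the one a defence cross-examiner most often wins or loses on, so here is the check itself, as an added example written for this page rather than code from any forensic lab or tool. It walks a custody log in which every hand-over records a SHA-256 of the image, recomputes the hash of the image as received, and reports the first stage at which the chain breaks. The image bytes, stage names and custody entries are constructed sample data; the three scenarios mirror the three answers the witness can give: intact chain, hash changed between seizure and FSL receipt, and no seizure hash at all.

```python
"""Chain-of-custody hash verification for a forensic image.

Added example, not code from the original page. It models the check the
cross-examiner is probing: each hand-over in the custody log records the
SHA-256 of the image, the verifier recomputes the hash of the image as
received and reports the first stage at which the chain breaks, and it
refuses to vouch for an image that has no seizure-time hash at all.
The image bytes and custody entries below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class CustodyEntry:
    stage: str              # "seizure", "fsl_receipt", "analysis", ...
    handler: str            # who held the device/image at this stage
    sha256: Optional[str]   # None if no hash was recorded at this stage


def sha256_of(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash in chunks, as you would for a multi-GB image read from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_chain(image: bytes, log: list) -> dict:
    """Decide whether `image` is provably the device as seized.

    Rules: the log must start at seizure with a recorded hash (otherwise
    there is no baseline); every later recorded hash must equal it; and
    the hash recomputed now must equal it too.
    """
    if not log or log[0].stage != "seizure":
        return {"ok": False, "reason": "custody log does not start at seizure"}
    baseline = log[0].sha256
    if not baseline:
        return {"ok": False, "reason": "no hash recorded at seizure: no baseline"}
    for entry in log[1:]:
        if entry.sha256 is None:
            return {"ok": False, "reason": f"no hash recorded at stage '{entry.stage}'"}
        if entry.sha256 != baseline:
            return {"ok": False,
                    "reason": f"hash changed between seizure and '{entry.stage}'"}
    if sha256_of(image) != baseline:
        return {"ok": False, "reason": "image as received differs from seizure hash"}
    return {"ok": True, "reason": "unbroken chain; image matches seizure hash"}


# Constructed stand-in for a disk image (a real one is read from a file).
SAMPLE_IMAGE = bytes(range(256)) * 64


def build_log(seizure_hash: Optional[str], receipt_hash: Optional[str]) -> list:
    return [CustodyEntry("seizure", "investigating officer", seizure_hash),
            CustodyEntry("fsl_receipt", "FSL examiner", receipt_hash)]


def scenario_intact() -> dict:
    h = sha256_of(SAMPLE_IMAGE)
    return verify_chain(SAMPLE_IMAGE, build_log(h, h))


def scenario_hash_mismatch() -> dict:
    """One byte written to the device after seizure (e.g. the phone was
    powered on and allowed to sync): the receipt hash no longer matches."""
    seized = sha256_of(SAMPLE_IMAGE)
    altered = bytearray(SAMPLE_IMAGE)
    altered[100] ^= 0x01
    altered = bytes(altered)
    return verify_chain(altered, build_log(seized, sha256_of(altered)))


def scenario_no_baseline() -> dict:
    """Seizure memo recorded no hash: whatever the FSL hashed, it cannot
    be tied back to the device as seized."""
    return verify_chain(SAMPLE_IMAGE, build_log(None, sha256_of(SAMPLE_IMAGE)))


if __name__ == "__main__":
    for name, fn in [("intact", scenario_intact),
                     ("hash mismatch", scenario_hash_mismatch),
                     ("no seizure hash", scenario_no_baseline)]:
        print(f"{name:16s} -> {fn()}")
```

Note what the third scenario shows: a perfectly correct FSL hash is worthless as proof of integrity if nothing was recorded at seizure, because there is nothing to compare it against. That is the point behind the question "did you verify the hash matched the seizure hash", and the witness who answers "we hashed it on receipt" has not answered it.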
3.2 Bank Official Cross-Examination

🏦 Bank Official / Nodal Officer
Account details, KYC, transaction logs

🎯 Key Vulnerabilities

• KYC failure: account opened with fake or unverified documents

• Response delay: slow action after the fraud was reported

• No IP logs: cannot show who accessed the account online

• SIM swap indicators: OTP went to a number other than the registered one

• BSA S.63 certificate: signed by the wrong person, or missing the particulars the section requires

🎯 Sample Questions: Bank Official
Q: Was the account holder's identity physically verified at account opening, or only digitally?
Digital-only verification can be bypassed with stolen or forged documents
Q: When did the bank receive the first fraud report? What action was taken within 24 hours?
RBI requires prompt action on fraud reports; ask for the complaint timestamp and the action log, since unexplained delay points to negligence on the bank's side
Q: Do you have IP address logs for all online banking sessions on this account?
Without session IP logs the bank can show only that the credentials were used, not WHO used them
Q: Was the OTP for this transaction sent to the registered mobile number or to a different number?
A different number indicates a SIM swap or an unauthorised change of contact details, not the accused's doing; ask when and how the registered number was changed
3.3 Telecom Nodal Officer Cross-Examination

📞 Telecom Nodal Officer
CDR, subscriber details, IP allocation

🎯 Sample Questions: Telecom Officer
Q: The CDR shows calls from number X. Can you confirm WHO physically made those calls?
CDR proves SIM activity, not individual identity; a SIM can be used by anyone, in any handset
Q: How was the SIM card verified at point of sale? Was Aadhaar physically verified?
Fake ID used for the SIM = the real user is unknown
Q: Was the IP address static or dynamic? If dynamic, could the same IP have been assigned to different users at different times?
Dynamic or carrier-grade NAT addresses are reassigned or shared; attribution depends on the exact timestamp (with its time zone) and, on shared addresses, the source port
Q: What is the coverage radius of cell tower X from which this call was made?
A cell tower proves a general area (often several km), not a precise location; ask for the sector and whether the handset was necessarily on the nearest tower
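The dynamic-IP question deserves a concrete illustration, so here is an added example (written for this page, not the page's own material or any operator's real system) that models a telecom operator's IP-allocation log and answers "who was behind this address at this instant?". The log, subscriber IDs and addresses are constructed sample data. It shows the three failure modes the cross-examiner is probing: the same address changing hands between subscribers, a platform timestamp in UTC being misread as local time and pointing at the wrong subscriber entirely, and a carrier-grade NAT address that is ambiguous unless the source port was also recorded.

```python
"""Who was behind a public IP at a given instant?

Added example, not code from the original page. It models a telecom
operator's IP-allocation log (constructed sample data below) and shows
what the cross-examination should probe: under dynamic allocation the
same address maps to different subscribers at different times, so the
answer hinges on the exact timestamp and its time zone; under
carrier-grade NAT several subscribers share one public address at the
same moment, so without the source port the record is ambiguous.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))


@dataclass
class Allocation:
    public_ip: str
    subscriber: str
    start: datetime          # tz-aware, inclusive
    end: datetime            # tz-aware, exclusive
    port_lo: int = 0         # CGNAT port block; full range if not shared
    port_hi: int = 65535


def ist(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as an IST wall-clock time."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=IST)


# Constructed sample log. 203.0.113.7 is a dynamic address that changes
# hands at 11:30; 203.0.113.9 is a CGNAT address shared all day by two
# subscribers, each with its own source-port block.
SAMPLE_LOG = [
    Allocation("203.0.113.7", "SUB-A", ist("2024-03-01 04:00"), ist("2024-03-01 11:30")),
    Allocation("203.0.113.7", "SUB-B", ist("2024-03-01 11:30"), ist("2024-03-01 15:00")),
    Allocation("203.0.113.9", "SUB-C", ist("2024-03-01 00:00"), ist("2024-03-02 00:00"), 1024, 32767),
    Allocation("203.0.113.9", "SUB-D", ist("2024-03-01 00:00"), ist("2024-03-02 00:00"), 32768, 65535),
]


def attribute(log, ip: str, when: datetime, src_port=None) -> set:
    """Set of subscribers who could have been using `ip` at `when`.

    A naive timestamp is rejected: platform logs are usually UTC and
    operator logs local time, and a silent mix-up points at the wrong
    subscriber (see timezone_matters below).
    """
    if when.tzinfo is None:
        raise ValueError("timestamp has no time zone; refuse to guess")
    hits = set()
    for a in log:
        if a.public_ip != ip or not (a.start <= when < a.end):
            continue
        if src_port is not None and not (a.port_lo <= src_port <= a.port_hi):
            continue
        hits.add(a.subscriber)
    return hits


def dynamic_ip_flips() -> tuple:
    """Same IP, two hours apart, two different subscribers."""
    return (attribute(SAMPLE_LOG, "203.0.113.7", ist("2024-03-01 10:00")),
            attribute(SAMPLE_LOG, "203.0.113.7", ist("2024-03-01 12:00")))


def timezone_matters() -> tuple:
    """A platform log entry reads '2024-03-01 06:30' in UTC (= 12:00 IST).
    Read correctly it points at SUB-B; read as if it were IST it points
    at SUB-A, an entirely different subscriber."""
    utc_time = datetime(2024, 3, 1, 6, 30, tzinfo=timezone.utc)
    misread = ist("2024-03-01 06:30")
    return (attribute(SAMPLE_LOG, "203.0.113.7", utc_time),
            attribute(SAMPLE_LOG, "203.0.113.7", misread))


def cgnat_needs_port() -> tuple:
    """Shared CGNAT address: ambiguous without the source port."""
    when = ist("2024-03-01 13:00")
    return (attribute(SAMPLE_LOG, "203.0.113.9", when),
            attribute(SAMPLE_LOG, "203.0.113.9", when, src_port=40000))


if __name__ == "__main__":
    print("dynamic IP :", dynamic_ip_flips())
    print("time zone  :", timezone_matters())
    print("CGNAT      :", cgnat_needs_port())
```

Questions this suggests for the nodal officer: in what time zone is the allocation log kept, in what time zone was the requesting platform's timestamp, and did the request include the source port. If any of those is missing, the identification of a subscriber from an IP address is an inference, not a record.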
3.4 Platform Representative Cross-Examination

🌐 Platform Rep (Social Media/Tech)
Account data, IP logs, content records

🎯 Sample Questions: Platform Representative
Q: This account was registered with email X. Did you verify that this email actually belongs to the accused?
Email verification only confirms access to the mailbox at the time, not the identity of the person
Q: How long does your platform retain IP address logs? Are the logs from [date] still available?
Retention is limited and platform-specific (around 90 days is often cited); logs may already be gone unless a preservation request was served in time
Q: Can you rule out that this account was hacked or operated by someone other than the registered user?
Account compromise = someone else posted the content
Q: The phone number used for registration: was it verified? Could it be a temporary or virtual number?
Virtual numbers can be obtained by anyone and are not traceable to the accused

🎯 Key Takeaways: Part 5.3

  • Forensic expert: challenge qualifications, tool validation, methodology, malware check
  • Bank official: focus on KYC failures, response delays, missing IP logs, SIM swap
  • Telecom officer: CDR proves SIM activity, not user identity; a cell tower gives an area, not a location
  • Platform rep: email verification ≠ identity verification; IP logs are often unavailable after roughly 90 days
  • A dynamic or shared IP can be assigned to different users at different times; attribution needs an exact, time-zoned timestamp
  • Always check the BSA S.63 certificate: who signed it, and are the particulars complete?
  • No hash at seizure = no baseline to prove the evidence was not altered
  • A SIM can be used in any phone; IMEI changes in the CDR show handset swaps

๐Ÿ“ Assessment โ€” Part 5.3 (10 Questions)

1. Forensic expert's qualification can be challenged under:
BSA S.39 (formerly IEA S.45) requires an expert to be specially skilled in the relevant science, with special knowledge acquired by study or experience.
2. A CDR (Call Detail Record) proves:
The CDR shows which SIM made the calls; a SIM can be used by anyone, so it does not prove identity.
3. Social media IP logs are typically retained for:
A limited, platform-specific period (around 90 days is commonly cited); confirm the policy and whether a preservation request was served.
4. Key question for a bank official in a fraud case:
An OTP sent to a different number indicates SIM swap fraud or an unauthorised contact change, not the accused's doing.
5. A dynamic IP address means:
Dynamic IPs are reassigned; the same IP may belong to different users at different times.
6. Cell tower location proves:
Cell tower coverage is often several kilometres across; it proves an area, not an exact location.
7. International standards for digital forensics:
ISO/IEC 27037 (identification, collection, acquisition and preservation of digital evidence) and NIST SP 800-86 (integrating forensic techniques into incident response) are the key standards.
8. Platform email verification proves:
Email verification confirms access to the mailbox, not identity; anyone with access to the email can create the account.
9. A forensic expert should check for malware to:
A malware check rules out the possibility that the files were planted remotely, which is the defence's alternative explanation.
10. A bank's delayed response to a fraud report is relevant because:
RBI requires banks to act promptly on fraud reports; delay can show negligence on the bank's part.