Objective
The Investigating Officer (IO) shall focus on:
Applying the correct provisions of law under the Information Technology Act, 2000, Bharatiya Nyaya Sanhita (BNS)/applicable criminal laws, and other relevant statutes.
Identifying, tracing, and prosecuting the offender(s).
Conducting a scientific, technology-driven, and legally sustainable investigation.
Preserving electronic evidence and maintaining chain of custody.
Preventing recurrence of cyber offences through effective enforcement and awareness.
Key Investigation Objectives
A. Disclosure and detection of the offence through complainant statements and technical evidence.
B. Application of relevant provisions of the Information Technology Act and criminal laws.
C. Collection and analysis of digital evidence, computer systems, and network resources.
D. Identification of offenders and securing conviction through forensic evidence.
E. Prevention and deterrence of cyber-enabled offences.
I. Registration of FIR and Preliminary Action
Register the FIR promptly under the appropriate provisions of law.
Identify the nature and classification of the cyber offence.
Send copies of the FIR to all concerned officers through online mode.
Provide a copy of the FIR to the complainant and obtain acknowledgment.
Record the complainant's statement in the vernacular language.
Mandatory Statement
The following statement shall be incorporated in Part-II Statements:
"I can identify the accused if they are shown to me."
II. Classification of Cyber Offences
The IO shall classify the offence under appropriate categories such as:
Offences Against Individuals
Identity theft.
Cyber stalking.
Cyber harassment.
Morphing.
Online impersonation.
Defamation through electronic media.
Cyber pornography.
Obscene publication.
Email spoofing.
Social media abuse.
Honey-trapping.
Financial and Commercial Cyber Crimes
Online cheating and fraud.
Credit card fraud.
Debit card fraud.
Internet banking fraud.
ATM skimming.
UPI and wallet fraud.
Cryptocurrency-related fraud.
Cyber extortion.
Money laundering through digital means.
Offences Against Organizations
Data theft.
Hacking.
Unauthorized access.
Data destruction.
Malware attacks.
Ransomware attacks.
Industrial espionage.
Intellectual property violations.
Trade secret theft.
Offences Against Government and National Security
Unauthorized access to government systems.
Critical infrastructure attacks.
Defence data theft.
Cyber terrorism.
Website defacement.
National security-related cyber intrusions.
III. Examination of Complainant
The IO shall collect:
Date and time of occurrence.
Date and time of discovery.
Nature of offence.
Details of systems affected.
Nature of financial loss.
Reputational damage caused.
Suspected persons or entities.
Beneficiary details if known.
Communication records.
Screenshots and digital evidence.
IV. Collection and Preservation of Electronic Evidence
The IO shall identify and seize relevant electronic devices including:
Hardware
Desktop computers.
Laptops.
Servers.
Mobile phones.
Tablets.
Hard disks.
SSDs.
Pen drives.
Memory cards.
Routers.
Modems.
Printers.
Scanners.
UPS systems.
Other digital storage devices.
Electronic Records
Emails.
Chat records.
SMS.
MMS.
Social media communications.
Website records.
Transaction logs.
System logs.
Audit logs.
Cloud storage records.
All seized items shall be properly sealed, documented, and preserved.
V. Digital Forensic Investigation
The IO shall obtain:
IP addresses.
Domain registration details.
Email registration information.
Login history.
Browser history.
Access logs.
Device identifiers.
Server logs.
Cloud account records.
Network traffic information.
Forensic Examination
The IO shall:
Preserve forensic images.
Avoid alteration of original evidence.
Maintain chain of custody.
Forward digital exhibits to Cyber Forensic Laboratories.
VI. Technical Investigation
The IO shall investigate:
Common Cyber Techniques
Email spoofing.
Phishing.
Vishing.
Smishing.
Data diddling.
Salami attacks.
Social engineering.
Hacking.
Cracking.
Malware attacks.
Trojans.
Worms.
Viruses.
Unauthorized access.
Data manipulation.
System Security Review
Where relevant, examine:
Firewall logs.
Intrusion Detection Systems (IDS).
Intrusion Prevention Systems (IPS).
Password policies.
Access control systems.
Authentication mechanisms.
Security procedures.
VII. Banking and Financial Fraud Investigation
In financial cyber crimes, the IO shall:
Obtain bank account details.
Collect transaction records.
Identify beneficiary accounts.
Coordinate with banks, financial institutions, payment gateways, and card issuers.
Freeze suspicious accounts wherever legally permissible.
Obtain ATM CCTV footage.
Investigate skimming devices and cloned cards.
VIII. Intellectual Property and Cyber Content Cases
The IO shall investigate:
Intellectual Property Violations
Software piracy.
Copyright infringement.
Trademark violations.
Patent-related offences.
Content-Related Offences
Obscene publications.
Defamatory content.
Fake websites.
Fake profiles.
Unauthorized publication of videos and images.
Leakage of confidential information.
The originator and publisher shall be identified through technical evidence.
IX. Collection of Supporting Evidence
The IO shall collect:
Identity proofs.
Registration documents.
Subscriber details.
KYC records.
ISP records.
Telecom records.
Tower location details.
CCTV footage.
Expert opinions.
Additional Technical Information
The following shall be documented:
Hardware configuration.
Software details.
Operating systems used.
Network architecture.
Internet/Intranet details.
Email addresses.
Phone numbers.
System users and administrators.
X. Expert Assistance
The IO shall seek assistance from:
Cyber Forensic Experts.
Network Security Analysts.
Banking Fraud Experts.
Software Specialists.
Hardware Experts.
Internet Service Providers (ISPs).
Cyber Crime Units.
Expert opinions shall be collected and incorporated into the investigation.
XI. Motive Analysis
The IO shall establish the motive, including:
Financial gain.
Revenge.
Harassment.
Extortion.
Personal rivalry.
Industrial espionage.
Intellectual property theft.
Political motives.
Ideological motives.
Entertainment or curiosity.
XII. Arrest of Accused
Upon tracing the offender:
Arrest shall be made in accordance with Section 41 CrPC/BNSS provisions, Supreme Court guidelines, and other legal safeguards.
Conduct recovery proceedings before independent witnesses.
Recovery Proceedings
Recover and seize:
Digital devices.
Storage media.
Documents.
Authentication devices.
Password records.
Other incriminating material.
XIII. Court Proceedings
The Investigating Officer shall:
Oppose bail where justified.
File applications through the Public Prosecutor for remand extension, verification of sureties, and Test Identification Parade (where applicable).
Maintain coordination with Cyber Forensic Experts and Prosecutors.
XIV. Property and Evidence Management
Deposit seized property before Court as required.
Obtain Property Identification (PI) Number.
Maintain chain of custody for all digital exhibits.
Preserve forensic images and reports securely.
XV. Charge Sheet and Final Report
Analyze all technical, documentary, and oral evidence.
Correlate IP addresses, user accounts, device ownership, financial transactions, and digital footprints.
Obtain expert opinions and forensic reports.
Prepare Draft Charge Sheet.
Obtain opinion from PP/APP.
Submit Charge Sheet/Final Report within the stipulated period.
Responsibility of Investigating Officer
The Investigating Officer shall ensure:
Proper classification of cyber offences.
Preservation of electronic evidence.
Timely forensic examination.
Coordination with banks, ISPs, and experts.
Scientific and legally sustainable investigation.
Effective prosecution through technical evidence.
Timely filing of Charge Sheet and Final Report.
Goal
To identify cyber offenders through scientific digital investigation, preserve and present electronic evidence in a legally admissible manner, recover losses wherever possible, secure conviction of offenders, and strengthen public confidence in cyber law enforcement.