Mobile Device Forensic Investigation in Malware Attacks in India

1. Legal Framework Governing Mobile Forensics in India

A. Information Technology Act, 2000 (IT Act)

Key provisions:

  • Sections 43 & 66 → unauthorized access and malware attacks
  • Section 66B → receiving stolen computer resource/data
  • Section 66C → identity theft (SIM swapping, credential theft)
  • Section 66D → phishing and impersonation scams
  • Section 66F → cyber terrorism (in severe malware cases)

B. Indian Evidence Act, 1872 (Section 65B)

  • Governs admissibility of electronic evidence
  • Requires certificate under Section 65B(4) for digital evidence in court

C. Criminal Procedure Code (CrPC)

  • Enables seizure of digital devices during investigation
  • Supports forensic examination under lawful custody

D. CERT-In Guidelines (Indian Computer Emergency Response Team)

  • Mandatory reporting of cybersecurity incidents
  • Log retention and cooperation obligations for service providers

2. Mobile Device Forensic Investigation Process in Malware Cases

Step 1: Identification

Investigators identify:

  • Malware-infected mobile devices
  • Suspicious APKs or apps
  • Unusual battery/network usage
  • Unauthorized background processes

Step 2: Preservation

  • Device placed in Faraday bag to prevent remote wipe
  • Airplane mode enabled
  • Hash values recorded to preserve integrity

Step 3: Acquisition

Methods used:

  • Logical extraction (SMS, contacts, app data)
  • Physical extraction (full memory dump)
  • File system extraction
  • Cloud extraction (Google Drive, iCloud backups)

Step 4: Examination

Analysts inspect:

  • Malicious APK code
  • Hidden services
  • Command-and-control (C2) connections
  • Permissions abuse (SMS, accessibility, microphone)

Step 5: Analysis

Key analysis activities:

  • Reverse engineering malware APK
  • Network traffic analysis
  • Timeline reconstruction
  • Data exfiltration paths

Step 6: Reporting

Final forensic report includes:

  • Chain of custody
  • Hash verification
  • Malware behavior analysis
  • Evidence mapping to IT Act violations
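The hash recorded at preservation (Step 2) is only useful if the report (Step 6) can show the same hash and an unbroken custody trail. The script below is an added illustration, not code from the original article; the file names, custodian names and sample image bytes are constructed.

```python
# Added example, not from the original article: a minimal evidence-integrity
# log covering Step 2 (hash at preservation), Step 3 (acquisition record) and
# Step 6 (hash verification and chain of custody in the report). File names,
# custodian names and the sample image bytes are constructed.
import datetime, hashlib, json, os, tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the extraction image through SHA-256 (images can be many GB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()

def record_acquisition(image_path, custodian, method):
    """Steps 2-3: fix the image hash at acquisition and open the custody log."""
    return {"image": os.path.basename(image_path),
            "method": method,  # logical / file system / physical / cloud
            "sha256": sha256_file(image_path),
            "custody": [{"who": custodian, "action": "acquired", "utc": utc_now()}]}

def hand_over(record, from_who, to_who):
    """Transfers are appended, never rewritten, so the log is an unbroken chain."""
    record["custody"].append(
        {"from": from_who, "to": to_who, "action": "transfer", "utc": utc_now()})

def verify(record, image_path):
    """Step 6: the report may cite the image only if its hash still matches."""
    return sha256_file(image_path) == record["sha256"]

def demo():
    """Constructed walk-through: acquire, transfer, verify, then detect a change."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "device_logical.bin")
    with open(image, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE EXTRACTION\x00" * 64)
    rec = record_acquisition(image, "Examiner A", "logical")
    hand_over(rec, "Examiner A", "Forensic Lab B")
    intact = verify(rec, image)
    with open(image, "ab") as f:  # simulate a single byte appended after seizure
        f.write(b"\x00")
    tampered_detected = not verify(rec, image)
    with open(os.path.join(workdir, "custody.json"), "w") as f:
        json.dump(rec, f, indent=2)  # attach to the final report / 65B certificate
    return intact, tampered_detected, len(rec["custody"])
```

The custody.json written by demo() is the kind of record that accompanies the extraction report and the Section 65B certificate; a single changed byte in the image makes verify() fail.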

3. Types of Mobile Malware in India

  • Banking Trojans (fake banking apps)
  • Spyware (silent SMS/call recording)
  • Ransomware apps (device lock + payment demand)
  • Phishing APKs (fake delivery/courier apps)
  • WhatsApp malware links
  • SIM toolkit exploitation malware

4. Key Case Laws in India Related to Mobile Malware & Digital Forensics

1. State of Tamil Nadu v. Suhas Katti (2004)

Facts:

Cyber harassment and obscene messages posted via online platforms using digital tools.

Legal Issue:

Admissibility of electronic evidence and cyber harassment liability.

Holding:

Conviction upheld using electronic evidence under IT Act and Indian Evidence Act.

Significance for Mobile Forensics:

  • First Indian case relying heavily on digital evidence
  • Established admissibility of electronic records in cybercrime cases
  • Foundation for mobile forensic evidence acceptance

2. Anvar P.V. v. P.K. Basheer (2014) (Supreme Court)

Facts:

Dispute over election evidence supported by electronic records.

Legal Issue:

Validity of electronic evidence without proper certification.

Holding:

Electronic evidence is inadmissible without Section 65B certificate.

Significance:

  • Critical for mobile forensic reports
  • Forensic data from phones must be certified to be valid in court
  • Strengthened procedural discipline in malware cases

3. Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020)

Facts:

Challenge to admissibility of electronic records in election dispute.

Legal Issue:

Whether Section 65B certificate is mandatory.

Holding:

Reaffirmed mandatory requirement of 65B certificate, with limited exceptions.

Significance for Mobile Forensics:

  • Mobile phone extraction reports require proper certification
  • Without certification, malware evidence may be rejected
  • Standardized forensic reporting became essential

4. Shafi Mohammad v. State of Himachal Pradesh (2018)

Facts:

Use of recorded electronic evidence in criminal proceedings.

Legal Issue:

Flexibility in producing electronic evidence when certificate is unavailable.

Holding:

Allowed limited relaxation when device is not in party’s control.

Significance:

  • Important in malware cases where device is seized by police
  • Ensures forensic evidence is not excluded due to procedural impossibility

5. Puttaswamy v. Union of India (2017)

Facts:

Challenge to Aadhaar biometric system and privacy rights.

Legal Issue:

Right to privacy under Indian Constitution.

Holding:

Privacy is a fundamental right under Article 21.

Significance for Mobile Malware Forensics:

  • Limits invasive mobile surveillance during investigation
  • Forensic access must balance privacy and necessity
  • Regulates spyware investigation boundaries

6. K.S. Puttaswamy (Aadhaar) v. Union of India (2018 – Aadhaar Judgment Follow-up)

Facts:

Challenge to biometric authentication systems.

Legal Issue:

Data protection and surveillance concerns.

Holding:

Data collection must follow proportionality and safeguards.

Significance:

  • Mobile forensic extraction must follow proportional safeguards
  • Prevents overreach in accessing personal phone data
  • Influences lawful interception procedures

7. State (NCT of Delhi) v. Navjot Sandhu (Parliament Attack Case) (2005)

Facts:

Use of call records and digital communication logs in terrorism case.

Legal Issue:

Admissibility of telecom and electronic data.

Holding:

Electronic call records admissible with proper proof.

Significance:

  • Validates telecom data in mobile forensic investigations
  • Supports tracking malware command-and-control communications

8. Avnish Bajaj v. State (Baazee.com Case) (2008)

Facts:

Online platform allegedly involved in circulation of illegal content.

Legal Issue:

Intermediary liability and digital responsibility.

Holding:

Platforms can be investigated under IT Act provisions.

Significance for Malware Forensics:

  • Establishes accountability of digital intermediaries
  • Relevant for app stores distributing malicious APKs
  • Supports forensic tracing of malware distribution chains

5. Mobile Forensic Tools Used in India (Common Practice)

Investigators use:

  • UFED (Cellebrite)
  • Oxygen Forensic Suite
  • Autopsy (open-source)
  • Magnet AXIOM
  • MOBILedit Forensic

These tools extract:

  • Deleted messages
  • App logs
  • Browser history
  • GPS traces
  • Malware artifacts

6. Challenges in Mobile Malware Forensics in India

A. Encryption

End-to-end encrypted apps limit access (WhatsApp, Signal)

B. Anti-forensic malware

  • Self-deleting apps
  • Obfuscated code
  • Root detection bypass

C. Cloud dependency

Data often stored outside India

D. Rapid malware evolution

New APK-based scams evolve weekly

E. Legal compliance delays

65B certificate and procedural delays slow investigations

7. Conclusion

Mobile device forensic investigation in India plays a crucial role in detecting and proving malware attacks. The legal system strongly depends on Section 65B compliance, IT Act provisions, and Supreme Court rulings on electronic evidence.

Key takeaway from case law:

Mobile forensic evidence is powerful but only legally valid when properly extracted, preserved, and certified under strict evidentiary standards.
