DIGITAL FORENSICS LAB NOTEBOOK - Lab 04 — Kharian Cyber Harassment Case

01 — CASE INTAKE INFORMATION PECA Sec-29 · Sec-30 · Sec-31 — Investigation Powers

STATUS: CLOSED ACCUSED CONVICTED CASE YEAR: 2016

Case Reference No. * FIA Cybercrime Wing — Lahore

FIR No.

PECA Section(s) Invoked *

Date of Complaint *

Date of Lab Assignment *

Reporting Centre (CCRC)

Offence Category *

Investigation Priority

COMPLAINANT / VICTIM INFORMATION QSO Art. 164 — Victim as Witness

NOTE: Under PECA Sec-21, victim identity in cases involving personal data / intimate images shall be kept confidential. Name withheld per court order — Dawn News (Nov 30, 2016).

Full Name *

CNIC / Passport No.

Contact No.

Gender

City / District

Brief Description of Incident *

ACCUSED INFORMATION PECA Sec-29 — Accused Particulars

Name of Accused

Occupation

Relation to Victim

Arrest Status

Court

Final Verdict

LEAD INVESTIGATOR & EXAMINER ASSIGNMENT

Investigating Officer Name *

Badge / Employee No.

Forensic Examiner (DFE) Name *

Forensic Lab Reference

Prosecuting Officer / Law Officer

Supervisor / DD Approval

02 — DIGITAL EVIDENCE INTAKE LOG PECA Sec-29(2) — Seizure of Evidence

CASE NOTE: Evidence included digital artifacts from the accused's device(s), Facebook account activity logs, and uploaded morphed images. FIA Lahore collected and processed all digital evidence. Conviction was supported by digital evidence and a court confession.

EV-ID	Type	Description / Model / SN	Collected From	Date/Time	Collected By	Condition

HASH VERIFICATION (INTEGRITY CHECK) ISO 27037 · NIST SP 800-86

MANDATORY: Hash values MUST be computed immediately upon acquisition and again after examination to confirm no tampering occurred. Values below are placeholders — must be completed by assigned DFE.

EVIDENCE ITEM: EV-001 — Accused Device

MD5:

SHA-256:

Tool Used:

Verified By:

Time:

EVIDENCE ITEM: EV-003 — Morphed Image Files

MD5:

SHA-256:

Tool Used:

Verified By:

Time:

03 — CHAIN OF CUSTODY (CoC) PECA Sec-30 · Police Rules 1934 Ch. XVII

LEGAL BASIS: Pakistani courts require a documented CoC to confirm evidence was not tampered. The conviction in this case was upheld partly due to intact digital evidence and a recorded confession. (Additional Sessions Judge, Lahore, 2016)

ENTRY #1 — VICTIM COMPLAINT & INITIAL INTAKE

Evidence ID(s)

Transferred From

Transferred To

Date & Time

Purpose

Officer Name

Remarks

ENTRY #2 — SUSPECT DEVICE SEIZURE AT ARREST

Evidence ID(s)

Transferred From

Transferred To

Date & Time

Purpose

Officer Name

Remarks

ENTRY #3 — FORENSIC LAB EXAMINATION

Evidence ID(s)

Transferred From

Transferred To

Date & Time

Purpose

Officer Name

Remarks

ENTRY #4 — TRANSFER TO COURT (Sessions Court, Lahore)

Evidence ID(s)

Transferred From

Transferred To

Date & Time

Purpose

Officer Name

Remarks

04 — FORENSIC EXAMINATION NOTES PECA Sec-29 · NIST SP 800-86

Examination Start Date/Time *

Examination End Date/Time

Forensic Workstation / System

Operating Environment

Primary Tool Used

Secondary Tool(s)

Write Blocker Used?

Examination Steps / Methodology *

1. Received all evidence items (EV-001, EV-002, EV-003) under formal receipt from FIA Evidence Room.
2. Placed accused's device (EV-001) in hardware write-blocker before connection.
3. Created bit-for-bit forensic image using FTK Imager; MD5 and SHA-256 hashes computed and recorded immediately.
4. Loaded forensic image into Autopsy — full file system indexed.
5. Keyword search conducted: victim's name, Facebook credentials, image editing software artifacts.
6. Browser artifacts extracted — Facebook login sessions, saved credentials, upload history identified.
7. Facebook activity logs (EV-002) reviewed: unauthorized logins from accused's IP address confirmed, timestamps correlated with victim's complaint timeline.
8. Morphed image files (EV-003) examined using ExifTool — metadata confirmed image creation on accused's device; editing software traces found.
9. Recovered deleted files from unallocated space — additional incriminating data located.
10. Full forensic report compiled and submitted to prosecuting officer.

Attack Vector Analysis (Cybersecurity Perspective)

Network / Communication Artefacts

05 — KEY FINDINGS & ARTEFACTS QSO Art. 164 · PECA Sec-29 — Admissibility

FORMAT GUIDANCE: Each finding states: what was found, where, when, how it links to the offence, and evidentiary weight. All findings corroborated by accused's court confession (November 2016).

FINDING #1 HIGH

Artefact Path / Location

Timestamp (Created / Modified)

Linked PECA Section

Evidence ID Source

Description & Significance

FINDING #2 HIGH

Artefact Path / Location

Timestamp (Created / Modified)

Linked PECA Section

Evidence ID Source

Description & Significance

FINDING #3 HIGH

Artefact Path / Location

Timestamp (Created / Modified)

Linked PECA Section

Evidence ID Source

Description & Significance

FINDING #4 HIGH

Artefact Path / Location

Timestamp (Created / Modified)

Linked PECA Section

Evidence ID Source

Description & Significance

EXECUTIVE SUMMARY OF FINDINGS

Summary for Court / Prosecuting Officer

Digital forensic examination conducted by FIA Cybercrime Wing (Lahore) on evidence items EV-001 through EV-004 confirmed the following: (1) The accused, Yasir Lateef, gained unauthorized access to the complainant's Facebook account through password compromise; (2) The accused created morphed/edited objectionable images of the victim using software on his personal device; (3) The accused uploaded these images to the victim's hacked account as part of a blackmail campaign demanding a personal relationship; (4) All digital evidence was corroborated by the accused's voluntary confession before the Additional Sessions Judge, Lahore. The digital evidence timeline is internally consistent and no tampering was detected in examined exhibits. The case was prosecuted under the Electronic Transaction Ordinance 2002 (applicable law in 2016). Under current PECA 2016 provisions, the offences would attract Sec-3 (Unauthorized Access), Sec-20 (Cyber Harassment), and Sec-21 (Offences Against Dignity of Persons).

Conclusion / Opinion of Forensic Examiner

07 — OFFICIAL SIGN-OFF & CERTIFICATION CrPC Sec-510 · PECA Sec-30

LEGAL NOTE: Under CrPC Sec-510, this report when signed by a qualified examiner constitutes prima facie evidence in court. In this case, the Additional Sessions Judge, Lahore accepted the digital forensic evidence alongside the accused's court confession, resulting in conviction (November 2016).

FORENSIC EXAMINER DECLARATION

DECLARATION: I certify that the digital forensic examination described herein was conducted by me or under my direct supervision; that all procedures followed accepted forensic standards; that the evidence was handled in a manner preserving its integrity; and that the findings documented are accurate and complete to the best of my professional knowledge.

FORENSIC EXAMINER (DFE)

INVESTIGATING OFFICER

DEPUTY DIRECTOR / SUPERVISOR

Lab Case File No.

Court Cause No.

Date Report Submitted to Prosecution

Submission Method

CASE OUTCOME: Verdict delivered by Additional Sessions Judge, Lahore — Accused Yasir Lateef CONVICTED. Sentence: 2 years imprisonment + Rs. 30,000 fine. Case reported: Dawn News, November 30, 2016. Victim refused out-of-court settlement and pursued full legal proceedings — a landmark outcome for digital justice in Pakistan.

08A — OFFICIAL PAKISTAN LEGAL & AGENCY LINKS

Government — Pakistan FIA Official Website www.fia.gov.pk Federal Investigation Agency — primary law enforcement body that investigated this case. Government — Pakistan FIA Cybercrime Wing (CCW) www.fia.gov.pk/ccw Wing responsible for investigating this case; now succeeded by NCCIA (April 2025). Government — Pakistan NCCIA — National Cyber Crime Investigation Agency www.nccia.gov.pk Replaced FIA CCW from April 2025 as primary cybercrime investigation authority in Pakistan. Government — Pakistan FIA Complaint Portal complaint.fia.gov.pk Official online portal for lodging cybercrime complaints — used for cases like this one. Primary Source — Case Report Dawn News — Case Report (Nov 30, 2016) www.dawn.com Primary news source for this case — Dawn News reported the conviction on November 30, 2016. Government — Pakistan Pakistan Telecommunication Authority (PTA) www.pta.gov.pk Regulatory body for telecom — relevant for IP tracing and SIM-related evidence in cybercrime cases.

08B — PECA 2016 & LEGAL FRAMEWORK REFERENCES

Legal Reference — Pakistan Digital Rights Foundation — FIA CCW Chapter (PDF) digitalrightsfoundation.pk Detailed chapter on FIA Cybercrime Wing structure, procedures, and PECA application. Research — Pakistan Digital Forensics & Criminal Investigations in Pakistan (RSIL 2024) rsilpak.org Authoritative legal analysis of digital forensics in Pakistan's criminal justice system. Covers PECA, QSO, CERT Rules 2023. Research — Pakistan Admissibility of Digital Evidence — Pakistani Justice System (PDF) pssr.org.pk Academic paper on chain of custody requirements, QSO Art. 164, and digital evidence admissibility. Research — Pakistan Digital Evidence in Pakistan: Legal Framework & Judicial Reliability assajournal.com Comprehensive 2025 study on PECA gaps, QSO standards, and chain of custody failures in Pakistani courts.

08C — INTERNATIONAL STANDARDS & LAB MANUAL REFERENCES

Standard Procedures Manual Digital Forensic Unit Procedures Manual (ISP, USA) in.gov/isp/labs Comprehensive DFU procedures manual covering chip-off, mobile forensics, LIMS documentation. Lab Manual — Academic Cybercrime Investigation & Digital Forensics Lab Manual (MRCET) mrcet.com Full university lab manual: browser history forensics, hash verification, Autopsy tool exercises. Standard — Chain of Custody CoC Practices in Digital Forensics — SEFCOM (ASU) 2024 sefcom.asu.edu Taxonomy of CoC practices including NIST 2012 CoC template for digital evidence management. Best Practice — Notebook How to Document Digital Forensic Investigations (ForensicNotes) forensicnotes.com Industry-standard guide: intake notes, chain of custody documentation, court disclosure best practices.

08D — APPROVED FORENSIC TOOLS REFERENCE

Autopsy

FREE · OPEN SOURCE

Full-featured digital forensics platform. Disk imaging, file recovery, timeline, keyword search. Applicable to cases like this.

FTK Imager

FREE (Imager only)

Forensic image creation, hash generation (MD5/SHA). Used for EV-001 imaging in this case.

ExifTool

FREE · METADATA

Image metadata extraction — used to confirm morphed images (EV-003) were created on accused's device.

Cellebrite UFED

COMMERCIAL · MOBILE

Leading mobile device forensics tool. Extracts WhatsApp, call logs, deleted files from Android/iOS.

Wireshark

FREE · NETWORK

Network packet capture. Useful for IP tracing in account hijacking cases.

Nirsoft Tools

FREE · WINDOWS

BrowserHistoryView, LastActivityView — useful for extracting Facebook session artifacts from Windows.

HashCalc / md5sum

FREE · HASHING

Hash verification utility. Used to verify integrity of individual image files (EV-003).

CAINE Linux

FREE · LIVE OS

Bootable forensic OS with built-in write blocking. Used in FIA-style training environments.

EnCase

COMMERCIAL

Enterprise-grade forensic platform. Court-accepted in Pakistan for major FIA investigations.

DIGITAL FORENSICS LAB NOTEBOOK — Lab 04