Forensic Science

UGC-NET/JRF Syllabus (UNIT- VII)

Archana Singh
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Contents
Hair 4
Structure Of Hair 4
Different Types Of Hairs 5
difference Between Human And Animal Hair 6
Determination Of The Gender From The Hair 7
Identification Of The Site Of The Hair 8
Forensic Comparison Of Hair 10
Observations Of Microscopic Examination 12
Microtomy 14
Fibers 16
Types Of Fibres 16
Collection: 21
Testing Of Fiber 21
Fibre Analysis 22
1. Preliminary Examination 22
2. Microscopic Examination 24
3. Instrumental Examination 25
4. Chemical Examination 30
Diatoms 32
Examination Of Diatoms 35
Pollens 39
Dust & Soil 41
Soil Examination 41
Paint 52
1. Documentation Of Evidence 52
2. Visual Examinations 53

1 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

3. Chemical Tests 54
4. Physical Match 55
5. Instrumental Methods Of Analysis 56
Glass 61
Ingredients: 61
Types Of Glasses: 64
Glass Fractures 67
Tests For Physical Properties Of Glass: 68
Cement 84
Major Components Of Cement 85
Types Of Cement 85
Forensic Analyses In Cement: 89
Sample: 89
Preliminary Adulteration Test Of Cement 89
Chemical Analysis Of Adulteration Of Cement 92
Instrumental Analysis Of Adulteration Of Cement 94
Petrographic Testing 95
Computer/Cyber Forensics: 96
Functions: 96
Parts 97
Category 97
Computer Hardware 98
Computer Software 98
Computer Network 100
Computer Forensics 101
Different Types Of Computer/Cyber Crimes 102

2 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

The Cardinal Rules Of Cyber Forensic 122

Steps Taken By Computer Forensics Experts 122
Computer Evidence Processing Steps 124
Digital Evidence 125
Collection Of Digital Evidences 125
Volatile Evidence 126
Disk Imaging 129
Different Types Of Computer Virus 130
The Four Phases Of Data Recovery 135
Software Used For Data Recovery 135
Types Of Digital Forensic Tools 136
Tools Used For Forensic Analysis 137
Mobile Forensics 142
Examination & Analysis 143
Non-Invasive Methods 143
Invasive Methods 144
Mobile Analysis Phases 145
Reference: 152

3 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Hair
Hairs, which are comprises chiefly the protein
keratin, can be well-defined as slender extensions of
the covering of mammals. Every class of animal
retains hair with specific measurement, pigment,
structure, root exterior, and inner minute features
which differentiate animals from each other.

Structure Of Hair

Hair strands has a complex arrangement containing

of numerous layers if we start from the exterior we
find

1. The cuticle, The outer layer of the human hair

shaft is called cuticle.,

2. Cortex is a hollow cylindrical composed of fine

fibers of protein material, comprises the majority of
the hair and carries pigment material.

3. The medulla that is disordered and exposed

surface at the fiber's middle. The medulla begins
less or more near the root. In many animals, the
medulla is very broad; occupying two-third or more
of the shaft diameter .In man it is narrow occupying

4 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

only about 1/3rd of the width. Medulla may be

classified into two types continuous or fragmented.

Different Types Of Hairs

The diversity of various kinds of hair is enormous,

inconsistent from close-fitting lean curls to ruler-
straight. The pigment and form of hair differ.

Scientists have identified three basic types of hair in

today's human population, and have related them to
these three early races: Asian, Caucasoid and
African.

Caucasoid (European)

Hairs of Caucasoid or Caucasian origin can be of

sufficient to medium coarseness, are usually
straight or wavy in look, and display shades ranging
from pale to brown to black. The hair strand of
Caucasian hairs differs from round to oval in cross
section and has reasonable to medium-sized,
consistently distributed pigment granules.

Mongoloid (Asian)

5 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Hairs of Mongoloid or Asian origin are frequently

rough, straight, and round in cross section, with a
broader thickness than the hairs of the former
racial groups. The outer coating of the hair, the
cuticle, is typically expressively denser than the
cuticle of Negroid and Caucasian hairs, and the
medulla, or central canal, is continuous and wide.

Mongoloid hair can have a distinctive reddish look

as a product of its pigment.

Negroid (African)

Hairs of Negroid or African origin are repeatedly

curly or kinky, have a compressed cross section, and
can look like curly, wavy, or twisted. Negroid color
grains are bigger than those originate in Mongoloid
and Caucasian hair and are assembled in masses of
dissimilar sizes and shapes. The thickness of the dye
in the hair shaft can be so abundant as to make the
hair dense.

DIFFERENCE BETWEEN HUMAN AND ANIMAL HAIR

Characteristic Human Hair Animal Hair

1 Scale are small, Scales are large,

6 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Cuticle flattened and polyhedral,

surround the wavy and do not
shaft completely. surround the
shaft completely

2 Narrow, may be Broad, always

absent, present and
Medulla
fragmented or continuous.
discontinuous

3 Thick, 4 to 10 Thin, rarely

times broad as more than twice
Cortex
medulla the breath of
medulla.

4 Medullary Less than 0.3 More than 0.5

Index

5 Pigment More towards the Uniform,

periphery of peripheral or
cortex central

Determination Of The Gender From The

Hair
The sex of a person cannot be confirmed from hair
examination. Length of a complete hair and its

7 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

refractive index will sometimes be indicative of the

sex. Recently success has been observed in
determining the sex on the existence or
nonexistence of Barr-bodies from the hair root
sheath cells. The absence of Barr body indicates the
sex to be of a male while its presence to be that of
females. The males hairs are morphologically much
thicker than female‘s hairs.

Identification Of The Site Of The Hair

General features of the hair in determining body
areas from where, the hair have been originated.

1. Scalp Hairs
Scalp hairs are extended enough with variable shaft
diameter.
Medulla lacking to uninterrupted and quite narrow
when, associated with its arrangement of hairs from
further body areas. These types of hair are with cut
or divided ends.

2. Pubic Hairs
Pubic hairs has shaft diameter course, with wide-
ranging variation and „buckling‖. The medulla is
relatively broader and mostly unbroken if present.
The roots are frequently with follicular tags, and the

8 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

tips are usually rounded or abraded. They has a stiff

texture.

3. Limb Hairs (arm or leg)

Limb hairs of diameter are very fine in with slight
deviation. The gross presence of hair has arc-like
shape. The medulla is broad, discontinuous and
with a rough appearance and they have a soft
surface.

4. Moustache Hairs
The diameter of the moustache hairs is very coarse
with irregular or trilateral cross sectional structure.
The medulla is very wide and uninterrupted.

5. Chest Hairs
The shaft diameters of the chest hairs are
appropriate and adjustable. The tips are elongated
and fine, arc-like and have a stiff texture.

6. Auxiliary or underarm Hairs

They resemble like pubic hairs in overall
appearance. The diameter is appropriate and
variable, with fewer ―buckling‖ than the pubic hairs.
The tips are elongated and fine and have a bleached
appearance.

7. Other

9 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

1. In case of eyebrow hair: some fluctuation

fusiform in appearance.
2. In case of eyelash hair: little, stubby with small
shaft diameter fluctuation and fusiform in
appearance.
3. In case of Trunk hair it is a mixture of structures
of limb and pubic hairs.

Forensic Comparison Of Hair

Morphological features for comparison

Morphological features of hair are a comparative
study used in anatomy, histological and biological
variations. For human hairs, these characteristics
can be broadly grouped into Colour, structure and
treatment. Hair Colour, shaft, medulla and scales
characterize variable animal hairs.

1. Colour
The colour of hair depends on its pigment, surface,
transparency and reflectivity.Colour is probably the
most useful characteristic for comparison.

10 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

2. Structure
The diameter, medullation, cross section, cortical
fusi and spatial configuration reflect the hair‘s
structure. The diameter can be measured and the
medullation can be classified according to various
schemes.

3. Treatment
Cut tips may be freshly cut, split, frayed or worn and
the angle of cut may be significant. The shape of root
may not only indicate the method of hair removal,
but abnormalities may also provide valuable
comparative data. Bleached or dyed hair can usually
be identified by distinct demarcation near the
proximal end between the treated and untreated
portion of the shaft. The treatment of hair shaft
sometimes shows the signs of chemical where, the
cuticle is often damaged and cortical cells,
separating under the chemical assault, may be
distinct.

Various types of microscopes are used for

examination of hair. These are:

11 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Stereomicroscope
For initial examination of mounted or unmounted
hairs stereomicroscopes are used with
magnification range of upto 100X.

Transmitted Light Microscope

For identification and examination of hair high
quality transmitted light microscope is required.
The objectives and eyepieces should permit
observations in the range of approximately 40X to
400X. Examiner‘s ability to observe certain features
is enhanced by using a polarized light microscope.

Comparison Microscope
While comparing microscopic characteristics of
hairs, high quality transmitted light microscope is
necessary. High quality objectives are important.
The objectives and eyepieces selected should permit
observations in the range of approximately 40X to
400X.

Observations Of Microscopic Examination

Preliminary microscopic examination is carried out
without cleaning or mounting the hairs. It reveals
their color, contamination and character whether
they are curly, wavy, soft or coarse, whether the
12 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

ends are frayed or have tips or whether roots are

present or not. It is possible to say whether the hair
have been pulled out, cut or fallen. Pulled out hair
have live bulbs and signs of stretching near the bulb
while the fallen hairs the root bulbs are found
shrunken. The detailed microscopic examination of
hairs is done after cleaning them in alcohol-ether
mixture (or acetone). They are then mounted in
Canada Balsam on a microscopic slide and
examined with a magnification of about 400X.

The examination reveals:

 Actual color of hairs

 Whether the hairs have been dyed or bleached.
 The part of the body from which the hairs have
come.
 The morphology of the hair.
 The Medullary Index. The medullary index of the
human hair is commonly less than 0.3 and in
animals generally it is more than 0.5.
 Medullary index varies somewhat in male and
female hairs and in the hairs from different parts
of the body. Ordinarily, the medullary index is
greater in woman when hair from the
corresponding parts of the body is compared. The
13 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

male beard hairs have greater medullary index

than hairs from other parts.
 Medulla may be continuous, fragmentary or it may
be absent in human beings. It may be masked
sometimes by the hair pigment. It is made visible
by bleaching the hair.
 Pigmentation distribution
 The roots and the ends- They reveal whether the
hair has been pulled out or not. Whether they have
been cut and if so when they were last cut.
 Any deformity or disease in the hair.
 Vacuoles- They give characteristic formations in
certain species which are useful in their
identification. They are also known as air bubbles.

Microtomy
The cross sections of hairs are obtained with the
help of an instrument called microtome, clean hair
is embedded in hard wax, plastics or flesh
(hardened by special treatment) and sliced. The
cross sections of hairs, obtained, are placed on a
microscope slide treated with albumen. The
embedding material is removed with a suitable
solvent and the sections are fixed in Canada Balsam.

14 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Microscopy reveals the cross sectional structure of

hair.

Microtomy is helpful to determine pigment

distribution, medullary shape and medullary index
of the hair. In human hair the pigment is found
concentrated near the periphery of the cortex close
to cuticles while in animals, pigment concentration
are near the medulla and in the cortex. It also
permits proper study of the shape of cross sectional
area.

15 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Fibers
Fibres are thread like structures from fabric and
other materials which are easily identifiable under a
microscope. The fibre examination can determine
whether the fibres are natural or manmade. Its
source can be determined by comparing it with fibre
from a known source.

Types Of Fibres

Depending upon their source, fibres are broadly

divided into two categories:

Natural Fibres
Natural fibres are further divided into two
categories:

16 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Natural fibers include those produced by plants,

animals, and geological processes. They are
biodegradable. Natural fiber divides into 3 parts.
1) Animal fiber
2) Vegetable fiber/Plant Fiber
3) Mineral fiber

 Synthetic Or Man-Made Fibres

These fibres are alternative to the natural fibres.
More than 50 percent of the fibres are man-made.
They may be originated from natural materials like
cotton and some from synthetic materials like
rayon. The most common examples of man-made
fibres are nylon, Dacron followed by acrylic etc.
These are mostly used in garments, foam padding
and sound proofing etc.

Synthetic fiber is classified into:

1. Regenerated Fibres

Regenerated fibers are manufactured from natural

sources, including modal, and Lyocell.

17 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

2. Semi-Synthetic Fibres

Semi-synthetic fibers are made from raw materials

with naturally long-chain polymer structure and are
only modified and partially degraded by chemical
processes, in contrast to completely synthetic fibers
such as nylon (polyamide) or dacron (polyester),
which the chemist synthesizes from low-molecular
weight compounds by polymerization (chain-
building) reactions.
The first semi-synthetic fiber is rayon.

3. Synthetic Fibers

Synthetic come entirely from synthetic materials.

Synthetic fiber more than natural fiber.it is low of
cast in comparison to natural fibers. Synthetic
fibers are as follows:

 Metallic fibers
Metallic fibers can be drawn from ductile metals
such as copper, gold or silver and extruded or
deposited from more brittle ones, such as nickel,
aluminum or iron. See also Stainless steel fibers.
 Carbon fiber

18 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Carbon fibers are often based on oxydized and

via pyrolysis carbonized polymers like PAN, but
the end product is almost pure carbon.
 Fiberglass
Fiberglass, made from specific glass, and optical
fiber, made from purified natural quartz, are also
man-made fibers that come from natural raw
materials, silica fiber, made from sodium silicate
(water glass) and basalt fiber made from melted
basalt.
 Polymer fibers
Polymer fibers are a subset of man-made fibers,
which are based on synthetic chemicals (often
from petrochemical sources) rather than arising
from natural materials by a purely physical
process. These fibers are made from:
 Polyamide Nylon
 PET or PBT Polyester
 Phenol-Formaldehyde (PF)
 Polyvinyl Chloride Fiber (PVC) Vinyon
 Polyolefins (PP and PE) Olefin Fiber

RAYON is made from wood, smooth and glass-like

rods, stretchable. It doesn't wrinkle, is soft and

19 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

absorbent. Viscose fiber of rayon looks irregular

when viewed cross sectionally.
ACETATE is a created from wood. Under the
microscope there are grooves that run the length of
the fibers. Acetate is soft, smooth, and will melt
under a hot iron. It does not absorb water. The
fabric is cool.
NYLON is derived from coal. The fibers under the
microscope are smooth and clear rods. Nylon is
shiny, tough, and stretchable and melts under a hot
iron. The fibers are nonabsorbent, quick drying, and
don‘t wrinkle. the fabric is cool but clammy.
ACRYLIC is made from petroleum. Under the
microscope the fiber is dog-bone shaped with
apparent cut ends. The fabric is lightweight, warm,
and quick drying.
POLYESTER is derived from petroleum. Under the
microscope the rod shaped fiber looks like nylon but
is not clear. The fiber does not wrinkle, is silk-like,
strong, and absorbent.
SPANDEX: Spandex fiber has the outstanding
characteristic of appearing like groups of fibers
fused together. However, different variants of
spandex show different characteristics too. The

20 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Lycra fiber looks like fused multifilaments cross

sectionally. Individual fibers are dotted and in
shape like that of dog-bone. If viewed longitudinally,
they appear straight.
GLASS: The glass fiber looks smooth, round,
translucent, shiny and flexible.

Collection:

Collect large items such as clothing in separate

paper bags.
Some of the common collection methods include
individual fibre collection using tweezers or
vacuuming or by tape lifting.

Testing Of Fiber

• Burn Test- Look at how a fiber burns, its odor, and

appearance of ash.
• Thermal decomposition- How a fiber breaks down
when heated.
• Chemical test- Test the solubility and
decomposition of a fabric using strong acids
(Hydrochloric acid or sulfuric acid) or strong bases
(NaOCl, acetone, NaOH).This determines the fabrics
polymers.

21 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

• Density- Density of water is 1.00 g/ml. Olefin is the

only fabric that will float in water.
• Refractive index- Bending of light as it passes from
air into a solid or liquid. Investigators measure the
refractive index of an unknown sample with liquids
of a known refractive index. Place the sample in
different liquids until Becke line is no longer visible.
• Fluorescence- Some fibers will fluoresce when
exposed to UV light. Laundry soap and some bleach
have whiting agents that cause blue light to be
reflected making it appear whiter.
• Dyes- Investigators use a fabric to see if it accepts a
particular dye so as to identify and compare it to an
unknown sample.

Fibre Analysis
1. Preliminary Examination
The fibres are examined visually with a hand
magnifier and under stereomicroscope. The study
includes:
1. The twist of the thread, string, rope or cord.
2. The number of strands
3. The number of threads in the string
4. The number of fibres in each thread.
22 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

5. The defect in the thread or weave pattern.

6. The thread counts of cloth, both in weft and warp.
7. If recovered torn piece of cloth originally formed
part of the standard provided, a mechanical fit may
indicate the common source.
Using ultraviolet rays and polarized light extends
the microscopic examination and provides
additional discriminating data.
 PHYSICAL PROPERTIES
Density, refractive index, melting and softening
point and tensile strength give important
information about the fibres.
 FIBER COLOR
Various dyes are used to give fibre its desired color.
Colouring of individual fibres is done before being
spun into yarns. The dyes of crime and specimens
samples can be compared using comparison
microscope and other instrumental techniques.
 MICROTOMY
The cross sections of fibres are obtained with the
help of an instrument called microtome, clean fibre
is embedded in hard wax, plastics or flesh
(hardened by special treatment) and sliced. The

23 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

cross sections of fibres, obtained, are placed on a

microscope slide treated with albumen. Microscopy
reveals the cross sectional structure of hair.

2. Microscopic Examination
Apart from the visual examination of single fibre
with a comparison microscope, some of the methods
for fibre examination are:

Scanning Electron Microscopy

Scanning electron microscopy is a method of
photography which requires an instrument called
scanning electron microscope. This type of
microscope uses electrons rather than light to form
an image. There are many advantages of using SEM
instead of light as it allows a large amount of sample
to be in focus at one time.

Atomic Force Microscopy

Atomic force microscopy is a method which is
carried out using an atomic force microscope. It is
an instrument to analyze and characterize samples
at the microscopic level. The instrument will allow
an analyst to look at the surface characteristics with
very accurate resolution ranging from 100
micrometers to even less than 1 micrometer.

24 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Stereomicroscope
This is used for low-magnifications, where its long
working distance and upright image assist in
searching small items of evidence or tapes and in
recovery and manipulation of individual fibers.
Polarizing microscope
The polarizing microscope is similar to a
conventional biological microscope with additional
features which facilitate observations and
measurements with plane polarized light.

Comparison microscope
This instrument permits direct comparison of such
fiber properties as morphology, diameter and color.
Fluorescence microscope
This microscope should be of modern design,
equipped for incident illumination.

3. Instrumental Examination
1. Infrared Spectroscopy
Infrared spectroscopy is an important tool in
determination of functional groups within a fiber.
Functional groups in dyes and finishes also can be
detected by this technique.

25 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

2. Ultraviolet-Visible Spectroscopy
The UV spectra of fibers, dyes, and finishes may
offer clues regarding the structure of the materials,
besides it may also demonstrate the nature of
electronic transitions that takes place within the
material when light is absorbed at various
wavelengths by unsaturated groups giving an
electronically excited molecule.

3. Nuclear Magnetic Resonance Spectroscopy

It measures the relative magnitude and direction
(moment) of spin orientation of the nucleus of the
individual atoms within a polymer from a fiber in
solution in a high- intensity magnetic field.

4. X-Ray Diffraction
X-rays diffracted from or reflected off of crystalline
or semi-crystalline polymeric materials will exhibit
patterns associated to the crystalline and
amorphous areas in the fiber.

5. Thermal Analysis
The chemical and physical changes within fibers
may be examined by measuring changes in certain
properties as minor samples of fiber are heated at a
steady rate over a given temperature range in an

26 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

inert atmosphere such as nitrogen. The four

thermal characterization methods are
(1) Differential thermal analysis (DTA)
(2) Differential scanning calorimetry (DSC)
(3) Thermal gravimetric analysis (TGA)
(4) Thermal mechanical analysis (TMA)

6. Scanning Electron Microscope (SEM)

The microscopic examination is useful to find out
the structure, nature, diameter, presence or
absence of contamination, colour and the cross
sectional structure.

7. Atomic Force Microscopy

Atomic force microscopy is a method which is
carried out by using an atomic force microscope,
which is an instrument that can analyze and
characterize the sample at the microscopic level.

8. Pyrolysis Gas Chromatography (PGC)

This is a technique in which the synthetic fibers are
pyrolysed under controlled condition.

9. Thin Layer Chromatography (TLC)

Thin layer chromatography is the technique for the
identifications and comparisons of the dyes on the

27 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

fibers. TLC has a limitation that is it cannot be done

for the yellow coloured fiber and also for small
lengths of fiber.

10. FTIR
It is based on the absorption and wavelength of light
in a fabric polymer and it can be used on a single
fiber. It is non-destructive in nature.

11. PGS-MS
This technique burns and separates each
combustion product of sample, match results of
chromatogram & products to the known. It can be
used in short length fibers but is destructive in
nature.

Sample Physical Specific Burning Microscopic

examination gravity examination examination
White
colored In flame it Single,
thread, ignites elongated
rough in immediately cell,
touch, high , and gets spirally,
Cotton crystalline, 1.54 easily twisted,
hydrophilic converted ribbon and
nature, not into ash. tube like
dissolved in structure.
common
solvent.
Fiber is In flame Fiber has
Brownish in non- single and
color, hard continuous elongated
Coconut and rough in 1.35 burning is thread like
seen,

28 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

touch. converts structure.

into ash
easily.
Fiber has
Nodal point It Burns irregular,
of thread is slowly and roughly
Wool 1.25 cylindrical,
black in converts
color, warm into ash as multi
in touch. like small cellular
beads. structure
with
tapered end.
Ignite
immediately
, continuous
to burn, and
after Fiber has
Jute Rough and 1.50 complete non-
feel cool in burning continuous
touch. convert into filaments.
light colored
ash.
Shining Fiber has
appearance, Burns slowly fine and
sticky to and self- lustrous
Silk touch. It has 1.25- filament
1.30 extinguishab
moderate le. which is
electrical triangular
resistivity. and rod
shaped in
structure.
Moderate
recovery On burning
from low the thread of
elongations, Fiber has
this fiber smooth and
moderate melts slowly,
heat straight
Polyester 1.38 self- thread like
conductivity, extinguishab
high appearance.
le, convert
resistivity, into ash as
shining like brittle
appearance, bead.
feels sticky
to touch.

29 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

It does not It has

It has burnt on smooth,
Smooth and heating, rounded,
straight flame can transparent,
Glass thread like 2.5 melt the shiny and
structure. fiber flexible
slightly, no thread.
conversion
in ash.
On burning It has
It has strong, it melts rounded,
perfectly slowly, self- smooth, fine
Nylon 1.30- extinguishab and
elastic, quite 1.35
stiff and le, ash is like translucent
brittle plastic thread.
structure. beads. Some time it
has shiny
appearance.

4. Chemical Examination

The chemical properties of fibers comprises the effects of

chemical agents including acids, bases, oxidizing agents,
reducing agents, and biological agents such as molds and
funguses on the fiber and chemical changes induced
within the fiber due to light and heat. Acids and bases
cause hydrolytic attack of molecular chains within a
fiber, whereas oxidizing and reducing agents will cause
chemica1 attack of functiona1 groups by oxidation i.e.
removal of electrons or reduction i.e. addition of
electrons. Such chemical attack can change the fiber's
structure and possibly leave the molecular chains within
the fiber.

30 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Samples Conc. Conc. Conc. Conc. C2H5O CCl4 Effect

HCl H2SO4 HNO3 NaOH H On
Litmus
Paper
Cotton Soluble Soluble Soluble Not Not Not Red To
soluble soluble soluble Blue
(Basic)
Coconut Soluble Not Soluble Not Not Not -------
soluble soluble soluble soluble
Wool Not Not Not Soluble Not Not Blue
soluble soluble soluble soluble soluble To Red
(Acidic
)
Jute Soluble Not Soluble Not Not Soluble -------
soluble soluble soluble
Silk Soluble Soluble Soluble Soluble Not Not Blue
(slightl soluble soluble To Red
y) (Acidic
)
Polyester Soluble Not Soluble Not Not Not Red To
soluble soluble soluble soluble Blue
(Basic)
Glass Not Not Not Soluble Not Not -------
soluble soluble soluble soluble soluble
Nylon Soluble Not Not Not Not Not Red To
soluble soluble soluble soluble soluble Blue
(Basic)

31 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Diatoms
Diatoms (class Bacillariophyta) are a type of mainly
aquatic, photosynthetic algae. Similar to many other
algae, they can live as unicellular organisms,
colonial, or filamentous. Diatoms generally range in
size from 2-200m and are composed of a cell wall
comprising of silica.
They are found in marine and freshwater
ecosystems as well as brackish water (Bold, 1978).
Of the 200 genera and 5000 species known, all are
eukaryotic and photosynthetic (Alexopoulos, 1967).
They contain chloroplasts that have been found to
have numerous photosynthetic pigments giving the
chloroplasts a typically golden brown color
(Garrison, 1997) Photosynthetic pigments include
chlorophylls a and c (green), as well as B-carotene
(yellow), fucoxanthin (brown), and small amounts
of diatoxanthin, diadinoxanthin, and other
carotenoids (Bold, 1978). Because of the
photosynthetic nature of diatoms, they have
traditionally been placed in the plant kingdom, but
many scientists today place them in the kingdom
Protista (Garrison, 1997)

32 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

All diatom skeletons are made of silica and consist

of two parts or frustules that fit inside each other
like a petri dish: the epitheca and the hypotheca
(Alexopoulos, 1967). The hypotheca is smaller and
fits inside the larger epitheca. The shape of the
frustule is the defining feature that is used to break
the diatoms into two distinct classes: the centric or
Centrobacillariophyceae and the pennate or
Pennatibacillariophyceae. The pennate diatoms are
usually radially symmetrical while the centric
diatoms are generally bilaterally symmetrical
(Alexopoulos, 1967). These two classes can be found
in both marine and freshwater habitats, but centric
diatoms are more likely found in the oceans while
the pennate diatoms are predominately found in
freshwater (Round, 1990). Reproduction of diatoms
can be either sexual or asexual (cellular division).
Cellular division is the ordinary method of
reproduction in diatoms (Bold 1978). In this
method, during the processes of mitosis and
cytokinesis, the two valves (hypotheca and epitheca)
separate slightly and the division of the protoplast
occurs in a plane parallel to the valves. Both parts of
the parent frustule become the epitheca of the new

33 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

cells resulting in one of the two cells being smaller

than the parent (Bold, 1978). The progressive
reduction in individuals' size is overcome because of
the flexibility of the new cell walls (Alexopoulos,
1967) or by sexual reproduction.
The predominant method of reproduction in
diatoms is sexual reproduction. Bold (1978) writes
that sexuality in diatoms has been associated with
diatom size: only individuals less than a certain size
can reproduce sexually. Sexual reproduction in the
centric diatoms is oogamous, meaning that this
process has a motile sperm or nonmotile
spermatium that reaches a nonmotile egg. The
pennate diatoms are a bit different. This order has
isogamous sexual reproduction meaning that the
gametes (egg and sperm) are indistinguishable. The
"offspring" of diatoms are called auxospores. These
new diatoms will increase in volume while forming
vegetative cells and solid silica shells (Alexopoulos,
1967).

34 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Examination of Diatoms

In 1942 Incze demonstrated that, during drowning,

diatoms could enter the systemic circulation via the
lungs. Their presence can be demonstrated in such
tissues as liver, brain and bone marrow following
acid digestion of the tissue. The use of diatoms as a
diagnostic test for drowning is based upon the
hypothesis that diatoms will not enter the systemic
circulation and be deposited in such organs as the
bone marrow unless the circulation is still
functioning thus implying that the decedent was
alive in the water. Before diatoms can be examined,
they have to be cleaned. This involves the removal of
cell contents, pigments, sand, mud or other material
likely to interfere with microscope examination.

Extraction methods

Acid digestion method: The Acid digestion method

for diatoms extraction accepted worldwide. It is
easy to perform and gives good results; [2,11,16-44]
are examples of workers who favoured this method
for dissolving tissues samples.

Nitric Acid Method:

35 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

1. Samples are collected from the suspected

drowning victim.
Care should be taken as to not contaminate the
sample with foreign diatoms during the process.
2. Intact femurs, for example, are removed at
autopsy and washed in distilled water. Femurs are
longitudinally sectioned using a clean band saw, and
the bone marrow about 50g is removed using a
clean spatula and placed into a boiling flask.
3. Approximately 50 mL of concentrated nitric acid
is added to the flask, and the marrow-acid
suspension is boiled on a hot plate for
approximately 48 hours-under a fume hood.
4. The suspension is then cooled and centrifuged, in
some instances two separate times, with the
supernatant discarded and the resulting acid-
resistant material dropped onto clean microscope
slides and the sediment is examined under the
microscope.

Sulphuric Acid Method:

1. This has the advantage of not causing violent

foaming. Check that all calcareous compounds have
been removed first; otherwise the sample will

36 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

become totally useless because gypsum crystals will

form.
2. When sample has settled completely, discard
supernatant.
3. Add concentrated sulphuric acid until the volume
is twice that of the original sample.
4. Add potassium bichromate. In contrast to the
H2O2 method, no special care is necessary as no
violent reaction occurs. Just add enough bichromate
to make for a saturated solution.
5. Let stand for 24 hours or more, or speed up the
reaction in a water-bath 60 degrees. Even so, it may
take several hours before the sample is clean. The
sediment should look grayish and no plant
fragments etc. should remain.
6. Let settle completely, discard supernatant and
rinse several times as described above.

Electron Microscopy

In order to examine the morphology of diatoms,

both transmission and scanning electron
microscopes are able to provide a much more
detailed image than light microscopes. These
microscopes were necessary for taxonomical

37 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

purposes, with the distinctions between species

being so minute at times. Electron or dark phase
microscopy is currently the main methods used for
analysis. These allow for more detailed imaging
than simple light microscopy.

Transmission Electron Microscopy (TEM):

This type of microscopy is best able to see the finer,

delicate details of the diatom frustule (even if the
frustule is not heavily silicified).

Scanning Electron Microscopy (SEM):

SEM is best suited for visualizing the entire diatom

frustule. It is a tool that can aid in viewing the gross
morphology of a diatom (both internal and external
parts).

38 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Pollens
 Pollen analysis begins in 1916 in Sweden with the
concept that was first outlined by Lennart von
Post.
 Earliest use of pollen as a forensics technique
may be unrecorded prior to 1950s.
 Earliest known use was in 1959.
 The key pollen evidence from the Shroud focuses
on four main types, all four are insect-pollinated
 Zygophyllum dunosum, Gundelia tournefortii,
Cistus creticus and Capparis aegyptia

Palynology is the study of pollen grains of seed

plants and the spores of ferns. These microscopic
particles (often referred to simply as ―pollen‖) are
abundant in almost all environments, are very
durable and may persist on surfaces and in soils for
many years; some of the oldest known fossils are
spores. Pollen grains are present in the air, they
constantly settle on surfaces and they are a
significant cause of hay fever.

Pollen is a form of trace evidence (trace material

being that which is present in small but measurable

39 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

amounts or that is microscopic in size – this may

also include fibres, hair, glass, etc.). The main
forensic application of pollen analysis is assisting to
prove or disprove a link between people and objects
with places or with other people.

One of the roles of a Palynologist (Pollen Expert) is

to reconstruct the vegetation of an area by analysis
of soil samples or other material containing pollen.
Examples include:

 Soil on clothing and shoes analysed for pollen

and compared with control soil samples from a
crime scene;
 Identification of pollen grains in drugs and
associated packaging may reveal whether or not
illicit drugs material originated overseas;
 Pollen on a body and associated clothing/items
may reveal whether an individual died at the
location where they were discovered.

40 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Dust & Soil

Forensic soil science uses soil morphology,
mapping, mineralogy, chemistry, geophysics,
biology, and molecular biology to address legal
questions, problems, or hypotheses. Knowledgeable
field soil scientists have much to offer the forensic
communities. Because of their unique ability to read
the landscape and describe and compare soil details,
they can recognize natural versus disturbed soils
and the extent of disturbance in a field. They can
also help by interpreting soil survey data, testing
soil reaction (pH), and identifying unmarked or
mismarked graves using geophysical tools.

Soil Examination

This is the preliminary stage for soil examination.

Differences in the visual features between
questioned and control samples mean that they
originated from different locations, suggesting that
any further examination is not necessary. If unique
foreign particles, soil aggregates, or other trace
evidence are found in soil samples, these particles
should be removed and preserved separately for
further examination.

41 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Screening of Soil Samples

The significance of a match between questioned

samples and control samples must be interpreted in
light of the variations among the questioned
samples and that among the control samples.

Color comparison and the determination of particle

size distribution of soil samples can be carried out
quite easily, and the combined data from those
measurements can be quite useful for
discriminating among samples.

1. Soil Color

Soil color, which reflects the pedogenic

environment and history, is one of the most
distinguishable characteristics of soil. Generally, the
Munsell Color System is used for soil color
determination, and the color is expressed by the
combination of hue, value, and chroma. Soil Color
Standards, in which color chips from the Munsell
Color System that cover the typical soil-color range
are arranged, are widely used in the laboratory and
the field. Dudley examined the usefulness of color
examination for forensic soil discrimination, and
proposed multiple color comparisons consisting of
42 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

three color measurements for each soil sample,

carried out on air-dried, moistened, and ashed
(850°C, 30 min) sample. He concluded that ashing
had very good discriminatory potential, but
moistening was less useful.

Color comparison of air-dried soil alone is

insufficient for sample discrimination. Soil color
can be seen as a result of a mixture of soil materials.
Iron oxides give soil a reddish, brownish, or
yellowish color, and humic substances make the soil
darker.

2. Particle Size Distribution

The method generally used to separate particle size

fractions is sieving, and the relative abundance of
particles in different size ranges, the so-called
particle size distribution, is useful to compare soil
samples.

Density Gradient Distribution

The observation of distribution of soil particles in a

density gradient column is the most traditional
method used for forensic soil comparison.

43 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

A density gradient tube is prepared by layering

liquids of varying densities in a glass tube such that
they gradually become less dense from the bottom
to the top. Liquids of varying densities are made by
mixing heavy and light liquids in various
proportions. Generally, bromoform (2.89 g/mL) or
tetrabromoethane (2.96 g/mL) is used as the heavy
liquid, and bromobenzene (1.50 g/mL) or ethanol
(0.789g/mL) is used as the light liquid. A soil sample
that has been dried and gently crushed is placed
onto the density gradient tube.

Rock Fragments and Sand Particles

As the brownish color of soil mineral particles are

mostly the result of staining by iron oxides, removal
of iron oxides is required prior to mineralogical
examination.

1. Rock Fragments

Rock fragments can be easily examined under a low-

power binocular microscope.

2. Sand Particles

44 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Microscopic examination of sand particles is an

essential technique for forensic soil comparison
because the sand fraction is one of the core
components of soil, and mineralogical information
on sand particles can be used to infer reasonable
relationships between questioned soil samples and
control ones. As examination of optical properties
using a polarizing microscope requires experience
and skill, as well as long and tedious effort.

We use 15 categories of mineral for identification:

quartz, alkaline feldspars, plagioclase, volcanic
glass, biotite, hornblende, hypersthene, augite,
olivine, chlorite, zircon, magnetite, rock fragments,
weathered particles, and other. If unique minerals
other than those categorized minerals exist in the
soil samples, they should be recorded.

X-ray differactometry (XRD) can also be applied to

the identification of primary minerals.

The amount of sample required for XRD can be

reduced to 2 mg by using a quartz non-reflecting
sample plate.

Examination with a polarized microscope.

45 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Application of a scanning electron microscope

equipped with an energy dispersive x-ray
spectrometer (SEM-EDX) to mineralogical
examination is the most promising approach for the
future.

Clay Minerals

Clay mineralogical composition reflects both the

pedogenic environment and the parent material,
such as sediments or metamorphic rocks. Clay
minerals relies on instrumental analyses.

Organic Matter

There is incredible complexity in the soil ecosystem

involving soil water, the cation-exchange and
adsorption capacity of clay minerals, temperature,
pH, soil atmosphere, solar radiation, oxidation-
reduction potential, and legions of biological
interactions.

Biotic Materials

1. Plant Fragments

Plant fragments are also frequently found on clothes

or car floors, providing useful information about a

46 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

link between a suspect and a crime scene. If leaves

are in a good condition of preservation, it is not
difficult to identify their species.

2. Plant Opals

Plant opals in soils are dependent principally on

vegetation and are independent of geological
materials. Surface soil contains silica particles
called plant opals or opal phytoliths, which are
formed through progressive silicification of cells in
plant bodies.

3. Diatoms

Diatoms are frequently observed in soil, since they

can found in various environments even during
temporary wet conditions. Because of the distinctive
diversity of diatom species and assemblages,
diatoms can provide useful information for forensic
soil identification.

Soil where sand from alluvial or diluvial deposits

has been used for construction may contain
microfossils.

4. Pollen and Spores

47 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Pollen of insect-pollinated species tends to remain

near the site of deposition of their flowers, whereas
wind-pollinated species disperse pollen long
distances and distribute it over an extensive area.

5. Microbiology

Soil is a treasury of microorganisms.

Instrumental Analysis

Inorganic Analysis
Elemental Analysis

• Soil characterisation
• Food provenancing

Particle Size Analysis

• Using laser diffraction to predict slope stability

Trace Particle Identification – SEM-EDS Analysis

• Compare fragments found on clothing with

identification of compounds and linking with
potential sources of contaminant XRD Analysis
• Identify contaminants in a consignment and
determine point of origin

48 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

XRF Analysis

• Provenance of whisky, composition of gold

ancient artefact

Organic Analysis
GC and GC- MS
• Sewage sludge concentrations and comparison of
source
• Comparison of soil from a vehicle from a crime
scene and assessing signature markers
• Isotope analysis to link to source
• Samples of soil found on carpets at entry/exit
points of aggravated burglary
• Faeces – the source animal can be identified using
molecular approaches
Organisms
• Comparison of soil from a grave site with soil from
a spade
• Characterisation of a diatom community to
represent type of habitat
Plant characterisation (natural species, tree species,
crop species, including potatoes, soft fruits and
cereals)

49 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

• Plant identification - fragments compared with

control varieties
• Crop cereal identification
• Plant DNA analysis to identify species from
unknown fragments
Other Methods
Geographical Information Systems (GIS)
 Mapping of soil and vegetation characteristics in
a georeferenced model system, used to narrow
areas of search
Organism identification
 Bacteria, fungi, diatoms, etc

Ceramics and Concrete

Hashimoto et al. reported an appropriate method

for forensic identification of ceramics. Their results
showed that sulfuric acid etching yields favorable
results for micromorphological observation by SEM.

Dust

If a particular combination of some unique

components in dust can be established, it can be
strong proof of contact with a particular place.
Benko described polarized microscopic observation

50 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

and FTIR analysis of dust. Cooking grease, vegetable

oils, some candle wax formulations, and certain
semivolatiles may provide definitive spectra.
Residues from cleaning/polishing products also
gave unique IR spectra.

51 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Paint
Paint is found on the surface of many things. It is
used mainly to protect the material it is placed on
and for decorative purposes. Paint formulations are
specific for what the paint will be used for. There
are automotive paints, architectural paints, tool
paints, bike paints, cosmetic paint (fingernail
polish), boat paints, etc. Through examination of
paint obtained at the scene of a crime a link could be
made between people, places, and/or objects. The
examination of paint usually involves the
comparison of paint from the crime scene with a
sample of paint that has been taken from a known
source.

1. Documentation Of Evidence

 The outermost sealed container must be marked

with the date received and the analyst's initials.
The evidence is then stored in a secured area until
analysis begins.

 At the beginning of the analysis, each item of

evidence is to be removed so that no cross-
contamination occurs and so that the item can be
clearly associated with its container.

52 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

2. Visual Examinations

Macroscopic Examination
The visual and macroscopic evaluation, description,
and documentation of the sample's original
condition is the first step in an analysis. It may also
be the final step if exclusionary features or
conditions are identified.
1. Describe as many physical features as possible.
These may include color, size, layers, texture, and
general condition.

Microscopic Examination
A stereomicroscope with a magnification ability of 5
-100 power or a polarizing light microscope may be
used for further evaluation of the physical
characteristics of paint samples.
1. Determine the number of layers and sequence of
layers in a paint sample. This may be accomplished
by turning the paint chip on its edge and viewing
with high magnification. If the layer characteristics
cannot be thoroughly determined, the paint chip
may be sliced with a razor blade or scalpel blade.

53 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

3. Chemical Tests

A. Solvent tests.
Paint samples may react with solvents by dissolving,
swelling, curling, softening or other physical
reactions. Acrylic lacquers are soluble in both
chloroform and acetone; nitrocellulose lacquers are
soluble in acetone and insoluble in chloroform.
Enamels are insoluble in both acetone and
chloroform.
1. Place the sample to be tested in spot plate well or
on a glass slide over a contrasting background.
Prepare the sample by slicing a thin cross-section or
by individually separating the layers. Place one drop
of chloroform on the paint sample and observe the
reaction with a microscope. Record the results.
2. Repeat the procedure with one drop of acetone. If
the sample treated with chloroform does not react
in any significant way, the same sample may be used
for the acetone test. If the sample does react with
chloroform, a new sample must be prepared.
Other solvent can also be used.
B. Chemical reagents.

54 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

1. The sample to be tested is prepared as described

for solvent tests. Diphenylamine solution is
prepared by mixing one gram of diphenylamine with
40 mls water and 200 mls concentrated sulfuric
acid. One drop of this solution is placed on the paint
sample and it is observed through a microscope to
determine if a cobalt blue color develops where the
solution contacts the paint. (The diphenylamine
solution must be verified by testing with a known
sample of nitrocellulose paint prior to use).
2. Other reagents may be employed as needed to test
for dye solubility, pigment effervescence,
flocculation, and color changes.

4. Physical Match

The most definitive comparison that can be made

between two otherwise visually similar paint
samples is the matching of reference and questioned
sample edges for a physical fit or matching the
surface on the underside of a paint fragment to
those on a parent surface. This assumes that the
samples in question exhibit sufficient uniqueness
for comparison.

55 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

A. The edges (or striae) of the samples are visually

examined macroscopically and, if appropriate,
microscopically for a physical fit.
B. Any physical fits should be documented by
photography or video microscopy or other
appropriate means.

5. Instrumental methods of analysis

A. Fourier Transform Infrared Spectroscopy (FTIR)

FTIR is employed whenever a comparison and/or

identification of paint film binders is necessary.
Also, some of the inorganic components of a paint
sample may be determined by FTIR.
The SBI Laboratory has two FTIRs available in the
Trace Evidence Section:
Perkin-Elmer 1725X with a SpectraTech IR-Plan
microscope.
Perkin-Elmer 2000 with a PE microscope
1. Paint samples may be prepared for FTIR analysis
by slicing a thin cross-section or by slicing thin peels
of each layer individually. The samples are then
rolled out on a glass slide using the roller end of a

56 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

roller knife. The prepared samples are transferred

to the surface of a KBr plate.
2. The KBr plate with the prepared paint sample is
placed on the stage of the FTIR microscope and
transmission IR data is collected in accordance with
the instrumental procedure for the particular FTIR
employed.

B. Pyrolysis/Gas Chromatography (PGC)

Pyrolysis is utilized when greater discrimination of

the paint binder constituents is needed.
The pyrograms may show minor components that
are not visible by FTIR. However, PGC may not be
appropriate for samples that are contaminated or
present in insufficient quantity for analysis.
1. The quartz sample tubes are cleaned for
approximately one minute over a Bunsen burner
and placed in a clean beaker to cool.
2. The paint samples are cut to the appropriate size
and placed in a foil. The foil is folded and placed into
the quartz tube. The procedures manual for this
method contains a diagram of how the sample is to
be prepared. (See JHP-22 Curie-Point Pyrolyzer
Instrument Manual).

57 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

3. A blank must be run prior to introducing any

sample.
4. Each item should be run at least two times to
ensure reproducibility. A blank must be run prior to
each new item.

C. Scanning Electron Microscopy/Energy Dispersive

Spectrometry (SEM/EDS).

Many paint samples contain one or more inorganic

extenders and/or hiding pigments.
Although most of these can be detected by FTIR,
some cannot. Also, if paint contains several
inorganic components, one or more may be masked.
1. Some samples, such as a clean, single-layer paint
film, may not require any preparation. However, if
more than one layer is present or if the sample is
not clean, it may be sliced in a cross-section or peel
as appropriate.
2. The prepared sample is placed on an SEM
mounting stub and submitted to one of the SEM
operators for analysis.

D. Microspectrophotometry

Colorimetry is used to discriminate the color of

visually similar paint samples.

58 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Microspectrophotometry is required to provide

colorimetric data for most forensic paint
comparisons due to the typically small size of the
specimens.
1. Diffuse reflectance (DR)
a. The surface of a paint layer is cleaned or
otherwise prepared for DR. The sample is placed on
a glass slide and data collected in accordance with
the instrumental procedure method for the
Nanometrics Nano 100 UVIR Microspot
Reflectometer Microspectrophotometer.
2. Transmission microspectroscopy
a. The paint sample is sliced in a thin section by
microtome or razor blade or scalpel blade and
placed on a glass slide. The data is collected in
accordance with the instrumental procedure
method for the Nanometrics Nano 100. If a
microtome is not available, care must be taken to
make the paint slices as uniform as possible.

E. X-ray Fluorescence (XRF)

This procedure is seldom used for paint analysis

but may be a useful complement to SEM/EDS.

F. X-ray Diffraction (XRD)

59 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

The procedure requires a larger amount of sample

than what is typically available in a paint evidence
case. However, if sufficient sample exists, XRD is
useful for determining precisely which inorganic
compounds are present.

60 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Glass
The raw materials for glass manufacturing are first
mixed together to form a batch and then melted in a
furnace to produce liquid glass.
Glass is defined as an amorphous, hard, brittle
substance which is usually transparent but
translucent and also opaque at times. It is formed by
the fusion of one or more oxides like that of silica,
boric oxide, phosphoric oxide and some metallic
oxides followed by rapid cooling of the fused
material to prevent crystallization of the
components involved.
In other words, glass can be considered as a super
cooled liquid of extremely high viscosity.

Ingredients:

Sand Or Silica:
Silica is the main ingredient for glass making, with a
very high melting point of around 2000 degree C.
This is the major reason why it is possible to make
products like halogen lamps from just silica itself.
It‘s mainly obtained from the pure sands of
Parengarenga Harbour of North Cape.

61 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

It is washed and sifted to remove shells, stones

before mixing.
Sodium Carbonate (Soda Ash) :
Sodium Carbonate is added to make the process of
glass manufacturing more efficient as it reduces the
melting point of silica to around 10000C. It was
earlier found in the ash of some plants but is now
produced from the table salt itself.
Lime or calcium oxide:
Calcium oxide is extracted from limestone. It is
added to counter the effect of sodium carbonate and
makes the glass non soluble in water. Its main
source is Waitomo.
Metallic Oxides:
Aluminium oxide and magnesium oxide are added
to further enhance the properties of glass.
Other Additives:
A number of different other ingredients are added
in order to change the properties of the finished
glass as per the requirement. Some examples are:
 Lead: Lead is added to make crystal glasses.
Because of its good reflective properties.
 Boron: The addition of boron changes the
thermal and electrical properties of the glass and

62 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

is thus, used to make Pyrex glassware that can

withstand extreme temperatures.
 Lanthium Oxide: With its excellent light
reflective properties, it is used to make high
quality lenses in glasses.
 Iron: It is used to absorb infrared energy in the
heat absorbing filters installed in the movie
projectors.

Colour Additives:

Colour to the glass can be done either by glass

oxidation or by introducing a large variety of
additives.
Glass oxidation is promoted by the addition of
carbon while the degree of oxidation is measured on
an arbitrary scale known as carbon number.
For example:
Clear glass has Carbon no : 0

Dark green glass has Carbon no : -28

Various additives and the colors they give :

Iron oxide: Blue green

Iron oxide and Chromium: Richer green

Sulphur, Carbon and iron salts: amber, yellow

63 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Manganese: purple

Selenium: Red or pink

Cobalt: Blue

Tin oxide, antimony and arsenic: White opaque

Copper oxide: Turquoise

Nickel: blue, Etc.

Types Of Glasses:

Depending upon the chemical composition, all

commercial glasses are divided into six basic
categories:
1. Soda lime Glass:
It is the most common and cheapest form of glass. It
is used for manufacturing window glass, bottles,
containers, light bulbs, bangles, ophthalmic lenses,
car head lamp etc. The common oxides found are
Na, Ca, Mg, Al.
The composition is as follows:

Silica : 60% - 70%

Soda : 12% - 18%

Lime : 5% - 10%

2. Lead Glass:
64 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

This type of glass has fairly high percentage of lead

oxide. It is quite soft and because of its high
refractive index, it gives brilliance to the glass. As a
result, it is used to make decorative glassware, neon
sign tubes, thermometer tubes, for the absorption of
X-rays and other radiations.
The composition is as follows:

Silica : 54% - 65%

Lead Oxide : 18% - 38%

Soda/Potash : 13% - 15%

3. Borosilicate glass:
This type of glass has got substantial amount of
Boric Oxide which makes it resistant to heat, acid
corrosion and alkalis. These glasses are used for
making laboratory glassware, domestic oven ware,
in industry for gauge glasses, pipelines,
photochromic glasses, sealed beam headlights etc.
The composition is as follows:

Silica : 70% - 80%

Boric oxide : 7% - 13%

Alkali : 4% - 8%

Aluminum Oxide : 2% - 7%

65 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

4. Aluminosilicate glass:
This type of glass has got aluminum oxide added to
it. Although it is similar to borosilicate glass but is
harder to fabricate and has got greater chemical
durability. It can withstand very high temperature
as its melting point is almost 10000C.It can be used
as resistors for electronic circuits.
The composition is as follows:

Silica : 67%

Aluminum oxide : 17%

Calcium oxide : 8%

Magnesium oxide : 7%

5. Ninety six percent silica glass:

It is a type of borosilicate glass from which all the
non silicate elements have been removed. This glass
is resistant to temperature up to 9000C.
6. Fused silica glass :
It is a glass which is pure silicon dioxide in a non-
crystalline state. It is very difficult to fabricate and is
the most expensive of all types. It can sustain
temperatures up to 12000C.

66 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Glass fractures

Depending on whether the fracture is caused by a

high velocity projectile or a low velocity projectile,
there are different kinds of fractures:
Radial Fractures:
This we have already studied in the last module. To
be precise, this may occur in both the cases, that is
low or high velocity projectile.
Concentric Fractures:
These also we have studied in detail in the last
module.
Broken edges:

When there is a cut in the surface placed under

tension, the glass may not break squarely across.
When a piece of glass is broken by bending from a
larger piece, the sharp edge remaining on the larger
piece will probably be there on the side to which the
force was applied.

67 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Tests For Physical Properties Of Glass:

The physical properties can be assessed using
various methods. These tests are rapid and
nondestructive:

COLOR

Color assessment is performed visually against a

white background in natural light with the particle
on edge. Side-by-side comparison should be used
with similarly sized particles.

FLUORESCENCE

Many glass specimens will fluoresce when exposed

to short-wave (~254 nm) and/or long-wave (~350
nm) ultraviolet light. This fluorescence can be used
as a basis to differentiate glass specimens (Lloyd
1981).

Fluorescence examinations can also be performed

using fluorescence spectroscopy on specimens as
small as 0.05 mm2.

THICKNESS

For a sheet of glass and if the pieces of smaller

sample have portions of both the surfaces present,
then it becomes more useful to measure the

68 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

thickness using a micrometer screw gauge. The

thickness of the glass sheet may vary from one place
to the other and may not have uniform thickness
throughout. Thus, it becomes beneficial to study the
variations in their thickness before comparing the
thickness of the controlled sample and that of the
crime exhibit.
A micrometer screw gauge incorporates a calibrated
screw mostly used for precise measurements of
components.

SURFACE FEATURES

Surface features can be formed either intentionally

or accidentally during manufacturing or fabricating
processes. These form another basis of comparison
to distinguish between different sources of glass.
They can serve as identifying features while
examining the glass fragments for fracture match if
the feature is present on both the fragments.
Surface features include coatings, thin films and
mirrored backings, etching, texturing etc.

CURVATURE

Whether or not a fragment of glass is flat or curved

often can be determined visually with the aid of low-

69 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

power magnification. For small particles,

interferometry can be used. The curvature of glass
can be used as a point of comparison and as a
method of determining a broad product type.

OPTICAL PROPERTIES

Refractive index (n) is a unitless measure of the

speed of light in a transparent medium and is
defined by Snell‘s law as the ratio of the velocity of
light in a vacuum to the velocity of the wave in the
transparent medium (Stoiber and Morse 1981).
Refractive index is the most commonly measured
property in the forensic examination of glass
fragments (Koons et al. 2002), because:
 Precise refractive indices can be measured rapidly
on the small fragments typically found in casework.
 It can aid in the characterization of glass.
 It provides good discrimination potential. (Koons
et al. 2002)
The refractive index of several glasses is given
below:
 Head light glass – 1.47 – 1.49
 Television glass - 1.49 – 1.51
 Window glass - 1.51 – 1.52
 Bottle glass - 1.52 – 1.52

70 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Ophthalmic lens - 1.52 – 1.53

 Common flat glass –1.51 – 1.53

Different instruments used for refractive index

measurements:

There are a number of instruments to calculate the

refractive index of glass fragments. Some of them
are as follows:

 Glass Refractive Index Machine (GRIM)

Glass Refractive Index Machine designed by Foster

and Freeman, utilizes the oil
immersion/temperature variation method for the
determination of the refractive index of glass.

 Refractometer

 It is a laboratory or field device for the

measurement of refractive index using Snell‘s Law.
 Dispersion can also be measured by Abbe
Refractometer.

 Hot stage microscope

It has a furnace with a heating element beneath and

above the sample, which guarantees outstanding
temperature uniformity in the sample. In the

71 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

method using hot stage microscope, the glass

sample is immersed in the high boiling liquid.

 Phase contrast microscope

Phase-contrast microscope is an interference

microscope which converts phase shifts in light
passing through a transparent specimen to
brightness changes in the image. Phase shifts
themselves are invisible but become visible when
shown as brightness with variation.

 Polarized light microscope

Polarized light microscope is a microscope equipped

with two polarizing elements; one of them is the
polarizer which is located between the light source
and the sample while the other is analyzer which is
located between the sample and the observer.

 Different methods for calculating refractive

index

It is not possible to measure refractive index

directly as it is not possible to practically measure
the speed of light as it passes through the glass.
Instead indirect methods are used.

72 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 We can detect transparent objects in air such as

glass fragments as they refract light. Suppose two
objects have got same refractive index, then it would
be difficult to observe any difference in the light that
passed through them. If a piece of glass is immersed
in a liquid whose refractive index matches that of a
glass, then the glass becomes invisible as the light
that passes through the glass would be same
refractive index.

The various methods are based on this principle

only. Some of the methods are as follows in brief:

Emmons Double variation method:

In this method, glass is immersed in oil. Here, a

circular water bath is used to heat the oil, with glass
fragment immersed in it. In a way, this is a
temperature variation method.

Automated Glass Refractive Index Measurement:

This method is also temperature variation method

but here glass sample is not immersed in oil. The
refractive index is calculated automatically from the
data.

Immersion Methods

73 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Immersion methods are used to measure refractive

index in some laboratories. These methods take
advantage of the fact that when using
monochromatic light, a particle immersed in a
liquid of identical refractive index will become
invisible (Bloss 1961). The particle is viewed through
a microscope. A classic technique used is called the
Becke line method. As summarized in the SWGMAT
Glass Refractive Index Determination guideline:
In the BECKE LINE METHOD, a bright halo (Becke
line) is observed around the particle. Movement of
the Becke line with respect to the particle on
changing the microscope focus indicates refractive
index of the particle relative to the immersion oil.
The amount of contrast between the particle and the
immersion liquid indicates the magnitude of the
difference in refractive index. The fragment is then
removed from the liquid, washed, and placed in
another liquid with a refractive index closer to the
match point. This process is repeated until the
refractive index of the match point has either been
reached or bracketed by two oils. When the match
point is approached, the results can be plotted on

74 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Hartmann dispersion nets, which allows for the

extrapolation of the results between liquids.
Dispersion Staining is very similar to the Becke line
method. In dispersion staining, a stop is placed in
the back focal plane of the objective. Slight
differences in refractive index between the particle
and the liquid are seen as colored halos. The color of
the halo is characteristic of the difference in
wavelength to the refractive index match point.
Variability in refractive index across a 12-foot-wide
ribbon of flat glass is approximately 0.0001
(Almirall 1996) to 0.0002 (Underhill 1980).
Variability from the interior to the glass surface is
0.003 (Davies et al. 1980). The expected variation
within a single float source is in the range of
±0.00004 for annealed glass and ±0.0016 for
tempered glass (Locke et al. 1985).

Emmons Double Variation

R. C. Emmons first described the double-variation

method in 1928 (Emmons 1928). He suggested the
use of a monochromator and hot stage to allow for
the variation of temperature and wavelength
simultaneously. In this method, a phase-contrast
microscope converts the difference in index

75 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

between a particle and the immersion liquid into a

difference in brightness contrast. This brightness
contrast enhances the Becke line (Abramowitz 1987.
For the Emmons double-variation method,
fragments of glass are mounted in the previously
calibrated, appropriate immersion liquid on a glass
microscope slide and covered with a glass cover slip.
The slide is inserted into a hot stage mounted on a
phase-contrast microscope. The hot stage is set to a
temperature within the stable range of the liquid,
and the wavelength of the monochromator is
adjusted until the match point is reached. The
match point and temperature are noted. This
process is repeated for at least two additional
temperatures.
By comparing these measured points with the
previous calibration data for the liquid, the
refractive index of the particles at a particular
wavelength—normally nC, nD , and nF—can be
calculated or determined graphically. Results are
typically reported to the nearest 0.0001 (SWGMAT
2005d). The precision of the method is
approximately 0.00004 to 0.00006 (Cassista and
Sandercock 1994).

76 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Automated Method
An automated method for refractive index
determination of glass fragments using a phase-
contrast microscope, hot stage, and monochromatic
light source has been published by ASTM. In this
method, a video camera captures the image of the
particle edge, and a computer calculates the point of
minimum contrast—the match point—across the
particle edge while automatically varying the
temperature. This method parallels the AOAC
method in that the wavelength is fixed and the
temperature varies.

Density

Density is mass per unit volume. Like refractive

index, density is a function of chemical composition
and atomic arrangement, which are controlled by
the composition of the batch and the cooling history
of the glass, respectively (Varshneya 1994). Density
measurements are performed less frequently than
refractive index determinations because:
 The glass fragment must be scrupulously clean
and free of inclusions.
 Accurate density measurements require a
sample that is two to three millimeters in diameter,

77 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

much larger than particles typically encountered in

forensic casework. Additionally, particles of this
size are suitable for chemical analysis, which is a
more discriminating technique.
 Density and refractive index are correlated in
the majority of glass samples (Smalldon and Brown
1973). Refractive index determinations are more
rapid and can be performed with smaller samples,
so most laboratories choose to perform refractive
index determinations first.
 Until recently, density measurements required
the use of hazardous liquids, such as bromoform
(Koons 2002).
Most quantitative density measurements are
performed in forensic laboratories using a density
meter.
Relative density determinations can be made by
using density gradients (McCrone and Hudson
1969).
Another relative method for measuring density is
the sink-float comparator method. In this method,
glass fragments are placed in a heavy liquid mixture
in a test tube. The tube is placed in a water bath that
is heated automatically at a uniform rate. As the

78 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

particles settle and become suspended, the

temperature is noted. The precision of this method
is 0.0001 gm/cm3 (ASTM C729-05; Knight 1945),
which is better than the measurable variation of a
glass object.

Elemental Analysis

Manufacturers control the concentrations of many

chemical elements to impart specific properties to
their glass product. Glass composition analysis,
therefore, can be used to differentiate between
glasses made by different manufacturers, glasses
from different production lines of the same
manufacturer, and glasses made over a period of
time in a single production line (Koons 2002).
Many methods have been used for compositional
analysis of glass. These methods include
semiquantitative techniques such as scanning
electron microscopy-energy dispersive
spectrometry (Ryland 1986; Terry et al. 1982) and X-
ray fluorescence (Andrasko and Maehly 1978; Reeve
et al. 1976) and quantitative techniques such as
neutron activation analysis (Coleman and Goode
1973), flameless atomic absorption spectrometry
(Hughes et al. 1976), spark-source mass

79 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

spectrometry (Dabbs et al. 1973), inductively

coupled plasma-optical emission spectrometry
(Hickman 1987; Koons et al. 1988), inductively
coupled plasma-mass spectrometry (Zurharr and
Mullings 1990; Parouchais et al. 1996), and laser
ablation-inductively coupled plasma-mass
spectrometry (Moenke-Blankenburg et al. 1992).

Scanning Electron Microscopy and X-ray

Fluorescence:

Both of these semi quantitative methods, scanning

electron microscopy (SEM) and X-ray fluorescence
(XRF), are rapid and essentially nondestructive and
use XRF to determine chemical composition.
Scanning Electron Microscopy-Energy Dispersive
Spectrometry (SEM-EDS):
In SEM-EDS, a focused beam of electrons
systematically scans across a specimen and
produces many signals, including X-rays with
energies characteristic of specific elements (Postek
and Howard 1980). Ratios of the intensities of some
of the major and minor elements in glass can be
used to discriminate between sources of glass, with
38 of 40 specimens being distinguishable in one
study (Andrasko and Maehly 1978). This method

80 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

also has been used successfully to classify glass

fragments into sheet or container categories
(Ryland 1986; Terry et al. 1982).

Neutron Activation Analysis

The basis for neutron activation analysis (NAA) is

the measurement of the radioactivity induced as a
result of irradiation by nuclear particles. A gamma-
ray spectrometer is used to measure radiation of
different energies. By comparing these energies
with those of a standard, the type and quantity of
atoms can be determined.
Spark-Source Mass Spectrometry
In spark-source mass spectrometry, the specimen is
vaporized into gaseous ionic plasma by a radio-
frequency spark source, and the resultant ions are
swept into a mass spectrometer. Spark-source mass
spectrometry has been used successfully to
discriminate specimens that were indistinguishable
by refractive index and density determination
(Dabbs et al. 1973). This technique is not readily
available to forensic science laboratories, and
applications to glass analysis have not been widely
studied.
Flameless Atomic Absorption Spectrometry

81 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

In flameless atomic absorption spectrometry

(FAAS), the specimen is first dissolved, then
introduced to a graphite furnace and vaporized. A
beam of monochromatic light is directed through
the vapor, and the absorption is measured. The
wavelength of the light is matched to the
characteristic absorption of the element of interest.
Absorption is proportional to the number of atoms
in the light path (Skoog and West 1980). Use of
FAAS has been supplanted largely by various
inductively coupled plasma (ICP) methods because
ICP can analyze multiple elements simultaneously.

Inductively Coupled Plasma Methods

All of the ICP methods rely on the use of a plasma

torch to produce extensive atomization, ionization,
and excitation of the atoms of the specimen. In
inductively coupled plasma-optical emission
spectrometry (ICP-OES), the detector is a
spectrometer that detects the characteristic
wavelengths of light emitted by the excited atoms.
The intensity of the light is proportional to the
concentration of the atoms (Skoog and West 1980).
In inductively coupled plasma-mass spectrometry
(ICP-MS), the excited ions are swept into a mass

82 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

spectrometer, similar to spark- source mass

spectrometry, but using the plasma to ionize the
specimen (Skoog and West 1980). In ICP-OES and
ICP-MS, a glass specimen is first digested in
hydrofluoric acid, brought to dryness, and then
placed into solution (SWGMAT 2005a).
Detection limits for most elements by ICP-OES are
on the order of 0.01 μg/g; and for ICP-MS, 0.001
μg/g. The better detection limit for ICP-MS is
acquired at a slight loss in precision and accuracy
(SWGMAT 2005a).
It was reported that inductively coupled plasma-
optical emission spectrophotometry measurements
provide very high discrimination capability. The
probability that two glass fragments from different
sources will have indistinguishable concentrations
of ten elements is extremely.

83 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Cement
Cement:

Cement is a mixture of chemicals such as

mostly calcium carbonate, silica, alumina, and iron
oxide-bearing materials, etc.

 Binding element in both concrete & mortar.

 Made of limestone, clay, shells & silica sand.
 Sets & hardens when combined with water.

Concrete:

 Made of cement, sand & gravel

 Used for building: foundations, slabs, patios, &
masonry
 Most flexible, forming into any mold & rock hard.

Mortar:

 Made of cement & Sand

 Used as the glue to hold bricks, blocks etc.
together
 Various types available for specific applications

84 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Major components of Cement

The Main Constituents of Cement are:

 Dicalcium Silicate2CaO.SiO2- 30%

 Tri calcium Silicate3CaO.SiO2- 40%
 Tri calcium AluminateCa3Al2O6, or 3CaO·Al2O3-
11%
 Tetracalcium Alumino Ferrite4CaO. Al2O3
Fe2O3- 11%

Types Of Cement

1. Ordinary Portland Cement (OPC)

In usual construction work, Ordinary Portland

Cement is widely used. The composition of Ordinary
Portland Cement:
 Argillaceous or silicates of alumina (clay and shale)
 Calcareous or calcium carbonate (limestone, chalk,
and marl)
It is widely used for all purposes including:
 Concrete
 Mortar
 Plaster

2. Rapid Hardening Cement

85 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Rapid Hardening Cement is made when finely

grounded Tri-calcium silicate (C3S) is displayed in
OPC with higher concrete, it gains strength more
quickly than OPC. It‘s initial Setting Time 30 minutes
and Final Setting Time 600 minutes.

3. Quick Setting Cement

The composition of Quick Setting Cement:

 Clinker
 Aluminium sulphate (1% to 3% by weight of
clinker)
 The aluminium sulphate increases the hydration
rate of silicate.
 The initial setting time is 5 minutes and the final
setting time is 30 minutes.

4. Blast Furnace Cement

This type of cement is manufactured by grinding the

clinker with about 60% slag and it is similar to
Portland cement.

5. Low Heat Cement

86 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

It is a spatial type of cement which produce low heat

of hydration during setting. The chemical
composition of low heat cement:
 5% of tricalcium aluminate (C3A)
 46% of declaiming silicate (C2S).

6. Sulphate Resisting Cement

Sulphate resisting cement is used to resist sulphate

attacks in concrete.

7. Hydrophobic Cement

To resist the hydration process in the transportation

or storage stage, clinkers are grinded with water
repellent film substance such as Oleic Acid or Stearic
Acid. These chemicals form a layer on the cement
particle and do not allow water to mix and start the
hydration process. When cement and aggregate are
thoroughly mixed in the mixer, protective layers
break and start normal hydration with some air-
entrainment which increases workability.

8. High Alumina Cement

High alumina cement is obtained by mixing

calcining bauxite and lime with clinker during the

87 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

manufacturing process of OPC. In which the total

amount of alumina content should not be lesser than
32% and it should maintain the ratio by weight of
alumina to the lime between 0.85 to 1.30.

9. White Cement

This type of cement is manufactured by using raw

materials that are free from iron and oxide. White
cement needs to have lime and clay in a higher
proportion.

10. Coloured Cement

To make 5 to 10 per cent of suitable pigments are

grinded with OPC. Types of pigments are selected
according to the desired colour.

11. Air Entraining Cement

Air-entraining cement is a special type of cement

which entrains tinny air bubbles in concrete. It is
produced by grinding minute air entertaining
materials with clinker by adding some resinous
materials e.g. vinsol resin to ordinary portland
cement.

88 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Forensic Analyses In Cement:

Sample:
1 kg sample of cement should be collected in an
airtight plastic jar.

Preliminary Adulteration Test of Cement

Preliminary test for cement analysis for
adulteration is listed as:

1. Color Test And Luminescence

Take 1 gm of sample and spread evenly on the petri

dish or plate and observe the color under normal
light as well as in alternative light sources.

2. Fine Test

Take a small sample between your fingertips.

Smooth Particles are indicator of unaltered cement
while uneven particles are indicator of altered
cement.

3. Smell Test

89 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Adulterant like ashes, pounded clay and slit have an

earthy smell, and if these are mixed with the cement
then it will also smell like earthy.

4. Presence of Lumps

Lumps are defined as the hardening of the cement

on the application of moisture. The size of lumps
defined the amount of water gets reacted with
cement.
Take a 100 gm of sample and check for the
observable lumps.

5. Temperature Test

This test can be done when adequate amount of

cement is present. For this test about 500gm sample
should be taken in palm and feel the temperature if
it is cold then its not altered and if it is warm then
alteration has been done with some sand and
others.

6. Heat Test

Take 1 gm of the sample, heat it for about 20

minutes on a steel plate.

90 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

If the sample changes its color then it is adulterated

cement, But in a case of un-adulterated cement, it
retains its color.

7. Float Test

Take a few grams of sample and put into 100 ml of

beaker filled with water.
Unadulterated cement will take some time to settle
on the base of the beaker after floating on surface of
water.
While in the case of adulterated cement, particle-
like ashes start settling immediately when sprinkles
on the water surface.

8. Shape/Performance Test

Take 10gm of cement sample and make a paste using

water and settle it like a block then put it in another
250ml beaker containing water for 24 hours.
If the cement set without a crack, this may be the
indication of unadulterated cement. This
phenomenon also related to the term called ―the
hydraulic cement‖.

9. Strength Test

91 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

A block of cement can be made and immersed in

water for 7 days to 28 days according to type of
cement. After that Then one side of the cement block
is held firm with a hook and the other side has
attached to the stings of 34kg of weight.
If the cement doesn‘t break it is an indication of
cement is unadulterated.

Chemical Analysis of Adulteration of Cement

These are some chemical forensic analysis of

cement tests that helps in determination of
adulteration:

1. Thymolphthalein Test

Preparation of Thymolphthalein Indicator:

Materials Required:
 0.04 g thymolphthalein
 50 ml of 95% ethanol
 100 ml of distilled water
Procedure
Take a beaker of 250 ml and dissolve 0.04 g
thymolphthalein in 50 ml of ethanol.
Now dilute the solution to 100 ml with distilled
water.

92 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Procedure:
Take 10 mg of cement sample in a test tube.
Add 1-2 ml water followed by 1-2 drops of indicator.
Result:
The development of the blue color indicates the
presence of cement. And colorless solution indicates
that the sample is stone powder.

2. Acid Insoluble Test

Principle: The Acid Insoluble Residue test is based

on the proportion of a sample that is not hydrolyzed
by sulphuric acid with the original sample.

3. Determination of Calcium by EDTA Titration

It is based on a complex metric titration, which can

also be used to determine the calcium content of
milk, or water, and also the amount of calcium
carbonate in various solid materials.
This titration is based on the reaction of
Ca2++ [EDTA]4-→ [Ca-EDTA]2 = Pink/Red Blue

4. Direct Cement Percentage by Acid Titration

This is based on the two-phase analysis;

93 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Phase 1: The cement is mixed with a known amount

of HCl causing the dissolution of the carbonate (
CaCO3) by creating Calcium chloride (CaCl2), water
and carbon dioxide.
Reaction Involved:
CaCO3 2HCl ⇒ CaCl2 + H2O + CO2
Phase 2: The amount of acid leftover is measured by
titrating against sodium hydroxide (NaOH) to
produce sodium chloride (NaCl) and water. Adding
a phenolphthalein indicator to the solution causes it
to turn pink.
Reaction Involved:
HCL + NaOH= NaCL + H2O

Instrumental Analysis of Adulteration of

Cement
Generally following two instruments are used for
cement adulteration :
1.) ICP-AES
2.) XRD

1. ICP- AES

94 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Inductively Coupled Plasma Atomic Emission

Spectroscopy is an analytical technique for the
detection of chemical elements.
2. X-Ray Diffraction (XRD)
It is a rapid analytical technique that is primarily
employed for phase identification of crystalline
material.

Petrographic Testing
Petrographic analysis is a diagnostic tool for
examining failures in concrete.
Once onsite, we can carry out an initial visual
examination of the area in order to ascertain
possible causes of the problem and to determine the
best position for taking samples. Our engineers can
take core samples and return them to the laboratory
where thin sections will be prepared for
examination using Scanning Electron Microscopy
(SEM) and Polarized Light Microscopy (PLM).
Forensic analysis can be supplemented by
additional techniques which also include, but are
not limited to chemical analysis, SEM and X-Ray
Diffraction (XRD).

95 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Computer/Cyber Forensics:
COMPUTER- Common Operating Machine
Purposely Used For Technological And Educational
Research.
Computer system= Hardware+ software + user
A computer is an electronic device, wherein the user
inputs raw data and it processes this raw data using
a set of commands called as programs and gives the
output to the user and at the last stage, saves the
output for future use. The most important task of a
computer is to accept data. The different PC ports
and connectors are Parallel ports
 Serial port
 USB port
 Firewire port
 PS/2 Port
 Monitor Socket
 Audio ports

Functions:
A computer has 4 functions:
1.) Input
2.) Processing
3.) Output

96 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

4.) Storage

Parts:
The major parts of the computer are –
 Input devices
 Processor
 Output Devices
 Storage Devices
 Peripheral devices
 Internal components
 Software

Category:
Computers are categorized on the basis of:
 operational principle
 Size
 On the basis of working principle they are:
1. Analog computers
2. Digital computers
3. Hybrid computers
 On the basis of size, they are
1. Super computers

97 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

2. Mainframe computers
3. Mini computers
4. Microcomputers

Computer Hardware:
A computer Peripheral device can be defined as any
device that is connected to the computer externally
or internally and can be touched. The peripheral
devices fall into three categories, they are:
1. Input Devices: Some of the most used input
devices are- Keyboard, Mouse, Joystick,
microphone, etc.
2. Output Devices: Output device is a device used to
display or deliver the processed data from the
computer that was fed by the user to it.
3. Storage Devices: Hard disk, CD-ROM, DVD, Pen
drive, etc.

Computer Software:
Software is the computerised instructions that
control the computer, execute specific functions or
tasks, and manipulate the data. That is, the
instructions required to be written in a
programming language that the computer can

98 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

recognize. Computer software is divided into two

types:
1. Application software is the end user software. The
programs written under application software are
designed for general purpose and special purpose
applications. Examples of application software
are Microsoft Internet Explorer, Spreadsheets,
Database management applications, Presentation
packages and graphics. Word processing is the
most common applications software.
2. System Software enables application software to
interact with the computer hardware. The most
important system software is the operating
system. The system software performs important
tasks such as running the program, storing data,
processing data etc.
3. Utility Software: These are the application
programs designed to help System Administrator
or the Developer to accomplish their work. We
can include security software ex. anti-virus,
firewall, backup software, recovery software and
many more. These are the supportive software for
our system.

99 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Computer Network:
Network consists of two or more computers that are
connected for resource sharing, exchanging files or
allowing electronic communications,
A network is a multipurpose connection, which
allows an individual computer to do more.
Computer networks have opened up an entire
frontier in the world of computing called the
client/server model.
The computer networks are required for the
following reasons:
 File sharing: Networks allows us to share data
between the computers of other networks making
the files available to everyone at any time,
wherever required.
 Resource sharing: Resources like the printer,
servers and the internet can be shared among
these networks.
 Communication and collaboration: Being a part of
the network means we are able to connect to
different services and computers of different
networks, thus increasing the communication
with the rest of the world.

100 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Remote access: Remote access allows us to access

the resources remotely from anywhere without
being present at the place where the computer is.
The different networking devices are: Repeaters,
Routers, Switches, Bridge, Ethernet Hub, and
Gateway.
The Different types of networks are :
 Personal Area Network (PAN)
 Local Area Network (LAN
 Metropolitan Area Network (MAN)
 Wide Area Network (WAN)
 Storage Area Network (SAN)
 Enterprise private network (EPN)
 Virtual Private Network (VPN)

Computer Forensics:

Computer forensics is the process of methodically

examining computer media (hard disks, diskettes,
tapes, etc.) for evidence. In other words,
computer forensics is the collection, preservation,
analysis, and presentation of computer-related
evidence.

101 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

USE OF COMPUTER FORENSICS IN LAW

ENFORCEMENT:
 Recovering deleted files such as documents,
graphics, and photos.
 Searching unallocated space on the hard drive,
places where an abundance of data often resides.
 Tracing artifacts, those tidbits of data left behind
by the operating system. Our experts know how to
find these artifacts and, more importantly, they
know how to evaluate the value of the information
they find.
 Processing hidden files — files that are not visible
or accessible to the user — that contain past usage
information. Often, this process requires
reconstructing and analyzing the date codes for
each file and determining when each file was
created, last modified, last accessed and when
deleted.
 Running a string-search for e-mail, when no e-
mail client is obvious.

Different Types Of Computer/Cyber Crimes:

Computer crimes refer to criminal activity where
the computer or the network is the source, tool,
target or place of the crime.

102 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Cyber terrorism: The U.S. Department of State

defines terrorism as ―premeditated politically
motivated violence perpetrated against
noncombatant targets by subnational groups or
clandestine agents.‖ Cyber terrorism is
sometimes referred to as Information war or
electronic terrorism.

 Assault by threat: This computer crime involves

placing people in fear for their lives, blackmailing
or threatening the lives of their loved ones.

 Child pornography and Child abuse: It consists of

various facets: individuals who are engaged in the
activity of creating pornographic materials using
minor children, individuals who distribute these
items, and also those people use them via using
network and computers.

 Dissemination of offensive materials: This

includes sexually explicit materials, racist
propaganda and many a times instructions for the
fabrication of explosive devices.

Sections of 292, 293, 294 of the Indian Penal

Code, Sections 3 and 4 of the Indecent
Representation of Women (Prohibition) Act and

103 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Section 67 of the Information and Technology Act

deals with Obscenity and Pornography as the case
may be

 Harassment: It can be defined as the vulgarities at

particular persons centering such as on gender,
race, religion, nationality, sexual orientation and
more. This often occurs by sending hate e-mails to
the victim and defaming them publicly.

 Computer Frauds: Computer frauds can be

defined as the use of information technology to
commit frauds that include computers, the
internet, money transactions, investments, and
credit cards, tax refunds to cause monetary or a
financial gain at the end.

 Cyber Frauds: Cyber frauds involve offering

falsehoods to obtain something of value or
benefit.

 Tax refund fraud: The cybercriminal first obtains

a valid name and social security number. The
cybercriminal then makes a withholding
information, claims standard deductions and
perhaps tax credits and completes a return that
creates or generates a large refund. The

104 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

cybercriminal files the return. The criminal then

simply waits for either a check to be mailed, a
direct transfer of fund to be made to a 'safe' bank
account.

 Investment frauds: In these types of frauds

fraudsters usually want the individual to invest
their money in a company or an opportunity
which seems to be offering very high rates of
return.

 Electronic funds transfer frauds: Valid credit card

numbers can be intercepted electronically, and
the digital information stored on the card can be
counterfeited and used by the criminal. This
crime also includes transferring large amount of
money or shares from one bank account to
another account.

 Credit card frauds: Credit card fraud is a form of

identity theft that involves an unauthorized taking
of another's credit card information for making
purchases of huge amount or just withdrawing
funds from them.

105 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Cyber trespass: In these offences, criminal

accesses resources that a computer or a network
needs without any kind of authorization.

 Drug trafficking: Drug traffickers are increasingly

taking advantage of the internet to sell the illegal
drugs and substance through encrypted e-mails
and other internet technologies.

 Corporate account takeover: Corporate account

takeover means the purchase of one corporate
account by another. It begins by illicitly acquiring
login credentials by using a malicious program so
that the victim uses the malicious program
without noticing it. The attacker then gains access
to the victim‘s computer and transfers the funds
to the account of the criminal.

 Piracy: Piracy can be defined as the act of

unauthorized copying of copyrighted software,
music, movies, art, books and so on, resulting in
the loss of revenue and benefits to the legitimate
owner of the copyright.

 Electronic money laundering and tax evasion: It

involves using the internet to hide the origins of
money which was obtained through illegal means.

106 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Illegal Interception of telecommunications: Illegal

interception means interception of the personal
and confidential without the consent of the
members of the conversation.

 IRC (Internet relay chat) crimes: Criminals use

IRC rooms to meet co-conspirators, hackers use
them to discuss their exploits or share their
techniques.

 Net Extortion: Cyber extortion or net extortion is

a crime involving an attack or threat of attack
against an enterprise or a corporate company,
coupled with a demand for money to stop or avert
the attack.

 Cyber vandalism: Cyber vandalism can be random

act done 'just for fun‘ by bored hackers with a
malicious streak, or it might be a form of
computer sabotage for profit which includes
erasing all the files of business competitor, or
erasing someone's personal identifiable data.

 Internet drug sales: Buying and selling

prescription drugs on the internet results in
criminal charges of illegal drug distribution or
conspiracy to manufacture illegal drugs.

107 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Cyber contraband: Cyber contraband simply

refers to transferring illegal items through the
internet that is banned in some places.

 Malware Attacks: Malware is software designed to

infiltrate or damage a computer system without
the knowledge of the owner. It includes:

 VIRUS: - It stands for ―Vital Information and

Resources Under Siege‖. It works on a host file
and either replicates itself or causes improper
functioning of the system.

 RAT: - It stands for ―Remotely Access Tool‖. This

software is designed to remotely control the
system without even the prior knowledge of the
victim.

 Worms: - These are the software which goes on

replicating itself until the whole system memory
is consumed. But unlike VIRUS, it does not need a
host file.

 Spyware: - These are the software use to spy on

the victim‘s computer and his activities remotely.

 Backdoors: - These are specially designed

software or codes of programming that give an

108 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

access to bypass the security features of a

computer.

 Key Loggers: - These are the softwares which

records the strokes made on the keyboard by the
victim.

 E-mail Based Attacks:

 E-Mail Bombing: - Cyber activists has specially
designed softwares to send mail to a specify
person email address and it results in potential
shut down of the entire system.

 Spam: - Spam is the exploitation of electronic

messaging systems to send spontaneous bulk
message indiscriminately.

 Espionage: Cyber Espionage is the act of obtaining

personnel, sensitive proprietary or classified
information, generally in corporate sectors,
without permission.

 WEB Page Hacking: In this method the genuine

page of a web site is mutilated by altering the
content of the file and appearance causing
embarrassment to any reputed firm an may lead
to denial of service, causing a heavy loss. These
can be achieved through following ways:

109 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Web Jacking: in this Attackers create a fake

website and when the victim opens the link a page
appears with the message that the website has
moved and they need to click another link. If the
victim clicks the link that looks real he will
redirected to a fake page. Common Methods of
Web Jacking:
SQL Injection Attacks.
 To find the flaws present in Web sites that have
databases running behind them.
 To look for a poorly validated input field present
in a Web input form may allow an attacker or
jacker to insert or introduce additional SQL
instructions later which might then be passed
directly into the backend database.
Malicious Advertisements.
 By introduction of malicious advertisements for
example: A number of sites on internet project
ads that are presented by third party advertising
sites.
Cross-site scripting (XSS) attacks.

 Click Jacking: Click jacking occurs when a scam

artist or a cyber-expert places an invisible button
or other user interface element over top of a

110 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

seemingly innocent web page button or interface

element using a transparency layer, which one
can't see. For example the functioning of right
mouse button can be interchanged with Delete
command.

 Cyber Bullying: It refers to bullying of one person

by another person over a digital media on the
condition of any data that is significant & valuable
to him or just for the purpose of harassing the
victim and gaining pleasure from it.

 Cyber Stalking: It is the use of the Internet or

other electronic means to stalk someone. This
term is interchangeably used with online
harassment or online abuse.

 DoS & D-DoS Attack: It involves flooding a

computer system with more requests than it can
handle at a time, leading to system crash.

 Cross Site Script: An attacker can use cross site

scripting technique to implement malicious script
(into a server), which is then sent to unsuspecting
users accessing the same server.

 Spoofing: Spoofing of sites normally happens in

banks official page with an intention of financial

111 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

fraud. Other sites are spoofed either for

personnel pleasure or misleading the audience or
for causing embracement to a particular group of
people.

 IP spoofing: - IP spoofing involves changing the

packet headers of a message to indicate that it
came from an IP address other than the true
source. Any Service that uses IP address
authentication is susceptible to IP spoofing.

 ARP spoofing: ARP spoofing also called as ARP

poisoning, is a method of sending forged replies
which result in incorrect entries in the cache. This
result in subsequent messages sent to the wrong
computer.

 DNS spoofing: - The DNS is responsible for

managing the resolution of domain names into an
equivalent IP address. Any successful
replacement of a valid address with an alternate
address causes people attempting to access the
domain name to visit the wrong website. This
gives attackers a chance to create their own Web
site that masquerades as a legitimate site and to
attempt to steal all kinds of information by getting
between the user and the real site.
112 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Phishing: This involves creating a fake page which

is very similar to the genuine page for secretly
capturing the credentials of the victims.

 Vishing (Voice Phishing) sometimes uses fake

caller-ID data to give the appearance that calls are
originated from a trusted organization.

 Online Fraud: This is the next step after phishing

or spoofing. Once the culprit gets the valuable
credentials of the victim he can use it for online
shopping, e-banking, etc.

 Online Gambling: This is much worse than real

life gambling as such pages are deliberately made
to lure the victim and fall a prey to the tricks of a
cyber-criminal / expert, causing them to lose a
good amount of wealth.

 Cyber Laundering: Black money is transformed

into white money through various portals of
online gambling or online shopping.

 Intellectual Property Theft: It involves the

duplicating the original and genuine work of a
person without his proper consent and without
any accreditation to him.

113 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Patent & Copyright Infringement: This is a

traditional type of intellectual property theft
where one produces copied material or process
from another for profit.

 Software Piracy: One gets a copy of original

software & duplicates it for the purpose of selling
it for a profit.

 Reseller Piracy: Original hardware‘s are sold with

pirated property.

 Data Theft: Data theft stands for the alteration of

form of data by entering, suppressing or
corrupting the original data by unscrupulous
means so as to gain undue advantage. These can
be done in various forms such as:

 Data Didling: - It involves changing data with

malicious intention during or before processing it
into the computer.

 Data Leakage: - It pertains to illegally copying the

master file information from a computer for
ransom, blackmailing, or any other fraudulent
purpose.

 Data Spying: - It refers to accessing the files or

digital data from a remote location by using

114 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

legitimate password or cracking the password.

This data is then sold to others for a profit.

 Data Leakage: - It pertains to illegally copying the

master file information from a computer for
ransom, blackmailing, or any other fraudulent
purpose.

 Data Spying: - It refers to accessing the files or

digital data from a remote location by using
legitimate password or cracking the password.
This data is then sold to others for a profit.

 Scavenging: - It refers to obtaining and reusing

the information which have been left over
processing in or around the computer system.

 Cyber theft: Cyber theft refers to the act of

stealing of financial and/or personal information
through the use of computers for making its
fraudulent or other illegal use. Many different
types of Cyber theft are:-

 Theft of sensitive data: The sensitive data consists

of unencrypted credit card information,
personally identifiable information, trade secrets,
source code of any software or application, all
employee records and so on.

115 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Theft of Intellectual property: - Intellectual

property includes commercial copyrighted
materials like music, movies and books.

 Identity Theft: It involves stealing the identity of a

person by dishonest use of someone‘s electronic
signature, password, or other unique identifying
features. It includes credit card fraud, Online
Share trading scams, e-banking crimes,
fraudulent transactions, etc.

 Embezzlement: - It involves misappropriating

money or property for one‘s own use that has
been given or entrusted to them by someone else
or some organization.

 Unlawful appropriation: - In this crime the

criminal gains access to the valuables from
outside the organization and transfers the funds,
modifies documents giving him the title of the
owner of the property that he never owned.

 Corporate/industrial espionage: - In this crime

person inside or outside the company use the
network to steal the important data of the
company. This important data includes the trade

116 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

secrets, financial data, confidential client lists,

marketing strategies, etc.

 Plagiarism: - It is the theft of someone else‘s

original writing with the intent of passing it off as
one‘s own.

 DNS cache poisoning: - It is a form of

unauthorized interception in which the contents
of the computer‘s DNS cache is manipulated so
that all the network transmissions going to that
specific domain name is redirected to the
attackers servers.

 Social Engineering: This is neither a virus nor a

malicious line of coding but it is just a trick which
lures people into revealing their password and
other valuable credential by making them false
stories or by taking them under confidence.

 Making Offensive Calls: Offenders can also harass

others by making offensive calls to them and
annoying them. Many a time anonymous calls are
used by the criminals as an effective tool in
making extortion or threatening call. Females are
often harassed by stalkers by this means of
communication.

117 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

1. Landline/Mobile Calls

 Landlines having no Caller Ids pose a problem for

the quick analysis of an incoming call, which is an
undue advantage to the cyber stalkers, cyber
bullies, etc.

 Unidentified callers from fake addresses or from

someone else‘s phone by line tapping are also a
serious threat.

2. WEB Based Calls

 Calls can be made by spoofing the mobile number

using various sites.

 Such calls are intended to hide the actual location

of the caller and any fake or annoying calls are
made. Such calls are often used for terrorist
activity and for trafficking illegal goods or for any
ransom or blackmailing purposes.

3. Overseas Calls

 Cyber Criminals operating from overseas and

indulged in forgery are hard to trace without the
co-operation of international agencies.

 ISD calls are prevalent in spreading obscenity in

terms of pleasure calls which are in actual

118 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

recorded messages intended for financial trap by

asking vital financial information of the caller.

 Sending Annoying Messages:

 Text Message: Annoying, Insulting, Misleading,

Defaming messages are often sent using mobile
phones in bulk. Hence the actual source could not
be fixed.

 Multimedia Messaging: Multimedia messages

often defaming the identity of a person are
distributed among small groups using mobile
phones. Pornography, Obscene messages and
cyber bullying are becoming very common and
very popular, for e.g. Delhi MMS Scandal.
Obscene videos are often captured in remote
places unknowingly of the victim for future
exploitation.

 Hacking: A hacker is an unauthorized user who

tries to or gains access to an information system.
Hacking is a crime even if there is no noticeable
damage to the system, since it is an incursion in to
the privacy of data. There are different types of
Hackers, like:

119 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 White Hat Hackers: They consider that

information distribution is good, and that it is
their responsibility to share their knowledge by
enabling access to information. However, there
are some white hat hackers who are just ―joy
riding" on computer systems.
 Black Hat Hackers: They cause damage after
invasion. They may steal or alter data or
introduce viruses or worms which damage the
system. They are also called ‗crackers‘.
 Grey Hat Hackers: Characteristically ethical but
occasionally violates hacker ethics. Hackers will
hack into networks, standalone computers and
software. Network hackers attempt to gain
unauthorized access to isolated computer
networks just for challenge, inquisitiveness, and
circulation of information.
 Blue Hat Hackers: These are free-lance service
providers who offer their expertise for hire to
computer security firms. Before a new system is
introduced in the market, the services of blue hats
are called for, to check the system for any
potential weaknesses.

120 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Elite Hackers: They are the first ones to break into

a seemingly impenetrable system and write
programs to do so. The elite status is generally
conferred on them by the hacking community to
which they belong.
 Skiddie: The term "skiddie" is short for "Script
Kiddie". These are the amateur level hackers who
manage to break into and access systems by
making use of programs written by other expert
level hackers.

121 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

The Cardinal Rules of Cyber Forensic:

There are basically five cardinal rules to be followed
systematically by cyber forensic examiner.

1. Never Mishandle the Evidence

2. Never work on the Original Evidence
3. Never Trust the Subject‘s Operating System
4. Document Everything
5. The results should be repeatable and verifiable by
a third party

Steps Taken By Computer Forensics Experts:

The following steps should be taken:

1. Protect the subject computer system during the
forensic examination from any possible alteration,
damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This
includes existing normal files, deleted yet remaining
files, hidden files, password-protected files, and
encrypted files.
3. Recover all of discovered deleted files.
4. Reveal the contents of hidden files as well as
temporary or swap files used by both the application
programs and the operating system.

122 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

5. Access the contents of protected or encrypted

files.
6. Analyze all possibly relevant data found in special
areas of a disk. This includes but is not limited to
what is called unallocated space on a disk, as well as
slack space in a file.
7. Print out an overall analysis of the subject
computer system, as well as a listing of all possibly
relevant files and discovered file data.
8. Provide an opinion of the system layout and
anything discovered.
9. Provide expert consultation and/or testimony, as
required.

123 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Computer Evidence Processing Steps:

The following are general computer evidence

processing steps:
1. Shut down the computer.
2. Document the hardware configuration of the
system.
Be-fore dismantling the computer, it is important
that pictures are taken of the computer from all
angles to document the system hardware
components and how they are connected. Labeling
each wire is also important.
3. Transport the computer system to a secure
location.
4. Make bit stream backups of hard disks and floppy
disks.
5. Mathematically authenticate data on all storage
devices.
6. Document the system date and time.
7. Make a list of key search words.
8. Evaluate the Windows swap file.
9. Evaluate file slack.
10. Evaluate unallocated space (erased files).
11. Search files, file slack, and unallocated space for
keywords.

124 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

12. Document file names, dates, and times.

13. Identify file, program, and storage anomalies. .
14. Evaluate program functionality.
15. Document your findings.
16. Retain copies of software used.

Digital Evidence:
It is information and data of significance to a
particular case that is store on received, or put out
by an electronic device. This evidence is obtained
when data or electronic devices are seized and
protected for inspection.
Digital evidence:
 Is hidden, like fingerprints or DNA evidence.
 Crosses jurisdictional borders rapidly and
effortlessly.
 Can be changed, spoiled, or ruined quickly.
 May be time sensitive.

Collection of Digital Evidences:

First responders may track the steps given below to
direct their management of digital evidence at an
electronic scene of crime:

125 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Recognize, identify, seize, and secure all digital

evidences at the scene.
 Document the complete scene and the detailed
place of the evidence established.
 Gather, tag, and protect the digital evidence.
 Wrap up and move digital evidence in a protected
way.
 Before gathering evidence at a scene of crime,
first responders must make sure that—
1. Lawful authority is present to seize evidence.
2. The scene has been protected and documented.
3. Suitable special defensive tools are used.

Volatile Evidence

Always try to collect the most volatile evidence first.

An example an order of volatility would be:
1. Registers and cache

2. Routing tables

3. Arp cache

4. Process table

5. Kernel statistics and modules

126 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

6. Main memory

7. Temporary file systems

8. Secondary memory

9. Router configuration

10. Network topology

Other Electronic and Peripheral Devices of Potential

Evidential Value:

The following are examples of electronic devices,

components, and peripherals that first responders
may need to collect as digital evidence:
 Audio recorders.
 GPS accessories.
 Answering machines.
 Computer chips.
 Pagers.
 Cordless landline telephones.
 Copy machines.
 Cellular telephones.
 Hard drive duplicators.
 Facsimile (fax) machines.

127 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Multifunction machines (printer, scanner, copier,

and fax).
 Wireless access points.
 Laptop power supplies and accessories.
 Smart cards.
 Videocassette recorders (VCRs).
 Scanners.
 Telephone caller ID units.
 Personal Computer Memory Card International
Association (PCMCIA) cards.
 PDAs.

128 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Disk Imaging
 Disk Imaging is a fundamental process in digital
forensics.
 In disk imaging, we make exact copies of storage
devices or its partition and then store it in a larger
storage or directly burn it on another device.
 Only Storage devices may contain digital evidence
(all devices may contain physical evidences too).
 Several standard algorithms like MD5, SHA etc.
accepts file or file system or disk as input and
produces a string value as output.
 This operation is irreversible and any small
change in input will affect the output.
 The different tools available for Imaging and
Cloning are: SOLO 4, Forensic Dossier, SuperSonix,
WinHex, FTK Imager, EnCase Forensic Imager,
Acronis True Image Home, CloneZilla, DriveImage
XML V2.50, etc.
 SHA and MD5 are the most popular algorithms
used by experts to calculate the hash values and
check the integrity of the evidence.

129 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Different Types Of Computer Virus On The Basis

Of Action

1. Macro Viruses
These viruses infect the files formed using several
applications or programs that include macros like
doc, pps, xls and mdb. They involuntarily infect the
archive with macros and also templates and
documents that are enclosed in the file. They hide in
files shared from e-mail and networks.
 Macro viruses include:
 Relax
 bablas
 Melissa.A
 097M/Y2K

2. Memory Resident Viruses

They generally attach themselves within the
computer memory. They become active when the OS
runs and end up infecting other open files. They
conceal in RAM.
Memory Resident Viruses Include:
 CMJ
 meve

130 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 randex
 mrklunky

3. Overwrite Viruses
These kinds of viruses erase any information in a
file they infect, making them partially or entirely
useless if they are infected.
Overwrite Viruses Include:
 Trj.Reboot
 Way
 Trivial.88.D

4. Direct Action Viruses

These viruses mostly duplicate or take action once
they are executed. When a certain condition is met,
the viruses will act by infecting the files in the
directory or the folder specified in the
AUTOEXEC.BAT. The viruses are usually seen in the
hard disk‘s root index, but they keep on changing
location. For example: Vienna virus.

5. Directory Virus

131 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

It is also recognized as cluster virus or file system

virus. They infect the computer‘s directory by
altering the pathway signifying file position.

6. Web Scripting Virus

The majority web pages consist of some intricate
codes in order to generate an interactive and
attention-grabbing content.

7. Multipartite Virus
These kinds of viruses can spread in various ways.
Their method varies according to their OS installed
and existence of certain files. They tend to hide in
the computer‘s memory but do not infect the hard
disk.

Some Other Types Of Viruses

 Trojan horse: A program formed to distribute a

malicious program that may then cause damage to
your computer. A Trojan horse is delivered by
somebody or hidden inside another program that
may seem undamaging.
 Spyware: A general type of spyware is a key-logger
program. This program can trace every key stroke

132 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

and mouse click you have done. Spyware can be

delivered via a Trojan horse program. Some
spyware is not meant to be malicious, such as
tracking cookies. A tracking cookie tracks your
internet usage and sends the information back to its
source.
 Adware: Adware is a form of malware. One word -
pop-ups. Adware is formed to pop up
advertisements. Adware can be very annoying.
 Worms: A nasty little program can cause less
speed in a network. A worm will duplicate itself
and multiply from computer to computer. Worms
are commonly spread through email attachments.
 Boot Sector Virus: Not so usual any longer, but
they were spiteful little programs that got
encumbered into your master boot record. Most
frequently multiply by floppy disks. These viruses
could then commence themselves ahead of your
operating system even loaded. Today most BIOS
avert code from being written to the boot sector.
 Time Bomb: A virus made to perform at a later
date or upon an action done. These programs lay
inactive until an incident occurs.

133 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Browser Hijacker: A virus will cover your web

browser and involuntarily readdress you to
another website.
 File Infector Virus: A virus that live inside a file,
usually a .exe file. When the file is executed, it will
then run its malicious code.
 Polymorphic Virus: A virus is made to change
itself in way to evade virus detection.
 Worms: A computer worm is a standalone
malware computer program that duplicates itself
so that it can extend to other computers.

134 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

The Four Phases Of Data Recovery

Phase 1: Repair the storage drive

Phase 2: Image the drive to a new drive or a disk
image file
Phase 3: Logical recovery of the files, partition, MBR
(Master Boot Records) and MFT (Managed File
transfer)
Phase 4: Repair of damaged files that were retrieved

Software used for Data Recovery

The data recovery software offer various features

like: recovering deleted data from hard drive, SSD
cards, USB pen drives, CD/DVD, camera, media
players, and other devices and support various file
systems like FAT, FAT16, FAT32, NTFS, EXT2/EXT3
etc.
They also scan, filter results, use wildcards for
searching specific files, retrieval of files with
various file formats including DOC, XLS, JPG,
JPEG, PNG, PSD, ZIP, MP4, HTML and many other
formats and more.
The 10 Best Data recovery software are mentioned
below:
1. Data Rescue PC3

135 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

2. Ontrack EasyRecovery
3. Stellar Phoenix Windows Data Recovery
professional
4. Seagate File recovery
5. R-Studio
6. Data recovery wizard Professional
7. Recover my files Professional
8. Get Data Back
9. Power Data recovery
10. Salvage data Recovery

Types of Digital Forensic Tools

There are two basic criteria to categorize digital

forensic tools. They are:
a. Based on developer they are two types:

1. Open source

2. Proprietary

b. Based on use of software/tools they are of three

types:

1. Live acquisition

2. Imaging

3. Analysis
136 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Tools used for Forensic Analysis

1 EnCase: ‗Computer forensic‘ and ‗Encase‘ both are

very close words. EnCase software is developed by
‗Guidance Software‘.

2. The Sleuth kit: It is one of the many popular open

source tools. It provides command line interface.

3. FTK Imager: This software is developed by Access

Data. It is a free tool and occupies around 30 MB
of memory. FTK Imager provides support for
VXFS, exFAT, and Ext4 file systems. It safely
mounts a forensic Image
(AFF/DD/RAW/001/E01/S01) as a physical device
or logically as a drive letter. FTK imager can be
used to create image and then mount it as a
physical drive. It also provides recovery of deleted
files. This tool has built in MD5 calculator to
ensure the integrity of evidence. It facilitates disk
access in hexadecimal interface. Deleted files can
be searched easily. We can also perform search by
header values for which FTK uses Master File
table.

137 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

4. DEFT: It is a live operating system along with the

collection of several forensic tools. It is Ubuntu
based.

5. Volatility: One of the popular tools in memory

forensic is Volatility. It can be used to investigate
the content of RAM. Malware present in RAM can
be identified by the experts by using volatility. It is
available for windows, Linux and Mac operating
systems.

6. Last Activity View: Last Activity tool is for

Windows operating system. It collects information
from various sources on a running system, and
displays a log of actions made by the user and
events occurred in the computer..

The following actions and events are currently

supported by Last Activity View:

 Run .EXE file

 Select file in open/save dialog-box.
 Open file or folder
 View Folder in Explorer
 Software Installation
 System Started

138 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 System Shutdown
 Resumed from sleep
 Network Connected
 Network Disconnected
 Software Crash
 Software stopped responding (hang)

7. HxD: It is a free tool. It is simple hex editor of disk

image and RAM. It is very useful to analyze disk or
file system manually.

8. CAINE (Computer Aided Investigative

Environment): It is also a live Linux CD with
collection of forensic tools. CAINE offers a
complete forensic environment that is organized
to integrate existing software tools as software
modules and to provide a friendly graphical
interface.

9. Mandiant Redline: ―Redline, Mandiant‘s premier

free tool, provides host investigative capabilities to
users to find signs of malicious activity by memory
and file analysis, and the development of a threat
assessment profile.

139 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

10. Plain Sight tool: It has a comprehensive forensic

environment with powerful open source tools
which allow the investigator to grab vital
information from the target system. Functions are
follows:

 Disk and partition information

 User and group information
 Internet history
 Acquiring windows firewall configuration
 Discover recent document
 USB storage information

11. Nirosoft: It is a compilation of following:

 Password recovery utilities

 Network monitoring utility
 Web browser tool
 Multimedia related utility (video and audio
)
 Internet utility
 Command line utility
 Desktop utilities

Write blockers

140 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Write blocker is an important tool. It might be a

hardware or software version. Hardware tools
are considered to be more reliable. During
imaging or processing evidence, it can be
tempered (by mistake or intention). If the
investigation system is affected by viruses, they
can infect evidence. To avoid this situation
investigator connects evidence to system through
a write blocker. Write blockers are totally
transparent to operating system.

141 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Mobile Forensics
The term ―mobile devices‖ encompasses a wide
array of gadgets ranging from mobile phones,
smartphones, tablets, and GPS units to wearables
and PDAs. What they all have in common is the fact
that they can contain a lot of user information.

Information that resides on mobile devices:

 Incoming, outgoing, missed call history

 Phonebook or contact lists
 SMS text, application based, and multimedia
messaging content
 Pictures, videos, and audio files and
sometimes voicemail messages
 Internet browsing history, content, cookies,
search history, analytics information
 To-do lists, notes, calendar entries, ringtones
 Documents, spreadsheets, presentation files and
other user-created data
 Passwords, passcodes, swipe codes, user account
credentials
 Historical geolocation data, cell phone tower
related location data, Wi-Fi connection
information
 User dictionary content
 Data from various installed apps
 System files, usage logs, error messages

142 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Deleted data from all of the above

The mobile forensics process aims to recover
digital evidence or relevant data from a mobile
device in a way that will preserve the evidence in a
forensically sound condition. To achieve that, the
mobile forensic process needs to set out precise
rules that will seize, isolate, transport, store for
analysis and proof digital evidence safely
originating from mobile devices.

Examination & Analysis

As the first step of every digital investigation

involving a mobile device, the forensic expert
needs to identify:

Type of the mobile device(s) – e.g., GPS,

smartphone, tablet, etc.
 Type of network – GSM, CDMA, and TDMA
 Carrier
 Service provider (Reverse Lookup)
Non-Invasive Methods
Non-invasive methods can deal with other tasks,
such as unlocking the SIM lock or/and the operator
lock, the operating system update, IMEI number
modification, etc. These techniques are virtually
inapplicable in cases where the device has

143 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

sustained severe physical damage. Types of non-

invasive mobile forensic methods:

 Manual extraction: The forensic examiner

merely browses through the data using the
mobile device‘s touchscreen or keypad.
 Logical extraction: This approach involves
instituting a connection between the mobile
device and the forensic workstation using a USB
cable, Bluetooth, Infrared or RJ-45 cable.
 JTAG method: JTAG is a non-invasive form of
physical acquisition that could extract data from
a mobile device even when data was difficult to
access through software avenues because the
device is damaged, locked or encrypted. The
device, however, must be at least partially
functional (minor damages would not hinder this
method).
 Hex Dump: Similar to JTAG, Hex dump is
another method for physical extraction of raw
information stored in flash memory.

Invasive Methods
 Chip-off: A process that refers to obtaining data
straight from the mobile device‘s memory chip.
The whole process consists of five stages:

144 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

1. Detect the memory chip typology of the device

2. Physical extraction of the chip (for example, by

unwelding it)

3. Interfacing of the chip using

reading/programming software.

4. Reading and transferring data from the chip to a

PC

5. Interpretation of the acquired data (using

reverse engineering)

 Micro read: This method refers to manually

taking an all-around view through the lenses of
an electron microscope and analyzing data seen
on the memory chip, more specifically the
physical gates on the chip.

Mobile Analysis Phases

The Identification Phase

The forensic examiner should identify the following

details for every examination of a mobile device:

1. The legal authority: It is important for the

forensic examiner to determine and document
what legal authority exists for the acquisition and
examination of the device as well as any

145 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

limitations placed on the media prior to the

examination of the device.
2. The goals of the examination: The examiner will
identify how in-depth the examination needs to
be based upon the data requested. The goal of the
examination makes a significant difference in
selecting the tools and techniques to examine the
phone and increases the efficiency of the
examination process.
3. The make, model, and identifying information
for the device: The make, model, and identifying
information for the device As part of the
examination, identifying the make and model of
the phone assists in determining what tools
would work with the phone.
4. Removable and external data storage: Many
mobile phones provide an option to extend the
memory with removable storage devices, such as
the Trans Flash Micro SD memory expansion
card. In cases when such a card is found in a
mobile phone that is submitted for examination,
the card should be removed and processed using
traditional digital forensic techniques. It is wise
to also acquire the card while in the mobile

146 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

device to ensure data stored on both the handset

memory and card are linked for easier analysis.
5. Other sources of potential evidence: Mobile
phones act as good sources of fingerprint and
other biological evidence. Such evidence should
be collected prior to the examination of the
mobile phone to avoid contamination issues
unless the collection method will damage the
device. Examiners should wear gloves when
handling the evidence.

The Preparation Phase

Once the mobile phone model is identified, the

preparation phase involves research regarding the
particular mobile phone to be examined and the
appropriate methods and tools to be used for
acquisition and examination.

The Isolation Phase

Mobile phones are by design intended to

communicate via cellular phone networks,
Bluetooth, Infrared, and wireless (Wi-Fi) network
capabilities. When the phone is connected to a
network, new data is added to the phone through
incoming calls, messages, and application data,
147 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

which modifies the evidence on the phone. Complete

destruction of data is also possible through remote
access or remote wiping commands. For this
reason, isolation of the device from communication
sources is important prior to the acquisition and
examination of the device. Isolation of the phone
can be accomplished through the use of faraday
bags, which block the radio signals to or from the
phone. Past research has found inconsistencies in
total communication protection with faraday bags.
Therefore, network isolation is advisable. This can
be done by placing the phone in radio frequency
shielding cloth and then placing the phone into
airplane or flight mode.

The Processing Phase

Once the phone has been isolated from the

communication networks, the actual processing of
the mobile phone begins. The phone should be
acquired using a tested method that is repeatable
and is as forensically sounded as possible. Physical
acquisition is the preferred method as it extracts the
raw memory data and the device is commonly
powered off during the acquisition process. On most

148 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

devices, the least amount of changes occur to the

device during physical acquisition. If physical
acquisition is not possible or fails, an attempt
should be made to acquire the file system of the
mobile device. A logical acquisition should always
be obtained as it may contain only the parsed data
and provide pointers to examine the raw memory
image.

The Verification Phase

After processing the phone, the examiner needs to

verify the accuracy of the data extracted from the
phone to ensure that data is not modified. The
verification of the extracted data can be
accomplished in several ways. Comparing extracted
data to the handset data Check if the data extracted
from the device matches the data displayed by the
device. The data extracted can be compared to the
device itself or a logical report, whichever is
preferred.

The Document And Reporting Phase

The forensic examiner is required to document

throughout the examination process in the form of
contemporaneous notes relating to what was done
149 Edited by forensicfield (Archana Singh)
 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

during the acquisition and examination. Once the

examiner completes the investigation, the results
must go through some form of peer-review to
ensure the data is checked and the investigation is
complete.

The examiner‘s notes and documentation may

include information such as the following:

 Examination start date and time

 The physical condition of the phone
 Photos of the phone and individual components
 Phone status when received—turned on or off
 Phone make and model
 Tools used for the acquisition
 Tools used for the examination
 Data found during the examination
 Notes from peer-review

The Presentation Phase

Throughout the investigation, it is important to

make sure that the information extracted and
documented from a mobile device can be clearly
presented to any other examiner or to a court.
Creating a forensic report of data extracted from the

150 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

mobile device during acquisition and analysis is

important. This may include data in both paper and
electronic formats.

The Archiving Phase

Preserving the data extracted from the mobile

phone is an important part of the overall process. It
is also important that the data is retained in a
useable format for the ongoing court process, for
future reference, should the current evidence file
become corrupt, and for record keeping
requirements.

151 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

Reference:

 Alexopoulos, C.J. and H.C. Bold. 1967. Algae and Fungi. The
Macmillan Company. New York.
 Bold, Harold C. and Michael J. Wynne. 1978. Introduction to the
Algae: Structure and Reproduction. Prentice-Hall, Inc.
Englewood Cliffs, New Jersey.
 Dixit, Sushil S., John P Smol, Donald F Charles, Robert M
Hughes. 1999. "Assessing Water Quality Changes in the Lakes of
the Northeastern United States using
 Sediment Diaatoms." Canadian Journal of Fisheries and Aquatic
Sciences. Volume 56, pp 131-152.
 Garrison, David L. "Diatoms". New World encyclopedia. 1992.
 Introduction to Bacillariophyta. Online.
Available: http://www.ucmp.berkeley.edu/chromista/bacillario
phyta.html
 Prescott, Gerald Webber. 1968. The Algae: A Review. Houghton
Mifflin Company. New York.
 Tiffany, Lewis H. 1968. Algae: The Grass of many
Waters. Charles C. Thomas Publisher. Springfield, Illinois.
 Auer A (1991) Qualitative diatom analysis as a tool to diagnose
drowning. Am J Forensic Med Pathol 12: 213-218.
 Holden HS, Crosfill JWL (1955) The significance of foreign
bodies in the alveoli of the apparently drowned. J For. Med 2:
141-50.
 RUSHTON DG (1961) Drowning--a review. Med Leg J 29: 90-97.
 Timperman J (1979) personal communication.
 Peabody AJ (1980) Diatoms and drowning--a review. Med Sci
Law 20: 254-261.
 Pollanen MS (1996) The diatom test for drowning in Ontario.
Canadian Society of Forensic Science 29: 205-211.
 Ludes B, Quantin S, Coste M, Mangin P (1994) Application of a
simple enzymatic digestion method for diatom detection in the
diagnosis of drowning in putrified corpses by diatom analysis.
Int J Legal Med 107: 37-41.
 Rohn EJ, Frade PD (2006) The role of diatoms in medico legal
investigations

152 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 The history contemporary science and application of the diatom

test for drowning. Forensic Examiner: 10-15.
 Pachar JV, Cameron JM (1992) Scanning electron microscopy:
application in the identification of diatoms in cases of drowning.
J Forensic Sci 37: 860-866.
 Gruspier KL, Pollanen MS (2000) Limbs found in water:
investigation using anthropological analysis and the diatom test.
Forensic Sci Int 112: 1-9.
 Hürlimann J, Feer P, Elber F, Niederberger K, Dirnhofer R, et al.
(2000) Diatom detection in the diagnosis of death by drowning.
Int J Legal Med 114: 6-14.
 Natasha D, Aleksej D (2005) Differential diagnostic elements in
the determination of drowning. Rom J Leg Med 13: 22 -30.
 Horton BP, Boreham S, Hillier C (2006) The development and
application of a diatom-based quantitative reconstruction
technique in forensic science. J Forensic Sci 51: 643-650.
 MUELLER B (1952) [The problem of diagnosis in death by
drowning]. Dtsch Z Gesamte Gerichtl Med 41: 400-404.
 Tomonaga T (1954) The diagnosis of drowning by wet digestion.
Jpn. J. Legal Med 8: 143-149.
 THOMAS F, VAN HECKE W, TIMPERMAN J (1961) The
detection of diatoms in the bone marrow as evidence of death by
drowing. J Forensic Med 8: 142-144.
 Andrews, A. B. Design of Blasts. Emphasis on Blasting. Ensign
Bickford Co. Abramowitz, M. Contrast Methods in Microscopy:
Transmitted Light. vol. 2. Olympus Corporation, New York,
1987.
 Allen, T. J. and Scranage, J. K. The transfer of glass—Part 1:
Transfer of glass to individuals at different distances, Forensic
Science International (1998) 93:167–174.
 Allen, T. J., Cox, A. R., Barton, S., Messam, P., and Lambert, J.
A. The transfer of glass—Part 4: The transfer of glass fragments
from the surface of an item to the person carrying it, Forensic
Science International (1998a) 93:201–208.
 Allen, T. J., Hoefler, K., and Rose, S. J. The transfer of glass—
Part 2: A study of the transfer of glass to a person by various
methods, Forensic Science International (1998b) 93:175–193.
 Allen, T. J., Hoefler, K., and Rose, S. J. The transfer of glass—
Part 3: The transfer of glass from a contaminated person to

153 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

another uncontaminated person during a ride in a car, Forensic

Science International (1998c) 93:195–200.
 Almirall, J. R. Forensic Glass Analysis: Overview and New
Developments. Presented at the International Symposium on the
Forensic Examination of Trace Evidence in Transition, San
Antonio, Texas, 1996.
 American Society for Crime Laboratory Directors/Laboratory
Accreditation Board (ASCLD/LAB). Supplemental
Requirements for the Accreditation of Forensic Science Testing
and Calibration Laboratories. ASCLD/LAB, Raleigh, North
Carolina, 2006.
 ASTM International. ASTM C162-05 Standard Terminology of
Glass and Glass Products. ASTM International, West
Conshohocken, Pennsylvania.
Available: http://www.astm.org/Standards/C162.htm.
 ASTM International. ASTM C729-05 Standard Test Method for
Density of Glass by the Sink-Float Comparator. ASTM
International, West Conshohocken, Pennsylvania.
Available: http://www.astm.org/Standards/C729-05.htm.
 ASTM International. ASTM C1036-06 Standard Specification
for Flat Glass. ASTM International, West Conshohocken,
Pennsylvania.
Available: http://www.astm.org/Standards/C1036.htm.
 ASTM International. ASTM E1967-98(2003) Standard Test
Method for the Automated Determination of Refractive Index of
Glass Samples Using the Oil Immersion Method and a Phase
Contrast Microscope. ASTM International, West Conshohocken,
Pennsylvania.
Available: http://www.astm.org/Standards/E1967.htm.
 Andrasko, J. and Maehly, A. C. The discrimination between
samples of window glass by combining physical and chemical
techniques, Journal of Forensic Sciences (1978) 23:250–262.
 Arbab, M., Shelestak, L. J., and Harris, C. S. Value-added flat-
glass products for the building, transportation markets, part
1, American Ceramic Society Bulletin (2005) 84:30–35.
 Arribart, H. and Abriou, D. Using atomic force microscopy for
study of glass surfaces: Part 1, The Glass Researcher: Bulletin of
Glass Science and Engineering (1999) 9:10.

154 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

 Association of Official Analytical Chemists (AOAC). Method

973.65, characterization and matching of glass fragments:
Dispersion microscopy (double variation method). In: Official
Methods of Analysis of the Association of Official Analytical
Chemists. vol. 1, 15th ed. AOAC, Gaithersburg, Maryland, 1990.
 Batten, R. A. Unpublished report. Results of Window Breaking
Experiments in the Birmingham Laboratory. Technical Note
No. 694. Forensic Science Service, Birmingham, England, 1989.
 Beveridge, A. D. and Semen, C. Glass density measurement
using a calculating digital density meter, Canadian Society of
Forensic Science Journal (1979) 12:113–116.
 Bloss, F. D. An Introduction to the Methods of Optical
Crystallography. Holt, Rinehart and Winston, New York, 1961.
 Bottrell, M. C., Webb, J. B., Buscaglia, J., and Koons, R.
D. Distribution of Elemental Concentrations Within Individual
Sheets of Float Glass. Presented at the American Academy of
Forensic Sciences Annual Meeting, San Antonio, February 2007.

 Real Digital Forensics by Keith j.Jones, Richard Bejitlich,Curtis
W.Rose ,Addison-Wesley Pearson Education
 Forensic Compiling,A Tractitioneris Guide by Tony Sammes and
Brain Jenkinson,Springer International edition.
 Computer Evidence Collection &Presentation by Chrostopher
L.T. Brown,Firewall Media.
 Homeland Security ,Techniques& Technologies by Jesus
Mena,Firewall Media.
 Software Forensics Collecting Evidence from the Scene of a
Digital Crime by Robert M.Slade ,TMH 2005
 Windows Forensics by chad Steel,Wiley India Edition.
 Attwood, S. (2017). The Value of Mobile Device (cell phone)
Forensic Examination During an Investigation. Available
at http://complianceandethics.org/value-mobile-device-cell-
phone-forensic-examination-investigation/ (06/08/2017)
 eforensicsmag (2015). Introduction to Mobile Forensics.
Available at https://eforensicsmag.com/introduction-to-
mobile-forensics/ (06/08/2017)
 Farjamfar, A., Abdullah, M., Mahmod, R. and Udzir, N.
(2014). A Review on Mobile Device’s Digital Forensic Process
Models. Available

155 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

at https://pdfs.semanticscholar.org/91c9/843bf17f5311f09031
f111ce4ce9f02d89db.pdf (06/08/2017)
 Francis, R. (2017). Computer forensics follows the bread
crumbs left by perpetrators. Available
at http://www.csoonline.com/article/3192348/security/comp
uter-forensics-follows-the-bread-crumbs-left-by-
perpetrators.html (06/08/2017)
 IntaForensics. Mobile Phone Forensics. Available
at https://www.intaforensics.com/digital-forensics/mobile-
phone-and-tablet-forensics/?v=461b1990fe86 (06/08/2017)
 Gillware Digital Forensics. Chip-Off Forensics Services.
Available at https://www.gillware.com/forensics/chip-off-
forensics-services (06/08/2017)
 Gillware Digital Forensics. JTAG Forensics Services. Available
at https://www.gillware.com/forensics/jtag-forensics-
services (06/08/2017)
 Gillware Digital Forensics. Mobile Forensics. Available
at https://www.gillware.com/forensics/mobile (06/08/2017)
 Jahankhani, H. (2010). Handbook of Electronic Security and
Digital Forensics. Available
at https://books.google.bg/books?id=vK5pDQAAQBAJ&pg=P
A367&lpg=PA367&dq=Non-
invasive+digital+forensics&source=bl&ots=jDPiyQnlNb&sig=
kI4YJm-
T6H2ssEF89c9ytCwrq8I&hl=bg&sa=X&ved=0ahUKEwi6ycD
AxqzUAhUCkRQKHWVlDWUQ6AEISTAD#v=onepage&q=No
n-invasive%20digital%20forensics&f=false (06/08/2017)
 Mahalik, H. (2014). Introduction to Mobile Forensics.
Available
at https://www.packtpub.com/books/content/introduction-
mobile-forensics (06/08/2017)
 Mohamud, L. (2016). Mobile Forensics – How do they do it –
Series Part one. Available
at https://www.linkedin.com/pulse/mobile-forensics-how-do-
series-liban-mohamud?trk=pulse_spock-
articles (06/08/2017)
 Mohamud, L. (2016). Mobile Forensics – How do they do it –
Series Part two. Available
at http://www.linkedin.com/pulse/mobile-forensics-how-do-

156 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

series-liban-mohamud?trk=pulse_spock-
articles (06/08/2017)
 Polus, S. (2016). Mobile Device Forensics. Available
at http://www.lawtechnologytoday.org/2016/12/mobile-
device-forensics/ (06/08/2017)
 Tahiri, S. (2016). Mastering Mobile
Forensics. https://books.google.bg/books?id=qgRwDQAAQBA
J&pg=PA4&lpg=PA4&dq=mobile+forensics+models&source=
bl&ots=DvQhzqsqmG&sig=qfVzl0_EH6AH60pSJnOCBDv-
uss&hl=bg&sa=X&ved=0ahUKEwiE1qnLwqzUAhXJDpoKHV3
gB804ChDoAQgrMAA#v=onepage&q=mobile%20forensics%2
0models&f=false (06/08/2017)
 UK Essays (2015). Digital Forensic Computers Forensic
Forensic Models Information Technology Essay. Available
at https://www.ukessays.com/essays/information-
technology/digital-forensic-computers-forensic-forensic-
models-information-technology-essay.php (06/08/2017)
 Wikipedia. Mobile device forensics. Available
at https://en.wikipedia.org/wiki/Mobile_device_forensics (06
/08/2017)

157 Edited by forensicfield (Archana Singh)

 Forensic Science UGC-NET/JRF Syllabus UNIT- VII

158 Edited by forensicfield (Archana Singh)