IP logs and WhatsApp metadata put centre-stage in Barasat headless-body trial — cyber-forensics reconstruct video-call timeline
In a hearing at the Barasat court last week, prosecutors in the murder case of Hazrat Laskar used Internet Protocol Detail Records (IPDR) alongside WhatsApp metadata to technically corroborate that a WhatsApp video call took place minutes before the victim was killed. The development marks an early and important instance in India of IPDR and IP-level logs being relied upon in open court to reconstruct digital timelines and place suspects at the scene.
What happened — the case in brief
Police in North 24 Parganas discovered a mutilated, partially burnt body on January 31. The victim’s severed head was recovered 16 days later. Investigators alleged that a personal dispute involving the victim and members of his extended family led to the killing.
The principal accused, Obaidullah Gazi (also known as Jalil), along with two others, has been charged in the case. During the trial, the prosecution presented cyber-forensic analysis showing that the victim’s wife made a WhatsApp video call — and saw the accused with the victim — just minutes before the murder.
How investigators proved the call — a plain-language technical summary
Prosecutors went beyond witness testimony and introduced metadata from two complementary sources to establish the digital timeline.
- Internet Protocol Detail Records (IPDR) — structured logs maintained by ISPs or telecom operators that record session-level internet metadata, including source and destination IP addresses, ports, timestamps, session duration and data volumes. IPDRs do not contain message contents but show which IP endpoints communicated and when.
- WhatsApp session metadata and port analysis — the cyber-forensic expert explained that the combination of IP addresses and specific transport ports in the IPDRs matched WhatsApp’s known signalling and traffic patterns for a video call during the relevant time window.
Taken together, these logs supplied a “who, when and where” digital trail — functionally similar to Call Detail Records (CDRs) for voice calls — allowing the prosecution to anchor oral testimony to objective network-level evidence.
Why IPDR and app metadata matter in modern investigations
- They work around end-to-end encryption. While services like WhatsApp encrypt message contents and media, IPDR and session metadata are generated at the network layer and can establish that two endpoints were connected via a specific service at a specific time.
- They help reconstruct timelines even when devices are wiped or destroyed. Local deletions do not erase ISP-level session logs, which can provide independent corroboration.
- They add forensic weight in court. When lawfully obtained, preserved and clearly explained, IPDRs can bridge gaps between witness statements and material proof.
Legal and evidentiary considerations
When courts assess IPDR and related metadata as evidence, several factors are typically examined.
- Authenticity and chain of custody — who requested the logs, how they were obtained, and what safeguards were in place to prevent tampering.
- Expert explanation and reproducibility — the court relies on qualified experts to translate raw IP addresses, ports and timestamps into clear findings while addressing alternative explanations.
- Corroboration — metadata is strongest when triangulated with other evidence such as CCTV footage, seized devices or witness testimony.
What the prosecution presented in Barasat
The state’s cyber-forensic expert testified that the source IP associated with the victim’s wife matched the destination IP associated with the victim during the session in question. Port-level analysis further aligned with traffic patterns expected of a WhatsApp video call.
The special public prosecutor stated that IPDRs and WhatsApp metadata were studied specifically to move beyond oral testimony and provide technical corroboration.
Practical limits and defence arguments
- Shared IP addresses and NAT issues — mobile networks frequently use Network Address Translation, making subscriber-to-device mapping critical.
- Use of VPNs or proxies — investigators must address whether endpoint obfuscation could explain the observed traffic.
- Interpretation risks — IP and port data are indicative but not always conclusive without supporting logs or device-level artifacts.
Forensic best-practice checklist
- Obtain ISP and telecom logs through lawful process and preserve full chain of custody.
- Collect endpoint evidence such as device images, SIM data and backups for triangulation.
- Document analysis steps using reproducible tools and maintain cryptographic hashes.
- Prepare expert testimony that explains technical findings in clear, accessible language.
What this case signals for India
The Barasat trial reflects a growing willingness among Indian investigators and courts to rely on IP-level metadata in cases involving encrypted messaging platforms. It highlights the evidentiary value of ISP session logs and the need for improved preservation mechanisms and specialised forensic training.
Sources and further reading
- Times of India — reporting on the Barasat headless-body case and court testimony
- Wikipedia — Internet Protocol Detail Record (IPDR)
- Academic literature on CDR and IPDR analysis in criminal investigations
- Industry explainers on ISP logging and IPDR interpretation
