Part 4 of 6

Evidence Preservation & Chain of Custody

Master digital evidence handling, forensic investigation support, and BSA Section 63 compliance requirements to ensure evidence admissibility in court proceedings.

~90 minutes | 5 Sections | 10 Quiz Questions

4.1 Legal Framework for Digital Evidence

Digital evidence in India is governed by the Bharatiya Sakshya Adhiniyam, 2023 (BSA), which replaced the Indian Evidence Act, 1872. Section 63 of BSA (previously Section 65B of IEA) establishes the framework for admissibility of electronic records.

BSA Section 63: Core Requirements

Section 63 - Admissibility of Electronic Records
Any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media produced by a computer shall be deemed to be also a document if the conditions mentioned in this section are satisfied.

Four Conditions Under Section 63(2)

  1. Regular Use: The computer was used regularly to store or process information for activities regularly carried on
  2. Regular Feeding: Information was fed into the computer in the ordinary course of activities
  3. Proper Working: The computer was operating properly during the material period (or if not, any malfunction did not affect the record)
  4. Accurate Reproduction: The information in the record reproduces, or is derived from, information fed into the computer in the ordinary course of activities

Certificate Requirement

Section 63(4) requires a certificate from a person occupying a responsible official position in relation to the computer. This certificate must identify the electronic record, describe the manner of production, and provide particulars of the device. WITHOUT this certificate, electronic evidence is INADMISSIBLE.

Certificate Contents (Section 63(4))

  • Identification: Identify the electronic record containing the statement
  • Production method: Describe the manner in which it was produced
  • Device particulars: Give particulars of the device involved in production
  • Compliance statement: Deal with any of the conditions in subsection (2)

Arjun Panditrao (2020) - Mandatory Certificate

The Supreme Court in Arjun Panditrao Khotkar v. Kailash Gorantyal (2020) 7 SCC 1 held that the Section 65B certificate is MANDATORY and cannot be waived. Electronic evidence without proper certification is inadmissible, regardless of how relevant it may be.

4.2 Evidence Preservation Protocol

Proper evidence preservation during incident response is critical for both regulatory compliance and potential litigation. Legal counsel must ensure forensic processes support evidentiary requirements.

Immediate Preservation Actions

  1. Issue Legal Hold: Suspend routine data deletion/overwriting policies
  2. Secure Volatile Data: RAM contents, network connections, running processes
  3. Create Forensic Images: Bit-by-bit copies of affected systems
  4. Preserve Logs: Server logs, firewall logs, access logs, application logs
  5. Document Environment: Network diagrams, system configurations, user lists
  6. Timestamp Everything: All actions must be timestamped and documented

Legal Hold Notice Elements

Element | Description | Importance
Scope Definition | Which systems, data types, date ranges | Prevents over-preservation and under-preservation
Custodian List | Individuals responsible for preserved data | Establishes accountability
Preservation Actions | Specific steps required (stop deletion, backup) | Operational clarity
Duration | How long the hold remains in effect | Resource planning
Consequences | Penalty for non-compliance | Ensures compliance

Preservation Priority

Prioritize volatile evidence: (1) RAM/memory, (2) network connections, (3) running processes, (4) system logs, (5) disk images. Volatile evidence disappears when systems are powered down - act fast but document everything.

4.3 Chain of Custody Requirements

Chain of custody documents the complete journey of evidence from collection to court presentation. Any break in the chain can render evidence inadmissible or subject to challenge.

Chain of Custody Documentation

Every evidence item requires documentation of:

  • Collection: Who collected, when, where, how (tools used)
  • Transfer: Each handover - from whom, to whom, date/time, condition
  • Storage: Location, access controls, environmental conditions
  • Access: Every access instance - who, when, purpose, actions taken
  • Analysis: What analysis performed, by whom, using what tools
  • Return/Disposal: Final disposition of evidence

Evidence Integrity Verification

Method | Purpose | Application
Hash Values (MD5/SHA-256) | Verify data has not been altered | Calculate at collection, verify at each transfer
Write Blockers | Prevent accidental modification during imaging | Use for all forensic imaging
Sealed Containers | Physical security of storage media | Evidence bags with tamper-evident seals
Access Logs | Track all access to evidence | Evidence management systems

Hash Value Documentation

Document hash values immediately upon collection. SHA-256 is preferred for legal purposes. Record: (1) original hash at collection, (2) hash after each transfer, (3) hash before analysis, (4) hash after analysis. Any mismatch invalidates the evidence.
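The collection-to-analysis hash record described above, written as an added Python example that is not part of this course material. The CustodyLog class, the custodian names and the sample log file are constructed for illustration; every custody event re-hashes the item with SHA-256 and compares it against the hash taken at collection, so a later alteration is flagged at the next transfer or access.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record for one evidence item (hypothetical class)."""

    def __init__(self, item_id, path, collector, location, tool):
        self.item_id, self.path, self.entries = item_id, Path(path), []
        self.original_hash = sha256_file(self.path)  # hash (1): taken at collection
        self._record("collection", collector, location=location, tool=tool)

    def _record(self, event, actor, **details):
        # Every event re-hashes the item and compares it with the collection hash.
        entry = {"item": self.item_id, "event": event, "actor": actor,
                 "utc": datetime.now(timezone.utc).isoformat(),
                 "sha256": sha256_file(self.path), **details}
        entry["verified"] = entry["sha256"] == self.original_hash
        self.entries.append(entry)
        return entry["verified"]

    def transfer(self, from_person, to_person, condition="sealed"):
        return self._record("transfer", to_person, from_person=from_person, condition=condition)

    def access(self, person, purpose):
        return self._record("access", person, purpose=purpose)

    def intact(self):
        return all(e["verified"] for e in self.entries)

def demo():
    """Constructed run: collection, a clean handover, then an alteration caught before analysis."""
    with tempfile.TemporaryDirectory() as d:
        item = Path(d) / "access.log"  # constructed sample evidence file
        item.write_text("2024-01-10 03:14:07 login root from 203.0.113.5\n")
        log = CustodyLog("EV-001", item, "A. Sharma", "DC-1 rack 4", "dd via write blocker")
        handover_ok = log.transfer("A. Sharma", "R. Mehta")
        item.write_text("2024-01-10 03:14:07 login admin from 203.0.113.5\n")  # simulated alteration
        analysis_ok = log.access("R. Mehta", "malware triage")
        return handover_ok, analysis_ok, log.intact(), log.entries
```

In practice the entries would be written to an evidence management system rather than kept in memory, and the collection hash would also be recorded on the sealed evidence bag.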

4.4 Supporting Forensic Investigations

Legal counsel's role in forensic investigations is to ensure that technical investigation processes produce legally admissible evidence while maintaining privilege where appropriate.

Legal Guidance for Forensic Teams

  1. Scope Definition: Legal defines what data can be accessed (privacy constraints, privilege)
  2. Tool Validation: Ensure forensic tools are court-accepted (EnCase, FTK, etc.)
  3. Documentation Standards: Require detailed notes meeting legal standards
  4. Reporting Format: Reports must support Section 63 certificate requirements
  5. Witness Preparation: Forensic examiners may need to testify - prepare early

Section 63 Certificate Preparation

The certificate under Section 63(4) BSA must be prepared by someone with knowledge of the computer systems. Legal should coordinate with IT to identify the appropriate certifying officer and ensure the certificate is complete.

Certificate Best Practices

Prepare Section 63 certificates DURING investigation, not after. The certifying officer should: (1) be involved from evidence collection, (2) understand the systems, (3) personally verify the conditions in Section 63(2), (4) sign with full designation and date. Courts scrutinize certificates closely.

BNSS Section 176(3): Mandatory Forensics

Under BNSS, forensic evidence collection is MANDATORY for offenses punishable with 7+ years imprisonment:

  • Videography: Mandatory video recording of search/seizure
  • Forensic expert: Must involve forensic expert for evidence collection
  • Documentation: Detailed record of forensic process
  • Non-compliance consequence: Defence can challenge evidence admissibility

Prosecution Risk

If your organization may file criminal complaints, ensure evidence collection meets BNSS Section 176(3) requirements from the start. Evidence collected without proper forensic protocols may be challenged by the defence, weakening the prosecution case.

4.5 Practical Challenges and Solutions

Evidence preservation in incident response faces practical challenges - from cloud environments to encrypted data to international data flows. Legal counsel must navigate these complexities.

Cloud Evidence Challenges

ChallengeIssueSolution
Data LocationData may be stored across jurisdictionsReview cloud contracts for data location provisions
Provider AccessOrganization may not have direct accessEnsure contracts include forensic cooperation clauses
Log AvailabilityCloud providers may not retain logs long enoughConfigure extended log retention; local log copies
Shared InfrastructureEvidence from multi-tenant environmentRequest provider attestation of evidence isolation

Encryption Considerations

  • Key Management: Preserve encryption keys separately from encrypted data
  • Access Rights: Document who has decryption authority
  • Decryption Record: Document when and why decryption was performed
  • Legal Obligations: Section 69 IT Act - decryption order from Controller

Evidence from Mobile Devices

  • Isolation: Immediately place in Faraday bag to prevent remote wipe
  • Battery: Maintain power to prevent data loss
  • BYOD Issues: Personal devices may have personal and corporate data mixed
  • Consent: For employee devices, ensure consent or policy basis for access

Pre-Incident Preparation

Include forensic cooperation clauses in all cloud and vendor contracts. Ensure employment policies authorize device access for investigations. Maintain relationships with forensic vendors for rapid engagement. Preparation before incidents enables effective response during incidents.

Key Takeaways

  • Section 63 Certificate: MANDATORY for electronic evidence - no certificate, no admissibility
  • Hash Values: Document at collection, verify at each transfer - any mismatch invalidates evidence
  • Chain of Custody: Document every handover, access, and action - breaks can exclude evidence
  • BNSS 176(3): Mandatory forensics for 7+ year offenses - ensure compliance from start
  • Cloud Evidence: Review contracts for forensic cooperation, log retention, data location

Part 4 Quiz: Test Your Knowledge

Evidence Preservation & Chain of Custody

Test your understanding of digital evidence requirements and forensic protocols
