A decade ago, digital evidence in an Indian dispute usually meant a printed email chain and a witness prepared to swear to it. That is no longer true. Financial fraud is planned over encrypted messaging apps. Construction delay claims are proved or disproved through project-management software logs. Employment disputes hinge on access logs and metadata. Asset-tracing exercises in insolvency proceedings depend on forensic reconstruction of deleted accounting records. In almost every sector Exlitem India covers - arbitration, forensic investigation, construction, and expert evidence generally - the underlying record is now digital, and the question of whether that record survives scrutiny has become a specialist discipline in its own right.
That discipline is digital forensics: the science of identifying, preserving, collecting, examining, and presenting electronic data in a way that a court, tribunal, or arbitral panel can rely on. Done well, it turns a laptop, a phone, or a server into evidence as solid as a signed contract. Done badly - or done late - it turns what should have been decisive proof into an argument about admissibility that the merits of the case never get to address.
This explainer sets out the legal framework that governs digital evidence in India, what a competent forensic process actually looks like, where digital forensics shows up most often in disputes work, and what attorneys should do before they ever brief an expert.
Why this is now a front-line issue, not a technical footnote
For years, digital evidence disputes in India were treated as a procedural side-show - a fight over whether a printout was admissible, resolved by a certificate nobody read closely. That changed with the volume and centrality of digital records in commercial life. A typical shareholder dispute, fraud investigation, or construction arbitration today generates more probative material from email servers, accounting software, and messaging apps than from paper files. Regulators - the Securities and Exchange Board of India, the Reserve Bank of India, the Enforcement Directorate, and the Central Bureau of Investigation among them - increasingly build cases around forensic reconstruction of financial and communications data. The National Company Law Tribunal and its appellate counterpart routinely see valuation and fraud disputes where forensic accounting and digital forensics work side by side. Arbitral tribunals seated in India, and increasingly those administered by the Mumbai Centre for International Arbitration, the India International Arbitration Centre, and the arbitration facilities coming up in GIFT City, are being asked to rule on the authenticity of electronic records as a matter of course rather than exception.
The result is that “digital forensics as expert evidence” is no longer a niche practice area. It is close to a prerequisite for anyone litigating or arbitrating a commercial dispute of any size in India today.
The legal foundation: from Section 65B to the Bharatiya Sakshya Adhiniyam
The starting point for any discussion of electronic evidence in India is Section 65B of the Indian Evidence Act, 1872 - now succeeded by Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 (BSA), which came into force on 1 July 2024 alongside the wider overhaul of India's criminal statutes. Section 63 carries forward the essential architecture of Section 65B: electronic records are treated as secondary evidence unless accompanied by a certificate confirming how the record was generated, stored, and extracted.
The Supreme Court's most consequential ruling on this framework remains Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020), decided by a three-judge bench on 14 July 2020. The Court resolved years of inconsistency between Anvar P.V. v. P.K. Basheer (2014), which held that a certificate under Section 65B(4) was mandatory for admitting electronic records, and Shafhi Mohammad (2018), which had suggested that requirement could be relaxed in the interests of justice. Arjun Panditrao overruled Shafhi Mohammad and held, unambiguously, that the certificate is a condition precedent to admissibility of an electronic record as secondary evidence - with one important exception: if the original device itself is produced in court and its owner or operator gives evidence to authenticate it, no certificate is required at all. The Court also clarified that where a party is unable to obtain the certificate from a party in adversarial control of the device, the court has power to summon the certificate or the device, and that the certificate may in appropriate cases be filed at a later stage of the proceedings, provided the trial court is satisfied that the requirement was not deliberately or by design left over.
The BSA has tightened this further. Section 63's certificate now typically requires dual sign-off - a declaration from the person in operational control of the device or system generating the record, and a supporting certificate from an expert addressing the technical process by which the record was extracted and its hash value preserved. Where the old regime often saw certificates completed by IT administrators with limited forensic training, the new format is designed to make the involvement of a properly qualified expert closer to standard practice, not an optional extra.
Running alongside the evidence statute is Section 39 of the BSA - the successor to Section 45 of the Evidence Act - which governs when expert opinion is a relevant fact at all. It permits the court to rely on the opinion of persons specially skilled in science, art, foreign law, or, under language introduced by the BSA, any other field, when the point in issue is one the court cannot resolve on its own. Digital forensic testimony sits squarely within this provision: a judge, arbitrator, or tribunal member is not expected to independently verify a hash value or reconstruct a deleted file, and the expert's role is to make that technical judgment available for the court to test through cross-examination - not to have it accepted as binding proof. Indian courts have consistently treated expert opinion as advisory rather than conclusive, weighing it against the transparency of the expert's methodology and the internal consistency of the underlying data.
A third and less-discussed layer of the framework is Section 79A of the Information Technology Act, 2000, under which the Ministry of Electronics and Information Technology can notify forensic laboratories as an Examiner of Electronic Evidence. A handful of government and quasi-government laboratories - including CERT-In's own cyber forensic laboratory and select state forensic science laboratories - hold this notification, which allows their opinions on electronic evidence to carry statutory weight before courts and other authorities. For high-value or criminal-adjacent disputes, whether a report originates from a notified examiner, a private forensic laboratory, or an in-house IT team can materially affect how much scrutiny the opposing side gives it.
What a competent forensic process actually looks like
Stripped of jargon, digital forensics as a discipline follows five stages, and international standards - principally the ISO/IEC 27037, 27041, and 27042 family - describe them in almost identical terms regardless of jurisdiction.
Identification is the first stage: working out, often under time pressure, which devices, accounts, servers, or cloud services are likely to hold relevant data before that data is altered or lost. In a fraud investigation this might mean identifying every laptop, email account, and accounting system used by a finance team; in a construction dispute it might mean identifying the project-management platform, the site engineer's tablet, and the contractor's shared drive.
Preservation follows immediately - securing the digital crime scene so that ordinary use of a device does not overwrite or alter the very data that will later be relied on. This is the stage where cases are most often lost before they begin: a well-meaning employee who continues using a laptop, or an IT department that clears a server before litigation is contemplated, can destroy evidentiary value that no amount of later forensic skill can recover.
Collection is the forensically sound acquisition of that data - typically a bit-for-bit forensic image of a device or system, created using validated tools and a write blocker that prevents any alteration to the source. The image is hashed, commonly using SHA-256, at the point of collection, producing a unique digital fingerprint that will be recalculated at every later stage to prove nothing has changed.
Examination and analysis is where the forensic expert actually does the investigative work - recovering deleted files, reconstructing timelines, tracing communications, identifying metadata inconsistencies, or establishing whether a document was altered after the date it purports to bear. This stage must be conducted on a working copy of the forensic image, never the original, and every action taken must be logged.
Presentation is the final stage: translating the technical findings into a report and, where required, oral testimony that a court or tribunal - assumed to have no forensic background - can actually evaluate. The best forensic reports in this field are the ones that could be understood by an intelligent reader with no technical training, because that is, in effect, exactly who is judging them.
Chain of custody: the discipline that decides whether any of this matters
Chain of custody is the documented, unbroken record of everyone who has handled a piece of digital evidence, when, why, and what they did to it - from the moment it is identified through to the moment it is placed before a court. In practice this means a log recording who collected the evidence and when; where the original device or forensic image has been stored at every point since; who has accessed the working copy and for what purpose; and what analysis was performed, by whom, using what tools and software versions.
Indian courts scrutinise chain of custody heavily, in no small part because it is the single easiest ground on which to challenge digital evidence without engaging with its substance at all. A forensic report that is technically flawless is worthless if the opposing side can show a two-week gap during which the original device was in the custody of a party with an interest in the outcome, unaccompanied by any log of what happened to it. The most common and most avoidable failure in the reporting reviewed for this piece is not bad forensic science - it is bad paperwork: a missing signature, a certificate obtained after the fact rather than contemporaneously, or an image taken by someone with no record of their own qualifications.
Where digital forensics actually shows up in Indian disputes
In fraud and financial crime investigations, digital forensics is now the primary tool for reconstructing what happened to money that has disappeared tracing deleted accounting entries, recovering wiped email accounts, and correlating messaging app records with bank transaction data to establish who knew what and when. Asset-tracing exercises increasingly extend into digital assets themselves: cryptocurrency wallets, exchange records, and blockchain transaction histories are now routinely within the scope of a forensic accountant's brief, particularly as crypto and digital-payment fraud has grown as a category of dispute in India.
In arbitration, digital forensics most commonly surfaces in two forms: authenticity challenges, where one party disputes whether an email, WhatsApp message, or document is genuine or has been altered; and reconstruction exercises, where a forensic expert is asked to establish a factual timeline - for instance, when a variation order was actually communicated in a construction dispute, or when a board was actually informed of a risk in a shareholder dispute. Tribunals seated in India generally have wide discretion over the admission and weight of evidence under Section 19 of the Arbitration and Conciliation Act, 1996, and many India-seated tribunals look to the IBA Rules on the Taking of Evidence in International Arbitration for procedural guidance on electronic document production, even though those rules are not binding as a matter of Indian law.
In construction and infrastructure disputes specifically, digital forensics increasingly intersects with delay and disruption analysis: project-management software logs, site diaries maintained on tablets, and photographic metadata are used to establish or rebut the factual record underpinning an extension-of-time or prolongation claim. As new labour-code compliance obligations add fresh categories of cost and schedule disputes on infrastructure projects, the digital trail generated by workforce and compliance-tracking systems is becoming a further source of forensic evidence in this space.
In insolvency and company law matters before the NCLT and NCLAT, digital forensics is frequently used alongside forensic accounting to establish preferential transactions, related-party dealings, or diversion of funds ahead of insolvency - often the only route to reconstructing a paper trail that the parties in control of the company have an incentive not to preserve.
Why cases actually fail: the admissibility trap
The recurring pattern across Indian digital evidence disputes is that cases are rarely lost because the underlying forensic science was wrong. They are lost, or badly weakened, because the evidentiary formalities were not respected early enough. Arjun Panditrao gave some flexibility on timing - a certificate can, in appropriate circumstances, be produced later in the proceedings - but that flexibility is not a substitute for getting the process right from the outset. A party that waits until a hearing is imminent to think about certification, hashing, or chain-of-custody documentation is gambling on a court's discretion rather than relying on its own diligence.
The practical rule attorneys should take from this is straightforward: treat the possibility of a dispute as beginning the moment a document or device becomes relevant, not the moment a claim is filed. Preservation obligations, and the forensic opportunity that comes with early action, do not wait for pleadings to close.
What makes a digital forensics expert credible before an Indian court or tribunal
Four things distinguish forensic evidence that survives cross-examination from evidence that collapses under it.
Independence matters as much in digital forensics as in any other expert discipline. An expert who is, or appears to be, aligned with the instructing party's commercial interest invites exactly the kind of challenge that derails a hearing on a collateral issue rather than the merits. The most persuasive forensic evidence in Indian proceedings tends to come from experts who can demonstrate they reached their conclusions independently of which side retained them.
Transparency of methodology is the second requirement. A report that states a conclusion without describing, step by step, how the expert got there - which tools were used, what versions, what settings, what was excluded and why - gives an opposing expert nothing to engage with except the conclusion itself, which is precisely the kind of report that invites a court to discount it as unverifiable assertion.
Tool validation is the third. Courts and tribunals are increasingly attentive to whether the forensic software used has itself been validated for the specific task at hand, particularly as open-source and less well-established tools proliferate. An expert who can show that a tool's outputs have been cross-checked against an independent method is in a considerably stronger position than one who treats a tool's output as self-evidently correct.
Qualification and cross-examination readiness is the fourth. Under Section 39 of the BSA, the expert's opinion is only as persuasive as the expert's demonstrated skill in the relevant field - formal certification, relevant case experience, and the ability to explain technical findings clearly and consistently under cross-examination all bear directly on how much weight a court or tribunal will give the evidence.
A practical checklist for attorneys briefing a digital forensics expert
Preserve first and ask questions later. The moment a dispute becomes reasonably foreseeable, take steps to prevent ordinary use of relevant devices, accounts, or systems from continuing unchecked. A litigation hold notice, however informal, that goes out on day one is worth more than the most sophisticated forensic report commissioned six months later.
Appoint an expert who is genuinely independent of the client's chain of command, and brief that expert on scope in writing - what devices, accounts, date ranges, and questions the engagement covers - so that the eventual report can be defended as responsive to a defined mandate rather than an open-ended fishing exercise.
Insist on a forensic image, not a manual copy, of any device or account central to the dispute, and insist that the hash value be recorded and independently verifiable at every subsequent stage.
Build the chain-of-custody log from day one, not retrospectively. A log reconstructed after the fact, however accurate, is inherently less persuasive than a contemporaneous one.
Sequence the certification carefully. Under Section 63 of the BSA, plan for both the operational certificate from the person in control of the device or system and the technical certificate from the forensic expert, and do not assume the two can be assembled at the last minute.
Brief the expert on the forum, not just the facts. A report destined for an NCLT bench, a court, or an arbitral tribunal applying the IBA Rules may need to be framed differently depending on the audience's familiarity with digital forensic concepts and the procedural rules of that forum.
Emerging pressure points
Three developments are reshaping this field faster than the case law can keep pace with. Cloud and cross-border data storage means the device at the centre of a dispute is often a server sitting outside India, raising questions of jurisdiction, data-localisation obligations, and the practical mechanics of obtaining a certifiable extract. Encrypted messaging platforms complicate both preservation and authentication, since the same end-to-end encryption that protects legitimate communication also makes independent verification of a message's origin and integrity harder to establish forensically. And the growing sophistication of AI-generated and AI-altered media - audio, video, and even text styled to imitate a particular author - is beginning to force forensic experts and, eventually, Indian courts to develop authentication standards for content that can no longer be assumed genuine simply because it looks plausible. Expect this last issue, in particular, to generate significant case law over the next few years as deepfake-adjacent disputes reach Indian tribunals.
The bigger picture
None of this is really a story about technology. It is a story about proof - about what it takes, in an economy that now runs on servers and messaging apps rather than filing cabinets, to establish what actually happened between two parties to a dispute. India's evidentiary framework, from the Evidence Act's Section 65B through to the BSA's Section 63, has been playing catch-up with that shift for over a decade, and Arjun Panditrao Khotkar was the moment the Supreme Court tried to draw a clear line under the uncertainty. The line it drew is workable, but only for parties who treat digital forensics as a discipline to be engaged early, not a formality to be assembled under pressure once a hearing date is fixed.
For attorneys advising on disputes of any real value in India today, the operating assumption should be that the decisive evidence is already sitting on a server, a phone, or a cloud account somewhere - and that whether it ever reaches the tribunal in a form anyone can rely on depends on decisions made in the first weeks of the dispute, not the last.
Takeaway
• Digital evidence now sits at the centre of most Indian commercial disputes, from fraud investigations to construction arbitration - treat forensic preservation as a day-one priority, not a pre-hearing formality.
• Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 has tightened certification requirements beyond the old Section 65B regime; plan for dual certification (operational and expert) well before a hearing is in sight.
• Cases are rarely lost on the forensic science itself - they are lost on chain of custody, late certification, and experts who cannot demonstrate independence or transparent methodology.
• An independent, appropriately qualified digital forensics expert, briefed early and in writing, is the single biggest determinant of whether electronic evidence survives cross-examination.
Position yourself where the legal industry looks for expertise - sign up on exlitem.com to get discovered by leading lawyers and high-value clients.



