EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityforensic-reportBSA-2023Section-63

Cloud Forensics Legal Framework & Expert Witness Reports

Cloud forensic evidence must satisfy the legal admissibility standards of the jurisdiction in which it will be used. This article covers the Indian legal framework for digital evidence, the structure of a forensic report, expert witness obligations, and the BSA 2023 Section 63 certificate.

Ashish Revar3 July 202620 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

Bharatiya Sakshya Adhiniyam 2023 — Full Text

Full text of the Bharatiya Sakshya Adhiniyam 2023 including Section 63 on electronic records.

BNSS 2023 — Bharatiya Nagarik Suraksha Sanhita

Full text of BNSS 2023 including Section 94 on production orders for electronic records.

NIST SP 800-86: Guide to Integrating Forensic Techniques

NIST guide to forensic report structure and expert witness methodology standards.

AWS Law Enforcement and Legal Process Guidelines

AWS guidelines for law enforcement requests for cloud evidence and data disclosure.

More articlesTest your knowledge

Legal Admissibility of Digital Evidence in India

India's primary legislation governing digital evidence has evolved through several acts:

ActRelevance to Cloud Forensics
Information Technology Act, 2000Section 65B: Electronic records admissible if accompanied by a certificate from the responsible person; establishes computer output as evidence
Indian Evidence Act, 1872 (amended 2000)Section 65A/65B: Conditions for admissibility of electronic evidence
Bharatiya Sakshya Adhiniyam, 2023 (BSA)Replaced Indian Evidence Act; Section 63 is the new 65B equivalent; defines computer-generated electronic record requirements
BNSS 2023 (Bharatiya Nagarik Suraksha Sanhita)Replaced CrPC; Section 94 allows production orders for electronic records from any person in possession
IT (Amendment) Act, 2008Section 43A, 72A: Liability for data breach; relevance to breach investigation evidence

BSA 2023 Section 63: The Digital Evidence Certificate

Section 63 of the Bharatiya Sakshya Adhiniyam 2023 is the most important provision for cloud forensic practitioners in India. It replaces Section 65B of the Indian Evidence Act and establishes the conditions under which a computer-generated electronic record is admissible as evidence.

Requirements Under Section 63

For a cloud-sourced log file (e.g., CloudTrail export) to be admissible as evidence:

  1. The computer from which the output was produced was used regularly for that kind of activity in the course of normal activity
  2. During the material time, the computer was operating properly or, if not, any malfunction did not affect the electronic record or its accuracy
  3. The information in the electronic record was supplied to or stored in the computer in the ordinary course of activities
  4. The electronic record was produced from information stored in the computer in the ordinary course of those activities

Section 63 Certificate: Required Contents

The certificate must:

  • Identify the electronic record with particularity
  • Describe the manner in which it was produced
  • Give the particulars of the device from which it was produced
  • Deal with any of the foregoing matters as may be appropriate
  • Be signed by a person occupying a responsible official position in the organisation

Sample Section 63 Certificate for CloudTrail Evidence:

CERTIFICATE UNDER SECTION 63 OF THE BHARATIYA SAKSHYA ADHINIYAM, 2023

I, [Name], employed as [Designation] at [Organisation Name] with
registered address at [Address], do hereby certify as follows:

1. I am responsible for the management and operation of the AWS
   CloudTrail logging service maintained by [Organisation Name].

2. The electronic records described below were produced by the AWS
   CloudTrail service, a computer-based system regularly used by
   [Organisation Name] in the ordinary course of business to record
   all management API events on AWS Account ID [ACCOUNT_ID].

3. The AWS CloudTrail service was operating normally during the
   period from [START_DATE] to [END_DATE]. I am not aware of any
   malfunction that would have affected the accuracy of the records.

4. The records are identified as:
   - File names: [LIST OF CLOUDTRAIL LOG FILES]
   - SHA-256 hashes: [LIST OF HASHES]
   - Stored at: s3://[BUCKET-NAME]/[PATH]/
   - Covering period: [START_DATE UTC] to [END_DATE UTC]

5. The log file integrity was validated using the AWS CloudTrail
   Log File Validation feature, which confirmed no logs were
   modified after delivery.

Signed: _________________
Name: [Full Name]
Designation: [Role]
Organisation: [Name]
Date: [DATE]
Place: [City]

Structure of a Cloud Forensic Report

A cloud forensic report for legal proceedings must be structured, comprehensive, and intellectually honest. The standard structure:

1. Executive Summary (1-2 pages)

  • What happened (brief non-technical description)
  • When (UTC timestamps converted to IST)
  • Who was affected and how many records/systems
  • Key findings in plain language
  • Forensic examiner's conclusion (unambiguous, qualified appropriately)

2. Scope and Methodology

  • What systems and log sources were in scope
  • What was explicitly excluded and why
  • Tools used (Athena, Splunk, LiME, etc.)
  • Dates and times of evidence collection
  • Chain of custody documentation reference

3. Technical Findings

For each finding:

  • Finding: What was observed (supported by specific log entries with timestamps)
  • Evidence reference: CloudTrail Event ID, log file name, S3 path
  • Interpretation: What the finding means in the context of the investigation
  • Alternative explanations considered and ruled out (intellectual honesty requirement)

4. Timeline Reconstruction

A consolidated timeline of events in chronological order, cross-referencing multiple log sources:

Time (UTC)Time (IST)SourceEventSignificance
2024-07-01 04:23:1109:53:11CloudTrailConsoleLogin success from 185.x.x.xInitial access
2024-07-01 04:24:0209:54:02CloudTrailCreateUser: backdoor-adminPersistence established
2024-07-01 04:24:4509:54:45CloudTrailAttachUserPolicy: AdministratorAccessPrivilege escalation
2024-07-01 04:31:1810:01:18VPC Flow Log5.2GB outbound to 91.x.x.xData exfiltration

5. Conclusions

Clearly stated conclusions with appropriate qualifications:

  • "The evidence indicates, beyond reasonable doubt, that..." (where supported)
  • "The evidence is consistent with, but does not conclusively prove, that..." (where alternative explanations exist)
  • "The evidence does not address whether..." (where scope limits conclusions)

6. Appendices

  • Evidence manifest with hashes
  • Section 63 certificate
  • Tool output screenshots
  • Relevant log excerpts with line references

Expert Witness Obligations

A cloud forensic expert witness in Indian proceedings has specific obligations under BSA 2023 and the rules of evidence:

ObligationWhat It Requires
ImpartialityThe expert's duty is to the court, not to the party that retained them
Intellectual honestyConclusions must reflect the evidence; overstating certainty is perjury
Disclosure of limitationsIf logs are incomplete, the report must say so
Methodology transparencyAll analysis steps must be reproducible by another expert
No speculationState only what the evidence supports; separate observation from inference

The Supreme Court of India has consistently held that expert opinion evidence must be supported by the underlying data and methodology — not just the expert's conclusion. A cloud forensic expert whose methodology cannot withstand cross-examination on the technical procedures they followed risks having their evidence set aside.