Digital Forensics Services in India — What Happens During a Cyber Investigation
A senior employee resigns abruptly and walks out with what appears to be a significant portion of your customer database. A ransomware attack encrypts your servers at 3 AM, and you need to know exactly how the attacker got in and what they accessed. A business partner is accusing your company of data theft, and you need to prove your systems were not involved. A regulatory auditor is asking for evidence of who accessed a specific file on a specific date six months ago.
In all of these scenarios, you need digital forensics.
Digital forensics is the science of identifying, preserving, extracting, analysing, and presenting digital evidence in a legally admissible manner. It is what happens when cybersecurity meets legal accountability. This guide explains what digital forensics is, how cyber investigations are conducted in India, the Indian legal framework for electronic evidence, and when to engage a professional forensics team.
What is Digital Forensics?
Digital forensics (also called cyber forensics or computer forensics) is a branch of forensic science concerned with the recovery and investigation of material found in digital devices in a way that is forensically sound — meaning the integrity of evidence is preserved and the methodology can withstand legal scrutiny.
The goal of digital forensics is not just to answer “what happened?” but to answer it with evidence that can be documented, verified, and presented in legal or regulatory proceedings.
Types of Digital Forensics
1. Disk Forensics (Computer Forensics)
The most common type. Involves the forensic analysis of storage media — hard drives, SSDs, USB drives, and other storage devices. Forensic examiners create a bit-for-bit copy (forensic image) of the storage device and analyse it for relevant data including deleted files, browsing history, file access timestamps, document metadata, and user activity logs.
2. Network Forensics
Involves capturing and analysing network traffic to reconstruct communication events, identify data exfiltration, trace attack sources, or investigate policy violations. Network forensics uses tools like Wireshark, Zeek, and Security Onion to analyse packet captures, NetFlow data, and proxy logs. Particularly valuable in investigating data breach scenarios where the exfiltration path needs to be established.
3. Mobile Device Forensics
Extraction and analysis of data from smartphones, tablets, and other mobile devices. Mobile forensics can recover call logs, SMS/WhatsApp messages, emails, photos, location data, deleted content, and app data. In India, mobile forensics is frequently used in employee misconduct investigations, matrimonial disputes, and financial fraud cases. Specialised tools (Cellebrite UFED, Oxygen Forensics) are required for locked device extraction.
4. Memory Forensics (RAM Forensics)
The analysis of a computer’s volatile memory (RAM) at a specific point in time. Memory forensics can reveal running processes, network connections, decrypted content (encryption keys, plaintext from encrypted files), user credentials, and malware that exists only in memory without writing to disk (fileless malware). Requires a live memory capture before the system is powered off — which is why powering off a compromised machine is generally the wrong first response.
5. Cloud Forensics
Investigation of incidents occurring in cloud environments (AWS, Azure, GCP, SaaS applications). Cloud forensics involves collecting and analysing cloud audit logs, access logs, API call records, and storage access logs. It is complicated by the multi-tenant nature of cloud infrastructure and the limited ability to directly access underlying hardware. Proper logging must be pre-configured before an incident — you cannot forensically collect logs that were never generated.
6. Database Forensics
Investigation of database systems to determine what data was accessed, modified, exfiltrated, or deleted. Database forensics analyses transaction logs, audit trails, query histories, and database artefacts. Particularly important in SQL injection attack investigations and insider data theft cases.
When Do You Need Digital Forensics?
Engage a digital forensics team when:
- Security breach or suspected breach: You believe your systems have been compromised and need to understand the scope, impact, and attack vector
- Ransomware attack: Post-ransomware forensics determines the initial entry point, dwell time, data accessed or exfiltrated, and whether all malicious artefacts have been removed
- Employee misconduct investigation: IP theft, data exfiltration, policy violation, or fraud by a current or former employee
- Legal dispute: Digital evidence is needed to support or defend against litigation — contract disputes, fraud accusations, defamation
- Regulatory requirement: RBI, SEBI, or CERT-In require a forensic investigation report as part of incident reporting or regulatory inquiry
- Insurance claim: Cyber insurance carriers typically require a forensic investigation report to process claims
- Pre-litigation evidence preservation: You anticipate legal proceedings and want to preserve digital evidence before it is lost or overwritten
Indian Legal Framework for Electronic Evidence
Information Technology Act 2000 (IT Act)
The IT Act is the primary legislation governing cybercrime in India. Relevant provisions for digital forensics:
- Section 43: Unauthorised access, data theft, introduction of viruses — civil liability
- Section 66: Computer-related offences — criminal penalties for hacking, data theft
- Section 66C: Identity theft using electronic means
- Section 66D: Cheating by impersonation using computer resources
- Section 72: Breach of confidentiality by persons who have accessed electronic records during investigations
- Section 79: Safe harbour provisions for intermediaries — relevant in social media investigation contexts
Section 65B of the Indian Evidence Act 1872 — The Critical Rule
Section 65B is the most important legal provision for digital forensics practitioners in India. It governs the admissibility of electronic evidence in Indian courts. Key requirements:
- Electronic records are admissible as documentary evidence if accompanied by a Section 65B certificate
- The certificate must be signed by a responsible official of the organisation that owns or operates the computer from which the electronic record was produced
- The certificate must state that the computer was in lawful use during the relevant period, that the computer was operating properly, and that the electronic record was produced from the data stored in that computer
- Without a Section 65B certificate, electronic evidence (emails, WhatsApp messages, server logs) may not be admitted by an Indian court
Practical implication: If you anticipate that digital evidence may be used in Indian legal proceedings, engage a forensics professional who understands Section 65B requirements from the outset of the investigation — not after the fact.
Supreme Court Ruling — Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020)
The Supreme Court of India clarified in this landmark 2020 judgment that Section 65B certificates are mandatory for electronic evidence admissibility and cannot be replaced by oral testimony. This makes proper evidence collection and certification by a qualified forensics professional essential in any matter that may go to court.
The Forensic Investigation Process
Phase 1: Identification
Define the scope of the investigation. Identify which systems, devices, accounts, or data sources are relevant to the investigation. Understand the legal and business objectives — what questions does the investigation need to answer? Engage legal counsel before beginning to ensure the investigation is properly framed and legally privileged if required.
Phase 2: Preservation (Chain of Custody)
Preserve all potentially relevant evidence before it is altered, overwritten, or destroyed. This includes:
- Creating forensic images (bit-for-bit copies) of storage devices using write blockers to prevent any modification of original evidence
- Capturing memory dumps from live systems before shutdown
- Collecting and preserving log files, making copies of cloud audit logs
- Documenting the chain of custody — who collected what evidence, when, how, and where it was stored
- Using cryptographic hashing (MD5/SHA-256) to verify the integrity of evidence copies
Chain of custody is critical. Any break in the chain — a missing signature, an undocumented handover, a non-write-blocked device — can undermine the admissibility and credibility of the evidence in legal proceedings.
Phase 3: Extraction
Extract relevant data from the forensic images and collected evidence. This includes recovering deleted files, parsing log formats, extracting browser history, recovering email artifacts, decoding chat application databases, and reconstructing file access timelines.
Phase 4: Analysis
Analyse the extracted data to answer the investigation’s key questions. In an incident investigation, this involves:
- Establishing the timeline of events (who did what, when, in what sequence)
- Identifying indicators of compromise (IoCs) — malicious files, IP addresses, domains, registry keys
- Tracing the attacker’s lateral movement path
- Determining what data was accessed, copied, or exfiltrated
- Identifying the root cause of the incident
Phase 5: Reporting
Produce a forensic investigation report that documents findings clearly and completely. A good forensic report includes:
- Executive summary of findings and their business impact
- Methodology and tools used
- Detailed technical findings with evidence references
- Timeline reconstruction
- Conclusions and opinions supported by evidence
- Appendices with evidence inventory, chain of custody records, and technical artefacts
Phase 6: Expert Testimony
In legal proceedings, the forensic examiner may be called as an expert witness to explain findings to a court, tribunal, or regulatory body. A credible forensics professional should be able to clearly explain complex technical findings in terms accessible to judges and laypersons, and withstand cross-examination on methodology.
Key Digital Forensics Tools
| Tool | Type | Primary Use |
|---|---|---|
| FTK (Forensic Toolkit) | Commercial | Disk imaging, file system analysis, email parsing, case management |
| Autopsy | Open Source | Disk analysis, timeline generation, keyword search, artefact parsing |
| Volatility | Open Source | Memory forensics — process analysis, network connections, malware detection in RAM |
| Wireshark | Open Source | Network traffic capture and analysis, protocol dissection |
| Cellebrite UFED | Commercial | Mobile device extraction — iPhone, Android, locked devices |
| X-Ways Forensics | Commercial | Advanced disk forensics, evidence processing, efficient triage |
| AXIOM (Magnet Forensics) | Commercial | Unified platform — computer, cloud, and mobile forensics |
| Eric Zimmerman Tools | Open Source | Windows artefact parsing — prefetch, registry, event logs, LNK files |
CERT-In Reporting Obligations During Cyber Incidents
India’s CERT-In (Computer Emergency Response Team India) issued mandatory reporting directions in April 2022 (MeitY notification), requiring organisations to report certain cyber incidents within 6 hours of becoming aware of them. Incidents requiring mandatory reporting include:
- Ransomware attacks
- Data breaches involving personal data
- Attacks on critical information infrastructure
- Targeted attacks against government organisations
- Phishing attacks impersonating government or financial institutions
Forensic investigations generate the evidence and documentation needed to file accurate CERT-In reports and fulfil follow-up RCA (Root Cause Analysis) reporting requirements within 21 days.
Cost of Digital Forensics Services in India
| Engagement Type | Typical Cost in India | Timeline |
|---|---|---|
| Incident response + forensic investigation (ransomware) | ₹3 lakh – ₹15 lakh | 1–4 weeks |
| Employee misconduct investigation | ₹1 lakh – ₹5 lakh | 1–3 weeks |
| Mobile device forensics | ₹50,000 – ₹2 lakh per device | 3–10 business days |
| Network forensics (full PCAP analysis) | ₹2 lakh – ₹8 lakh | 1–3 weeks |
| Expert witness / court testimony | ₹1 lakh – ₹5 lakh | As required |
How MDIT Services Conducts Forensic Investigations
MDIT Services’ Digital Forensics and Incident Response (DFIR) team has conducted forensic investigations across data breaches, ransomware incidents, employee fraud cases, and regulatory investigations for clients in BFSI, healthcare, government, and IT sectors.
Our approach:
- Rapid response — typically on-site or remote engagement initiated within 4 hours of engagement
- Forensically sound evidence collection with full chain of custody documentation
- Section 65B certificate preparation for court-admissible evidence
- CERT-In mandatory reporting support — we help draft and submit required notifications
- Clear, business-contextual reporting for both technical and executive audiences
- Expert witness capability for Indian courts and regulatory proceedings
- Coordination with law enforcement where criminal referral is appropriate
Contact MDIT Services DFIR Team for immediate forensic assistance or to establish a forensic retainer for pre-negotiated response terms.
Emergency: +91-11-XXXX-XXXX (24×7) | Email: dfir@mditservices.in | Website: mditservices.in
