Guidance Note for Forensic Accounting and Investigation Standard No. 420 on Evidence Gathering in the Digital Domain outlines the approach for Professionals to prepare and execute work procedures when implementing the requirements of the Standard on e-gathering in the digital domain during a Forensic Accounting and Investigation (FAI) engagement. The Professional is expected to evaluate the role of digital evidence in the digital domain, determine the appropriate processes and procedures for collecting and analyzing the evidence, and consider the unique risk factors associated with e-gathering. Furthermore, the Professional must exercise judgment in determining how the digital evidence will be used in the overall engagement. The guidance note also includes examples and illustrations to assist Professionals in applying similar work procedures that are relevant to the specific circumstances of the engagement.

Digital Accounting Assurance Board
The Institute of Chartered Accountants of India
1st June, 2023


EXPOSURE DRAFT Approved by DAAB (On 1 June’23)

This Guidance Note provides technical clarifications and implementation guidance on how to prepare for and conduct work procedures on Forensic Accounting and Investigation Standard Number 420, on “Evidence Gathering in Digital Domain,” issued by the Institute of Chartered Accountants of India (ICAI) and should be read in conjunction with all the Standards relevant to the topic. The contents of this Guidance Note are recommendatory in nature and do not represent the official position of the ICAI. The reader is advised to apply his best Professional judgement in the application of this Guidance Note considering the relevant context and prevailing circumstances.

1.0 Introduction

1.1 The Forensic Accounting and Investigation Standard (FAIS) 420 on “Evidence Gathering in Digital Domain” provides guidance to the Professional for the gathering of electronic evidence in the Digital Domain, or DD for short (as defined in the Standard), ensuring that it satisfies the requirements of judicial scrutiny. DD is of volatile nature, and the evidence gathering in this domain is a continuous challenge, requiring the Professional to keep upgrading on various developments underway. The primary understanding and knowledge of the Professional of the DD and its components is assumed along with the Digital evidence as these are well introduced and defined in the Standard.

1.2 The Standard expects the Professional to recognise the need for a well-planned approach when seeking to gather evidence in the DD. The requirements of the Standard are expected to be implemented through:

(a) Having the requisite skills and an overall understanding of the Information Systems to undertake e-gathering of evidence.

(b) Conducting the e-gathering exercise in a process driven manner and following certain legal precautions and technical protocols.

(c) Undertaking some key activities, covering key elements and collecting certain important information.

(d) Taking full benefit of available tools and techniques to complete a successful e-gathering exercise.

1.3 In the Indian context, the applicable legal and regulatory environment for digital evidence and cybercrimes consists of, but not limited to:

(a) The Indian Evidence Act, 1872

(b) The Information Technology Act, 2000 revised 2008

(c) The Code of Criminal Procedure, 1973

(d) Indian Penal Code, 1860

(e) Bankers’ Book of Evidence Act, 1891

2.0 Objectives

2.1 This Guidance Note (GN) outlines the manner in which the Professional prepares and executes work procedures when implementing the requirements of the Standard on e-gathering in DD during the course of a Forensic Accounting and Investigation (FAI) engagement.

2.2 For this the Professional is expected to take the following into account:

(a) Evaluate the role of digital evidence in DD, supporting the overall FAI engagement objectives.

(b) The most appropriate process and procedures to be followed for collecting and analysing the evidence.

(c) Consider all the unique risk factors in e-gathering of the evidence and steps required to mitigate these.

 2.3 Further, the Professional has to use his judgements in ensuring the type and mode in which the digital evidence will be used in the overall engagement.

2.4 The GN also provides examples and illustrations to help the Professional apply similar work procedures which may be relevant to the circumstances of the engagement.

3.0 Procedures

3.1 An organization’s information system may include

(a) Email system, file servers and databases.

(b) Enterprise Resource Planning (ERP) system.

(c) Customer Relationship Management (CRM) system.

(d) Management Information System (MIS).

(e) Financial Accounting System.

(f) Human Resource Information System.

(g) Document Management System (DMS).

(h) Learning Management System (LMS) etc.

3.2 Digital evidence refers to data or information that is acquired, stored, accessed, examined, transmitted, and used in an entity’s DD. Digital evidence may be found in the form of:

(a) Emails, instant messages in an organisation’s email system.

(b) Electronic records in ERP, CRM, MIS, Financial accounting systems etc.

(c) Computer files such as documents, spreadsheets, presentations, databases including meta data such as date and time stamps, author information, and file properties.

(d) Web browsing history, search queries, cookies collected from a computer or mobile device.

(e) Images, videos captured by surveillance cameras or other monitoring

(f) Social media posts, comments, or private messages.

(g) System logs, audit trails generated by computer systems or

3.3 The Professional may consider the following prior to conducting evidence gathering in the digital domain:

3.3.1 Understanding of Information System environment: This would include a number of steps, such as the following (indicative list):

(a) Identifying the relevant hardware and software systems, including their purpose and function in the organization’s overall IT infrastructure.

(b) Examining the network architecture, including its topology, protocols, and security features.

(c) Reviewing the organization’s policies and procedures for information security and data management, as well as any applicable regulatory

(d) Identifying the location of data storage and backups, and the procedures for accessing and securing that data.

(e) Reviewing the organization’s incident response and business continuity plans.

(f) Identifying any third-party providers involved in the organization’s IT infrastructure and understanding their role in the overall system.

3.3.2 Understanding risk factors: The following risks may be involved in e-gathering of evidence, which would require appropriate mitigation steps (indicative list):

(a) Technical risks such as data corruption, incomplete data collection, inaccurate data analysis, and errors in data conversion.

(b) Legal risks such as violation of data protection laws, non-compliance with data collection requests, and inadvertent disclosure of privileged

(c) Human risks such as errors in data collection or analysis, breach of confidentiality, and intentional destruction of evidence.

3.3.3 Defining a timeline for E-gathering: The timeline for e-gathering may vary depending on the size and complexity of the data involved, the scope of the request, and the urgency of the investigation.

3.3.4 Use of experts and appropriate tools: The Professional would assess the resources needed for e-gathering, including the availability of specialized software tools and experts if appropriate.

3.4 Use of Documented, laid down procedure: The Professional may conduct the e-gathering procedures, which are documented in writing to ensure consistency and accuracy. The documented process may stipulate technical as well as regulatory considerations for e-gathering of evidence.

3.5 Technical considerations for e-gathering:

(a) Data Collection and Preservation: Use of specialized software tools to preserve and collect data from computers, servers, mobile devices, and other digital devices in the digital domain. This includes preserving metadata such as date and time stamps, file size, and file format, and maintaining the integrity of data throughout the e-gathering process.

(b) Data Processing: Filtering out irrelevant data, converting data to a usable format and indexing the data to facilitate searching and review using software tools.

(c) Data Analysis: Use of specialized software tools to identify patterns, trends, and anomalies in the data.

(d) Encryption: Use of Industry-standard encryption techniques such to protect sensitive data during transmission and storage and implementing secure key management practices.

(e) Data Storage: Storing data on secure, redundant storage media and implementing data retention and deletion policies.

(f) Quality Control: Ensure quality control checks in e-gathering process to ensure the accuracy and reliability of the data.

(g) Search and Review: Use of software tools to search for relevant information and review the data for relevance and privilege.

3.6 Relevant regulatory considerations for e-gathering process:

(a) Rules of Evidence: Compliance with rules of evidence required as per court of law.

(b) Chain of Custody Requirements: Compliance with chain of custody requires a detailed record of the movement of evidence through the e-gathering process to ensure that the evidence is admissible in

(c) Confidentiality Agreements: Compliance with confidentiality agreements, which may be required to protect the confidentiality of sensitive information during the e-gathering process.

(d) Data Protection Laws: Compliance with data protection laws which require that personal data be collected and processed lawfully and transparently.

(e) Privacy Laws: Compliance with privacy laws which require that data be protected from unauthorized access and disclosure.

(f) Data Retention Laws: Compliance with data retention laws, which require that data be retained for a specified period.

(g) Preservation Orders: Compliance with preservation orders, which require that evidence be preserved pending the outcome of legal

(h) Search Warrants: Compliance with search warrants, which may be required for the collection of certain types of evidence, such as email or social media data.

(i) Summons: Compliance with summons, which may be required for the production of certain types of evidence, such as financial records or corporate emails.

4.0 Explanations with Examples

4.1 An illustrative description of evidence gathering process in the DD is as follows:

1 Identify Data Source
  • Identify data sources from the digital domain such as laptops, mobile phones, server data etc.
  • Identify relevant custodians, date range of data to be collected.
2 Data Preservation
  • Prevent any loss or alteration of data in the digital domain
  • It may involve creating a copy of the data or implementing legal holds to prevent destruction of any relevant data
3 Data Collection
  • Use of specialised software to collect digital evidence/footprints from various sources while maintaining its integrity.
4 Data Processing
  • Filtering out relevant data, and converting data into a usable format
  • Indexing the data to facilitate searching and review.
5 Data Review and Analysis
  • Review of data by human expert for relevance, privilege and confidentiality.
  • Categorising of data for further analysis to identify patterns, trends and anomalies
  • Use of data analysis techniques such as keyword searching, data visualisation and statistical analysis to identify relevant facts.
6 Presentation/ Reporting
  • Preparation of fact-finding report and production of data in a format that is admissible in court
  • Expert Testimony, as required

5.0 Annexures

5.1 Annexure 1 – Authorization Letter




Sub: Authorized personnel to collect, remove, image and analyse hard disk on behalf of M/s ABC

Dear Sir,

I, XYZ is hereby authorizing OPC Associate at ABC to collect, remove, image and analyse the hard disk on behalf of M/s XYZ

Enclosed a copy of my company ID and I take the responsibility for delivery and safety of the collected disk to the organisation.

Thank you

Authorized personal

Company Stamp:

5.2 Annexure 2 – Backup Details (illustrative)

Forensic –
Hard Disk

Actual Imaged
Capacity Used Space Free Space Capacity Used Space Free Space
Local Disk ( C ) 98.6GB 54.6GB 43.9GB 98.6GB 54.7GB 43.9GB
Local Disk ( D ) 376GB 0GB 376GB 376GB 0GB 376GB
Local Disk ( E ) 499MB 37MB 462MB 499MB 3MB 496MB
System Reserved (H) 907MB 554MB 353MB

Recovered deleted files    4622 items

Recovered deleted size  4.75 GB

5.3 Annexure 3 – Digital Evidence Collection Form

5.4 Annexure 4 – Email Format Investigation Details


The Manager

ABC Company.

ISP Division: City name/District name

Subject: Request to furnish the details about the IP Address.

5HIeren{e {rHm FnuLPHr QXEH…

With Reference to above citated subject, the undersigned is investigating officer of the XXX case mentioned above, for the purpose of investigation, details of the suXs{riFer’sEanU his/hDrQpGysi{L\ addresU detai\s LrF rOq iDeG as Her the Ge\ow mentioned above IP Address.

IP Address Access date Access time

Please treat the matter as most urgent

Regards Signature/Seal details

Join Taxguru’s Network for Latest updates on Income Tax, GST, Company Law, Corporate Laws and other related subjects.

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Whatsapp

taxguru on whatsapp GROUP LINK

Join us on Telegram

taxguru on telegram GROUP LINK

Download our App


More Under CA, CS, CMA

Leave a Comment

Your email address will not be published. Required fields are marked *

Search Posts by Date

October 2023