Guidance Note for Forensic Accounting and Investigation Standard No. 420 on Evidence Gathering in the Digital Domain outlines the approach for Professionals to prepare and execute work procedures when implementing the requirements of the Standard on e-gathering in the digital domain during a Forensic Accounting and Investigation (FAI) engagement. The Professional is expected to evaluate the role of digital evidence in the digital domain, determine the appropriate processes and procedures for collecting and analyzing the evidence, and consider the unique risk factors associated with e-gathering. Furthermore, the Professional must exercise judgment in determining how the digital evidence will be used in the overall engagement. The guidance note also includes examples and illustrations to assist Professionals in applying similar work procedures that are relevant to the specific circumstances of the engagement.
Digital Accounting Assurance Board
The Institute of Chartered Accountants of India
1st June, 2023
GUIDANCE NOTE FOR FORENSIC ACCOUNTING AND INVESTIGATION STANDARD NO. 420 ON EVIDENCE GATHERING IN DIGITAL DOMAIN
EXPOSURE DRAFT Approved by DAAB (On 1 June’23)
This Guidance Note provides technical clarifications and implementation guidance on how to prepare for and conduct work procedures on Forensic Accounting and Investigation Standard Number 420, on “Evidence Gathering in Digital Domain,” issued by the Institute of Chartered Accountants of India (ICAI) and should be read in conjunction with all the Standards relevant to the topic. The contents of this Guidance Note are recommendatory in nature and do not represent the official position of the ICAI. The reader is advised to apply his best Professional judgement in the application of this Guidance Note considering the relevant context and prevailing circumstances.
Page Contents
1.0 Introduction
1.1 The Forensic Accounting and Investigation Standard (FAIS) 420 on “Evidence Gathering in Digital Domain” provides guidance to the Professional for the gathering of electronic evidence in the Digital Domain, or DD for short (as defined in the Standard), ensuring that it satisfies the requirements of judicial scrutiny. DD is of volatile nature, and the evidence gathering in this domain is a continuous challenge, requiring the Professional to keep upgrading on various developments underway. The primary understanding and knowledge of the Professional of the DD and its components is assumed along with the Digital evidence as these are well introduced and defined in the Standard.
1.2 The Standard expects the Professional to recognise the need for a well-planned approach when seeking to gather evidence in the DD. The requirements of the Standard are expected to be implemented through:
(a) Having the requisite skills and an overall understanding of the Information Systems to undertake e-gathering of evidence.
(b) Conducting the e-gathering exercise in a process driven manner and following certain legal precautions and technical protocols.
(c) Undertaking some key activities, covering key elements and collecting certain important information.
(d) Taking full benefit of available tools and techniques to complete a successful e-gathering exercise.
1.3 In the Indian context, the applicable legal and regulatory environment for digital evidence and cybercrimes consists of, but not limited to:
(a) The Indian Evidence Act, 1872
(b) The Information Technology Act, 2000 revised 2008
(c) The Code of Criminal Procedure, 1973
(d) Indian Penal Code, 1860
(e) Bankers’ Book of Evidence Act, 1891
2.0 Objectives
2.1 This Guidance Note (GN) outlines the manner in which the Professional prepares and executes work procedures when implementing the requirements of the Standard on e-gathering in DD during the course of a Forensic Accounting and Investigation (FAI) engagement.
2.2 For this the Professional is expected to take the following into account:
(a) Evaluate the role of digital evidence in DD, supporting the overall FAI engagement objectives.
(b) The most appropriate process and procedures to be followed for collecting and analysing the evidence.
(c) Consider all the unique risk factors in e-gathering of the evidence and steps required to mitigate these.
2.3 Further, the Professional has to use his judgements in ensuring the type and mode in which the digital evidence will be used in the overall engagement.
2.4 The GN also provides examples and illustrations to help the Professional apply similar work procedures which may be relevant to the circumstances of the engagement.
3.0 Procedures
3.1 An organization’s information system may include
(a) Email system, file servers and databases.
(b) Enterprise Resource Planning (ERP) system.
(c) Customer Relationship Management (CRM) system.
(d) Management Information System (MIS).
(e) Financial Accounting System.
(f) Human Resource Information System.
(g) Document Management System (DMS).
(h) Learning Management System (LMS) etc.
3.2 Digital evidence refers to data or information that is acquired, stored, accessed, examined, transmitted, and used in an entity’s DD. Digital evidence may be found in the form of:
(a) Emails, instant messages in an organisation’s email system.
(b) Electronic records in ERP, CRM, MIS, Financial accounting systems etc.
(c) Computer files such as documents, spreadsheets, presentations, databases including meta data such as date and time stamps, author information, and file properties.
(d) Web browsing history, search queries, cookies collected from a computer or mobile device.
(e) Images, videos captured by surveillance cameras or other monitoring
(f) Social media posts, comments, or private messages.
(g) System logs, audit trails generated by computer systems or
3.3 The Professional may consider the following prior to conducting evidence gathering in the digital domain:
3.3.1 Understanding of Information System environment: This would include a number of steps, such as the following (indicative list):
(a) Identifying the relevant hardware and software systems, including their purpose and function in the organization’s overall IT infrastructure.
(b) Examining the network architecture, including its topology, protocols, and security features.
(c) Reviewing the organization’s policies and procedures for information security and data management, as well as any applicable regulatory
(d) Identifying the location of data storage and backups, and the procedures for accessing and securing that data.
(e) Reviewing the organization’s incident response and business continuity plans.
(f) Identifying any third-party providers involved in the organization’s IT infrastructure and understanding their role in the overall system.
3.3.2 Understanding risk factors: The following risks may be involved in e-gathering of evidence, which would require appropriate mitigation steps (indicative list):
(a) Technical risks such as data corruption, incomplete data collection, inaccurate data analysis, and errors in data conversion.
(b) Legal risks such as violation of data protection laws, non-compliance with data collection requests, and inadvertent disclosure of privileged
(c) Human risks such as errors in data collection or analysis, breach of confidentiality, and intentional destruction of evidence.
3.3.3 Defining a timeline for E-gathering: The timeline for e-gathering may vary depending on the size and complexity of the data involved, the scope of the request, and the urgency of the investigation.
3.3.4 Use of experts and appropriate tools: The Professional would assess the resources needed for e-gathering, including the availability of specialized software tools and experts if appropriate.
3.4 Use of Documented, laid down procedure: The Professional may conduct the e-gathering procedures, which are documented in writing to ensure consistency and accuracy. The documented process may stipulate technical as well as regulatory considerations for e-gathering of evidence.
3.5 Technical considerations for e-gathering:
(a) Data Collection and Preservation: Use of specialized software tools to preserve and collect data from computers, servers, mobile devices, and other digital devices in the digital domain. This includes preserving metadata such as date and time stamps, file size, and file format, and maintaining the integrity of data throughout the e-gathering process.
(b) Data Processing: Filtering out irrelevant data, converting data to a usable format and indexing the data to facilitate searching and review using software tools.
(c) Data Analysis: Use of specialized software tools to identify patterns, trends, and anomalies in the data.
(d) Encryption: Use of Industry-standard encryption techniques such to protect sensitive data during transmission and storage and implementing secure key management practices.
(e) Data Storage: Storing data on secure, redundant storage media and implementing data retention and deletion policies.
(f) Quality Control: Ensure quality control checks in e-gathering process to ensure the accuracy and reliability of the data.
(g) Search and Review: Use of software tools to search for relevant information and review the data for relevance and privilege.
3.6 Relevant regulatory considerations for e-gathering process:
(a) Rules of Evidence: Compliance with rules of evidence required as per court of law.
(b) Chain of Custody Requirements: Compliance with chain of custody requires a detailed record of the movement of evidence through the e-gathering process to ensure that the evidence is admissible in
(c) Confidentiality Agreements: Compliance with confidentiality agreements, which may be required to protect the confidentiality of sensitive information during the e-gathering process.
(d) Data Protection Laws: Compliance with data protection laws which require that personal data be collected and processed lawfully and transparently.
(e) Privacy Laws: Compliance with privacy laws which require that data be protected from unauthorized access and disclosure.
(f) Data Retention Laws: Compliance with data retention laws, which require that data be retained for a specified period.
(g) Preservation Orders: Compliance with preservation orders, which require that evidence be preserved pending the outcome of legal
(h) Search Warrants: Compliance with search warrants, which may be required for the collection of certain types of evidence, such as email or social media data.
(i) Summons: Compliance with summons, which may be required for the production of certain types of evidence, such as financial records or corporate emails.
4.0 Explanations with Examples
4.1 An illustrative description of evidence gathering process in the DD is as follows:
| 1 | Identify Data Source |
|
| 2 | Data Preservation |
|
| 3 | Data Collection |
|
| 4 | Data Processing |
|
| 5 | Data Review and Analysis |
|
| 6 | Presentation/ Reporting |
|
5.0 Annexures
5.1 Annexure 1 – Authorization Letter
To,
XYZ
DD-MM-YYYY
Sub: Authorized personnel to collect, remove, image and analyse hard disk on behalf of M/s ABC
Dear Sir,
I, XYZ is hereby authorizing OPC Associate at ABC to collect, remove, image and analyse the hard disk on behalf of M/s XYZ
Enclosed a copy of my company ID and I take the responsibility for delivery and safety of the collected disk to the organisation.
Thank you
Authorized personal
Company Stamp:
5.2 Annexure 2 – Backup Details (illustrative)
XYZ
Digital
Forensic –
Hard Disk
| Actual | Imaged | |||||
| Capacity | Used Space | Free Space | Capacity | Used Space | Free Space | |
| Local Disk ( C ) | 98.6GB | 54.6GB | 43.9GB | 98.6GB | 54.7GB | 43.9GB |
| Local Disk ( D ) | 376GB | 0GB | 376GB | 376GB | 0GB | 376GB |
| Local Disk ( E ) | 499MB | 37MB | 462MB | 499MB | 3MB | 496MB |
| System Reserved (H) | – | – | – | 907MB | 554MB | 353MB |
Recovered deleted files 4622 items
Recovered deleted size 4.75 GB
5.3 Annexure 3 – Digital Evidence Collection Form
5.4 Annexure 4 – Email Format Investigation Details
To
The Manager
ABC Company.
ISP Division: City name/District name
Subject: Request to furnish the details about the IP Address.
5HIeren{e {rHm FnuLPHr QXEH…
With Reference to above citated subject, the undersigned is investigating officer of the XXX case mentioned above, for the purpose of investigation, details of the suXs{riFer’sEanU his/hDrQpGysi{L\ addresU detai\s LrF rOq iDeG as Her the Ge\ow mentioned above IP Address.
| IP Address | Access date | Access time |
Please treat the matter as most urgent
Regards Signature/Seal details
