BNS 2023 Cyber Provisions and BSA 2023 Electronic Evidence

BNS structures offences by harm, not by medium. There is no chapter titled "Cyber Offences" because the drafters chose to fold cyber-relevant fact patterns into the general offence sections by either expanding the definition or expressly mentioning the electronic mode. Stalking under Section 78 names "monitoring the use by a woman of the internet, email or any other form of electronic communication" as a mode of the offence. Cheating under Section 318 captures any dishonest inducement, which covers OTP fraud, online cheating and pig-butchering without a special section. Forgery under Sections 336 to 338 applies to electronic records because BSA expanded the "document" definition to expressly include electronic records.

The investigative consequence is that an examiner whose work supports a cyber chargesheet should expect questions on both layers. The defence will challenge the IT Act provision on technical grounds (was a computer resource actually used? Was the credential actually impersonated?) and the BNS provision on classical grounds (was there dishonest inducement? Was there intent to cause harm?). The artifact set has to support both attacks.

Offences can be sorted into three categories. Some are IT Act only because they require a computer resource by definition (cyber terrorism under Section 66F is the cleanest example). Some are BNS only because the medium is incidental (a defamation on paper and a defamation on Twitter both sit under BNS Section 354). Most cyber FIRs sit in the third bucket where both apply, and the prosecution charges both.

The investigative practice is that the IO drafts the FIR with the IT Act sections, the local court (the JMFC for cyber crimes in most states, or a designated cyber court where one exists) takes cognisance, and the FSL or state cyber cell examiner is asked for opinion on both layers in the chargesheet. Section 39 BSA is what authorises the examiner to give expert opinion on the electronic evidence; the underlying offences then sit on a mix of IT Act and BNS sections.

Section 63 BSA is the rule that decides whether a screenshot, a CDR printout, a server-log export, or a forensic image is admitted at trial. The substance is materially the same as IEA Section 65B. The provision says that any copy or output of an electronic record produced from a "computer system" is admissible only if it is accompanied by a certificate that identifies the electronic record, describes the manner of its production, particulars of the device involved, and is signed by a person occupying a responsible official position in relation to the operation of the relevant device.

1. Identify the electronic record
   Name the file, log, message or image. State the format (PDF, CSV, EML, raw forensic image, hash value). Attach the record itself or refer to the exhibit list.
2. Describe production manner
   Was the record exported from a server, captured from a mobile, imaged from a disk? Name the tool (e.g. FTK Imager 4.7.1, Cellebrite UFED 4PC 7.62, dd 8.32), the command or workflow, and the output path.
3. Particulars of the device
   Make, model, serial number or unique identifier of the device that produced or stored the record. For server-side records, the hostname, IP and the role of the system.
4. Operating conditions
   State that the device was operating ordinarily during the relevant period, or where it was not, describe the deviation. The 'computer system' was used regularly to store or process information of that kind.
5. Person responsible
   Name and designation of a person occupying a responsible official position in relation to the operation of the relevant device. The signatory must be in a position to depose on the device's regular operation.
6. Sign and date
   Date the certificate to the time of production, not earlier. Late certificates have survived where Anvar PV principles are met; certificates antedated to before the record was produced are routinely rejected.

The "computer system" definition in BSA is broader than the original IEA definition. It includes any data processing device or system, which means a smartphone, a tablet, a network switch, a CCTV DVR and a vehicle telematics unit all qualify. This matters because the certificate is required for any output from any of these devices, not just for outputs from desktop or server machines.

Three Supreme Court judgments define the current certificate jurisprudence.

Anvar P V v P K Basheer (2014)

A three-judge bench of the Supreme Court held that any electronic record produced as secondary evidence must be accompanied by a Section 65B IEA certificate. The judgment overruled the earlier State (NCT of Delhi) v Navjot Sandhu line that had treated 65B as one of multiple routes to admit electronic evidence. After Anvar, the certificate became the only route for secondary electronic evidence. The proposition transfers cleanly onto Section 63 BSA.

Shafhi Mohammad v State of HP (2018)

A two-judge bench held that the certificate requirement could be relaxed where the party producing the record was not in possession of the device that produced it. The decision was widely cited for the proposition that a strict certificate rule could defeat justice in cases where the device belonged to a third party (a telecom operator, a social media platform).

Arjun Pandit Rao Khotkar v Kailash Kushanrao Gorantyal (2020)

A three-judge bench of the Supreme Court overruled Shafhi Mohammad and restored Anvar P V as the settled rule. The certificate is mandatory. Where the party producing the record cannot itself sign the certificate (because the device belongs to a third party), the party must apply to the court for production of the certificate from the third party under Section 165 IEA, now Section 168 BSA. The certificate must accompany the electronic record at the time it is produced; a certificate filed later is admissible only if the court permits the late filing on cause shown.

The Section 63 BSA certificate is a legal document, but its credibility rests on the technical record an examiner builds at the time of acquisition. The standard discipline is to acquire a forensic image with a tool that produces a verified hash, store the source hash and the image hash side by side, and document every subsequent operation against the image (not the original). The hash chain is what tells the trial court that the bit-for-bit copy analysed at the FSL is the bit-for-bit copy seized at the scene.

This work overlaps directly with the chain-of-custody discipline covered in Chain of Custody and with the acquisition discipline in Digital First Responder: Volatility, Seizure, Imaging. The hash chain is the technical record; the seizure and forwarding memos are the procedural record; the Section 63 BSA certificate is the courtroom-facing document that pulls both together.

Section 39 BSA is the provision under which the examiner is admitted as an expert and the report is admitted as evidence of the opinion stated. The cross-examination then probes the expert's qualifications, the methods used, the chain of custody, and the limits of the opinion. A digital forensic expert in an Indian trial court should expect a recognisable script.

• Qualifications. Degree, institution, additional certifications (CHFI, EnCE, GCFA), years of practice, number of similar cases handled. Have a one-page CV ready to be marked as an exhibit.
• Tool validation. The make, model and version of the tool used, the testing the tool has undergone (NIST CFTT references where relevant), the limits of the tool, the alternative tools considered.
• Chain of custody. Every link from seizure to analysis. The examiner must be able to identify each handoff, the signatures and the seals, and confirm that the artifact analysed is the artifact seized.
• Hash chain. The hash at each step. The defence will ask whether any hash differed and what was done about it.
• Scope of opinion. The expert can speak to what the data shows, not to who put it there. Attribution of an act to a person is for the court to infer from the data combined with other evidence.
• Limits of the method. What the analysis cannot tell. An examiner who acknowledges limits on direct examination is harder to corner on cross than one who overclaims.

A clean Section 63 BSA certificate, a documented hash chain, and a report that distinguishes observation from inference together provide the foundation for withstanding cross-examination. Section 39 BSA governs expert depositions across forensic disciplines, but electronic evidence is where the documentary record is most explicit and the cross-examination most technically demanding.