Case Study · Digital Forensics & Expert Witness
Email Spoofing Forensics, Section 65B Certification, and Expert Witness Testimony in a ₹18Cr Commercial Fraud Dispute
Engagement Background
The Situation When We Were Engaged
A Hyderabad commodities trading company discovered that ₹18 crore in payments had been redirected to a fraudulent bank account over a six-month period. The company’s former business partner was suspected of operating a business email compromise scheme — intercepting genuine email communications and substituting fraudulent payment instructions with lookalike email addresses.
The opposing party denied involvement and claimed all emails were genuine — asserting the payment instructions were authentic and the company had simply made errors in its payment process. The entire dispute turned on the authenticity of the email communications: were the payment instruction emails genuine communications from the business partner, or were they spoofed and intercepted?
SIRI Law LLP was engaged to conduct forensic analysis of the email chain, obtain Section 65B certificates for all digital evidence, and provide expert witness testimony before the High Court on the technical findings. The forensic analysis would determine whether the emails were genuine or spoofed — and the outcome of the ₹18 crore dispute depended on it.
Client Profile
Assessment Scope
Forensic Email Analysis, Section 65B Certification, and Expert Witness
Email Header Forensics
Forensic analysis of full email headers — SMTP relay path, SPF/DKIM/DMARC authentication results, originating IP geolocation, send timestamps, and message-ID chain analysis across 340 emails spanning 6 months.
Section 65B Certification
Indian Evidence Act Section 65B certificates prepared by a qualified person for all digital evidence: email exports, server logs, device forensic images, and wire transfer confirmation records. Certificate chain maintained for admissibility.
Expert Witness Testimony
Expert witness report prepared in court-compliant format. Cross-examination preparation. Testimony before the High Court on email authentication, spoofing mechanics, and the technical basis for the forensic findings. Opposing technical evidence rebutted.
Key Findings
What We Found
Each finding documented with evidence. Root cause and remediation guidance provided for every item.
Forensic analysis revealed that a lookalike domain — differing from the genuine partner domain by a single character — had been registered 7 months before the first fraudulent payment instruction. WHOIS records, DNS history, and registration metadata traced the lookalike domain to infrastructure consistent with the opposing party’s known IP allocation. All 14 fraudulent payment instruction emails originated from this lookalike domain.
Genuine emails from the business partner’s domain passed SPF, DKIM, and DMARC authentication. All 14 fraudulent payment instruction emails failed SPF authentication — originating from IP addresses not authorised to send on behalf of the claimed sender domain. This technical distinction — invisible to a non-forensic reader of the email — proved the emails were not sent from the genuine partner’s mail infrastructure.
Mobile device forensic analysis (pursuant to court order) of a device associated with the opposing party revealed browser history accessing the lookalike domain’s mail interface, and DNS queries consistent with managing the lookalike domain’s mail server configuration. This evidence directly connected the opposing party to the operation of the fraudulent email infrastructure.
The opposing party produced an email archive in discovery that was forensically incomplete — 14 wire transfer confirmation emails that should appear in a genuine business email archive were absent. Metadata analysis of the archive export revealed selective deletion prior to export. The pattern of deletions aligned precisely with the fraudulent payment confirmation dates.
Engagement Timeline
Phase-by-Phase Execution
Evidence Preservation and Section 65B Chain
Immediate forensic imaging of client’s email server (on-premises) and email client devices. Section 65B certificate chain established at point of imaging — chain of custody documentation, hash verification, and qualified person certification. 340 emails spanning 6 months preserved and authenticated.
Email Header and Authentication Analysis
Full header analysis across all 340 emails. SPF/DKIM/DMARC authentication results extracted and tabulated. SMTP relay path mapping. Originating IP geolocation — fraudulent emails traced to a VPS provider in Eastern Europe consistent with the lookalike domain’s mail server. Timeline reconstruction of genuine vs fraudulent email sequences.
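The tabulation step described above can be sketched as follows. This is an added example, not code or evidence from the engagement: it extracts SPF/DKIM/DMARC verdicts from each message's Authentication-Results header and flags sender domains that differ from the genuine domain by a single character. The domain names, the authserv-id and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "partner-trading.example"  # assumed placeholder for the genuine partner domain
TRUSTED_AUTHSERV = "mx.client.example"      # assumed authserv-id of the recipient's own mail server
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

# Constructed sample messages for illustration; not evidence from the case.
SAMPLES = [
    "From: Accounts <accounts@partner-trading.example>\nMessage-ID: <m1@partner-trading.example>\n"
    "Authentication-Results: mx.client.example; spf=pass smtp.mailfrom=partner-trading.example;"
    " dkim=pass header.d=partner-trading.example; dmarc=pass\n\nInvoice attached.\n",
    "From: Accounts <accounts@partner-tradinq.example>\nMessage-ID: <m2@partner-tradinq.example>\n"
    "Authentication-Results: mx.client.example; spf=fail smtp.mailfrom=partner-tradinq.example;"
    " dkim=none; dmarc=none\n\nUpdated bank details.\n",
    "From: Accounts <accounts@partner-tradinq.example>\nMessage-ID: <m3@partner-tradinq.example>\n"
    "Authentication-Results: mail.untrusted.example; spf=pass\n\nReminder.\n",
]

def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing character (in both strings if equal length) and compare the tails.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def analyse(raw):
    """Return one table row: auth verdicts, From domain and lookalike flag for a raw message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = header.partition(";")
        # Only trust verdicts stamped by our own receiving server; others may be sender-supplied.
        if authserv.lower().split()[:1] == [TRUSTED_AUTHSERV]:
            results.update(AUTH_RE.findall(body.lower()))
    row = {m: results.get(m, "absent") for m in ("spf", "dkim", "dmarc")}
    row.update(message_id=msg.get("Message-ID", ""), from_domain=domain,
               lookalike=within_one_edit(domain, TRUSTED_DOMAIN))
    return row

if __name__ == "__main__":
    for raw in SAMPLES:
        print(analyse(raw))
```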
Domain Registration and Infrastructure Forensics
Lookalike domain registration history, WHOIS records, DNS history, and hosting infrastructure documented. Historical DNS records showing mail server configuration timeline. Correlation between lookalike domain mail server IP and other infrastructure associated with the opposing party.
Expert Witness Report and High Court Testimony
Expert witness report prepared: technical findings, methodology, standards applied (RFC 5321, RFC 7208, RFC 6376), and conclusions stated in court-accessible language. Cross-examination preparation with lead counsel. Testimony given before High Court — opposing technical expert’s evidence rebutted on three specific technical grounds. Evidence admitted and findings accepted by court.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
Section 65B — Admissibility of Digital Evidence
Without a compliant Section 65B certificate from a qualified person, electronic evidence is inadmissible in Indian courts under the Indian Evidence Act. The entire forensic case depended on proper Section 65B certification — an error in the certification process would have rendered the email evidence inadmissible and collapsed the case.
Expert Witness — Qualification and Independence
Indian courts require expert witnesses to be independent and qualified. SIRI Law LLP’s forensic experts hold CFCE, EnCE, and CEH certifications and have prior court testimony experience. The expert report was prepared to meet the Supreme Court’s standards for expert evidence — methodology, independence, and conclusions clearly stated.
IT Act Section 66C — Identity Theft via Electronic Means
The lookalike domain scheme — impersonating the business partner’s email identity to redirect payments — constitutes identity theft via electronic means under IT Act Section 66C. The forensic evidence supported a parallel criminal complaint to the cybercrime cell, creating criminal proceedings alongside the civil High Court dispute.
IPC Section 420 — Cheating and Dishonesty
The fraudulent payment instructions — causing the company to transfer ₹18 crore to a fraudulent account — constitute cheating under IPC Section 420. The forensic evidence establishing the email spoofing mechanism and the connection to the opposing party provided the evidentiary foundation for the criminal complaint alongside the civil proceedings.
Outcomes & Remediation
What Changed After Our Assessment
Digital Evidence Admitted — Section 65B Certification Upheld
All forensic evidence admitted by the High Court without objection to the Section 65B certificates. Opposing party’s challenge to the certification process dismissed. Forensic methodology accepted by court as sound.
Expert Witness Testimony Accepted — Spoofing Mechanism Established
Expert witness testimony accepted by court. The technical mechanism of email domain spoofing, SPF/DKIM/DMARC failure, and the lookalike domain operation established as proved facts. Opposing technical evidence rebutted successfully.
Interim Injunction — Asset Freezing Order Obtained
Based on forensic evidence, the court granted an interim injunction freezing the opposing party’s bank accounts and property pending final hearing. Asset preservation prevented dissipation of recoverable assets.
Criminal Complaint — Cybercrime Cell Investigation Initiated
Parallel criminal complaint filed with cybercrime cell supported by forensic evidence package. Section 65B certificates filed with the complaint. FIR registered under IT Act Section 66C and IPC Section 420. Investigation ongoing.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Section 65B certification by qualified persons — admissibility guaranteed
Court-experienced expert witnesses — prior High Court testimony
Civil + criminal parallel proceedings — legal and forensic team in one
Email forensics + legal argument combined — we write the report and argue the case
Director GRC & Legal — Adv. Chetan Seripally

