Blog Details

Introduction

Most corporate evidence no longer lives on a hard drive in an office. It lives in the cloud — in Microsoft 365 mailboxes and SharePoint sites, in Google Workspace, in AWS storage and logs. When a dispute, investigation or regulatory request arises, someone exports the relevant data and hands it over. But an export is only useful in court if you can show where it came from and that it has not changed since. That is the job of a cloud evidence collection certificate: a document that records the provider, the account, the collection method and the cryptographic hash of every exported object. This article explains what such a certificate should contain and how e-Dex (formerly Hash Calculator) helps you produce one after the export is done.

Why Cloud Data Needs Its Own Certificate

Cloud data is not handled like a seized laptop. There is no physical device to image; instead, an administrator or investigator runs an export and downloads a package of files. That creates two questions a court will want answered: which exact account and service produced the data, and how do we know the downloaded copy matches what the provider released? In India, exported cloud records are electronic records like any other, so they generally need the certificate required under Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 (the successor to Section 65B of the Indian Evidence Act). A cloud evidence collection certificate answers both questions in one place.

What the Certificate Documents

A good cloud evidence collection certificate captures the particulars of the collection so the export can be traced back to its source. In practice that means:

Provider and service — for example Microsoft 365 (Exchange Online, SharePoint or OneDrive), Google Workspace, or a specific AWS account and region.
Account or tenant — the mailbox, custodian, tenant ID or bucket the data came from.
Collection method and tool — Microsoft Purview eDiscovery export, Google Vault, an admin console download, or a documented API / native export.
Collection window — the date range or query used, and when the export was run.
Custodian / operator — who performed the collection.
Exported objects and hashes — an itemised list of the downloaded files with their cryptographic fingerprints.

e-Dex Certifies the Export — It Does Not Touch the Cloud

This is the important boundary. e-Dex does not connect to Microsoft 365, Google Workspace or AWS, and it does not perform the collection. You run the export yourself, using the provider's own trusted tooling — Purview, Vault, the admin console or an API. Once the package is on your machine, you point e-Dex at the downloaded files. e-Dex then hashes those objects and records the collection particulars you supply, producing a certificate after the fact. Keeping the tool outside the collection path is deliberate: the provider's native export remains the authoritative source, and e-Dex simply seals and documents what you received.

Where Hashing Fits In

The backbone of the certificate is the cryptographic hash of each exported object — a fixed-length digital fingerprint (MD5, SHA-256, SHA-512, BLAKE3 and others) computed over the file. Recompute the hash later and, if it matches, the export is bit-for-bit identical to what you collected; change a single byte and the hash changes completely. e-Dex records these hashes against each item in the certificate with an explicit MATCH / MISMATCH statement, so the integrity of a multi-gigabyte Purview or Vault export is verifiable at a glance rather than taken on trust. This is the same integrity backbone described in our note on the evidence integrity certificate.

Signing and Time-Stamping the Certificate

Two things make a certificate genuinely defensible: who signed it and when. e-Dex can apply a PAdES digital signature using a Digital Signature Certificate (DSC) on a USB token, binding the deponent's identity to the document so any later edit is detectable. It can also attach an RFC-3161 trusted timestamp from a Time-Stamping Authority, giving independent proof of the exact moment the certificate was produced. For cloud collections — where the original data stays with the provider and you only hold an export — this signed, timestamped record is often the strongest evidence you have that the export was captured as stated.

How It Fits the Wider Workflow

A cloud evidence collection certificate rarely stands alone. A SaaS export is often one strand of a larger discovery exercise — see our note on the eDiscovery collection certificate in India — or part of an incident response, where preserving and certifying cloud logs and mailboxes early matters, as covered in our piece on the incident response evidence certificate. In each case the workflow is the same: export with the provider's tools, hash the package with e-Dex, record the particulars, and sign and timestamp the certificate.

A Note on Legal Advice

e-Dex helps you produce a well-structured, integrity-backed certificate; it is a tool, not a substitute for legal counsel. The precise wording, who must depose, and how a cloud export is tendered depend on the facts of your matter and the current text of the statute and the Schedule. Always read the provision as it stands and take advice where the stakes warrant it. e-Dex does not guarantee that any export will be admitted — that is a decision for the court.

Frequently Asked Questions

Is a cloud evidence collection certificate admissible in India?
There is no special rule for cloud data. Exported records from Microsoft 365, Google Workspace or AWS are electronic records like any other, so they generally need to be accompanied by the certificate required under Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 (the successor to Section 65B of the Indian Evidence Act). A well-prepared certificate identifies the provider, the account or tenant, the collection method and the integrity hashes of every exported object. e-Dex helps you produce that documentation, but admissibility is decided by the court on the facts of your matter.

Does e-Dex connect to Microsoft 365, Google Workspace or AWS to collect the data?
No. e-Dex never touches the cloud service. You run the export yourself using the provider's own tools — Microsoft Purview eDiscovery, Google Vault, an admin console or an API — and then point e-Dex at the downloaded files. e-Dex hashes those files and records the collection particulars in the certificate after the fact. It runs fully offline on your own Windows machine and does not need internet to do its job.

What should a cloud evidence collection certificate contain?
It should identify the cloud provider and service (for example Microsoft 365 Exchange Online or SharePoint, Google Workspace, or an AWS account), the account or tenant the data came from, the collection method and tool used, the collection window or date range, the custodian or person who ran the export, and an itemised list of the exported objects with their cryptographic hashes. The hashes let anyone recompute and confirm the files have not changed since collection.

What is the difference between a cloud evidence collection certificate and an eDiscovery collection certificate?
They overlap heavily. An eDiscovery collection certificate documents a structured collection across one or more sources as part of a discovery process. A cloud evidence collection certificate is the same idea narrowed to data that lives in a SaaS or cloud platform — it emphasises the provider, the tenant and the native export method (Purview, Vault, an API). In practice many cloud collections are part of a wider eDiscovery exercise, and the same hashing and certification approach applies to both.

Can e-Dex sign and timestamp a cloud evidence certificate?
Yes. e-Dex can apply a PAdES digital signature to the certificate using a Digital Signature Certificate (DSC) on a USB token, binding the deponent's identity to the document so later edits are detectable. It can also attach an RFC-3161 trusted timestamp from a Time-Stamping Authority, giving independent proof of when the certificate was produced. Both happen on your own machine.

Conclusion

Cloud and SaaS platforms now hold most of the evidence that matters, and an export is only as credible as the record that accompanies it. A cloud evidence collection certificate — provider, account, method, window and the verified hash of every object — turns a downloaded package into something you can defend. Run the export with your provider's tools, then let e-Dex — the Digital Evidence Integrity Suite hash, certify, sign and timestamp it on your own Windows machine.