Your evidence vanishes when you shut the machine. The law still demands it.

When the evidence vanishes when you flip the switch

Imagine this: you’re a film producer who has spent a significant amount on a blockbuster. You discover a website is illegally streaming your movie. You file a suit. The court orders the site’s operator to hand over server logs that will prove exactly who uploaded the content and when. The operator replies: “Those logs existed only in the computer’s temporary memory. They were overwritten six hours later. There is nothing to hand over.”

That is not a hypothetical. That is the exact fight that played out in Columbia Pictures Industries v Justin Bunnell—the TorrentSpy case—in the US District Court for the Central District of California. And the question at its heart was deceptively simple: does the law care about data that was never meant to last?

The answer, as it turns out, is yes. And that answer has direct consequences for every Indian litigation involving electronic evidence—from cheque bounce cases to cybercrime complaints to high-stakes commercial disputes.

What RAM actually is—and why the law had to catch up

Random-Access Memory, or RAM, sits at the top of the computer storage hierarchy. It is primary storage. That means it is the fastest memory in the machine—the place where the processor grabs the data it needs right now. A hard disk drive (HDD) or solid-state drive (SSD) is secondary storage: slower, but permanent.

Here is the critical difference: RAM is volatile. The moment you cut power—whether by shutting down the system, pulling the plug, or even a momentary power flicker—everything in RAM disappears. It is designed that way. It is temporary workspace, not long-term filing cabinet.

For decades, this volatility made lawyers and judges treat RAM data as legally irrelevant. If it vanishes when the machine turns off, how could it possibly be evidence? The TorrentSpy case changed that thinking.

The defendants—operators of a website that facilitated peer-to-peer file sharing—argued that their server logs were stored only in RAM. They said the logs were overwritten every six hours to free up space. No permanent record existed. Therefore, they argued, there was nothing to discover.

The court disagreed. It held that data stored in RAM qualified as electronically stored data and was therefore discoverable. The fact that it was temporary did not make it legally invisible. The impact was immediate: once RAM data is an electronic record, discovery can be sought under Order XI of the Civil Procedure Code (CPC) in India, or under equivalent discovery rules in other jurisdictions.

Three questions that change how you handle RAM evidence

If you are a lawyer, a forensic expert, or a corporate counsel dealing with electronic evidence, here are the three moves that matter:

1. Ask whether the evidence lives in RAM before you touch the power button. Most lawyers think of hard drives when they think of digital evidence. But malware—Trojans, viruses, ransomware—often exists only in RAM. It never touches the hard drive. If you shut down the machine, you destroy the evidence. The first question in any digital investigation should be: “Is this data volatile?”
2. Use live forensics tools, not dead ones. A hard drive can be removed, connected to a write-blocker, and imaged safely. RAM cannot. To capture RAM contents, you need specialised tools—AccessData FTK Imager, PMDump, or similar—that run while the system is powered on. If you disconnect the power, you lose the data. Period.
3. Draft your discovery requests to explicitly include volatile data. In Indian litigation, a standard discovery request under Order XI CPC might ask for “all electronic records” or “server logs.” After TorrentSpy, you should add language that specifically covers data stored in RAM, cache memory, and other volatile storage. Otherwise, the opposing party may argue—as the TorrentSpy defendants did—that temporary data is not covered.

What this means for Indian courts and corporate counsel

The TorrentSpy case is a US federal court decision, but its logic has been absorbed into Indian jurisprudence through the Information Technology Act, 2000, and the Evidence Act, 1872. The IT Act defines “communication device” broadly. The IT Act, read with the Information Technology (Preservation and Retention of Information by Intermediaries) Rules, 2021, imposes preservation obligations on intermediaries. And the Supreme Court of India has held that electronic records are admissible if the conditions of the Evidence Act are satisfied.

But here is the gap that most lawyers miss: the Evidence Act requires a certificate that the computer was “used regularly” and that the data was “regularly fed.” If the data existed only in RAM for six hours and was then overwritten, can you certify that it was “regularly” stored? The answer is yes—if you can show that the system was configured to generate and overwrite that data as part of its normal operation. But you need to build that evidentiary foundation before the data disappears.

THE PLAY: In any case involving server logs, real-time monitoring, or malware analysis, file a preservation notice under the IT Act before the opposing party shuts down its systems. That notice should explicitly require preservation of volatile memory contents.

The counter-example: when RAM data is not enough

Not every case will turn on RAM data. In Columbia Pictures Industries v Justin Bunnell, the court allowed discovery, but the plaintiffs still had to prove that the data in RAM was relevant and not unduly burdensome to produce. The defendants argued that capturing RAM logs would require shutting down their servers, causing business disruption. The court balanced that against the plaintiffs’ need and ordered a phased production.

In India, the same balancing test applies. Under Order XI Rule 2 CPC, discovery must be “necessary for disposing fairly of the suit or for saving costs.” A court will not order RAM capture if it is disproportionate to the value of the dispute. But if the dispute involves a significant amount—or a criminal charge under the IT Act (cheating by personation using computer resource)—the balance shifts heavily in favour of preservation.

Here is the move

If you are in this spot—whether you are defending a client accused of downloading pirated content, or prosecuting a company that lost trade secrets to a RAM-resident Trojan—your first step is not to file a pleading. Your first step is to secure the volatile memory. Call a forensic expert. Do not let anyone turn off the machine. Document the chain of custody for the RAM capture. Then, and only then, draft your discovery request or your preservation notice.

The bottom line: RAM is primary storage, it is volatile, and the law now treats it as real evidence. But it only stays real as long as the power stays on. Act before the switch flips.