CYFOR Blog

What is considered electronic evidence and why is it important?

Electronic evidence, also more commonly known as digital evidence, is data stored within electronic devices or systems that can be recovered by digital forensic experts and used as admissible evidence in court. With the prolific use of smartphones and computers, the amount of actual data generated from these devices is vast. As such, there can be an expectation within almost any investigation for the need to identify electronic evidence. If identified, collected and analysed in a forensically sound manner, this digital evidence can prove crucial to the outcome of criminal, civil and corporate investigations.

What forms of media are considered electronic evidence?

Data that is recovered from the following devices and applications could be considered digital evidence. However, this is only admissible in court if recovered using a forensic methodology by a certified expert.

• Computers, laptops and tablets
• Mobile phone data
• HDD, RAID and SSD hard drives
• USB memory sticks and SD cards
• Social media information
• Whatsapp messages
• Cloud storage data
• Digital photographs
• CCTV

Applying the ACPO Guidelines to electronic evidence

The Association of Chief Police Officers (ACPO) guidelines are a set of principles for handling digital evidence. It is critical that these guidelines are strictly adhered to when investigating computers or digital media as it ensures evidence continuity and admissibility of digital evidence in court.

The main principles of the ACPO Good Practice Guide for Computer Based Electronic Evidence are:

• Principle 1:

No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court.

• Principle 2:

In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

• Principle 3:

An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

• Principle 4:

The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

Applying the ACPO Guidelines in practice means that a chain of custody should be established. This ensures that no unauthorised access to digital media can occur. When the digital evidence is forensically interrogated a write-blocker is required, so that data cannot be overwritten or altered from its original format, preserving the evidence. Specialist forensic tools should be used, and all interrogations completed on a forensic image (or clone), not on the original media device.