Digital Evidence

Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device. Text messages, emails, pictures and videos, and internet searches are some of the most common types of digital evidence.

Digital Trail

Most criminals now leave a digital trail; a suspect’s e-mail or mobile phone files might contain critical information:

  • Intent,
  • Location and time of crime,
  • Relationship with victim(s), and
  • Relationship with other suspect(s)

On Scene

As the first responding officer, the collection and preservation of digital evidence begins with you.

Once the scene has been secured and legal authority to seize the evidence has been confirmed, devices can be collected. First responders must be cautious when handling digital devices: in addition to normal evidence collection procedures, preventing exposure to extreme temperatures, static electricity, and moisture is a must.

Frequently seized devices – Smartphones and other mobile devices

Step 1 – Document the device and all collection procedures and information
• Photograph OR Video OR Sketch
• Notes
• Chain of custody

Step 2 – Determine if the device is on or off
• Look for lights
• Listen for sounds
• Feel for vibrations or heat
NOTE – Many mobile devices save power by turning off screens after a specified amount of time.  Despite the screen status, the device is likely still active.  Ask if the device is currently powered on. Where legal, pressing the power button quickly will activate the screen.

Step 3 – If the device is off, do not turn it on
• Collect and package (see Step 5)
• Ask for password/pass pattern
• Transport (see Step 6)

Step 4 – If the device is on, proceed with CAUTION
WARNING – The two most significant challenges for officers seizing mobile devices are: (1) isolating the device from cellular and Wi-Fi networks; and (2) obtaining security passwords or pass patterns for the device so the evidence can be examined forensically. Always ask if there is any security feature enabled on the phone. These can include passwords (simple or complex), security/wiping apps, pass patterns, or biometrics (facial scan). Document (see the attached consent form for guidance) and confirm the password or pass pattern. Turning the device off could result in the loss of evidence. The best option is to keep the device powered, unlocked (if locked, collect any available passwords, PIN codes, or security unlock information), and in airplane mode until it is in the hands of an experienced technician.

Step 5 – Collection and Package
WARNING – You may need to collect other forensic evidence including fingerprints, biological samples, DNA, etc. from smartphones and mobile devices. Work with crime scene technicians or trained forensic personnel to preserve such evidence without disturbing the integrity of the data on the device. Be sure to advise forensic examiners in advance of submission of the possible existence of hazardous material on the device.
• Secure data and power cables
• Consider collecting computers that may contain device backups
• Package the device so it will not be physically damaged or deformed
• Package the device in evidence bags or boxes

Step 6 – Transport
• Deliver evidence to a secure law enforcement facility or digital evidence laboratory as soon as possible
• Protect from temperature extremes and moisture

Frequently seized devices – Laptop and Desktop Computer Systems

Step 1 – Document the device and all collection procedures and information
• Photograph OR Video OR Sketch
• Notes
• Chain of custody

Step 2 – Determine if the device is on or off
• Look for lights
• Listen for sounds
• Feel for vibrations or heat

Step 3 – If the system is off, do not turn it on
• Disassemble (see Step 5)
• Transport (see Step 6)

Step 4 – If the system is on, proceed with CAUTION
• Do not type, click the mouse, or explore files or directories without advanced training or expert consultation
• Ask about passwords and/or encryption of the system
• Observe the screen, and look for any running programs that indicate access to internet-based accounts, open files, encryption, or the presence of files or data of potential evidentiary value
• If you see anything on the screen that concerns you or needs to be preserved, consult with an expert (if you don’t know who to contact, call the number on the inside cover of this manual)
• Photograph the screen
• Once you are prepared to power down the system, pull the plug from the back of the computer system
• Remove the battery from a laptop system

Step 5 – Disassemble and package the system
WARNING – You may need to collect other forensic evidence including fingerprints, biological samples, DNA, etc. from computer systems, digital devices, and electronic media. Work with crime scene service technicians or trained forensic personnel to preserve such evidence without disturbing the integrity of the digital media.
• Photograph the system from all perspectives
• Clearly mark evidence and document chain of custody, location, and other important details about the seized item(s)
• Disconnect and secure cables
• Check media ports and CD/DVD trays for the presence of removable media
• Package the system, and peripheral devices, for transport using laptop bags (if applicable), boxes, or evidence bags

Step 6 – Transport
• Protect from temperature extremes and moisture
• Do not place evidence in the cruiser’s trunk
• Protect from electro-static discharge
• Package evidence so it will not be physically damaged or deformed
• Deliver evidence to a secure law enforcement facility or digital evidence laboratory as soon as practicable

Other commonly seized devices that may store digital evidence 

There are many other storage media and technical devices that may process and store digital evidence. Examples of these devices include media cards (e.g., secure digital, SIM, flash, memory sticks), thumb drives, optical media (e.g., CD, DVD, and Blu-ray), digital cameras, MP3 players, iPods, servers, surveillance systems, gaming stations (e.g., Xbox, PlayStation, Wii), and GPS devices. Each of these devices is capable of holding significant digital evidence that will help your case, and each is handled in a separate way. Seizure of these items should be performed with special care. Consider working with an experienced digital evidence analyst to collect these items.

Step 1 – Document the device and all collection procedures and information
• Photograph OR Video OR Sketch
• Notes
• Chain of custody

Step 2 – Determine if the device is on or off
• Look for lights
• Listen for sounds
• Feel for vibrations or heat

Step 3 – Ask if there are any security features enabled on the device including passwords or encrypted file protection.

Step 4 – If the device is off, do not turn it on
• Collect and package (see Step 6)
• Transport (see Step 7)

Step 5 – While assessing, collecting, packaging, and transporting, follow these device-specific rules
• Only trained personnel should collect data from a server. If you don’t know what you are doing, stop and call an expert. Be careful when asking for the assistance of information technology or other personnel on-site
• GPS devices, MP3 players, and digital cameras should be turned off to secure data.  Be sure to ask for any passwords or security features
• If available, paper evidence bags, or static-free evidence bags, are best for the storage of media
• Media contained in binders or carriers should remain in the container
• Be careful not to scratch optical media during seizure
• Gaming stations should be seized in the same manner as computers

WARNING – Collecting evidence from surveillance systems can be difficult. Time is of the essence as digital surveillance systems often have proprietary software and hardware needs for playback.  Speak to your prosecutor or agency legal counsel when making a decision about the seizure of a digital surveillance system as opposed to footage or segments of video extracted from the system.  Also, be sure to get the company and installer name and contact information for the person that installed or maintains the system.

Step 6 – Collection and Package
• Follow chain-of-custody procedures
• Secure data and power cables
• Label the evidence container(s), not the device(s)
• Package the device so it will not be physically damaged or deformed
• Package the device in evidence bags or boxes

Step 7 – Transport
• Deliver evidence to a secure law enforcement facility or digital evidence laboratory as soon as practicable
• Protect from temperature extremes and moisture

For more information related to digital evidence, see the Investigator / Digital Evidence section of this website.

Additional Resources

Assistance for page content was provided by the Massachusetts Digital Evidence Consortium.
