Electronic evidence gathering

Guide to conduct security investigations to gather electronic evidence

2021 is a year which made everyone to connect and use the internet for the good. As per reports made by Statistica[1], the global usage of internet has been increased by 7.3% by the January 2021 when compared with the year 2020. That is a drastic difference and COVID 19 pandemic has made a huge impact on this due to restricted living conditions. Which made people to work/learn from home ever than before. As a side effect, global cyber attacks have been skyrocketed and to be exact, The Cybint[2] reported that the US FBI reported a 300% increase in reported cybercrimes. Because of that, the investigations of such crimes should be done in a layered process to retain the integrity and reliability of the evidence. Thus, the investigation personnel should extract, preserve, process and give conclusions based on the findings by following a specific guide led by a reputed institute to carry such actions in order to legally take an action against the cybercrime.

For the use of Computer Emergency Response Teams (CERTs), the European Union Agency for Cybersecurity (ENISA) has been published a guideline to deal with digital evidence and the way to gather digital evidence. This does not mean the CERTs should carry out the investigations exactly as the guide published by ENISA. As the name implies, it is just a guide for the CERTs to follow when gathering, manipulating evidence. As everyone knows, the digital evidence gathering is mostly ad-hoc since we work in a highly dynamic area of information systems. Thus, it is necessary to make decisions based on the actual scenario which may or may not be experienced and acclaimed by anyone.

Sources of evidence

It is just not the personal laptop/computer, mobile phone which contain digital evidence. Every dependency including the ISP, Router, CCTV Cameras, Pen drives, Digital cameras and also the social media accounts come into play. Those are not just stopping from there, it even spreads to the devices that he/she is being connected to, including the devices owned by the family, partner, friend of the suspect. Thus, it is not easy to draw a distinguishable line between the digital evidence sources and the ones who not. Anyway, the aforementioned devices are identified as some reputed sources for gathering evidence.  The volatile and non-volatile data should be highlighted here as the CERTs should be able to retain data as much as possible through the extraction process. Because the time, power availability, network connectivity plays a key role in changing the evidence swiftly. Because of that, it is essential for the CERTs to know the correct way of the data extraction when it comes to the data which contains in the RAM when the computer is turned on. As the computer RAM is becoming much more larger in size these days, it is a must to gather those dumps from volatile memory as those might give the evidence to prove that the attack is being done and it will help the investigator to prove or disprove a suspected offence.

Principles of electronic evidence gathering

When gathering the electronic evidence from various sources, it is better to follow the local ruleset if provided/available as the evidence extraction and processing procedure may differ among different countries. This article describes about basic guidelines to follow in an identification of a suspected offence. Following this guide alone does not mean the evidence gathered could be admissible in court.

The Electronic evidence guide – A basic guide for police officers, prosecutors and judges[3], developed within the framework of the European Union and the Council of Europe joint project (CyberCrime@IPA project17), for example, identifies five principles that establish a basis for all dealings with electronic evidence.

  • Principle 1 – Data Integrity
  • Principle 2 – Audit Trail
  • Principle 3 – Specialist Support
  • Principle 4 – Appropriate Training
  • Principle 5 – Legality

Data integrity

This may be the most important principle out of all the principles we have been focusing on. At the end, if there is no integrity or if the integrity cannot be proved of the provided evidence, then the court could not proceed with the case anymore as the investigation is done without reliable data. So, for the investigator, it is advisable to keep logs of everything which he/she/they has/have done to maintain the chain of custody through the data extraction and processing phase. Use of hash is encouraged as it is a good way to prove that the data has not been altered. In cases where a special personnel is needed to gather data, it should be done and have a written document with his/her signature to prove that he/she was on evidence gathering phase and they are unbiased and have the authority to perform such task. As an example, if the person is not competent enough to gather evidence from the volatile storage of a computer, then the evidence cannot be proved in court.

Audit Trail

This is also known as chain of custody. It is the process of keeping logs in the process of digital evidence gathering to preserve the integrity of the evidence. CERTs should be able to record each and every step they have used/followed to seize the evidence and an independent third party should be able to examine those actions and achieve the same result. So, the CERTs should record all the steps they have been carried out from the identification of a suspect to the moment the evidence is presented to court. Even if the seized evidence transportation and storage information should be thoroughly documented.

Specialist support

It is necessary to have the “call a friend” (informal) option when the necessary equipment or knowledge is lacking in CERTs. If possible, it’s better to call the right specialist to perform the evidence seizing task in such scenarios. The specialist could be either from internally or externally. The necessary factor is to call for the right specialist with right equipment with necessary provable qualifications to make sure the evidence is approved by the court.

Appropriate training

All the CERTs should have the necessary qualifications and should have a proper appropriate training before starting the evidence gathering tasks. This is very crucial in cyber security rather than physical security, since most of the stuff are changing very dynamically and the CERTs should be up to date to tackle those new technologies in order to provide a reliable, swift and effective service.


The person who is responsible for the investigation has the overall responsibility to the ensure that the evidence gathering and the whole process after that are adhering to the law of the specific jurisdiction.


It is very difficult to make a comprehensive article regarding the evidence gathering. However, in this article, I have tried my best to get the gist out of the guideline published by ENISA to summarise most of the content into something bearable. It is always advised to refer to the local regulations and guidelines for digital evidence gathering before you actually do a real-world evidence gathering. However, it is always recommend to refer to the international summarised guidelines to make sure the background knowledge is acquired.

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/ 

[2] https://www.cybintsolutions.com/cyber-security-facts-stats/

[3] CyberCrime@IPA, EU/COE Joint Project on Regional Cooperation against Cybercrime, Electronic evidence guide – A basic guide for police officers, prosecutors and judges,Version 1.0, Authors: Jones, N., George, E., Insa Mérida, F., Rasmussen, U., Völzow, V. https://au.int/sites/default/files/newsevents/workingdocuments/34122-wd-annex_4_-_electronic_evidence_guide_2.0_final-complete.pdf [last accessed 11 May 2021]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s