
COLLECTION AND PRESERVATION OF DIGITAL & FORENSIC EVIDENCE
A paper presented by Mr. Peter Mugisha B. (SA) at Judicial
Training Institute on 7th May 2021

INTRODUCTION:
WHAT IS ELECTRONIC/DIGITAL EVIDENCE?

Electronic evidence refers to information of probative value stored or transmitted
in binary form (1s and 0s as per instructions of software) that may be relied on in
court.
OR
It is also referred to as data (comprising the output of analogue devices or data in
digital format) that is manipulated, stored or communicated by any man-made
device, computer or computer system, transmitted over a communication system
that has the potential to make the factual account of either party more probable or
less probable than it would be without the evidence.

A presentation by Mugisha Peter B at JTI 7/5/2021

Examples of electronic evidence / Where is electronic evidence?
• Any kind of storage device – computers, computer printouts, CDs,
DVDs, floppy disks, hard drives, thumb drives – electronic cameras, tapes
and microfilms, telegraphic transfers, electronic fund transfers, memory
sticks and memory/SIM cards, cell phones – fax machines, answering
machines, cordless phones, pagers, caller-ID, scanners, printers and
copiers – CCTV cameras, ATM machines etc. For example, banks no
longer use ledger cards and vouchers; everything is now computerized.
• Are computers, mobile phones and the Internet the only sources? What else?
• Impact of social media
N.B. All stakeholders of the judicial justice system need to update
themselves on the use of the latest technology and cyber forensic
investigation techniques.

INTERNET USE (By Certified Forensic Computer Examiners’ Report 2018)


a. 3.2 Billion users on Internet.
b. Internet penetration estimated around 50% worldwide.
c. 1 trillion unique URLs accessible on Internet. (websites)
d. 281 billion e-mails sent daily (2018) & 2 billion videos viewed daily
(Facebook, WhatsApp, Instagram, Twitter etc.).
e. 14% of global trade via Internet.
f. 1.4+ billion Internet auctions yearly.
g. 1 billion Google searches per day.


COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE &
FORENSIC EVIDENCE
Under Ugandan law, the police are authorized to search persons and
premises and to seize evidence relevant to the case under investigation.
These provisions include:
• Sections 26 and 27 of the Police Act
• Sections 6 and 7 of the Criminal Procedure Code Act, and
• Section 28 of the Computer Misuse Act.

According to Edmond Locard (1877–1966);


“Anyone, or anything, entering a crime scene takes something of the
crime scene with them. They also leave behind something of
themselves when they depart”.
What are the characteristics of electronic evidence?
• Is invisible, and can be altered or destroyed easily.
• Is latent, like a fingerprint (FP) or DNA.
• Crosses jurisdictional borders.
• Can be time sensitive (has to be done/used/completed within a
specific time, normally soon).
• Requires special tools, equipment and specialized training.
• Requires expert testimony.



Stages of seizure and preservation of electronic evidence

• Discovery of electronic communication device to be seized.
• Secure the scene and move people away from equipment and power.
• Is the equipment switched on or connected to a network?
• If yes: is the expert available? Follow the advice, i.e. remove the power
supply cables from the equipment, do not switch off from the wall socket,
label and photograph/video the equipment, carefully remove and package
the equipment, record all the details on the search form and mark with
exhibit labels, search the area for diaries or papers with passwords on,
conduct technical interviews, transport the equipment, store and submit
the equipment for forensic examination.
• If the answer is NO: do not switch on the equipment and do not touch the
keyboard, do not follow unverified advice from the suspect, photograph
and make note of what is on the display. Engage the expert for
examination.

What should be seized?
• Computer system (main unit, monitor, keyboard & mouse, power cables),
hard disks not fitted inside the computer, modems, printers, scanners,
floppy disks, CDs, papers with passwords, phones, iPads etc.

Transport
• Keep all equipment away from magnetic sources like loudspeakers,
heated seats etc.
• Place the hard disks & circuit boards in anti-static bags.
• Do not bend floppy disks.
• Transport monitors face down on the back seat of the car.
• Place keyboards & mouse in aerated bags etc.



Digital forensics follows a similar process to crime scene forensics
when collecting evidence for a potential trial. The digital forensics
process involves collecting, analysing and reporting on digital data in
a way that is legally admissible. Digital evidence can also be used to
prove whether a person has been involved in crimes that are
unrelated to technology, such as murder or aggravated robbery.



Known best principles of handling digital evidence

• Under no circumstances should evidence be altered. No action should alter
data held on a computer, storage media or network which may
subsequently be relied on in court. Changes on a computer may occur by
merely turning it on or moving the mouse.
• Where a person finds it necessary to access original data held on a
computer or storage medium, they must be competent to do so and be
able to give evidence to explain the actions taken. This principle applies
even though an investigation may be time critical and evidence must be
examined immediately.
• An audit trail or record of all processes applied to computer-based
electronic evidence should be created and preserved. A third party should
be able to repeat these processes and replicate the results.
• The person in charge of the investigation has the overall responsibility for
ensuring that the law and the above principles are adhered to.

These best practices or principles can be summarised as follows;
a) Auditability – investigators should document all actions taken (Principle
3) to enable an independent assessor acting on behalf of an interested
party to evaluate said actions.
b) Justifiability – investigators should be able to justify all actions and
methods used in handling digital evidence and demonstrate that the
method chosen to obtain the potential evidence was the best choice by
successfully reproducing or validating the actions and methods used.
c) Repeatability – it should be possible for an independent assessor or the
authorised interested parties to repeat or reproduce the tasks
performed.
d) Reproducibility – it may be necessary to obtain the same results in a
different testing environment.
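
An added example (not part of the original presentation) of the audit-trail and repeatability principles above: each logged action records the exhibit's SHA-256 hash and the hash of the previous entry, so an independent assessor can re-run `verify` and detect an altered record or an altered exhibit. The function names, log fields, the choice of SHA-256 and the sample data are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash every field except entry_hash, in a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record(trail: list, examiner: str, action: str, exhibit: bytes, when: str) -> dict:
    """Append one action; the entry commits to the exhibit hash and the previous entry."""
    entry = {
        "seq": len(trail),
        "when": when,
        "examiner": examiner,
        "action": action,
        "exhibit_sha256": sha256_hex(exhibit),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    trail.append(entry)
    return entry

def verify(trail: list, exhibit: bytes) -> list:
    """Repeat the checks an independent assessor would run; return the findings."""
    findings = []
    prev = GENESIS
    for i, e in enumerate(trail):
        if e["seq"] != i or e["prev_hash"] != prev:
            findings.append(f"entry {i}: chain broken (reordered, removed or inserted)")
        if entry_digest(e) != e["entry_hash"]:
            findings.append(f"entry {i}: record altered after it was written")
        if e["exhibit_sha256"] != trail[0]["exhibit_sha256"]:
            findings.append(f"entry {i}: exhibit differs from the acquisition hash")
        prev = e["entry_hash"]
    if trail and sha256_hex(exhibit) != trail[0]["exhibit_sha256"]:
        findings.append("exhibit as presented does not match the acquisition hash")
    return findings

# Constructed sample: a stand-in for a disk image and three logged actions.
IMAGE = b"constructed stand-in for the bytes of a seized disk image"
TRAIL = []
record(TRAIL, "Examiner A", "imaged the exhibit", IMAGE, "2024-01-10T09:00Z")
record(TRAIL, "Examiner A", "made working copy", IMAGE, "2024-01-10T09:40Z")
record(TRAIL, "Examiner B", "keyword search on working copy", IMAGE, "2024-01-10T11:15Z")
```

The chain only protects entries that have a successor, so the hash of the last entry should also be written somewhere outside the log, such as the exhibit form.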
All the above processes and the principles are necessary in the
collection/handling or preserving electronic evidence to ensure that
the evidence sought to be relied upon in court is authentic, relevant
and reliable in the circumstances.

EVIDENCE……!
• Evidence is evidence is evidence!

WHY?
• Regardless of whether the evidence is physical evidence, or
not, biological matter, or electronic residing on a specialized device,
all evidence must be treated the same.

PURPOSE!
• Integrity must be protected at all times.
