E-crime Lab

Protecting Electronic Evidence

Electronic evidence is delicate. It is easily altered, damaged or destroyed by improper handling or examination.

It is important to know what you can do to help the Police further your complaint.
Any attempt to access data or run a computer program can jeopardise the integrity of the evidence.

Electronic evidence, like all other evidence, must be handled carefully and in a manner that protects its evidential integrity.

If you believe you are a victim of a crime that involves an electronic device (an e-crime), it is vital that you take the following steps:

  1. Stop!
  2. Do not allow further access to the machine.
  3. If the machine is switched off, do not turn it on for any reason. (Microsoft Windows alters data in over 600 places when booting, overwriting potential evidence.)
  4. Collate any physical evidence relating to the problem (as detailed below).
  5. Contact your Local Police Station immediately for advice on how to proceed.

World Wide Web (Websites)

Information to provide in a website investigation:

  • Write down the website address (eg www.police.govt.nz). How did you become aware of the existence of the website?
  • When did you contact the website (date and time)?
  • Did you print a copy of the screen image? If so, provide a copy to the Police.
  • Did you save a copy of the website in your computer? If so, provide a copy on floppy disk or CD-ROM.
  • Provide the username, logon and password you used to access the website.
  • Consider releasing the computer to the Police for forensic examination.

E-Mail

Information to provide in an e-mail investigation:

  • Record the name of the Internet service provider (ISP).
  • Do you have a printed copy of the e-mail message (ideally including the complete header)? If so, provide a copy.
  • Did you save a copy of the e-mail message on your computer? If so, provide a copy on floppy disk or CD-ROM.
  • If you do not have a copy of the e-mail message, is it still in the "computer mailbox" at the ISP? If so, provide a copy on floppy disk or CD-ROM.
  • Record the alleged offender's screen name and e-mail address.
  • Provide your username, logon and password.
  • What e-mail program were you using?
  • Consider releasing the computer to the Police for forensic examination.

Internet Relay Chat (IRC) and Instant Messaging (IM)

Information to provide in a chat room investigation:

  • Record the name of the chat room or chat channel.
  • Record the name of the server the chat room is on.
  • Record the nickname, "handle" or screen name of the alleged offender.
  • Did you note the Internet Protocol (IP) address next to your screen name in the users list? If so, provide the IP address.
  • Did you print a copy of the chat dialogue window? If so, provide a copy.
  • Provide the username, logon and password used to access the website.
  • Did you save the chat dialogue on your computer? If so, provide a copy on floppy disk or CD-ROM.
  • Consider releasing the computer to the Police for forensic examination.

Newsgroups

Information to provide in a newsgroup investigation:

  • Who is your Internet service provider (ISP)?
  • How did you discover the existence of the newsgroup?
  • Record the name of the newsgroup.
  • Record the name/subject of the posting (ideally including the complete header).
  • Do you have a printed copy of the posting? If so, provide a copy.
  • Did you download the posting onto your computer? If so, provide a copy on floppy disk or CD-ROM.
  • Provide the username, logon and password used to access the newsgroup.
  • Consider releasing the computer to the Police for forensic examination.

Unauthorised Access

Contact your Local Police Station immediately so that the Electronic Crime Laboratory can be involved from the earliest stages.
