Cybercrime: how to make sure digital evidence is admissible

08 March, 2019

Cybercrime is one of the biggest threats facing Australian businesses in 2019. Internet crimes, data theft and other offences can originate inside or outside an organisation, and both intelligence and digital evidence are needed to connect the perpetrator with the crime. Much information gleaned in an investigation is merely intelligence. Not all intelligence information will have met the threshold of admissible ‘digital evidence.’

Unfortunately, attribution of the perpetrator of a cybercrime is rarely simple. Even if forensic cyber investigations track down digital evidence, careful steps must be taken to ensure that the evidence and the cyberfraud investigation itself comply with the standards of admissibility required by the courts. Hiring an experienced and certified private investigator can help.

What is the law of evidence in New South Wales?

New South Wales follows the Evidence Act 1995 (Cth) that recognises digital data as valid evidence and allows cyberintelligence specialists to explain how a system operates.

However, these laws of evidence do not always reflect the way evidence is produced, particularly how easily criminals can change digital data without detection.

To ensure digital evidence can be used for prosecution, law firms and investigators need to keep the following in mind:

1. Don't break the law

Private investigators and cyberlaw enforcement officers need to be careful that they don’t inadvertently break the law when searching for and seizing data, as this can lead to the automatic rejection by the court of vital evidence.

An appropriate search warrant must be obtained for searches of devices or databases. If evidence of other crimes is discovered during the investigation, additional warrants may be needed.

If a computer or data storage is used by more than one party, permission should be sought to avoid unintentional breaches of personal data.

Evidence found to be in breach of the Telecommunications (Interception and Access) Act 1979, will be automatically rejected.

2. Preserve evidence

Unlike hard copies, digital evidence is ephemeral and may be deleted or altered by criminals even after it's discovered. It may also be accidentally or automatically wiped, and logs may not be kept by service providers.

A certified digital forensics expert can take action to prevent tampering and data loss by blocking processes and preventing unauthorised persons from accessing devices during an investigation.

These experts can also recover deleted data using software accepted by the court – as long as proper procedures have been followed.

3. Prove a suspect's involvement

Even if data that proves a crime has taken place is secured, the hardest part can be proving the link to a suspect, especially as the internet enables people to operate with a level of anonymity.

Cybercrime investigators must find evidence that a suspect used the device or database at a crucial time. This can involve surveillance in public places and physical searches of premises for documents related to the crime. ISP records and financial account information can also be vital for proving when and where a crime took place.

Where to get help

For organisations needing assistance to connect the dots with digital evidence, IFW Global's certified private investigators can help. To find out how, download our free ebook, Law Firms and Investigations: How IFW Global Can Help You Win Cases.

New call-to-action

Return to Blog