Defining electronic evidence

Defining electronic evidence Image by Daekow [CC BY-SA 4.0 (], from Wikimedia Commons

There is hardly a criminal case these days that does not involve a component of electronic evidence – almost everybody has a smartphone, for instance, which is basically a small computer in our pockets. Electronic evidence raises some very interesting legal and practical challenges not the least of which is the skills and knowledge required by investigators to appropriately handle this type of evidence.

The topic being covered in this article is whether and how electronic evidence is defined in the law as a category of evidence. It is generally accepted that, where possible, electronic evidence should be defined specifically in the law and I will describe below some of the challenges that can arise if this isn’t done.

What's so special about electronic evidence?

Some of the characteristics of electronic evidence make it difficult to collect and manage properly.

First of all, it is invisible to the naked eye. It is also difficult to authenticate the validity of electronic evidence and, in many cases, it will require specialist skills to access and interpret. Electronic evidence is also extremely volatile. It can easily be deleted, changed, manipulated or damaged. It may also be ephemeral, in the sense that it might only be available for collection for a short period of time.

These difficulties are not unique to electronic evidence. Several different forms of trace evidence (DNA, fingerprints, etc.) share these features. Electronic evidence also has some other unique characteristics that can present challenges. Here are a few examples:

  • The evidence may not be located in the jurisdiction where the crime is being investigated. It may, in fact, be very difficult to determine which jurisdiction the evidence is actually located in.
  • The volume of data gathered may be extremely large. Often a huge volume of data (measured in terabytes) need to be analysed in order to identify the substantive evidence (the size of which might be measured in kilobytes). This means that the time taken to identify and analyse a specific piece of evidence is both (a) significant and (b) unpredictable. This, of course, presents huge resourcing and time management challenges for investigative units.
  • There may be inadmissible information, such as privileged communication, mixed in with the evidence.

It is the combination of all of these factors, particularly when more than one difficulty arises at the same time, which makes the collection and management of electronic evidence so interesting.

How has evidence traditionally been defined?

In most criminal procedure codes there is a definition of the categories of evidence that are admissible in court proceedings. This will often include things like witness testimony, forensic examination, results of a search of property, documentation, and so on. Some countries have updated their criminal procedure codes to include provisions specifically allowing for the admissibility of electronic evidence, whereas other countries interpret the existing provisions as allowing for the admissibility of electronic evidence.

For example, some might say that a document includes a document in any form (including a document in electronic form). The term “document” is then interpreted broadly to include any file stored on a computer. Another approach used is to say that any evidence that is the result of a properly conducted search is admissible and a search could include a search of any computers found, so any evidence collected through the subsequent search of the computer is thereby admissible.

Why is it important to have a specific definition of electronic evidence?

The problem with these approaches arises because electronic evidence covers such a broad range of sources of evidence, collected in such a broad variety of ways. The contortions required to shoehorn electronic evidence into a traditional evidence category become more and more difficult as different types of electronic evidence are encountered. Here are a few examples:

  1. If a broad interpretation of “document” is being used to encompass electronic evidence:
    1. Usually these provisions require production of an “original” version of the document. What does an “original” mean in the context of electronic evidence?
    2. What about when it comes to seizing categories of electronic evidence that could in no way be interpreted as a document? Examples that spring to mind are the content of RAM or data captured directly from a network.
    3. It is usually a requirement that copies of seized documents be provided to the defendant. Will this include copies of seized electronic evidence? If so, it may be the case that the investigators are handing back control of valuable assets (e.g. bitcoin wallets) to the suspect.
  2. If electronic evidence is admissible under “search” provisions:
    1. Which aspects of the electronic evidence analysis are covered by a search order. Does the scope of the search order also include forensic acquisition? What about the subsequent analysis of the acquired data? What about live data imaging?
    2. What if an investigating officer arrives at a scene and finds a computer connected to (for example) Dropbox. Is it acceptable for the investigator to browse around the Dropbox folder, even though that data is, in all probability, stored in a different jurisdiction?


In this article I have deliberately side-stepped all of the practical issues of collection and management of electronic evidence, focussing instead on what electronic evidence actually means and considering some of the aspects of its admissibility in court. It is by no means a simple matter to draw up an all-encompassing definition of electronic evidence but it is important to consider these matters and make sure that the legal framework supports electronic evidence.


Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site you are accepting the use of cookies in accordance with our privacy policy.
Privacy Policy Accept