All articles Incident Response

Preserving Digital Evidence: Your Guide to Online Incidents

7 min read

In today's digital world, online incidents are unfortunately becoming more common. Whether it's a scam, fraud, or a data breach, knowing how to properly preserve digital evidence is vital. This information can be critical for reporting the incident, supporting investigations, and potentially recovering losses. It might feel overwhelming in the moment, but following a few key steps can make a big difference.

Why Preserving Evidence Matters

Digital evidence serves as the factual foundation for understanding what happened during an online incident. It provides concrete proof, helping authorities like the AFP or Scamwatch, financial institutions, or even your internet service provider investigate claims and take appropriate action. Without proper evidence, it can be much harder to prove your case or get assistance.

Think of it like a crime scene – every detail counts. Digital incidents are no different. Properly collected evidence can help identify perpetrators, demonstrate financial losses, or resolve disputes. It ensures that when you report an issue, you have the necessary documentation to back up your claims.

Capturing Visual Proof: Screenshots and Recordings

Screenshots are often the simplest yet most effective form of digital evidence. They capture exactly what you see on your screen. When taking screenshots, make sure to include as much context as possible.

Always capture the date and time visible on your computer's clock (if possible) and ensure the URL or application name is included. If you're on a mobile device, a quick screen recording can sometimes be even more useful than multiple screenshots, especially for showing interactive elements or changing screens.

Here's what to capture with screenshots:

1. Full webpages, including URLs and timestamps.

2. Suspicious messages (SMS, email, social media) – show sender details and date/time.

3. Error messages or unexpected system behaviour.

4. Online transaction details or unrecognised account activity.

Decoding the Data: Email Headers and Transaction IDs

Email headers contain a wealth of technical information that can trace an email's journey from sender to recipient. While they might look like gibberish to the untrained eye, they're invaluable for verifying an email's origin and identifying spoofing attempts. Your email provider will have instructions on how to view full headers; search their help documentation.

Transaction IDs, reference numbers, or case numbers are equally critical for financial fraud or service disputes. Whenever you interact with an organisation, especially after a payment or a report, note down any unique identifiers they provide. These numbers are often the key to tracking inquiries and proving interactions.

For financial transactions, ensure you record:

1. The exact transaction time and date.

2. The amount and currency.

3. The recipient's name or account details (if visible).

4. Any unique transaction reference numbers provided by your bank or the payment processor.

Maintaining the Chain of Custody

The 'chain of custody' refers to the documented, unbroken trail of evidence, showing who has had access to it and when. While this concept is often associated with forensic investigations, it’s a good principle to apply even in personal incidents. Keep your collected evidence organised and secure.

Store your screenshots, recordings, and copied text in a dedicated folder, perhaps on a cloud drive or an external hard drive, timestamping files and noting where they came from. Avoid altering the original files if possible; if you need to annotate, do so on a copy. This practice helps ensure the integrity and trustworthiness of your evidence.

When you call KNOMI after an incident, we can also guide you on the best way to assemble and present this evidence to the relevant authorities, ensuring that your efforts are as effective as possible.

What Not to Do: Avoiding Common Mistakes

In the heat of the moment, it's easy to make mistakes that could compromise your evidence. Firstly, avoid deleting anything related to the incident, even if it seems irrelevant. Accidentally removing crucial information can hinder investigations.

Secondly, don't try to 'fix' the issue yourself by engaging with scammers or tampering with evidence. This includes deleting emails, clearing browser history, or altering screenshots. Your immediate priority should always be to preserve the scene as it is. If you're unsure, reach out to trusted experts like KNOMI before taking further action. We can provide calm, expert guidance when you need it most.

Frequently asked questions

What's the most important piece of evidence to collect?

Often, the most important piece of evidence is a clear screenshot or screen recording that captures the incident, including sender details, URLs, and timestamps, as it appeared on your device.

Should I contact the scammer to get more information?

No, you should never engage further with a suspected scammer. This can put you at further risk or alert them, potentially making it harder for authorities to investigate. Collect your evidence and then report to the appropriate body.

Where should I store the digital evidence?

Store your evidence in a secure, organised manner, ideally in a dedicated folder on a cloud service, external hard drive, or USB. Make sure to keep original files and avoid altering them.

Who should I report digital incidents to in Australia?

Depending on the incident, you might report to ReportCyber, Scamwatch, IDCARE, your bank, or the eSafety Commissioner. KNOMI can help you determine the correct authorities and guide you through the reporting process.