For use when digital material (messages, posts, photos, or emails) may be needed by police, lawyers, or forensic investigators

---

1. Do Not Alter Anything

• Do not delete, edit, or move any material that could be evidence.
• Avoid logging into or out of accounts unnecessarily — every action can change timestamps.
• Leave devices as-is if possible.

---

2. Capture Immediate Evidence

• Screenshots: Capture full screens showing the date, time, and web address or app name.
• Metadata: Note message timestamps, sender names, and account identifiers.
• Context: If posts or conversations show patterns of behaviour, capture the sequence, not just single messages.

---

3. Preserve Original Files

• Save data in its original format (e.g. .jpg, .mp4, .pdf) whenever possible.
• Use write-once media like CDs or WORM drives for long-term storage.
• Label all storage devices with:
  • Date created
  • Short description (e.g., “Forum screenshots 12 Oct 2025”)
  • Your name or initials

---

4. Maintain Chain of Custody

• Keep a simple log sheet noting:
  • Who collected the data
  • When and how it was stored
  • Every person who accessed or handled it afterward
• If you hand it to police or a lawyer, get a receipt or evidence record number.

---

5. Secure Physical & Digital Copies

• Store one copy offline (USB, DVD, or external drive) in a safe or sealed envelope.
• Store another encrypted copy (e.g. password-protected ZIP or BitLocker).
• Do not share copies via cloud links or social media.

---

6. Contact the Right Authority

• If a crime may have occurred:
  • UK: Contact local police or Action Fraud.
  • Spain: Contact Policía Nacional or Guardia Civil (Unidad de Delitos Informáticos).
  • US: Contact local law enforcement or the FBI’s Internet Crime Complaint Center (IC3).

Provide them with:

• A summary of what you preserved
• When and how you collected it
• Your contact details

---

7. Seek Professional Advice

• If unsure, consult a digital forensics expert or lawyer before transferring or copying devices.
• They can ensure the data remains admissible in court and technically sound for analysis.

---

🗝️ Golden Rule: “Preserve first, analyse later.”
The moment data is changed, its evidential value can be questioned.

---

⚖️ How Police and Forensics Access Online Data — by Country

---

🇬🇧 United Kingdom

Legal basis:

• Investigations follow the Police and Criminal Evidence Act (PACE) and Computer Misuse Act.
• Warrants and “Production Orders” under the Investigatory Powers Act (IPA) allow access to digital material.
• Online platforms (e.g., Meta, X, Reddit) respond to UK police requests via international cooperation agreements.

Timeline:

• Public posts: immediate viewing/collection
• Private messages or cloud data: weeks to months (requires judicial authorization and platform response)
• Evidence handling: Forensics units create verified clones (bit-by-bit images) to maintain integrity.

Special units:

• National Crime Agency (NCA) and Regional Cyber Crime Units handle complex digital evidence and online exploitation cases.

---

🇪🇸 Spain

Legal basis:

• Governed by the Ley de Enjuiciamiento Criminal (Criminal Procedure Law).
• Digital investigations must be authorized by a judge, particularly for private communications.
• Police units such as the Grupo de Delitos Telemáticos (Guardia Civil) and Brigada de Investigación Tecnológica (Policía Nacional) manage cybercrime cases.

Timeline:

• Initial evidence preservation: Immediate if data is public
• Requests to foreign platforms (like Meta or Google): 1–3 months via judicial cooperation
• Devices seized: sent to a certified Laboratorio de Informática Forense for imaging and analysis

Note:
Spanish forensics follow strict cadena de custodia (chain of custody) documentation.

---

🇺🇸 United States

Legal basis:

• Digital data access governed by the Stored Communications Act (SCA), Electronic Communications Privacy Act (ECPA), and CLOUD Act.
• Law enforcement uses subpoenas, court orders, or search warrants depending on the sensitivity of the data.
• Companies like Google, Meta, and X have Law Enforcement Portals for official data requests.

Timeline:

• Public data: immediate
• Account/subscriber data: days to weeks (subpoena)
• Message content: requires a search warrant; often several weeks to months

Special units:

• FBI’s Cyber Division, Homeland Security Investigations, and state cybercrime task forces manage most forensic and online data collection.

---

⚖️ Across All Jurisdictions

Forensics priorities are the same worldwide:

• Protect the original data.
• Record every step of handling.
• Maintain transparency and traceability.
• Ensure that evidence can be presented in court without claims of tampering or alteration.