ADVERTISEMENT

Handling digital evidence: a guide for civilian analysts

When I'm not writing articles, I do a lot of freelance OSINT work. While the majority of that work involves de-anonymizing predators or tracking missing persons, this realm of OSINT contains a vital, inalienable component: handling digital evidence.

man with a screen with numbers instead of a face, black baseball cat, hoodie, pink and orange

By Cybernews.

Jesse William McGraw
Jesse William McGraw Contributor
Jun 7, 2025 Updated: 6 June 2025 5 min read
brown teddy bear being torn by six black hands, pink background
By Cybernews.
  1. You know he’s a Facebook user.
  2. You know that the symbol he posted is commonly associated with CSAM.
  3. You have his WhatsApp username, jojodoebro1.
  4. You have a possible photo.
  5. You have a phone number.
  6. You have confirmation that John Doe is committing a serious crime.
6 brown adult shadows behind an orange filter and one boy shadow with ball
By Cybernews.

Chain of custody: your invisible shield

Ernestas Naprys Gintaras Radauskas Anton Mous Izabele Pukenaite
Join 25,260+ followers on Google News
Add us as your Preferred Source on Google.
  • Date & Time: When you discovered the incident
  • Who discovered the incident
  • What action was taken
  • Where the evidence was stored upon collecting it
  • Where is the location of the incident
  • Hash at the point of capture. When evidence is first collected, such as a screenshot or image, a hash is generated using a hashing algorithm like SHA256, SHA1, or MD5. This establishes file integrity and protects against tampering

What counts as evidence?

  • URLs, screenshots, hash of the image (without downloading prohibited images). This means to hash your screenshots and the images you found in the Telegram message
  • Username(s) of the suspects in question
  • Time and date you collected the evidence
  • Who collected it and who it was passed to
  • Chain of transfer to law enforcement, if it’s applicable
ADVERTISEMENT

Screenshots

blue and white police car, yellow curson in the middle, touching dotted square
By Cybernews.

Metadata: the digital fingerprint

  • IP addresses
  • Log files
  • EXIF data
  • GPS coordinates
  • Timestamps
  • Original uploads
  • Creation/modification dates
  • Original file paths
  • Usernames or devices used by the suspect
  • Thumbnail cache or embedded previews
  • Message ID’s
  • User IDs or handles
  • Post URLs or permalinks
  • Account Creation date
  • Display name patterns
fingerprint data

Hashes: integrity at capture

  • Screenshots
  • PDF exports
  • Text documents
  • Any other file formats in order to establish file integrity.
ADVERTISEMENT