The Digital Forensics Process
A disciplined digital forensics investigation follows six sequential phases — each dependent on the integrity of the preceding one:
- Identification: Determining what digital evidence exists and where — devices, accounts, cloud storage, email servers, CCTV systems, access logs
- Preservation: Securing evidence against alteration, deletion, or corruption — the most time-critical phase
- Collection: Forensically sound acquisition of evidence using validated tools and documented methodology
- Analysis: Examination of acquired evidence to identify relevant artifacts — deleted files, metadata, communication records, access logs
- Documentation: Comprehensive recording of every finding, method, and decision throughout the investigation
- Presentation: Communicating findings clearly to legal counsel, management, regulators, or the court
Chain of Custody — The Foundation of Admissibility
Chain of custody is the chronological documentation that accounts for the collection, transfer, analysis, and disposition of evidence. A broken chain of custody can — and regularly does — result in otherwise compelling evidence being ruled inadmissible.
| Chain of Custody Requirement | Practical Implementation |
|---|---|
| Documented collection | Signed evidence collection form with date, time, location, and collector's name |
| Unique evidence identifier | Numbered evidence tags applied to every item before removal from the scene |
| Transfer records | Signed acknowledgment every time evidence changes hands |
| Storage integrity | Evidence locker with restricted access and tamper-evident sealing |
| Hash verification | Cryptographic hash (SHA-256) of forensic images verified before and after analysis |
Forensic Acquisition — The Right Way
Forensic acquisition is the process of creating an exact, verifiable copy of a digital storage device for analysis — without modifying the original in any way.
- Write blocking: Hardware or software write blockers prevent any data from being written to the source device during acquisition — essential to prevent contamination
- Forensic imaging: Tools such as FTK Imager, dd, or Autopsy create sector-by-sector copies that include deleted files, slack space, and unallocated areas — locations where critical evidence frequently resides
- Hash verification: A SHA-256 hash of the source device is calculated before imaging and verified against the acquired image — any discrepancy indicates contamination
- Live acquisition: For powered-on systems, volatile memory (RAM) must be captured before shutdown — RAM contains encryption keys, running processes, and login sessions that are lost when power is removed
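The hash verification step described above (and in the chain-of-custody table) in working form, as an added example that is not part of the original article: the source is hashed before imaging, copied sector by sector, and the image hash is compared and recorded; a second check repeats the comparison after analysis. The evidence identifier, examiner name and the 4 KiB sample "device" are constructed placeholders; on a real acquisition the source path would be a write-blocked block device.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # read the source in sector-sized blocks, as dd does by default


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file or block device through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, evidence_id, examiner):
    """Hash the source, copy it sector by sector, hash the image, return a custody record."""
    source_hash = sha256_file(source)          # hash taken before imaging
    with open(source, "rb") as src, open(image, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            dst.write(sector)
    image_hash = sha256_file(image)            # hash of the acquired image
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,  # any mismatch means contamination
    }


def reverify_image(record, image):
    """Post-analysis check: the image must still hash to the value recorded at acquisition."""
    return sha256_file(image) == record["image_sha256"]


if __name__ == "__main__":
    # Constructed sample: 4 KiB of random bytes stands in for the suspect's drive.
    workdir = tempfile.mkdtemp()
    src_path = os.path.join(workdir, "suspect_disk.bin")
    img_path = os.path.join(workdir, "EVID-0001.dd")
    with open(src_path, "wb") as f:
        f.write(os.urandom(4096))
    rec = acquire_image(src_path, img_path, "EVID-0001", "examiner placeholder")
    print(rec["verified"], rec["image_sha256"])
    print("still intact after analysis:", reverify_image(rec, img_path))
```

The returned record carries the fields a signed evidence collection form needs; a `verified` value of False means the image must be discarded and the acquisition repeated.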
Types of Digital Evidence in Fraud Cases
- Email records: Communication between co-conspirators, vendor correspondence, instruction chains for fraudulent transactions
- Financial system logs: Transaction records, access logs, approval timestamps, override events
- Deleted files: Documents deliberately deleted by suspects — recoverable from unallocated disk space in most cases
- Metadata: Document creation dates, author names, modification history — frequently contradicts suspect statements
- Mobile device data: WhatsApp communications, call logs, GPS data, photographs — increasingly central to fraud investigations
- Cloud storage: Google Drive, Dropbox, OneDrive — organizations must have legal counsel guide data preservation requests
Nigerian Legal Framework
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 governs digital evidence in Nigerian proceedings. Section 38 requires that computer-generated evidence be accompanied by a certificate stating that the computer was operating properly, that the evidence was produced in the ordinary course of activities, and that the person tendering it is qualified to do so. Forensic investigators must be prepared to provide expert testimony satisfying these requirements.
Key Takeaway
Digital forensics is as much a legal discipline as a technical one. The value of any digital investigation is determined not by what the investigator finds, but by whether that finding can be presented in court with an unbroken chain of custody, a documented methodology, and a qualified expert who can explain every step under cross-examination.