Forensics & Investigations

Evidence Collection and Handling: Best Practices for Investigations

The quality of evidence collected in the first hours of a fraud investigation determines whether the case ends in prosecution, civil recovery, or the frustrated closure of an unprovable allegation. This guide covers the principles and practices of evidence collection aligned to Nigerian legal requirements and international forensic standards.

"Evidence poorly collected is evidence lost. Evidence well documented is the foundation of justice."
Effective evidence collection and handling is the bridge between discovering fraud and proving it. Whether the evidence is physical — documents, devices, cash — or digital — emails, system logs, forensic images — the same principles apply: identify, preserve, collect, document, and protect. A failure at any step can render otherwise conclusive evidence inadmissible in Nigerian courts.

Categories of Evidence in Fraud Investigations

| Evidence Type | Examples | Special Considerations |
|---|---|---|
| Documentary | Invoices, contracts, bank statements, board minutes, emails | Preserve originals; work from certified copies |
| Physical | Cash, company assets, stamps, official seals | Photograph in situ before removal; tamper-evident packaging |
| Digital | Computer files, email servers, mobile devices, CCTV footage | Write-block before acquisition; hash verification mandatory |
| Testimonial | Witness statements, interview records | Recorded with consent; signed and dated transcripts |
| Demonstrative | Charts, timelines, data visualizations | Must be derived from and tied to primary evidence |

The Evidence Collection Protocol

Step 1: Secure the Scene

Before collecting any evidence, the area must be secured to prevent contamination, tampering, or removal of items by suspects or uninformed staff. Access should be restricted to authorized investigators only.

Step 2: Document Before You Touch

Photograph, video, and describe the scene and all items in their original state before anything is moved or collected. The position, condition, and context of evidence can be as important as the evidence itself.

Step 3: Collect in Order of Volatility

Volatile evidence — data that changes or disappears quickly — must be collected first:

  1. RAM contents of powered-on computers
  2. Network connection state and active processes
  3. Temporary files and browser cache
  4. System logs and event logs
  5. Physical documents
  6. Archived data and backup media

Step 4: Tag and Seal Each Item

Every item collected receives a unique evidence identifier. Physical items are placed in tamper-evident bags or sealed containers. Digital media is placed in anti-static packaging. Each item is logged with: description, location found, date and time collected, and the name of both the collector and the witness.

Step 5: Maintain the Chain of Custody

Every transfer of evidence from one person to another, or one location to another, must be documented with signed acknowledgment from both parties. The evidence log must be comprehensive from collection through final disposition.
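
The logging described in Steps 4 and 5, combined with the hash verification required for digital evidence, can be expressed as a tamper-evident custody log that is checked for altered entries, custody gaps, and hash mismatches. This is an added example, not part of the original guide; the field names, item ID, people, times, and image bytes are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append(log: list, **fields) -> None:
    # Link each entry to the previous one so later edits are detectable.
    fields["prev_hash"] = log[-1]["entry_hash"] if log else GENESIS
    fields["entry_hash"] = entry_digest(fields)
    log.append(fields)

def verify(log: list) -> list:
    """Return a list of problems; an empty list means the log is consistent."""
    problems, prev, holder, baseline = [], GENESIS, {}, {}
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
            problems.append(f"entry {i}: log entry altered or out of sequence")
        prev = e["entry_hash"]
        item = e["item_id"]
        if e["action"] == "collected":
            baseline[item] = e["sha256"]      # hash recorded at acquisition
        else:
            if e["released_by"] != holder.get(item):
                problems.append(f"entry {i}: custody gap for {item}")
            if e["sha256"] != baseline.get(item):
                problems.append(f"entry {i}: hash mismatch for {item}")
        holder[item] = e["received_by"]
    return problems

def build_sample_log() -> list:
    # Constructed sample: item ID, names, times and image bytes are invented.
    image = b"constructed forensic image bytes"
    log = []
    append(log, item_id="EV-001", action="collected", description="Laptop disk image",
           location_found="Finance office, desk 3", time="2024-01-15T09:30:00+01:00",
           released_by=None, received_by="Investigator A", witness="Witness B",
           sha256=sha256_hex(image))
    append(log, item_id="EV-001", action="transferred", time="2024-01-15T14:00:00+01:00",
           released_by="Investigator A", received_by="Evidence Custodian C",
           sha256=sha256_hex(image))
    return log
```

An empty list from verify(build_sample_log()) means every entry is intact, each hand-over was released by the recorded holder, and the item hash still matches the value taken at collection.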

Document Evidence — Specific Protocols

  • Never write on original documents: Notes, annotations, or highlighting on original documents alters evidence and weakens admissibility
  • Certified copies: Working copies must be certified as true copies by an authorized officer before use in analysis
  • Metadata preservation: Electronic documents must be preserved in their native format — PDF conversion destroys metadata that may be crucial
  • Audit trails: Financial system audit trails must be exported and preserved immediately — most systems overwrite logs on a rolling basis

Evidence Storage and Security

  • Physical evidence stored in locked evidence room with restricted key access and a sign-out register
  • Digital evidence stored on encrypted, access-controlled media — never on general-purpose network drives
  • Temperature and humidity considerations for long-term storage of physical documents
  • Regular evidence inventory audits to confirm all items remain intact and accounted for

Key Takeaway

Evidence collection discipline is not a technicality — it is the infrastructure of accountability. Organizations and investigators who treat evidence handling as a procedural burden rather than a legal imperative consistently find their cases undermined at the point of prosecution, regardless of how clear the underlying fraud was.
