Categories of Evidence in Fraud Investigations
| Evidence Type | Examples | Special Considerations |
|---|---|---|
| Documentary | Invoices, contracts, bank statements, board minutes, emails | Preserve originals; work from certified copies |
| Physical | Cash, company assets, stamps, official seals | Photograph in situ before removal; tamper-evident packaging |
| Digital | Computer files, email servers, mobile devices, CCTV footage | Write-block before acquisition; hash verification mandatory |
| Testimonial | Witness statements, interview records | Recorded with consent; signed and dated transcripts |
| Demonstrative | Charts, timelines, data visualizations | Must be derived from and tied to primary evidence |
The Evidence Collection Protocol
Step 1: Secure the Scene
Before collecting any evidence, the area must be secured to prevent contamination, tampering, or removal of items by suspects or uninformed staff. Access should be restricted to authorized investigators only.
Step 2: Document Before You Touch
Photograph, video, and describe the scene and all items in their original state before anything is moved or collected. The position, condition, and context of evidence can be as important as the evidence itself.
Step 3: Collect in Order of Volatility
Volatile evidence (data that changes or disappears quickly) must be collected first. Work down the list from most to least volatile:
- RAM contents of powered-on computers
- Network connection state and active processes
- Temporary files and browser cache
- System logs and event logs
- Physical documents
- Archived data and backup media
Step 4: Tag and Seal Each Item
Every item collected receives a unique evidence identifier. Physical items are placed in tamper-evident bags or sealed containers. Digital media is placed in anti-static packaging. Each item is logged with: description, location found, date and time collected, and the name of both the collector and the witness.
Step 5: Maintain the Chain of Custody
Every transfer of evidence from one person to another, or one location to another, must be documented with signed acknowledgment from both parties. The evidence log must be comprehensive from collection through final disposition.
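The record-keeping in Steps 4 and 5, combined with the hash verification required for digital items, can be enforced in software. The following is an added example, not part of the original page: the field names, the hash-chained log format and the `acknowledged_by` parameter are assumptions, and that list only records that both signed acknowledgments were obtained (the signatures themselves stay on the transfer form).

```python
import hashlib, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first log entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # chunked: images are large
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _append(log, **fields):
    entry = dict(fields, time=datetime.now(timezone.utc).isoformat(),
                 prev_hash=log[-1]["entry_hash"] if log else GENESIS)
    entry["entry_hash"] = _digest(entry)  # each entry commits to the one before it
    log.append(entry)

def collect(log, evidence_id, description, location_found, collector, witness, path):
    # Step 4: one record per item, carrying its acquisition hash
    _append(log, evidence_id=evidence_id, description=description,
            location_found=location_found, collector=collector, witness=witness,
            custodian=collector, sha256=sha256_file(path))

def transfer(log, released_by, received_by, acknowledged_by, path):
    # Step 5: refuse a hand-over that breaks custody or lacks either acknowledgment
    if released_by != log[-1]["custodian"]:
        raise ValueError("releasing party is not the recorded custodian")
    if set(acknowledged_by) != {released_by, received_by}:
        raise ValueError("both parties must acknowledge the transfer")
    if sha256_file(path) != log[0]["sha256"]:
        raise ValueError("item no longer matches its acquisition hash")
    _append(log, released_by=released_by, custodian=received_by)

def verify(log, path):
    # Returns a list of problems; an empty list means log and item are consistent
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != _digest(e):
            problems.append(f"entry {i}: altered, removed or reordered")
        if i and e.get("released_by") != log[i - 1]["custodian"]:
            problems.append(f"entry {i}: custody gap")
        prev = e["entry_hash"]
    if sha256_file(path) != log[0]["sha256"]:
        problems.append("item hash differs from acquisition hash")
    return problems
```

Call `collect()` once at acquisition, `transfer()` at each hand-over, and `verify()` before the item is relied on in analysis or produced in proceedings.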
Document Evidence — Specific Protocols
- Never write on original documents: Notes, annotations, or highlighting on original documents alters evidence and weakens admissibility
- Certified copies: Working copies must be certified as true copies by an authorized officer before use in analysis
- Metadata preservation: Electronic documents must be preserved in their native format — PDF conversion destroys metadata that may be crucial
- Audit trails: Financial system audit trails must be exported and preserved immediately — most systems overwrite logs on a rolling basis
Evidence Storage and Security
- Physical evidence stored in locked evidence room with restricted key access and a sign-out register
- Digital evidence stored on encrypted, access-controlled media — never on general-purpose network drives
- Temperature and humidity considerations for long-term storage of physical documents
- Regular evidence inventory audits to confirm all items remain intact and accounted for
Key Takeaway
Evidence collection discipline is not a technicality — it is the infrastructure of accountability. Organizations and investigators who treat evidence handling as a procedural burden rather than a legal imperative consistently find their cases undermined at the point of prosecution, regardless of how clear the underlying fraud was.