Year: 2019 | Volume: 5 | Issue: 4 | Pages: 187-194
Collection and judgment of electronic data evidence in criminal cases: From the perspective of investigation and evidence collection by public security organs
Bo Wang1, Yuxian Liu2
1 Department of Hunan Public Security, The Comprehensive Case Handling Center, The Network Technology Team, Hunan, China
2 Department of Hunan Provincial Public Security, Police of The Legal Corps, Hunan, China
Date of Submission: 06-May-2019
Date of Decision: 15-Sep-2019
Date of Acceptance: 21-Nov-2019
Date of Web Publication: 11-Dec-2019
The Comprehensive Case Handling Center of The Network Technology Team of Hunan Public Security Bureau, Hunan
Source of Support: None, Conflict of Interest: None
With the continuous progress of science and technology, the Internet has gradually entered every field of daily life. Besides generating information in digital form, it has become the main medium in which people store information. In the field of criminal offenses, the network is likely to be used to plan criminal schemes, carry out crimes, or hinder investigations afterward. These acts leave an electronic data trail, such as WeChat messages, emails, or blog posts. After a crime occurs, an evidence investigator should accurately, promptly, and comprehensively obtain all electronic data related to the case by collecting, extracting, and transferring the data according to the law, and should examine the authenticity, legality, and relevance of the evidence. Through a comprehensive review, the investigator should clarify the relationship between the electronic data and the facts to be proved and make full use of the obtained electronic evidence in criminal proceedings.
Keywords: Authenticity, collection, electronic data, extraction
How to cite this article: Wang B, Liu Y. Collection and judgment of electronic data evidence in criminal cases: From the perspective of investigation and evidence collection by public security organs. J Forensic Sci Med 2019;5:187-94
How to cite this URL: Wang B, Liu Y. Collection and judgment of electronic data evidence in criminal cases: From the perspective of investigation and evidence collection by public security organs. J Forensic Sci Med [serial online] 2019 [cited 2020 Nov 26];5:187-94. Available from: https://www.jfsmonline.com/text.asp?2019/5/4/187/272718
Introduction
China has clearly defined the allowable types of criminal evidence in the form of statute law. Initially, electronic data were not considered a legal type of criminal evidence. However, electronic data became a kind of evidence to be collected in the investigation of criminal cases due to the rapid development of the Internet and the continuous innovation of information technology. Therefore, when the Criminal Procedure Law of China was amended in 2012, electronic data were combined with audiovisual materials as a kind of formal statutory evidence. In 2016, a special judicial interpretation of “Regulations on Collecting, Extracting and Judging Electronic Data in Criminal Cases” (hereinafter referred to as “Regulations on Electronic Data”) was issued. The new 2018 Criminal Procedure Law still stipulates electronic data as a separate type of evidence.
Electronic data are not the digitization of other kinds of evidence. When witness testimonies and the statements of victims, criminal suspects, defendants, and defense are recorded in digital form, they are only digital records of verbal evidence. Such information therefore still belongs to witness testimony and the statements of victims, criminal suspects, defendants, and defense, and is not considered electronic data. However, it can be collected, extracted, and judged according to the provisions on electronic data.
Here, electronic data refers to data collected in the course of a criminal case that are stored, processed, and transmitted in digital form to prove the facts of the case. Electronic data include two kinds of content:
1. Information:
(1) Information published on web pages, blogs, microblogs, WeChat friend circles, Tieba forums, network disks, and other network platforms. For example, suspects may post information about drug trafficking in online forums.
(2) Short messages, emails, instant messages, and communication information from network application services, such as communication groups. For example, suspects plan a robbery by chatting with each other on WeChat. Before electronic data became a separate type of evidence, smartphone short messages were usually classified as documentary evidence because the specific content of their records can be used to prove the case.
(3) User registration information, identity authentication information, electronic transaction records, communication records, login logs, and other information. For example, a suspect commits theft by obtaining the victim's online banking account number and password through illegal means.
2. Electronic documents: files, pictures, audio and video data, computer programs, and other electronic documents. For example, computer viruses used by suspects to attack government websites.
The charges involved in each criminal case are different and the specific content of evidence to be obtained also differs. The electronic evidence must meet the requirements of general electronic data evidence if it needs to be submitted to the court as the basis for the trial. Whether the process of obtaining evidence conforms to the relevant provisions is likely to be the key factor in deciding if a criminal case can be prosecuted successfully.
Next, we illustrate electronic data forensics in criminal cases from the perspective of an investigative and forensic investigator.
Basis for Evidence Collection
When the criminal case investigation unit obtains clues about a case through citizen reports, accusations, or a suspect's voluntary surrender, the unit will immediately verify the information, conduct preliminary inquiries, familiarize itself with the relevant situation, make a record, and register the evidence obtained.
After verification of the case details in those cases where there is evidence to prove the existence of criminal facts, investigators can perform electronic data forensics after the case-handling unit accepts the case. Investigators should collect all electronic data related to the case, including electronic data directly stored in hardware and software, such as computer hard disks and software programs, as well as electronic data stored in peripheral devices, such as printers and disk drives. All electronic data should be collected to avoid omissions, regardless of its form, e.g., text information, images or videos, or evidence proving the guilt or innocence of a criminal suspect. In particular, criminals using electronic data may use their computer systems to erase the data related to the subject of criminal investigation, thereby destroying the evidence. The speed and confidentiality of criminal investigations play an important role in the success of an investigation. If the electronic data are deleted by criminals or deleted for other reasons, we should use certain technical means to restore the data to prove the facts of the case more comprehensively.
However, investigators have no right to perform electronic data forensics without corresponding evidence in investigation documents. Even if the investigation and forensics work is performed, the obtained electronic data will not become evidence in criminal cases because of the violation of legal procedures.
In investigating and collecting electronic data involving state secrets, business secrets, personal privacy, and so on, we should pay attention to confidentiality and prevent leakage. When it is found that the obtained electronic data are irrelevant to the case, if there are clear legal owners, it should be returned in time, otherwise it should be destroyed.
Collection and Extraction of Electronic Data
Impound and seal original storage media
When collecting electronic data evidence, the case officers who impound and seal the original storage media should collect as much of it as possible, including U disks, SD cards, and digital versatile discs. Electronic data can be replicated to obtain exactly the same data, so the data are completely separable from the storage medium and are not affected by being moved between different storage media. This is a significant difference between electronic data and other evidence, such as documentary and material evidence. For example, the paper financial statements that prove the financial situation of the involved company, whether photocopied or scanned, can never be the same paper documents as the original financial statements. By contrast, when electronic data are output from their storage medium, the original cannot be distinguished from a copy: the company's electronic financial statements stored on the computer hard disk yield the same raw data regardless of whether they are printed on a standard printer in black and white or in color. Therefore, when talking about electronic data, we do not distinguish whether the electronic data are original, but whether the storage medium is original. Thus, investigators collect electronic data by seizing and storing the media on which the electronic data are stored.
The original storage medium of electronic data should be sealed, and its condition at the time of sealing should be photographed so that the photographs clearly reflect its condition at and after sealing. When necessary, these photographs should clearly show the details of the internal storage media of electronic devices to ensure that electronic data have not been added, deleted, or modified, and that sealing cannot affect the authenticity of the electronic data. For example, an original storage medium is put into a material evidence bag and sealed. For storage media with wireless communication functionality, such as smartphones, measures such as blocking or shielding their wireless signals or cutting off their power supply should be taken to seal them, for example, turning off the smartphone's recovery function and turning on flight mode. When necessary, electronic devices with data storage functions and their internal storage media, such as hard disks and memory cards, can be sealed separately.
Extraction of electronic data
Electronic data may be extracted only when the original storage medium cannot be impounded. The storage location of the original storage medium, the source of the electronic data, and the reasons why the original storage medium cannot be impounded should be recorded, and the integrity check value of the electronic data should be calculated to verify the integrity of the electronic data and the authenticity of its source.
The circumstances in which the original storage medium cannot be impounded are as follows:
(1) It is inconvenient to seal the original storage medium. For example, criminal suspects rely on a legitimate and regular portal website to commit criminal acts, and impounding the entire server of the portal website would be difficult and unnecessary. In this case, the investigators only need to extract the electronic data related to the case.
(2) The electronic data are computer memory data, network transmission data, or other electronic data not held on a storage medium. There may be no storage medium for such electronic data at all, let alone an original storage medium that could be physically seized. For example, when investigating a suspect's distributed denial of service attack, the electronic data uploaded to the network are extracted and analyzed to determine their source. The transmission of electronic evidence is a dynamic process, and the transmission channel cannot be regarded as a storage medium for electronic data.
(3) The original storage medium is located abroad. Each country and region has its own geographical boundaries, and the territorial and judicial sovereignty of each must be fully respected. Therefore, it is difficult for investigators to obtain original storage media directly from servers in other countries. For example, investigators in State B find that the suspects' evidence is placed on servers in State A. Without a relevant judicial assistance agreement with State A, or without State A's permission, the investigators cannot enter State A directly, let alone impound the servers involved in their case.
These are only a few circumstances frequently encountered in practice; real cases may be more complex and diverse, but it is enough that the investigators can fully explain why the original storage media cannot be impounded. For example, when the information system function or application program of a working computer is shut down, it is impossible to extract the relevant electronic data without the password, so investigators can only extract the electronic data rather than shutting down the computer for seizure. Once the circumstances that prevented impounding the original storage medium no longer apply, the original storage medium should still be impounded and sealed in time.
Electronic data can be extracted in two ways: on site or online over the network. When extracting electronic data on site, if running electronic equipment cannot be shut down directly without losing data, the suspect and other relevant persons should be separated from the equipment promptly to prevent them from tampering with the electronic data. If it is found that the on-site computer information system may be controlled remotely, measures such as signal shielding, signal blocking, and disconnection of the network connection, together with other necessary protective measures such as power supply protection, should be taken in time.
Online extraction of electronic data is mainly aimed at publicly released electronic data and electronic data on remote overseas computer information systems. Online extraction from a live network does not acquire physical possession of the system; instead, it copies the electronic data in a way that ensures the data are not changed, without adding, deleting, or modifying the original data. Electronic data acquired in this way differ from ordinarily downloaded web page information. Investigators often survey remote networks to observe the use of remote computer information systems, which is in fact a process of online network extraction. For example, such a survey collects information related to the electronic data, such as status information, system architecture, internal system relations, file directory structure, and the working mode of the remote computer information system.
Considering that the evidentiary effect of extracted electronic data is in some cases not as strong as that of impounding and sealing the original storage media (such as cases seriously endangering national security or public security; criminal and noncriminal cases where electronic data are the key evidence for conviction and sentencing, including whether to impose life imprisonment or the death penalty; cases with great social impact; or cases where the suspects may be sentenced to 5 years' imprisonment), online extraction and remote inspection over the network should be accompanied by a synchronized video recording of the whole process to strengthen the probative force of the obtained electronic data in criminal proceedings.
Print, photographs, and video recordings are supplementary data
Generally speaking, electronic data forensics is performed only by printing, photographing, or video recording when it is objectively impossible to impound and seal the original storage media or to extract the electronic data. This situation arises mainly because the investigators do not have access to the original storage equipment to impound and seal, or because they lack professional forensic equipment to extract the electronic data when conducting preliminary investigation and evidence collection. For example, police stations of public security organs investigate after receiving reports of online gambling cases. The website servers involved in online gambling are usually located overseas, and it is impossible for police station investigators to collect the electronic data from these servers abroad. To fix the evidence shown on the gambling website's interface without delaying the investigation and evidence collection in the case as a whole, they can only take webpage screenshots and photographs.
If it is found that the electronic data have a self-destruct function or device, the evidence must be fixed promptly by printing, photographing, and video recording. For example, “burn after reading” communication tools have appeared on the market; they are designed to better protect users' privacy, but criminal suspects use these characteristics to engage in criminal activities and then eliminate the evidence of their acts. Seizing and storing such instant messaging tools is therefore meaningless, and it is necessary to take photographs and print in time to fix the evidence.
Freezing electronic data
In some special cases, investigators need to freeze the electronic data of a case to fix the evidence and prevent the suspects from making further changes to it. For example, for a large amount of electronic data stored in a cloud system, investigators can neither impound or seal the entire cloud system nor obtain the data by extraction or by printing and photographing. Electronic data need to be frozen in the following situations:
(1) The data are too large or inconvenient to extract. For example, an Internet music platform may store a large number of music works without the copyright owners' permission, with a total capacity of thousands of terabytes. Extracting these data would require hundreds of 2T hard disks used to their maximum capacity, and it is difficult to preserve such a large number of hard disks properly.
(2) The extraction would take a long time, during which the electronic data may be tampered with or lost. When a large amount of electronic data is found on a network cloud disk and needs to be extracted, the extraction may take hours, days, or even months to complete. During this period, the criminal suspects may delete or modify the electronic data at any time. In the best case, the investigators have fully obtained the relevant electronic data before this happens; in the worst case, the suspects begin deleting or modifying the data just as the investigators begin extracting it, and the value of the obtained electronic data as proof is then greatly diminished and may be lost entirely.
(3) The electronic data can be displayed more intuitively through the network application. For example, in a criminal case of network marketing using a pyramid scheme, the relationships between the upper and lower levels of the network platform form a multiway tree structure in which the nodes can number in the tens of thousands and the hierarchy can reach hundreds of levels. Each level sets up not only static awards but also a variety of dynamic awards, such as touching awards, recommendation awards, and agency awards. In the back end of the website, the overall situation of the various funds can be seen clearly and intuitively. Extracting all these data and recreating the same network operation environment, by contrast, is time-consuming and laborious and reduces the investigation's efficiency. In this case, freezing the electronic data of the case is more convenient for the investigation and forensics work.
Investigators may also freeze electronic data in other situations that they find require it in the course of handling a case.
In general, electronic data are frozen by calculating the integrity check values of the electronic data or by locking the network application account. As science and technology progress, other measures that prevent the addition, deletion, and modification of electronic data are being developed and can also be used to freeze electronic data. The period of freezing electronic data is usually 6 months. If there are special reasons to extend the freeze, the procedure for continuing it shall be completed before the freezing period expires. Each freeze shall not exceed 6 months. If the investigators fail to complete the formalities for continuing the freeze within the time limit, the freeze is deemed to be lifted automatically.
Access to electronic data
If an investigator, according to the needs of investigating and handling a case, collects electronic data from relevant units and individuals, he or she will issue a notice of evidence gathering that specifies the relevant information about the electronic data to be collected, and notify the holder of the electronic data, i.e., the network service provider or the relevant department, to comply with the notice.
The unit or individual from whom the data are collected shall attach a description of the methods used to protect the integrity of the electronic data, such as integrity check values. If the integrity of the electronic data cannot be protected due to objective conditions, the investigators shall assist in protecting the data's integrity.
Review and Judgment of Electronic Data
Electronic data can be deleted and modified at will and can even be restored after deletion. Because of this changeable nature, the authenticity of electronic data is often the most important matter for review, and electronic data whose authenticity is in doubt cannot be used as evidence. In addition, as a kind of evidence, electronic data must also be legitimate and relevant.
To determine whether electronic data are authentic, the following points should be examined:
1. If the original storage medium exists, whether it has been transferred. When the original storage medium cannot be sealed or is inconvenient to move, the reasons should be explained, including the process of collecting and extracting the electronic data, the storage location of the original storage medium, and the source of the electronic data.
2. Whether the electronic data include any special identification, such as digital signatures or certificates. A digital signature is analogous to an ordinary handwritten signature on paper: it is a digital string that cannot be forged by others and can only be produced by the sender, so once it is verified it can be determined that the message was actually signed and sent by the sender. The integrity of the message can also be determined from the sender's digital signature, which is an effective proof of the authenticity of the information sent by the sender. Digital signatures usually involve the sender's public and private keys. For example, an investigator intercepts a document that was encrypted with the criminal suspect's private key, producing unreadable ciphertext. This text is sent to a recipient, who can restore it using the sender's public key to reveal the division of labor for a bank robbery. It is then reasonable to infer that the recipient has had many contacts with the criminal suspect, because the recipient must possess the suspect's public key to decrypt the received ciphertext. A digital certificate is a series of digits that marks the identity information of the parties in Internet communications and provides a way to verify the identity of communicating entities on the Internet. The simplest digital certificate contains the public key, name, and digital signature of the certificate authority and is similar to the resident identification cards used in the real world. The difference is that a digital certificate is not a physical object but electronic data containing the identification information of the certificate holder, checked and issued by the certification authority. When authenticating, the digital certificate randomly generates 128-bit ID codes (consisting of letters and numerals), which differ each time.
For example, if software containing pornographic content extracted from a pornographic website has the digital certificate for the website, then it can be proved that the software originated from the pornographic website. However, while digital signatures and certificates can help verify the authenticity of electronic data, the absence of digital signatures or certificates does not mean that the electronic data are false
3. Whether the process of collecting and extracting electronic data can be reproduced. Most electronic data can be collected and extracted repeatedly, but when the suspect intentionally deletes electronic data, it is difficult for investigators to reproduce the process of collection and extraction, especially now that several software applications with self-erasing functions are available. For example, Snapchat, a photo-sharing application, allows users to take photos, record videos, add text and pictures, and send them to friends on the application. Each photo has a lifetime of only 1–10 s and is destroyed automatically when the time preset by the user expires; furthermore, the sender is notified if the recipient attempts to take a screenshot during this period. The original purpose of this kind of application is to protect users' privacy, but once used by criminal suspects it makes collecting evidence more difficult for investigators. Evidence collection must therefore be timely, since the collection process cannot be reproduced later.
4. Whether any additions, deletions, or modifications of the electronic data are accompanied by an explanation. No single file format structure fits all file types; the file format varies with the content of the file. In the Windows operating system, the file format is identified by the file extension, and if the extension is incorrect, opening the file will not display the correct content. For example, to hide a file on the computer [Figure 1, boxed file], the suspect changes its actual extension from “.ppt” to “.doc” and places it among a series of .doc files.
Opening this .doc file by clicking on it directly succeeds, but the true content of the file cannot be seen [Figure 2].
For a file to open correctly, application software that can open this type of file must already be installed in the operating system; otherwise, Windows does not know how to execute or process the file. For example, if the computer does not have the application that opens .caj files installed and you click on a .caj file, the system will not recognize it [Figure 3].
Only after the file has been renamed with the correct extension is its content displayed correctly [Figure 4].
The investigators modified the document extension from an extension that could not be used to view the content to the appropriate extension, so that the content of the document could be displayed normally. Accordingly, we should not consider that the authenticity of the electronic data has changed. However, if the investigators intentionally tampered with the obtained electronic data resulting in changes in the specific content, it will affect its authenticity.
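The extension swap described above can be caught by examining a file's leading bytes rather than its name. The following Python is an added example written for this article, not code from the authors; its signature table is a small constructed subset of well-known file headers, and the sample files are constructed. It also shows the limit that the figures hint at: legacy .doc and .ppt files share one OLE2 container header, so a .ppt renamed to .doc passes a header-only check and needs a deeper parse to tell apart.

```python
"""Content-based file type check for a seized file whose extension may have
been changed. Added example for this article, not the authors' code; the
signature table is a small constructed subset of well-known file headers."""
from typing import Optional

# (leading bytes, format name, extensions that legitimately use that format)
MAGIC_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
    # Legacy Office files (.doc, .xls, .ppt) share the OLE2 compound document
    # header, so a .ppt renamed to .doc passes a header-only check; telling
    # them apart needs a parser that reads the OLE2 stream names.
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt"}),
]


def identify_format(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the file's leading bytes."""
    for magic, name, _ in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def check_extension(filename: str, data: bytes) -> str:
    """Classify a file as 'match', 'mismatch', or 'unknown'.

    'unknown' means the content has no signature in the table (plain text,
    for instance), so nothing can be concluded from the header alone."""
    fmt = identify_format(data)
    if fmt is None:
        return "unknown"
    allowed = next(exts for _, name, exts in MAGIC_SIGNATURES if name == fmt)
    return "match" if extension_of(filename) in allowed else "mismatch"


# Constructed samples standing in for seized files (header bytes plus padding).
SAMPLES = {
    "photo.doc": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # PNG renamed to .doc
    "minutes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,  # OLE2: .ppt or .doc
    "notes.txt": b"plain text has no signature\n",
}


def report(samples=SAMPLES):
    """Verdict for every sample, keyed by filename."""
    return {name: check_extension(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

A file whose verdict is "mismatch" is worth noting in the record even where the content itself was not altered, since a reviewer will ask why the name and content disagree; "unknown" only means the table carries no signature for that content.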
5. Whether the integrity of the electronic data can be guaranteed. The integrity of electronic data can be verified by examining whether the original storage medium has been kept secure after being seized and stored, checking whether the collection of the electronic data and the video recording of the extraction process conform to the requirements, and comparing the integrity check values of the electronic data.
Figure 2: Windows system opens the document “2001 Cybercrime Convention.doc” and displays a window of random characters
Figure 3: Windows operating system cannot identify the “2001 Cybercrime Convention.caj” file and shows a pop-up window
Figure 4: Windows system opens the “2001 Cybercrime Convention.ppt” file, showing the normal window
When collecting electronic data, hash values are often used to prove the integrity of the electronic data. A hash value is produced by mixing and scrambling the data through a hash function (hash algorithm). The widely accepted legal hashing algorithms are MD5 (128-bit hash) and SHA-1 (160-bit hash). Hash values are usually displayed in hexadecimal form, and each hexadecimal character represents four bits of binary data; therefore, a hexadecimal value of 64 characters is equivalent to a 256-bit binary value, and similarly, 128 hexadecimal characters represent a 512-bit hash value. A hash value is like a human fingerprint for electronic data, unique and particular to it. Therefore, the hash value should be calculated before and after the electronic data are acquired. If the two hash values are completely consistent, the integrity of the electronic data is shown, because any change in the content of the electronic data, even the addition or deletion of a single space, completely changes the output of the algorithm and thus the calculated hash value. It should be noted that whichever method is adopted to verify the authenticity of the electronic data, the evidence copy of the electronic data should be used rather than the original.
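To show the check values in use, here is an added Python example, not code from the article, covering both the integrity check values mentioned for freezing electronic data and the comparison of check values when verifying an evidence copy. It records MD5, SHA-1 and SHA-256 values over constructed evidence bytes, shows the hex-character-to-bit relationship described above, hashes a stream chunk by chunk as one would for a disk image, and shows that one added space changes every value. SHA-256 is included alongside the two algorithms the article names because collisions for MD5 and SHA-1 are practical today, so a record holding only those two values is weaker than one that also carries a SHA-2 value.

```python
"""Integrity check values for an evidence copy. Added example for this
article, not the authors' code; the evidence bytes are constructed."""
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, List

# The two algorithms the article names plus SHA-256; MD5 and SHA-1 collisions
# are practical today, so a SHA-2 value should be recorded alongside them.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for an acquired file, and the same content with one
# extra space, the kind of change the article says alters the hash.
EVIDENCE_ORIGINAL = b"2019-05-06 12:01 transfer 5000 CNY account A -> account B\n"
EVIDENCE_ALTERED = b"2019-05-06 12:01 transfer 5000 CNY account A ->  account B\n"


def check_values(data: bytes) -> Dict[str, str]:
    """Hex digest of the data under each algorithm, as recorded at acquisition."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def check_values_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same values computed chunk by chunk, for disk images too large for memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bits_in_hex(hexdigest: str) -> int:
    """Each hex character encodes four bits: 32 characters -> 128 bits, 64 -> 256."""
    return 4 * len(hexdigest)


def verify_copy(recorded: Dict[str, str], copy_data: bytes) -> bool:
    """True only if every recorded value matches the working copy's value."""
    current = check_values(copy_data)
    return all(hmac.compare_digest(recorded[n], current[n]) for n in ALGORITHMS)


def changed_algorithms(recorded: Dict[str, str], copy_data: bytes) -> List[str]:
    """Algorithms whose value no longer matches (all of them once any byte changes)."""
    current = check_values(copy_data)
    return [n for n in ALGORITHMS if recorded[n] != current[n]]


def stream_matches_memory(data: bytes, chunk_size: int = 7) -> bool:
    """Chunked hashing of a buffer gives the same values as one-shot hashing."""
    return check_values_stream(io.BytesIO(data), chunk_size) == check_values(data)


if __name__ == "__main__":
    # Values written into the record at acquisition time.
    recorded = check_values(EVIDENCE_ORIGINAL)
    for name, value in recorded.items():
        print(f"{name}: {value} ({bits_in_hex(value)} bits)")
    print("copy intact:", verify_copy(recorded, EVIDENCE_ORIGINAL))
    print("altered copy intact:", verify_copy(recorded, EVIDENCE_ALTERED),
          "changed:", changed_algorithms(recorded, EVIDENCE_ALTERED))
```

The comparison uses a constant-time compare so that the verification step itself reveals nothing about how far the values agree; the check is only as good as the record of the acquisition-time values, which is why the article requires them to be written into the record and list and signed by the parties present.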
To determine whether electronic data were legitimately obtained, the following points should be examined:
1. Whether the subject and equipment of evidence collection are legitimate. When investigators decide to perform electronic data forensics in a case, more than two investigators shall undertake the work. This does not mean that only investigators from the network security department may undertake forensics work: because of the spread of digital technology, almost every criminal case involves electronic data forensics, and if only the network security department could perform it, the demand for forensic examinations could not be met. Investigators may therefore hire network technicians to assist and provide technical support when they encounter technical obstacles during electronic data forensics.
All devices used to investigate evidence must be documented in detail, including software, hardware, and connecting devices. Although these forensic devices are not required to meet the technical standards, they should be in normal operation when they are used for forensic purposes, and all the information of the equipment, including name, version, model, and so on, should be recorded in detail.
2. Whether the records and lists of the collection and extraction of electronic data are legitimate. Records and lists should be made documenting the case, the object information, the process and methods of forensic collection, and the integrity check values of the electronic data obtained, so that the data can be traced back to their source when necessary. After the record and list are made, the investigators, the electronic data holders (providers), and the witnesses shall sign or seal them. If the holder (provider) of the electronic data has not signed, the reason shall be indicated. For example, some electronic data holders may take a hostile and uncooperative attitude toward the investigation and the investigators' forensics work and be unwilling to sign the record or list; in that situation, the investigators can write “electronic data holder refuses to sign” on the record or list. Generally speaking, the category and file format of the electronic data should be clearly marked so that reviewers can understand the relevant information about the electronic evidence more quickly and open it promptly with the corresponding application program when reviewing its contents.
3. Whether the witness is legitimate or not. The new 2018 Criminal Procedure Law does not stipulate the scope of witnesses in investigative activities. It only stipulates that investigators should invite witnesses to be present when conducting investigations or inspections, seizures, and detentions. The new interpretation of the Criminal Procedure Law has not yet been published, but the 2012 Interpretation of the Criminal Procedure Law clearly stipulates that three types of personnel cannot act as witnesses. These include “the staff of the public security and judicial organs exercising the functions and powers of criminal procedure, such as investigation, inspection, search and impound, or the personnel employed by them.” These personnel cannot hold multiple roles in criminal proceedings: they have already assumed litigation functions and can no longer assume the function of a witness. Witnesses only attest to the legality of the process of collecting and extracting electronic data and do not need corresponding professional qualifications or competence. If there is no qualified person or no one is willing to act as a witness at all, investigators need to note this in the record and videotape the relevant activities to ensure the objectivity and impartiality of the record and the list.
4. Whether electronic data checking is legitimate or not. The checking of collected and extracted electronic data differs from the identification or examination of electronic data. Electronic data checking is the investigators' further discovery and extraction of clues and evidence related to the case through the recovery, cracking, searching, simulation, association, statistics, and comparison of electronic data. For example, investigators recovered copies of pirated literature that the suspects had deleted. Electronic data identification or examination is the identification and judgment of specialized problems in a case, such as whether electronic data constitutes a “computer virus or other destructive program” or a “program or tool specially used for intrusion into and illegal control of computer information systems.” Expert opinions should be issued by judicial appraisal bodies with appraisal qualifications or by specific institutions. Expert opinions can be used directly as the basis for conviction, while examination reports can only be used as a reference for conviction and sentencing.
First, the checking of the electronic data must be performed by more than two professional investigators with the appropriate skills. If necessary, outside experts can be appointed or hired to check the integrity of the electronic data, the storage status of the original storage medium, and the connection of the write-protection equipment to the inspection equipment. A write protector should be used when collecting data because it allows data to be copied from the device while preventing any content from being written to the device. A hardware write protector is better than a software write protector.
Second, the investigator should check the backup of the electronic data rather than the original. For example, the suspect's computer hard disk is sealed and impounded, and encrypted files are stored on the hard disk. To see the relevant content, it is necessary to decrypt the encrypted files. Currently, the best way is to copy the entire hard disk and then decrypt the encrypted contents on the copy. Finally, the electronic data should be restored to its pre-check state after checking. For example, photographs of the original storage medium should be taken before and after the seal is removed for checking, and again when it is resealed after checking, so that the status of the seal is clearly documented.
The electronic data check shall be recorded by indicating the method, process, and results. In the case that backup cannot be made and write protection devices cannot be used, the whole process of electronic data checking should be videotaped.
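The record and list described above (case and object information, collection method, integrity check values, signatures or the reason for a missing signature) and the backup check of the checking stage can be carried out in a few lines of code. The following is an added example and not the authors' own tool or procedure: the record fields, the use of SHA-256 as the integrity check value, and the sample files are all assumptions constructed for illustration. It hashes each collected file, writes the values into a record, notes a holder's refusal to sign, and later re-hashes a backup copy so that a checker can see exactly which file, if any, no longer matches the original.

```python
"""Added example (not from the paper): an integrity record for collected electronic data.

Implements the record/list items the text names (case, object, method, integrity
check values, signatures) and the backup check of the checking stage. The record
fields and the SHA-256 choice are assumptions; the sample files are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large disk images need little memory


def sha256_file(path):
    """SHA-256 hex digest of a file; this is the integrity check value recorded in the list."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_record(case_no, object_desc, paths, method, investigators, witness,
                holder_signed, reason=None):
    """Build one collection record: case and object information, method, per-file
    check values, and who signed. An unsigned holder gets the reason noted, as the
    text prescribes ("electronic data holder refuses to sign")."""
    record = {
        "case_no": case_no,
        "object": object_desc,
        "method": method,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "investigators": list(investigators),
        "witness": witness,
        "holder_signed": holder_signed,
        "files": [
            {"name": os.path.basename(p), "size": os.path.getsize(p),
             "sha256": sha256_file(p)}
            for p in paths
        ],
    }
    if not holder_signed:
        record["holder_note"] = reason or "electronic data holder refuses to sign"
    return record


def verify_copy(record, copy_paths):
    """Re-hash a backup copy against the recorded values. Returns {name: bool} so the
    checker sees which file, if any, no longer matches the original."""
    expected = {f["name"]: f["sha256"] for f in record["files"]}
    return {os.path.basename(p): expected.get(os.path.basename(p)) == sha256_file(p)
            for p in copy_paths}


def demo():
    """Constructed scenario: two files are collected, a faithful backup verifies,
    and a backup with one altered byte fails on exactly that file."""
    work = tempfile.mkdtemp()
    orig = os.path.join(work, "original")
    good = os.path.join(work, "backup_good")
    bad = os.path.join(work, "backup_bad")
    os.makedirs(orig)
    with open(os.path.join(orig, "chat.db"), "wb") as f:
        f.write(b"constructed chat database content\n" * 1000)
    with open(os.path.join(orig, "notes.txt"), "wb") as f:
        f.write(b"constructed notes\n")
    names = ("chat.db", "notes.txt")
    record = make_record("CASE-PLACEHOLDER-001", "laptop hard disk, serial PLACEHOLDER",
                         [os.path.join(orig, n) for n in names],
                         "bit-for-bit copy via hardware write blocker",
                         ["Investigator A", "Investigator B"], "Witness C",
                         holder_signed=False)
    shutil.copytree(orig, good)
    shutil.copytree(orig, bad)
    with open(os.path.join(bad, "notes.txt"), "r+b") as f:
        f.seek(0)
        f.write(b"C")  # flip the first byte: "constructed" -> "Constructed"
    result = {"record": record,
              "good": verify_copy(record, [os.path.join(good, n) for n in names]),
              "bad": verify_copy(record, [os.path.join(bad, n) for n in names])}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["record"], indent=2))
    print("faithful backup:", out["good"])
    print("altered backup:", out["bad"])
```

The hash is computed over the file in chunks so the same routine works for a multi-gigabyte disk image; the per-file result of `verify_copy` matters in practice because a single mismatch must be traced to a specific object in the list rather than invalidating the whole backup.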
The collected evidence should be able to prove a fact or circumstance of the case; therefore, it must have a certain probative capacity. Evidence materials can only be used as evidence when they are relevant to the case. When examining the relevance of evidence such as electronic data, investigators mainly judge the relationship between the criminal suspect and the storage medium, and whether the actor's network identity and real identity are the same, through the testimony of relevant witnesses and the confession and defense of the criminal suspect. When impounding the original storage medium, investigators can ask the relevant personnel about the management of the original storage medium and the application system, the network topology and system architecture, whether the medium was used and managed by many people, the identity of the users, and the user names and passwords of the original storage medium and the application system. Through the above information, investigators can judge the relationship between the actor and the storage medium and determine whether the actor is the owner or the user of the storage medium. For example, after investigators found that a computer of a company was used for telecommunication fraud-related activities, they impounded the computer and the host computer. However, investigators needed to make further inquiries to determine who used the computer to engage in telecommunications fraud: Zhang Mou, the actual user of the company's computer; Li Mou, in whose name the computer is registered on the company's asset statement; or other actors who had access to the computer. When necessary, extracted fingerprints, hair, and other trace evidence can also be used to judge the relationship between the suspect and the storage medium as a whole.
A perpetrator who commits crimes through the network can easily hide his real-life identity behind a network identity. Therefore, when matching the perpetrator's network identity with a real-life identity, investigators need to make a comprehensive judgment based on various evidence, such as network activity records, the attribution of Internet terminals, relevant witness testimony, and the criminal suspect's statements. An actor can hold multiple virtual identities on the Internet at the same time, and a single virtual identity can also be shared by multiple people.
For example, in a case of telecommunication fraud, the victim claimed to have been cheated of 50,000 Yuan by a woman named “Cute Girl” on the Internet. The investigators used the victim's chat software (such as QQ or WeChat) to lock onto the Cute Girl account and obtain its physical online address, and captured the criminal gang headed by Zhang Mou. Members of this group had been searching for victims on the Internet for a long time, chatting with the victims in stages after identifying them, trying to establish a romantic relationship to gain the victims' trust, and then defrauding the victims of their property by claiming that a major accident had happened at home. In addition, the actors' network and real identities can be judged together by checking the relevant IP addresses, network logs, and testimony of informed witnesses.
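The last step, checking an account's activity against IP addresses and their attribution to terminals, is the part of this judgment that can be made systematic. The following is an added example and not a tool or case record from the paper: the login log format, the addresses, the account names and the attribution table are constructed sample data. It shows the two situations the text describes, one virtual identity used from several terminals and one terminal behind several virtual identities, and lists addresses that still lack an attribution so they are not mistaken for a result.

```python
"""Added example (not from the paper): correlating a network account with terminals
from login logs. The log format, the IP addresses and the attribution table are
constructed sample data; a real investigation would use the service's own logs and
the attribution obtained from the network operator for the relevant dates."""
import re
from collections import Counter, defaultdict

# Constructed chat-service login log; the format is an assumption.
LOG_LINES = """\
2019-03-01T20:11:05+08:00 login account=cute_girl ip=203.0.113.10
2019-03-01T21:40:12+08:00 login account=cute_girl ip=203.0.113.10
2019-03-02T09:02:33+08:00 login account=cute_girl ip=198.51.100.7
2019-03-02T09:05:10+08:00 login account=sunny_day ip=203.0.113.10
2019-03-02T13:30:00+08:00 login account=cute_girl ip=192.0.2.55
2019-03-03T08:15:44+08:00 login account=sunny_day ip=203.0.113.10
Mar 03 truncated line with no account field
""".splitlines()

# Constructed attribution of addresses to terminals for the log's dates (assumed
# to come from the operator; addresses are reassigned, so the date range matters).
IP_ATTRIBUTION = {
    "203.0.113.10": "terminal A: office broadband, subscriber company X",
    "198.51.100.7": "terminal B: mobile data, subscriber Zhang Mou",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) login account=(?P<acct>\S+) ip=(?P<ip>\S+)$")


def parse_logins(lines):
    """Return ([(timestamp, account, ip), ...], skipped_count). Lines that do not
    match are counted rather than dropped silently, so the record can say so."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1
            continue
        events.append((m.group("ts"), m.group("acct"), m.group("ip")))
    return events, skipped


def logins_by_account(events):
    """account -> Counter of source IPs: one virtual identity used from several terminals."""
    table = defaultdict(Counter)
    for _, acct, ip in events:
        table[acct][ip] += 1
    return table


def accounts_by_ip(events):
    """ip -> set of accounts: one terminal behind several virtual identities."""
    table = defaultdict(set)
    for _, acct, ip in events:
        table[ip].add(acct)
    return table


def attribute(events, table):
    """Map each account's login counts onto terminals. IPs absent from the
    attribution table are listed separately: they still need an operator inquiry
    and must not be read as a link to any person."""
    result = {"accounts": {}, "unattributed": set()}
    for acct, ips in logins_by_account(events).items():
        per_terminal = {}
        for ip, n in ips.items():
            if ip in table:
                per_terminal[table[ip]] = per_terminal.get(table[ip], 0) + n
            else:
                result["unattributed"].add(ip)
        result["accounts"][acct] = per_terminal
    return result


if __name__ == "__main__":
    ev, skipped = parse_logins(LOG_LINES)
    print(f"{len(ev)} logins parsed, {skipped} line(s) skipped")
    for acct, ips in logins_by_account(ev).items():
        print(acct, dict(ips))
    shared = {ip: a for ip, a in accounts_by_ip(ev).items() if len(a) > 1}
    print("terminals shared by several accounts:", shared)
    print(attribute(ev, IP_ATTRIBUTION))
```

On the constructed data the account in question logs in from three addresses, two of which are attributed to terminals and one of which is not, and the office terminal is also used by a second account; both facts are exactly why the text calls for combining the log correlation with terminal attribution and witness testimony rather than treating an address match as proof of identity.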
Conclusion
Electronic data is a new type of evidence that is stored or transmitted in electronic form. It can be added to or deleted at will, yet it can also be restored to its original state. It differs from other kinds of evidence because it is not restricted by physical space, exists in virtual space, and can be obtained only by certain technical means. The best choice for investigators who investigate and collect electronic data related to a case is to impound and seal the original storage medium. The obtained electronic data can be checked, but checking is limited to the backup of the electronic data so as not to affect its evidentiary qualification. If the data inspection involves specialized issues, the data should be submitted to an appraisal body or the relevant department for inspection. Provided the integrity of the original storage medium is protected, electronic data can be subjected to investigative experiments to verify whether a certain operation on electronic data can be completed within a certain period of time and to identify circumstances related to the case. Investigative experiments on electronic data have the legitimacy, authenticity, and relevance of ordinary evidence, but the method is speculative; therefore, it is relatively weak in proving the facts of the case. It is undeniable that, with the development of information technology, electronic data investigative experiments have become an important investigative method for collecting evidence and identifying information about the case. However, in practice, the opportunity to use this evidence collection method is rare.
Financial support and sponsorship
Conflicts of interest
There are no conflicts of interest.
[Figure 1], [Figure 2], [Figure 3], [Figure 4]