Cyber crime and digital evidence are now part of almost every type of investigation. Whether you're dealing with a fraud victim, a domestic abuse case with key evidence on a phone, a drugs supply network communicating through encrypted apps, or a straightforward theft where CCTV and mobile data are the best evidence, understanding the basics of digital evidence handling is no longer optional for a frontline officer. You do not need to be a digital forensics expert. You do need to know what to do, what not to do, and when to call someone who knows more.
Why Digital Evidence Is Different
Physical evidence — a discarded weapon, a footprint, blood on a door handle — is relatively static once recovered. Digital evidence is volatile and fragile in ways that can destroy its value in seconds. A phone that receives a remote wipe command, a laptop whose owner guesses the wrong password ten times, a cloud account whose data expires because nobody requested preservation — all of these result in evidence that may be gone permanently. Understanding this is the first step to handling digital evidence properly.
Device Seizure: The Basics
The primary power to seize devices at a scene is Section 19 of PACE 1984. If you are lawfully on premises, you can seize anything you have reasonable grounds to believe is evidence of an offence or has been obtained through crime. This covers computers, laptops, tablets, mobile phones, USB drives, external hard drives, and any other storage media.
Do not switch off a running computer. This is counterintuitive — officers are used to making scenes safe and tidy. But a running computer holds live evidence in its RAM (random access memory): running processes, encryption keys, network connections, and live data that is permanently lost when power is cut. Photograph the screen before touching anything. Note every application that is open and every piece of visible content. Then call your Digital Forensics Unit and let them advise on next steps.
For mobile phones, use a Faraday bag immediately. A Faraday bag blocks electromagnetic signals, preventing anyone from remotely wiping the device after you've seized it. If you don't have a Faraday bag, put the phone in airplane mode — but photograph the screen first, because airplane mode changes what is displayed. Do not guess the passcode. Modern iPhones are configured to wipe after ten incorrect attempts. You will not get those attempts back.
Label every device as an exhibit the moment you seize it. Record the time, date, location, its physical state (on/off, screen content), and your exhibit reference. Everyone who subsequently handles the device must be recorded — continuity of evidence is as important for a phone as it is for a knife.
Action Fraud and Fraud Offences
For fraud offences, your principal referral route is Action Fraud — the national fraud and cyber crime reporting centre operated by the City of London Police. Victims can report online at actionfraud.police.uk or by calling 0300 123 2040. They receive a Police Reference Number on reporting, which the National Fraud Intelligence Bureau (NFIB) uses to identify patterns across thousands of reports.
As a frontline officer, your role in fraud cases is to take the initial report, advise the victim to preserve all evidence (emails, text messages, bank statements, receipts, communications with the suspect), and ensure an accurate report reaches Action Fraud. The investigation will typically be intelligence-led from the NFIB rather than locally conducted, but this does not mean local reports are irrelevant — they feed the intelligence picture that identifies organised crime groups targeting multiple victims.
For fraud in progress — a courier fraud victim currently being instructed to hand over cash, for example — treat it as an immediate response. Preserve the suspect's contact details, identify any vehicles involved, and consider whether financial investigation or arrest powers are available in your force area.
Social Media Evidence
Social media evidence appears in almost every category of offence. Threats made on Instagram, drug supply advertised on Snapchat, domestic abuse messages sent on WhatsApp, gang intelligence on TikTok — the platforms are different but the principles are the same.
Act quickly. Social media platforms do not retain content indefinitely, and suspects frequently delete posts or accounts when they become aware of police interest. Most major platforms (Meta, X/Twitter, TikTok, Snapchat) respond to law enforcement preservation requests by locking the relevant data while legal process is initiated. Your force's digital evidence team or specialist unit can advise on how to submit these requests — but time matters.
Screenshots are admissible but vulnerable to challenge. Defence solicitors will question whether a screenshot was cropped, edited, or fabricated. Where possible, obtain evidence through formal platform disclosure processes — this provides timestamped records and subscriber information that authenticates account ownership. When taking screenshots yourself, always include the URL and any visible timestamp in the frame. Note the date and time you captured it and your exhibit reference.
Cloud Data and Third-Party Production Orders
When evidence is stored in the cloud — iCloud, Google Drive, WhatsApp backups — seizing the physical device is necessary but not sufficient. You also need the cloud data, which requires a production order under Schedule 1 of PACE, served on the platform's UK legal representative.
For US-based companies (Apple, Google, Meta, Amazon), the UK-US CLOUD Act Agreement means UK authorities can make direct orders to US providers for certain data categories without going through the full mutual legal assistance process. This is a specialist area — your force's digital evidence team or the Regional Cyber Crime Unit (RCCU) should handle production order applications for cloud data. Your job is to identify that cloud data exists and flag it early, so the process can be initiated before retention periods lapse.
When to Escalate
Know your limits. The following situations require specialist involvement beyond the frontline:
- Encrypted devices or those with unknown passwords — submit to your Digital Forensics Unit rather than attempting access
- Ransomware attacks on businesses or organisations — your Regional Cyber Crime Unit (RCCU)
- Cryptocurrency wallets or suspected crypto-related offending — RCCU and consider NCA involvement
- Child sexual exploitation material found on a device — PPIU/CAIT, following your force's IIOC (indecent images of children) protocol
- Hacking, network intrusions, or large-scale data theft — RCCU
- International dimensions or organised crime group involvement — NCA
The Computer Misuse Act 1990
The Computer Misuse Act 1990 creates three principal offences. Section 1 covers unauthorised access to a computer — the basic hacking offence, summary only, maximum two years. Section 2 covers unauthorised access with intent to commit a further offence — either-way, maximum five years. Section 3 covers unauthorised acts that impair a computer — malware, ransomware, DDoS attacks — either-way, maximum ten years.
These offences are less commonly charged by frontline officers than fraud offences, but awareness matters. If a victim tells you their computer has been hacked, ransomware has encrypted their files, or someone has accessed their accounts without permission, the CMA 1990 is the relevant legislation. Action Fraud is still the referral route, with escalation to the RCCU for serious or complex cases.
Building Good Practice
The officers who handle digital evidence best are not necessarily the most technically literate — they are the ones who follow the fundamentals: photograph before touching, use Faraday bags, label exhibits immediately, maintain continuity, and escalate promptly when they are out of their depth. Curiosity is a professional virtue — asking your DFU or RCCU what you should have done is how you get better. The digital landscape in policing is changing faster than any training course can keep up with, and officers who stay curious and humble about the limits of their knowledge are the most effective in this space.