Q1. From your experience in digital forensics, how does digital evidence typically emerge in investigations involving organisations?
From my experience, digital evidence doesn’t really “emerge” anymore - it’s just there from the start.
Almost every investigation I’ve worked on has had a digital component. These days, nearly everything people do inside an organisation leaves some kind of digital trail, whether that’s emails, documents, system logs, CCTV, phone data, or managed devices. So when an allegation is raised, digital evidence is usually one of the first things we think about.
By way of background, I spent just over a decade with the NSW Police Force, most of that time as a detective based in the Sydney CBD. I worked investigations involving everything from small businesses through to large banks, insurance companies, casinos and other major organisations. Regardless of the size of the organisation, the pattern was always the same - once a matter was reported, there was almost always relevant digital evidence attached to it.
In organisational matters, investigations often start with a complaint or allegation. From there, the question becomes what systems, devices or records might objectively show what happened. Most organisations have managed laptops, phones, email systems, access controls, document management systems, or CCTV. If people have communicated, made decisions, accessed systems or moved through physical spaces, there is usually data that records at least part of that activity.
Digital evidence is also something we tend to prioritise early because it is volatile. Data can be deleted, overwritten, lost through retention policies, or simply disappear as systems change. If you wait too long, you can lose evidence that may never be recovered. That’s why, in practice, digital evidence is often one of the first areas we assess and preserve.
Another reason digital evidence features so heavily is that it is usually the most objective form of evidence available. Human recollection is fallible. Two people can have the same conversation and remember it very differently. In one-on-one matters especially, it can be extremely difficult to prove what was said or done based on memory alone. Digital evidence can cut through that. It can show who knew what, when they knew it, what actions were taken, and how information moved through an organisation.
In reality, every investigation involves the same basic considerations. What evidence exists? How reliable is it? What resources are required to obtain it? Digital evidence is always part of that equation. The only real question is how much weight it carries in the specific matter, and whether it justifies the time and cost involved in collecting and analysing it.
Q2. What types of digital evidence tend to carry the most weight in investigations, and why?
The digital evidence that carries the most weight is usually the evidence that is objective, system-generated, and difficult to dispute.
Emails, messages, documents, system logs, access records, and metadata are often critical because they exist independently of any one person’s version of events. They are created automatically as part of normal business processes and are not influenced by hindsight, bias or memory.
For example, communications data is often very powerful. Emails, chat messages, call records and timestamps can establish who communicated with whom, what was said, and when it occurred. This can be crucial in understanding decision-making, knowledge, intent and whether legal or regulatory obligations were met.
Document metadata is another area that frequently carries significant weight. Version histories, author details, creation and modification times can show how documents evolved, who made changes, and whether documents were altered after the fact. In disputes involving contracts, policies, reports or internal approvals, this type of evidence can be decisive.
Location and access data can also be highly relevant. Managed devices, building access systems and CCTV can help establish where someone was at a particular time or whether they had access to specific systems or locations. This is particularly useful where accounts differ about presence, timing or opportunity.
What makes this evidence so strong is that it is not based on opinion. It does not rely on someone remembering correctly or being honest. It simply reflects what the system recorded at the time. That objectivity is why digital evidence is often relied upon heavily in investigations involving organisations.
That said, it is always a balancing exercise. Investigators still need to consider proportionality. Just because digital evidence exists does not always mean it is worth pursuing in every case. The relevance, cost, time, and potential impact on the investigation all matter. But where the stakes are high, and where the digital evidence goes directly to the core issues, it is usually worth the effort.
Q3. Can you explain how digital evidence is captured and preserved to ensure it remains accurate, reliable, and defensible?
A lawyer’s favourite answer: “it depends” on the type of evidence, but the underlying principles are always the same.
Any time you interact with a digital device or system, you are changing it in some way. Even something as simple as logging into a computer or opening a file alters its state. Because of that, the goal when capturing digital evidence is not always to avoid change completely, but to understand, minimise and document it.
As a general rule, the more you can document how evidence was captured, the stronger it will be later. That documentation might be written notes, screenshots, system logs, or even video recordings of the capture process. The point is to be able to clearly explain what was done, when it was done, how it was done, and why it was done that way.
There are also specialised forensic tools designed to extract and preserve digital evidence accurately. These tools are built to collect data in a way that maintains its integrity, preserves metadata, and allows the process to be repeated or verified. That is important because reliability is not just about what the evidence shows, but about whether someone else could follow the same process and reach the same result.
Defensibility comes down to more than just the data itself. It comes from the person capturing it having the right training, experience and specialised knowledge, and from being able to explain the process clearly. In many matters, we see claims that evidence has been tampered with, altered, or manipulated. Often those claims are not correct, but without proper documentation and explanation, they can still undermine the weight given to the evidence.
Even if evidence is technically admissible, the real issue is often how much weight it carries. Evidence that has been captured using appropriate tools, with a clear chain of custody, and by someone who can explain the process, is far more likely to be relied upon. That is where experienced digital forensic practitioners add value, not just by extracting data, but by making sure it can stand up to scrutiny.
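The Q3 answer above describes the principles (document what was done, when, how and why; capture in a way that can be repeated and verified) without naming any tool. The following is an added example, not the interviewee's code or the code of any product mentioned: a small capture manifest that records a cryptographic hash and file metadata for each collected item, plus the who/how/why notes, and can later re-verify every item. Using SHA-256 hashes as the integrity check, the manifest field names, and the sample files are assumptions of this example.

```python
"""Added example (not from the interview): an evidence-capture manifest.

Records, at capture time, a SHA-256 hash and filesystem metadata for each
collected item together with who collected it, how, and why; later re-hashes
the items to show whether anything changed after capture. SHA-256 as the
integrity mechanism and all field names are assumptions of this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large items (disk images, CCTV exports) never sit wholly in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_item(path, collected_by, method, reason):
    """Capture-time record: hash plus the metadata an examiner should preserve and explain."""
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size_bytes": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "sha256": sha256_file(path),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "method": method,  # what was done and how it was done
        "reason": reason,  # why it was done that way
    }


def write_manifest(items, manifest_path):
    """Write the manifest and return its own hash, so the manifest can be quoted in notes."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump({"items": items}, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)


def verify_manifest(manifest_path):
    """Re-hash every item in the manifest; returns {path: True/False}. Missing files fail."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    results = {}
    for item in manifest["items"]:
        try:
            results[item["path"]] = sha256_file(item["path"]) == item["sha256"]
        except FileNotFoundError:
            results[item["path"]] = False
    return results


def demo():
    """Constructed scenario: capture two items, then one is altered after capture."""
    workdir = tempfile.mkdtemp()
    export = os.path.join(workdir, "camera03_export.bin")
    access_log = os.path.join(workdir, "access_log.csv")
    with open(export, "wb") as f:
        f.write(os.urandom(4096))  # stand-in for a native CCTV export (constructed)
    with open(access_log, "w", encoding="utf-8") as f:
        f.write("2024-05-01T08:59:12Z,door-2,badge-1187,granted\n")  # constructed record
    items = [
        record_item(export, "examiner A", "native export from recorder",
                    "keeps original timestamps and camera identifier"),
        record_item(access_log, "examiner A", "copied from access-control server",
                    "system-generated record"),
    ]
    manifest = os.path.join(workdir, "manifest.json")
    manifest_hash = write_manifest(items, manifest)
    before = verify_manifest(manifest)
    with open(access_log, "a", encoding="utf-8") as f:
        f.write("2024-05-01T09:03:44Z,door-2,badge-1187,denied\n")  # post-capture change
    after = verify_manifest(manifest)
    return manifest_hash, before, after


if __name__ == "__main__":
    manifest_hash, before, after = demo()
    print("manifest sha256:", manifest_hash)
    print("verification at capture:", before)
    print("verification after the log was appended to:", after)
```

The point of the demo is the second verification: the CCTV export still matches, the access log no longer does, and the manifest records exactly what the original looked like and how it was obtained, which is what has to be explained when tampering is alleged.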
Q4. What are some of the most common errors organisations make when dealing with potential digital evidence?
There are a lot, but three come up repeatedly.
1. Creating new evidence instead of preserving the original
A very common example is CCTV footage.
We often see situations where someone records CCTV by filming a screen on their phone. While that might seem convenient, it creates a new piece of evidence rather than preserving the original. Important information is lost in the process, such as original timestamps, camera identifiers, system metadata, and file integrity.
When CCTV is properly extracted from the system, you can verify timing, camera numbers, recording parameters and other details that help establish accuracy and reliability. A phone recording cannot do that. Law enforcement and organisations both still fall into this trap, and it can cause problems much later when the evidence is challenged.
2. Leaving it too long or failing to secure access
Digital evidence is volatile.
Some data only exists while a device is powered on. Once it is shut down, that information is gone. Devices can also be remotely wiped, especially in organisations with managed phones or laptops. If someone still has access to systems after an incident, they may be able to delete logs, alter data, or remove evidence entirely.
We also see this in employment and executive matters. Someone is terminated or about to be terminated, but their access is not immediately revoked. That person may still have the ability to delete records, copy sensitive information, or interfere with systems. These issues are often completely avoidable with proper processes and planning.
If difficult conversations are expected, safeguards should already be in place. Permissions should be limited, access should be logged, and it should not be possible for one individual to unilaterally alter or destroy critical information.
3. Not understanding what data your systems can and cannot show
Many organisations simply do not know what information is available to them.
A common issue is shared logins. If multiple people use the same username and password, it becomes extremely difficult to determine who actually did what. That simplicity comes with real risk. It may make day-to-day operations easier, but it severely limits accountability during an investigation.
That does not mean shared access is always wrong, but organisations need to understand the trade-off. If individual logins are not feasible, are IP addresses logged? Are device details recorded? Is there user agent data or audit logging that can help identify activity at a later stage?
For higher-risk roles with significant access or authority, these controls become even more important. Adding individual users or additional logging is often not difficult, and it can make the difference between being able to investigate an issue properly or not at all.
Why this matters
Most problems with digital evidence are not technical failures. They are process failures.
Organisations often only realise the importance of digital evidence once something has already gone wrong. At that point, the opportunity to preserve it properly may already be lost. Understanding how evidence should be captured, preserved and managed upfront puts organisations in a far stronger position if and when an investigation arises.
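Point 3 of the Q4 answer says that with a shared login you cannot tell who did what unless other fields, such as source IP address and device or user agent details, are also logged. The following is an added example, not the interviewee's code: it runs over a few constructed audit-log lines and shows that grouping by username alone gives one indistinguishable actor, while grouping by username plus IP and user agent separates the sessions, and that a named account seen from the same device is a lead worth following up. The log format, field names and the sample lines are assumptions of this example.

```python
"""Added example (not from the interview): attributing activity under a shared login.

Constructed audit log with fields: timestamp|username|source IP|user agent|action|object.
The format and the records are assumptions of this example.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2024-05-01T09:01:10Z|ops-shared|10.0.4.21|Mozilla/5.0 (Windows NT 10.0) Chrome/124|VIEW|invoice-4471
2024-05-01T09:02:35Z|ops-shared|10.0.4.21|Mozilla/5.0 (Windows NT 10.0) Chrome/124|EDIT|invoice-4471
2024-05-01T09:05:02Z|ops-shared|10.0.7.88|Mozilla/5.0 (Macintosh) Safari/17.4|VIEW|invoice-4471
2024-05-01T09:06:48Z|ops-shared|10.0.7.88|Mozilla/5.0 (Macintosh) Safari/17.4|DELETE|invoice-4471
2024-05-01T09:10:00Z|j.smith|10.0.4.21|Mozilla/5.0 (Windows NT 10.0) Chrome/124|VIEW|invoice-4472
"""

FULL_KEYS = ("user", "ip", "ua")  # the extra fields that make attribution possible


def parse_line(line):
    ts, user, ip, ua, action, obj = line.split("|")
    return {"ts": ts, "user": user, "ip": ip, "ua": ua, "action": action, "object": obj}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def sessions(events, user, keys):
    """Group one account's events by the chosen attribution keys.

    keys=("user",)            -> a single bucket: everyone behind the shared login looks the same
    keys=("user","ip","ua")   -> one bucket per distinct device/session
    """
    buckets = defaultdict(list)
    for e in events:
        if e["user"] == user:
            buckets[tuple(e[k] for k in keys)].append(e)
    return dict(buckets)


def who_did(events, user, action, obj, keys=FULL_KEYS):
    """Attribution keys of every session under `user` that performed `action` on `obj`."""
    return sorted({tuple(e[k] for k in keys) for e in events
                   if e["user"] == user and e["action"] == action and e["object"] == obj})


def corroborate(events, session_key):
    """Named accounts seen from the same IP and user agent as a shared-login session.

    This is a lead for further inquiry (a device is not a person), not proof of who acted.
    """
    user, ip, ua = session_key
    return sorted({e["user"] for e in events
                   if e["ip"] == ip and e["ua"] == ua and e["user"] != user})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("by username only:", len(sessions(events, "ops-shared", ("user",))), "actor(s)")
    print("by username+ip+ua:", len(sessions(events, "ops-shared", FULL_KEYS)), "session(s)")
    for key in who_did(events, "ops-shared", "DELETE", "invoice-4471"):
        print("DELETE of invoice-4471 came from session", key)
        print("  named accounts seen from the same device:", corroborate(events, key))
```

Without the IP and user agent columns the DELETE could only be attributed to "whoever knew the ops-shared password"; with them it narrows to one device, and the Windows/Chrome session is separately linked to a named account, which is the kind of audit logging the answer recommends adding for higher-risk roles.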