The Incident Scene & Evidence Collection

• Locard’s Exchange Principle: A fundamental forensic concept stating that perpetrators always leave something behind and take something with them.

• Evidence Lifecycle: To ensure evidence is accepted in court, a strict lifecycle must be followed: Discovery->Protection->Recording->Collection->Analysis->Storage->Presentation->Return

• Chain of Custody: It is critical to document who handled the evidence, when, and where. This proves the proof has not been tampered with.

B. Types of Evidence

The reliability of evidence determines its weight in legal proceedings:

• Best Evidence: The original document or object. This is the most reliable form (e.g., the original contract, not a photocopy).

• Secondary Evidence: Copies of original documents or oral testimony about a document. It is generally not permitted if the "Best Evidence" is available.

• Direct Evidence: Prove a fact on its own without requiring inference (e.g., witness testimony of what they saw).

• Conclusive Evidence: Irrefutable evidence that requires no corroboration.

• Circumstantial Evidence: Evidence that implies a fact but cannot prove it directly; it requires inference.

• Hearsay: Second-hand evidence (e.g., "I heard him say..."). It is generally inadmissible, with the notable exception of business records (such as audit logs) created in the normal course of business.

Extended Insight on Digital Evidence:

Digital evidence is fragile. The notes emphasise the Order of Volatility—collect evidence from the most volatile sources first (like RAM) before less volatile sources (like hard drives). Never analyse the original media; always create a bit-level copy (image) and analyse the copy to preserve integrity