Part of the document management process is preserving original evidence so that it may someday be used in court. While an investigator often never knows if a case will ultimately end up in front of a judge, the most prudent way to handle evidence is to assume that you will be in court one day and to handle the evidence carefully.
Digital evidence is relatively easy to preserve if you use the help of a knowledgeable professional. Your best bet is to bring in someone who is an expert in computer forensics, preferably someone who has testified in court several times. That person is most likely to properly preserve digital evidence for later presentation in court.
At all costs, do not allow anyone to do anything to the computers used by a fraud suspect(s). The mere act of looking through computer files can destroy important data and can compromise the integrity of the digital evidence. Even turning a computer on or off makes changes to its hard drive, which could later call into question the evidence. Allow only a qualified computer forensics expert to touch the computers in question.
Documentary evidence will need to be preserved too, and the investigator will have to demonstrate a proper chain of custody of the evidence if the matter ends up in court. Chain of custody is a fancy way of saying that it is important to secure evidence and demonstrate that it was not tampered with or altered. You will have to show who had access to the evidence, how it was secured, and how its integrity was preserved.
If you are put in charge of a piece of evidence, it is best for you to lock it in a cabinet and/or office that has very limited access. You should know exactly who has keys to the room or storage device. If you need to move the evidence or give it to someone, you should have documentation prepared relative to that transfer of evidence, and the person receiving it should be prepared to keep it secure and document its whereabouts as well.
Investigators should not write on originals in any way or otherwise destroy or mark them. Make copies of the originals, and use the copies as your working documents for the investigation if you need to write on them or otherwise mark them. Do your best to keep the original evidence in exactly the same condition in which it was received. If you receive only copies of evidence, you do not have to worry about preserving it carefully. After all, it is not the actual evidence.
Digital evidence should not be manipulated in any way. Do not turn on the computer or phone. Do not open a database or a spreadsheet. Have all of the devices imaged by a professional, and work only with copies of the hard drives and/or databases.
The process of preserving evidence is especially important in cases in which the suspect is alleging that evidence has been altered, signatures are not authentic, or documents are forged or fabricated. As a general rule of thumb, make sure originals of all documents are secured and their chain of custody is documented.
Sometimes when a fraud investigator is called in, the integrity of some evidence has already been compromised. That is not the investigator’s fault, and the status of the evidence should be carefully documented so that the investigator doesn’t later get blamed for this situation.