Fraud / Evidence

Cybercrime Evidence: What to Preserve

CA Nikhil Gupta·June 2026·3 min readFraud / Evidence

Cybercrime evidence is fragile. Messages disappear, links expire, accounts are renamed and victims often erase the phone before saving the facts investigators need.

Quick View

First move

Write the event timeline.

Core proof

Original device and SIM details.

Main mistake

Cropping out timestamps.

Official route

National Cyber Crime Reporting Portal

What the Issue Means

Start with a timeline: first contact, instructions, payments, account changes, reports and later communication. Use exact dates and times. Separate what was seen from what is assumed.

Preserve original digital material where possible. Export chats, save email headers, record URLs, retain transaction receipts and avoid editing screenshots. An edited collage may be useful for explanation but should not replace the originals.

Containment and evidence can conflict. Credentials must be secured quickly, but a factory reset may destroy logs. Where malware or a large loss is involved, ask the police or a cyber-forensic professional before wiping the device.

Action Steps

  1. Write the event timeline.
  2. Export chats and emails.
  3. Save UTR, beneficiary and bank records.
  4. Capture app, URL and profile details.
  5. Record every complaint number.
  6. Store copies in a secure second location.

Decision Table

SituationMeaningResponse
Transaction evidenceUTR, bank statement, beneficiary and timestamp.Supports tracing.
CommunicationChat export, email headers and call logs.Shows inducement and identity.
Technical evidenceApp file, URL, device logs and permissions.Useful for forensic review.
Complaint evidenceBank, 1930, portal and police acknowledgements.Shows reporting speed.

Practical Example

A victim takes screenshots of a fake investment app but then deletes the app and chat group. The screenshots show balances but not the download link, package name or recruiter profile. Preserving the entire chat export and app details would have created a stronger trail.

Evidence to Keep

  • Original device and SIM details.
  • Chats, emails and full headers.
  • Phone numbers, usernames and profile links.
  • Bank, card and wallet records.
  • App-store or APK source.
  • Complaint acknowledgements and officer details.

Common Mistakes

  • Cropping out timestamps.
  • Forwarding evidence through apps that reduce quality.
  • Deleting the fraudster’s contact before export.
  • Resetting the device immediately.
  • Writing guesses as facts in the complaint.

Escalation Route

Submit the essential transaction data quickly even if the evidence file is not yet perfect. Additional documents can follow through the official process.

Maintain a read-only master folder and a separate working copy. Note who handled the device or file after the incident where forensic integrity may matter.

Working Principle

Evidence should answer five questions: who, what, when, where the money went and when the incident was reported.

The safest approach is to preserve the original record, use the official channel and explain the facts in chronological order. A portal acknowledgement, complaint number or filing receipt is part of the evidence and should be downloaded rather than assumed to remain available forever.

Rules and procedures can change, and the correct action depends on the exact transaction, policy, notice or account. Where money, limitation, criminal allegations, medical causation or a large tax position is involved, qualified professional advice should be obtained before taking an irreversible step.

Why Timing Matters

Fraud response has two parallel objectives: stop additional loss and preserve the evidence needed to trace the first loss. The immediate step is Write the event timeline. Record the exact time because bank liability, fund tracing, SIM or account containment and police follow-up can all depend on how quickly the incident was reported.

The evidence file should begin with Original device and SIM details. Add the transaction reference, beneficiary, phone number, link, app name, device state and every complaint acknowledgement. Keep original chats and files untouched; explanatory screenshots can be created as copies, but they should not replace the source material.

Do not continue following the fraudster’s instructions in the hope of recovering money. A frequent error is Cropping out timestamps. Use only independently located official numbers and portals. A bank dispute, cybercrime complaint and securities or telecom grievance may all be necessary because each route addresses a different part of the incident.

Also preserve the device model, operating-system version and time zone used when screenshots were captured. These details can help investigators align local timestamps with bank, telecom and platform logs.

Frequently Asked Questions

Are screenshots enough? â–¼
They help, but full chats, headers, statements and original files are stronger.
Should the fraudster be confronted? â–¼
Usually no. Preserve evidence and follow bank or police guidance.
Can evidence be edited for clarity? â–¼
Keep originals untouched; create labelled explanatory copies separately.
What should be reported first? â–¼
Financial transaction details, beneficiary information and reporting time.