Blog

Forensic Acquisition and Legal Handling of Digital Evidence: A Comparative Analysis of Turkish and International Practices

Tuncay Beşikçi 10 Ocak 2018

This academic paper explores the legal, procedural, and technical frameworks surrounding the acquisition and handling of digital evidence in criminal investigations. The analysis centres on both Turkish law enforcement procedures and their alignment (or lack thereof) with international forensic standards, drawing comparisons with best practices in the UK, EU, and the US.

The document critically examines several controversial investigative practices employed in Turkey, particularly the pre-operation imaging of memory cards, chain-of-custody discrepancies, and the judicial reliance on evidence collected prior to official seizure orders. The analysis highlights potential violations of procedural safeguards, referencing the Budapest Convention, ISO/IEC 27037, and UN Guidelines on the Use of Digital Evidence.

Key sections of the paper include:

  • Legal foundations for digital evidence acquisition (e.g. CMK Articles 134, 116–119)

  • Digital imaging standards and admissibility criteria

  • Role of forensic service providers (private vs. state-backed, including mention of PwC, EY, and DiFoSe)

  • Risks posed by early or unofficial imaging, including the possibility of evidence fabrication

  • Judicial evaluations of digital evidence in high-profile cases, with a focus on the case involving the seizure of materials at the İdil Cultural Centre

The paper concludes with a call for institutional reform, expert witness training, and greater judicial literacy in evaluating digital forensic reports. It strongly advocates for strict adherence to chain-of-custody protocols, and stresses the importance of transparency, independence, and reproducibility in all forensic procedures.

Search and SeIzure of ElectronIc EvIdence

Evidence comprises the means employed for the purpose of proof to clarify the incident that is the subject of adjudication and to reveal the material truth. As a conviction cannot be based without evidence, the process of obtaining evidence is encountered as a highly significant operation in criminal proceedings. With the proliferation of information systems, the importance of digital evidence (also referred to as electronic or numerical evidence) in the context of obtaining evidence has steadily increased. Matters concerning crime-scene investigation, search and seizure in relation to information systems are primarily set out in Article 134 of the Code of Criminal Procedure (“CMK”), published in the Official Gazette on 17 December 2014, and in Article 17, entitled “Search, copying and seizure in computers, computer programs and records”, of the Regulation on Judicial and Preventive Searches, published in the Official Gazette on 24 May 2003.

For the material truth to be uncovered and a fair trial to be conducted, the crime scene must be duly preserved and it must be ensured that evidence is obtained from the scene with integrity. In its judgment no. 1993/108 dated 19 April 1993, the Criminal General Assembly of the Court of Cassation set the contours of the requisite qualities of evidence by stating that “Truth must be elicited from reasonable and realistic proofs representing the whole or a part of the incident, or from the assessment of proofs as a whole. Reaching a conclusion by way of certain assumptions is absolutely contrary to the purpose of Criminal Procedure.” Within this framework, the qualities that evidence must possess have been listed as follows:

  • It must be obtained in accordance with the law.

  • It must be perceptible by our five senses.

  • It must facilitate the revelation of the material truth.

  • It must not give rise to doubts regarding its accuracy and authenticity.

  • The evidence or the report concerning the evidence must be open to all parties.

  • Where possible, it should be corroborated by different items of evidence.

Electronic evidence, just like other forms of evidence, must possess the qualities borne by all other evidence before being brought before the court. It must be obtained by lawful means, be authentic in nature confirming the allegations, be complete and reproducible (such that a third party examining it can reach the same results), be free of any doubt as to the manner of its collection, and be comprehensible to the courts.

For any item of evidence containing digital data to qualify as “conclusive proof”, it is first necessary that the alleged offence is not one for which the legislature has prescribed a specific catalogue of crimes; when the evidence is seized, the exact place, person from whom it was seized, and precise time of seizure must be recorded and minuted, including the identity of the person effecting the seizure and the legal basis of the operation. Likewise, the manner and methods by which it was copied—either to create the copy to be analysed (the forensic image) or to be provided to the parties—must be reduced to writing and minuted. During forensic copying, a contemporary and appropriate cryptographic hash (immutability) value of the original data or file must without fail be calculated.

Digital evidence consists of intangible data not visible to the naked eye. Unlike other forms of evidence, recognition of their existence is possible only with auxiliary devices and software. For instance, to view data contained in a text document, a display or a printed output is required. Even with such outputs, it is not possible to see the metadata of the file. Accordingly, the similar outputs included in the case file examined within the scope of this report are not the evidence itself; the evidence is the very form that resides in the digital environment.

The structural characteristics of digital evidence may be summarised as follows:

  • It can be easily copied and reproduced.

  • It may deteriorate due to magnetic fields, temperature, humidity, and similar factors.

  • It can easily be altered by processing.

  • It may be deleted irretrievably.

  • It may contain concealed or encrypted additional data.

Owing to the foregoing properties, digital data may be readily manipulated. Therefore, for digital data to be accepted as evidence, it is mandatory to prove that it is faithful to the original and has not been altered. Some of the qualities that digital evidence must possess can be listed as follows:

  • It must be reasonable and acceptable.

  • It must be genuine.

  • It must be error-free and accurate.

  • It must be complete and entire.

  • It must be reliable and trustworthy.

  • It must be persuasive.

  • It must be reproducible.

  • It must conform to existing legal regulations.

Compliance with the matters set out in Article 17 of the Regulation on Judicial and Preventive Searches, entitled “Search, copying and seizure in computers, computer programs and records”, is of substantial importance for the reliability of evidence, preservation of the chain of custody, and the legal admissibility of evidence by the courts. The measure of search, copying and seizure in computers, computer programs and records is regulated in Article 134 of the CMK. From the standpoint of evidential integrity and reliability, it is essential that procedures conform to the elements specified in CMK Article 134. Under this provision, where access to computers, computer programs and computer records cannot be obtained due to the inability to decrypt a password or to reach concealed information, such devices and equipment may be seized so that decryption can be carried out and the necessary copies can be taken. However, where decryption is performed and the necessary copies are taken, the seized devices shall be returned without delay. Moreover, during seizure of computers or computer records, a backup of all data in the system shall be made. Upon request, a copy of this backup shall be provided to the suspect or his/her counsel, and this matter shall be recorded and signed. Without seizing computers or computer records, copies of all or part of the data in the system may also be taken. The data copied shall be printed on paper; this matter shall be recorded and signed by the relevant persons (CMK Art. 134/2, 3, 4, 5).

Among these conditions, in particular, making a backup of all data in the system at the time of seizure and providing a copy of this backup to the suspect or counsel is of great significance. In the past, as many lawyers were unaware of this right to request, the provision remained dormant; with the amendment to the text of the article, it has been rendered mandatory. However, taking a backup from the hard disk to be examined is not in itself sufficient. In order to preserve the integrity of the evidence at the stage of acquisition, the law-enforcement officers performing the operation must first calculate the hash value of the computer’s hard disk at the moment of its removal and draw up a minute; all imaging, backup and similar operations must be performed in the presence of the suspect or counsel. If the backup operation is not carried out and the person’s computer is seized as is, the person would be left without any assurance if data—easily alterable in the system—were changed to his/her detriment after seizure, and as a result the person could be victimised in a manner infringing fundamental rights and freedoms. Since the protective measures set out in the CMK are restrictions upon fundamental rights and freedoms, in their application the proportionality between the severity of the procedural harm that may arise and the probability of its occurrence must be observed; while applying the measure, the fundamental rights and freedoms of the person against whom it is applied must not be curtailed beyond legal limits and his/her personal data must not be harmed. Especially in the application of the protective measure in CMK Art. 134, the primary duty of the authorities implementing the measure should be the protection of personal data in a manner consonant with the purpose of criminal procedure.

When evidence obtained during a forensic examination is presented before the court, it is expected—beyond any doubt—to be in the state first found, that no alteration, addition or removal has been made to it, that it has not been subsequently recorded onto the storage medium; in short, that it proves the alleged offence beyond any doubt. Only then may the validity of digital evidence be discussed. Certain mechanisms have been developed to prove the conformity of the obtained digital evidence with its original. The most important of these is the hash value, which may be defined as a one-way hashing algorithm used to verify data integrity. In digital forensics, hash values are used to demonstrate that the methods applied do not alter the evidence. Hash values are highly useful for revealing even the smallest change in data.

Even if digital evidence has been obtained lawfully, it cannot form the basis of judgment unless it is disclosed to the parties and debated in court. Pursuant to CMK Article 217, the judge may base the decision only on evidence that has been brought to the hearing and debated in his/her presence. Consequently, in the scrutiny of the legal validity of electronic evidence, it is indispensable that it possesses the fundamental requisites of law and the features required of other evidence: authenticity, rationality, accessibility, representativeness of the incident, common knowledge among the parties, and legality. In accordance with the requirement of common knowledge, electronic evidence adduced in a criminal trial must be known and open to contestation by all parties to the case.

In Turkish law there are differing views as to whether electronic evidence is to be accepted as a type of evidence in criminal proceedings and, if so, whether it is sufficient on its own to ground a conviction. According to one view, electronic data obtained as evidence during the investigation is not assessed as very robust evidence in the legal sense because it is kept in a computer environment and may be deleted, altered, or replaced. Another view is that, since the content of electronic data may be altered, the capacity of such data to stand alone as evidence is weakened, if not eliminated. According to yet another view, the use of electronic data as evidence often necessitates support by additional evidence or further inquiries. Nevertheless, establishing the robustness of electronic evidence should require expert examination. In this respect, the use of electronic data as evidence in criminal proceedings depends on bringing the data—on which it is very easy to make alterations but for which such alterations can also be technically detected—before the court without any change, after its robustness has been verified by an examination conducted by an expert pursuant to CMK Article 66.

The evidential nature of print-outs or photocopies of the content of electronic data in criminal proceedings depends upon strict verification of the print-outs and proof of their admissibility. In this regard, where data stored in the digital environment is identical to the printed copy, the printed copy of the electronic data will also have evidential quality. However, where the printed copy loses its authenticity or representativeness, it will not be possible to treat it as evidence.

With a view to greater alignment with the acquis of the European Union, the Republic of Turkey has undertaken to become a party to all necessary international conventions and has declared that it will take measures to ensure their effective implementation. The Council of Europe Convention on Cybercrime—being the first international convention to address digital and internet crimes—was enacted by publication in the Official Gazette on 2 May 2014 under the name “Law No. 6533 on the Approval of the Convention on Offences Committed in Cyberspace”. In Article 15(1) of the Convention on Cybercrime, to which the Republic of Turkey is a party (and which is binding upon Turkey), signatory states are obliged to protect fundamental rights in the course of obtaining and using evidence in information systems and to observe the principle of proportionality.

Within the framework of a European Union project led by the Council of Europe and involving Turkey, a document entitled “Electronic Evidence Guide; A Basic Guide for Police Officers, Prosecutors and Judges” (hereinafter referred to as the “CoE Draft Electronic Evidence Guide”) was prepared as an output of the work carried out. According to the Guide, digital evidence obtained through search and seizure in information systems must be: original; objectively connected to the incident under investigation and unchanged in that connection; secure; free from any doubt as to how the evidence was collected and processed; persuasive and comprehensible. The CoE Draft Electronic Evidence Guide also lays down general principles necessary for transporting electronic evidence, stipulating that no act that might cause changes in the information systems subject to investigation shall be performed and that a chain of custody shall be established from the first acquisition of the evidence. The second principle is that every operation performed in obtaining electronic evidence must be traceable in such a manner that it can be repeated by a third party. In accordance with this principle, each operation must be recorded, and thanks to these records, the same operation shall yield the same results when repeated by another expert. The third basic principle in the Guide is the timely use of expert or external specialist assistance. The fifth and final basic principle is the principle of legality. According to the Guide, while each member state applies its domestic rules, it must take into account the aforementioned fundamental principles in interpreting the provisions.

In the United States’ acquis, the issues of how digital evidence is to be searched and seized are set out in a guide published by the Federal Department of Justice. Under the Fourth Amendment to the US Constitution, the degree of suspicion required for searches and seizures conducted in investigations is probable cause (reasonable suspicion in some contexts). The issues concerning the collection, processing and storage of electronic evidence in the US are set out in the Stored Communications Act. Forensic search and seizure in information systems are likewise subject, at the stage of admissibility, to strict rules of procedural law similar to those in US legislation in countries such as England (Computer Misuse Act), Ireland (Criminal Damage Act, sections 2/1 and 2(a)), France (Criminal Code, Article 323-2), Germany (Criminal Code, Article 303a) and Norway (Criminal Code, Article 156). [30]

Conclusion

The examination of digital evidence in criminal investigations is one of the fundamental components of modern forensic and legal processes. As demonstrated in this study, by their nature electronic evidence is volatile, readily alterable, and not directly observable without specialised tools. This necessitates strict adherence to legal, technical, and procedural safeguards. In Turkey, regulations such as Article 134 of the Code of Criminal Procedure and Article 17 of the Regulation on Judicial and Preventive Searches define the processes of searching, copying, and seizing digital data. However, inconsistencies in practical application give rise to concerns regarding preservation of the chain of custody, data integrity, and violations of fundamental rights.

The criteria required for admissibility—originality, reliability, reproducibility, and lawful acquisition—must be meticulously satisfied. Mechanisms such as hash values, forensic imaging processes, and timely documentation are critical to ensuring evidential integrity. In addition, international standards such as the Council of Europe’s Electronic Evidence Guide and the Budapest Convention on Cybercrime emphasise the principles of proportionality, legality, and transparency. Nonetheless, there remains a hesitation in Turkish judicial practice as to whether digital evidence is sufficient on its own for conviction. This, in turn, creates a need for digital data to be supported by physical or testimonial evidence and to be verified through expert examinations. Interdisciplinary cooperation among law-enforcement, digital forensics specialists, and the judiciary will enhance the reliability of evidence. Ultimately, the legal validity of electronic data is possible not only through technical accuracy but also through compliance with legal procedures and the protection of individual rights. As digital crimes and evidentiary technologies evolve, legal systems must develop in tandem to ensure justice and safeguard fundamental rights. In Turkey’s process of aligning with international conventions, the use of digital evidence must be conducted not only with legal correctness but also with respect for human rights.

References

Hakeri, H. (2005) “Yeni Ceza Muhakemesi Kanununa Göre El Koyma Koruma Tedbiri”, TBB Dergisi, No. 60, 2005, pp. 97–104.
Koca, M. (2006). Ceza Muhakemesi Hukukunda Deliller. CHD 1(2), December. Turkey: Seçkin Yayinevi, p. 207.
Bıçak, V. (2011) Suç Muhakemesi Hukuku (2nd edn). Turkey: Seçkin Yayinevi, p. 461.
Kaygısız, M. (2007) Kriminalistik Olay Yeri İnceleme: Suç Yeri ve Delil Güvenliği, 1st edn, Ankara: Adalet Yayinevi, p. 39.
Casey, E. (2004) Digital Evidence and Computer Crime (2nd edn). USA: Academic Press, p. 218.
Değirmenci, O. (2014) Ceza Muhakemesinde Sayısal (Dijital) Delil. Turkey: Seçkin Yayinevi, p. 363.
Değirmenci, O. (2008) “Ceza ve Ceza Muhakemesi Hukukunda Mağdur Hakları”, Türkiye Barolar Birliği Dergisi, No. 77, pp. 33–86.
Toplaoğlu, N., Çakır, H. (2014) Adli Bilişim ve Elektronik Deliller, 1st edn, Ankara: Seçkin Yayincilik.
Peter Sommer, “Digital Footprints: Emerging Issues in Computer Forensics”, available at: http://pmsommer.com/digifootprint07.pdf (accessed 15 May 2016).
Ankara Barosu Dergisi, 2005/1; Source: Toroslu, Nevzat / Feyzioğlu, Metin, Ceza Muhakemesi Hukuku, Ankara, 2006.
Küzeci, E. (2010) Kişisel Verilerin Korunması, Ankara, p. 291 et seq.
Doğan, K. (2018) Ceza Muhakemesinde Belirsizlik: Kuşkudan Sanık Yararlanır İlkesi, 2nd edn, Ankara: Seçkin Yayincilik, p. 297.
Başlar, Y. (2016) Ceza Yargılamasında Elektronik Delil, 1st edn, Ankara: Yenkin Yayınları, p. 92.
Ergün, İ. (2008) Siber Suçların Cezalandırılması ve Türkiye’de Durum, Ankara: Adalet Yayinevi, p. 44.
Özbek, V. Ö. Elektronik Ortamda Saklı Bulunan Verilerin Ceza Muhakemesinde Delil Niteliği ve Değerlendirilmesi, pp. 185–186.
Kızılyar, M. (2014) “Ceza Yargılamasında Dijital Verilerin Delil Değeri”, Adalet Dergisi, No. 50, September 2014, pp. 72–89.
Kunter, Yenisey & Nuhoğlu, Muhakeme Hukuku Dalı Olarak Ceza Muhakemesi Hukuku, p. 1109.
Özkan, H. (2014) “Ceza Muhakemesinde Ekran Görüntüsü Çıktıların Delil Niteliği”, in Y. Ünver (ed), Ceza Muhakemesi Hukukunda Delil ve İspat. Ankara: Seçkin Yayıncılık, p. 282.
Değirmenci, O. (2014) “Bilgi Toplumunun Delil Türü: Sayısal Deliller ve Bilimselliği”, Terazi Hukuk Dergisi, Vol. 9, No. 97, September 2014, pp. 14–28.
http://ab.gov.tr/index.php?p195&1=1 (accessed 8 March 2013).
Electronic Evidence Guide; A Basic Guide for Police Officers, Prosecutors and Judges (accessed 8 March 2013).
CoE Electronic Evidence Guide, p. 14.
CoE Electronic Evidence Guide, p. 15.
Department of Justice (USA) (accessed 8 March 2013).
Henkoğlu, T. (2014) Adli Bilişim: Dijital Delillerin Elde Edilmesi ve Analizi, 2nd edn, Pusula Yayincilik, p. 196.