Electronic Evidence in Kenya

The courts must decide cases by ascertaining what the relevant facts are, ascertaining what the relevant law is, and then marrying the law to the facts so as to reach a decision. All facts must be proved.


  • Direct: Direct evidence establishes a fact.
  • Circumstantial: Circumstantial evidence may establish one.

Digital evidence can be used to prove facts. Circumstantial evidence may be as weighty as direct evidence. For example, a computer logon record is circumstantial evidence that the individual who owns the account was responsible. Someone else may have used the individual’s account, so other evidence will be required to prove that he actually logged into the system.

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.

Digital evidence encompasses any and all digital data that can establish that a crime has been committed.


The many sources of digital evidence can be categorized into three groups, namely:

Open computer systems

This is what most people think of as computers – systems comprised of hard drives, keyboards, and monitors such as laptops, desktops, and servers that obey standards.  These systems with ever increasing amounts of storage space can be rich sources of digital evidence.

Communication systems

Traditional telephone systems, wireless telecommunication systems, the internet and networks in general can be sources of digital evidence.

Embedded computer systems

Mobile telephones, personal digital assistants, smart cards, and many other systems with embedded computers may contain digital evidence. For example, a navigation system can be used to determine where a vehicle has been, and the Sensing and Diagnostic Modules in many vehicles hold data that can be useful for understanding accidents, including the vehicle speed.



  • The Constitution of Kenya, 2010 {Article 260(a)}.
  • Kenya Communication Act, 1998
  • Kenya Communication Amendment Act, 2009 (Section 83)
  • Evidence Act (Sec 106B)
  • Penal Code Act (Sec 267)

NB: Because data forensics is relatively new, laws dictating the validity of evidence are sketchy and not widely known.


All evidence must pass the test of admissibility and weight. Admissibility is a set of legal rules applied by a judge in order to allow the use of evidence in a court of law. These rules are extensive. (Check Evidence Act, section 106B)

Weight is a measure of the validity and importance of the evidence. Weight is essentially whether the judge or jury believes the evidence.


Digital evidence is just like any other evidence and it must be:

  • Authentic – It must be proven to come from where it purports. The process of determining whether the evidence is worthy is called authentication. It means satisfying the court that (a) the contents of the record have remained unchanged; (b) the information in the record does in fact originate from its purported source, whether human or machine; (c) extraneous information such as the apparent date of the record is accurate; and (d) the computer system or process that generated the digital evidence was working properly during the relevant time period. As with paper records, the necessary degree of authentication may be proved through oral and circumstantial evidence, if available, or via technological features in the system or the record.
  • Accurate – The evidence is accurate and reliable if the substance of the story the material tells is believed and is consistent, and there are no reasons for doubt.
  • Complete – Evidence is complete if the story that the material purports to tell is complete. It must also be convincing to courts and in conformity with common law and legislative rules.

Once the digital evidence is admitted, its reliability is assessed to determine its probative value. For example, if there is a concern that evidence was tampered with prior to collection, these doubts may reduce the weight assigned to the evidence. However, the mere possibility of tampering does not affect the authenticity of a computer record. In US v. Glasser, 773 F. 2d 1553: “The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness.”

NB: Even if there is a reasonable doubt regarding the reliability of digital evidence, this does not necessarily make it inadmissible, but will reduce the amount of weight it is given by the court.


  • To prove the contents of a writing, recording or photograph, courts used to require originals.
  • But with the advent of photocopiers, scanners and computers, copies became acceptable in place of originals unless a genuine case is raised on the authenticity of the original or the accuracy of the copy.
  • Digital evidence is almost never in a format readable by humans, requiring additional steps to include digital documents as evidence (i.e. printing out the material). It has been argued that this change of format may mean digital evidence does not qualify under the “best evidence rule.”
  • Article 260 (b) of the Constitution recognizes electronic files as documents.


It is argued that digital evidence may not be admitted in court because the speaker or author of the evidence is not present in court to verify its truthfulness.

Evidence is hearsay where a person in court repeats a statement made out of court. For instance, an e-mail message may be used to prove that an individual made certain statements but cannot be used to prove the truth of the statements it contains, such as the killing of his daughter. The investigators will need a confession or other evidence to improve the case.

Exception to the rule

A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by or from information transmitted by a person with knowledge, if kept in the course of a regular practice of the business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the source of information or method or circumstances of preparation indicate lack of trustworthiness.

Digital evidence may be computer-generated or computer-stored. The difference is in who created the content, whether human or computer.


Updated to ACPO Version 5 in October 2011

  • Principle 1: The data held on an exhibit must not be changed.
  • Principle 2: Any person accessing the exhibit must be competent to do so and explain the relevance and the implications of their actions.
  • Principle 3: A record of all processes applied to an exhibit should be kept. This record must be repeatable to an independent third party.
  • Principle 4: The person in charge of the investigation has responsibility for ensuring that the law and these principles are adhered to.
  • The activities of the digital forensic practitioner should not alter the original data. If the requirements of the work mean that this is not possible then the effect of the practitioner’s actions on the original data should be clearly identified and the process that caused any changes justified.
  • A record of all activities associated with the acquisition and handling of the original data and any copies of the original data must be maintained. This includes compliance with the appropriate rules of evidence, such as maintaining a chain of custody record, and verification processes such as hashing.
  • The digital forensic practitioner must not undertake any activities which are beyond their ability or knowledge.

NB: Article 260 of the Constitution recognizes electronic files as documents.
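The record-keeping and hashing requirements in the principles above (an unchanged exhibit, a repeatable record of every process, a chain of custody verified by hashing) can be illustrated with a small custody log. This is an added example, not part of the original page or of the ACPO guide; the hash-chained log format, the names, the timestamps and the exhibit bytes are all constructed assumptions.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_entry(log, who, action, exhibit_bytes, when):
    """Append a custody entry bound to the exhibit hash and the previous entry."""
    entry = {
        "seq": len(log) + 1,
        "when": when,
        "who": who,
        "action": action,
        "exhibit_sha256": sha256_hex(exhibit_bytes),
        "prev": log[-1]["entry_sha256"] if log else "0" * 64,
    }
    entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_log(log, acquisition_sha256):
    """Return a list of problems; an empty list means the record is consistent."""
    problems, prev = [], "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_sha256"]:
            problems.append(f"entry {e['seq']}: record edited after the fact")
        if e["prev"] != prev:
            problems.append(f"entry {e['seq']}: chain broken")
        if e["exhibit_sha256"] != acquisition_sha256:
            problems.append(f"entry {e['seq']}: exhibit differs from acquisition hash")
        prev = e["entry_sha256"]
    return problems

# Constructed sample bytes standing in for an acquired disk image.
ORIGINAL = b"constructed exhibit image bytes"
def demo():
    log = []
    first = append_entry(log, "Officer A", "acquired image", ORIGINAL, "2024-01-10T09:00Z")
    append_entry(log, "Analyst B", "verified working copy", bytes(ORIGINAL), "2024-01-11T14:30Z")
    clean = verify_log(log, first["exhibit_sha256"])
    # A working copy that no longer matches the acquisition hash is flagged.
    append_entry(log, "Analyst B", "analysis", ORIGINAL + b"!", "2024-01-12T10:00Z")
    altered = verify_log(log, first["exhibit_sha256"])
    # Rewriting an earlier custody entry is flagged as well.
    log[1]["who"] = "Someone else"
    edited = verify_log(log, first["exhibit_sha256"])
    return clean, altered, edited
```

Calling `demo()` returns three problem lists: an empty one for the consistent record, one flagging the altered copy, and one that also flags the rewritten custody entry.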


  1. Preparation is one of the most important aspects of testifying in court.
     • Rehearsing with the prosecutor/lawyer a script of direct examination
     • Conclusions should be stated early
  2. Be prepared with clear explanations and supporting evidence.
  3. It is advisable to pause before answering questions to give a lawyer or prosecutor time to express objections.
  4. If prompted to answer a complex question with simply “yes” or “no,” inform the court that you do not feel that you can adequately address the question with such a simplistic answer, but follow the direction of the court. Above all, be honest.
  5. In addition to presenting findings, it is necessary to explain how the evidence was handled and analyzed to demonstrate chain of custody and thoroughness of methods.
  6. When presenting technical aspects of digital evidence such as how files are recovered or how logon records are generated, first give a simplified, generalized example and then demonstrate how this applies to the evidence in the case.
  7. Digital investigators are often required to provide all notes related to their work and possibly different versions of an edited/corrected report. Therefore organize any screenshots or printouts (initialed, dated and numbered).


1. Criminal Case 9 of 2008: Edward Kirui 2010


2. Republic v. Wilfred Machage, Fred Kapondi Chesebe & Christine Nyagitha Miller, Criminal Case No. 1140 of 2010