Press "Enter" to skip to content

Public Security Organs for Collecting Electronic Evidence in Criminal Cases

Promulgation Date: 2019-1-2
Title: Public Security Organs for Collecting Electronic Evidence in Criminal Cases
Document Number:
Expiration date: 
Promulgating Entities: Ministry of Public Security
Source of text: http://www.mps.gov.cn/n2254314/n2254409/n4904353/c6337154/content.html

Chapter I: General Provisions

Chapter II: Collection and Extraction of Electronic Data

Section 1: Ordinary Provisions

Section 2: Seizure and Sealing of Original Storage Media

Section 3: On-scene Extraction of Electronic Data

Section 4: Online Extraction of Electronic Data

Section 5: Freezing Electronic Data

Section 6: Collection of Electronic Data

Chapter III: Inspection and Investigative Testing of Electronic Data

Section 1: Examination of Electronic Data

Section 2: Investigative Tests of Electronic Data

Chapter IV: Commissioning Inspections and Evaluations of Electronic Data

Chapter V: Supplementary Provisions

 

Public Security Organs for Collecting Electronic Evidence in Criminal Cases

Ministry of Public Security

Public Security Organs for Collecting Electronic Evidence in Criminal Cases

Chapter I: General Provisions

Article 1: These Rules are made on the basis of the "Criminal Procedure Law of the People's Republic of China", the "Provisions on Procedures for Public Security Organs Handling Criminal Cases", and other relevant provisions, so as to regulate public security organs' efforts to collect electronic data evidence in in handling criminal cases, to ensure the quality of collected electronic data evidence, and to increase the efficiency of collecting electronic data evidence.

Article 2: Public security organs handling criminal cases shall follow the legally prescribed procedures and obey relevant technical standards to fully, objectively and promptly gather and extract electronic data involved in the cases, and ensure the veracity and integrity of the electronic data evidence.

Article 3: Collection of electronic data evidence includes, but is not limited to:

(1) Gathering or extraction of electronic data;

(2) Inspection or investigative testing of electronic data;

(3) Inspections and Evaluations of Electronic Data.

Article 4: Where public security organs' collection of electronic data evidence involves state secrets, police work secrets, commercial secrets, or personal privacy, they shall preserve confidentiality; collected materials that are unrelated to the case shall be promptly returned or destroyed.

Article 5: Electronic data received or lawfully collected by public security organs that was collected or extracted by other government organs in the course of administrative law enforcement or handling or reviewing cases, may be used as evidence in criminal cases.

Chapter II: Collection and Extraction of Electronic Data

Section 1: Ordinary Provisions

Article 6: The collection and extraction of electronic data shall be carried out by two or more investigators. When necessary, person with specialized knowledge may be appointed or hired to collect or extract electronic data under the supervision of investigators.

Article 7: One or more of the following measures or methods shall be employed when gathering or extracting electronic data:

(1) Sealing or seizing the original storage medium;

(2) On-scene extraction of electronic data;

(3) Online extraction of electronic data;

(4) Freezing electronic data;

(5) Collecting electronic data.

Article 8: In any of the following circumstances, methods such as printing, photographing, or recording may be used to fix the evidence:

(1) There is no way to seize the original storage medium and no way to extract the electronic data;

(2) The electronic data has self-destruct functions or apparatus and the relevant evidence needs to be promptly fixed;

(3) Where it is necessary to display or look over the relevant electronic data on-scene.

Where after evidence is fixed through methods such as printing, photography, or video recording on the basis of items (2) or (3) of the preceding paragraph, the original storage medium can be seized, it should be so seized; where the original storage medium cannot be seized but electronic data can be extracted, the electronic data shall be extracted.

Article 9: Where relevent evidence is fixed through methods such as printing, photography or video, it shall clearly reflect the content of the electronic data and the reaons for employing these methods to fix the evidence, and circumstances such as the place where the electronic data is saved and the characteristics and location of the original storage medium shall be noted in the record, and the investigators and the person in possession (providing) the electronic data are to sign it or affix a seal; where the person in possession (providing) the electronic data is unable to sign or refuses to do so, this shall be noted in the record and an authenticating witness is to sign or affix a seal.

Section 2: Seizure and Sealing of Original Storage Media

Article 10: Where during investigative activities electronic data is discovered that can show the criminal suspect is guilty or not guilty, that the crime was light or serious, and the original storage media can be seized, they shall be sealed and seized, and a record is to be made recording the sealing of the electronic data's original storage medium.

When inspecting or examining crime scenes related to electronic data, relevant norms shall be followed to handle equipment and seize and seal original storage media.

Article 11: Original strorage media that are seized shall be sealed according to the following requirements:

(1) While ensuring that there is no way to remove the seal, where there is no way to use or launch the sealed original storage media, when necessary, electronic equipment, hard drives, memory cards, and other internal storage media may be sealed separately,

(2) Pictures shall be taken before and after the sealing of the original storage medium. The pictures shall reflect the state of the original storage medium before and after sealing, clearly reflect state of the seals or saling tape, and when necessary, the pictures should also clearly reflect detailed of storage media internal to electronic equipment;

(3) Sealing of original storage media with wireless communications functions such as mobile phones shall employ measures such as signal blocking, cutting off signals, or cutting the power supply.

Article 12: Seized original storage media shall be checked in conjunction with authenticating witnesses and the persons in possession of (providing) the original storage medium, and a "Seizure List" is to be drawn up on-scene with three identifcal copies, stating the name, index number, quantity, characteristics, and source of the original storage medium, and the investigators, persons in possession (providers) and authenticating witnesses are to sign it or affix their seals, with one copy going to the persons in possession (providers), one copy given to the custodian of the public security organs, and one copy being put in the case file.

Article 13: Where there is no way to determine the person in possession of (providing) the original storage medium, or the person in possession of (providing) the original storage medium is unable to sign or affix a seal, or refuses to do so, this shall be noted in the relevant records and an authenticating witness is to sign or affix a seal. Where for objective reasons there is no way to have personnel who meet the requirements serve as witnesses, the situation shall be noted in the relevant record, and a video record made of the entire process of seizing the original storage medium.

Article 14: In seizing the original storage medium, evidence relevant to the original storage medium such as witness testimony and criminal suspects' statements and defenses shall be gathered.

Article 15: When seizing the original storage medium, the following may be learned of from relevant persons, gathered, and noted in the record:

(1) The circumstances of the original storage medium and application systems, network topology and system layout, whether there are multiple persons using or managing it, the identity of the users or managers;

(2) The user names and passwords for the original storage medium and application systems;

(3) The circumstances of data backups for the original storage medium, whether there are encrypted disks or containers, whether there are other mobile media, whether there backups have been made, the location of backup storage data, and so forth;

(4) Other relevant content.

Section 3: On-scene Extraction of Electronic Data

Article 16: In any of the following circumstances where the original storage medium cannot be seized, electronic data may be extracted at the scene.

(1) it is inconvenient to seal the original storage medium;

(2) the data is extracted from computer memory, network transmission data, or other such electronic data that is not stored in a storage medium;

(3) The case is urgent and if the electronic data is not immediately extracted, it might cause the electronic data to be destroyed or other serious consequences;

(4) Closing electronic equipment might lead to a service stoppage in important information systems;

(5) It is necessary to extract electronic data on-scene to check suspicious storage media;

(6) After currently operating computer information system functions or applications are closed, there will be no way to make extraction without a password;

(7) other situations where there is no way to seize the original storage medium.

After the circumstance making it impossible to seize the original storage medium have been eliminated, the original storage medium shall be promptly seized and sealed.

Article 17: The following measures may be employed to protect electronic equipment related to on-scene extraction of electronic data:

(1) Promptly separating the criminal suspect or other relevant personnel from the electronic equipment;

(2) In situations where it cannot be determined whether data is easily lost, not closing currently operating electronic equipment;

(3) Where on-scene computer information systems might be remotely controlled, measures such as signal blocking, signal obstructions, or signal disconnecting network connections shall be promptly employed;

(4) Protect the power supply;

(5) Other protective measures that need to be employed.

Article 18: On-scene extraction of electronic data shall comply with the following provisions:

(1) The extracted data must not be stored in the original storage medium;

(2) New applications must not be installed in the target system; If it is necessary to install new applications on the target system due to special circumstances, the goal of installing the applications shall be recorded in the records;

(3) A detailed and accurate recording of operations carried out shall be recorded in the relevant records.

Article 19: Where electronic data is extracted on-scene, a "Record of On-scene Extraction of Electronic Data" shall be drafted noting the source, subject matter, purpose, of the electronic data, and the time, place, method, and processes by which it was extracted, and the reasons why the original storage medium could not be seized, and the location where the original storage medium is stored, and attach the "Inventory of Extracted and Fixed Electronic Data", noting the type, file format, integrity check values, and other information; and the investigators and the person in possession (providing) the electronic data are to sign it or affix a seal; where the person in possession (providing) the electronic data is unable to sign or refuses to do so, this shall be noted in the record and an authenticating witness is to sign or affix a seal.

Article 20: Extracted electronic data may be compressed and the means of compression is to be noted in the records as is the integrity check value following compression.

Article 21: Where there are objective reasons for being unable to have qualified personnel serve as authenticating witnesses, the circumstances shall be noted in the " Record of On-scene Extraction of Electronic Data" and a video is to be made of the entire process and the video file shall have an integrity check value calculated and recorded in the record.

Article 22: Where there is no way to seize the original storage medium, and there is also no way to extract electronic data in one go; after registering, photographing, or making a video, then after it is sealed it may be given to the person in possession (providing) for keeping, and two copies of a "Registered Storage List" are two be made and signed or have a seal affixed by the investigators, persons in possession (providers), and authenticating witnesses, with one copy going to the persons in possession (providers) and the other copy being put in the file along with the pictures or video.

The person in possession (provider) shall appropriately keep it, and must not transfer, sell, or destroy it; must not unseal it; must not access networks without the permission of the case-handling departments; and must not add to, delete, or modify electronic data in it that might be used as evidence. When necessary, the computer information system shall be left in a turned on state.

A decision on the disposition of original storage media in registered storage shall be made within 7 days, and where a decision is not made in the time allowed, it will be viewed as automatically lifted. Where shown to be truly unrelated to the case through investigation, they shall be released within three days.

Section 4: Online Extraction of Electronic Data

Article 23: Electronic data that is published openly, and electronic data on remote computer information systems within the mainland territory, may be extracted online through the networks.

Article 24: Online extraction shall calculate the electronic data's integrity check value, and when necessary, relevant information such as electronic signature authentication certificates, digital signatures, or registration information may be extracted.

Article 25: During online extraction, methods such as recordings, photos, or capturing screen content, shall be employed to record the following information regarding electronic data for which repeat extraction might not be possible or which might be altered:

(1) The method of visiting the remote computer information system;

(2) The date and time of extraction;

(3) The tools and means used in extraction;

(4) The network address and storage path of the electronic data, or the steps taken for accessing the electronic data;

(5) The process and outcome of integrity checks.

Article 26: The source, subject, goals, and targets of online extraction of electronic data shall be indicated in relevant records; as well as the time, place, method, and process of the extraction of electronic data, and reasons for being unable to seize the original storage medium; an "Inventory of Extracted and Fixed Electronic Data" is to be attached, indicating the type, document format, integrity check value, and so forth, and the investigators are to sign it or affix a seal.

Article 27: When it is necessary in online extraction to further clarify the following situations, remote network inspections shall be conducted of the remote computer information systems:

(1) Where it is necessary to analyze and judge the scope of electronic data for extraction;

(2) Where it is necessary to present or describe the content or status of electronic data;

(3) Where it is necessary to install new applications on remote computer information systems;

(4) Where it is necessary to use inspection actions to make the remote computer information system create new electronic data beyond that of its normal operational data;

(5) Where it is necessary to collect remote computer information system status information, or other information related to electronic data such as on system architecture, internal system relations, file directory structure, and system work processes.

(6) Other situations in online extractions where it is necessary to further ascertain relevant circumstances.c

Article 28: The county-level public security organs handling the case are responsible for online remote inspections. Higher level public security organs are to provide technical support to lower level public security organs online remote inspections in criminal cases. The county-level public security organs handling the case are responsible for online remote inspections.

Article 29: Online remote inspections shall have a unified command, tight organization, a clear division of labor, and assigned responsibilities.

Article 30: Qualified personnel shall act as authenticating witnesses in online remote inspections. Where there are objective reasons for being unable to have qualified personnel serve as authenticating witnesses, the circumstances shall be noted in the "Remote Inspection Record" and a video is to be made in accordance with article 25 of these Rules; and the video may be made by means such as screen capture or video camera, and the video file shall have an integrity check value recorded in the record.

Article 31: After remote inspections are concluded, a "Remote Inspection Record" shall be promptly drafted, recording in detail the circumstances relevant to the remote inspection as well as inspection content such as pictures or screenshots. Investigators and authenticating witnesses are to sign it or affix a seal.

Where there are remote inspections and extraction of electronic data, the provisions of article 26 of these Rules are to be followed, with the relevant circumstances noted in the "Remote Inspection Record" and the "Inventory of Extracted and Fixed Electronic Data" attached.

Article 32: The "Remote Inspection Record" shall be objective, complete, detailed, accurate, and standardized; able to be the basis for restoring remote computer information systems to their original state, and meeting the legally-prescribed requirements for evidence.

Where multiple remote inspections are conducted of a computer information system, after the initial "Remote Inspection Record" is drafted, draft incremental supplemental "Remote Inspection Records" .

Article 33: When making online extractions or remote online inspections, the remote computer information system access authority, such as user names and passwords provided by the persons in possession of the electronic data or the network service providers shall be used.

Where technical investigation measures are employed to collect electronic data, approval formalities shall be completed in strict accordance with relevant provisions. When the collected electronic data is to be used as evidence in proceedings, the provisions of Criminal Procedure Law article 154 are to be followed.

Article 34: In the following types of criminal cases, the complete process of online extraction or remote inspections shall be recorded:

(1) cases seriously endangering national security or public safety;

(2) Cases where the electronic data is key evidence for conviction or sentencing, such as for showing whether there was a crime, or whether to impose indefinite detention or the death penalty;

(3) Cases with a larger social impact;

(4) Cases where the criminal suspect might be sentenced to a punishment of 5 years imprisonment or higher;

(5) Other major cases where synchronous recording of the entire process is necessary.

Article 35: Where online extraction or remote inspections use proxy servers, point-to-point transmission software, download acceleration software, or other such network tools; the name and version number of the software employed shall be noted in the "Online Extraction Record" and "Remote Inspection Record".

Section 5: Freezing Electronic Data

Article 36: In any of the following circumstances, electronic data may be frozen:

(1) There is a large volume of data, that is unable or inconvenient to be collected;

(2) The extraction time is long and might cause the electronic data to be tampered with or destroyed;

(3) the electronic data can be more intuitively displayed through network applications;

(4) Other situations where freezing is necessary.

Article 37: The freezing of electronic data shall be upon approval of the responsible person for a public security organ at the county level or above, with a "Notification of Sssistance in Freezing Electronic Data" drafted indicating information such as the network application account number of the frozen electronic data, and it shall be given to the person holding the electronic data, the network service providers, or relevant departments to assist in handling.

Article 38: When it is not necessary to coninue freezing electronic data, upon the approval of the responsible person for the public security organ at the county level or above, a "Notification of Unfreezing of Electronic Data" is to be drafted within 3 days, notifying the person in possession of the electronic data, the network service providers, or relevant departments for enforcement.

Article 39: The period for freezing of electronic data is 6 months. Where it is necessary to extend the time limits due to special reasons, the public security organ shall handle the formalities for continuation of the freezing before the completion of the freezing period. The period for each extension of freezing must not exceed six months. Where freezing is continued, the freezing formalities shall be newly conducted in accordance with the provisions of Article 37 of these Rules. Where the period is exceeded without handling formalities for the continuation of freezing, it is viewed as an automatic unfreezing.

Article 40: One or more of the following methods shall be employed when freezing electronic data:

(1) Calculating the electronic data's integrity check value;

(2) Locking network application accounts;

(3) Employing write-protection measures;

(4) Other measures to prevent the addition, deletion, or modification of electronic data.

Section 6: Collection of Electronic Data

Article 41: Public security organs collection of electronic data from relevant departments or indivduals shall be upon the approval of the responsible person for the case-handling department, and issuance of a "Notification of Collection of Electronic Data" indicating the relevant information about the electronic data to be collected, and notice given to the person holding the electronic data, the network service providers, or relevant departments for enforcement. Units and individuals from whom collections are made shall sign or affix a seal to an acknowledgment receipt for the Notification and attach an explanation of integrity check values and other methods for preserving the completeness of the electronic data; and where the units or individuals refuse to affix a seal or sign, or to attach the explanations, the public security organs shall note this. When necessary, methods such as audio or visual recording shall be employed to fix the content of evidence and the process of evidence collection.

Public security organs shall assist units and individauls from whom collections are made that objectively lack capacity to preserve the completeness of electronic data in conducting protections of electronic data's completeness.

Article 42: Where public security organs cross jurisdictions to investigate and collect evidence, they may send a "Case-handling Cooperation Letter", relevant legal documents and corroboration to the local public security organ by fax or transmit them through the public security organs' information systems. Upon review and confirmation, the cooperating local public security organ handling the case may investigate and collect evidence on their behalf after affixing the local case-handling department's seal to the received legal documents.

After the cooperating case-handling department collects evidence on their behalf, they may send relevant confirmation receipts for legal documents and records by mail to the public security organ handling the case, and send the explanation of electronic data or tools and methods used in obtaining or viewing the electronic data, to the public security organs handling the case through the public security organs information system.

The cooperating public security organs shall review the completeness of the extracted electronic data, and where there are doubts about the ensuring the completeness of the electronic data, the cooperating case-handling department shall help them make a new extraction.

Chapter III: Inspection and Investigative Testing of Electronic Data

Section 1: Examination of Electronic Data

Article 43: When it is necessary to use methods such as data recovery, unlocking, searching, simulation, relevance, statistics, or comparisons on seized original storage media or extracted electronic data in order to further discover and extract leads and evidence relating to the case, and examination of electronic data may be conducted.

Article 44: Examination of electronic data shall be carried out by two or more investigators who possess specialized skills. When necessary, persons with specialized knowledge may be appointed or hired to participate.

Article 45: Methods for examining electronic data shall comply with relevant technical standards.

Article 46: Examination of electronic data shall preserve the integrity of electronic data as it is transferred internally through the public security organs. When it is transferred, transfer formalities are to be completed and the electronic data is to be verified in accordance with the following means:

(1) Verifying the accuracy of integrity check values;

(2) Verifying whether photos are consistent with presealing state.

Where the integrity check value of electronic data is inaccurate when transferring, the state of the original storage medium is inconsistent, or not sealing might impact the accuracy or completeness of evidence, the inspectors shall note this in the record.

Article 47: Examination of electronic data shall comply with the following principles:

(1) Conducting examination using write-protection equipment to access the examined equipment, or make a backup of the electronic data and conduct examination of the backup.

(2) Where it is impossible to use write-protection equipment and also impossible to make a backup, the reasons are to be noted and the entire process recorded;

(3) Where unsealed before inspection and then resealed after inspection, pictures shall be taken before and after the sealing of the original storage medium, clearly reflecting the seal or sealing tape;

(4) Examiniation of original storage media with wireless communications functions shall employ measures such as signal blocking, cutting off signals, or cutting the power supply to preserve the integrity of electronic data.

Article 48: A "Record of Examination of Electronic Data" shall be drafted for examinations of electronic data, recording the following content:

(1) Basic circumstances. Including the time the examination began and concluded, the persons in command, the names and titles of the examiners, the subject of the examination, the goals of the examination, and so forth;

(2) The examination process. Including the tools used in the examination process, the method of examination, and its steps;

(3) The examination outcomes. Including case leads, electronic data, and other information discovered during the examination.

(4) Other content that needs to be recorded.

Article 49: Where it is necessary to extract electronic data when examining electronic data, an "Inventory of Extracted and Fixed Electronic Data" shall be drafted,recording the source of electronic data, the method of extraction, and integrity check values.

Section 2: Investigative Tests of Electronic Data

Article 50: When necessary to clarify case facts, with the approval of the responsible person at a public security organ at the county level or above, investigative tests may be conducted on electronic data.

Article 51: The tasks of investigative testing of electronic data include:

(1) To verify that uder certain conditions an abnormality of come kind occurs or that some change occurs to the electronic data;

(2) To verify whether some operation can be completed on the electronic data in a certain amount of time;

(3) To verify whether under certain conditions, specified software or hardware can complete certain actions, causing certain outcomes;

(4) To confirm if under certain conditions a certain computer information system is used or whether network actions can change or delete specified electronic data;

(5) Other situations requiring testing.

Article 52: Investigative testing of electronic data shall meet the following requirements:

(1) Technical measures shall be employed to preserve the integrity of data in the original storage medium;

(2) Where there is capacity, the investigative tests of electronic data shall be conducted two or more times;

(3) Electronic equipment, network environments, and so forth used in investigative tests shall be consistent or basicly consistent with the scene of the crime when committed; and when necessary relevant technical measures may be employed to simulate the relevant environment or contact comparative tests;

(4) Conduct that might disclose citizens personal information or impact the normal operation of computer information system other than the test environment is forbidden.

Article 53: One or more methods such as photographs, video, audio recording, or collection of communication data shall be used in carrying out of investigative tests of electronic data, to objectively record the testing process.

Article 54: A "Record of Investigative Testing of Electronic Data" shall be drafted where conducting investigative tests of electronic data, recording the conditions, process, and outcome of the investigative tests, and the persons participating in the investigative tests are to sign it or affix a seal.

Chapter IV: Commissioning Inspections and Evaluations of Electronic Data

Article 55: So as to clarify the case circumstances and resolve certain specialized issues in a case, persons with specialized knowledge shall be appointed or hired to conduct an appraisal, or an establishment designated by the Ministry of Public Security is to be retained to issue a report.

Where it is necessary to hire a person with specialized knowledge to conduct and appraisal,or to retain an establishment designated by the Ministry of Public Security to issue a report, it shall be upon approval of the responsible persons at a public security organ at the county level or above.

Article 56: When investigators make submissions for examination, they shall seal the original storage medium, employ measures to protect the integrity of the electronic data, and provide needed case information.

Article 57: Establishments designated by the Ministry of Public Security and their personnel taking on inspection work shall independently carry out operations and bear corresponding responsibility, they are not to be influenced by other establishments or individuals.

Article 58: Establishments designated by the Ministry of Public Security shall follow provisions of law and the requirements of the judicial adjudication organs in taking on obligations such as for recusal, confidentiality, and appearances in court to testify, and are responsible for the veracity and legality of reports.

The establishments designated by the Ministry of Public Security shall use scientific methods to conduct examinations and testing, and issue a report.

Article 59: The establishments designated by the Ministry of Public Security shall possess the necessary instruments and equipment, and have qualifications verified in accordance with law or laboratory acceptance.

Article 60: For other matters on the Ministry of Public Security commissioning of designated establishments to issue a report, proceed with reference to the "Public Security Organ Rules on Forensic Examinations" and other relevant provisions.

Chapter V: Supplementary Provisions

Article 61: These Rules are to take effect on February 2, 2019. Where documents previously released by the Ministry of Public Security differ from these Rules, these Rules control.

 

Click to rate this post!
[Total: 0 Average: 0]

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Translate