Introduction
Digital forensics in Turkish cybercrime cases is one of the most decisive areas of modern criminal litigation. Cybercrime files rarely depend only on witness statements or physical evidence. They often depend on mobile phone extractions, computer images, IP logs, cloud records, social media data, e-mail headers, bank transaction records, server logs, screenshots, metadata, deleted files, GPS data, messaging application records, cryptocurrency wallet traces and expert reports.
In Turkey, cybercrime allegations may involve unlawful access to information systems, system interference, deletion or transfer of data, misuse of bank or credit cards, prohibited devices or programs, computer-related fraud, online threats, blackmail, personal data offences and privacy violations. The Council of Europe identifies Turkish Penal Code Articles 243, 244, 245 and 245/A as core Turkish cybercrime provisions and also refers to Article 158/1-f for computer and communications fraud.
Digital forensics is important because digital evidence is powerful but fragile. A single IP record, device image or chat export may influence the entire case. However, digital evidence can also be incomplete, manipulated, misunderstood, unlawfully obtained or technically insufficient to prove guilt. For this reason, Turkish cybercrime cases require careful analysis of how evidence was collected, whether legal procedure was followed, whether the original data was preserved, whether the expert report is reliable and whether the evidence truly proves the accused person’s identity, intent and conduct.
This article explains digital forensics in Turkish cybercrime cases from a practical legal perspective. It covers CMK Article 134, computer and mobile phone examinations, expert reports, screenshots, IP logs, chain of custody, unlawful evidence objections, victim strategy and defence strategy.
1. What Is Digital Forensics?
Digital forensics is the process of identifying, preserving, collecting, analyzing and presenting digital evidence in a legally reliable manner. In cybercrime cases, digital forensics may be used to determine whether a device was hacked, whether data was copied, whether files were deleted, whether a user logged into an account, whether a phone contained incriminating messages, whether malware was installed or whether money was transferred through digital channels.
Digital forensic evidence may come from many sources:
Mobile phones.
Computers and laptops.
External drives and USB devices.
Cloud storage accounts.
Social media accounts.
E-mail accounts.
Messaging applications.
Banking applications.
Cryptocurrency wallets.
Corporate servers.
Web hosting records.
Firewall logs.
VPN records.
Camera systems.
Vehicle infotainment systems.
Smart devices.
The legal importance of digital forensics is not limited to technical discovery. A forensic finding must be connected to criminal law elements. For example, finding a login from an IP address may show that a connection occurred, but it does not automatically prove who used the device. Finding a deleted file may show that deletion occurred, but it may not prove criminal intent. Finding a screenshot may support a complaint, but it may not prove authenticity without context.
2. Legal Framework: CMK Article 134
The central procedural rule for digital device examination in Turkish criminal investigations is Article 134 of the Criminal Procedure Code. Article 134 regulates search, copying and seizure of computers, computer programs and computer logs. It provides that, where there are strong suspicions based on concrete evidence and no other way to obtain evidence, a judge or, in urgent cases, a public prosecutor may authorize search of the suspect’s computer, computer programs and computer logs, copying of records, deciphering of records and conversion into text. Prosecutor decisions must be submitted to judicial approval within the statutory period.
Article 134 also provides procedural safeguards. Where access cannot be obtained because of password protection, hidden information or lengthy processing, devices may be seized for decryption and copying; once passwords are resolved and copies are made, seized devices must be returned without delay. During seizure of computers or computer logs, all data in the system must be backed up, and a copy from the backup must be given to the suspect or defence counsel, with this matter recorded and signed.
This provision is crucial in cybercrime defence and victim-side strategy. If a device examination is conducted without proper legal authorization, without preserving original data, without proper copying, or beyond the scope of the decision, the defence may challenge the evidence. On the victim side, a criminal complaint should request lawful and technically proper examination rather than relying only on informal screenshots or internal IT findings.
3. Why CMK Article 134 Matters in Cybercrime Cases
CMK Article 134 matters because digital evidence is easy to alter and difficult to interpret. A computer, phone or server may contain millions of files, logs and application records. Without forensic discipline, relevant evidence may be destroyed or contaminated.
The article also reflects a proportionality principle. Digital device examination may expose private life, personal data, commercial secrets, legal communications and third-party information. Therefore, the measure should not be used casually. It requires concrete suspicion and should be used where evidence cannot be obtained by less intrusive means.
In practice, CMK Article 134 may be relevant in cases involving:
Hacked social media accounts.
Unauthorized access to corporate systems.
Online banking fraud.
Phishing schemes.
Cryptocurrency fraud.
Digital blackmail.
Sextortion.
Malware and spyware.
DDoS attacks.
Employee data theft.
Source code theft.
Fake invoice fraud.
Personal data leaks.
Mobile phone messaging evidence.
A defence lawyer should examine whether the decision was specific, whether the device was within the scope of the decision, whether copying was performed properly, whether the suspect or counsel received a copy where requested, whether the data was searched for the relevant offence only, and whether unrelated private data was unlawfully reviewed.
4. Device Examination: Computers, Phones and Storage Media
Device examination may involve laptops, desktop computers, mobile phones, tablets, USB drives, external hard drives, memory cards, servers and cloud-connected devices. Although Article 134 refers to computers, computer programs and logs, modern practice often applies its logic broadly to digital devices where forensic examination is necessary.
A proper device examination should generally follow forensic principles:
The original device should be preserved.
A forensic image or copy should be created where possible.
Hash values should be calculated to verify integrity.
The examination should be documented.
The tools used should be recorded.
The scope should match the judicial authorization.
Relevant data should be separated from irrelevant private data.
Findings should be explained in a clear expert report.
The expert should distinguish between what is technically shown and what is legally inferred.
For example, a forensic report may say that a file existed on a device. That is a technical finding. Saying that the suspect intentionally downloaded the file for criminal use is a legal inference that may require additional evidence.
5. Mobile Phone Forensics
Mobile phones are among the most important evidence sources in Turkish cybercrime cases. A smartphone may contain WhatsApp messages, Telegram chats, SMS codes, call logs, e-mail accounts, banking applications, photographs, location records, browser history, cloud synchronization data, social media sessions, wallet applications and deleted files.
However, mobile phone forensics is also highly sensitive. Phones contain private life data far beyond the alleged offence. A broad and uncontrolled phone extraction may include family photographs, medical information, privileged communications, unrelated chats and personal secrets. Therefore, defence lawyers often challenge mobile phone examinations where the search was overbroad, lacked proper authorization, exceeded scope or failed to preserve forensic integrity.
Important mobile forensic questions include:
Was the phone lawfully seized or copied?
Was there a CMK Article 134 decision?
Was the extraction logical, file-system or physical?
Were hash values recorded?
Was cloud data separately accessed?
Were deleted messages recovered?
Was the time zone correctly interpreted?
Were screenshots supported by original message databases?
Were third-party private communications unnecessarily reviewed?
Was the defence given an opportunity to examine the data?
In cybercrime cases, a phone extraction should not be treated as automatically conclusive. It must be tested for legality, integrity, scope and relevance.
6. Expert Reports in Turkish Cybercrime Cases
Expert reports are central in digital forensics. Courts and prosecutors often rely on experts to explain technical issues that judges, prosecutors and lawyers cannot directly evaluate. An expert may analyze devices, logs, IP records, malware, screenshots, file metadata, blockchain transactions, deleted data, e-mail headers or system activity.
However, an expert report is not automatically reliable merely because it uses technical language. A strong expert report should explain:
What evidence was examined.
How the evidence was obtained.
Whether the original data was preserved.
Which tools were used.
Whether hash values were calculated.
What timestamps mean.
Whether the time zone was considered.
Whether the data was complete.
Whether alternative explanations exist.
What findings are certain.
What findings are probable.
What findings cannot be concluded.
A weak expert report may simply repeat screenshots, summarize police allegations, rely on incomplete logs or make legal conclusions beyond the expert’s technical role. In such cases, the defence may request an additional report, a new expert panel or specific answers to technical questions.
7. Common Weaknesses in Digital Forensic Reports
Digital forensic reports may suffer from several weaknesses:
No explanation of acquisition method.
No hash verification.
No clear chain of custody.
No original device examination.
Reliance only on screenshots.
Failure to analyze malware possibility.
Failure to examine remote access.
Failure to distinguish account ownership from account use.
Failure to check time zone differences.
Failure to compare logs with bank, telecom or platform records.
Failure to explain whether data was manually created, automatically generated or recovered.
Failure to identify who actually used the device.
Failure to separate technical findings from legal conclusions.
In cybercrime defence, objections should be specific. A general objection saying “the report is wrong” is usually weak. The defence should identify exact deficiencies and request precise additional examination.
For example, in an online banking fraud case, the defence may request an examination of whether the device contained remote access software. In an IP-based case, the defence may request port information, subscriber details, modem logs and user attribution. In a WhatsApp evidence case, the defence may request examination of the original message database rather than screenshots.
8. Chain of Custody
Chain of custody means the documented history of evidence from collection to court. It answers the question: who handled the evidence, when, how, where and under what conditions?
Chain of custody is critical for digital evidence because digital data can be copied, modified or deleted without visible physical traces. Turkish evidentiary practice places importance on lawful acquisition, preservation of original data, exact copies, chain-of-custody documentation and forensic reporting when evaluating the reliability and evidential weight of digital material.
A proper chain-of-custody record should show:
The device or data source.
Date and time of seizure or acquisition.
Identity of officers or experts involved.
Method of copying or imaging.
Hash values.
Storage location.
Access history.
Transfers between units.
Examination dates.
Tools used.
Reports generated.
If chain of custody is incomplete, the defence may argue that the evidence cannot be trusted. The issue becomes especially important in cases involving phones, USB devices, cloud exports, company IT records and privately collected evidence.
9. Hash Values and Forensic Integrity
Hash values are digital fingerprints. They help prove that a forensic copy has not changed since acquisition. If a device image has a hash value at the time of acquisition and the same hash value at the time of examination, this supports integrity.
In digital forensics, hash values are important because two visually identical files may not be identical at a binary level. Even a small change produces a different hash. Therefore, reports should identify whether hash values were calculated, which algorithm was used, whether the original and forensic copy match, and whether subsequent analysis used the forensic copy rather than the original device.
Where hash values are absent, the evidence is not automatically invalid. However, absence of hash verification may weaken reliability, especially where the defence alleges alteration, contamination or selective extraction.
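The following sketch illustrates the chain-of-custody and hash verification points in sections 8 and 9. It is an added example, not part of the original article or any official procedure; the file content, handler names and timestamps are constructed, and the record layout is an assumption.

```python
import hashlib
import os
import tempfile
from datetime import datetime

def hash_image(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record(log, when, handler, action, image_path, algorithm="sha256"):
    """Append one custody entry: who handled the image, when, why, and its hash then."""
    log.append({
        "when": datetime.fromisoformat(when),
        "handler": handler,
        "action": action,
        "algorithm": algorithm,
        "hash": hash_image(image_path, algorithm),
    })

def audit(log):
    """Compare every later entry with the acquisition entry and list discrepancies."""
    if not log:
        return ["no acquisition entry"]
    problems = []
    first = log[0]
    for prev, cur in zip(log, log[1:]):
        if cur["when"] < prev["when"]:
            problems.append(f"{cur['action']}: timestamp earlier than previous entry")
        if cur["algorithm"] != first["algorithm"]:
            problems.append(f"{cur['action']}: algorithm differs from acquisition")
        elif cur["hash"] != first["hash"]:
            problems.append(f"{cur['action']}: hash differs from acquisition")
    return problems

def run_demo():
    """Log three handling steps for a constructed image, altering one bit before the last."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "device.img")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image data " * 4096)  # placeholder content

        log = []
        # Constructed handlers and timestamps (UTC+3).
        record(log, "2024-03-01T10:00:00+03:00", "Officer A", "acquisition", image)
        record(log, "2024-03-01T15:30:00+03:00", "Evidence unit", "transfer", image)
        clean = audit(log)

        # Change a single bit in the middle of the image.
        with open(image, "r+b") as fh:
            fh.seek(50_000)
            byte = fh.read(1)
            fh.seek(50_000)
            fh.write(bytes([byte[0] ^ 0x01]))

        record(log, "2024-03-04T09:00:00+03:00", "Expert B", "examination", image)
        return clean, audit(log)

if __name__ == "__main__":
    before, after = run_demo()
    print("after transfer:   ", before)
    print("after examination:", after)
```

The audit is clean while the image is untouched and reports the examination entry once a single bit has changed, although the file has the same size and name throughout.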
10. Screenshots as Evidence
Screenshots are common in Turkish cybercrime files. Victims often submit screenshots of Instagram messages, WhatsApp chats, Telegram groups, fake websites, online banking screens, phishing messages, threats, blackmail, fake investment platforms or defamatory posts.
Screenshots are useful, but they are not ideal forensic evidence. They can be cropped, edited, taken out of context or fabricated. A screenshot may not show metadata, full URL, message ID, sender verification, device source or complete conversation history.
A stronger evidence package should include:
Original messages.
Device examination.
Full URLs.
E-mail headers.
Platform records.
Notarial determination where appropriate.
Account identifiers.
Timestamps.
Context before and after the screenshot.
Witness statements.
Server or platform logs where possible.
A court may consider screenshots, but a conviction should not rest solely on unsupported screenshots if authenticity, context and identity are disputed. The defence should challenge screenshots where original data is missing, dates are unclear, account ownership is not proven, or messages appear incomplete.
11. IP Logs and Attribution Problems
IP logs are frequently used in cybercrime investigations. They may show that an account was accessed from a particular internet connection at a particular time. However, IP logs do not automatically identify the individual user.
Several problems may arise:
Dynamic IP allocation.
Missing port information.
Shared Wi-Fi.
Public Wi-Fi.
Company networks used by many employees.
VPN or proxy use.
TOR or anonymization tools.
Compromised devices.
Remote access malware.
Incorrect time-zone conversion.
Incomplete provider records.
An IP address may be a starting point, not the end of the analysis. To prove personal responsibility, the prosecution should ideally support IP evidence with device data, account records, user behaviour, messages, bank records, CCTV, possession of credentials or other corroborating evidence.
For the defence, the key argument is often that IP attribution proves a connection, not necessarily personal use. This is especially important in shared households, workplaces, student dormitories, internet cafes, public networks and corporate systems.
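The attribution problems listed above can be shown with a small matching exercise. This is an added example, not part of the original article; the provider records, subscriber labels, addresses and times are constructed, and the record layout (one shared public address with per-subscriber port blocks, lease times in local time) is an assumption.

```python
from datetime import datetime, timedelta, timezone

TRT = timezone(timedelta(hours=3))  # Turkey time: fixed UTC+3, no daylight saving since 2016

# Constructed provider records: one public address shared by several subscribers,
# each with its own port block. Lease times are in local time.
# (subscriber, public_ip, port_from, port_to, start_local, end_local)
LEASES = [
    ("SUB-A", "203.0.113.7", 1024, 17407, "2024-03-01 20:00:00", "2024-03-02 02:00:00"),
    ("SUB-B", "203.0.113.7", 17408, 33791, "2024-03-01 20:00:00", "2024-03-02 02:00:00"),
    ("SUB-C", "203.0.113.7", 33792, 50175, "2024-03-01 23:00:00", "2024-03-02 05:00:00"),
    ("SUB-D", "203.0.113.7", 33792, 50175, "2024-03-01 18:00:00", "2024-03-01 23:00:00"),
]

# Constructed platform log entry: the platform records UTC and the source port.
EVENT_UTC = datetime(2024, 3, 1, 21, 30, 0, tzinfo=timezone.utc)
EVENT_IP, EVENT_PORT = "203.0.113.7", 40211

def parse_local(text):
    """Read a provider timestamp as Turkey local time."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=TRT)

def candidates(event_time, ip, port, leases=LEASES):
    """Return subscribers whose lease covers the event.

    port=None models a log that lacks the source port."""
    hits = []
    for sub, lease_ip, p_from, p_to, start, end in leases:
        if lease_ip != ip:
            continue
        if not (parse_local(start) <= event_time < parse_local(end)):
            continue
        if port is not None and not (p_from <= port <= p_to):
            continue
        hits.append(sub)
    return hits

def run_demo():
    return {
        # UTC converted correctly, port known: one subscriber line.
        "utc_with_port": candidates(EVENT_UTC, EVENT_IP, EVENT_PORT),
        # Same time, port missing: every subscriber sharing the address matches.
        "utc_without_port": candidates(EVENT_UTC, EVENT_IP, None),
        # Conversion error: the UTC clock reading is treated as local time.
        "misread_as_local": candidates(EVENT_UTC.replace(tzinfo=TRT), EVENT_IP, EVENT_PORT),
    }

if __name__ == "__main__":
    for label, subs in run_demo().items():
        print(f"{label:18} -> {subs}")
```

With the correct conversion and the port, the records point to one subscriber line; without the port they point to three; with the three-hour error they point to a different subscriber. In every case the result is a subscriber line, not the person who used it.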
12. E-Mail Headers and Business E-Mail Compromise
E-mail evidence is central in phishing, fake invoice fraud and business e-mail compromise cases. A printed e-mail or screenshot may not show technical routing details. Full e-mail headers may reveal sender infrastructure, SPF, DKIM, DMARC results, reply-to manipulation, spoofing indicators, IP addresses, mail servers and timestamps.
In a business e-mail compromise case, the forensic analysis should determine:
Was the genuine mailbox hacked?
Was the e-mail spoofed?
Was a lookalike domain used?
Was there a hidden forwarding rule?
Was the invoice attachment modified?
Did the attacker access the mailbox before sending the fraudulent e-mail?
What IP addresses accessed the mailbox?
Were login alerts deleted?
Were payment instructions changed?
A strong expert report should not merely say “the e-mail was fraudulent.” It should explain the technical basis. For victims, preserving original e-mails with headers is crucial. For defendants, incomplete e-mail evidence may provide important defence arguments.
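As an illustration of the technical basis a header analysis can supply, the sketch below reads the authentication results, the Reply-To address and the sender domain from a full message. It is an added example, not part of the original article; the message, all domains and the two-character lookalike threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. The supplier's genuine domain is assumed to be
# example-supplier.example; the sender below uses the digit 1 instead of the letter l.
RAW = """\
Return-Path: <billing@examp1e-supplier.example>
Received: from mail.examp1e-supplier.example (198.51.100.23) by mx.victim.example; Fri, 01 Mar 2024 09:12:44 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=examp1e-supplier.example; dkim=none; dmarc=none header.from=examp1e-supplier.example
From: "Accounts" <billing@examp1e-supplier.example>
Reply-To: payments@freemail.example
To: finance@victim.example
Subject: Updated bank details for invoice 1042
Date: Fri, 01 Mar 2024 09:12:40 +0000

Please use the new account details for the attached invoice.
"""

def domain_of(header_value):
    """Extract the lower-cased domain from an address header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains a character or two apart."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse(raw, known_domain):
    """Return the header facts an examiner would set out, without a verdict."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    findings = {}
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth)
        findings[mechanism] = match.group(1) if match else "absent"

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings["from_domain"] = from_domain
    findings["reply_to_differs"] = bool(reply_domain) and reply_domain != from_domain
    # Close to the known domain but not equal to it (threshold is an assumption).
    findings["lookalike_of_known"] = 0 < edit_distance(from_domain, known_domain) <= 2
    return findings

def run_demo():
    return analyse(RAW, "example-supplier.example")

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} {value}")
```

In this sample SPF passes because the check ran against the lookalike domain itself, so a passing result alone does not show that the genuine supplier sent the message.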
13. Cloud and Remote Data
Modern cybercrime evidence is often stored in cloud systems rather than local devices. WhatsApp backups, Google accounts, iCloud data, Microsoft 365 logs, cloud drives, SaaS records, CRM exports, Git repositories and cryptocurrency exchange records may all be relevant.
Cloud evidence creates special challenges:
Data may be stored abroad.
The provider may require formal legal requests.
Logs may be retained for limited periods.
Time zones may differ.
Account ownership may not prove personal use.
Cloud synchronization may place files on a device without manual download.
Remote deletion may occur.
Multiple devices may access the same account.
A criminal complaint should request urgent preservation of cloud records where necessary. Defence lawyers should examine whether cloud data was obtained lawfully, whether the scope was proper and whether synchronization or automated backup explains the presence of certain data.
14. Unlawfully Obtained Digital Evidence
Unlawfully obtained evidence is one of the most important issues in Turkish digital forensics. Article 38(6) of the Turkish Constitution provides that findings obtained in violation of law cannot be accepted as evidence; the Criminal Procedure Code also reflects this prohibition through Articles 206 and 217, under which unlawfully obtained evidence must be rejected and criminal allegations may be proved only by lawfully obtained evidence.
This principle is critical in digital cases. Evidence may be technically accurate but legally unusable if obtained unlawfully. Examples may include:
A phone examined without proper authorization.
A computer copied beyond the judicial order.
A private e-mail account accessed by password cracking.
A social media account entered without consent.
Messages obtained through spyware.
Evidence gathered through unlawful interception.
A company reviewing employee private communications beyond lawful scope.
A digital search exceeding the offence specified in the decision.
Turkish practice pays special attention to digital evidence because digital data can be copied, altered or manipulated easily; lawful search and seizure, exact copying, chain-of-custody records and forensic reporting are decisive for evidential weight.
15. Private Collection of Digital Evidence
Many digital evidence disputes involve material collected by private persons. A victim may take screenshots of threats. A spouse may record messages. An employee may copy company files. A person may access another person’s account to obtain proof. A company may review employee devices.
The legal position depends on how the evidence was obtained. If a person submits messages they received directly, this may be different from hacking into another person’s account. The IBA’s comparative analysis of Turkish law notes that where message content is shared by a party to the communication or a legitimate recipient, the issue may not automatically be characterized as unlawful acquisition; unlawfulness is linked to the method by which access was obtained.
However, planned, prolonged or provoked recordings and evidence obtained through unauthorized access, password cracking or covert interference can create serious admissibility problems. In criminal proceedings, the defence should examine whether the complainant obtained the evidence through lawful access or through an unlawful intrusion.
16. Digital Evidence in Victim Complaints
Victims of cybercrime should preserve digital evidence quickly and carefully. Many digital records disappear: social media accounts change usernames, fake websites go offline, banking logs are overwritten, call records become harder to obtain and cloud logs expire.
A victim should preserve:
Screenshots showing date, time, URL and account name.
Original messages.
E-mails with full headers.
Bank transfer receipts.
Wallet addresses and transaction hashes.
Phone numbers and usernames.
Phishing links.
Device notifications.
Login alerts.
Fake profile URLs.
Ransom notes.
Server logs if the victim is a company.
The criminal complaint should request concrete investigative steps: platform records, IP logs, bank account records, telecom data, device examination, expert report and preservation of digital evidence. A complaint that only attaches screenshots may be weaker than one that explains what records should be requested and why.
17. Digital Evidence in Corporate Cybercrime
Corporate cybercrime cases often involve employee data theft, former employee access, source code theft, customer database exports, fake invoice fraud, business e-mail compromise, ransomware and cloud breaches.
Companies should preserve:
VPN logs.
Server logs.
E-mail audit logs.
CRM export records.
Repository logs.
USB connection records.
Cloud access records.
Firewall logs.
Endpoint alerts.
Payment approval records.
Internal chat records.
Employee access permissions.
Offboarding records.
Companies must act carefully. If an IT department deletes accounts, formats devices or resets systems without preserving logs, the company may lose evidence. In serious cases, forensic imaging and legal supervision should be used.
18. Expert Report Objections for Defence Lawyers
A defence lawyer should review every digital expert report with specific questions:
Was the evidence lawfully obtained?
Was CMK Article 134 followed?
Was the original device preserved?
Was a forensic copy created?
Were hash values calculated?
Was chain of custody documented?
Was the correct device examined?
Were timestamps converted correctly?
Were screenshots verified with original data?
Was malware or remote access considered?
Was the device shared?
Were alternative users considered?
Did the expert exceed technical expertise and make legal conclusions?
Is the report based on complete data or selective materials?
Did the report prove intent or only technical activity?
A strong objection should request specific additional examination. For example: “The expert report should be supplemented to determine whether remote access software existed on the device during the alleged transaction period.” This is more effective than a generic objection.
19. Defence Strategies in Digital Forensic Cases
Cybercrime defence often depends on challenging attribution, intent, legality and evidential integrity.
Common defence arguments include:
The device was shared.
The account was compromised.
The IP address does not identify the accused.
The evidence was obtained unlawfully.
CMK Article 134 safeguards were not followed.
The expert report is incomplete.
The screenshot is unsupported.
The timestamps are wrong.
The accused had authorization.
The data was synchronized automatically.
The alleged file was not opened or used.
The bank account was used by another person.
The accused was a money mule without intent.
Malware or remote access caused the activity.
The legal classification is excessive.
Defence should not deny technical evidence blindly. It should identify what the evidence proves and what it does not prove. For example, a log may prove access from an account, but not necessarily personal criminal use. A wallet address may prove a transfer, but not necessarily wallet control by the accused.
20. Victim-Side Strategy in Digital Forensic Cases
Victims also need strategy. A victim who wants a strong investigation should provide structured evidence and ask for technically meaningful measures.
A victim-side lawyer should:
Prepare a chronological incident timeline.
Classify the offence correctly.
Preserve original digital material.
Avoid relying only on screenshots.
Identify platform, bank, telecom and provider records.
Request urgent preservation where logs may disappear.
Request device examination where a suspect is known.
Request expert analysis of IPs, e-mail headers, malware or wallet transactions.
Explain financial, reputational or privacy damage.
Preserve evidence before content removal.
In corporate cases, the complaint should include internal logs and forensic findings but should also request official collection of third-party records. Private forensic reports can guide the investigation, but official evidence collection may still be necessary.
21. Practical Checklist for Digital Forensic Evidence
A strong digital forensic evidence package should include:
Original data source.
Forensic copy or export.
Hash values where possible.
Chain-of-custody notes.
Acquisition date and time.
Tool names and versions.
Examiner identity.
Device identifiers.
Account identifiers.
Time-zone explanation.
Relevant screenshots with context.
Metadata.
Logs.
Expert conclusions separated from legal conclusions.
Alternative explanations considered.
Clear relation to legal elements.
This structure makes the evidence easier for prosecutors, judges and appellate courts to evaluate.
22. Practical Checklist for Expert Reports
An expert report in a Turkish cybercrime case should ideally answer:
What was examined?
Who provided the evidence?
Was the evidence original or copied?
How was the copy made?
Were hash values verified?
Was the examination repeatable?
What tools were used?
What data was found?
What data was not found?
Were deleted records recovered?
Were timestamps normalized?
Was user attribution possible?
Were malware, remote access or automation considered?
What is certain, probable or unknown?
What technical limits remain?
The best expert reports are clear, reproducible and legally focused. They explain the evidence without overstating it.
Conclusion
Digital forensics in Turkish cybercrime cases is decisive because modern criminal files often depend on phones, computers, cloud logs, screenshots, IP records, bank records, e-mail headers, server logs and expert reports. Turkish cybercrime law includes offences such as unlawful access, system interference, misuse of bank cards, prohibited devices and computer-related fraud, while criminal procedure rules under CMK Article 134 regulate search, copying and seizure of computer data.
For victims, digital forensics helps prove what happened, preserve evidence, identify suspects and support criminal complaints. For defendants, it provides the basis for challenging unlawful evidence, weak attribution, incomplete expert reports and unsupported technical assumptions. For companies, forensic readiness is essential because internal logs, cloud records and access histories may determine whether data theft, ransomware or business e-mail compromise can be proven.
The most important principles are legality, integrity, chain of custody, proportionality and technical clarity. Evidence must be obtained lawfully, preserved properly, examined by reliable methods and interpreted within the correct legal framework. Digital evidence may be powerful, but it is not automatically conclusive. A screenshot, IP address, file name or login record must be tested against identity, intent, authorization, authenticity and procedural law.
In Turkish cybercrime litigation, the strongest legal strategy is not merely to collect more data. It is to collect the right data, preserve it lawfully, analyze it scientifically and connect it clearly to the legal elements of the offence or defence.