Screenshots as Criminal Evidence: Italian Supreme Court Ruling and Forensic Acquisition
Most stalking and cyberharassment cases today live on screens. WhatsApp messages, social media posts, emails, video calls: the victim's story is told through digital artefacts, and the evidentiary weight of those artefacts depends on how they are captured. Screenshots feel like the natural solution: press a key, save the image, move on. From that moment, however, the evidentiary ground becomes unstable.
On 7 April 2026, the Italian Supreme Court (Corte di Cassazione, Criminal Section) published ruling 6024/2026, addressing a question that forensic practitioners had long confronted but that lower courts still handled inconsistently: not all screenshots are equal in a criminal proceeding. The Court drew a sharp line between images captured with device-native tools and images acquired through a sealed forensic methodology. The background numbers make the issue tangible: in Italian criminal proceedings for stalking and cyberharassment, more than 60 percent of screenshots submitted as evidence are formally challenged by the defence for lack of qualified timestamping, cryptographic hashing or a reconstructible chain of custody.
The short answer the ruling points to, and that international forensic standards have codified for years, is this: a screenshot is admissible as evidence in stalking cases when it is captured through a methodology that demonstrates verifiable integrity, authorship and temporal placement. In any other scenario, it remains a representation that can be disputed, rejected and, without an expert report, effectively set aside. This article explains what changes after ruling 6024/2026, why traditional screenshots fail in court, which technical requirements make them defensible under international standards, and how TrueScreen captures screenshots at source so they are ready for first-instance proceedings without further forensic work.
Italian Supreme Court Ruling 6024/2026: what it says about screenshots in stalking cases
The Italian Supreme Court's ruling 6024/2026 addresses the admissibility of screenshots in criminal proceedings for persecutory acts. Although the decision is framed within the Italian criminal procedure, the reasoning it follows aligns with the evaluative framework adopted internationally: digital evidence is admissible when the party introducing it can show how the item was produced, preserved and presented. Screenshots are not self-evident exhibits: they are representations that must pass a technical test before contributing to the court's findings.
Facts and decision
The case originated from a stalking proceeding in which the complainant submitted a sequence of screenshots from chats and social media posts to support allegations of harassment and threats. The defence challenged the reliability of the images: saved in the device gallery, stripped of their original metadata, without any cryptographic hash and lacking any verifiable external timestamp. The Court confirmed that digital documentary evidence must be evaluated in light of its reproducibility, integrity and authorship. An unsealed screenshot, once contested, cannot overcome that test without a technical expert appointed by the court.
System screenshot vs forensic acquisition
The most operational part of the ruling distinguishes two categories of acquisition. A system screenshot, produced by the device's print-screen function or native shortcut, is a photograph of the display with no subsequent integrity constraints: it can be modified, renamed and re-saved without leaving univocal technical traces. A forensic acquisition, by contrast, is a structured process where the screen is captured with a sealed technical chain that binds the image to a qualified timestamp, a cryptographic hash and a signed certification record. In the Court's reasoning, only the second category accesses a technical presumption of genuineness that shifts the burden of contestation to the defence.
Why a traditional screenshot is contested in court
The direct answer is that a traditional screenshot does not carry the technical elements criminal proceedings require to exclude manipulation. There is no seal linking the image to its capture date, no cryptographic fingerprint certifying immutability, no independent record attesting from which device, when and by whom it was produced. Without those elements, any defence challenge is legitimate and, in most cases, decisive. These weaknesses have been documented in international forensic literature, including NIST Special Publication 800-86 on integrating forensic techniques into incident response.
Missing metadata: hash, timestamp, device
When a screenshot is saved to the device gallery, it retains only the metadata that the operating system decides to preserve. No SHA-256 hash is computed at capture, because the print-screen function has no cryptographic role. The timestamp is the one written by the file system, easily rewritten when the image is transferred from one device to another. The device identifier is not signed by any independent authority. In a criminal proceeding, those absences are openings for the defence: courts across jurisdictions require digital evidence to allow verification of origin and integrity, not only relevance, as the SWGDE Best Practices for Digital Evidence explicitly state.
Federal Rule of Evidence 901 and international standards
Under Federal Rule of Evidence 901, the proponent of digital evidence must produce sufficient evidence to support a finding that the item is what the proponent claims it is. In Italian proceedings, the analogous requirement is articulated around reproducibility and the absence of reasoned disconnection. Both frameworks converge on the same practical point: the party introducing the screenshot must be able to show how the capture happened. Without a sealed forensic acquisition upstream, that burden is difficult to discharge, as explored in our guide to authenticating digital evidence under FRE 901.
The 60% contestation rate: 2024-2025 data
Data collected on Italian criminal proceedings over 2024-2025 shows that more than 60 percent of screenshots submitted as evidence in stalking and cyberharassment cases face formal contestation by the defence on technical grounds. In roughly 40 percent of those cases the contestation becomes a request for court-appointed forensic analysis, extending proceedings by 6 to 12 months and, in a significant share, leading to outcomes unfavourable to the complainant. Similar patterns are documented in comparative eIDAS Observatory studies on digital evidence across EU jurisdictions. The problem is not judicial scepticism: it is the structural absence of technical tools that would make the image a full piece of evidence rather than an indicative one.
Admissibility requirements: ISO 27037, eIDAS, chain of custody
The Italian Supreme Court does not impose one specific technical standard but invokes principles that forensic practice maps onto well-known frameworks. The reference technical norm is ISO/IEC 27037, which governs the identification, collection, acquisition and preservation of digital evidence. The EU eIDAS Regulation regulates qualified timestamps and qualified electronic seals, which confer a presumption of authenticity on signatures and attestations. The chain of custody traces every step of the evidence from capture to courtroom.
| Requirement | Reference standard | Evidentiary function |
|---|---|---|
| Qualified timestamp | eIDAS, Art. 42 | Opposable temporal placement |
| SHA-256 cryptographic hash | ISO/IEC 27037 | Immutability and integrity |
| QTSP digital signature | eIDAS QTSP framework | Authorship and non-repudiation |
| Acquisition record | ISO/IEC 27037 | Reconstructible chain |
| Identified and attested device | ISO/IEC 27037 | Technical provenance |
Qualified timestamp under eIDAS
A qualified timestamp is an electronic attestation issued by a Qualified Trust Service Provider that binds a sequence of data to a precise moment in time. Unlike the date recorded by the operating system, a qualified timestamp under eIDAS benefits from a presumption of accuracy and correct temporal placement (Article 42, Regulation EU No 910/2014). For a stalking screenshot, it means being able to demonstrate in court that the image existed in that exact form on a specific date and time, and that no later modification is possible without invalidating the timestamp.
SHA-256 hash and integrity
SHA-256 is a cryptographic function that generates a 256-bit string uniquely associated with binary data. Changing a single pixel produces a completely different hash. In the forensic process, the hash is computed at the moment of acquisition and recorded in the acquisition document: in court, anyone can recompute the hash of the produced file and verify that it matches the original. This excludes subsequent manipulation with mathematical certainty and keeps the screenshot technically defensible even years after capture. The same mechanism underpins the digital chain of custody across forensic toolchains.
Certified acquisition record
The acquisition record describes step by step how the screenshot was captured, on which device, with which tool, at what time, over which network, resulting in which hash. When the record is digitally signed by an accredited Qualified Trust Service Provider, it becomes a document with a presumption of authenticity equivalent, in evidentiary terms, to a notarised attestation in digital form. For the criminal judge, this is not a photo of a screen: it is a structured technical act, with a weight that a raw screenshot cannot match.
TrueScreen: screenshots captured at source for criminal proceedings
What is a source-captured screenshot and how does it work
A source-captured screenshot is an acquisition in which the forensic chain closes at the very moment of capture, before the image leaves the controlled environment. TrueScreen acquires the device screen while simultaneously applying a qualified eIDAS timestamp, computing the SHA-256 hash and digitally signing the certification record. The user does not need to perform any technical step: starts the acquisition, TrueScreen records the screen as required, and at the end produces a package with the sealed evidence and a signed certification record. The difference compared to a system screenshot is structural: it is not an image to which a timestamp is added later; it is an image born inside the forensic methodology, with integrity guaranteed from the origin. We analyse the full workflow in our guide to screenshot admissibility in court.
Features: app, web portal, chain of custody
Acquisition happens through the mobile app, which captures the phone screen directly, and through the web portal, which acquires web pages, desktop chats and browser-based workflows. Each piece of evidence is stored in a certified data room with a tracked chain of custody: every access, download and share is logged and digitally signed. The certification record, signed as QTSP, is generated automatically and contains all the elements required by ISO/IEC 27037: device identification, acquisition tool, hash, qualified timestamp and contextual metadata.
Use cases: stalking, cyberharassment, workplace harassment
In stalking proceedings, the captured screenshot preserves WhatsApp, Telegram and Instagram DM conversations, along with account and thread identifiers. In cyberharassment cases, the app is used directly by the victim or by a parent to capture social posts and feed interactions before they are removed. In workplace harassment cases, the acquisition covers corporate emails, Teams and Slack exchanges and shared documents, always with a reconstructible chain of custody. In every scenario, the complainant reaches the hearing with evidence that does not require a court-appointed expert to be discussed on the merits.
What changes for criminal defence lawyers and complainants
After the 6024/2026 ruling, a lawyer assisting a complainant in stalking proceedings has a concrete benchmark to guide evidence collection. The operational advice shifts: no longer "take a screenshot and save it", but "acquire with forensic methodology from the first message that presents criminally relevant features". The procedural consequence is twofold: the likelihood of formal contestation at trial decreases, and proceedings shorten, because the defence has little room to request expert reports that the court would otherwise be obliged to order in case of disconnection. For complainants, the benefit is also economic: a party-appointed technical expert typically costs between 2,000 and 5,000 euros and adds several months to the case. A forensic acquisition performed at the moment of the conduct prevents, in most cases, both costs. This logic mirrors international guidance on the admissibility of digital evidence, which treats the sealing-at-source moment as the decisive variable.
