This four-part series is based on a joint webinar between IAPE and FileOnQ, addressing the critical role of digital evidence and modern law enforcement investigations. Together, they explored collecting, analyzing, and managing digital evidence in today’s fast-paced and changing world. This year marks IAPE’s 31st anniversary.
IAPE has been teaching property and evidence best practices since 1993. They have instructed well over 25,000 property evidence professionals throughout the United States and Canada. IAPE offers two and three-day training classes on property and evidence handling.
Not only does IAPE provide fantastic training, but they also offer an assortment of resources on their website, including best practices standards guides, training manuals, and SOPs through agencies around the country. You can find all of these resources and all of their upcoming training, on their calendar, on their website, at IAPE.org.
Let’s dive into the webinar…
Steve: “My name is Steve Paxton, and I recently retired from law enforcement after 26 years of working as a police officer and detective. For the last 12 years, I managed a four-person digital forensics unit and worked with various digital evidence management systems.
After I retired, I went to work for FileOnQ, which is a public safety solutions company. We’re based out of Seattle. We’ve been in business since 1986 and work with nearly 400 public safety organizations around North America.
We offer several evidence management solutions that work together as an integrated platform. You can use our systems separately, but they become even more powerful when you bring them together. This includes DigitalOnQ, which is our digital evidence standard system, and EvidenceOnQ, which is our property and evidence management system.
Today, we have IAPE Board Member and all-around cybersecurity expert Alexis Grochmal. Alexis, can you give us a brief introduction?”
Alexis: “I’m a board member with IAPE, and I have been with IAPE for about a year and a half. I’m a certified crime specialist. And as Steve graciously said, Cybersecurity is my realm.
Digital forensics is my realm as well, and I’m actually obtaining my Ph.D. in cybersecurity at the moment.
I’m happy to be here and glad to see such a great group.”
Steve: “Thanks, Alexis. So this is the agenda. We have a lot to pass along to you in 60 minutes, and it’s likely we’re going to go a few minutes over, just because there’s so much here.
We’re going to start by talking about the state of things and how agencies are handling their digital evidence. We talk to many police departments across the United States and they’re handling evidence in a variety of different ways.
We’re also going to highlight some examples where agencies have run into problems, not having controls in place, or an evidence system in place, which led to costly disasters. Then, we’ll look at some key considerations for implementing a digital evidence management system. Things to be looking for. I’ll also touch on storage options for digital evidence and integrating with other systems. You can integrate your digital evidence management system with a body-worn camera system, for example.
Additionally, digital evidence, just like physical evidence, has a lifecycle. So we’ll briefly cover what that lifecycle looks like as evidence is brought into the system, managed, and eventually, at the end of that life cycle, potentially purged out of the system.
I also have an arson case when I worked as a detective – along with some other of my colleagues – and it’s a great example that we can use to put a frame around all of this digital evidence and how it impacts a real-life case. Finally, I’ll finish up with some final thoughts. And we’ve got some resources for you, and hopefully, we’ll have time for questions.
Alexis is going to be looking for questions in the control panel. So if you’ve got a question, be sure to submit that there and she might be able to answer it directly. If we can’t get to all the questions at the end, we’ll definitely follow up in an email.
On a different note, Craig is here. He is the Marketing Director for FileOnQ. Craig, could you start our first poll question?”
Craig: “Absolutely. Be happy to do that. So I’m gonna bring up a poll question on the screen for everyone, and this is interactive, so as this poll screen appears on your screen, go ahead and click on the choices that fit your needs. I’m going to launch that poll for everyone.”
Poll Question #1
What is your level of familiarity with digital evidence?
The results…
Steve: “There are more folks here who are somewhat familiar than I expected. So that’s great. We’ll go through this and hopefully help everyone become a little more familiar. One of the first things that we wanted to share with you is just how fast digital evidence is growing. From year to year, it’s growing exponentially by leaps and bounds, and it’s overwhelming a lot of police departments.
Approximately 46% of police departments in North America have less than 10 officers, which is interesting. So, for medium to small departments, it can be overwhelming and crushing to have all of this digital evidence come in. And, the bottom line is that virtually every crime an officer or detective goes to will have some kind of digital element. Whether it’s a misdemeanor crime, a simple theft, or something like that, or all the way up to a major person’s crime or felony.
You’re going to have surveillance video. Everyone’s carrying mobile devices. There’s going to be some type of digital evidence in nearly every case. So it’s really important to have the knowledge to be looking for that evidence. And to have a system in place for investigators to be able to store that evidence effectively. Plus the training and SOP to know what to do when you’re out there.
The information there on the right, in the graph above, is worldwide data that’s being produced by us human beings all around the world. It’s in Zettabytes which is kind of a crazy amount of data.
We talk about digital evidence in Gigabytes and Terabytes. So when I’m talking to Chiefs, Captains, and Lieutenants, their needs for digital evidence are typically measured in Terabytes. A Zettabyte is a trillion Gigabytes. So if you’re able to store 175 Zettabytes onto Blu-ray disks, that stack of disks would reach the moon and back 23 times. Which is staggering, right?
So, to provide some more context, and I don’t want to get too geeky here, there are a little over one thousand Terabytes in a Petabyte and a little over one thousand Petabytes in an Exabyte. And then a little over a thousand Exabytes in a Zettabyte. So, really, what that means is that a Zettabyte is an enormous, practically incomprehensible amount of data that we’re producing.
And you can see it’s growing each year, all the way up to, potentially, 181 Zettabytes by 2025. So, the point is that our use of smartphones, tablets, computers, surveillance video systems, drones, and all the IoT devices we use produce an enormous amount of data in virtually every crime. Whether the crime is big or small it has some kind of digital element to it, most likely.
And connected to that is surveillance video, so if we take all of the digital evidence that is out there, surveillance video is really the area that’s growing even faster than the rest.
There’s surveillance video virtually everywhere nowadays. If we went back 15 or 20 years, businesses had to spend a fair amount of money to have an installer setup a surveillance video system. Nowadays, you can get into a wireless, cloud-based system that can be purchased at Costco for just a fraction of the cost. You can install it and have it set up, usually in just an hour or two.
So the information there in the slide is from my police department. I retired from the Seattle area, and our police department has about 200 officers with a population of slightly over 100,000 people. You can see the growth of surveillance video we recovered all the way up through 2019. And, of course, it’s continuing to grow through today.
So when you combine this surveillance video with all the other video that’s out there… we have in-car camera video, body-worn camera video, and citizen-generated video that’s given to officers for cases… Video is the area that’s really growing the most.
If you look at it, it’s primarily HD, and some of it’s even 4K video, so it’s huge. So it really goes to show how important it is to have some kind of system for managing all this digital evidence.
Switching gears for a moment… Let’s talk about some examples of when things went wrong for some different agencies. Alexis is going to talk about these examples here.”
Alexis: “Thanks, Steve. So, here’s an example of some of the lack of internal controls that we’re seeing. Vanessa Bryant filed a lawsuit. I’m sure everyone’s familiar with the Kobe Bryant helicopter crash site back in 2020.
It alleged that there was evidence that was permanently destroyed by sharing those crash scene photos on multiple devices – the Sheriff’s Department LA County actually owned the devices – and when a forensic firm examined the devices of the Sheriff and Fire Departments, they found that nine out of eleven iPhones they provided had been wiped clean and reset.
So, that was a failure of those internal controls and standard operating procedures that you should have in place concerning the retention of digital evidence. Obviously, that underscores the urgency of addressing those lapses for accountability and justice, and also, it’s problematic for law enforcement personnel.
Another situation where the evidence integrity was called into question.
Everyone’s probably familiar with the Kyle Rittenhouse case, where he shot three men, resulting in two fatalities. This is an example of where the drone video resolution was degraded, and it ended up causing a mistrial because of the video that was provided to the defense.
Also, I know everyone’s probably familiar with Dallas, PD. They’ve been having significant issues with their digital evidence files – 52,000 digital files have been affected now. They inadvertently deleted 52,000 pieces of evidence that could affect upwards of 9000 cases.
So, that’s another issue where we’re seeing a lack of internal controls and auditing procedures being violated. These are just some examples that we continue to see with the digital element.
It’s not just physical evidence, right? We all know about the physical evidence that we maintain, but we also need to look at the auditing procedures and having SOPs to address the lack of controls related to digital evidence.”
Poll Question #2
Craig: “This will be our second and last poll question…
How does your organization store digital evidence?
The Results…
So the winner of this is… Across several systems. That’s interesting to know. After that, it comes BWC or in-car, camera cloud systems, which is what I would expect. Followed by We have a centralized server outside of our DEMS, and then Portable media stored in the property room comes in at 11%. Then we’ve got some people with Other. I’d be curious to know what those ‘others’ are. Back to you, Steve.”
Steve: “I’m surprised that I didn’t put DEMS in there. So there are probably some folks who are storing their evidence in a digital evidence management system.
What we are seeing out there really kind of mirrors the poll here… many agencies are storing their digital evidence across multiple systems. So an agency may have a file server where they store a lot of their digital evidence, and then they’re using their RMS system for photos, and then maybe they’re using their body-worn camera system for videos.
It makes it challenging for detectives and investigators to be able to find what they’re looking for in a case, and also a challenge for sharing evidence. There’s just an enormous amount of digital evidence out there and it’s impossible to ignore. Agencies and police department officers are having to grapple with all this evidence, and there are many agencies that don’t have a system in place to manage that evidence.
So it’s really kind of a three-part thing. You have a digital evidence management system (DEMS), which we’re going to talk about here in just a moment – alongside good policy and procedure and also training. So a digital evidence management system is a virtual command post, and effectively goes over the top of your digital evidence.
You can have a DEMS over the top of an on-prem server. For example, your city or your county has a server set up with your evidence stored there, and your digital evidence management system goes over the top of that and manages the access control.
It ensures that certain people can access sensitive evidence while other people are denied access to that evidence because they don’t have a right to it. It also tracks the chain of custody and ensures file integrity.
All of that, along with training and department policy, will help ensure that you’re properly collecting and maintaining your case evidence.
Digital evidence has a life cycle, just like physical evidence. Virtually everyone here is familiar with how physical evidence comes into a property room. And we certainly don’t want to have a system where evidence just comes in without a purging process in place. Otherwise, your property room is going to fill up and you’re going to have a lot of junk in there.
Having a retention system in place is super important. With digital evidence, it’s very much the same. That life cycle starts on the front end with identifying evidence when you’re out in the field.
For example, an officer responds to a domestic violence call and meets the victim at the front door. As he walks up to the door, he may see video cameras on the house, maybe a Ring or Blink camera. So he knows right away there’s potentially recorded video of the incident. And the victim may provide him with text messages from her phone – threatening text messages or photos that might be evidentiary. The officer may also take photographs of the victim’s injuries.
So, identifying evidence is the first step and then identifying the legal authority for your search. In many examples, you’re going to be able to obtain consent to search, and they’ll provide the video, or the files on their phone, or maybe give you the phone so that you can process it for the evidence that’s on there.
And that leads us to the next step, which is contacting support. If you don’t know how to process a mobile device, or you’re not familiar with Cellebrite, use the expertise either in-house or know where to get it so that you can process that evidence properly. So it’s a good idea to take photographs out in the field and notes to document where that evidence was recovered and the condition of any devices taken into custody.
If you see somebody’s phone, you want to document the condition of that device before you take it, and then collect and securely transport it back to your police department. And this is where you’re going to upload your evidence into your digital evidence management system.
Once that evidence is uploaded into the DEMS, it will electronically track your chain of custody, but it’s still important to write a report and document that chain of custody to include when it was recovered in the field.
And as we go along, some of that evidence is going to be moved forward for investigation, right? Not all of it, maybe 20 or 30% of the evidence that you run across, is going to be assigned for investigation. Within your DEMS you’re able to review, sort, group, and go through case evidence to make it ready for prosecution. Organize it so the prosecutors know what’s coming.
Towards the tail end of that life cycle, sharing your digital evidence with stakeholders and with the prosecutors can be done electronically and securely. Gone are the days of sharing evidence on portable hard drives. And I know that there are departments still doing that.
But that is an incredibly time-consuming and also a really insecure way of sharing evidence. You don’t have chain of custody tracking or clear visibility of what digital evidence you have stored in each case. So being able to share electronically and securely out of your digital evidence management system is really critical. It’s going to save a lot of time.
Finally, have a retention manager built into your DEMS where you can manage storage and archive long-term evidence that needs to be kept. The retention manager is typically tied to crime types. For example if there are four types of assault in your area: Assault 1, Assault 2, Assault 3, and Assault 4. Each one of these different types of assault would be tied to different retention times in the digital evidence management system based on their severity.
If the statute of limitations for second degree assault is five years, a police department could configure the retention manager to send an alert to review the case in five years. At that time, if the case had been adjudicated or there’s no suspect information, it might be appropriate to purge the digital evidence based on local guidelines.
For most departments, purging involves several people within the agency doing research on the case. Purging evidence is not something that’s handled lightly. It’s usually assigned to several people to oversee. Typically, you’re going to read through that police report, check with the prosecutor and case detective and confirm if it’s appropriate to purge the digital evidence in the case.
If you can purge 30 or 40% of your digital evidence over time, that’s going to help you save on server storage down the line, as you won’t have to purchase additional storage for evidence that you no longer need.
The other really good reason for purging is the flood of public disclosure requests that come in for police departments. Public disclosure laws vary from state to state, but in most states, you have to be responsive to them.
If you have evidence on your server, that’s eight years old or 10 years old – that you really don’t need to have, because the case has been adjudicated or there was no suspect – and you’re still hanging onto it, if someone comes in and requests it you’re going to have to dig in and be responsive to that request. That involves someone pulling that evidence out, reviewing every frame of video, looking at all the photographs, listening to the audio files, and doing any necessary redactions based on the requirements.
It’s really important to be able to do that purging when appropriate to get that evidence off your server when you can. That concludes the life cycle of digital evidence. In the next episode, I’ll talk about the features to look for in a DEM system.”
If you would like to learn more about how FileOnQ can help you manage everything from your Enterprise Platform to a Data Backup and Recovery Solution and Evidence Management Software Solutions, visit FileOnQ here.
