This four-part series is based on a joint webinar between IAPE and FileOnQ, addressing the critical role of digital evidence in modern law enforcement investigations. Together, they explored collecting, analyzing, and managing digital evidence in today’s fast-paced and changing world.


This year marks IAPE’s 31st anniversary. IAPE has been teaching property and evidence best practices since 1993. They have instructed well over 25,000 property evidence professionals throughout the United States and Canada. IAPE offers two- and three-day training classes on property and evidence handling.

Not only does IAPE provide fantastic training, but they also offer a huge, smart assortment of resources on their website, including best practices standards guides, training manuals, and SOPs through agencies around the country. You can find all of these resources and all of their upcoming training in the calendar section of their website at IAPE.org.

Let’s dive into Part 2 of the webinar… 

Steve: “In this part of the series, I’ll talk about the features to be looking for in a digital evidence management system. High points to follow so you understand what a digital evidence management system can do for you. The first thing is looking for a system that’s secure, compliant, and that follows all the best practices. CJIS compliant where applicable. If you’re working for a federal agency, follow FedRAMP, if you can.

SWGDE is the Scientific Working Group on Digital Evidence. They publish best practices for handling digital evidence. 


Alongside that is the vendor following the best practices for developing the software, vulnerability testing, and patching as necessary. So, secure and compliant: very, very important.

It’s important to also find a system that’s agnostic and scalable. When I say agnostic, I mean a system that isn’t tied to another proprietary system, like a body-worn camera system or a drone system, or a mobile forensics tool set that offers a digital evidence management system alongside that.

If you can get an agnostic digital evidence management system, it will be a single source of truth and the primary vault for all of your digital evidence. When investigators are looking for evidence, they know that they’re going to find everything in one place instead of spread across multiple systems.

A digital evidence management system like that also should be able to integrate with some of the other systems that work alongside it. So your digital evidence management system should be able to integrate with your body-worn camera system, for example, so that you can have your body-worn camera video brought into your system, and that video can be stored alongside all of the other case assets in that digital evidence management system.

Scalable storage management is really important, too.

There are different ways you can store your evidence. You can store your evidence on-premise or in the cloud. Azure US for Government cloud storage is CJIS compliant, encrypted in transmission, and encrypted at rest. Having a system that’s scalable allows you to purchase just the amount of storage that you actually are going to use in the immediate future.

If you’re at a smaller agency, for example, and you think you might need five terabytes in the next 12 months or 24 months, it doesn’t make a lot of sense to purchase 30 terabytes when you don’t expect to need that much for 10 years. Scalable storage is critical to reducing that cost.


Granular permissions are usually broken out into user groups. For example, you might have a Patrol Officers user group, and then a Detective user group, and then you may even have a Special Assault Detective user group.

Those three different user groups will likely have varying levels of access to the system and access to the evidence. So your Patrol Officers may have mid-level access to the evidence while your Detectives have more elevated access, and your Special Assault Detectives, who are working sensitive crimes, have even deeper access into the system.

And if you had an injured Patrol Officer who was injured and on light duty, you may want to move them into a detective spot temporarily to help out with a major case. With a digital evidence management system, you can move users between groups to match the work they’re doing. Chain of custody is tracked within the system, and the granular permissions allow you to grant or deny access to evidence in the system.

One of the backbones of a digital evidence management system is preserving the file integrity. It’s important that digital evidence in the system doesn’t change and it’s tracking who’s accessing it.

We do that with two methods. The first is secure file hashing, and then the second is something we’re more familiar with, which is chain of custody tracking.

Just like chain of custody tracking, when we’re talking about physical evidence collected at a crime scene, we also want to track the chain of custody of our digital evidence, and that’s done file by file.

All of the interactions – such as viewing, downloading, sharing, and printing, at a file-by-file level, should be tracked within your digital evidence management system.

That’s really important. A chain of custody report may be requested by prosecution or defense in court. If the defense has questions about the integrity of the evidence, you can address that with a digital evidence management system that tracks chain of custody.

It’s also great for internal visibility. Police administrators will be able to know who’s accessing evidence and whether or not it’s appropriate. 

Chain of custody tracking is super important. It works alongside secure file hashing, which is a process of verification. Let’s look at two definitions that are related to digital evidence handling and integrity.


The first one is verification. That’s the process of confirming that the data, or files presented, are complete and unaltered since the time of acquisition. The key part of that is complete and unaltered. It’s important that the evidence that we recover and store within our digital evidence management vault is unaltered. It doesn’t change from the time you recover it.

If I recover surveillance video today, in five years that video shouldn’t be different. I should be able to show in court that the video evidence is unchanged or unaltered.

The example that Alexis gave for the Kyle Rittenhouse trial, where the prosecution provided drone video that had been reduced down to 1/16th of its original resolution, is a situation where the video was altered and provided to the defense. And it almost resulted in a mistrial. It’s very important that digital evidence we recover remains complete and unaltered.

Authentication is a little bit different; however, it works side-by-side with verification. Authentication is the process of substantiating that the data files are an accurate representation of what they purport to be. This refers to the provenance of the files – where they originated from and whether or not they’re authentic.

So if you go to a crime scene and you are talking to a victim or to a witness, and they give you what they say is iPhone video – a video that they recorded on their iPhone – but they send it to you via email or share it with you on a thumb drive, and they say, “This is a video recording of this incident.” One of the first things an investigator should do is authenticate whether that video, in fact, came from an iPhone. You could do that in a number of different ways. 

You could look at the metadata. There will be file signatures associated with the make and model iPhone the files came from. So the provenance of that file is really important. I’m sure most of you have run across this on the internet and social media, where you come across a video or picture, and you begin to wonder if they’re authentic or not.

With all the artificial intelligence that’s happening, there’s a lot of stuff out there that’s not real. There’s a phrase that describes this in forensics. It’s called synthetic media. Authentication addresses whether or not a video or image file is a true and accurate representation of what it purports to be.

Jumping back to verification now. We can verify our evidence through secure file hashing, as I mentioned before. This is how we show that the evidence is complete and unaltered. File hashing is a widely researched, publicly available algorithm or function that returns a hash value which is a unique string of characters as you see below. You can think of a hash a little bit like a digital fingerprint.


A DEMS applies a secure hash value to every file as they’re uploaded into the system.

In this example let’s say we’re uploading crime scene photos. And every digital photograph is hashed as they’re uploaded. The hash travels alongside each file and is stored in the digital evidence management system.

If we want to go back anytime in the future and look at that hash, we can verify if that hash is the same and that hash is that string of characters above. If that hash is different, then we know something has changed about the file. And it’s not just one character that would be different. The entire hash would be different. So, if something about that file changed, it would change the hash.

That’s how we can know and show whether or not the files are the same down the line in court. Here’s a simple example.


Imagine we’ve got a crime scene photo – this is a photo of Haystack Rock on the Oregon Coast – but if we had a crime scene photo, and we were to identify and change a single pixel randomly. In this case, we changed it from that blue that you see to a slightly darker shade of blue, and we saved it. Visually, you wouldn’t be able to tell that that file was different.

However, hashing would show an entirely different string of characters. It would identify that the file has changed. You can make an argument that changing a single pixel isn’t very important. But the image has changed. And it would probably also show in the metadata that it was changed in Photoshop or with some other image editing tool. So this is how we can track the file integrity within our system.

I’ve actually had this come up several times as a detective. I’ve testified in court, and I’ve had the defense ask me a question. They would say, “Detective, these surveillance video files that you worked on and recovered three years earlier… How do we know that they haven’t changed?”

For me, it was just a matter of taking a short break and independently hashing the files and then bringing the results back to the defense.


What you’re seeing here is a hash report out of our DigitalOnQ system. You can see that each one of these files has a unique hash. You’d have a lengthy report like this, where the thumbnails are associated with the hash value, and we can pull that up anytime.

We can also independently hash the files with third-party tools, which are freely available. You can download a hashing tool and check to see if the hashes are the same. 

As I mentioned before, chain of custody tracking and file hashing work together to ensure file integrity within a digital evidence management system. In this sample report from our DigitalOnQ system, we can review all the interactions at the file-by-file level. 


In this report we are looking at a thumbnail of an arson photo. We can see that Officer Jones uploaded this photo at a certain date and time (see the highlighted section in light yellow above). He viewed it. And shortly after that, he shared the photo – and probably all the photos in this case – with a prosecutor.

Then, Officer Evans reclassified it. It was originally a Property Crimes case; then he reclassified it as a Persons Crimes case. Finally, it was shared, downloaded, viewed, etc. We can pull this chain of custody report anytime out of a digital evidence management system, which can be very important in court.

It also provides police administrators with visibility and accountability for how their digital evidence system is being used. And how evidence is being managed and viewed.

Digital evidence management systems should also be able to manage all file types. And, there are a lot of different file types out there.


If we wanted to take a step back and look at it more broadly, you can say that there are standard file formats and there are proprietary file formats. JPEG images and MP4 videos are examples of standard file formats that can usually be viewed on a standard Windows computer without any special software. 

That’s in contrast with proprietary files, which do not play in Windows. Most of us have run into tricky file formats that Windows can’t open or play when you click the file. Reviewing these types of files can be challenging for detectives and officers to review.

I estimate half or a third of surveillance videos are proprietary and require a special player or a CODEC to open them. This type of surveillance video is an example of a proprietary file format.

There is a wide variety of digital forensic evidence such as mobile forensic evidence from Cellebrite, or computer forensic evidence, or GIS evidence for traffic collision software that is proprietary and requires specialized software to review.

Your digital evidence management system should be able to ingest and manage all proprietary digital forensic evidence. And if the digital evidence management system can’t open it because it’s proprietary, it should allow you to download it out of the system for review in the appropriate software.


As our life cycle moves forward, some evidence will need to be reviewed more closely. Investigators may need to search, organize, sort, and group case evidence to get it ready for court and the prosecutor assigned the case. 

So having a digital evidence management system that has the ability to look at all your evidence and be able to identify important, critical pieces of evidence, set that aside, and make that ready for a prosecutor is critical. 

And then finally, at the tail end of that life cycle, is secure sharing with stakeholders. An investigator may need to share digital evidence with a detective in another agency investigating the same suspect. Oftentimes, though, it’s going to be sharing evidence with prosecutors so they can review it for charging and eventually disclose it to the defense. 

Q & A

So, let me pause for just a second. Craig, do we have any questions about anything that we’ve covered?”

Craig: “We do have some questions that we’ve been answering, but I’m going to backtrack just a few of these here. One of the questions is… Is sharing limited to only applicable persons per case, or is it agency-wide?”

Steve: “Sharing would be a permission within the system. So if you have permission to share, you could share with anyone outside the system. That could be a prosecutor, or it could be an investigator from another agency.

Or maybe you’re sharing evidence with a sexual assault clinic, and they need to have specific evidence to help with the investigation on their side. You could share it with the appropriate investigators or sexual assault nurse examiner (SANE).”

Craig: “Someone had a question related to, How do you deal with Sensitive Evidence?”

Steve: “That’s a great question. Sensitive evidence can be ingested into a digital evidence management system just like any other digital evidence. Sensitive evidence would be tagged with a sensitive crime category (such as Special Assault) as it’s uploaded. The sensitive crime category would be set up to restrict access to the evidence based on how permissions are configured. Most likely, sensitive evidence wouldn’t be accessible to patrol officers or general detectives; however, it would be accessible to investigators assigned to work sensitive cases. Sensitive evidence, along with other digital evidence, would be stored on-prem in a physically secure environment or in the cloud utilizing Azure for US Government or AWS GovCloud storage.

Another example similar to sensitive evidence is you could have a category in your digital evidence management system for Internal Affairs to store digital evidence related to officer complaints. If an officer complaint is generated several days after a police call, BWC video and other collected digital evidence could be tagged as Internal Affairs, which would restrict access to the Chief, Deputy Chief, IA Inspector, and IA Detectives. So, even though the digital evidence in this example isn’t related to a criminal case, it can still be restricted (like sensitive evidence) for the duration of the internal investigation. 

Great questions. 

Stay tuned for our next installment in this series. It promises to be just as enlightening!” 
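The verification and chain of custody steps described in the webinar, as an added example that is not part of the original post and is not DigitalOnQ code: a file is hashed at upload, re-hashed later, and every interaction is appended to a per-file custody record. SHA-256, the record layout, the function names and the sample file are assumptions made for illustration; the webinar does not name the hash algorithm.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large video evidence never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_event(record, user, action):
    """Append one file-level chain-of-custody entry (who, what, when)."""
    record["custody"].append(
        {"utc": datetime.now(timezone.utc).isoformat(), "user": user, "action": action}
    )


def ingest(path, user):
    """Hash the file at upload and start its custody record."""
    record = {"file": os.path.basename(path), "sha256": sha256_file(path), "custody": []}
    log_event(record, user, "uploaded")
    return record


def verify(path, record, user):
    """Re-hash the file and compare with the digest stored at ingest."""
    unchanged = sha256_file(path) == record["sha256"]
    log_event(record, user, "verified" if unchanged else "verification FAILED")
    return unchanged


def demo():
    """Constructed sample: a 4 KiB stand-in for a photo, then one byte altered."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scene_photo_001.bin")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(bytes(range(256)) * 16)
        record = ingest(path, "Officer Jones")
        before = verify(path, record, "Officer Evans")
        with open(path, "r+b") as fh:  # stands in for the single-pixel edit
            fh.seek(1000)
            fh.write(b"\x00")
        after = verify(path, record, "Officer Evans")
        changed_digest = sha256_file(path)
    # Count hex positions that differ between the stored and the new digest.
    differing = sum(a != b for a, b in zip(record["sha256"], changed_digest))
    return before, after, differing, [e["action"] for e in record["custody"]]


if __name__ == "__main__":
    print(demo())
```

Running the same hash independently with a third-party tool on the stored file should give the digest held in the record; a mismatch means the file differs from what was ingested.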

If you would like to learn more about how FileOnQ can help you manage everything from your Enterprise Platform to a Data Backup and Recovery Solution and Evidence Management Software Solutions, visit FileOnQ here

 
