This four-part series is based on a joint webinar between IAPE and FileOnQ, addressing the critical role of digital evidence and modern law enforcement investigations. Together, they explored collecting, analyzing, and managing digital evidence in today’s fast-paced and changing world.
This year marks IAPE’s 31st anniversary. IAPE has been teaching property and evidence best practices since 1993. They have instructed well over 25,000 property evidence professionals throughout the United States and Canada. IAPE offers two and three-day training classes on property and evidence handling.
Not only does IAPE provide fantastic training, but they also offer a huge, smart assortment of resources on their website, including best practices standards guides, training manuals, and SOPs through agencies around the country. You can find all of these resources and all of their upcoming training in the calendar section of their website at IAPE.org.
Let’s dive into Part 3 of the webinar…
Steve: “I’m going to switch gears here and go over an arson investigation that I worked on as a detective. It’s a great chance to highlight how digital evidence plays into a case like this and how it can really have a positive impact. It can also be really overwhelming if you don’t have a digital evidence management system in place.
A very nice lakeside restaurant burned down in my jurisdiction. It was a beautiful place, and it suddenly burned down to the ground in the middle of the night.
Detectives were dispatched a short time later to investigate, and almost immediately, investigators suspected arson.
Here’s the restaurant before the fire…
And you can see the fire here…
It was sudden, fast-moving, and unexpected. The arson detectives that came out immediately suspected that it was arson. It didn’t really make sense that it burned down. It didn’t appear accidental. I came to the scene and was asked to take crime scene photos and also to assist with any electronic evidence that needed to be recovered and managed.
Here’s an overhead crime scene photo, and you can see it’s a total loss.
As I was walking around taking photos for this case, I noticed a window that led to the manager’s office. As I got closer to that window, I realized that I was looking into what appeared to be a DVR system below a monitor.
The first thing I noticed about it was an older DVR system – a digital video recording system – with a disk tray on the right and a little USB port on the left.
I was hopeful that the system was up and running and that it may have captured a person of interest or a suspect. There were a number of concerns, though. A lot of times, businesses will have these DVRs in place, but they’re not actually working. They’re not functional, or they’re broken.
The other concern was the potential for environmental damage in this case. A lot of water had come down on the system. It had been raining that night, and firefighters had sprayed water into this office. Plus, there was the potential for smoke and heat damage.
So, the concern was about whether or not the system was completely broken and if we were actually able to get video off of it. I recovered that DVR system and brought it back to our lab. You can see it here.
It’s just a really simple Linux computer. You can see the hard drive on the right, and the little motherboard is toward the top of this image. When we opened it up, I realized that the hard drive was in really good shape, and it didn’t look damaged. But the system itself, the main board, was soaking wet.
I was very concerned about whether or not we were going to be able to boot up this DVR system. So, we let it dry out for several days. And while the system was drying, we cloned the hard drive, which is essentially making a copy of the hard drive.
Once the DVR was dried out enough for us to try to boot it up, we connected the cloned drive to the system and tried to start it, and unfortunately, it didn’t work. It wasn’t really surprising, but we were very hopeful that it would work. And you can see why here.
The main board was short-circuited. You can see the corrosion and the blistering and some of the rust from all the water damage. It was just simply not going to work.
When we tried to find a duplicate system on eBay or from a third-party reseller, we weren’t able to find one that we could purchase. Since the DVR was so old, they weren’t available to buy. So, all we had to work with was the hard drive.
We used forensic software to recover the files from the hard drive. There were over one thousand files on the hard drive. It was filled all the way up.
This is an example of files that are in a proprietary file format. So you can see that they are in a .img file format.
This is a file that you can’t open in Windows without specialized software. We made contact with the manufacturer and were able to get the player to open these files. I went through every single file to see if it contained video footage of the incident. It took weeks. Eventually, I found surveillance video that had been recorded when the fire started.
What you see in the image above is a barback area. The fire started in the top right-hand corner of the screen where a porch led out to the lake.
What was really helpful with finding this video is that it substantiated what our arson detectives already thought, which was that the fire started in that portion of the building on the backside of the building.
It was a very fast-moving fire. In the video, you can see parts of the ceiling melting off and onto the ground, and eventually, the fire overwhelms the camera and goes offline.
The person of interest came from the upper right section of the image and walked toward the location of the fire. It’s pretty low-resolution, but there’s a lot of detail there. If you look closely, there’s a distinctive shirt. He’s wearing a distinctive hat, shoes, and shorts. And you can see that this is a young juvenile male.
We also have a direction of travel, so we can see where he came from. And he walks right up to that point where we think the fire started. And then, about a minute later, he walks away toward the street in the upper left-hand part of the image. That gives us the direction of travel and potentially the area where he might live.
We did all the things you would expect. We canvassed the neighborhood, examined all of the physical evidence, and worked with the media to issue some media releases. It was a very compelling local news story at the time.
Despite all of our efforts, we weren’t able to identify a suspect until one of our school resource officers contacted someone at school.
We learned this juvenile male talked about the fire with some of his friends, and it got around the school. Eventually, a student mentioned it to one of our school resource officers, so we had a name.
We contacted the kid, and he admitted to the fire. But there was really no rhyme or reason for it.
He just impulsively started the fire using some debris there on the side of the building and then walked away.
It was a terrible thing to have happened to the owner of the restaurant, but it was also really heartening to be able to investigate this case, identify what happened, and find the suspect for charging. In an arson investigation like this, investigators are going to collect a great deal of digital evidence.
In this case, we easily had thousands of files that we recovered. This included patrol photos that were taken, crime scene photos, and crime scene video that investigators captured. Today, you’re going to have body-worn cameras and in-car video in most cases. There’s going to be surveillance video like you saw, and this is a fairly old case.
But today, most of the time, detectives are going to go out and recover video in the blocks around the crime scene. This includes the area where the suspect walks up, and then down the street when the suspect leaves. You’re going to be making contact with many homes and businesses to see if their surveillance systems captured video of interest and build a timeline of the suspect coming and going.
They’ll also have photos of the physical evidence. For example, I had photos of the video recorder, accelerants, and the suspect’s clothing. You will conduct audio interviews with the suspect and potentially other witnesses. You’ll have Word documents and PDFs, which include case notes, forensic lab requests, and search warrant returns.
Nowadays, many citizens will share mobile evidence with you — citizen-shared evidence. You might have photographs, videos, and other things that the community offers up as they learn about this case.
Your suspect almost certainly has a phone on him as well. That phone will contain some very critical evidence, such as location data, call records, and text messages with his friends. Photos, videos, and other social media-type things could also be evidentiary.
The takeaway here is that a case like this today is going to be many, many terabytes in size, and it doesn’t matter if you are a large department, a medium-sized department, or a small department. Arson like this can happen anywhere, just like a homicide can happen anywhere.
In this case, handling the digital without a digital evidence management system is going to be a nightmare to go through everything and try to figure out what you have. If you’re storing evidence on a file server without a digital evidence management system or if you’re putting it on portable drives, trying to go through it as an investigator and sort out what you have, and then make copies for the prosecutor, it’s just going to be a nightmare. The only way to manage a case with this kind of evidence is with a digital evidence management system.
Nowadays, every department needs to have a digital evidence management system. That’s the bottom line. It’s just a matter of when you are going to get a digital evidence management system.
So we’re just about finished here, and I know we’re running up against the clock. I wanted to hand this over to Alexis for a few moments to talk about IAPE’s best practices for handling digital evidence. She’s going to briefly touch on some standards that they have. Go ahead, Alexis.”
Alexis: “Thanks! IAPE is short for the International Association of Property and Evidence, and we have some standard operating procedures related to digital evidence.
We talk about the preservation, legal compliance, and the SOPs that you should have in your agency. Also protecting against contamination or loss, effective investigation processes, and, ultimately, accountability and transparency.”
Steve: “Let’s focus specifically on best practices for handling digital evidence. One thing to know is that if you’re processing mobile devices, video surveillance video, or a computer, there are going to be different ways that you process and handle that evidence, and they’re going to be very specific.
However, there are some best practices for handling digital evidence overall, and that’s what I want to go through here briefly. The first two bullet points are really for police administrators. It’s important to have an SOP for digital evidence handling.
Maybe you do have an SOP for handling digital evidence, but how long has it been since you updated it? If your SOP is 10 or 15 years old, then it’s probably time to take a look at it because this is an area that’s changing very quickly.
It’s also important to be able to provide training to your officers and your evidence staff, even if it’s just basic training. For example, a four-hour or one-day training on some of the things to think about, consider, or avoid when handling digital evidence.
It’s important to ensure you’re storing digital evidence in a secure environment – both a physically secure environment, and also electronically.
So if you’re on an on-prem server, it needs to be behind locked doors and have very limited access control built in. And if you’re storing your evidence in the cloud – Dropbox or OneDrive are not secure. Digital evidence needs to be in a secure environment, such as Azure for US Government cloud storage with a digital evidence management system over the top of it.
Of course, it’s also important to have redundant storage, meaning you want backup copies of that evidence. It’s really important that your evidence is stored in multiple locations, and if it’s on a file server, your IT is very likely not keeping it in multiple locations.
Also, never work on the original. Always maintain the original evidence. What this means is if you recover surveillance video, it’s going to be very tempting to bring it back to the station and sit down on a computer and watch it and say, OK. I gotta see if there’s a suspect on here.
It’s best practice to make a copy of that evidence before you watch that video and review the secondary copy, not the original. Because you could inadvertently delete the file, or corrupt it somehow. It’s best practice to maintain the integrity of the original. So never work on the original.
We were talking about file integrity earlier, and we should utilize methods to track that integrity. I talked about file hashing as a method to do that. Be sure to document that chain of custody and any work that’s done.”
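The practices described above (review a copy rather than the original, track integrity with a file hash, and document the work) can be sketched as follows. This is an added example, not part of the webinar or any FileOnQ or IAPE tooling; the file names, the JSON-lines custody log format, and the examiner label are assumptions made for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte video files never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_working_copy(original, work_dir, custody_log, examiner):
    """Hash the original, copy it, confirm the copy matches, and log the action."""
    original, work_dir = Path(original), Path(work_dir)
    before = sha256_file(original)
    work_dir.mkdir(parents=True, exist_ok=True)
    copy = work_dir / original.name
    shutil.copy2(original, copy)
    if sha256_file(copy) != before:
        copy.unlink()  # a mismatched copy must never be reviewed as if it were the evidence
        raise ValueError(f"copy of {original.name} does not match the original")
    entry = {
        "utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # hypothetical label; a real log would use the agency's identifier
        "action": "working copy created",
        "original": str(original),
        "working_copy": str(copy),
        "sha256": before,
    }
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")  # append-only: one line per action taken
    return entry


def original_unchanged(entry):
    """Re-hash the original later and compare with the value logged at intake."""
    return sha256_file(entry["original"]) == entry["sha256"]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence" / "cam01.img"  # constructed sample, not real data
        src.parent.mkdir()
        src.write_bytes(b"constructed sample bytes standing in for DVR footage")
        e = make_working_copy(src, Path(tmp) / "review", Path(tmp) / "custody.jsonl", "Examiner A")
        print(e["sha256"], original_unchanged(e))
```

All review then happens on the file under the working directory, and `original_unchanged` can be re-run before disclosure to show the original still matches the hash recorded at intake.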
In Part 4 of this series, we’ll provide you with some excellent resources regarding standards and best practices, training, organizations that foster education and communication, plus much more.