This four-part series is based on a joint webinar between IAPE and FileOnQ. The webinar addressed the critical role of digital evidence in modern law enforcement investigations. Together, the participants explored collecting, analyzing, and managing digital evidence in today’s fast-paced and changing world.
This year marks IAPE’s 31st anniversary. IAPE has been teaching property and evidence best practices since 1993 and has instructed well over 25,000 property evidence professionals throughout the United States and Canada. IAPE offers two—and three-day training classes about property and evidence handling.
IAPE provides fantastic training and offers a huge, smart assortment of resources on its website, including best practices standards guides, training manuals, and SOPs through agencies around the country. You can find all of these resources and all of their upcoming training in the calendar section of their website at IAPE.org.
Let’s dive into Part 4 of the webinar…
Steve: We’re going to provide best practice standards, training resources, and the names of organizations you can reach out for additional support. IAPE is certainly one of them.
I also touched on the Scientific Working Group on Digital Evidence (SWGDE). I highly recommend that you take a look at SWGDE. It’s an organization that provides quite a bit of free resources. They provide best practice standards. They also bring together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation. As well as to ensure quality and consistency within the forensics community.
They are a consortium of experts in law enforcement, academia, and the private sector who regularly handle, manage, and work with digital evidence. They come up with best practice standards that you can download. It’s all free.
As an example, we’ve been talking about best practices for digital evidence collection. They have a best practices guide that you can download. Another example is Introduction to Testimony in Digital Evidence if you find yourself testifying in court. SWGDE offers over 100 standard guides you can download, and they keep them up to date on a regular basis. So I definitely recommend them.
We also have training resources and a DEMS Guide for Police Administrators. The latter goes into greater detail about what we discussed—what to look for when considering implementing a digital evidence management system.
Finally, we’ll provide video retrieval notes and a video authenticity statement. They look like this:
These are forms I created for my police department and follow best practices laid out by the Scientific Work Group on Digital Evidence. The one on the left is a Video Retrieval Notes form for officers and detectives collecting surveillance video in the field. They can use the form to document the information about the location, crime, video system and generally take notes. The Video Retrieval Notes form captures information many prosecutors need when they are introducing surveillance video in court.
The form on the right is a Video Authenticity Statement. Investigators can use this form when they are at a business and the manager provides a copy of the video, but they don’t let you sit down at the system. This form captures that person’s information, their name, date of birth, and other personal information, along with information about the video surveillance system.
This includes the name and model of the video system and any time offsets. They can sign the form like a statement attesting that it’s true and correct. In the county where I worked, these forms were required anytime we recovered surveillance video.
Both of these documents are super helpful. They are locked Word documents, but there’s no password. You can unlock them, customize them, swap out the logo with your patch, and use them if you’d like. You’re also welcome to share the forms with other investigators.
Real briefly… I’d talked a little bit about us. We are an evidence management solutions company.
If you’ve been to any of the IAPE training classes, you may have already seen our evidence management system called EvidenceOnQ.
We have, for example, a customer…Metro PD in Washington, DC, that manages nearly a million items of evidence using EvidenceOnQ. The system’s counterpart is called DigitalOnQ, which is our digital evidence management system.
DigitalOnQ can manage all those evidence types, both standard and proprietary, that we talked about. It meets all of the important standards when it comes to CJIS compliance and storage requirements. It’s agnostic, it’s flexible, it utilizes file hashing, and tracks that chain of custody.
It does all that important work for you and manages the integrity of your files within the system. It’s called DigitalOnQ. If you’re interested in it, feel free to reach out to me. I’m glad to send you more information or talk to you about it over the phone.
2024 IAPE Classes
I will have Joe talk briefly about the class schedule coming up here. Go ahead, Joe.
Joe: I’ve been the executive director of IAPE for the last 30 years. If you’ve never heard of us before, we’re in our 31st year. We do training in all of the states in the United States and all the provinces in Canada. We have been everywhere.
As you can see, this year will be extremely busy. If you haven’t had any training or any training lately, you should join us. Keep in mind that most of our classes, so far this year, we’ve had to close, because we’ve run out of seating capacity. So I invite all of you to visit our webpage to sign up. We also have our class online. It’s about 15 hours, just like watching Netflix. It’s the same price as the live classes.
Again, I would like to thank Steve, Alexis, and Craig for putting this together. We try to partner with our friends out there so that we can share this information with as many people as possible.
Q & A
Steve: Let’s see if I have any questions. Craig, do we have anything that we want to touch on?
Craig: Yeah. There have been a number of questions. I know we’ve answered some of them. And Alexis, if you have anything that stood out to you to ask, I’d like you to ask those, also. I’m going to do a few, and then I’ll let you pass them on and see if you have any good ones. One that stood out to me is
Can you address USB security? Most items come from a third party. Does malware scanning impact the integrity of USB?
Steve: That’s a great question. Most digital evidence management systems don’t do file scanning. And your system really shouldn’t do that because virus scanning could introduce changes to the files as they come in when they’re scanned and potentially changed.
I did quite a bit of surveillance video recovery while I worked as a detective. And yes, you can run into a rogue system that downloads malware on your thumb drive, but it doesn’t happen very often. Periodically, you may run into an old Windows XP computer setup that is used to manage a surveillance system. Windows XP is no longer receiving software patches and is vulnerable to viruses. One of the things that we did in our lab… and I worked in a four-person digital forensics lab… we wiped our thumb drives on a regular basis. We also triaged or viewed digital evidence we suspected might have viruses on a cold computer not connected to the network or a laptop we use for that purpose.
Alexis: I resonate with that as well. Ultimately, they shouldn’t be on your network. They shouldn’t be anything that you should have on a computer. If you’re getting digital evidence, from maybe the shop down the road, or something like that and they give you a USB. Obviously, coming from the cyber person, I would recommend not putting that into anything within your network. But it sounds like you’re doing an automatic scan when it comes through the anti-virus. So, I think that’s good, but it can alter files and do some metadata changes.
Steve: Make sure they come from a trusted source. And definitely be careful. In our department, we had a laptop that we just basically beat up on. It was the laptop that we’d use to dump information and examine it if we thought it was suspicious. And so it wasn’t on the network.
Craig: I have a question… FileOnQ only uses local storage? Is there a solution for Cloud Storage coming?
Steve: Yes. You can do either on-prem or cloud storage with DigitalOnQ. We also offer DigitalOnQ as an on-prem solution or a SaaS. We can set it up so that you’re completely off-site. We use Azure Government Cloud Storage for off-site storage.
Alexis: Someone asked about hashing…. If you change the file format, does that affect the hash? It does. That conversion process ultimately changes the original file and re-encodes it in a new file format. Just remember: changing a BMP file to a JPEG is going to change that hash. So just be aware of that.
Steve added: It’s OK to have a derivative. Just maintain that original and document your changes. You may have surveillance video, which is proprietary, and it doesn’t play very easily, right? You’re trying to play it in your lab, or your work computer, and it’s really wonky. So, you may use forensic software or some tools to convert it to a standard MP4 format.
That’s perfectly acceptable. Just be sure to let the prosecutor know the MP4 is something that can be played in court, and you always point back to the original. So if the prosecutor or defense wanted to look at the original, you could say, Yeah, we got it, and we can show it to you. It’s unchanged and unaltered. We have it saved, and I can get your copy.
Craig: I have another question here. It says, Most of our departments and our state’s attorney’s offices use iCrimeFighter. Our officers send requests via iCrimeFighter to the business, and the digital evidence gets uploaded right from the business. Does this cause an issue for authentication?
Steve: DigitalOnQ can do the same thing. That’s a citizen share feature, which is a really important tool in a digital evidence management system. The way it works for us is that we have it triaged before it is sent directly to the digital evidence management system.
What happens is the officer sends a share request to a witness or victim. The requestee responds by uploading videos or photos, but they don’t go directly into the digital evidence management system. The files are placed into a waiting queue for the officer to review and then approve.
It doesn’t really cause any problems, but you just have to make sure that you’re tracking the chain of custody, and that’s why the waiting queue is important. The investigator needs to confirm, OK, the files came from somebody I actually trust, that I sent a request to, and they sent it back.
If you don’t have a triage checkpoint in place for citizen-shared evidence, you can potentially have a lot of stuff like anime and pornography… One thing that happens when agencies put out a link for digital evidence on a public incident – let’s say it’s an arson – and they send out a link and request to the public: Send us whatever evidence you’ve got on your phone. Or, if you capture something of interest, please send it to us. You’ll find many agencies getting 60, 70, and 80% of garbage files.
Things that are inappropriate, anime, and sometimes even types of virus files. So there’s gotta be some kind of triage checkpoint in place for investigators to review before the digital files are ingested into the digital evidence management system.
Craig: That’s great. Steve, I have another question. How are any related online data transfer efforts completed from your system without altering evidence?
Steve: It’s shared into Azure, so if you’re already in Azure, it’s already there, but DigitalOnQ makes a copy of the evidence that’s being shared. The system checks the hash of that file to ensure the hash is the same when it makes a copy. Then, you make it available to whoever you share it with. So, nothing changes when the share happens.
Alexis: The question was, Since we don’t have a digital evidence management system, we work on a copy, not the original. How do you document that you work on a copy, not the original? It sounds like they had a case where they made a copy on a hard drive for an officer to work with, and they weren’t sure if both had to be submitted.
Looking at it from a property perspective, if you made a copy and you have the evidence on two different drives, you want to have both of those in the property room. Ultimately, any evidence, physical or digital, should be handled the same, and it should be stored back in the property and evidence room.
Craig: The last question I will ask is, Would it be best to convert all digital evidence from CDs in USBs to the cloud?
Steve: We’re not talking about converting but just migrating it away from your physical media. That’s a huge challenge. Because you’re talking about loading disks in, one at a time, manually, and moving stuff. But, yeah, it’s a wise thing to consider. It really depends on how many disks you have and how much evidence you have.
If you’re a smaller agency, and you have 300 or 400 envelopes of evidence, that might be manageable over time. We recommend that you take your newest evidence first to migrate it into your digital evidence management system. You’d start with 2023, and then you work backward because that’s the evidence you’re most likely going to need right away. And then just move backward. If you’ve got evidence that goes way, way back, it might just make sense to leave it.
But, you will probably have to look at it at some point for retention and for purging. As you’re doing that, it might make sense to do a purging process – or get rid of what you can – before you even try to do that migration. It’s a tough answer, because it’s important, but at the same time, it will probably be very challenging and time consuming, maybe not even practical, depending on how much you have.
Alexis: We teach that at IAPE as well. You have all that old evidence. That old homicide stuff that you’re going to have to keep forever. It’s nice to have that in your system so you know what you have, especially when you’re migrating to an electronic system. Look at the scalability of it, the accessibility long term, maybe the cost efficiency, and then ultimately at data security and compliance.
Craig: I know we just scratched the surface here, but we only have an hour. For those of you who have questions, we’ll get back to you via email and go through the questions we did not answer. All right, thanks, everyone. Have a great rest of the week.”
If you would like to learn more about how FileOnQ can help you manage everything from your Enterprise Platform to a Data Backup and Recovery Solution and Evidence Management Software Solutions, visit FileOnQ here.
