Digital technology is increasingly becoming a part of criminal activity—and increasingly a part of police work. Consequently, law enforcement agencies are being hit from two sides. On one side, they must deal with “cop-made” digital evidence, such as digitally recorded interviews, crime-scene photos and other digital media used in documenting an investigation. On the other, agencies must deal with “criminal-made” digital evidence, such as a suspect’s e-mails sent promoting an online scam operation.
Savvy agencies know how to successfully handle digital evidence—from finding it on the street to presenting it in the courtroom and preserving it long after the first round of appeals. They strive to develop the expertise and competency to deal with four aspects of digital evidence: recognition, investigation, presentation and preservation.
Recognition
Agencies that keep pace with technology strive to train all ranks in effective recognition of digital evidence. Whether it’s an obvious technology crime, such as Internet child pornography, or realizing that a cell phone or GPS may contain digital evidence about a burglary ring, savvy agencies ensure personnel are aware of and well trained in identifying and collecting digital evidence. Bottom line: The more digital technology becomes a part of our lives, the more it will become a part of criminal activity. Police investigators must stay ahead of the curve.
Investigation
Proper handling of digital evidence is critical, especially since the manner in which digital evidence is secured and collected must not compromise its integrity or the digital chain of custody. Even the most damning criminal case will fall apart if digital evidence was mishandled at any point during the investigation. And unlike physical evidence, the proper protocols for handling digital evidence may seem counterintuitive. To avoid these and other pitfalls, successful law enforcement agencies maintain clear, effective policies and protocols to facilitate efficient, proper and lawful handling of digital evidence.
Typically, leading agencies also have a team of competent digital forensics professionals to handle digital evidence and support other officers and investigators. However, funding a digital forensics unit can incur astronomical expenses.
To overcome financial and operational burdens, Sgt. Josh Moulin of the Southern Oregon High-Tech Crimes Task Force recommends that “agencies should strongly consider a taskforce model.” Agencies in Oregon know they can turn to the help and experience of this multi-jurisdictional taskforce. Likewise, pooling resources from various agencies and jurisdictions may alleviate costs and ultimately yield greater expertise and results.
Presentation
Effective agencies also train their personnel to use and present digital evidence effectively in court. Indeed, many cases have been made (or lost) by just one e-mail, a single digital image or confusion about a lone IP address. A hallmark of successful prosecutions is the proper handling of digital evidence. Just as important is how well it is presented in the courtroom.
To improve success, leading law enforcement agencies tend to work closely with (specific) prosecutors to present digital evidence in the most clear, convincing and simple terms. The importance of collaboration with prosecutors can’t be overstated. Nothing confounds good police work like a great, prosecutable case that falls completely apart in the courtroom because the prosecutor couldn’t fully explain the investigative processes involved.
Using digital evidence checklists all the way from the crime scene to the courtroom can be effective in enhancing collaboration between law enforcement and prosecutors. Checklists can take the guesswork out of handling digital evidence and promote consistency during the process. The FBI, Secret Service and U.S. Department of Justice offer training and have published guides to help improve digital evidence investigations (e.g., Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors [DOJ & NIJ]; Best Practices for Seizing Electronic Evidence, a Pocket-Guide for First Responders [U.S. Secret Service]).
Preservation
Figuring out how to preserve and reproduce digital evidence can be perplexing, particularly since both temporary storage of digital evidence (e.g., between collection and analysis) and long-term preservation (e.g., to accommodate time until trial and appeals that can span several years) pose several technological challenges. When it comes to preserving an original versus a copy, U.S. Code, Title 28, Part V, Chapter 115, § 1732 is fairly clear: “… the original may be destroyed in the regular course of business unless its preservation is required by law. Such reproduction, when satisfactorily identified, is as admissible in evidence as the original itself in any judicial or administrative proceeding whether the original is in existence or not …”
However, both originals and copies of digital evidence are susceptible to obsolescence due to rapidly evolving technological advancements. What may work well today may not work at all tomorrow. So routinely keeping an inventory of the types, files, software and infrastructure needed to access, maintain and use various forms of digital evidence is a good idea. Knowing which evidentiary files you have in EBCDIC format, AppleWorks or even older versions of Microsoft products that aren’t fully compatible with newer versions can be critical to both reproduction and preservation.
It helps to also have precise, reliable and defensible procedures for reproducing digital evidence (regardless of format) and have a long-term digital evidence strategy and plan.
Quick Tip: Your protocols should require sharing evidence & context with prosecutors to ensure digital evidence is well-understood before it shows up in court.
Collection, Analysis & Integration
When it comes to managing “cop-made” digital evidence, integration is the key. Having a common platform and seamless integration is crucial for several reasons. The more platforms and applications involved, the greater the complexity—and the greater the risk for compromises in the security, integrity and analysis of digital evidence in your system and the courtroom.
This is partly why many leading departments integrate their various forms of digital evidence into a single repository. Pulling together digital evidence—from helicopter pursuit video to digitally recorded interviews—into a single repository and point of access allows for more efficient, effective and consistent use.
When it comes to digital evidence integration, consider solutions like MediaSolve’s iDEM (Integrated Digital Evidence Management). It’s a flexible platform that allows various forms of digital evidence to be indexed, searched and analyzed in common. This can greatly improve efficiency in accessing, analyzing and using digital evidence to your best advantage. The police departments of Chicago, Toronto and Washington, D.C., all use iDEM.
To help satisfy evidentiary requirements, the iDEM solution provides an important audit trail. An automated and accurate audit trail (and file log) is a must. Michael Smith, chief technologist for DSS Corporation, recommends that an “audit trail include the date/time, username, workstation and type of access (view, copy, modify, delete, etc.),” and as much available information as possible.
No matter which solution you choose, remember that the fewer the moving parts, the better. Therefore, a multi-vendor strategy is likely to be less than ideal. It’s better to take the time and find a single vendor to meet all of your needs than bear the risks of multiple, and potentially conflicting, components. Bottom line: The better the integration, the better the solution.
When it comes to contraband digital evidence—evidence created by a criminal—strive for isolation (the opposite of integration). Moulin explains: “The servers and storage of a digital forensics unit should be completely disconnected from any other network and physically isolated and secure because they have contraband stored on them.” This may be at odds with your IT department, but it’s “a must,” according to Moulin.
Once you’ve isolated the proper system and storage, be sure to provision the best, most secure analytical tools possible and ensure they’ve been vetted in the courtroom. From his team’s experience, Moulin says, “the forensics are usually straightforward—either the evidence was found on the hard drive or it wasn’t,” but as defense attorneys are becoming more experienced with digital evidence and forensics, there’s “a trend toward attacking the handling of the digital evidence.”
It’s wise to have a solution that works for your digital evidence team, as well as the prosecution. For example, Guidance Software offers the EnCase product suite that has stood up to courtroom scrutiny time and time again. EnCase Forensic can help analyze data from a wide variety of devices, uncover critical evidence and maintain its integrity. EnCase Field Intelligence can perform covert, live forensic investigations across a data network without disrupting or alerting the person being investigated. Another part of the EnCase suite is EnCase Portable, which is a “triage USB toolkit” that first responders can use to uncover digital evidence in various formats from different platforms. Lastly, the EnCase Neutrino helps investigators collect data from mobile devices and cell phones. Overall, EnCase products are designed to work seamlessly with each other. This is a key benefit and a crucial factor for evidence integrity and management.
Conclusion
Overall, successful law enforcement agencies are aware of the growth of digital evidence not just as a part of a few high-tech crimes, but of all crime. They understand digital evidence can play a critical part in any investigation, whether it’s a larceny, forgery, burglary or homicide. Successful LEOs effectively manage both “cop-made” and “criminal-made” digital evidence.
Integration is best for managing cop-made digital evidence. However, criminal-made digital evidence must be isolated.
Lastly, it’s best to take a systematic approach to the four aspects of digital evidence: recognition, investigation, presentation and preservation. This includes proper training, protocols, resources and service providers to handle digital evidence—from the moment the first officer arrives on scene until long after the final appeal.
Cop-Made Digital Evidence Must be Integrated
Examples:
• In-car or body-worn video
• Digital crime scene photos/videos
• Digitally recorded interviews
• LPR records
VS.
Criminal-Made Digital Evidence Must be Isolated
Examples:
• E-mails sent & received
• Phone records
• GPS coordinates
• Digital photos/videos of crimes or evidence
Additional References
LawOfficer.com – www.LawOfficer.com/Investigations
Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors – www.ojp.usdoj.gov/nij/pubs-sum/211314.htm
Best Practices for Seizing Electronic Evidence, a Pocket-Guide for First Responders – http://www.forwardedge2.com/pdf/bestpractices.pdf