Even though most digital investigators know the importance of securing digital evidence, it often happens that the evidence gets disregarded, resulting in cases collapsing and criminals getting away due to technical issues.
We have spoken to Joseph Jones, a former British Military and Law Enforcement Intelligence officer with more than 15 years of intelligence-gathering and investigative experience.
In this article, he will tell us about four critical steps for securing digital evidence and what can go wrong if not done correctly.
You will learn more about:
- Securing your workstation
- Chain of custody
- Timestamps
- Hash values
- The principles of digital evidence
Step 1 – Securing your workstation.
The first thing to do is to secure your workstation.
– In my opinion, securing digital evidence all starts with the environment. Ensure that you are working in a lab where only people meant to be there can enter. Encrypt your hard drive and your case files and use a system that regularly removes viruses and unwanted programs, says Joseph.
With an encrypted hard drive, no one can plug it into another computer and read the content. But is it really necessary to encrypt the files if the hard drive is already secured?
– Yes, it is also important. For example, let’s say someone breaks into your home while your computer is left open and reads your files. Or if you’re in a lab and someone decides to read something they shouldn’t read while you’re on the toilet. With encrypted files, no one can access them without a password, says Joseph.
It is easy to think that these things would not happen to you. But they can happen, and that’s enough for a suspect’s defense legal team to question the admissibility of digital evidence. They could reasonably argue the evidence to be inadmissible; such an instance could see an entire trial collapse.
Step 2 – Chain of custody
The idea of the chain of custody is to account for every single physical item containing digital evidence from the moment it is collected from the crime scene to when it is presented at trial.
For example, if you have collected evidence and put it on a USB stick, the chain of custody must be applied so that the whereabouts of such evidence are indicated – not a single minute must go amiss.
Traditionally, the chain of custody is a paper-based log, though some police forces have implemented a digital approach to this crucial process.
– You have to log everything you do when collecting digital evidence. Precisely what time you did it, where, and how. If there is, for instance, a gap of one or two minutes where the USB stick can’t be accounted for, the legal defense team for a criminal suspect can argue that someone could have altered the information, says Joseph.
Unfortunately, the chain of custody accounts for many cases involving digital evidence collapsing.
– To write down every single step might sound time-consuming, and the reality is that it is – but for all the right reasons. We owe it to our professional reputation, the police force we serve, and the suspect to ensure a fair trial where there are no doubts when it’s time for the judge or jury to make their verdict, says Joseph.
Step 3 – Timestamps
Timestamps are also an essential step in securing digital evidence. Timestamps serve many purposes. With timestamps, you should be able to create a timeline so that a third party can look at the digital evidence and re-create the whole investigation process.
– If a criminal has been evicted on account of digital evidence, and decides to appeal, then a completely new legal team should be able to look at the evidence, analyze them and get the same result. In this process, timestamps are essential, says Joseph.
Another scenario when timestamps are extra critical is if you’re working on a case in various timezones.
– When working on cases regarding drug smugglers, human traffickers, etc., the timestamp is crucial. Because it will say that the evidence was collected at a specific time, but it also relates to when a picture was taken in another timezone, explains Joseph.
Step 4 – Hash Values
The final step in securing digital evidence is to add one or more hash values to every single piece of digital evidence. A hash value is a randomly generated string of numbers and letters added to the evidence to verify that it is accurate and has not been tampered with.
– The problem is that, in theory, you could download a picture from the internet, photoshop it and add a hash value afterward. So this also creates doubt sometimes in court, says Joseph.
A solution for this problem would be to use software like Discovry. Because in Discovry, you collect the evidence directly from the source in a built-in browser which automatically assigns a timestamp and a hash value.
– As I said before, securing digital evidence all comes down to doing everything in a way so that it can’t create any doubts at all when presented within the court. Because the defense will use it, and criminals go free due to sometimes minor technical issues, says Joseph.
There is an exception to this step; when collecting evidence from an encrypted mobile device, sometimes there is a need to conduct what is referred to as a ‘live forensic acquisition’ of digital evidence.
In these cases, the evidence can still be admissible in court, but you have to explain why they do not have a hash value and if there is any risk with the evidence.
– It is a little flexible, but I would say that it all comes down to the right training. If the digital investigator has the proper competence, knows how to secure the evidence, and knows what can and can’t be used in court, then none of this is a problem, says Joseph.
Joseph is working with these kinds of training, and if you have any questions and want to contact him, you can contact him here.
The principles of digital evidence
There is a framework by the Association of chief police officers, which a few countries around the EU have adopted. It is a guide on good practices for digital evidence.
On page 7, section 2 in this guide, you can read about the four principles of digital evidence. These principles include everything we have talked about in this article, and they are as follow:
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Countries with this framework have to stick to it completely, which is good since they ensure digital evidence is safe and fair to use in court. This is important for the whole legal system.
If you are interested in learning more, read the complete guide here.
Get in touch!
Reach out to learn more or discuss how we can help you in your work.
