The Deluge of Digital Evidence
December 17, 2019
In the last few years, evidence management has become much more hectic due to the dramatic increase in digital evidence. In fact, it’s predicted that in less than five years, digital evidence will eclipse the amount of physical evidence that is taken in annually by law enforcement agencies. Because of that, Evidence Custodians are leading the charge to implement new software tracking systems to manage the never-ending deluge of digital evidence.
Like physical evidence, proper collection and management of digital evidence are critical to avoid spoliation and to preserve the integrity of the evidence throughout its entire lifecycle. If proper procedure is not followed during the acquisition of evidence, any data recovered may lose its admissibility in court.
According to excerpts from an article by New York Computer Forensics, organizations commonly make the following errors with regard to digital evidence.
Mistake #1 – Using untrained internal IT staff
Let’s say a company suspects the evidence on a device will be important to a case. Legal counsel subsequently asks the custodian to print, download, and/or save the data to portable media. The technician goes to the site, turns on the computer, opens the files, prints the data, and saves the data on a CD or DVD. At this point everything appears sound; everyone believes the data has been successfully collected.
But appearances can be deceptive. First, all you have is information and data – there is no evidence. Unless your evidence custodian is certified in computer forensics and trained on evidentiary procedures, they have not maintained chain of custody or followed other accepted evidence techniques.
Secondly, even if proper evidence handling techniques have been used, the collection process itself has altered, and likely tainted, the data collected. By opening, printing, and saving files, the meta-data has been irrevocably changed. Lastly, the act of turning on the computer changes caches, temporary files, and slack file space which, along with the alteration of the meta-data, may have seriously damaged or destroyed any evidence that was on the computer.
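The effect described under Mistake #1, as an added illustration that is not from the cited article or from Tracker Products: re-saving a file leaves its content hash unchanged but rewrites its modification timestamp, while read-only hashing leaves both intact. The file name, contents and backdated timestamp are constructed sample values; access time is left out because whether it updates depends on mount options.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Record a content hash and filesystem metadata without writing."""
    st = os.stat(path)
    with open(path, "rb") as f:  # read-only handle
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def changed_fields(before, after):
    """Names of the recorded fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    """Compare read-only collection with an open-and-save collection."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "memo.txt")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"constructed sample document\n")
        # Backdate the file so it looks like it was last edited in 2017.
        os.utime(path, (1_500_000_000, 1_500_000_000))

        baseline = snapshot(path)

        # Read-only collection: hashing again changes nothing we record.
        after_read = snapshot(path)

        # Untrained collection: open the file and save it back unchanged.
        with open(path, "rb") as f:
            data = f.read()
        with open(path, "wb") as f:
            f.write(data)
        after_save = snapshot(path)

        return (changed_fields(baseline, after_read),
                changed_fields(baseline, after_save))


if __name__ == "__main__":
    read_only, resaved = demo()
    print("changed after read-only hashing:", read_only)
    print("changed after open-and-save:", resaved)
```

A matching hash alone therefore does not show that a file's timeline is intact; the metadata has to be recorded at acquisition as well.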
Mistake #2 – Waiting until the last minute to examine the digital evidence
Delaying or deferring examinations may damage the lawyers’ ability to win the litigation. This is all due to the unique nature of electronic evidence.
In general, electronic evidence in the form of undeleted standard user files is fairly robust and stable. Many matters, however, depend on the ability to authenticate user files, reconstruct timelines based on file usage, and recover deleted files. This type of evidence is extremely fragile and naturally degrades over time with computer use. The longer this evidence has been allowed to degrade, the greater the odds that the information is unrecoverable and the more difficult, costly, and time-consuming the recovery effort will be.
Mistake #3 – Limiting the scope of digital evidence
In a complicated matter, it can often be very difficult to know which systems have evidence and which do not. Did the principals use their home computers? Did they use the file servers? Which email servers were involved? Is there data stored offsite or on portable media? One of the most common mistakes, both in investigations and discovery, is limiting the scope of digital evidence, because the individuals involved do not fully understand computer systems (or forensics), and they do not know where to look for evidence.
When servers or systems are not initially collected, the effort increases significantly due to the degraded state of the data. So, if there’s a 20% chance that evidence from the system will be needed, you should collect it. Analysis of the data can always be deferred until there is more certainty about its necessity.
Mistake #4 – Not being prepared to preserve electronic evidence
Given the ubiquitous use of digital devices and electronic storage of information, any law enforcement agency, regardless of size, should expect and be prepared to preserve digital evidence at a moment’s notice.
In a recent case, a company was fined $1,000,000 and faced courtroom sanctions because while they had instructed employees not to delete files, they neglected to stop the automatic overwriting of backup tapes.
In short, just tracking the massive spike in digital evidence has been challenging enough for law enforcement personnel; add in the mind-boggling development of complicated systems – like Bitcoin currency, Blockchain databases, and Ransomware cyberthreats – and tracking evidence in the near future will become much more technologically complex than simply seizing hardware.
Now, just storing digital files can be a nightmare for law enforcement agencies. Outdated methods of digital evidence storage are still the norm for the vast majority of law enforcement agencies today. Most digital evidence is burned onto CD or DVD for later use. Ten years ago, most agencies could fit all of their digital files into a shoebox, but today the same agencies are faced with shelf after shelf of DVDs and CDs, and the stacks grow exponentially each year as new, more memory-intensive applications make their way into the industry.
This can be an overwhelming task for property rooms unprepared for the additional burdens of the digital age. That means the continuing education of Evidence Managers should be a priority, and adopting a new evidence management mindset – for the entire department – should be mandatory.
Tracker Products can help ensure that your critical digital evidence is authenticated, stored securely, safely and dependably for as long as you need to keep it. Not only that, our system provides easy access to those who need it – while denying access to those who don’t – from anywhere in the world.
Do you need a better system for managing evidence, collections, assets, legal records, or other sensitive information? We can help you get back on track. Contact Tracker Products today to learn more about our software or to get information about a free trial.
Or, if you’re interested in Evidence Management Training Classes, Discover EMI Here!
***The Boston, Omaha, and St. Louis Police Departments, as well as the United States Department of Justice, Secret Service, and Department of Defense currently track their evidence with SAFE.