Digital Evidence Management—All about Security

Few question the overwhelming impact that digital evidence has made on law enforcement in the 21st century. It started with point-and-shoot digital cameras and in-car video cameras and has reached an apex with body-worn cameras, smartphones, and wireless surveillance videos. Because digital files from these sources are essential evidence, careful attention must be paid to ensuring their integrity. A lack of attention to digital evidence integrity leaves the door open to challenge by a clever defense attorney.

 

At the heart of ensuring integrity is storing images, videos, and voice recordings. You can store digital evidence on DVDs. You can store it on your desktop. Alternatively, you can store it in a folder on a server. Many agencies store digital evidence in their records management system (RMS).

 

At the end of the day, however, the legal concern will be satisfied only if the processes for handling a file, from recording through storing and sharing, support its unimpeachable integrity. Is digital evidence merely stored, or is it carefully “managed”? What has to happen to help the prosecutor respond to a defense attorney who asks, “How do I know the files you gave me in discovery are original and untouched?” The answer to these questions is managing each file through a gauntlet of tests, the core of a digital evidence management system (DEMS).

 

The first test is to verify that the digital file is a true copy of what was recorded and has not been tampered with in the source memory. It is possible to “enhance” digital files prior to upload using tools such as Photoshop and Adobe Premiere. Digital evidence management software can do this verification automatically, but if the file is first copied to portable media or to a folder on a server, automatic verification is not possible, so the person uploading it must attest to its originality.

 

The second test is to ensure that what was copied to storage transferred with 100 percent accuracy, independently of whether the source file has been verified as original. Most file transfer processes run a checksum that indicates that all the data (bytes) that were sent were received. It is possible for one or more bytes to become corrupted while the count of bytes sent remains the same as the count of bytes received. To overcome the possibility of such corruption, the transfer or upload routine needs to run a “hash” routine on the file. The hashing routines present in most DEMS authenticate that every byte received was the same as every byte sent.

 

The next test is to ensure that no user has direct access to the authenticated file. Storing the file on DVD, in a folder on a server, or in an RMS allows direct access to it, if for no other reason than to copy it for sharing with detectives or prosecutors. An advanced DEMS allows only indirect access through a middleware utility, such as IIS (Internet Information Services). The user, through the DEMS, accesses IIS, and that utility accesses the file.

 

In addition, only users authorized through a security system that requires a logon ID and strong password should have access to the DEMS. Moreover, that application should keep a log of each time a user accesses the file (the chain of custody), as well as an activity log that records each attempted access to the system (successful and unsuccessful) and each user search for records.

 

Another test is to ensure that the original file is not changed while stored. There are three considerations here. One is to encrypt the file in storage. While very secure, encryption slows performance. The second is to prevent even an authorized DEMS user from enhancing or editing the stored file. Any changes should occur on a copy of the original, with a log of all changes captured and stored with the untouched original. The third form of security targets the potential of a rogue IT technician. If so much as one pixel in a file is changed “behind the scenes,” the DEMS should expose the corruption. It does so by running a hash on the file each time it is displayed, copied, printed (image), etc., and displaying on the screen that it is either untouched (authenticated) or corrupted.
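
The transfer test and the stored-file test described above can be shown together in a short Python sketch. This is an added example, not code from any DEMS product; the EvidenceStore class, the evidence ID, the user names, and the sample bytes are all hypothetical, and SHA-256 is assumed as the hash.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceStore:
    """Hypothetical in-memory store: hash at ingest, re-hash on every access."""

    def __init__(self):
        self._files = {}       # evidence_id -> stored bytes
        self._digests = {}     # evidence_id -> SHA-256 recorded at ingest
        self.custody_log = []  # (evidence_id, user, action, status)

    def ingest(self, evidence_id, user, received, source_digest):
        # Compare the digest computed at the source with the bytes that arrived.
        ok = hmac.compare_digest(sha256_hex(received), source_digest)
        self.custody_log.append((evidence_id, user, "ingest", "authenticated" if ok else "rejected"))
        if not ok:
            raise ValueError("digest mismatch: transfer corrupted")
        self._files[evidence_id] = received
        self._digests[evidence_id] = source_digest

    def access(self, evidence_id, user, action):
        # Re-hash on every display/copy/print and log the result.
        data = self._files[evidence_id]
        ok = hmac.compare_digest(sha256_hex(data), self._digests[evidence_id])
        status = "authenticated" if ok else "corrupted"
        self.custody_log.append((evidence_id, user, action, status))
        return status, (data if ok else None)

def demo():
    original = b"constructed sample video frame " * 64  # constructed input
    source_digest = sha256_hex(original)
    damaged = bytearray(original)
    damaged[100] ^= 0x01                 # one bit flipped in transit
    same_size = len(damaged) == len(original)  # a byte count sees nothing wrong
    store = EvidenceStore()
    try:
        store.ingest("EX-1", "officer1", bytes(damaged), source_digest)
        rejected = False
    except ValueError:
        rejected = True
    store.ingest("EX-1", "officer1", original, source_digest)
    before = store.access("EX-1", "detective1", "display")[0]
    store._files["EX-1"] = bytes(damaged)  # simulated behind-the-scenes change
    after = store.access("EX-1", "detective1", "copy")[0]
    return same_size, rejected, before, after, store.custody_log

if __name__ == "__main__":
    print(demo())
```

The re-hash on access exposes a changed file only if the recorded digest is kept where someone who can alter the file cannot also alter the digest.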

 

So, now, you make an authenticated copy available to the prosecutor, defense attorney, or other third party—the press, insurance company, and so on. How do you protect it? Say you burn a CD. Is it password protected? OK? How do you prove it’s a true copy of what was uploaded? 

 

If your digital evidence management software anticipates and deals effectively with all of these tests and answers these questions, you can help your prosecutor hold defense attorneys at bay.