Brought to you by Susteen
Three key items to include in your department’s digital evidence policy
Digital evidence has unique properties and there are special rules for handling it
Between email, data stored on cellular and smartphones and social media, it’s rare to find someone who doesn’t have some kind of digital footprint. This means that any case can have a digital evidence component. This material has unique properties and there are special rules for handling it. Your agency’s digital evidence policy should include the following:
The Freedom of Information Act (FOIA), signed into federal law in 1966, is the best known and perhaps the widest-ranging statute on public access to government documents. However, every state has its own version of FOIA, and they vary considerably. Some states provide nearly full disclosure of public records and communications, and others maintain numerous restrictions. If you aren’t both current and compliant with your state’s laws, you can open yourself to civil and even criminal liability.
In the digital age, one of the most common FOIA demands is for the output from body-worn cameras. Most requests will be to serve a legitimate interest, but if the law permits citizens to demand video for any reason (or no reason at all), the burden of production can be onerous. A citizen in western Washington State demanded all the video from one small police department there, and more than 300,000 hours more from the Seattle Police Department.
Besides the personnel and material cost of producing this volume of video, there is also the issue of redaction. Many police videos show faces, license plates, addresses and other information that could be used to identify disinterested private citizens and violate their privacy rights. Each video may require redaction editing to remove these details, a process that is time-consuming with even the most advanced software.
One workaround that may comply with state FOIA laws is to create one or more viewing kiosks at police facilities where citizens can call up and view video, but are required to complete another step to request a copy. You may also be able to charge a reasonable production fee that will both reduce costs and discourage mass demands for video that would overwhelm your operation.
All digital evidence is stored in or on some kind of medium or device, such as a desktop or laptop computer, a phone or flash drive. The people with the best reasons for not allowing you to get to that data will employ some kind of lock or encryption on the device so that only they can get to it.
An eager investigator who doesn’t have the requisite technical chops might try to extract the information themselves. This can have disastrous consequences. The first doctrine is that you never work with the digital original. It’s much better to clone the device to make a mirror copy, and put the original into safekeeping. Even viewing the original data may change it in a way that compromises any digital evidence.
Worse, some devices wipe or encrypt the data after a specified number of incorrect guesses at the passcode. iPhones running the current operating system will delete all the data on the phone after 10 incorrect passcode attempts. Pressing the power button on an iPhone five times will make an emergency call to a number the user pre-designates, and also disables the biometric (fingerprint or face ID) lock, so that a passcode is required. If the phone is locked in this way, it’s highly unlikely you’re going to get into it without the user’s assistance.
Many devices can be disabled or wiped remotely. Remote access is disabled if the device is contained in a radio frequency-proof container, also called a Faraday cage. You can buy or construct Faraday cages, but most microwave ovens will work in a pinch, so long as the door remains latched. Put the device(s) inside, then unplug the oven to prevent someone from nuking your evidence.
A witness with a photo or video on their phone may be reluctant to give the phone to an investigator to extract the file. The witness may have personal, or even incriminating information on the phone they don’t want the police to have. In those circumstances, an imperfect solution is to have the witness email the photo or video file from the phone, or copy it to a shared file resource like Dropbox or OneDrive, where it can be retrieved by a third party. This method is suboptimal because of the potential for the file to be edited or otherwise altered before the police get control of it.
The best policy is for officers and investigators to secure any data-containing devices they find, ideally inside a Faraday cage, and transport them to a qualified forensic tech for analysis.
Protecting your data
External cyberattacks are now common and no one is immune. The City of Atlanta suffered a ransomware attack in March 2018 that may cost $17 million to repair. The destroyed data included years of output from the Atlanta Police Department’s dash cams.
One of the simplest and most effective ways to protect your data is to ensure that default passwords on software and devices are changed to something more random, and that users do not use simple or easy-to-guess passwords. Employing a password manager allows for the creation of long, random passwords, and there is no need for the users to remember them, as they’re stored within the password manager. Some applications allow for the use of two-factor authentication, where access requires both a password and a second token that is sent to a portable device or carried by the user.
A less-intuitive safeguard is to forbid the use of flash or thumb drives in your agency’s devices. Flash drives are handy devices that store a lot of data, but they can pick up and transmit viruses faster than a five-year-old at preschool. If you do permit users to transfer data with flash drives, either limit them to agency devices only, or require that any that are exposed to outside sources be scanned by an air-gapped antivirus computer before they can be used in your department’s machines.