EMI Standards and Best Practices

Chapter 4 – Technology and Digital Evidence

Purpose: Digital evidence is the largest growing segment of evidence storage and management within the justice system. Management of digital evidence requires the same secure chain of custody as physical evidence, however the storage and preservation of digital evidence assets presents multiple unique challenges to evidence operations. Sustainable evidence operations must balance the scope and scale of digital evidence management and maintain technological currency to accommodate the changing needs of digital evidence. Almost all sustainable evidence operations leverage available technologies to increase operational efficiency and effectiveness. Implementation and adoption of the Technology and Digital Evidence standards and practices recommended by the Evidence Management Institute promotes a stable organizational baseline for sustainable evidence management.

 

Scope: Digital Evidence Standards and Best Practices

Evidence Management Technology Standards and Best Practices

Process Automation Standards and Best Practices

 

Definitions: Digital Evidence. A broad term for any electronically generated or stored data, metadata, file, document, audio, video or image related to a criminal investigation. The key common feature of digital evidence is data. Digital evidence may be contained or stored in a wide variety of formats from a wide variety of sources and may include devices or hardware containing data.

Asset. Interchangeable term associated with a specific item of digital evidence.

Server Storage. Secure data storage housed on a remote network computer.

Local Machine Storage. Data stored on an internal or external hard drive on a single computer.

Digital Storage Media. Refers to the specific digital recording surface used to store digital information, records or files. Common storage media types include: DVD, CD, flash-drive or hard-drive technology.

Legacy Storage Media. Refers to digital storage media types no longer in common commercial use. Examples include: floppy disk, VHS, tape or data cassette technology.

Evidence Technology. A broad term for devices or applications used for the forensic acquisition, processing or analysis of digital evidence assets or items.

Evidence Management Technology. A specific term for devices or applications used for the automation of evidence management processes.

Chapter IV. Digital Evidence and Technology

  1. Digital Evidence Standards
    1. Digital Evidence Standards
      1. Management of digital evidence assets or items is subject to the same secure chain of custody requirements and considerations as physical evidence.
    2. Digital Evidence Preservation
      1. Digital evidence assets or items should be stored in a manner that preserves the integrity of the original data and provides future access to the stored data for the duration of custody.
    3. Digital Evidence Authenticity
      1. Digital evidence assets or items should be stored and preserved with measures to guarantee or authenticate the item as a true or original copy.
    4. Digital Evidence Security
      1. Access to digital evidence assets or items should be limited to authorized users.
      2. Authorized access of digital evidence assets or items should be tracked to ensure the integrity of the chain of custody for the item.
      3. Digital evidence security measures should prevent unauthorized duplication, deletion, alteration or export of original digital evidence assets or items.
  1. Digital Evidence Best Practices
    1. Digital Evidence Sources
      1. Technology often evolves more rapidly than policy, procedures or practices can maintain pace. That being said, evidence management operations should be prepared to manage preservation and storage for current, legacy and emerging digital evidence sources, depending on digital evidence types in storage as evidence.
      2. Current technology evidence sources may include:
        1. Optical media such as CD, DVD, or Blu Ray disc
        2. Flash drive storage
        3. Card storage such as SD, XD
    2. Digital Evidence Preservation Practices
      1. Due to the wide variety of digital media types, it is advisable to consult the media manufacturer for guidance on optimal or suitable storage preservation conditions. As a general guideline most digital media types require the following conditions for extended preservation:
        1. Protection from heat or extreme fluctuations of temperature
        2. Protection from high levels of humidity or extreme fluctuations in humidity levels
        3. Protection from exposure to direct sunlight
        4. Protection from exposure to dust or other environmental contamination
        5. Protection from static electrical charges
        6. Protection from media surface scratches, breakage or impact
        7. Protection from volatile chemicals, including some marking pen instruments.
        8. Protection from excessive handling or contact with media surfaces
        9. In addition magnetic digital storage media should be protected from magnetic fields
    3. Digital Evidence Storage and Scalability
      1. Physical types of digital evidence, including storage media and device hardware containing digital evidence, should be stored under conditions that best preserve the data stored on the evidence item. It is advisable to incorporate protective packing measures into the evidence submission process and document digital evidence packaging procedures acceptable for common types of submitted evidence. Measures may include, depending on evidence type:
        1. Protective sleeves for disc media
        2. Shielded packaging for electronic evidence devices
      2. Electronically stored digital evidence should be stored on secure, redundant network servers capable of limiting access to authorized users.
      3. Electronically stored digital evidence servers should provide real time backup protection of all stored data to prevent evidence loss from a single server failure.
      4. Agencies should possess storage capacity to preserve and store all digital evidence without data loss until digital evidence assets or items can be removed from storage for disposition after the required duration of evidence custody and approval for disposition is obtained for disposal.
      5. Scalable storage, or server storage plans capable of increasing storage capacity utilizing the same storage network, is highly recommended as an option for long-term storage capacity planning.
    4. Digital Evidence Access
      1. One key functional difference between digital and physical evidence management is access to evidence. Digital evidence management systems may provide real-time, secure authorized access to investigators without compromising the integrity of the evidence or creating chain of custody or authenticity issues related to the item. Access to digital evidence assets or items is often critical to effective investigation practices.
      2. Systems or processes providing access to digital evidence should be capable of:
        1. Limiting item or file viewing access to identified and authorized users
        2. Tracking file access
        3. Preventing the alteration of original data
        4. Limiting and tracking evidence item export copies to authorized users
        5. Providing detailed chain of custody information related to all access activity
    5. Digital Evidence Retention
      1. Similar to physical evidence, digital evidence should be retained for the required custody duration, through case adjudication and after expiration of all applicable agency and statutory requirements related to disposition eligibility and until disposition is approved and documented by an authorized source.
      2. Some digital evidence collection systems such as in-car video or body camera storage systems can be set to automatically remove data files and associated metadata. Digital evidence files associated with cases managed by the evidence management unit should not be set for automatic disposal. Automated disposal processes for digital evidence assets or items may result in irreversible loss of evidence on active or pending cases.
    6. Digital Evidence Technology Change
      1. Little can be predicted about the future impact or implications of digital evidence management except change and growth. Technology change and the resulting increase in data storage requirements will likely continue along an exponential trajectory. Evidence management unit personnel should develop a continual knowledge base and technical skills to plan and be ready for emerging technological developments with respect to evidence management.
  2. Process Automation Standards
    1. Process Automation Statement
      1. Sustainable evidence management practices require accuracy, precision and detail, and completion of multiple time-consuming processes to ensure the integrity of evidence for the duration of custody. Evidence management operations are rarely staffed at levels that regularly allow manual completion of all required processes. Leveraging technology and automation resources, designed to meet the workflow and process needs within evidence management operations, increases the efficiency and effectiveness of the evidence management unit.
  1. Process Automation Best Practices
    1. Process Automation Features
      1. Multiple critical processes related to sustainable evidence management operations can be performed regularly and efficiently with appropriate automation. Few agencies have available budget resources to add staff as evidence workloads increase; fewer still have available resources to expand facilities to accommodate increased storage needs. This section details a variety of available options to consider to increase the efficiency and effectiveness of evidence operations without increasing staff levels or storage space. Effective automation systems provide:
        1. Secure Chain of Custody. Effective automation systems provide accurate real-time chain of custody documentation as evidence moves from submission through disposition. Person, location change, supporting documentation, and time and date information are consolidated into the history of each item.
        2. Paperless System Operations. Effective automation systems eliminate paper files and reliance on paper document attachments. Systems reliant on paper files are difficult to manage efficiently and present a continual risk of file loss, mislocation, and separation of critical documentation and legibility issues which may result in less reliable chain of custody data.
        3. Comprehensive Database. Effective automation systems consolidate all data and information about all cases and evidence stored in the evidence management operation. Reliance on a combination of old paper files and new electronic records, or reliance on multiple information systems and databases should be avoided. A comprehensive, or consolidated, database should be a top priority when implementing new management systems. Older evidence items are much more likely to be eligible for disposition. Failure to consolidate old data or files into an automated system only yields efficiency increases for management of new items. The resulting increase in efficiency will likely not achieve significant impacts on disposition levels.
        4. Data Entry. Effective automation systems resolve multiple process efficiencies, increase accuracy and legibility through:
          1. Elimination of Redundant Data Entry. Many paper systems require redundant form and label data entry by evidence submitting and evidence management personnel. Automated systems collect required information without duplicate information entry. Redundant manual data entry yields increased error opportunity and legibility issues.
          2. Submitting Officer Direct Entry. Effective automation systems require the submitting officer to enter initial evidence data and item information directly into the system.
          3. Controlled Field Data Entry. Effective automation systems increase information accuracy and consistency by breaking item descriptions into controlled fields
        5. Barcode Scanning. Effective automation systems generate unique item identification control numbers and provide barcode scanning functionality for efficient and accurate item identification, location, personnel identification and status changes throughout the evidence management process.
        6. Automated Labeling. Effective automation systems generate package labels with all agency defined critical item information and a unique barcode identifier.
        7. Report and Form Generation. Effective automation systems quickly generate system forms and reports, or provide real-time status data and form functionality for a variety of processes, including, but not limited to:
          1. Total current inventory data
          2. Total current currency, firearms and narcotics item inventory
          3. Item lists and status reports for items transferred to forensic labs, courts or investigators
          4. Disposition approval requests
          5. Item custody transfer documents
          6. Location reports
        8. Task Notifications. Effective automation systems automate, document and track completion of evidence management unit task correction requests assigned to agency personnel.
        9. Disposition Request and Approval Notifications. Effective automation systems automate, document and track completion of evidence management unit disposition requests assigned to agency personnel.
        10. Evidence Movement and Release. Effective automation systems are capable of generating electronic release, custody transfer and forensic lab submission forms, electronically capturing signatures and attaching identification or supporting documentation as linked file attachments without storing additional paper documents.
        11. RMS Integration. Effective automation systems should be capable of integrating with RMS (records management systems) to prevent redundant entry of case information. Some RMS provide limited evidence accountability functionality, however most current RMS applications do not possess sufficient process automation functionality or secure chain of custody accountability to significantly increase evidence management efficiency.
        12. Digital Evidence Management. Effective automation systems integrate digital evidence storage and management into evidence management software systems. A single repository that meets the requirements for digital evidence preservation, access and storage combined with physical evidence management is a highly recommended solution.
        13. Inventory Automation. Effective automation systems provide inventory functionality capable of providing:
          1. A full known inventory list of evidence items in inventory by location with all required item identification information.
          2. The ability to scan evidence barcode labels by location to verify evidence custody.
          3. The ability to generate a report detailing verification of items located, items located in the location but listed in another location and items listed but missing from the location being inventoried.
          4. The ability to reconcile missing and mislocated items from the inventory.
          5. The ability to generate a final report of UTL (Unable to Locate) items unable to be located or reconciled upon completion of the full inventory.
          6. The ability to generate and permanently store inventory reports in the system.
          7. The ability to set time intervals and reminders for annual inventory processes.
        14. Detailed Statistical Analysis. Effective automation systems should provide detailed system status analysis and facilitate the reporting of workload process levels, backlogs and inventory levels
  2. Evidence Management Technology Standards
    1. Evidence Management Technology Statement
      1. Automated evidence management processes require a balanced combination of technology solutions and established policies and procedures to meet the needs of evidence management operations. Evidence management operations should incorporate and utilize appropriate technology into workflow processes to increase efficiency and effectiveness.
    2. Evidence Technology and Evidence Management Technology Distinction
      1. Generally, evidence technology is developed by industry and adopted and utilized by forensic investigative personnel. Investigative applications of evidence technology fall outside the traditional scope of evidence management operations.
      2. Evidence management technology refers specifically to devices or applications used in evidence management processes.
  1. Evidence Management Technology Best Practices
    1. Evidence Management Technology Hardware
      1. Computers and Electronic Devices
        1. Microprocessor power, speed and wireless communications technology have evolved to the point that desktop computers are no longer essential equipment to run intensive data applications.  Agencies should consider laptop, tablet, or other small form factor mobile devices for primary use in evidence management operations. Mobile devices provide access to information and real time management of evidence processes at any location or area within facility, and provide electronic transfer documentation functionality that decreases the need for additional paper form generation, completion, attachment or storage.   
      2. Barcodes
        1. Evidence management operations should select a barcoding symbology type that provides long term barcode legibility, accurate reading and recording with scanners and devices used by the unit, and capable of containing all data strings required by the evidence management unit.
        2. Barcode numbers or unique identifiers for evidence items should be generated by a system that ensures the individuality and uniqueness of the number generated and prevents unintentional duplication or assignment to any other item.
        3. Barcode numbers or unique identifiers should conform to a set and consistent pattern to enable easier verification of incorrect scan translations or incorrect recording by barcode reader software.
        4. Barcode labels should print the scannable barcode and an alpha-numeric translation of the barcode on each label or other printed instance of the barcode. Barcodes may become obliterated, scratched or otherwise unreadable by a barcode scanner. Barcode scanners may fail during operation. Alpha-numeric translations of barcode data are a critical feature for verification, accuracy and identification.
      3. Barcode Scanners
        1. Barcode scanners should be capable of fast, accurate reading, recording and translation of the barcode specific symbology type used by the evidence management system.
        2. Wireless barcode scanners are highly recommended and preferred over tethered scanners.
        3. Barcode scanners should be equipped with an audible or visible confirmation of successful scan capture.
      4. Signature Capture Capability
        1. Evidence management system hardware should possess the capability to capture release or authorization signatures electronically.
        2. A direct touch-screen signature capture feature are common on most mobile devices and is the preferred method for electronic signature capture over a tethered signature pad for mobile devices.
      5. Labels and Label Printers
        1. Label printers used for evidence item labels should be accessible to personnel responsible for packaging and labeling evidence.
        2. Label printers should be directly network accessible from any device used for evidence management.
        3. Label printers should be capable of creating legible, permanent labels that meet standards for packaging and labeling requirements.
        4. Label Printer Technology Considerations
          1. Thermal transfer printers are preferred over direct thermal label printers for permanent, durable printing.
          2. Full resin transfer ribbons are the preferred ribbon type over wax ribbons to ensure permanent legibility of the label.
          3. For most evidence label applications, permanent adhesive labels printed on a polypropylene substrate are preferred over less durable label combinations.
      6. Wireless Technology
        1. Generally, wireless technology hardware should be integrated into the evidence management system. Tethered devices limit device range, may prove awkward or prevent access to information and generally decrease the efficiency and effectiveness of automated processes.
    2. Evidence Management Technology Software
      1. As described primarily under Process Automation, evidence management software technology should facilitate the automation of evidence management processes.
      2. Evidence management technology software should provide controlled, authorized user access.
      3. Evidence management technology software user rights should be assigned and controlled by an evidence management unit system administrator.
  2. Reserved
    1. Reserved for future versions
      1. Reserved
  1. Reserved
    1. Reserved for future versions
      1. Reserved

 

External References:

Placeholder


Upcoming Training Classes

5/06 - 5/07

Pittsburgh, PA

Register

6/02 - 6/03

Berkeley, WV

Register

6/09 - 6/10

Maple Grove, MN

Register
View full training calendar

Join the EMI Mailing List

Sign up to receive updates from Evidence Management Institute.

Sign up now!