Senior leaders across the CJS have described a ‘tsunami of digital evidence’ with police, prosecution and defence all struggling to deal with its implications, and the Forensic Science Regulator becoming increasingly challenging as to the pace and commitment of all in the sector to adopt standards that she mandated should have been in place last October. Most recently these issues were the subject of a hard hitting Panorama programme which looked at the human cost of evidence not being gathered or disclosed to all parties ( Panorama, ‘Getting a fair trial?’, 30 April 2018 ). This article looks at the issues around:
- how digital evidence is obtained and presented;
- how disclosure obligations can be addressed; and
- why standards are critical.
Extracting the data
Given the volumes of digital exhibits that are being seized daily, it is clearly impractical to assume that all devices are going to be fully examined.
Regardless of where the examination is taking place and whether the examination of digital media is being performed by a frontline investigator at a crime scene, a Digital Media Investigator, trained examiner in a High-Tech Crime Unit, or an analyst in a Digital Forensics lab, the same principle applies: it is a risk management exercise.
Broadly speaking there is a trade-off between how much data can be obtained, how long it takes and how intrusive the examination. Given the volumes of digital exhibits that are being seized daily, it is clearly impractical to assume that all devices are going to be fully examined.
Equally, however, it is clear from the cases that have made headlines that fundamental information has been missed from the examination and/or not disclosed to the defence. The technical limitations and overall ‘reach’ of the examination should be fully understood and reported accurately by the practitioner. It is imperative that the Criminal Justice System is fully sighted on what has and has not been examined to ensure a fair and balanced investigation.
In some circumstances, where there is strong corroborating evidence, it is clear that a self-service kiosk will provide a product that may not be comprehensive but will be justified in the circumstances. Equally in other cases where digital evidence is the evidence in chief, it is clear that the product of such a method cannot be a substitute for a full forensic examination. For example there may be entire messaging applications which are not supported by the forensic tool but can be extracted in their raw format and can be provided with a little digital investigation work.
Given the lack of training and awareness historically available to investigators around digital evidence it is unsurprising that this is an area of weakness in many forces.
It is the investigator’s duty to identify the relevant lines of enquiry, based on the circumstances of the case, that will inform the examination strategy. As the College of Policing Authorised Professional Practice makes clear the investigator’s understanding of what they are trying to achieve is critical to assessing the risk and a proportionate approach: ‘the successful management of an investigation requires planning, organisation, control and motivation’. Given the lack of training and awareness historically available to investigators around digital evidence it is unsurprising that this is an area of weakness in many forces.
Analysing the volumes of data
Volumes of data have already been alluded to. A typical smartphone might hold between 32-64 GB of data. Format of user data will vary (text, images, video, etc.) but it equates to dozens of filing cabinets worth of data, from one phone. When you consider that most people own and use multiple devices, and that increasingly data can also be stored remotely in the cloud, then the challenge of investigating digital evidence is considerable, and itself poses a further risk management exercise.
Tools to sift and manage massive volumes of data exist, and have been used for many years in civil litigation. A well-developed framework in the form of the Electronic Disclosure Reference Model outlines the stages involved throughout the E-disclosure procedure which closely mirrors the digital forensics process.
E-disclosure tools are already in use in a range of law enforcement and regulatory agencies in the UK. The implementation of such tools allow for the combined review of information from a variety of data sources, rather than devices being analysed and reviewed in isolation. Their application varies from providing a simple review client for a non-technical investigator through to the entire lifecycle of complex cases with multiple teams working in a coordinated manner on an investigation.
There is growing interest in expanding the application and functionality of such tools, but it is fair to say that their use to date has largely been confined to specialist investigations.
There is growing interest in expanding the application and functionality of such tools, but it is fair to say that their use to date has largely been confined to specialist investigations such as large scale fraud or complex major crime cases rather than mainstream investigations. Applying the same principles to a wider variety of digital evidence types offers considerable potential benefits:
- the ability to search large and diverse datasets quickly and prioritise looking for the most relevant evidence first
- the ability to audit these searches to demonstrate proportionality with regards to disclosure
- using data analytical features to identify relevant information and streamline review
- organise a substantial amount of data into manageable chunks
- group relevant items automatically and by data type
- avoid duplication of work
- the ability for multiple users to search simultaneously so delegating effectively to others
- ensure disclosure obligations are met
Due to significant amounts of data and from a wide variety of sources, implementing and using E-disclosure and data analytics tools effectively does require specialist knowledge of data types and network infrastructure as well as expertise in maximising the benefits of the tools in a criminal justice context.
The guiding principle of the CPIA on disclosure is that ‘Full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence.’
The Attorney General’s Office has issued guidance on the principles of disclosure with a section dedicated to digital material. The objective of the guidance on digital material is: “to set out how material satisfying the tests for disclosure can best be identified and disclosed to the defence without imposing unrealistic or disproportionate demands on the investigator and prosecutor”.
The Home Office has highlighted how the guidance outlines an approach which is in keeping with eDisclosure. Tools can be of assistance in both the proportionate searching and the documentation aspects. A disclosure or case officer could be given access to the tool in the same way as an investigator and could see the log files concerning material ingested, searches conducted and comments from reviewers, all of which would be of assistance in fulfilling their responsibilities.
The importance of standards
Police forces should prioritise accreditation, both within their own labs and with their chosen outsourcing partners to ensure a consistent standard across all investigations.
The Criminal Procedure rules were updated in October 2017 at the request of the Forensic Science Regulator to ensure that courts have a duty to ensure that digital evidence admitted into criminal proceedings has been obtained and analysed in accordance with the standards she has mandated.
The Regulator’s annual report contained her most strongly worded statement to date over the importance of clear standards being implemented across everyone involved in the collection, analysis and presentation of forensic evidence. She has highlighted the progress made by a number of police forces to attain the standards, but has warned about the urgency of this extending to any organisations that provides digital evidence services to be used in criminal proceedings. She has warned that failure to make progress on this, and to enforce standards on those who have continued to drag their heels, carries real risks as to the integrity of evidence.
The Regulator has highlighted the risks that have arisen from a decision to prioritise taking cost out of the system above ensuring the integrity of evidence. Police forces should prioritise accreditation, both within their own labs and with their chosen outsourcing partners to ensure a consistent standard across all investigations. The Forensic Science Regulator has pressed for statutory powers that enable her to act to ensure that standards are complied with. Although the Government has indicated support for this to date, there is no timescale for the necessary legislation to be introduced.
Giles Herdale is the Director of Herdale Digital Consulting. He has been involved in digital investigation for many years, working in policing at the NPIA, College of Policing and NPCC, where he set up and ran the DII programme. He co-chairs the Independent Digital Ethics Panel for Policing.