What is the best way to store digital evidence?

With the increase in digital crimes and investigations, properly securing digital evidence has become crucial. Law enforcement agencies, corporations, and individuals all have a need to store digital evidence securely and reliably. But with many options available, what is truly the best practice for storing digital data for legal purposes? Let’s break down the key factors to consider.

Table of Contents

Conclusion

In summary, when storing digital evidence, utilizing onsite servers with redundant backups, strong encryption, strict access controls, and documented procedures is the most secure and stable method. Cloud services may provide convenience and collaboration capabilities, but come with legal concerns over chain of custody and jurisdiction. Tamper-evident storage media allows for physical transportation while protecting data integrity. And meticulous documentation and access logging is vital for maintaining evidentiary value and legal admissibility. With proper precautions, digital evidence can be reliably preserved in its original state.

What are the options for storing digital evidence?

There are several main ways to store digital evidence, each with their own advantages and disadvantages:

Onsite servers – Using locally hosted servers and storage devices to retain copies of digital evidence.
Cloud storage – Storing data on remote cloud servers operated by third-party providers.
Tamper-evident bags/boxes – Special containers that detect unauthorized access attempts.

External media – Devices like DVDs, USB drives or external hard drives.
Printouts – Analog paper printouts of digital data.

Additionally, certain features and protocols play a role in managing digital evidence storage:

Encryption – Encoding data to prevent unauthorized access.
Access controls – Limiting and logging who can access stored data.
Backups – Maintaining redundant copies of data.

Documentation – Detailing all access and procedures.

What are the requirements for evidence admission in court?

For digital evidence to be admissible in court, certain standards must be met:

Authenticity – Proving the evidence is genuine and unaltered.

Reliability – Demonstrating the accuracy and credibility of the digital information.
Relevance – Showing the evidence has bearing on the case.
Legality – The evidence was obtained legally under court procedures.

Additionally, chain of custody is crucial – documenting everyone who accessed, handled or altered the data. Thorough logs must account for all evidence activity.

How does onsite storage compare to cloud storage?

Here is a comparison between onsite servers and cloud storage for digital evidence:

Criteria	Onsite Servers	Cloud Storage
Security	Full physical control, restricts access	Relies on provider security, vulnerable to attacks
Reliability	Dedicated servers, controlled backups	Dependent on provider uptime and redundancy
Chain of custody	Clear, documented procedures	Can lack physical control and transparency
Admissibility	Unlikely to be challenged	Potential disputes over access and procedures
Cost	Large upfront investment	Lower startup costs but ongoing fees

In summary, onsite servers provide the greatest security, reliability and chain of custody control. But they require large infrastructure investments. Cloud services reduce hardware costs but cede control to third-party providers, creating chain of custody and security risks.

What are tamper-evident storage procedures?

Tamper-evident bags and containers allow for physical transportation and storage of devices while detecting unauthorized access attempts. Key aspects include:

One-time seals – Unique serialized seals that break if the bag or box is opened.
Access logging – Logs all date/time of sealing, unsealing and packing.

Tamper-evident materials – Bags and boxes made of materials that show signs of manipulation.
Chain of custody – Documenting everyone involved in transportation and storage.

When sealed evidence requires transportation, tamper-evident solutions verify no tampering occurred in transit or storage. The log provides an evidentiary record showing if and when the container was accessed.

How does encryption protect digital evidence?

Encrypting data is vital for securing evidence in storage and preventing unauthorized access. Encryption converts data into coded form that can only be accessed with a decryption key. Best practices for encrypting evidence include:

Strong algorithm – Use a certified algorithm like AES-256 vs. outdated ones like DES.
Proper key management – Store keys securely, restrict access, change periodically.

Full disk encryption – Encrypt entire drives vs. just individual files.
Remote wiping – Enable wiping after too many failed password attempts.
Document procedures – Record all encryption details for evidentiary purposes.

With proper encryption, even physical possession of drives does not allow unauthorized access. Only those with the decryption key can access and read the data. However, the key itself must be rigorously protected.

Why are access controls important for digital evidence?

Access controls for digital evidence storage should aim to:

Restrict access only to authorized personnel.

Log all access attempts and actions.
Quickly revoke access when no longer necessary.
Require strong passwords and multifactor authentication.

Securely transmit credentials and not store them locally.

Stringent access controls preserve chain of custody and prevent tampering. Audit logs provide documentation of all access, supporting authenticity and evidentiary value. Access should be limited to as few trusted parties as possible.

How many copies of evidence should be retained?

To prevent data loss, at least three synchronized copies of digital evidence is recommended, stored in separate physical locations. One copy serves as the working master copy. The other redundant copies safeguard against hardware failure, accidental erasure, disasters, or other risks that could destroy the data.

Regularly verifying the redundant copies match the master preserves the integrity and evidentiary value of the digital evidence. For extremely sensitive evidence, keeping an additional air-gapped cold storage copy offline is advisable.

What procedures should police follow when seizing digital evidence?

Best practices for law enforcement seizing digital evidence include:

Photograph scene – Capture devices and connections prior to collection.

Disable wireless – Prevent remote access or alteration.
Use write blockers – Prevent modifying data when connecting drives.
Create bitstream copies – Make forensic image copies of all data.

Verify integrity – Use checksums to validate copy authenticity.
Complete documentation – Detail all steps and findings.

Following evidentiary procedures proves the authenticity of copied data and establishes its admissibility in court. All activity must be thoroughly documented to attest to responsible evidence handling.

What mistakes should be avoided when storing digital evidence?

Some key mistakes to avoid when managing evidence storage include:

Poor access controls – Allowing unauthorized access jeopardizes chain of custody.
No encryption – Unencrypted data can be easily read if drives are lost or stolen.

Lacking backups – Without redundancy, hardware failures can permanently destroy data.
Cloud as sole copy – Cloud storage alone is risky without local redundant copies.
Inadequate documentation – Poor logs fail to prove authenticity and security.

Lax protections, transparency, and contingency planning can severely compromise evidence. Rigorous controls and documentation are essential to maintaining evidentiary integrity and admissibility.

How can evidence authenticity be proved in court?

To prove evidence authenticity in court cases involving digital evidence, investigators and prosecutors should provide:

Chain of custody logs – Records accounting for all access and transfers.

Integrity verification – Checksums confirming unchanged data.
Source testimony – Statements validating evidence origins.
Forensic methodology – Documentation of sound forensic acquisition methods.

Expert witness – Third-party digital forensics expert testimony.

With clear documentation, technical verification, expert testimony, and reliable witnesses, the authenticity and integrity of digital evidence can withstand judicial scrutiny.

What qualifications should evidence custodians have?

Ideal qualifications for evidence custodians include:

Law enforcement or legal experience – Understanding of evidence handling processes and requirements.
Technical expertise – Skills in data security, backup and recovery.
Attention to detail – Thorough and meticulous with detailed documentation skills.

Trustworthiness – Clean background and reputation, emotionally stable.
Communication ability – Able to clearly explain processes and procedures.

Evidence custodians must have the technical competence to secure and manage data storage appropriately. They must also demonstrate credibility and responsibility in handling sensitive materials.

How long should digital evidence be retained?

Recommended retention periods for digital evidence depend on the case type and jurisdiction. General guidelines include:

Non-capital crimes – Retain for statute of limitations of the crime.
Capital crimes – Retain indefinitely due to no statute of limitations.

Civil litigation – Retain for duration of case and any appeals process.

In child exploitation cases, some jurisdictions require retaining evidence involving minors until the subject reaches age 25-30. Chain of custody should be maintained throughout the designated retention period.

Can evidence be stored in a public cloud service?

Storing primary evidence solely in public cloud services is not recommended, due to:

No physical control – Unable to secure servers or prevent tampering.
Multi-tenancy risks – Potential security flaws and exposures from shared infrastructure.
Dependence on provider – Cannot ensure long-term viability or access.

Jurisdiction issues – Data could be subject to foreign privacy laws.

However, large providers may be acceptable for some redundant copies, provided encryption is used and extensive documentation validates chain of custody.

What cybersecurity measures safeguard evidence?

Recommended cybersecurity best practices for evidence storage include:

Network segmentation – Isolate evidence servers from wider network.
Access restrictions – Allow only authorized devices and users.
Firewall deployment – Filter traffic and monitor for anomalies.

Vulnerability scanning – Routinely check and patch servers.
Intrusion detection – Monitor systems for malicious activity.
Power protection – Prevent electrical spikes or surges.

Hardening and protecting systems preserves evidence from compromise. Following a layered “defense in depth” strategy maximizes information security.

Should evidence be stored in original format?

To prove authenticity, evidence should be preserved unchanged in original formats, including:

Hard drives and devices – Full forensic disk images, not just files.

Database contents – Complete database dumps preserving all metadata.
Emails – PST/OST files or server backups vs. printing messages.
Logs – Complete event and access logs vs. filtered extracts.

Images/video – Uncompressed RAW and original codecs.

Altering formats destroys metadata and risks manipulation accusations. Exceptions may occur where encryption warrants converted copies for accessibility.

How should evidence databases be designed?

Evidence management databases should have features including:

Audit logs – Record all access and actions within the system.
Chain of custody – Track transfer and custody details for each piece.
Reporting – Generate reports on all evidence activity.

Access controls – Restrict access and require strong credentials.
Retention settings – Enforce time-based retention policies.
Destruction tracking – Document proper evidence destruction.

Robust databases are crucial for maintaining evidentiary value and admissibility by documenting proper handling according to established policies.

What disaster recovery plans are needed?

Thorough disaster recovery plans are essential to avoid evidence destruction. Elements include:

Offsite backups – Store copies remotely to survive site damage.

Fire protection – Use fire-resistant materials, smoke detectors, extinguishers.
Flood prevention – Locate facilities outside flood zones when possible.
Power redundancy – Backup generators and uninterruptible power supplies.

Geographic diversity – Distribute storage across multiple regions.
Incident response – Establish emergency procedures for various scenarios.

Robust contingency planning provides multiple layers of protection against catastrophic data loss due to natural disasters, technical failures or other events.