Evidence Management: It’s time to get on the audit trail

What is the purpose of surveillance? It’s an interesting question and difficult to answer. Objectives change from solution to solution, sector to sector, making purpose hard to pin down one specific thing. However, all applications will likely have one common goal – evidence capture.

From using video footage to identify a perpetrator to using action logs to prove safety protocols are adhered to, surveillance is inextricably linked to the concept of evidence. But while the quality of evidence captured is important, the way evidence is handled can often be the determining factor in criminal, civil and internal investigations. David Aindow discusses some of the crucial aspects of effective Digital Evidence Management.

What exactly is meant by the term Digital Evidence Management?

At one point, it would have been more common to hear the term ‘Video Evidence Management’ referring to the processes for recording, storing and handling CCTV footage that may be required for organisational, legal or criminal investigations. The term has evolved into Digital Evidence Management (DEM) partly due to the digital transition surveillance has undergone, but more recently to reflect the fact that video is increasingly a single evidence strand among many in a security system. The nature of advanced integrated surveillance solutions means evidence – whether video, audio, operator notes, metadata or text documents – can come from various digital data sources and be used to create a comprehensive evidence case file.

What is the most important aspect of DEM system?

Data integrity is essential – as are clear and demonstrable audit trails. Evidence has to be produced and handled in the right way. If it isn’t, the evidence won’t stand up against legal interrogation and, as a worst-case scenario, could be ruled entirely inadmissible.

When was the information captured, and why? Who recorded it? Who has accessed it since, and what did they do with it? How can we tell if the evidence is original and hasn’t been tampered with? These are the questions that a DEM system – and the way it is used – has to satisfy. Any anomalies in procedural activity can be devastating to a case. If a single action, time log, personnel detail, etc., is incorrect or inconsistent; the integrity of the evidence could be cast into doubt.

The stringent nature of these audit trail requirements, coupled with the growing complexity and volume of data captured as evidence for investigation and prosecution purposes, means that many organisations are using automated capabilities – often fulfilled by an incident management functionality – within their surveillance command and control platform.

How does it work exactly?

The easiest way to explain it is to talk through a possible scenario. Imagine, for instance, an operator based in a local authority control room. They notice a cyclist behaving oddly, weaving on and off pavements and randomly changing directions on a busy main street – a street known for petty theft. The behaviour is suspicious enough for them to trigger an incident using the surveillance command and control solution.

From that point onwards, all video footage, connected data, and actions taken, e.g. any manual control of cameras or event escalation and notifications, are securely logged in a repository to establish a detailed audit trail. The data is then copied, encrypted and transferred to a secure location – often referred to as a secure evidence server or incident locker. Once in this location, the file can be accessed, viewed and copied by authorised personnel that meet specific security clearance criteria (the system automatically logs any such activity). It can also be supplemented, for example, with corroborating evidence gathered, police reference number details, or similar information. But the files themselves cannot be changed.

How is the information encrypted, and how can you prove files haven’t been altered?

A bit-for-bit identical copy is made and digitally watermarked – technically, there is no distinction between this, at least from an evidentiary perspective, and the original file. The watermarking is created using a Secure Hash Algorithm (SHA) to generate a bit value based on the exact nature of the data captured (with the advent of SHA-2, this is typically up to 256 bits), which is then rendered as a unique number bespoke to the file in question. To date, no incidents of this particular hashing algorithm have been successfully compromised.

As mentioned earlier, evidence cannot be changed. There is a range of security protocols in place to prevent this – from password protection to physical access measures – but the watermarking mechanism proves data integrity. Because the watermark number used directly relates to the content, any successful attempt to adjust the files in any way would result in a different numerical value that would not match the original file. If any such deviation did occur, the system would automatically detect it and flag the anomaly immediately.

“It doesn’t matter where the person who needs to access the information is based. Typically, the evidence and only the evidence is stored on the cloud with what we call secure token access.”

Does the secure storage location have to be on-site?

No, it doesn’t. Organisations have two main choices; a secure networked location, typically on the premises, or a secure cloud location offsite. Deciding which option to take will be dictated by the sensitivity of the information held, the nature of the organisation or application in question and who the information might need to be shared with.

A common myth is the assumption that the greater the sensitivity, the better it is to have a secure networked location on site. But actually, this isn’t necessarily the case. If the evidence is networked on the premises, then distribution and accessibility become more difficult because the people you want to be able to access that information also need to have access to the network. If evidence is being stored for internal purposes, e.g. HR matters or procedural reviews, this isn’t necessarily an issue or concern, but if the objective is to be able to share evidence with external parties, e.g. law enforcement or insurance firms, then this requires more thorough consideration.

Conversely, with a secure cloud location, it doesn’t matter where the person who needs to access the information is based. Typically, the evidence and only the evidence is stored on the cloud with what we call secure token access. This might take the form of a link to the data, which is both password-protected and time-limited; for example, it will expire in x hours.

With both location options, permission levels can be set to control how the evidence is used, e.g. purely available to view, view and add data, or available to copy. It is also important to note with either option, the data owner will always retain the original information on its system.

What is the best practice for sharing evidence with external bodies such as the police?

Once the evidence file has been created and is stored in a secure location, the process becomes one of evidence handling – a process carried out in one of two ways; physically, e.g. burning CDs/DVDs/USBs, or using an IT-centric route to request and transfer data which I’ll come onto in a moment.

If physical media is used, it should always be password protected. In the UK, there are also specific Home Office guidelines for collecting and transporting physical media, for example, regarding adequate packaging and labelling.

A physical scenario might be that a British Transport police officer has reviewed evidence held by a rail operator and has requested data for a specific date and time to pursue action against an assault which took place at a station. An evidence pack is created, which contains the relevant information, including details regarding the request, i.e. the police officer's details, the time of the request, and the reason for the evidence pack. As discussed earlier, from this point on, this requested data also becomes part of the evidence held for audit trail purposes.

When an IT-centric approach is taken, which is an increasingly common scenario, the individual requesting evidence will complete a digital document which is submitted to the data owner who decides whether the request is legitimate. If it is confirmed, they are assigned secure token access to a location containing only that particular data. When the evidence is accessed, they are not automatically able to make a copy and may need to submit an additional digital request to the data owner, resulting in a new secure access token. That is the fundamental process behind remote evidence access systems.

Are there specific requirements around image quality regarding evidence admissibility?

Actually – and many people find this surprising – there aren’t any hard and fast rules regarding image quality. Rather than focus on aspects such as resolution, the emphasis is on footage being ‘relevant to the requirement.’ This is certainly in line with CAST (Centre for Applied Science & Technology, now Defence Science and Technology Laboratory) guidelines about perceived quality. Naturally, the better the image, the stronger the evidence set may be, but focussing on the technicalities of evidence admissibility – the way evidence is captured, stored and handled, i.e. the audit trail – is far more important. A case can be thrown out on a technicality based on suspect audit trail information, but it won’t be dismissed because the surveillance footage referenced isn’t to a specific standard.

Finally, are there any other measures not already highlighted that organisations can and should take to protect the evidence they hold and share?

With the right software solution, the burden of securing and managing evidence is removed from the data owner – the built-in security, action logging, and reporting functionality provide the required level of digital protection. But the important wording here is ‘digital protection.’ Organisations cannot overestimate the importance of physical security when it comes to evidence. For example, the secure storage location should always be access controlled and have appropriate physical security measures in place as part of that access process (barriers, biometrics, CCTV).

It is also hugely important to carry out employee background checks and make sure that IT policies and information management systems are both up-to-date and comply with requisite standards (for example adhering to ISO 27001) regarding legal, physical and technical controls for identifying and managing risk. One obvious but often overlooked measure is ensuring access clearance reflects employee movement, such as transfers to different divisions or departures from the organisation completely.

With these measures in place, and an integrated command and control solution ensuring evidential data is gathered and processed in the right way, organisations can be confident that the information captured is protected and fit for purpose.