OpenText’s Chuck Dodson on Digital Evidence Management and Information Sharing

Christa Miller: “Digital evidence is piling up quickly for law enforcement across the globe. In today’s challenging world of evidence management, investigators and detectives often have to access multiple systems to collect evidence and search for clues. That means spending a lot of time looking for and trying to access and share needed evidence across disconnected systems. According to one estimate, many police organizations must log into six or more systems to obtain the evidence they need for a case. And evidence can be difficult to share with the public, other law enforcement agencies and prosecutors.”

Those words come from Part 2 in a series of blog posts authored by Chuck Dodson, senior director of market development at OpenText, the information company. Chuck joins us today on the Forensic Focus podcast to talk about those blogs and more broadly, digital evidence management. With an extensive background in information technology and public safety, Chuck has spent his career focused on defining and delivering solutions that leverage cloud, analytic and security technologies, people, and process improvements. I’m your host, Christa Miller and welcome, Chuck.

Chuck Dodson: Hey there. Glad to be here.

Christa: Good to have you. So Chuck, you cited a couple of pretty staggering statistics in these blogs. 80% of all evidence collected in criminal cases is now digital, law enforcement access six-plus systems to interact with it all. Where do these estimates come from and how much variability is there for instance, within differently sized jurisdictions or dependent on regions in the world?

Chuck: They are staggering percentages, but I will caveat that the quantity and amount of digital evidence is really dependent upon the type of case. And so these numbers came from industry analysts’ discussions with IDC and our focus really on digital evidence management systems. And so, that’s where that number came from.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


However, it’s also very consistent with our law enforcement customers who have estimated as much as 90% or more of their investigations contain digital evidence. So it really is reflective of the proliferation of digital devices, right, from mobile phones, tablets, internet things kind of stuff; and our reliance upon applications on those devices to communicate and socialize, to be entertained, to do business, financial transactions.

There’s a lot of discussion around our office about how people don’t carry checkbooks anymore. They don’t know how to write checks and do everything on their mobile phones, all their transactions on their phone. So it’s a transition or a transformation, I guess, of society. And as society increasingly uses and adapts to mobile technology, that’s where the criminals go. So by default, that’s where the evidence is found, as well.

The second part of that is there’s shifts in policing trends. So those trends have impacted the digital evidence. So there’s a trend towards video enforcement of traffic laws and video monitoring for potential crimes in progress. And that has increased the quantity and quality of the video files and the types of evidence that law enforcement looks for.

Another major digital evidence generator is body-worn cameras or in-car videos, and then more recently the non-lethal weapons data streams. And those are used primarily to improve police accountability and to lower reports of misconduct. And so that trend, or that need has also proliferated a tremendous amount of video or media digital evidence. And then by default, the need to ingest, store and analyze those files is one of the main reasons for the overall development of the digital evidence systems.

To the point of accessing multiple systems, I’m probably telling you what you already know, but most law enforcement agencies use some type of records management technology to assist in the performance of duties and responsibilities. So the most basic are computer-aided dispatches for calls, for service records management, for recording incidents, witness statements, arrest reports, et cetera; and then a case management system for managing more complex criminal investigations.

In all three of those environments, there are additional systems that get accessed. So for example, criminal history records, mugshots, automated fingerprint identification systems, DMV records, Department of Correction criminal history and associations, sex offender registration, firearms registration, et cetera. And then for larger agencies, typically there are also specialized investigative information systems for investigating gangs, auto theft, homicides, what have you.

And then last but not least, there’s a series of forensic types of lab information reporting or information management reporting systems that are being used and developed to identify evidentiary factors for an investigation. So, I said there were about six+, but there are actually quite a few.

Christa: Yeah, that sounds like more than a dozen.

Chuck: It’s very late laborious. It’s very cumbersome. You know, law enforcement systems in general are not typically integrated, nor can they be accessed through a single pane of glass, what we call a single pane of glass. Most of the reasons for that is they were either developed in-house, or they were provided by different vendors who specialize in specific types of information systems. And so, searching those systems is time-consuming and laborious, or a separate special project to integrate or do a federated query across multiple systems is usually required.

Christa: And just for clarity, are we talking about primarily law enforcement agencies in North America, or are you seeing the same trends across the world?

Chuck: We are seeing the same trends or similar trends across the world. It’s more consistent or prolific in what we classify as “English law” countries. That isn’t a prerequisite, but those agencies tend to have the same type of technological systems and integration, they still have the same type of evidentiary requirements in all of their different geographies. But yeah, it’s pretty consistent across the globe.

Christa: Okay. Another point that you raised in your blog was, you described how police today aren’t just street officers, but also data analysts, going back to all of those systems that you’re talking about. It sounds a little like it’s related to the “democratization of digital forensics”, where investigators and even patrol officers can take on some limited field triage or similar roles. Tell us more about what that means, especially in a digital forensics context. Who is performing which functions and how do personnel make decisions on whether to escalate for advanced analysis?

Chuck: I think it’s a result again of the advances in technology and a maturing of society in terms of the adoption and familiarity with technology in general. So think about years ago, a crime occurred, the patrol officer would secure the scene and await the arrival of the crime scene investigators. Like, we’ve all seen the TV shows. And they would wait for the crime scene investigators to process the scene. Today’s patrol officers not only collect evidence, they do crime scene diagramming, they do the photographing of evidence, et cetera.

So in a similar fashion, forensic investigation is maturing and those responsibilities are changing. So, typically the evidence associated with complex crimes are gonna require collection processing and expert testimony by technical specialists. I don’t really see that changing. However, as resources become more constrained and the technology ease of use improves, what we’re starting to see is a trend toward what we refer to as “field triage” by some of our law enforcement customers.

And what that means for example is, assuming that there’s an illegal search of an individual’s laptop for contraband items, and that could be a condition of probation as approached by a law enforcement officer on the street, it could be a warrant service, it could be any number, but the point is that it’s an illegal search of an individual’s electronic device or mobile device.

So, the law enforcement agency is looking for something specific. They’re looking for, in this case, we’ll just broadly say contraband. It could be any number of things, but contraband. So, it can be conducted on-site in seconds using different technology.

And so, in this example, an officer or an investigator on the street can approach a suspect to gain access to the device, we’ll use a laptop as an example, and plug in a USB stick. That stick will go and search the computer, looking for very specific keywords, key phrases, images, compare those images to known file sets, and will come back and tell you if there’s contraband on the laptop or not.

And that device will do that in real time and in 10, 15, 20 seconds, and provide the officer with a reasonable suspicion that contraband exists and that warrants further investigation or further analysis. And so, the ability to do that on-scene more rapidly, more quickly, that then allows for either the detention of the suspect or the confiscation of the device, depending on, kind of, the area that you’re in.

And so, at the end of the day there’s a reasonable suspicion that this contraband exists that can then be evidentially secured in a forensically-sound manner or evidentially-sound manner, and in compliance with rules of evidence, et cetera, et cetera. And that can be then tasked or asked for further technical analysis, which will then render the exact contraband in a format that can be provided to the prosecutor and ultimately to the court.

I will say, at the end of the day, contraband is just one part of the overall evidentiary chain. There’s still going to be a law enforcement officer or the investigator or the agent still has to make the determination whether it meets the threshold for enforcement action.

Christa: Of course. Yeah. So, in your blog series, in coming to the, what you call the “Big Mac” of digital evidence management systems, you described this really complex mix of multiple formats, analytics, chain of custody requirements, as you’ve been saying, et cetera. To log and analyze all this disparate data in the aggregate is a massive undertaking. Tell us more about the underlying technology being used to store, crunch, and manage the data. How does it guard against some of the risks you described such as overlooked evidence?

Chuck: So the digital forensic tools or the digital evidence tools continue to grow in both capability and ease of use. Typically, these tools focus on specific areas: mobile device collections and analysis, some do cloud environments really well, some are more desktop laptop or network device-centric. Although they’re more efficient and comprehensive, most of the tools can access, collect, store and analyze a combination of evidence or information from those devices or those areas.

So then the question becomes, so what do you do with them? Right? So the NIST standard, and I don’t have it memorized, but the NIST standard for the basic digital forensic process is typically a four-step process. And I’m going to kind of paraphrase because I don’t have it memorized.

So basically, the first step is identify, acquire and protect the data. And there are tools and devices that are designed specifically for that. Next, you have to be able to process and extract the data or the information that comes out of those forensic files so that you can then conduct a third step, which is the analyzing of those.

And again, you’re looking for very specific things. For a criminal investigation you’re looking for contraband, you’re looking for intent, you’re looking for evidence. And so, that then gets generated into some kind of report that is used to either, it’s probably the wrong word, but either to indicate that the individual involved has participated in commission the crime, or to exonerate this exculpatory evidence that you want to exonerate them, that they were not involved.

And so, in the past, all of these things were done by a technical specialist in a forensic lab with specialized equipment, and then the report was provided to the investigator. And again, as I mentioned before, as the amount of digital evidence increases, the availability of the trained specialists are in decline, backlogs and delays become problematic.

So, some of these less technical tasks are being performed in the field, as I mentioned, but ultimately it comes into a digital evidence center or a digital evidence management solution that leverages technology to overcome those obstacles. So it allows for the ingestion, the storage, the analysis, and the reporting collaboration of that digital evidence across the enterprise, for lack of a better term.

And so, my enterprise, we’re really typically talking about the public law enforcement agencies and interested third parties, like prosecutors and defense attorneys, for example.

So, to kind of answer your question about the technology. So I work for OpenText, they’re a world leader in enterprise information management and a lot of organic technologies. With the aggregation of those technologies and customer-driven innovation, we leverage those different technologies in an industry-specific solution that we call digital evidence center, okay?

And that’s the cheeseburger example. It’s not the bun, it’s not the meat, it’s not the tomato, the whole cheeseburger is what we’re really after. And so in our cheeseburger, what we focus on is the complete evidence life cycle management for rich media documents and forensic evidence. So most digital evidence management systems really are focused on video, or they’re focused on video and non-lethal weapon data.

And typically those are an extension of the main products that those companies sell. We don’t sell those types of products. We’re really agnostic. We don’t particularly have a vested interest. So we are more focused on the actual evidence life cycle, and being able to analyze different types of evidence. Three examples: the one you asked about was overlooked evidence, so the protecting of the digital evidence integrity, overlooked evidence and collaboration are kind of like three examples. I can give you more if you’d like.

So, the process to ensure that digital evidence integrity is as it is ingested is typically a five-step process, right? So what we do is we take the file; we ingest that file; we scan it for malware; we do a metadata validation, and that’s just bits of information that’s related to that particular file; we image the file; we do a bit-by-bit imaging on the file to establish a baseline of, you know, the “originality” of the file; and that doesn’t mean that it was collected properly or that it was collected in a sound manner.

What it means is that we know exactly what that file looked like when it came into our system, okay? Once that occurs, we do an encryption of that file, and then that file is put into a vault and an audit and retention trail is established. So the original file can’t be edited or modified. You can do a bunch of analysis and cloning and copying and whatnot, but the original file integrity is maintained.

Then we do the last piece, as I mentioned, the audit is an electronic trail of everything that happens to that file. So once it comes in it goes, “The file is here.” I looked at the file, it tells me who looked at it, when they looked at it, you know, what systems they were on. I copied it, it tells me I copied it, well, where’s that copy? What was it named? Et cetera. There’s a full audit capability. And then we have a configurable retention policy for the evidence so that it isn’t destroyed or removed inappropriately or that it isn’t maintained any longer than is absolutely necessary and legally required.

So to preclude, that was the first example of digital evidence integrity. The second example is the overlooked evidence. So to preclude overlooked evidence, what happens is the evidence is ingested. As I mentioned, it gets a unique identifier and it’s associated with an incident, a case, or a complaint. All evidence by the nature of evidence has to be associated with an incident, a case, or a complaint. And there’s an exception, and I’ll get to that in a minute.

So it comes into the system,  it’s given a unique identifier, it’s associated with one of those things: incident, case, or complaint. And then we have workflow tasks and notifications that say, “Have you looked at this?”, “Have you reviewed this?”, “Is it relevant?”, “Is there an exhibit associated with this?”, “Do you want somebody else to look at it?”. I have a document that I need to have validated by a document examiner. I can send that request over to them, they log in, they review the document, they do their work, they post the results in real time, and it’s now available for the investigator. The access is controlled by roles and privileges so that you have to be granted to the case as a team member to be able to access the case, then you have to be given the access to access or view the evidence file within that case. Right?

So, as I kinda mentioned, everything gets associated with an incident, case, or complaint. The exception of that is what I talked about earlier, which is video files associated with body-worn cameras, non-lethal weapon data, or in-car videos. And those are what we classify as administrative files. They are brought in, they’re ingested the same way, they’re stored the same way, they can be viewed, and there’s some analysis high-speed scrubbing and time marking and other things that can be done, but they’re not really associated with a case unless there is an incident, a case, or a complaint that’s relevant to that video.

Christa: That makes sense.

Chuck: And then the third example is the collaboration amongst the public law enforcement and interested third parties that I mentioned earlier. We use a secure portal for access. So, the public has information they want to share with the law enforcement agency, they can upload it to this folder. And again, it’s reviewed, it’s scanned if it’s relevant; it gets associated with that incident, case, or complaint; or it goes into an administrative file. The requests for analysis comments, notes, and annotations can be accomplished by team members in this secure environment.

It’s completely 100% auditable. And then, the communications in terms of interested third parties, so think about a video, and there’s hundreds of thousands of pieces of evidence, but in this particular example, there’s a video that’s relevant to an investigation. The Individual’s has been arrested, he’s going to be prosecuted, we have a requirement to provide evidence to the defense.

So the defense, same thing, the defense logs into the secure portal, user ID, password, they have access to that file, they can view the file if they so desire and it’s up to the agency and the local policy on whether you’re going to allow it to be downloaded or copied. If you want to do that, you can do that again in real time. But the way that it’s typically done is the request is made by the defense attorney to download the file. Types that he makes a request, it comes up, it’s approved, a passcode is sent to their registered phone, and so it’s a two-part authentication in terms of being able to access that file and download it. So he puts in the code, now they can plug in a USB and download the file.

What’s relevant or important about that is we now know who downloaded it, when they downloaded it, and it was properly authorized in order to download that. So those are kind of some examples of how the technology is used to help streamline the process, automate a lot of the tasking, and to provide evidence, analysis and outcomes in much more real time than has been done previously.

Christa: I’d like to focus in a little bit on the information sharing aspect of digital evidence management in terms of accountability. That’s a kind of a word that I think is on everybody’s mind these days, especially when it comes to law enforcement. So in terms of being able to share evidence with defense attorneys, as well as potentially respond to Freedom of Information Act requests, do you see this solution as more or less transparent and why?

Chuck: Well, I actually think it’s more transparent and there’s greater accountability. I kind of went through this, the example of how you gain access, how, for example, a defense attorney would gain access to that information. So, it makes it easier to share the information.

So, you have the ability to say, “This is what I have. This is the evidence associated with this particular investigation or this particular prosecution. And here it is.” I don’t have to copy, I don’t have to make floppy disks, I don’t have to do any of that stuff, put it in the mail, oh, it got lost in the mail. I mean, it’s there real-time and there’s better control through a self-service capability.

I think that helps with the transparency. I think that the complete audit trail helps with accountability. We know exactly who did what, when, so there’s no question the evidence was modified, you know, they didn’t provide it to the defense, those arguments kind of go away. In terms of, like, Freedom of Information Act type of activity, we do have a very comprehensive search capability.

So, for example, and I kind of alluded to this earlier, so we tag videos, we tag documents, we tag forensic evidence with certain things: people, places, names, events, things like that. Those are all searchable. So, if I look for something, for example, you, I look for you in our evidence file, it’ll tell me, here are the 25 things related to you as an individual. Then I have the ability to view those documents or those items, and I can redact certain sensitive pieces of information. And it’s a true redaction, it’s not just a black bar put over another image or a document. You can’t actually see what’s underneath those redaction bars.

But what it allows us to then do is, again, do the same process, we can respond more quickly to Freedom of Information Act type inquiries. With the information electronically, the person who made the request can come in through a portal and do self-service. We can send an attachment, an email, here’s the response to your request. There’s a bunch of different channels that we can use to feed that information back.

But again, we have a complete record of, this is what the request was when it came in, this is what we found, this is what we provided, and this is when we provided it, and to whom. So we have greater accountability and greater transparency because the system helps the law enforcement agency do their normal course of business, or more rapidly, more efficiently, more cost-effectively.

Christa: So I want to jump back a little bit to chain of custody. You may know all these issues broadly. So there is some interesting research and interesting projects going on in the European Union and the US and I believe in Southeast Asia regarding using a blockchain ledger for digital evidence management. So I’m thinking specifically of Project LOCARD in the EU, something called Blockchain of Evidence here in the US, or at least that’s the name of a white paper they wrote, off the top of my head, right? In any case, why or why not do you see blockchain as a feasible solution relative to what OpenText is offering?

Chuck: Well, to be fair, I have to admit, I only have a high level understanding of the Project LOCARD and the use of blockchain. There are certain similarities in that project and our solution: public partnership, chain of custody, evidence handling type of agreements. But the Project LOCARD seems to be focused more on trying to standardize and streamline the processes between multiple countries, as opposed to, we are very much focused on the actual handling of the specific evidence and complete lifecycle of that evidence, and then being able to have the law enforcement use our platform to analyze and conduct further investigations without the need of highly trained technical individuals.

So, you know, our solution is configurable and extensible, so it’s not locked into one workflow or one business process, but I would be interested to see how the projects focus on information sharing, specifically around multimedia evidence, which is just one part of the evidentiary package. I would be interested to see how they use blockchain to ensure the integrity of the evidence, right? And I know that it helps with sharing and you have the ability to go across multiple jurisdictions, but I’m a little skeptical, or actually not skeptical, I’m a little curious as to how they’re going to ensure the evidence integrity so that it can be, as they’ve stated, they want to be able to provide a better presentation to the courts, right?

Christa: So, in terms of your solution at OpenText, your blog post talked about scalable cloud deployments. Are you finding more command staff to be amenable to the idea of cloud storage for digital evidence? And if so, how did you overcome objections about things like security and access, et cetera?

Chuck: I think, and I’m trying to remember, but I think before the advent of, or the proliferation of body-worn cameras and in-car video type of systems, even that, in-car video systems, they typically were a digital file, or they came on, you know, a DVD type of media. I think with the additional scrutiny of law enforcement activities, the need for increased storage and the ability to actually analyze and review video images, media images, I think that has kind of pushed the law enforcement agencies more towards a cloud environment.

So, the education and understanding of those environments, plus the provider efforts to ensure compliance with, you know, the criminal justice information system requirements, the access controls, auditing data encryption, and other security requirements has improved the acceptability of cloud deployments among law enforcement agencies.

Some time ago I was a CIO for the state of Illinois for public safety agencies. And there was a recognition of the benefits of cloud deployments for our law enforcement systems, not all of the systems, but the benefits in terms of cost, infrastructure, investment, scalable processing, unlimited storage, were incredibly compelling.

So again, our solution is cloud-deployable. But in addition to those benefits that I just mentioned, you have the provider infrastructure security; you have disaster recovery of business continuity; you have access to complimentary technologies such as artificial intelligence, machine learning, language translation, et cetera. All of those in a cost-competitive, secure manner have really been instrumental in gaining acceptance of cloud deployments.

Christa: Okay. So on that note, having said all that, OpenText is offering a variety of deployment options for agencies at different levels. Can we infer that agencies with existing infrastructure would be larger metro ones and those seeking a cloud deployment would be smaller? And again, does this tend to vary depending on the different regions in the world?

Chuck: So we offer cloud on-premise or as we like to say off-cloud, or hybrid deployments, right? Depending on the customer requirements. It’s really dependent upon what the customer needs are. Our preferred deployment method is the cloud deployment for all the reasons I just mentioned previously.

And cloud deployments typically seem to be preferred by a lot of small and medium agencies. They look to cloud deployments to provide those enhanced capabilities at a reduced cost, but also because they can’t really afford large information technology infrastructures. So I hate to say, they don’t have huge data centers.

Large agencies, as you might imagine, they tend to have their own well-established IT infrastructures, and so many are inclined to have on-premise deployments, so we want to meet those customer needs. However, as the cost for that IT infrastructure continues to increase, a lot of the agencies are acknowledging that it’s more cost-effective and beneficial to have the increased storage and processing capability in the cloud.

So they’re migrating portions of their systems in a no-cloud environment. And that’s one of the reasons and rationale that the state of Illinois chose to go with a no-cloud environment. In other parts of the world, we typically see, again, the same type of configuration, large agencies like to have their own stuff. Smaller agencies want the power and benefit at reduced costs, so they go more into cloud environments.

But what we’re seeing, particularly in the European Union is the need, or the mandate for the evidence to remain under the control of the local enforcement agency. And so, and there are lots of rules and regulations behind that, but so what we’re seeing is a need for a more hybrid deployment. They want to be able to retain the original evidentiary files on-site, or in their own storage environments, but they want to be able to leverage the processing capabilities of the other tool sets in the cloud environment.

So what they do is they have a combination of both. The storage and retention is really handled locally, and the processing and the analysis and collaboration is more through a cloud environment, even though that can also be a constraint due to local geography. Kind of a simple answer to a really complex question.

Christa: It is, for sure, for sure. Yeah. All right. Well, Chuck, thank you again for joining us on the Forensic Focus podcast.

Chuck: My pleasure, thank you for having me.

Christa: Good discussion. Thanks also to our listeners, you’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. If there are any topics you’d like us to cover, or you’d like to suggest someone for us to interview, please let us know.

Leave a Comment