After the Webinar: The Law Enforcement Digital Evidence Lifecycle. Q&A with the Presenters

Webinar presenters Robert Turner and Patrick Doyle answered a number of your questions after their presentation, The Law Enforcement Digital Evidence Lifecycle: From Intake to Expungement. Here are just a few of their responses.


Audience Question: What would you recommend if an agency does scan a piece of hardware, say a hard drive for viruses, and does detect some viruses on there?  

Robert Turner: Again, the first rule I think really applies, which is you’ve got to secure the original copy and keep it, but you’re going to have to keep anyone from getting into it. Then at the point where you need to start looking at it, you’re going to end up taking them a copy and having to look at sanitizing it. You’re still going to have a lot of issues and that’s why really when you start dealing with the cybercrime type aspects, people are going to have to then be able to balance off, “Okay? I’m going to go ahead and something that will protect me from the malware, and I’m not an expert in this area,” but certainly, you’ve always got to protect that original copy, because ultimately, the end, if there’s any question of what was found, they’re going to go back and look at that original copy.

Patrick Doyle: I just wanted to add something to that, Aaron. Interestingly enough, that submission just became evidence in a new crime, which is you submitting or possibly knowingly submitting a virus to me, the police department. So, in a broad sense. We call that containerizing. It containerizes it, call on the heavy hitters, go to a high authority. Don’t put it into your system any further until you’re sure that it can’t re-infect, and then treat it like evidence. It’s like blood splatter or a shell casing found in a scene. That’s new evidence of a new crime. So, lock it down, seal it, as Bob said when you can safely copy it, and then look for the person that submitted it to you, because they may have knowingly done that, not to accuse them without any facts, but lock it down. Protect the rest of your environment. And then calling the heavy hitters, calling the ——– into the world, and get it looked at under a safe, in a containerized environment.


Audience Question: Are there ways to develop digital evidence sharing between law enforcement and prosecutor offices? 

Patrick Doyle: I was going to say, yeah, there’s something that we’ve all forgotten about. It’s really cool. It’s called the telephone. You can actually call someone. I’m just kidding. But honestly, absolutely most of the prosecutor’s offices are, I think, willing participants, they want to work with law enforcement closer. This is what we’ve heard anyway in the study. And I think that digital evidence is the best place to start. You know, we got together on how we charge people now electronically, you fill out a warrant, you send it to the prosecutor as opposed to delivering the warrant for the prosecutor to review, et cetera. We’ve smoothed that a lot of these other areas, this is the next natural progression of it. So, I say yes, contact your local district attorney, your city prosecutor, attorney general, and say, I want to talk about how we’re handing off the evidence. They, from what we’ve heard, and the prosecutors, I’ve talked and spoken to. They’re all ears on this. They’re not going to be the ones to likely reach out because remember, they don’t hold the information, to begin with. It’s ours, so they just keep asking for singular batch feeds. If you approach them and say, “Hey, I want to work this out, I want to do this better.” I think they’re all ears. That’s what they’ve said, anyway, the ones we’ve talked to.

Robert Turner: I think one problem with that is, is that it implies that where the problem is. That’s not where the problem is. The issue is really not between law enforcement and prosecutors. There are logistics issues, but at the end of the day, they understand what’s going to be going on. It’s how do you deal with defense attorneys? How do you deal with the judges? How do you deal with those five of the entire digital evidence piece, because they’re in a criminal justice environment they are part of the participants? To use the previous question, as an example. Do you want to go ahead and let that infected hard disk get out to other parties like defense attorneys? There’s a really interesting question that you have to deal with this. That’s something you want to go ahead and go out and spread more problems with, especially where maybe the viruses, the crime itself. So, the key thing that I think we need to do. Yes, law enforcement and prosecutors need to work together. I think there’s a willingness and I’m understanding it’s the broader picture that’s the hard part.


Audience Question: Has anyone considered or are you planning on considering the ethical issues around the inadvertent collection of victim data as evidence often as phones are seized and accessed, which can have an impact on victim privacy?

Patrick Doyle: You bet. And that’s why we talk a lot about expungement because, me being the police department, what got into my system. I might necessarily not have had the right to might not be germane to the crime I’m looking into. And so, absolutely. The more we people, the citizens, store things the more they’re going to inadvertently get into government systems. Now, I don’t think the government wants to pry. In some cases maybe, you could make a case that we want everything we want it all, collect all the photos at the mall. But that’s not really the case in reality, but it’s too expensive and it’s not fruitful. So, Aaron, I think the answer to the question is, oh, you betcha! We’re worried about it because if we collect too much, we reduce our brand as well by being overbearing by being militaristic, or being a dictatorship or someplace where everything is ours and you have no privacy rights. People have rights to their private digital imagery. We should only get what we had seized legally, need to get to be the caretaker of the community or a judge orders that we happen across under legal circumstances. So, expungement, that’s why Bob and I focused on that. It’s a huge issue and we think it has to be addressed immediately. It’s a very important part of this as far as we’re concerned.


Audience Question: As it pertains to body-worn cameras, how do you balance the desire to not have tapes, even if they’re digital, stacking up on your desk while eliminating the possibility that the defense might accuse us of deleting or eliminating evidence that could exonerate our client?

Robert Turner: I think this is exactly where you get into rules. Certainly, body-worn video is as much of a solution as it’s been. And I’m a big proponent of it. There’s been a number of different issues that come from labor law to evidence in this whole thing. I think issues that eventually you’re going to have to get down to legislative issues of what is appropriate with body-worn video. That product that comes out has got a whole lot of different intersections that can come down to. But this gets to the vetting part that Patrick talked about upfront. I think, is, one of the real key parts that we have to look at is, we need to understand that we’re going to have to empower law enforcement, and we do with so many different areas to say, okay, just because this is relevant or not, is there is going to have to be their decision. And the example that Patrick gave of the tape running and then their state police cruiser, photographing a wall. That’s pretty easy to determine that the photograph of the wall is not really important. We can get rid of that with a high degree of confidence. But then you get into issues of striking what’s the reasonable issue of, we have a camera focused on a crowd, and two hours later, we had a riot there. Do we want everything there? It’s unfortunate that the reality it probably is, but if those cameras are fixed one that had been up for two nights beforehand, maybe not. And those are the issues that are eventually going to have to be, start to figure out. And as long as people are working in good faith. I think that’s one of the key things that we have to empower people to be able to say, just because we can capture it, doesn’t mean to me to hold onto it. And I think that’s striking that balance. Patrick, I know you’ve got ideas or thoughts on this area.

Patrick Doyle: There’s a safe spot for all of us, I think, the reasonable woman, or man standard. I think it can be applied here. I think it’s reasonable to keep even that shot of the wall if you want. Keep it for a couple of years. I think we can find a middle ground on this and make everyone happy, what the police capture legally should be able to be kept for. This is my opinion, and the opinion of those that were talking do as study participants, I think they’re saying, I can’t keep it for 25 years, and I don’t want to. I don’t want to keep it for life, but I think we can apply reasonable standards and find a middle ground. We’re going to have to. At one point, the amount we’re going to accumulate is going to be so excessive. It might seem —— now. You say, “Well, it’s a terabyte. What’s that cost?” When you got 70 terabytes or whatever is beyond that? We can’t do this forever. We’ve got to establish standards and be reasonable. And people, we think we should keep, for a reasonable amount of time, any connection to a crime, I could keep it forever or keep it until the statute of limitations is gone. Everything else, I think we decide on a time, and we stand by it, and each jurisdiction will do it differently. I think we can do that. Because that’s the point, the questioner makes. I’ve got tapes stacked on my desk. If I delete them or whatever disks? Just saving money because I don’t want to use new disks, at some point, that has to be acceptable. Even if, every once in a while, something’s going out the door, which could have been kept. I’m sorry, I hate to be the victim of that, and the evidence is gone, but at some point convenience to the government has to be weighed in here.



Audience Question: Some auditing systems provide a lot of information but no context. Have you found or how have you found best to relay context when information is released or requested? 

Patrick Doyle: I honestly don’t think keywords are a bad way to do this, I don’t need to see the whole case, but if I’m auditing, and I know that this is, homicide involved a gun and I hope I’m onto what the questioner asked, I actually think that there’s a way in which I don’t want to say anonymized. The audit process can be anonymized, but if I know this is a particular type of crime involved, a certain weapon occurred in a certain jurisdiction, that’s how I can correlate the audit trail to what I’m actually looking for. That may not be anonymized enough to not circumvent the standards but to comply with that, but I think the use of keywords is underutilized as a method of, Hey, here’s 10 things about this, this item that can relate to this case without you knowing all the details, or getting so much information, that it’s not even an audit anymore, it’s like a full review of thousands of cases, Bob. Did I misunderstand that, or do you treat them the same way?

Robert Turner: I think one of the big things that we look at this, no data and law enforcement stand alone, you know, there is always a report. There’s always an incident that ties back. So, I think the evidence system has to have that tie back to the case number, event numbers, incident reports, whatever. And certainly, then, being able to extract keywords relative to the cataloging of that information. That goes back to the issue of our collecting and bringing that information, and there’s going to have to be some tagging occurred and that’s, I think one of the big challenges that we’re going to be looking at is how can we use technologies like AI to go through and give us? Hey, give us some keywords of what you see in there? Oh, there’s a car. There’s, what we’ve identified is the victim and what we identified as the perpetrator and a number of different things that we can look at. That goes into the keyword search that conventionally goes in to help to search through this and then simplify it. This is what technologies like AI really make some value because their ability to sift through large volumes of data and tag it and give us information is really useful. Is it hundred percent accurate? No, nothing is in life. But certainly, it’s more viable than having the detective sit for 2 or 300 hours trying to deal with all the different tape that came from a different camera of the scene that really, for the most part, don’t show anything. And so, using technologies like AI and similar to help us be able to sort through that pile of evidence is going to certainly help us, and tying it into keyword searches and other technologies I think are important.

Patrick Doyle: Bob, I saw one system that actually uses icons, not keywords, but similar to keywords if it was a gun case, it had a little symbol of a gun. Next to it. So, when you did your audit, you could actually see, because people humans pick up on pictures more than they do words because they don’t need to process the words. The image means something to them. So, it’s sort of a keyword thing. So, I thought that was a really neat way to correspond to audit records, to what kind of case they were, just to throw it out there, symbols. So, simple but worked really well for volume cases.

