This Section - Collection and Preservation of Information/Evidence - outlines the specific steps concerning the receiving, recording, handling and preservation of physical, documentary, digital and testimonial evidence.
1. Collecting and Preserving Physical Information
The standards below outline the basic principles that should be maintained if you receive physical information. Physical information refers to physical objects as well as prints (such as fingerprints, footprints, cut marks, tool marks etc.) found at the scene where the human rights violations happened.
Observation and investigation of a location where violations and abuses took place and collection of physical information may involve risks to health and safety. Practitioners should exercise extreme caution when collecting and handling physical information or accessing locations where violations took place. It usually requires a high degree of training and expertise. However, if owing to the circumstances, you are required to collect, handle or preserve physical information, then follow the principles and guidelines in this section.
Observing and Documenting a Scene of Human Rights Violation
The management of a scene where violations and abuses took place is a highly technical process that requires the expertise of a professional investigator. An inexperienced practitioner may easily contaminate a scene of human rights violation in a variety of ways. Therefore:
- Do not attempt to enter, secure, manage, or intervene in, a scene of human rights violation
- If practicable, contact the appropriate domestic or international authorities within your locale to process the scene of human rights violation
Only undertake this role if:
- Professional investigators are not willing or able to access the scene of human rights violation in time to preserve the information
- Information arising from the scene of human rights violation would be lost or damaged if the scene of human rights violation is not secured
- You are confident of your expertise and have carried out appropriate risk assessments (see Preparing a Risk Assessment and Strategy to ensure you and others remain safe)
In the event that these conditions are met, take the following steps in observing and documenting the scene of human rights violation.
Step One: Preserving the Scene of human rights violation
Preserving a a location where violations and abuses took place is a three-step process that requires:
1. Assessing the safety of the area where the scene of the human rights violation is located
As a general rule, the safety of the practitioner or any other person found at the scene of human rights violation should always have priority over information gathering.
First, make sure that the site is safe and free of any dangers. Perpetrators of human rights violations often have an interest in destroying information and will consider violent means to do so.
When assessing risks to the scene of human rights violation:
- Identify and plan for escape routes – take into consideration how you and your team and the information gathered can be transported from the location. Refer to the Preparing a Risk Assessment and Strategy
- Identify nearby medical facilities and your ability to access medical care when needed
- Locate other actors working in the area and determine the trustworthiness of local authorities and whether collaboration is appropriate
- Ensure capable personnel have swept the area for landmines, unexploded ordnance and booby traps
- Make initial observations (look, listen, smell) to assess the safety of the scene
- Wear protective clothing (such as protective helmets, gloves and shoes)
- Prioritise assisting any injured persons found at the scene through first aid, if need be
2. Identifying the scene of a human rights violation
Once the safety of the area is established, the practitioner should identify the scene of a human rights violation. This requires the practitioner to:
- Identify the central point(s) of the scene, i.e., the exact location where the violation occurred (e.g., a street where a person has been shot or a room where a violent act occurred)
- Consider whether there are any possible secondary scenes. Physical information may not only be found in the direct vicinity of the violation. The practitioner should attempt to identify all locations where physical information may be found (i.e., the investigative scenes)
- Cordon off an area around the central point and investigative scenes that is large enough to contain all relevant physical information
3. Securing the scene of a human rights violation
Once the scene of human rights violation is identified, the third step is to secure it with a view to maintaining the integrity of the investigation and ensure that the information is not interfered with. This requires the practitioner to:
- Accurately record the location of the site
- Sketch the site including the location of potential information
- Cordon off the scene with scene tape
- Establish a common entry point to the scene
- Monitor access to the scene
- Keep a log of all those who enter the scene
- If the scene is outdoors, promptly photograph and shelter it from the weather
- Ensure everyone refrains from contaminating the scene. This can be done by avoiding the use of any facilities available at the scene (such as telephones and bathrooms); not eating, drinking or smoking within the scene; not moving anything/anybody (except for situations where it is absolutely necessary); not touching or handling objects found in the scene; and not littering or spitting
Step Two: Observing and Recording the Scene of a human rights violation
After the scene is secured, proceed to record what you have observed in as much detail as possible in the Investigation Folder (in the activity log) and your notebooks.
The purpose of this is to have an accurate and reliable account of the original state of the scene of human rights violation. Detailing the activities undertaken by practitioners at the scene may prove vital in establishing whether the scene was tampered with.
In detailing the scene of a human rights violation, practitioners should:
- Record facts regarding the scene, not personal opinions
- Ensure that the notes are correct, detailed and professionally kept; the records you create may eventually become evidence in any court process
- Note the date/time of the incident and also the date/time that you arrived at and left
- Note the location and size of the scene through GPS coordinates and by hand on a map. The map should be signed, dated and preserved
- Note the type of violations that may have occurred at the scene
- Note your observations in the Investigation Notebook, i.e.:
- Your vantage points in observing the scene
- How the scene looked when you arrived
- Whether anything has been moved within or removed from the scene
- The location, description and measurements of any potentially valuable information that is found (including any deceased victims)
- Who was present at or leaving the scene and their activities
- The names and identifying details (full names, dates of birth, ID details, places of residence, contact information, etc.) of potential witnesses
- Description of any suspicious vehicles that are seen, including colour, year, make, body and licence
- Description of any suspicious individuals using the ‘head to toe’ method, i.e., his/her race, sex, age, height and weight, followed by a description of the individual from head (hair) to toes (or shoes)
- Supplement or substitute the written record with voice recordings, photos and videos, in case it is more practical than writing down observations
- Prepare a detailed bird’s eye sketch of the scene of human rights violation (including an indication of the scale used in drawing, signed/dated and stored) which indicates:
- The direction of north
- The central point of the scene
- The location(s) where the violation(s) occurred
- The location of identified information or objects. Such objects should be labelled and described
- Any landmarks, roads or buildings with a label and description
- Any measurement of pertinent objects and spaces between them
Collecting and Handling Physical Information
As a general rule, do not attempt to collect or remove physical information from a scene of a human rights violation. As indicated, managing scenes and collecting information are primarily the responsibility of experienced professional investigators mandated by domestic or international authorities.
Nonetheless, in certain situations, it may be necessary to collect and retain physical information. This may be the case if, for example:
- The information in question would disappear or deteriorate without its immediate collection
- You are requested by the authorities who do not have immediate access to the scene to collect and store the information on their behalf
Only under such circumstances should practitioners engage in the collection of physical information at a scene. Proper collection of physical information is required to ensure that it retains its (reliability and probative) value. These standards rest largely on three stages:
- Collecting: accurate recording of the information or item
- Handling: implementing a chain of custody
- Storing: preservation of the information or object
Step One: Collecting Physical Information
Generally, practitioners will come into possession of physical information in two ways: collecting it from a scene or receiving it from a source, such as a witness or victim of the violation.
If you cannot accept a piece of information due to concerns on how to handle it properly, make a note of it in your Investigation Notebook together with its location and the details of the provider to enable its collection at a later date.
1. Collecting Physical Information from a Scene of human rights violation
As a general rule, defer the collection of forensic information (i.e., DNA, blood, semen, body parts etc.) to professionally trained practitioners. Similarly, collection of potentially dangerous information such as firearms or other weaponry and associated material (such as cartridges, casings and bullets) should be left to professionally trained practitioners.
When collecting other types of physical information from a scene of a human rights violation:
- Consider the elements of the violation when deciding what to collect
- Prioritise collecting information which may disappear/deteriorate if not collected immediately
- Wear protective clothing (e.g., gloves) before collecting the item to avoid contamination
- Photograph the information in its original location before removing it
- Record the description and the original position of the information in sketches and notes
- Place the object in a storage bag which has a piece of paper attached to it or an envelope and seal it in a way that will allow any tampering to be detected
- Record the reference number given to the object, the date, time and location of collection and name of the person who collected it on the bag/envelope
- Record the chain of custody of the object on the storage bag or envelope by noting the details of the person who collected the item and the item’s movement from the possession of one person/location to another, if applicable
- If possible, engage experts in gathering physical information which requires specialist knowledge (such as gunpowder, DNA or bodily fluids) to prevent them from degradation or contamination
2. Receiving Physical Information from a Source
When receiving physical information from a source (i.e., a victim, witness or a third party), the practitioner should:
- Avoid receiving information in exchange for money
- Ensure that the provider obtained the information honestly, without threat, coercion or trickery and with due regard to the fair treatment or others, especially the vulnerable.
- Record the personal and contact details of the provider
- Wear protective clothing (i.e., latex gloves) in handling the item in order to ensure that any possible forensic information on the item is not contaminated
- Do not promise to the provider that the information or their identity will remain confidential in all circumstances
- Explain to the provider that the authorities who receive the information may be able to address any confidentiality and/or security concerns through protective measures
- Consider the motivation of the provider in providing the physical item
3. Recording Physical Information
Whenever you observe and/or collect any form of information, record it in writing in the Investigation Folder. The section of the Investigation Folder on physical information should include:
- A Physical Evidence Log to register the collection of physical information from the scene of human rights violation, indicating:
- The reference number of the object appointed by the practitioner
- The description of the object
- When, where and by whom (including their contact information) the object was collected
- If it was provided by a person, when, where and by whom (including their contact information) it was provided
- Any additional comments regarding the circumstances under which the information was collected/provided
- Photographs of the collected information
Step Two: Handling Physical Information
Proper handling of physical information is crucial to ensure its reliability and, consequently, its successful admission as evidence before a court. This requires maintaining an accurate and complete chain of custody of the item in question.
You should strive to keep the chain as short as possible. As few people as practicable should handle the information. If a link in the chain of custody is missing or in question, a court may need to assess whether it has been intentionally or inadvertently altered from its original state, affecting its admissibility, or the reliability and weight given to it by the judges.
In short, to ensure an accurate chain of custody, the practitioner should:
- Put the information in a storage bag or envelope
- Record the following on the “chain of custody sheet” that is fixed to the storage package or envelope containing the physical item:
- The reference number assigned to the object upon collection
- The name of the person who originally collected the item, the date and time it was collected and the location where it was found
- A description of the object (appearance, quantity, size, weight and other features)
- The names of all persons who take possession of the item, the date, time and location of handlings, and the purpose for which they handled it.
- Seal the bag/envelope with adhesive tape in a way that enables any interference to be detected
- Store it in a secure location where it will not be disturbed
- Keep an up-to-date record of the whereabouts of the item in the Physical Evidence Log
Step Three: Storing the Information
Once you have completed the necessary steps regarding the collection and handling of the physical item, you must store it. A practitioner should:
- Store the information in a secure, safe place such as a room or a closet space with a lock, free from environmental factors (extreme heat or cold, water, etc.) and unauthorised access
- Appoint a person to be responsible for the storage area and access to the physical items
- Institute a logbook to record who is entering the room and for what purpose
- Ensure that any handling of the item after storage is properly recorded
- Contact the authorities to pass the item to professional investigators as soon as practicable
Please see Implementing a Storage System for detailed information on the storage of physical information.
2. Collecting and Preserving Documentary Information
Documentary information gathered from private and public sources are vital to the investigation of business related human rights abuses, including in linking perpetrators to the violation and establishing the elements of a particular abuse. Documents are often difficult to dispute and, unlike oral testimony, are more likely to be contemporaneous and free of ill will or bias (if not produced for the purpose of the trial process). Any practitioner needs to ensure that it is properly sourced, handled and authenticated.
Whilst digital information is also considered as documentary information, due to specific technical considerations regarding utilisation of such information, the principles related to digital information are dealt with in a separate section, see Collecting and Preserving Digital Information/Evidence.
Receiving and Handling Documentary Information
Documentary information can be gathered from public and private sources. These include state authorities, international organisations, non-governmental organisations, victims and witnesses, private individuals and organisations, national or international media, including radio broadcasts, online posts, newspapers and online sources.
Documentary information relevant to the potential commission of a business related human rights abuse may include:
- Official documents: orders, instructions, rulebooks, periodic reports, situation reports, meeting reports (agendas, minutes, stenographic records), land and property records
- Official logbooks: documents from police stations, prison records, etc.
- Official financial and personnel records: payslips, telephone and transportation billing records, personnel files/dossiers, commendations, and attendance records
- Court files and prison records: case files, investigative reports and dossiers, records pertaining to detention and release of prisoners and prisoner health records
- Maps
- Medical records from hospital and psychiatric institutions
- Business records of companies
- NGO reports
- Diaries, journals and other forms of individual records
- Newspapers and other print media
Step One: Receipt of Documentary Information
In receiving documentary items from external sources, practitioners should:
- Avoid receiving documentary items in exchange for money
- Ensure that the provider obtained the document through valid means
- Consider the motivation of the creator/provider in creating/providing the documentary item
- Not promise the provider that the item or their identity will remain confidential in any circumstances
- Wear protective clothing (e.g., gloves) in handling the document to avoid contaminating any possible forensic information (if applicable)
- Avoid altering the original state of the document in any way (e.g., stapling the document)
- Make copies of the original document as soon as practicable and store the original appropriately to prevent loss or damage. Avoid making too many copies of the original document
- Explain to the provider that domestic or international authorities who will receive the document may be able to address their confidentiality and security concerns through protective measures
Step Two: Authenticating Documentary Information
One of the most significant issues regarding documentary information is its authenticity, which is intrinsically linked to the eventual assessment of its reliability and probative value during admission of evidence in a court. Accordingly, a document’s authenticity must be established for it to be admitted as evidence before a court. A given document may:
- Be self-authenticating, for instance, if it is an official document publicly available from an official source
- Be prima facie reliable, meaning it bears sufficient indicia of reliability such as a logo, letterhead, signature, date or stamp and appears to have been produced in the ordinary course of the activities of the person or organisation that created it
- Not bear sufficient indicia of reliability, meaning that its authenticity must be established to enable the court to verify that the document is what it purports to be
1. Authentication
If a document is not self-authenticating or prima facie reliable, take the steps outlined below to assist in assessing whether the document is authentic. Ideally, these details should be gathered from the original provider/creator of the document at the time that you receive it:
- Identify the author and provider of the document (including the organisation he/she belongs to) and his/her motivation in producing/providing the document
- Establish when, where and for what purpose the document was produced
- Identify witnesses (ideally the author of the document) who can speak to the creation or origins of the document
- Establish the provenance (i.e., the origins and source) of the information relied upon by the author in the preparation of the document
- Find (if possible) copies of the document from different sources and cross-check its content
- Record how the document was obtained (in order to assess whether the document was obtained through valid means
- Maintain a chain of custody of the document from the time of its creation until its provision to domestic or international authorities
- Collect additional information to demonstrate the authenticity of a document
2. Specific Guidance on how to Authenticate Particular Types of Information
Open-source material: Open-source material is information that is readily available in the public domain (e.g., the internet or public libraries). In collecting such information:
- Note where the document was obtained from (e.g., a website)
- Record when the document was obtained
- Note the process through which the document was obtained
- Indicate if the item of information is no longer publicly available
Reports from NGOs, IGOs or third state governments: Generally, reports that appear to be well-researched and documented from well-known and respected NGOs, intergovernmental organisations or governmental bodies will be considered prima facie reliable (i.e., without requiring authentication) if they provide sufficient guarantees of non-partisanship and impartiality. Accordingly:
- Focus on collecting reports issued by impartial, independent and respected NGOs, intergovernmental organisations or governmental bodies
- Note when and from where each document was obtained
- Assess whether the report provides information on its sources. In addition, consider the methodology used to analyse and present the factual claims within the report
Official documents: Official documents refer to any authenticated documents from organisations that perform public functions (even if they do not belong to regular state authorities) and may include documents such as pay records, records of employment, orders, police reports, meeting reports, court records, military personnel records, daily military reports, land and property reports, or State legislation.
Generally, these types of documents constitute highly probative information before a court. To authenticate official documents:
- Note from where and when the document was obtained
- Note the source of the document and how it was obtained
- Check whether the document is authored and signed by an identified representative or agent of an official body or organisation. If so, the document will be presumed authentic, as long as the authenticity of that signature is not called into question
- If the document does not have an identified author, check whether the document is self-authenticating, i.e., whether the origin of the document is apparent from the document itself (for instance from a letterhead or logo)
- In case the document is not self-authenticating (i.e., does not bear a clear indication as to its origin and author), ensure that the document is certified by the relevant issuing authority or an identified representative from that authority
Private documents: Private documents are those that are provided by private individuals or organisations. In authenticating these documents:
- Note when, from where/whom and how the document was obtained
- Ensure that the document provides proof of authorship or adoption or other indices of integrity
- If the document does not provide any indices of reliability, have the author of the document authenticate it or find corroborating and independent information authenticating the document and establishing its date (e.g., through another document or witness referring to it)
Media articles/reports: Media articles and press reports may provide highly relevant information on the occurrence of abuses, statements made by alleged perpetrators or associated groups, or details on the scope of the victims or affected communities. However, media articles/reports often do not provide detailed information about their sources and, therefore, will likely be considered opinion information. This information is often only admissible when presented in court by an expert. Accordingly:
- Note the date and source of the press article/report
- Note how the press article/report was retrieved
- Note the author of the article/opinion and how they have come to their conclusions, e.g., the background of the journalists and their sources and other material relied upon in publishing the article/report
- Note that news articles from respected news organisations (such as the BBC) found online may be admissible even if the author of the article is unknown
Letters, manifestos, political statements and similar documents: Letters, manifestos, political statements and other documents emanating from persons or entities involved in contemporaneous events related to the commission of violations and abuses will likely be considered as opinion information and therefore often only be admissible when presented in court by an expert. More often than not, these documents will merely contain assertions by people with subjective interests, limiting their probative value. If, however, the documents make factual assertions about relevant military or political events:
- Note when, from where and how the document was obtained
- Note the date of the document
- Find corroborative information (allowing cross-checking) demonstrating that the document contains reliable and objective statements
- Ask the author for further information concerning how they arrived at the conclusions or opinions contained in the document
Step Three: Recording Documentary Information
In order to keep a record of the collected documentary information, maintain a Document File within the investigation folder. The Document File should contain:
- A “Document Log” recording all documents obtained in the course of the investigation and their metadata, including:
- A description of the document
- The provenance/origin of the document
- The date of the document
- A short summary of the content of the document
- The location of the original copy of the document
- The provenance of the document, including who authored it and provided it to the practitioner
- When the document was provided to the practitioner
- The chain of custody of the original version of the document
- Whether the document contains confidential information or not
- A copy of the document as a countermeasure against the possible loss or deterioration of the original version
For additional information on how to record documentary information, please see The Investigative Folder.
Step Four: Storing Documentary Information
Once you have completed the previous steps, preserve the original version of the document. To do so:
- Store the original version of the document in a secure, safe place such as a room or a closet space with a lock, free from environmental factors (extreme heat or cold, water, etc.) and unauthorised access
- Do not share the original document with third parties (unless they are professional investigators or other relevant domestic or international authorities)
- Appoint a person to be responsible for the storage area and access to the original document
- Institute a logbook to record who enters the storage area and for what purpose
- Ensure that any subsequent handling of the document after storage is properly recorded
For additional information on how to store documentary information, please see Implementing a Storage System.
3. Collecting and Preserving Digital Information
Digital information refers to anything stored on, received or transmitted by an electronic device. This includes photographs and videos, audio recordings, email communications, posts on social media and data downloaded from websites. In addition to digital information recorded personally by the practitioner, digital information from other sources including eyewitnesses, NGOs and other public organisations, the internet, and social media may provide relevant and probative evidence.
Digital information is often considered to be a type of documentary information (see Collecting and Handling Documentary Information/Evidence). Accordingly, the same or similar approach needs to be taken to reliability and probative value. The practitioner should assume that the information would need to be authenticated before being used as evidence. In order to enhance its probative value, practitioners should:
- Assess the content, provenance, source or author of the digital information as well as that person's role in the relevant events
- Record the chain of custody from the time the information is created or downloaded or otherwise seized until its submission to the relevant authority or court, and
- Consider any other relevant information that might help in establishing the authenticity of the digital information
Ethical Principles for Collecting Digital Information
In creating, collecting and preserving digital information, practitioners should respect some minimum principles in addition to the Ten ESSENTIAL Investigative Rules. In particular:
1. Security
- “Do no harm” is the most essential consideration of any investigation. Accordingly, the practitioner should explore how this principle may be important in the collection of digital information. In particular, the practitioner needs to ensure their own security and that of those with whom they are interacting, and anyone identified in the information and their associates.
2. Transparency of Collection Methods
- The collection of digital information should be transparent. It should provide for potential replicability: are third party practitioners able to confirm the appropriateness of methods employed to obtain the information?
3. Legality
- Are there any laws that might preclude the use of the information collected? For example, digital information containing personal data will likely be highly protected as it affects the right to privacy of individuals. International courts will wish to comply with human rights laws and any violation may result in the exclusion of relevant information.
4. Integrity and Ethics
- Apart from the need to ensure compliance with human rights principles, there are a variety of associated ethical considerations. For example, all information collected should be preserved with the same characteristics as the original (or as close to that as possible) and a chain of custody should be maintained as it helps demonstrate that this has been done. An ethical approach also requires respect for data minimisation principles (which demands that no more information than required is collected); due regard for the consequences that data collection may have on victims, witnesses and third parties; and the need for informed consent.
Creating Photographic and Video Information
A practitioner may take photographs and/or videos of scenes of a human rights violation, investigation sites, or physical information. Before being admitted as evidence, a court will require proof of the photograph or video’s originality and integrity. The relevance of the photograph or video depends on the date and/or location of the recording so the practitioner must ensure that this information is always provided.
Once the photograph or video has been taken, it should be treated as other forms of documentary or physical information (e.g., if a mobile phone is seized as potential evidence, then physical information/evidence principles should apply during its collection).
1. Taking a Photograph
Photographs provide an effective way to document a scene of a human rights violation in its original condition. When taking these steps, practitioners should take care to:
- Use the camera’s date and time. Alternatively, take a photograph, for instance by including in the photograph a picture of that day's newspaper
- Try to activate GPS settings on the device itself or otherwise note the location where the photograph was taken, e.g., by ensuring that the location is clearly visible in the photograph itself
- Take the photographs immediately upon your arrival and before the scene is disturbed
- Take a series of photographs to ensure good quality images
- Take as many photos of the scene as possible from different angles
- Take close-up and mid-range photographs of the individual pieces of information
- Take wide-angled photographs that show the location of the information within the content of the entire scene
- Use a ruler next to relevant objects to indicate their dimensions
- Record the author, location, date and time of the particular photograph; a description of the part of the scene the photograph depicts (for example: ‘investigative scene facing north) and a description of the information the photograph shows, if any (for example: ‘bullet casings found at the south entrance to the scene’)
- Take photographs of victims and potential perpetrators that may still be at the scene (providing all security and consent issues have been adequately addressed)
- Do not attempt to alter the photograph (e.g., crop/filter or add anything to the original). If an alteration is necessary, record the reason why
- Practitioners should consider seeking corroborative information from witnesses at the scene, who may be able to further clarify the context and relevant occurrence. In doing so, you should:
- Obtain the informed consent of any person you are photographing
- Record the names and contact information of the person you are photographing and others on the scene who may have information about the events
2. Taking a Video
If your team is personally collecting video information, ensure that the person taking the footage has experience in doing so. When taking these steps, practitioners should take care to:
- Film with the date and time showing on the screen and note the location of the recording
- Take a note of the location of the video and, if possible, ensure that the location is clearly visible in the media itself. It may be possible to activate GPS settings on the device
- Avoid narration and film silently
- Film strategically and logically to ensure that viewers will understand what has happened and where
- Take the video immediately, i.e., before the scene of a human rights violation or information is disturbed
- Try to continuously film the same incident or location, i.e., try to not stop and start your film unnecessarily, to avoid any later suggestion that the film has been spliced or otherwise altered
- Ensure that the video is comprehensive in capturing all aspects of the scene, not just your opinion on what is important: film 360 degrees around, from a distance and up close
- Ensure that the footage is not distorted and images captured clearly through adequate exposure
- Attempt to record details that demonstrate the location (e.g., buildings, landmarks, etc.), the time of day, date and surroundings, as well as the detail being filmed (i.e., the specific incident occurring or the physical information)
- Take videos of potential perpetrators that may still be at the scene (providing all security and consent issues have been adequately addressed)
- Record the contact details of the person who did the filming
- Ensure the protection of the video in the field by keeping memory cards safe from physical damage or confiscation
- Do not attempt to alter the video (e.g., cut/edit, or add anything to the original). If an alteration is necessary, record the reason why
- Practitioners may seek corroborative information from witnesses at the scene, who may be able to clarify the context and relevant occurrence. In doing so, you should:
- Obtain the informed consent of persons you are recording
- Record the names and contact information of the person you are recording and others on the scene who may have information about the events
3. Ensuring Authenticity of Photographs and Videos
Photographs and videos taken by practitioners can be highly relevant and probative if demonstrated to be authentic. The following steps will assist to establish authenticity:
- Take the photographs/videos immediately
- Date the photographs and videos. In addition, record the date in your Photograph Log
- Try to activate GPS settings on the device itself or otherwise note the location where the photograph was taken (e.g., by ensuring that the location is clearly visible in the photograph itself)
- Maintain the chain of custody
- Do not attempt to alter the photograph/video (e.g., crop/filter or add anything to the original) to ensure that it can be authenticated as originals. If an alteration is necessary, record the reason why
- All photographs should be clearly labelled and recorded in the ‘Photograph Log’, including who took the photograph or video, when, where, why and how, what it depicts and other contextual information
- Consider if witnesses can provide information for essential context, for example by describing what is in the photograph/video, when, where and why it was taken and by whom
- Practitioners should be aware of specific digital tools that allow photographs and video recordings to be verified during their creation. For example:
- Truepic offers a free camera application available on any Smartphone and Tablet. Truepic's Controlled Capture technology establishes trust in digital photos and videos by verifying their origin, pixel contents, and metadata, from the instant the capture button is pressed. It leverages cutting-edge machine learning, computer vision, and cryptographic techniques to ensure the highest possible levels of trust, credibility, and immutability. The unique cryptographic signature of each photo and video taken using Controlled Capture technology is written to the blockchain. This creates an immutable record in a distributed public ledger, which is outside Truepic's control, for maximum resiliency. Ubiquitous Smartphones can collect even more data than what meets the eye. Within the phone’s hardware are myriad sensors of the phone’s position and usage. Changing a phone’s time or date is a simple settings modification and there are countless applications and methods of spoofing a phone’s geolocation. The Truepic app allows anyone to document and report on events from their surroundings, while allowing recipients to verify the integrity of the origin and metadata of the image. Granular privacy controls allow for higher levels of anonymity in challenging or dangerous environments. Learn more about the app at https://truepic.com/truepic-app/.
- eyeWitness - combines law and technology to promote accountability for human rights violations and the worst international crimes. Their system is based on three pillars. First, a mobile camera app designed to verify the date, time and location, and the fact that the footage has not been altered. Second, a secure server system and transmission protocols that create a chain of custody that can be presented in court. Lastly, tailored support for the use of photo and video in court and other accountability processes. The eyeWitness system is currently trusted by human rights documenters around the world. Their footage has been used for building photo and video dossiers that have been inserted into investigations or cases by the United Nations, the ICC, different European war crimes units, domestic courts, and international police forces.
Collecting, Handling and Preserving Digital Information
Prior to collecting any digital information, practitioners should make a Photograph/Video Log and Physical Evidence Log that will record the details of the collection of each piece of information. The Log should be designed to record:
- The date, time and location of the collection or creation. In relation to video recordings, you should note the exact duration of the recording
- The collector or creator’s name and organisation and contact details
- The contact details of the information provider, including the address, contact telephone number and e-mail address
- A title for the item
- A description of the item (for example, appearance, quantity, size, weight and distinguishing features)
- Information actions taken with respect to the item (such as where the item is stored, whether it was moved)
1. Collecting Digital Information from an E-device
Digital information can be collected directly from an electronic device (“e-device”), such as a computer, digital camera, mobile phone, or portable electronic storage device. Ideally, when an electronic device is found, it should be handled and examined by a digital forensic expert in order to avoid accidental contamination of data and to protect the digital information on the device from, for instance, attempts to tamper with the evidence via remote access programs.
E-devices must be handled carefully in order to protect not only their physical integrity but also the data they contain. The integrity of a device may be compromised and data (including date, time and system configurations) lost due to among other things, exposure to electromagnetic fields, environmental factors like dampness, dust and humidity, and failure or corruption of the battery. Most batteries have a limited life and there is a real risk of losing data from the prolonged storage of e-devices. Therefore, practitioners should give priority to e-devices powered by batteries, and all relevant data should be recorded in a log as soon as possible.
With the large file-containing capabilities of modern electronic devices, it is key that investigators know how to efficiently search these devices, in order to save time and adhere to data minimisation principles (which dictates that the evidence collected must be no more than required). The following are examples of techniques that may be utilised in order to identify, extract and collect evidence pertinent to the investigation, from e-devices
- Keyword Searches: This entails searching the content of devices using likely or known file names and/or key phrases of text. Using this method, you should be able to search for specific, topical information and digital documents
- File Signature Searches: This entails searching for specific types of electronic files, e.g., doc. PDF, JPEG
- Searching Known Evidential Locations: Focus on electronic files and folders that are most likely to contain the type of information that you are looking for. For instance, folders whose name corresponds to an issue you are investigating or folders that were mostly recently accessed prior to seizure of the device
- Hash Searches: Hashes are a unique string (text data) used to identify a file and ensure it has not been tampered with since its gathering. In order to search for a file using hashes, an investigator must be familiar with the ‘command’ function of a computer device
As e-devices and the files therein may be encrypted, it is worth trying to ascertain and record the passwords, codes, or PINs needed to access the device.
If the Device is Turned Off:
- Do not turn on the device
- Label connections, peripheral cables (cables used to connect older hard drives to power sources), manuals, and attached devices
- Photograph and document the labelled computers and associated cables, connections and devices
- Pull the power plugs from the back of machines and remove all cables
- Bag, tag and transport all the information in accordance with your specific organisation's procedures (should it have any)
- If possible, record the passwords, codes, or PINs needed to access the device
2. Collecting Digital Information from Third Parties
Practitioners may collect digital information from third parties. Below are some considerations that practitioners should keep in mind:
- Avoid receiving information in exchange for money
- Check that the provider obtained the information through valid means
- Consider if witnesses can provide information to verify the digital information received, for example by describing what is in the photograph/video, when, where and why the photograph/video was taken and by whom, and by providing context
- Do not, in any way, alter the received digital information received. If the alteration is necessary, you should record the reason why
Collecting Information from Open Source Investigations
Open source information is information that is publicly available on the internet. It may be a valuable source of evidence in court processes. It may include (but is not limited to) that which is created, shared, or collated by journalists and news organisations; state agencies; commercial entities; international organisations; nongovernmental and civil society organisations; academics and academic institutions; private individuals; and groups of individuals with political, commercial, professional, and personal affiliations. Common types of online open source information include online news articles; expert and NGO reports; social media content; image and sound recordings; geospatial imagery and mapping data; documents, including public administrative records and leaked confidential documents; library holdings, and more. Online open source investigation is the process of identifying, collecting or analysing information that is publicly available on or from the internet as part of an investigative process.
There are a number of steps that will enable the integrity and success of open source investigation. The practitioner should:
- “Do no harm”- it is the first consideration of any investigation. An open source investigator should think through the digital, physical, and psychosocial security of those with whom they’re interacting and anyone identified in the collected information, as well as themselves and any affiliated staff. The investigator should also consider and plan for data security
- Develop the initial query, define the search parameters and use algorithms for automated searching if possible
- Conduct open source investigations as close in time to the relevant events as possible in order to capture original postings. This is key as social media websites maintain a policy of taking down content that violates their guidelines. However, preservation of any information is better than none so “near duplicates” posted later may also provide critical information and should be recorded
- Preserve metadata, links, networks, content, and all comments from relevant social media and other sites.
- Preserve the chain of custody
- Preserve collected materials with the same characteristics as the original (or as close to that as possible)
- Ensure the organisation and searchability of the information (i.e., the information found as a result of the investigation) and avoid duplication of information. At a minimum, the coding of any archives should include the following: who (names of individuals, unit, command, etc. with consistent descriptions that may include a coding scheme); what (document? photo? video?); where (coordinates? city?); and when (date, made as narrow as possible)
- Ensure transparency and accountability. Maintain clear records around how the investigation was conducted, the processes used and standards adhered to, the nature and type of information found and how the information is stored
- Maintain objectivity. Open source investigations should include both incriminating and exonerating materials without favour. Objectivity should be integrated into the development of search parameters, including the selection of search terms and the design of algorithms for automated searching, as well as in the review of collected materials. Peer review and ‘two-factor authentication’ (that is, analysing both the content and the source of the relevant information) are useful methodologies that ensure the objectivity of the information collection process
- Be mindful of data collection ethics, including data minimisation principles (which require collecting no more information than needed); the increased vulnerabilities that data collection may create for witnesses and others; and the need for informed consent of use of the underlying materials for legal accountability purposes. Investigators should also be mindful of their “footprint” - for example, too many people accessing the same website might raise flags that are problematic for others
4. Handling of Digital Information
The mishandling of digital information can lead to unintentional modification or destruction of information that reduces its probative value or otherwise renders it inadmissible. In order to safeguard against these negative occurrences, practitioners should keep in mind the following basic steps.
Chain of Custody
A chain of custody includes a precise description of the item collected and a detailed record of activities in relation to that item. A detailed and precise record serves as proof of the integrity and reliability of the piece of information in any legal proceedings. It is important to make note of precise details as these will remove or minimise any opportunities for interference and will safeguard the information against allegations of interference. For example, if collecting a bundle of photos or multiple visual or audio recordings, the practitioner should record the exact number of items collected, the duration of any footage or recording, and the content.
An accurate and comprehensive chain of custody will help establish the origin of a piece of information and will be crucial in establishing whether the information has been modified or tampered with. A complete chain of custody should also record:
- The whereabouts of the piece of information from the moment someone receives it to the moment it is handed over to the relevant court or other proper authority
- All persons who handled that information, including those that provided the information and those responsible for the storage of that information
- The purpose for which the information was handled, for example an investigator handling the information
As with physical and documentary information, a chain of custody should be implemented as soon as you receive or create the digital information and should be maintained until it is passed on to the relevant authorities or used in court. See Chain of Custody.
Please see Authenticating and Verifying Digital Evidence for additional considerations to bear in mind when seeking to protect information through the maintenance of a chain of custody.
5. Preservation of Digital Information
Digital preservation refers to the storage of digital information. It entails organising and maintaining the information in a secure space so that information is easy to securely access, retrieve, interpret and understand for the entire time span during which the information is required. The following steps will assist in achieving these aims by preserving the integrity of electronic devices and the digital information contained therein.
Packaging Digital Information
The practitioner should take the following steps when packaging any e-devices:
- Prior to packaging devices, document your process in handling the information. Make note of any changes to the device resulting from your actions so that any problems in retrieving the digital information can be traced and easily corrected
- Place the device in either the original or antistatic packaging and ensure that the device is protected from the physically damaging effects of bumps and shocks during transport
- Extra precaution should be taken to not fold, bend, or scratch storage media such as diskettes, CD-ROMs, and tapes. Avoid placing adhesive labels directly on the surface of e-devices - label the outer cover so as to avoid damage from scratches, etc. For instance, do not label a CD-ROM but do label its casing
- Where a device is composed of multiple parts and components, pack each individual component separately. For instance, separate the computer monitor from the attached wires
- Clearly label and photograph each device and any associated parts or equipment. For instance, for a computer system, label the monitor, connections, cables, user manuals and any peripheral devices like scanners, printers, etc. Make note of any serial or identification numbers on these items.
- Do not affix adhesive labels to the surface of storage media (devices that store user information)
- Leave cellular, mobile or smartphone(s) in the power state (on/off) in which they were found
- If the device is on, leave it this way. Two challenges in dealing with powered on devices include: (1) isolating the device from cellular and Wi-Fi networks; and (2) obtaining security passwords or pass patterns for the device so the evidence can be examined forensically. Turning the device off could result in loss of information because there may be security features on the phone - these can include passwords (simple or complex), security/wiping apps, pass patterns, or biometrics (facial scan). The best option is to keep the device powered, unlocked (if locked, collect any available passwords, PIN codes, or security unlock information), and in airplane mode until it is in the hands of an experienced technician.
Transporting Digital Information
In transporting any digital information devices, practitioners should:
- Keep them away from magnetic sources, including radio transmitters, speakers, magnets and heated seats as they can potentially interfere with the device and corrupt the date contained therein
- Ensure that the equipment is strapped down in the vehicle and not loosely placed in containers in order to protect it from mechanical damage caused by shocks and bumps. Avoid leaving digital devices in a vehicle for long periods of time.
- Document the transportation of the digital information and maintain the chain of custody for all devices transported
Storing Digital Information
The storage of digital information should strive to protect the original data from loss, theft, contamination or other changes so as to ensure its originality and integrity in any legal proceedings. For more information, see Implementing a Storage System. In storing digital information, practitioners should also implement an appropriate storage system by:
- Storing the original version of the digital information in a safe location, for example, on an external hard drive. Keeping a complete back up of the information that includes copies of all the digital files kept in separate locations
- Storing information collected on a physical device (such as a computer or mobile phone) in a secure and supervised room with enough fire-safety precautions and temperature controls to protect the devices from heat, humidity, dust and dampness
- Implementing measures to prevent unauthorised access to the data, including limiting access to files to persons with security clearance and maintaining strong passwords on all devices and information
- Encrypting files, particularly sensitive information, through encryption software such as VeraCrypt is recommended. It is also recommended to install firewalls, antivirus and anti-spam software on all devices to protect your device from malicious software, such as MalwareBytes, Avira or AVG. For more information about digital security and data, see: Front Line Defenders and Tactical Technology Collective: Security in-a-box – Digital Security Tools and Tactics
Cataloguing Digital Information
In cataloguing digital information so it remains safe and securely accessible and searchable, practitioners should:
- Allocate each piece of information collected a unique reference number. This entails assigning each document, photograph, video footage, etc. a unique identifying number
- Create a Photograph/Video Log and Physical Evidence Log where each piece of digital information, as well as its metadata, is recorded. Record any access and log any edits that are made to the digital files
- Within the Photograph/Video Log and Physical Evidence Log, indicate the location of the original and the copies as well as the chain of custody of the digital information
- Preserve the “original” information and label and store it appropriately.
Authenticating and Verifying Digital Information
Authenticating Digital Information
As stated in the Introduction to this section, the practitioner should work on the assumption that digital information will require authentication before being used as evidence. This is required to be able to demonstrate that it retains its integrity, particularly in establishing that the information has not been purposefully or otherwise, manipulated or tampered with.
Generally, digital information shared through official channels or marked with official logos or stamps may be considered self-authenticating, meaning that it does not require additional authentication. The practitioner should take steps to protect photographs or videos that may readily be doctored or otherwise used to disseminate misinformation. If the practitioner creates digital information or receives it from unofficial or unknown sources (for example, photographs from a witness or videos from websites/social media), he/she will need to take various steps to ensure the authenticity and integrity of the information.
To assist in authenticating digital information, practitioners must adequately record the metadata of the digital information they have created. The metadata that practitioners should record in order to establish the authenticity of digital information includes:
- The description of the lifecycle of the digital information, i.e., the chain of custody
- The details of any person/organisation that played a role in the creation, publication or dissemination of the digital information. Note that persons linked to the creation, publication or sharing of the digital information should be available to testify in court on its integrity and related issues
- How the digital information was created, collected or received
- The languages used in the digital content (if any)
- The type (e.g., a photograph, voice recording or a video) and format (e.g., JPEG, MKV, mp3 etc.) of digital content and its format (PDF, JPEG etc.)
- The tool(s) used to create the digital content (e.g., the type of camera, recorded etc.)
- The size or duration of the digital content
- The subject of the digital content explained through single keywords (e.g., scene, attack, weapons etc.) so the content can be retrieved quickly through key searches
- A brief description of the contents of the digital content
- The location that the digital content depicts (if applicable). This can be achieved by geolocating the landmarks in the images either automatically (by enabling GPS on the electronic device used to create the digital content) or manually (by, for instance, including street signs, clocks, landmarks, etc. in photographs and video footage)
- Chain of custody of the digital content, including changes in ownership
Verifying Digital Information
While authentication deals with ensuring the digital information has not been manipulated or tampered with, verification purports to tell you something about the who, what, where, and when of a certain event. Practitioners should verify digital information to increase its probative value in the event it is submitted as evidence to a court. The Dat Nav: A New Guide to Navigate the Digital Data in Human Rights Research recommends the following five basic steps to assist in verifying digital information:
- How did you get the content? Think about what information channels it travelled through before arriving on your desk. How many times did it change hands?
- Who created the content? Is the person who shared or uploaded the content online also the creator, or was it someone else? Ask if you do not know.
- Where is the content from? Descriptions and metadata can be forged. Are there visible landmarks or sounds (like police sirens or dialects) that can help you verify a location or time? If you are concerned about the authenticity of the images, you should employ an experienced member of your investigations team or other professional to geolocate the landmarks in the images
- When was the content created? You may not always be able to trust the date stamp on a file. Are there visual clues like the weather?
Why was the content created? Can you determine the motivation for sharing the content? What interests does the uploader have?