Where it is suspected that a computer has been used in the commission of a crime, the equipment is usually passed by law enforcement officials to computer forensic experts for analysis. In the event that any of the evidence extracted is successfully used to secure a conviction, the question then arises as to how long the evidence should be stored.
Generally, there is a legal requirement to retain all forms of evidence unless the police seek permission to lawfully dispose of it, which is usually not granted until all avenues of appeal have been exhausted.
In the case of digital evidence, the reasoning behind this is quite clear: as new information or scientific methodologies come to light, it is possible that an appeal could be lodged, and the computer forensic analysts could be asked to go back and analyse the drive again.
For example, in recent years, the ‘Trojan horse defence’ has developed, where an accused person claims that a Trojan – a form of malware which allows third-party control of a computer by an unauthorised person – was responsible for the illegal activity that has been proven to have taken place on their computer. If a convicted criminal were to appeal on these grounds, analysts would need to revisit the evidence to attempt to prove or disprove the presence of malware.
To ensure that evidence is not corrupted or contaminated during the analysis, the first stage of a forensic investigation is to create a ‘forensic image’, where an exact copy of the hard drive is created. It is this perfect copy of the drive that is analysed by computer forensic experts, while the original drive is moved to a secure storage area.
How long, then, should the original media be preserved, given that the forensic image is an exact and verified copy? The original, in most cases, would only be required if the validity of the forensic image was called into question. As a rule, this should not be an issue, since imaging must be carried out in a fully auditable fashion in line with the best practice guidelines for computer-based evidence set out by the Association of Chief Police Officers (ACPO). However, in cases where a conviction carries a sentence of 20-30 years, it is possible that the original media could naturally degrade over time, rendering it inaccessible should an appeal be lodged on these grounds.
For police high-tech crime units and computer forensic laboratories, the natural deterioration of the digital media used to store the copied image is also a problem. A hard drive in regular use could be expected to last two to five years, with the potential to fail at any time, sometimes causing the permanent loss of the data held within it. Media containing copied images can be kept in heat- and moisture-controlled environments to limit degradation, but there is still some question as to whether the fidelity of all data could be guaranteed for the full duration of a sentence.
It seems then that new technologies will become increasingly necessary to fulfil the need for a long-term storage solution for digital evidence. Until that time, there is always the real danger that evidence could be lost, to the detriment of the thorough investigation of a crime.
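As an added illustration (not part of the original article, and not ACPO's own procedure), one way to test whether a stored forensic image is still the verified copy after years in storage is to record hashes when the image is made and recompute them at intervals. SHA-256, the block size, the function names and the sample image bytes are all assumptions constructed for this example; hashing per block shows which region of the image has degraded rather than only that something changed.

```python
import hashlib
import io

def build_manifest(stream, block_size=1 << 20):
    """At acquisition: whole-image SHA-256 plus one SHA-256 per block."""
    whole, blocks = hashlib.sha256(), []
    while chunk := stream.read(block_size):
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return {"block_size": block_size,
            "image_sha256": whole.hexdigest(),
            "blocks": blocks}

def verify_image(stream, manifest):
    """Later fixity check: re-hash the stored copy and locate any damage."""
    size = manifest["block_size"]
    current = build_manifest(stream, size)
    old, new = manifest["blocks"], current["blocks"]
    # Blocks present in both copies whose content no longer matches.
    damaged = [i for i, (a, b) in enumerate(zip(old, new)) if a != b]
    # Blocks missing from (or appended to) the stored copy, e.g. truncation.
    damaged += range(min(len(old), len(new)), max(len(old), len(new)))
    return {"intact": current["image_sha256"] == manifest["image_sha256"],
            "damaged_blocks": damaged,
            "damaged_byte_ranges": [(i * size, (i + 1) * size - 1)
                                    for i in damaged]}

def demo():
    # Constructed 4096-byte stand-in for a disk image (not real evidence).
    image = bytes((i * 7 + i // 256) % 256 for i in range(4096))
    manifest = build_manifest(io.BytesIO(image), block_size=512)

    flipped = bytearray(image)
    flipped[1300] ^= 0x01          # simulate a single decayed bit
    truncated = image[:3000]       # simulate an unreadable tail

    return {"clean": verify_image(io.BytesIO(image), manifest),
            "bit_rot": verify_image(io.BytesIO(bytes(flipped)), manifest),
            "truncated": verify_image(io.BytesIO(truncated), manifest)}

if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The manifest has to be kept apart from the image it describes, so that one failing medium cannot take both.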