Digital Evidence: Investigatory Protocols

Download PDF
Tommy Umberg, Cherrie Warden
Publication Date
October 1, 2013
Publication Type
Working Paper
International Criminal Law, Investigations Program, Open Source Investigations, Technology


The purpose of this paper is to assist the Office of the Prosecutor (“OTP”) at the International Criminal Court (“ICC”) by discussing cyber investigation protocols that enable strategic mobilization and acquisition of digital evidence. This paper discusses cyber investigation protocols relevant to three types of digital evidence: data that is on a device; data that is not on a device or is accessible online; and data that is held privately by a service provider. The first section addresses how an investigator should acquire and authenticate physical devices that may have evidentiary value. The protocols demonstrate methods that reduce the risk of inadmissibility and manipulation. The second section addresses situations where the investigator obtains evidence independent of a physical device, for instance, a video that is posted on a publicly available website. Since this type of digital evidence is not forensically acquired, this section aims to help investigators determine its reliability. Additionally, this section explains how prosecutors might authenticate such evidence by corroboration or testimony. The third section turns to data held by service providers that is not available without their cooperation. This data may be acquired by a direct request from a prosecutor. For United States service providers, the U.S. Stored Communications Act (“SCA”) sets forth procedures for domestic law enforcement access to this data. It is silent on foreign law enforcement access. The Mutual Legal Assistance Treaties (“MLAT”) process addresses foreign law enforcement access to this data; however, this process is lengthy and may be subject to other legal requirements, such as dual criminality. Please note that protocols in all three sections are based on standards that reflect the current technological landscape and therefore should be updated when necessary. Furthermore, the basic procedures discussed here are derived from lengthy treatments of forensic analysis in source documents. In all three types of investigations, situational factors arise in which deviation from the protocols discussed is appropriate. Therefore, each investigation will need to employ specific procedures that are contextdependent.