Foreword
Digital imagery, and the audio frequently associated with it, is now an intrinsic part of everyday life and is a key enabling technology for the Police Service and public alike. With this in mind it was time to revise the Digital Imaging Procedure, first published in 2002 and last updated in 2007.
The aim of this latest version is to build on the successes of the original document and not only reflect current advances in technology, but also look to the future. The purpose of the procedure remains the same, that is to detail the processes involved in the proper capture and handling of digital data for police applications and to define best working practice. The target audience also remains broad, encompassing operational, administrative and judicial staff involved throughout all stages of the Criminal Justice System (CJS).
The key to the process is the creation of an identifiable, isolated and suitably stored Master reference copy at the earliest opportunity. The exact method of storage is unimportant provided it can be shown that the Master is unchanged from the moment of its definition. With current data trends and retention timescales the most suitable long term solution is a secure network environment.
This procedure enhances the integrity of proper evidential gathering processes whilst reducing the risk of malicious manipulation. Every effort has been made to keep the document as generic and technology neutral as possible, however specific technologies and processes are addressed as necessary and reference given to sources of more in-depth advice.
Digital imaging has enormous benefit for the swift and accurate outcome of investigations, particularly given the fuller use of network technologies. Whilst such technology has a price tag in terms of infrastructure and skilled technical support, this is an enabling document that allows for the adoption of suitable technologies as the opportunities present themselves.
We expect that operational implementation and court proceedings will continue to refine some of the procedures set out in this document, although the framework itself is considered robust and defensible, and has been widely adopted since its original publication in 2002.
The information contained in this procedure has been derived, developed and reviewed through wide ranging consultation with practitioners from the Police Service and related CJS organisations, as part of the NPCC national CCTV working group, and supports the SCC Codes of Practice. We commend it to forces and other organisations for adoption as current best practice.
The Digital Imaging and Multimedia Procedure is a guide for those practitioners within the Police and CJS who are involved with the capture, retrieval, storage or use of evidential digital images, and associated audio and metadata, either generated by the police themselves or recovered from witnesses under the CPIA (Criminal Procedure and Investigations Act 1996).
When applied to equipment seized under PACE (Police and Criminal Evidence Act), further safeguards may be required.
It is focused around a flowchart that guides the reader through the process from the initial preparation and capture of images, through the transfer and designation of Master and Working Copies, to the presentation in court and finally the retention and disposal of exhibits.
Supporting notes are provided for each step in the flowchart. For the purposes of this document the term image can be used interchangeably for either still images or moving image sequences.
This version (v3.0) of the Procedure maintains the overall structure of the preceding editions, but has been updated in 3 key respects.
Firstly, it is recognised that there is now a broader range of technologies available for the capture and storage of digital imagery, which frequently has associated audio and metadata. Hence the broadening of the document title to explicitly include the term multimedia.
Secondly, it is recognised that the police increasingly realise the benefits of storing Master and Working Copy data on a secure server, instead of physical WORM (Write Once Read Many) media such as CDs and DVDs. This secure server environment is often configured as a DEMS (Digital Evidence Management System) or DAMS (Digital Asset Management System). Both server storage and a move away from physical exhibits brings many advantages but also raises questions around integrity and tampering. This concept of the evidence being separable from the media and steps to preserve its integrity and authenticity are addressed in this document.
Thirdly this document also reflects the changes in data protection legislation, Protection of Freedoms Act and other relevant codes since the previous version.
This procedure should be read in conjunction with:
These documents provide further information on the roles and responsibilities of the police and the prosecution.
Also of relevance is the Control of Data section of the Forensic Science Regulators Codes of Practice (Section 23 in Issue 5, plus subsequent amendment Notice 02/2020).
The bulk of this document comprises notes that should be read in conjunction with the flowchart. However, there are several issues that are not covered within the Procedure itself. These are introduced and discussed briefly in this section to answer some frequently asked questions about digital image evidence.
Evidence, in terms of still or moving image data, and/or related audio data, and associated metadata is the presentation of facts about the crime or an individual that the prosecution presents to the court in support of their case. The image data could be presented either as hard copy or on a screen, with or without audio. The evidence is not normally all the data contained on the recording device but a sub-section of it. For these reasons the term image file refers to an image or video stored electronically, not a forensic disk image of a drive or folder.
As it is possible to make a bit-for-bit identical copy of digital image data, in evidential terms there is no distinction between the copy and the primary or original data because the data are the same and have the same evidential weight. It is not important whether the data is on a stand-alone or networked computer, a server, or on any type of storage medium. This assumes the operation of adequate security against unauthorised and unrecorded access, with appropriate traceability.
The core principle of this document is that there is a definitive copy of the data (Master Copy), that is documented, sealed and stored according to established procedures and can be examined by a court if required, to confirm the authenticity of the evidence relied on in proceedings. The Master may be stored as a physical item or purely in digital form. In either case the principle stated above and the conditions below apply. If no discipline is applied there can be any number of identical files. For evidential purposes it is essential to be able to demonstrate that the images are authentic and are a true representation of the data captured in the originating device and recorded to the first medium.
The Master must be:
Force policies should be developed to cater for these requirements.
Furthermore the Master files should be in the same format as:
Where a DEM or DAM system compresses or transcodes files on ingest, this would preclude its use for Master storage.
The Master should be designated at the point at which the data is under police control and has been stored according to the conditions described above. This may be on physical media but is increasingly likely to be some form of networked storage. There is no requirement for the Master to be on physical media if these conditions have been met.
There may be intermediate steps between the initial capture and the designation of the Master Copy, involving for example transmission or the use of a transfer medium (see Section 4, Transfer and transmission).
There must be an accompanying audit trail showing its provenance (see Section 2). Audit trails can be written, electronic or a combination of both and may incorporate information automatically generated by the hardware or software used to store or process the data. Electronic audit trails if available can augment or replace the written audit trails.
Digital image and audio data is stored in a vast array of different formats and variants of formats of varying quality levels. Some lower resolution digital images displayed on a computer screen or as hard copy might not appear very lifelike but then neither do many simulations.
The important and overriding factor is that the content of the image should be fit for purpose and that the quality is adequate. To this end for reproduction and viewing the use of desktop printers for hard copies of stills and low resolution video footage should not be ruled out. It is not always necessary or feasible to produce the highest quality images to demonstrate the facts required for evidence. However any known reduction in quality should be disclosed and audited in order for the court to assess evidential weight.
Any consideration of whether an image is fit for purpose should fully take into account the uses to which it may be put, in particular whether it is likely to be subject to forensic analysis, in which case the highest quality native format should be available, with any associated metadata.
Image and audio capture devices use a multitude of complex processing techniques to combine the signals received into a representation of the event. These representations are admissible as evidence and the digital storage of them does not alter that.
There are various compression algorithms used to reduce the amount of data in a file to cut both storage capacity and transmission bandwidth requirements. All compression algorithms remove data from the file and some are more effective than others at reconstruction of the data for replay. Generally, the greater the compression ratio, the more seriously affected is the replay.
If image or associated audio data is being presented as evidence and illustrates the facts of the offence then it is evidentially irrelevant whether the data has been compressed or not. What is important is the content of the data should be fit for purpose and that the quality is adequate. It should be noted that various transmission methods used throughout the capture, retrieval and replay chain may adversely affect the quality of the data and steps should be taken to mitigate this.
Some compression algorithms are more suitable for fast movement, some for talking heads scenarios. The compression can produce some artefacts which may mask the information or contaminate it with movement, patterns, outlining, and so on. Where the capture, conversion or transmission is under police or CJS control the algorithm must be tested on typical scenes. The image quality must be agreed and performance tests carried out to ensure suitability.
Image processing cannot make up for inadequate data. Images should not be excluded because they are compressed and whilst there may be reasons to prefer some algorithms for reasons of quality, there is no reason to exclude any from evidential material.
Digital data files can have a variety of formats. The still camera industry is mostly using widely supported (or open) formats (TIFF, JPEG) although their highest resolution images are often in their own proprietary (raw) format. This may mean these latter images have to be downloaded in a proprietary software package. An open format allows for ease of incorporating images into publications, printing and transmitting to others, but will be a representation of the data held in the raw file. Generally raw files are read only with any changes either saved to an .XMP sidecar file or the processed result to another file format.
Currently digital handheld video cameras mainly record to Solid State memory (SD and its variants, CompactFlash, XQD, and so on.). The market seems to be stabilising around fewer formats, but faster read/write speeds and ever larger capacity are still the trends. Large amounts of video are now shot on mobile phones and stored on their internal drives, though some offer external storage options, including cloud storage.
The manufacturers of closed circuit television (CCTV) video recorders use a multitude of open, proprietary and mixed compression formats to meet the needs of massive amounts of data versus the cost of storage. Again the format is not relevant to the admission of the evidence, only that the quality is fit for purpose.
Many file formats record metadata along with the content, commonly time and date information but potentially many other fields that may be of value, if accurate. Metadata is often lost if files are converted between formats.
Server storage has many advantages particularly with regard to long term storage. The data can be migrated automatically and with no loss should a more effective media become available. Also server storage is more fault tolerant; failures within a RAID array can normally be rectified with no loss, ensuring that the data is accessible, as compared with a CD or DVD where once it has been noticed that the media has failed it is usually too late. Increasingly police services are deploying a DEM or DAM system that is capable of suitably storing Master evidence and providing output for court in an appropriate format.
Cloud based storage is a variation on server based storage, where the storage may be provided off-site by a third party, and has its own set of problems and advantages. These must be carefully considered and steps taken to mitigate perceived risks before this route is chosen. Cloud services may or may not be geographically located within the force area, and the implications of this need to be considered. For further information see the National Cyber Security Centres Cloud Security Principles. Also of relevance is the Control of Data section of the Forensic Science Regulators Codes of Practice (Section 23 in Issue 5, plus subsequent amendment Notice 02/2020, in particular paragraphs 23.3.30-31).
The use of a cloud or server system for secure storage of evidence should be accredited by the local force Information Security Officer, as per the Information Assurance section of the Information Management APP.
Care should be taken to ensure that the processing of personal data complies with UK data protection law. UK data protection legislation is designed to protect the rights and freedoms of individuals and is outlined in both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018). The Information Management APP incorporating MoPI (The Management of Police Information) provides further detail on how the DPA2018 applies to the processing of personal data for law enforcement purposes.
Forces should be aware that many of the safeguards employed in this procedure are the same safeguards that will allow them to comply with their obligations with under the DPA2018. Its also important to note that whilst many of the requirements of the GDPR will be relevant, the provisions for processing personal data for purposes of law enforcement are set out in section 3 of the DPA2018.
The following data protection principles (described in part 3, chapter 2 of DPA2018) are most relevant when handling digital images and evidence:
It should be noted that the requirements of Principle 5 (Retention) must be harmonised with the retention requirements in the CPIA and Information Management APP.
The Protection of Freedoms Act 2012 require the police to pay due regard to the Home Secretarys Surveillance Camera Code of Practice. Failure to do so is admissible in criminal and civil proceedings and the Crown Prosecution Service Disclosure Manual reflects this. The focus of the Code is on the operation of surveillance cameras however parts are relevant here, in particular:
These elements of the procedure include the preparatory steps before images are captured. This may be directly before the images are taken, or at an earlier stage or date where work can be anticipated. The steps identify the importance of:
Such checks will avoid the reputational damage of failure and/or challenges about conformance with an accepted procedure. Digital image capture systems may increasingly be used by non-specialists in operational situations and locations so adherence to an established procedure will assist in safeguarding those captured images.
This instruction applies to all image capturers, who by virtue of their role or position within the Police Service are empowered to capture images for the purposes of their particular work, where trained or deemed competent. Specific roles and responsibilities, for example for a Scenes of Crime Officer or a Collision Investigator, will be written into their job descriptions, training and instructions together with any verbal instructions. Obtaining authority is not necessarily required for each separate operational task.
However, Police Forces need to be aware that authorisations do need to be in place before data is taken, for example authorisation to permit images to be taken where Directed Surveillance is requested under the Regulation of Investigatory Powers Act 2000. That authority must be obtained and recorded within the audit trail of the operation. Further restrictions and/or authorities may result from Data Protection legislation. It is the responsibility of the person obtaining the data to ensure all required permissions are obtained and that all legislation is adhered to.
At this point the first 3 principles of the DPA 2018 Part 3 Chapter 2 are particularly relevant. In summary:
One of the fundamental requirements of digital imaging is the need to safeguard the integrity of images; part of this process involves an audit trail being started at the earliest stage. This may be as a written audit trail, and/or incorporate an auto-generated electronic audit trail mapping the movement and changes of files on computers. When relating to third party images, the audit trail should begin at, and detail, the point of transfer.
This Procedure relies on the written audit of activities. The audit trail should include the following information (with date and time of action) when available and if appropriate:
The practices may not be familiar where imaging is a new feature of the work and it may be worthwhile to consult the Forensic Support Manager or equivalent adviser.
The correct operation of any equipment is essential to gathering evidence.
In particular it is suggested that checks are made to ensure that:
It is essential that time and date settings are correct, any inconsistencies should be documented and the equipment monitored to ensure that further drift of these settings does not occur.
This list is not definitive and detailed information should be obtained from the equipment manuals.
Specific advice relating to re-using USB thumb drives is given later in this document.
These steps cover the capture of still or video images onto the chosen medium with due regard for the image quality and integrity of the images.
This section should be read in conjunction with the Protocol between the Police Service and the Crown Prosecution Service (CPS) on dealing with third party material, which provides further information on the roles and responsibilities of the police and the prosecution.
The Procedure diagram should be used to establish the point of transfer at which the responsibility for the handling of third party images transfers to the police. That point of transfer will depend on the nature of images being transferred, the recording format and equipment used by the third party. At whatever stage this point of transfer occurs the police audit trail must start.
Continuity of image handling should be demonstrated throughout by ensuring that the police audit trail links directly to any audit trail that is available from the third party.
Some imagery may have little or no provenance, for example images uploaded to the police website by members of the public in response to an appeal. This imagery must be treated with caution until its authenticity and integrity can be verified.
Town centre CCTV cameras, for example, should follow established and standardised procedures and comply with the Surveillance Camera Commissioners Code of Practice. These systems should allow the police to;
Whichever still or video camera or format of medium is chosen for the capture and initial storage of images, effective means must be available for transferring the images to the computer system where they are to be used and possibly archived.
It is becoming increasingly common for the police to be granted remote access to systems either on a permanent or ad hoc basis. However, care must be taken to ensure all data protection legislation is adhered to and proper safeguards and necessary authorisations are in place before this facility is utilised.
Service Level Agreements (SLAs) should be in place between the police and local authorities to govern access to town centre systems. Live access to a town centre system may enable a level of surveillance of an individual that would require a Directed Surveillance Authority (DSA) under the Regulation of Investigatory Powers Act 2000. Data Protection legislation would be contravened by retrieving more information from a system than was necessary and agreed with the owner (DPA principle 3).
The image quality setting should be selected appropriate to the operational requirements rather than to minimise the storage capacity. Operators should anticipate their requirements and have sufficient empty storage media available.
Selective capture involves the switching on and off of recording devices and should not be confused with other editing processes.
Still images can be captured on many different types of camera using a multitude of memory storage devices/memory cards. The manufacturers manual should be referred to for instructions on correct use of this equipment.
There are several technologies for capturing video images digitally. Each is illustrated in the Procedure:
Because of the high data rates associated with digital video, the image data is usually compressed in order to:
Where image sequence(s) have come from a non-removable medium the Working Copy or copies could be made:
One crucial aspect of the Procedure is that none of the images obtained for the purposes of an investigation should be deleted without authority. This does not apply to images on a transfer medium which may be deleted once a Master Copy has been verified on more suitable storage.
Any deletion of images, intentionally or accidentally, may be the subject of a challenge or legal debate during any prosecution.
Where such authority is given, deletions must be recorded in the audit trail and be subject to the requirements of the CPIA Code of Practice and Disclosure Manual.
In CCTV systems, video is recorded directly to an HDD, which is often designed to over-record automatically after a set period. Before this happens some or all of the images may be protected on the HDD preventing them from being overwritten.
In the simplest case, images will be transferred directly from the source to create the Master (for example, copied from HDD to WORM). However, in some instances the images will be transmitted across a network or physically moved via an interim transfer medium. This may occur either at the point of capture (such as IP CCTV cameras) or during transfer from the initial storage medium to the Master.
The security, stability and longevity characteristics of different transmission methods should be considered and where necessary documented in the audit trail. This particularly applies to wireless transmission methods that may be susceptible to interception or unauthorised access, or transport media such as flash media that is prone to loss. This should also be considered when using wired network transmission, particularly if the internet forms any part of the network transmission.
The Master should be designated at the point a verified copy of the imagery reaches the optimum storage medium available, even if earlier stages are via media that is suitable to be designated as Master, for example if data were transferred via DVD to a secure server the Master would be designated on the server and the DVD could be destroyed. Figure 1, below, gives a graphical representation of this process.
Comprehensive audit trails are required in order to document the processes shown in Figure 1. In particular any transfer media must be uniquely identifiable, and suitable checks and verification carried out to ensure data integrity when transferring from the transfer media to permanent storage. These checks should be carried out at each transfer stage after the initial retrieval. A comparison of hash values such as MD5 or SHA-1 is an example of such checks.
The flow chart illustrates 2 paths for multimedia evidence, server based storage and traditional physical storage of master evidence. For both these routes the process is further separated into transfer to the long term storage media and transfer from it, either for further analysis or court replay.
Taking server based systems first, 2 paths are illustrated from the originating system to the server. In the first instance evidence is uploaded directly from the originating system to the server. In this case then there must be checks and verification between the originating system and the server in order to ensure the integrity of the data. In the second example the transfer is via an intermediate stage that may be physical (DVD, USB, and so on) or virtual such an upload portal. In this instance then at the very least there should be checks and validation between the intermediate stage and the server storage.
In the final step of this path, if the evidence is being exported for further analysis or processing, then there must be checks and verification to ensure the exported file is an exact copy of the ingested file. If the evidence is exported in an altered format for court replay for example then this must be suitably noted in the audit trail and reflected the file name and or accompanying documentation.
With storage of the master evidence on physical media, again there are 2 routes. If the originating system exported to a suitable storage medium (such as optical disc) then that could be immediately stored as the master and no further processing need be considered aside from ensuring that the transfer was successful. If however the orignating system does not export to suitable long term storage then the data must be transferred to suitable media with checks and verification done to ensure the integrity of the transferred file.
As with the final step above, if the evidence is being exported for further analysis or processing, then there must be checks and verification to ensure the exported file is an exact copy of the ingested file. If the evidence is exported in an altered format for court replay for example then this must be suitably noted in the audit trail and reflected the file name and or accompanying documentation.
This diagram illustrates how these checks could work in practice. It shows 4 stages in the path through the system:
In this instance working exhibit is used to denote a file that will undergo further processing or analysis. The diagram recommends that between each stage the file integrity is checked using a suitable method such as determining the hash value of the file at each stage. Thus hash 1 would be calculated for the file on the transfer media, hash 2 would be calculated for the file on the master storage media and hash 3 would be calculated for the file when it is exported for further processing or analysis. Verifying that all 3 hash values are the same then verifies that the file exported for further processing or analysis is identical to the file exported from the originating system.
Images on reusable media should be copied from the original storage medium in the original file format onto secure media. This secure media could be WORM or secure network storage.
The generation of the secure copy should be carried out as soon as possible after the capture to reduce the time and opportunity for the accidental or malicious alteration to images.
All imagery Master or Working Copies should be appropriately identified in order to facilitate the storage, retrieval and eventual disposal of case material. In terms of evidential value there is no difference between bit-for-bit copies of the data on the Master, Working Copies and the images on the storage medium. This does not remove the necessity to protect the Master as an exhibit in case of challenges to evidence handling procedures or image manipulation. It is suggested that the before and after hash value (MD5 or SHA-1) of a file is created, recorded and compared at any time it is transferred between media.
The correct software required for viewing proprietary formats must be available otherwise the images will be inaccessible. It is advisable to store any replay software with each recording to assist with the correct viewing of the files.
The choice of using network storage or WORM media is a matter for force policy and should be guided by factors such as volume of data, predicted storage time and longevity of WORM media. Master evidence not stored on WORM requires equivalent levels of protection such as access control and tamper proof usage logs. Appropriate measures also need to be taken when the data has to be retained on a storage medium that is not WORM and cant be write protected, for example drives from a CCTV recorder, or complete CCTV recording units.
Non-reusable removable medium technology includes CDs, DVDs, Blu-ray and so on. They represent the theoretical ideal in that once closed the recording on the disk cannot be altered. However, optical discs are prone to damage that can make them unreadable and they do degenerate over time. In addition the computer industry is moving away from optical disc storage which places it at risk of becoming a redundant technology. For these reasons a DEMS or DAMS would be a better long term repository for Master evidence. If the Master is stored on such a system then the optical disc would be considered a transfer medium and could be destroyed (once a verified copy is on the DEMS/DAMS).
The WORM medium must be closed to prevent any of the image data files being subsequently changed and further data written to the disk. Optical disks (CD-R, DVDR) must be finalised or closed in the camera or CD-writer before the disk is removed otherwise the images may not be viewable on a computer.
Read more here:
Digital Imaging and Multimedia Procedure v3.0 - GOV.UK