Investigators are well aware of the requirements regarding physical evidence management to ensure proper chain of custody, but the requirements surrounding digital evidence are more elusive.

While the number of digital evidence sources per case continues to grow, running defensible investigations requires new best practices specific to digital evidence management. Criminals will continue to leverage modern technology to make their illicit activities more convenient while law enforcement, and similar investigative entities, must respond in kind.

There are three key trends that affect an agency’s ability to serve its community effectively and efficiently, and fight crime in today’s environment:

1: Increase in Case Backlogs

Staffing shortages and budget cuts in policing have made it difficult for investigators to manage caseloads. The pandemic has also taken a toll on staffing with many detectives being reassigned to back-fill vacant patrol positions, with remaining investigators facing the unenviable choice of which cases to investigate and which to close.

Multi-Device backlog. Source: Shutterstock

This lack of manpower has led to massive case backlogs and a frustrated public. But the issue in case backlogs doesn’t stop at the detective level; digital forensic units are also feeling the squeeze.

Caseloads for digital forensic units vary depending on the proportion of digital evidence per case, device size, and data set to sift through. And with the number of devices per case growing, backlogs of devices waiting for examination are also growing. Recent research[1], for example, has shown that police forces in the UK have more than 20,000 digital devices waiting to be examined, raising fears over the impact on the entire criminal justice system

This leads us to a striking irony that exists today in the typical digital evidence workflow. Highly technical approaches are used to obtain the acquisitions, often from locked devices, but a decidedly lower-tech route is used for storage, sharing, and review. Examiners will load the evidence onto external media and transfer it to a storage shelf awaiting pickup by the investigation team. The clock is still ticking, and action based on this evidence is delayed. Multiple copies will undoubtedly be required to accommodate collaboration and discovery processes. This represents an avoidable inefficiency at best and can quickly lead to an unacceptable risk when the chain of custody is broken.

Cloud-based solutions can help investigators take control of investigative management by expediting processing time and speeding up the evidence submission process.

2: Operational and Retention Policies are Outdated  

Technology and the surrounding evidentiary requirements are changing rapidly, but these advancements are rarely updated in policy and procedures. Outdated policies can leave investigators open to chain-of-custody claims by defense attorneys or lead to possible civil rules-of-evidence violations against the police department. Nothing you do in the investigation matters if the evidence is deemed inadmissible by a court.

Adding additional stress, law enforcement agencies are now seeing that external media may not be up to the task of long-term storage. Portable flash memory devices, known as “thumb drives,” were designed for the temporary transfer of files from one point to another; not as an archiving solution. Long-term testing and real-world results are showing the eventuality that digital evidence will be lost due to the failure of the storage media.

Digital evidence retention is no different than its physical evidence counterpart. If digital evidence is used to prosecute a homicide or a sexual assault, that evidence may need to be held for decades, but storage devices such as CDs, DVDs, and thumb drives cannot physically guarantee safe storage and accessibility of evidence for this long. Operational and retention policies and procedures therefore need to include alternative cloud-based storage solutions, with their superior durability, not just hardware solutions prone to single-point failure. Digital evidence is now equally as important as a murder weapon.

3: Investigations are Multi-Jurisdictional

Investigative work is teamwork. Criminal activity transcends geographical limits, with many criminal organizations committing crimes throughout multiple jurisdictions. As a result, it is now common to see multiple agencies working together on the same case or forming multi-jurisdictional task forces to combat specific crimes.

Data Analysis. Source: Shutterstock

Regardless of agency size, investigators work with many divisions including other investigative units, patrol officers, crime lab investigators, crime scene technicians, evidence personnel, and local and state prosecutors.

Timely and efficient collaboration is key to a successful criminal investigation, and cloud-based solutions can make collaboration simpler and faster, as well as more streamlined and secure.

An Unsustainable Situation

Investigators and leadership must continually evaluate their compliance with policy as well as court orders. Securing the public trust means running ethical and defensible investigations. At the core of this requirement is compliance with and transparency of standard operating policies and procedures (SOP) modeled after best practices.

Here are a few questions to begin the journey. Is the status quo facilitating efficient and effective investigations and prosecutions? Are we enabling the opportunity for mishandled copies to result in revictimization? Can we be sure we are complying with destruction requirements when we’re uncertain as to the number of working copies created? Is our current storage strategy durable enough to match our evidence retention requirements?

When we combine these key questions with the larger trends mentioned above to form the bigger picture, the conclusion is undeniable: investigation strategies need to change. Law enforcement leaders know that convictions rely heavily on inter- and intra-agency collaboration to maximize efficiency. The only way to do this successfully is to start utilizing cloud-based solutions.

Private Sector Innovation Leads the Way for Public Sector Success

Many private sector companies have mastered collaboration and project management out of necessity because their employees, vendors, and clients are worldwide. Law enforcement can therefore use the best practices and tools from the private sector to become more effective within their investigative workflow. SaaS (software as a service)-based solutions provide the quickest and easiest ways to collaborate and manage projects, regardless of location.

Advances in computer networking, more reliable data storage, and faster computer processing speeds have made cloud-based solutions the preferred method for companies, and now the preferred method for many government agencies. A SaaS-based solution for managing your investigations means all stakeholders can access evidence securely anywhere, anytime, and on any device with an internet connection. The vendor is the one to push out updates, maintain the software, and keep the systems secure so that the agency can focus on what matters—resolving their investigations.

Cellebrite, the industry’s leading Digital Intelligence solutions provider, recently launched their own cloud-based investigation and evidence management system – Cellebrite Guardian. In a case study, Guardian was shown to provide a mid-sized US agency with over five times faster time to evidence and 50% reductions in expenditure. These savings in time and money can help agencies allocate limited resources more effectively while reducing case backlogs for detectives.

Cellebrite Guardian is a unique Investigation & Evidence Management Solution that spans the entire investigation. This enables strong collaboration by streamlining investigator and examiner processes from the very beginning of the investigative workflow and allows evidence to be submitted, assigned, tracked, and reviewed all from just a browser. The lead investigative agency can upload and analyze the digital evidence, then instantly share it with those involved in the investigation with just a few clicks of a mouse. These efficiencies ultimately help reduce case backlogs and increase case resolution.

Addressing Concerns around Cloud-based solutions

Cloud-based solutions are now widely accepted as the safest and most secure ways to store data – especially when you consider the risk of data loss with current physical storage methods. This is why many agencies are switching. The provider handles the security patches, penetration tests, and monitors any potential threats. Many providers even have dedicated network and security operators who perform continuous testing.

How to Choose a Cloud-Based Solution Provider

Security is paramount for those seeking cloud-based solutions, which is why it is critical to identify industry-leading providers with a proven track record in the law enforcement arena.

You will undoubtedly be looking for data encryption and multi-factor authentication to ensure evidentiary integrity. You should also be thinking about compliance frameworks, including ISO 27001 and SOC2, to help guarantee a particular solution can withstand demanding situations.

Your provider must understand the threat landscape and be equipped to respond and manage security incidents. As a law enforcement agency, be sure to ask questions about tenant segregation, isolation, and their web security monitoring capabilities.

Finally, determine where your data will be stored, if there are any regulatory issues with the storage location, and how you can retrieve it if necessary. While doing so, remember that all cloud hosting services are not the same. Amazon Web Services (AWS), for example, offers GovCloud for added security and adherence to compliance frameworks for both private and public sectors.


The amount of digital evidence is growing, technology continues to advance, and compliance with digital evidence best practices is increasingly difficult. There is no crime today that doesn’t include some type of digital evidence. Using outdated technology like flash drives, CDs, and DVDs to store digital evidence physically, instead of digitally in cloud-based solutions, can put your agency at risk. Law enforcement leaders need to act now to manage digital evidence for the future.

Learn more about how Cellebrite Guardian can help your team, here.

About the Author: Ryan Parthemore joined Cellebrite as a SaaS evangelist following his extended tenure in law enforcement. A veteran in the industry, Ryan has over 20 years of experience as a patrol officer, detective, and technical lead in a government digital forensics laboratory. During his time in law enforcement, Ryan completed hundreds of hours of training in digital forensics, performed thousands of digital forensics examinations, represented his unit through ANAB ISO 17025 accreditation, and testified as an expert witness in state and federal court. Ryan moved to Cellebrite to utilize his expertise in helping others in law enforcement find more effective ways to resolve cases.

[1] Channel 4 News investigation, Feb 2022

Share this post