Law enforcement entities collect and process digital evidence in the course of conducting investigations. However, previously examined digital evidence may not be identified by investigators as relevant to an ongoing investigation. This project pursues the development of a solution that will demonstrate that digital content relevant to a current investigation is present on previously acquired digital media to provide the basis for re-examining such media, without re-examining previously acquired digital evidence.
The proposed solution allows agents in the field and at regional centers to quickly establish that previously collected evidence may contain evidence relevant to a new, on-going investigation. The proposed solution includes a primary repository of evidence hashes (not actual evidence), and a lightweight field deployable component. The field component provides remote users the ability to quickly and locally establish that relevant evidence likely exists in the organization’s store of previously collected evidence, but the field component does not query any previously collected evidence and does not initially generate any queries back to the primary repository of evidence hashes. Any matches are verified with the primary hash repository, assessed, and returned to the investigator for consideration of additional action.
The impact to the HSE, and specifically the CCC and digital forensic investigators, is that they will have access to a more complete set of relevant evidence, resulting in more effective investigations and prosecutions. Digital Media Sector Hashing for Evidence Correlation
- Project Fact Sheet
Law enforcement entities collect and process digital evidence in the course of conducting investigations. However, previously examined digital evidence may not be identified by investigators as relevant to an ongoing investigation. This project pursues the development of a solution that will demonstrate that digital content relevant to a current investigation is present on previously acquired digital media to provide the basis for re-examining such media, without re-examining previously acquired digital evidence.
The proposed solution allows agents in the field and at regional centers to quickly establish that previously collected evidence may contain evidence relevant to a new, on-going investigation. The proposed solution includes a primary repository of evidence hashes (not actual evidence), and a lightweight field deployable component. The field component provides remote users the ability to quickly and locally establish that relevant evidence likely exists in the organization’s store of previously collected evidence, but the field component does not query any previously collected evidence and does not initially generate any queries back to the primary repository of evidence hashes. Any matches are verified with the primary hash repository, assessed, and returned to the investigator for consideration of additional action.
The impact to the HSE, and specifically the CCC and digital forensic investigators, is that they will have access to a more complete set of relevant evidence, resulting in more effective investigations and prosecutions.