In this article

Introduction

Concept

Chain of Custody - Evidence

Evidence Handling

Evidence Access

Evidence Analysis

Chain of Custody - Case

Case Management

Case Assignment 

Log Filtration for Custom Reporting

Export Audit Reports 

Read Next


Introduction

Given how volatile and vulnerable the integrity of digital evidence is, it is imperative to take extra cybersecurity measures to eliminate any chance of data loss and to minimize the ways in which the digital forensics process can be misdirected. VIDIZMO defines protocols to verify that evidence remains uncontaminated, and it also keeps a detailed log that allows authorities to track and monitor the activities taking place on digital evidence.


In the VIDIZMO Digital Evidence Management System, a Chain of Custody report is generated to record the life of a piece of digital evidence from its acquisition and ingestion into the system to its secure disposition. The report is a formal collection of security-oriented chronological records that provide documented proof of the trail of activities carried out within your portal, or specifically on an evidence or a case.


Well-monitored audit trails are key indicators of the uncompromising supervisory controls that a Law Enforcement Agency is mandated to employ in order to meet legal security requirements. Audit trails help accomplish several security-oriented objectives, including individual accountability, reconstruction of the events that took place on a specific case or evidence, tamper detection and reliable transfer of custody.


Concept

Keeping in view the stringent nature of the audit trail requirements coupled with the growing complexity and volume of data collected as proof for investigation and prosecution purposes, VIDIZMO ensures that every activity performed during the process of digital forensics within the system is logged and monitored in a manner that helps investigative officers answer grave questions like: 

  1. Which officers have been held responsible for a case, and for what timeline in the investigative process? 
  2. When was a clip created of a video-based evidence and by whom? 
  3. Have the copies of digital evidence ingested within the system been contaminated?
  4. Who allowed an evidence to be downloaded and when did this significant change take place?
  5. As a result, how many users were able to download the evidence?

Similarly, many other such interrogations can be readily taken care of using VIDIZMO's detailed audit trails.


The reports allow you to go through the audit trails to detect unauthorized activity on a digital evidence or case, and to analyze records with detailed information such as:

  • The User (name) who carried out the activity
  • The Email Address of the user
  • IP Address using which the activity was performed
  • Local Date and Time at which the activity took place
  • The Event that was registered, which readily conveys the seriousness of the matter, such as "Evidence Clipped"
  • The complete log of Changes that took place within that event, such as which folder an evidence was relocated to: "Evidence has been moved from Forgery to Extortion."


Chain of Custody - Evidence

Evidence is an integral component of an investigation, on which a law enforcement agency bases its further proceedings. VIDIZMO enables agencies and organizations to keep track of a wide range of activities on an evidence in order to maintain an unmistakable report of its Chain of Custody. The registered events are grouped as follows:


Evidence Handling

  • Evidence Record Created: This event logs the following details when a digital evidence is ingested into the system:
    • Title
    • Author Name
    • Description
    • Tags associated with the evidence
    • Category/Folder in which the evidence was placed
    • Thumbnail modified
    • Default Viewing Access
    • Password Protection
    • Permission to Download, Share, Comment
    • Publish Status that can either take values: 
      • Published
      • Drafted
      • Pending for Approval
      • Rejected
    • Tamper Status after running verification process on an evidence

  • Evidence Updated: This event is logged whenever properties of digital evidence are modified, which include all above events:
    • Changeset is maintained about updates made to the above information e.g. Title changed from "ABC" to "DEF".

  • Evidence Downloaded: This activity is registered when a digital evidence is downloaded from the portal:
    • Changes further detail which rendition has been downloaded.

  • Evidence Reuploaded: This is logged when an evidence is re-uploaded into the system, replacing the old one.

  • Evidence Clipped: This is logged when an evidence is clipped in the system to make further copies of its segments.

  • Evidence Deleted: This event is registered when an evidence is deleted from the portal and disposed of into the Recycle Bin.

  • Evidence Restored: When an evidence is restored from the Recycle Bin, this event is logged.

  • Start Copy Evidence: This event is logged when digital evidence(s) is copied from one portal to another.


Evidence Access

  • Access Rights Assigned: This event is logged whenever access to an evidence is granted, either internally or externally. Learn more about assigning licenses to internal as well as external users here: How to Share Media with Internal/External Users and Groups. The following information is logged as details of the changes:
    • Users/Groups to whom the access has been provided or the Email Address of the external users to whom access has been provided.
    • Allowed number of views (if any)
    • The duration (number of days) for which access has been granted.

  • Access Rights Updated: This event is logged when already-assigned licenses are edited or altered:
    • Updated Users/Groups
    • Updated number of allowed views
    • Updated duration for which access has been granted.

  • Access Rights Revoked: This event is logged whenever an already-assigned license is deleted.

  • Shared Link via Mail: This event is recorded when the link of a digital evidence is shared with an email address for quick reference. The user can access the evidence via the URL only if they have the right to view it, not otherwise.


Evidence Analysis

  • Evidence Viewed: This is logged when an evidence is analyzed via our inspection page.

  • Evidence Updated: This event is logged whenever properties of digital evidence are modified, which include all above events:
    • Annotations added or deleted in the evidence
    • Handouts or attachments added, deleted within a video evidence
    • When was Content Tamper Verification process run and its result

  • Added Evidence in my Quick Access: This event is logged when an evidence is bookmarked by an officer for quick access.

  • Content Tamper Verification Process: Whenever the process of tamper verification is run on an evidence, this event is logged.

  • Notes Added: This event is logged whenever any discussion notes are initiated upon the subject matter of the evidence in question:
    • Changeset maintains the body of the text that was added as discussion note.

  • Notes Deleted: Whenever discussion notes are deleted from a digital evidence this event is logged in the reports:
    • Changeset maintains the body of the text that was deleted.

  • Notes Updated: Upon updates to any existing discussion notes against an evidence, this event is logged:
    • Changeset includes previous as well as new comment


Chain of Custody - Case

A Case is a secure repository of digital evidence logically grouped together to ease the investigative process within law enforcement organizations. VIDIZMO enables agencies to monitor not only the chain of assignment of a case to relevant investigative officers (access rights) but also other crucial details, like the removal of an evidence from within it and whether it has been moved from one departmental folder to another.


Case Management

  • Case Record Created
    • Title
    • Author Name
    • Description
    • Tags
    • Category/Folder
    • Thumbnail
    • Default Viewing Access
    • Limited Sharing License Assignment
      • User to/from whom the access has been given/revoked
      • Allowed number of views
      • The duration (number of days) after which the license shall expire.
    • Password Protection
    • Permission to Share
    • Publish Status that can either take values: 
      • Published
      • Drafted
    • Evidence added in the Case [this is applicable only when multiple evidence are selected and added to a new Case in the Portal]

  • Case Updated: This event is logged whenever properties of digital evidence are modified, which include all above events:
    • Changeset is maintained about updates made to the above information e.g. Title changed from "ABC" to "DEF".
    • Which Evidence were added, removed from the Case

  • Added Case in my Quick Access: This event is logged when a case is bookmarked for quick access.

  • Case Deleted: This is logged when a case is deleted, only to be archived in the Recycle Bin.

  • Case Restored: This is registered when a case is restored from Recycle Bin back into the Library or in drafts (if it were there at the time of deletion).


Case Assignment

  • Access Rights Assigned: This event is logged whenever access to an evidence is granted, either internally or externally. Learn more about assigning licenses to internal as well as external users here: How to Share Media with Internal/External Users and Groups. The following information is logged as details of the changes:
    • Users/Groups to whom the access has been provided or the Email Address of the external users to whom access has been provided.
    • Allowed number of views (if any)
    • The duration (number of days) for which access has been granted.

  • Access Rights Updated: This event is logged when already-assigned licenses are edited or altered:
    • Updated Users/Groups
    • Updated number of allowed views
    • Updated duration for which access has been granted.

  • Access Rights Revoked: This event is logged whenever an already-assigned license is deleted.

  • Shared Link via Mail: This event is recorded when the link of a case is shared with an email address for quick reference. The user can access the case via the URL only if they have the right to view it, not otherwise.


Log Filtration for Custom Reporting

VIDIZMO's advanced filtering allows customer organizations to generate tailored reports that cater to their agency policies and organizational rules. Below are some of the filters you may use to construct a custom report that presents a structured list of related audit logs:

  • Date Range - specifying a From and a To
  • Event - choosing any event from the list above, you may filter the report on those events to monitor the activities corresponding to them
  • User's name
  • User's Email Address
  • IP Address


Here are some custom reports that may be generated using rich filters within the Case and Evidence Audit Logs:

  • All records of Evidence Clipped by a certain User
  • All records of Content Tamper Verification run within a certain Date range
  • All records of Access Rights Assigned to a particular Email Address


Export Audit Reports

After you tailor audit records to meet the needs of your organization, you may use our enhanced custom export option to extract the data either as a CSV for further analysis and mining, or as a well-formatted PDF report that can then be demonstrated to relevant stakeholders and presented to higher official authorities as proof of the trail of activities on a digital evidence.


If you have filtered the records based on investigative criteria, you can easily export the same custom report.


Note: If you have more audit logs than the default number of records displayed per page, make sure to select All if you wish to download a report of all records against the evidence.
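
For the "further analysis" of a CSV export mentioned above, the following is an added example (not VIDIZMO code) that re-applies the report filters offline, lists who downloaded an evidence and how often, and flags events from IP addresses outside a trusted range. The column names, timestamp format, sample rows and the 10.0.0.0/8 agency range are assumptions constructed for illustration.

```python
import csv, io, ipaddress
from datetime import datetime
# Constructed sample export; column names are assumptions modelled on the report fields.
SAMPLE_CSV = """User,Email Address,IP Address,Date and Time,Event,Changes
A. Khan,akhan@agency.example,10.0.4.17,2023-03-01 09:20:02,Content Tamper Verification Process,Result: Not Tampered
B. Ortiz,bortiz@agency.example,10.0.7.52,2023-03-02 14:03:10,Evidence Clipped,Clip created
B. Ortiz,bortiz@agency.example,10.0.7.52,2023-03-02 14:30:00,Evidence Downloaded,Rendition: Original
C. Lee,clee@agency.example,203.0.113.9,2023-03-05 22:41:31,Evidence Downloaded,Rendition: 720p
B. Ortiz,bortiz@agency.example,10.0.7.52,2023-03-06 08:00:00,Evidence Downloaded,Rendition: Original
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout

def load_audit(text):
    """Parse the export and return rows in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["Date and Time"], TS_FORMAT)
    return sorted(rows, key=lambda r: r["when"])

def filter_audit(rows, event=None, user=None, email=None, ip=None, start=None, end=None):
    """Apply the report's filters: event, user, email, IP, inclusive date range."""
    def keep(r):
        return ((event is None or r["Event"] == event)
                and (user is None or r["User"] == user)
                and (email is None or r["Email Address"].lower() == email.lower())
                and (ip is None or r["IP Address"] == ip)
                and (start is None or r["when"] >= start)
                and (end is None or r["when"] <= end))
    return [r for r in rows if keep(r)]

def downloaders(rows):
    """Map each email to its download timestamps (who downloaded, and how many users)."""
    result = {}
    for r in filter_audit(rows, event="Evidence Downloaded"):
        result.setdefault(r["Email Address"].lower(), []).append(r["when"])
    return result

def outside_networks(rows, trusted):
    """Return events whose source IP is outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return [r for r in rows
            if not any(ipaddress.ip_address(r["IP Address"]) in n for n in nets)]

if __name__ == "__main__":
    rows = load_audit(SAMPLE_CSV)
    for email, times in downloaders(rows).items():
        print(email, len(times), "download(s), first at", times[0])
    for r in outside_networks(rows, ["10.0.0.0/8"]):  # assumed agency range
        print("review:", r["when"], r["User"], r["IP Address"], r["Event"])
```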