Advanced Search

CPS Public Consultations

We want to hear your views about our prosecution policy and so we conduct consultations to help inform our policy making.

Visit the consultations page to view the current and previous consultations

Annex H - Disclosure Manual

The use of keyword searches and digital evidence recovery officers

This annex has been devised for use by police/CPS/HMRC/RCPO

Introduction

  1. Although the technology is fast-moving, the use of keyword searches is still fairly common across the whole CJS. A proper use of focused keywords and word searches at the initial stage should reduce the need to do further searches when considering the unused material 'hits,' unless it is reasonable to further refine the search.
  2. Some or all of the following (non-exhaustive list) are suggested as reasonable and proportionate actions for the disclosure officer to undertake to comply with the duties under the CPIA 1996:
    • inspecting the material retrieved in the keyword searches made by investigators
    • reviewing the keyword dictionary and parameters used by investigators to see if these properly cover all reasonable lines of enquiry
    • making additional keyword searches, using judgement and knowledge of the circumstances of the case to decide how much additional work is proportionate
    • where appropriate, to review the same material that has been reviewed by the investigator in order to determine that all reasonable lines of enquiries have been followed. This may include folders, files, spreadsheets, images, and emails as an alternative or in addition to keyword searches
    • inspecting the directory structure and reviewing the examination strategy used by the investigation officer to see if this properly covers all reasonable lines of enquiry
    • carrying out additional direct examination of folders or classes of files if necessary, using judgement and knowledge of the circumstances of the case to decide whether all reasonable lines of enquiry have been followed
    • identifying, as accurately and clearly as possible, any digital item containing stored data in the disclosure schedule, and for each item describing the various actions the disclosure officer has taken, describing the extent, manner and justification of the examination in the schedules:
      • a list of all the keywords used
      • a print out of the directory structure, or file listing where this is available
      • a forensic unit's documentation of any applications audit, where this is available
      • the search terms that were applied
      • the details of all the steps in this annex that have been carried out
      • why they were carried out.

Top of page

Digital evidence recovery officers

  1. Digital evidence recovery officers (DEROs) may be commissioned to help extract evidence and to assist with unused material. They may be part of the police force, civilians attached to the computer crime unit or the National Hi Tech crime Unit. Sometimes specialist outside expertise may be required. Acting only upon instructions from the investigators and disclosure officers, their primary role is to extract and preserve the evidence, although they may be involved in helping to collate and audit the unused material.
  2. Investigators will need to work closely with the Forensic Computer Analyst (FCA) and the DERO, where available, in order to establish the appropriate methodology and terms of reference to employ in the examination. The completion of a Digital Evidence Recovery Form (DERF) together with the provision of the case summary will assist the DERO in identifying the parameters of the search and the selection of relevant keywords to employ in the examination.
  3. Investigators should use the DERF to list focused keywords in order to examine the data seized or obtained. The disclosure officer and the DERO may also use their own keywords, as may the prosecutor when they become involved. The DERF should be scheduled on the schedule of unused material.
  4. Care must be taken to use focused keywords otherwise the purpose is defeated, for example, by generating too many 'hits' to be useful. Each keyword search may produce relevant information that requires further searches. An example could be a keyword producing 10,000 hits. The DERO should usually produce the relevant hits onto a CD or DVD.
  5. The investigator should then decide, after liasing with the DERO, which of the hits will be used as evidence. Any remainders are likely to become relevant unused material to be dealt with by the disclosure officer.
  6. The DERO should produce a summary of his/her findings in a statement and/or report. Additionally, a log should be maintained as a diary of events and actions, setting out what examination methods were used. It should comment on items or 'hits' that become unused material. The log itself should be treated as unused material and if it contains sensitive material, its scheduling should follow the normal procedures.
  7. The DERO should be supplied with a copy of any defence statement, and the prosecutor, investigating officer and disclosure officer should consider whether any further examination of the unused material needs to be carried out.

Top of page