Disclosure Manual: Annex D - The Use of Keyword Searches and Digital Evidence Recovery Officers
The use of keyword searches and other appropriate search tools has been validated for use across the criminal justice system (see R v R and Others 2015 EWCA Crim 1941 and the AG’s Guidelines). A proper use of focused keywords and word searches as well as documenting the digital strategy in a DMD is key to managing disclosure.
Some or all of the following (non-exhaustive list) are suggested as reasonable and proportionate actions for the disclosure officer to undertake to comply with the duties under the CPIA:
- inspecting the material retrieved in the keyword searches made by investigators
- reviewing the keyword dictionary and parameters used by investigators to see if these properly cover all reasonable lines of enquiry
- making additional keyword searches, using judgement and knowledge of the circumstances of the case to decide how much additional work is proportionate
- where appropriate, reviewing the same material that has been reviewed by the investigator in order to determine that all reasonable lines of enquiry have been followed. This may include folders, files, spreadsheets, images, and emails as an alternative or in addition to keyword searches
- inspecting the directory structure and reviewing the examination strategy used by the investigation officer to see if this properly covers all reasonable lines of enquiry
- carrying out additional direct examination of folders or classes of files if necessary, using judgement and knowledge of the circumstances of the case to decide whether all reasonable lines of enquiry have been followed
- identifying, as accurately and clearly as possible, any digital item containing stored data in the disclosure schedule, and for each item describing the various actions the disclosure officer has taken, describing the extent, manner and justification of the examination in the schedules:
  - a list of all the keywords used
  - a printout of the directory structure, or file listing where this is available
  - a forensic unit's documentation of any applications audit, where this is available
  - the search terms that were applied
  - the details of all the steps in this annex that have been carried out
  - why they were carried out
Digital evidence recovery officers
Digital evidence recovery officers (DEROs) may be commissioned to help extract evidence and to assist with unused material. They may be part of the police force, civilians attached to the computer crime unit or the National Hi Tech Crime Unit. Sometimes specialist outside expertise may be required. Acting only upon instructions from the investigators and disclosure officers, their primary role is to extract and preserve the evidence, although they may be involved in helping to collate and audit the unused material.
Investigators will need to work closely with the Forensic Computer Analyst (FCA) and the DERO, where available, in order to establish the appropriate methodology and terms of reference to employ in the examination. The completion of a Digital Evidence Recovery Form (DERF) together with the provision of the case summary will assist the DERO in identifying the parameters of the search and the selection of relevant keywords to employ in the examination.
Investigators should use the DERF to list focused keywords, in order to examine the data seized or obtained. The disclosure officer and the DERO may also use their own keywords, as may the prosecutor when they become involved. The DERF should be scheduled on the schedule of unused material.
Care must be taken to use focused keywords; otherwise the purpose is defeated by generating too many 'hits' to be useful. Each keyword search may produce relevant information that requires further searches. An example could be a keyword producing 10,000 hits. The DERO should usually produce the relevant hits onto a CD or DVD.
The investigator should then decide, after liaising with the DERO, which of the hits will be used as evidence. Any remainders are likely to become relevant unused material to be dealt with by the disclosure officer.
The DERO should produce a summary of his/her findings in a statement and/or report. Additionally, a log should be maintained as a diary of events and actions, setting out what examination methods were used. It should comment on items or 'hits' that become unused material. The log itself should be treated as unused material and if it contains sensitive material, its scheduling should follow the normal procedures.
The DERO should be supplied with a copy of any defence statement, and the prosecutor, investigating officer and disclosure officer should consider whether any further examination of the unused material needs to be carried out.