TGI’s Digital Forensics Investigation Methodology
Data Collection
The collection process forms the foundation of digital forensics. Evidence is gathered from open sources such as social media platforms, websites, and publicly accessible environments, as well as from external organizations, human rights defenders, journalists, and testimony accounts. Analysts meticulously identify and retrieve data while ensuring no compromise to its integrity during acquisition. Advanced techniques and tools are often employed to capture content in its original state, preserving critical metadata and contextual details essential for analysis.
Maintaining Chain of Custody
A structured approach to cataloging is vital to maintain a clear chain of custody. The chain of custody refers to the documented and unbroken process by which digital evidence is handled throughout its lifecycle, from collection to presentation in legal or investigative contexts. Maintaining an unbroken chain of custody is critical to ensure the evidence remains admissible in court and retains its integrity.
Key steps in managing the chain of custody include:
- Identification: Documenting when, where, and by whom the evidence was collected. Every piece of evidence is labeled with a unique identifier (UID) for traceability.
- Documentation: Maintaining records of the sources, from whom and when, and how it was collected. A standardized consent form is used during the data collection phase to ensure that digital evidence is obtained lawfully, ethically, and transparently, which reinforces the integrity of the forensic investigation. Digital evidence submitters are informed that they can withdraw consent at any time. We also document the description of the evidence and other sensitive information.
- Storage: Securing evidence in tamper-proof environments for restricted access. Digital evidence is often stored in encrypted formats to protect its integrity.
- Transfer: Ensuring that any transfer of evidence is accompanied by proper documentation, including signatures and timestamps, to confirm its authenticity.
Cataloguing and Preservation
Each piece of evidence is assigned a unique identifier for traceability and organized in a Master Catalog. This catalog includes details like Case ID, Evidence Type, Source, Device Details, Creation Date, and Metadata. Maintaining this system ensures evidence is accessible, categorized, and preserved effectively throughout the forensic investigation process.
Verification and Analysis
The verification and analysis process begins after the initial steps of collecting and preserving digital evidence. At Tech Global Institute (TGI), meticulously examine the content for additional clues to uncover what is happening, why it is happening, and who is involved. Using open-source techniques, analysts strive to verify as many details as possible, ensuring accuracy and reliability.
Analysis
Frame-by-Frame (FBF) Analysis
Frame-by-frame analysis meticulously documents observations in video or image evidence. Analysts record details like individuals, security forces, and their actions, noting crowd dynamics, gestures, or equipment use. Significant events are corroborated with media or social media footage, ensuring precise identification of law enforcement and high certainty in findings.
Geolocation
Geolocation identifies incident locations using visual cues like landmarks, billboards, or environmental features. Analysts examine details such as clothing, language, or structures, using Google searches and Reverse Image Search to match locations. Articles, captions, and social media comments are reviewed to confirm the exact place of the event.
Chronolocation
Chronolocation determines event timing when metadata is missing. Analysts use shadow analysis, timestamps from related posts, or environmental changes to approximate time. Synchronizing with news reports or corroborative footage enhances precision, with investigation context guiding tool use for accurate temporal verification.
Establishing Body Detection and Crowd Estimation
Body detection verifies image and video authenticity before counting casualties. Enhancement tools clarify details, with frame-by-frame reviews identifying movement, wounds, or incapacitation. Crowd counting tools estimate numbers, while direct counting is used for smaller groups, distinguishing injured from deceased.
Review
Post-analysis, evidence undergoes a thorough review by external experts, such as weapon specialists, lawyers, and human rights representatives. Conducted under strict agreements, this multidisciplinary process confirms the accuracy and reliability of findings. It ensures ethical presentation and prepares evidence for responsible dissemination in investigative or legal contexts.
Reconstructing Events and Documentation
Reconstructing events is key to understanding large-scale incidents like uprisings. Analysts systematically document dates, locations, individuals, security forces, and their actions to reveal connections and implications. This structured approach tracks multiple incidents and outcomes, offering a comprehensive view essential for forensic analysis and accountability.
Distribution and Safeguarding of Evidence
Sharing digital evidence with third parties requires strict protocols to protect sensitive data. Access is restricted, and formal contracts outline usage limits and security measures. This ensures responsible handling, preserves privacy, prevents misuse, and aligns with legal and ethical standards, safeguarding all individuals involved.
Ethical Considerations
Digital forensics demands ethical rigor in handling sensitive evidence. Analysts must maintain integrity, confidentiality, and respect for those involved, avoiding bias and harm, especially with graphic content. Transparency and impartiality uphold the investigation’s credibility, ensuring protection for all parties and reinforcing the forensic process’s trustworthiness.
Challenges
Determining a Location :
Pinpointing incident locations is challenging, especially in poorly mapped areas. Tools like Google Maps or Street View often lack detail in conflict zones, forcing reliance on visual cues like landmarks, billboards, or shadows. Corroborating with media reports or crowdsourced data helps, but ambiguity persists, making the process iterative and time-consuming.
Counting Human Bodies :
Counting individuals in chaotic, low-quality videos is complex. Blurry visuals, poor lighting, and overlapping figures obscure casualties in protests or conflicts. Frame-by-frame analysis and crowd estimation tools aid, but precision is elusive. Cross-checking with eyewitness accounts or additional footage is often necessary, yet not always available.
Tracing Time, finding metadata, and low-quality media :
Tracing event times is difficult without metadata, often stripped by social platforms. Analysts use timestamps, shadow analysis, or event sequences for approximation, but low-quality, pixelated media complicates detail extraction. Compression artifacts distort visuals, requiring cross-referencing with reports or testimonies, a labor-intensive process demanding precision.
Violent Content :
Analyzing violent content is emotionally taxing, with graphic videos causing fatigue. Repeated exposure to death or injury footage strains analysts, especially during large-scale events with high video volumes. Psychological support, like debriefing or mental health resources, is essential to maintain focus and ensure accountability.
Archive Materials and Manual
We archive materials including:
Digital files (e.g., video, audio, and photo) that document daily acts of resistance against the oppressor and human rights violations by law enforcement, military forces, and pro-government parties during the uprising.
Interviews and eye-witness accounts of the events surrounding the uprising, including the use of lethal force against demonstrators, extrajudicial killings, and mass casualties.
Documents related to legal, personal, and medical matters of the deceased and injured victims for potential use in investigations.
Audio, video, and photo collected from open sources (e.g., social media, news media, and articles).
Important website links associated with our research and investigations.
Reports and articles from investigative journalism and publications by human rights organizations, such as the UN Fact-Finding Mission in Bangladesh.
| Type | [Type Code]-[Chronology Code] | Suffix Code | File Types | File Description |
|---|---|---|---|---|
| Video | 01-000 | Transcript [T] Example: | Mpeg, mp4, mov, txt, doc | Video evidence and its transcript |
| Audio | 02-000 | Transcript [T], Example: | Wav, mp3, txt, doc | Audio evidence and its transcript |
| Image | 03-000 | Png, jpeg, svg, gif | Images that contain any type of ‘document’will not be included [e.g, personal/medical/legal documents | |
| Screenshot | 04-000 | Png, jpeg | Screenshot of any type of ‘document’ will not be included [e.g, personal/medical/legal documents | |
| Satellite Image | 05-000 | Google Earth, Map | ||
| Document | 06-000 | Document [general] Example 06-000 Subtype Personal document [P] Medical document [M] Legal document [L] Example: 06–000-P or 06–000-M | Doc, pdf, xls, xlsx, txt, ppt, jpeg, png | [Document type [06, without suffix] that do not fall under Personal, Medical or Legal Document subtype] Documents related to personal, medical (hospital data), and legal (FIR) matters of the deceased and injured victims for potential use in investigations. |
| Media Report | 07-000 | Any file type we collect from news media including archived weblinks, including photocard | Archived news link | |
| Text | 08-000 | Includes screen capture, archived post, and text format |
Footnote:
In our open-source investigative process and developing the manual, we adhered to the Berkeley Protocol on Digital Open Source Investigations and the methodology of Bellingcat & the Global Legal Action Network.