A wise investigator assumes an attitude of professional skepticism. She recognizes that any piece of evidence may not be what it seems to be, and might in the future be interpreted in a different way or be refuted by other evidence.
Consider, for example, one of the most famous and thorough investigations in American history. The official investigation of the 1970 shooting of Kent State students by national guardsmen concluded that a certain Terry Norman (a paid FBI informant) played no role in the shooting. However, forty years later, a previously unknown tape recording of the events surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times, shortly before the guardsmen opened fire. Norman was known to have brandished such a pistol at that place and time. It appears that Norman fired shortly before the guardsmen fired. So the official investigation appears to have been wrong on account of compelling evidence that emerged four decades after the fact.
In many cases, a professional investigator needs to remember that her investigative work and report will not and should not be the final word on a matter. The investigator's job is to collect and analyze evidence, recognizing that rarely will the investigator possess all of the possible evidence. Someone else will be the final judge and jury.
As an educational exercise, I have developed a prototype online investigation report and evidence container. Part checklist, part demonstration, this prototype could be useful for many kinds of non-criminal investigations. Using the Zoho online notebook application, I created the prototype as a teaching tool for my SANS course on the law of investigations.
The prototype report gives instructions on the skeptical attitude the investigator should adopt. It reminds the investigator to evaluate any biases or conflicts of interest she may possess. It includes an optional banner for protecting attorney-client confidentiality and attorney work product. It provides the investigator a means for storing embedded evidence (written text, plus audio, video or other files) and for affirming that the stored evidence accurately reflects what the investigator collected.
An interactive, published report from the prototype appears here:
http://notebook.zoho.com/nb/public/benwright214/book/376222000000004171
Obviously many investigators who might want to use a report like this in Zoho would not want to publish the report openly for all to see. Zoho allows the report to be shared (read-only or read/write) selectively, with people possessing the right credentials.
In the prototype, I signed the report with a webcam electronic signature.
I secured the stored evidence, and associated it with my webcam signature, using the log-on ID and password to my Zoho account. Further, Zoho allows me to secure my account (and prevent tampering with the report) by limiting which IP addresses can access it and by providing me a report on which IP addresses accessed it at which time. Zoho keeps a detailed history of revisions, which could be helpful if a question arose about whether someone tampered with the report after it was finalized.
Zoho allows the people with whom I selectively share a report to make their own, independent copies of it. These independent copies could deter me from making undetected changes to my report after I finalize it.
I am interested in feedback. What do you think? If anyone would like to help me make an iPad, iPhone or Android app like this, please let me know!
Mr. Wright teaches the law of investigations at the SANS Institute.