Report: IRS fails to manage digital evidence properly

Not following accepted procedures to back up evidence and keep procedural records raises the risk of evidence being thrown out in court, inspector general warns.

The Internal Revenue Service's failure to back up digital evidence to off-site networks and to maintain detailed records of procedures used during investigations into financial crimes could lead to problems for federal prosecutors trying the cases in court, according to a report released by the agency's inspector general on Monday.

The audit covered the IRS's Electronic Crimes program, which was launched in 2001 to support financial investigations by acquiring, preserving, extracting and analyzing digital evidence such as word processing and spreadsheet files and e-mails. In 2006, E-Crimes seized almost 150 terabytes of digital data. That's more than twice the amount of digital information collected by the Library of Congress as of May 2007.

Since 2005, a task force has created and periodically revised standard operating procedures for handling digital evidence by computer investigative specialist agents. But according to the report, "The absence of some program-level processing controls has created risks that could compromise investigations in worst-case scenarios."

One area of concern is backup procedures. Currently, the computer investigative agents make working copies of digital data seized for analysis purposes, reserving the original images for possible forensic authentication by prosecutors. Agents typically store only the original image and the working copies on local computers, according to the report, but don't save copies to an off-site location, which "would not be affected by a local catastrophic event such as fire, flood, natural disaster, sprinkler system malfunction, vandalism or other intentional destructive acts," the report noted.

Also, interviews by the inspector general's office revealed that most agents did not keep detailed written documentation of actions taken to process digital evidence, or make examination notes available for review, discovery or testimony purposes.

"The Justice Department has guidelines that state digital examiners should document all actions taken to process digital evidence to ensure it's admissible in court," said IRS Inspector General Russell George. "We found this is not always done."

The E-Crimes management information system was launched at the beginning of fiscal 2006 to provide case-tracking information, as well as evidence inventory accounting, but the system's full capabilities are not yet available.

"The value of evidence is its admissibility in court," George said. "Comprehensive internal controls are the best means to ensure data is protected and ultimately admissible. [The IRS criminal investigation division] has worked on some of the most notorious financial crimes in history, so we want to ensure they follow the rules to the most exacting degree."

The inspector general recommended that the director of the E-Crimes program develop effective quality control guidelines and documentation standards for the forensic process, clarify the role of the management information system for evidence inventory control and implement a comprehensive disaster avoidance plan for digital data prior to existing plans to build data centers for data backup in fiscal 2009 and 2010.

"Without interim procedures, risks that could materialize from incidents or disasters will continue to exist over the next two years, or longer if the system is delayed," the report noted.