Deploy a secure, simple user interface for law enforcement to store and manage digital evidence with data integrity verified through audit reports and system controls
Overview
Digital Evidence Archive (DEA) on AWS helps investigative units manage and store digital evidence on AWS. It equips investigators and other law enforcement personnel with a web user interface (UI) that they can use to create and update cases with the associated digital evidence. The UI removes the reliance on physical devices, such as USBs and hard drives, and reduces the cost incurred when running a local data center.
This AWS Solution supports file integrity, hashing, encryption, and audit logging, helping customers meet the requirements of the Criminal Justice Information Services (CJIS) Security Policy.
Benefits
Allow investigative units to manage their data in one place using a simple interface and without interacting with the AWS Console. No cloud knowledge is required to leverage the scale, elasticity, and automation capabilities of this AWS Solution.
Gain assurance that customers are only charged for the storage and compute services they use. The default storage service delivers automatic storage cost savings through intelligent-tiering.
Promote security through encrypted data and access controls that allow permissions to be granted on an as-needed basis. Files are hashed when uploaded and can be validated to ensure evidence is locked in its original form, allowing users to maintain chain of custody.
Technical details
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
Step 1
Solution users sign in through their existing CJIS-compliant Identity Provider (IdP), which federates with Amazon Cognito, to access the DEA on Amazon API Gateway and the web UI.
Step 2
Users create cases using API calls to API Gateway (accessed through the web UI).
Step 3
Case creation API calls are directed to AWS Lambda, the solution's API handler.
Step 4
Lambda sends API event data to Amazon CloudWatch for logging purposes.
Step 5
Amazon DynamoDB registers the case creation event and tracks user authentication sessions to mitigate malicious case actions.
Step 6
DEA uploads data using the SDK and downloads evidence using pre-signed URLs through Amazon Simple Storage Service (Amazon S3).
Step 7
AWS CloudTrail registers CloudTrail events and Amazon S3 object-level changes in the S3 evidence bucket.
Step 8
An AWS Key Management Service (AWS KMS) customer-managed key (CMK) provides server-side encryption, preventing malicious alteration of evidence.
Step 9
Amazon S3 invokes Lambda as needed for S3 Batch Operations.
Step 10
AWS DataSync receives a task to migrate data, and the reports from the migration are uploaded to the Amazon S3 task logs bucket. Lambda listens for the object-created event in the S3 task logs bucket and begins processing the files when detected.
Step 11
Users retrieve audit reports by querying the DEA audit REST API endpoints. Amazon Athena returns case audit information to the endpoint.
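The hash-at-upload, validate-later and per-case audit report behavior described above can be sketched as follows. This is an added example, not code from the DEA solution: the `EvidenceLedger` class, its method names, the in-memory storage and the choice of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import io

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large evidence files never sit fully in memory

def sha256_stream(stream):
    """Return the hex SHA-256 of a binary stream (SHA-256 is an assumed algorithm)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

class EvidenceLedger:
    """Hypothetical in-memory stand-in for the case file records and the audit log."""
    def __init__(self):
        self.digests = {}  # (case_id, file name) -> digest recorded at upload
        self.audit = []    # append-only audit events

    def _log(self, actor, action, case_id, name, outcome):
        self.audit.append((case_id, actor, action, name, outcome))

    def register_upload(self, actor, case_id, name, stream):
        if (case_id, name) in self.digests:
            self._log(actor, "upload", case_id, name, "rejected")
            raise ValueError("evidence already registered; originals are not overwritten")
        digest = sha256_stream(stream)
        self.digests[(case_id, name)] = digest
        self._log(actor, "upload", case_id, name, "ok")
        return digest

    def verify(self, actor, case_id, name, stream):
        expected = self.digests[(case_id, name)]
        ok = hmac.compare_digest(expected, sha256_stream(stream))
        self._log(actor, "verify", case_id, name, "match" if ok else "mismatch")
        return ok

    def case_report(self, case_id):
        """Audit events for one case, in order: (actor, action, file, outcome)."""
        return [e[1:] for e in self.audit if e[0] == case_id]

def demo():
    ledger = EvidenceLedger()
    original = b"constructed sample evidence bytes" * 1000  # constructed sample input
    ledger.register_upload("inv-01", "case-001", "disk.img", io.BytesIO(original))
    intact = ledger.verify("inv-02", "case-001", "disk.img", io.BytesIO(original))
    tampered = ledger.verify("inv-02", "case-001", "disk.img", io.BytesIO(original[:-1] + b"X"))
    return intact, tampered, ledger.case_report("case-001")
```

Every verification is logged whether it matches or not, so the case report shows who checked a file and when a copy stopped matching the digest recorded at upload.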
Related content
Digital Evidence Archive on AWS enables law enforcement customers to store and manage their digital evidence through a simple user interface. Evidence stored in the system does not change, and that integrity is verifiable using audit and accountability reports, file hashing, CJIS-level encryption, and access controls. Learn more about the benefits and how to get started in this one-page overview.
The Digital Evidence Archive API documentation guides programmatic integration and use of this solution. It outlines APIs with explanations of request and response formats for managing cases, files, users, and audit trails. The documentation also provides code samples for securely storing, retrieving, and managing digital evidence.