Jump to Content Jump to Main Navigation
Signed in as:

Part IV, 15 Open Source Investigations for Legal Accountability: Challenges and Best Practices

Alexa Koenig, Lindsay Freeman

From: Digital Witness: Using Open Source Information for Human Rights Investigation, Documentation, and Accountability

Edited By: Sam Dubberley, Alexa Koenig, Daragh Murray

From: Oxford Public International Law (http://opil.ouplaw.com). (c) Oxford University Press, 2023. All Rights Reserved. Subscriber: null; date: 08 June 2023

Human rights — Internet — International criminal law — Evidence

(p. 331) 15  Open Source Investigations for Legal Accountability

Challenges and Best Practices

A milestone in the practice of international criminal law was marked on 15 August 2017. That day, the International Criminal Court issued a warrant of arrest for a person of interest—Mahmoud Mustafa Busayf Al-Werfalli of Libya1—that relied primarily on information derived from social media as the basis for the warrant. Legal scholars lauded this milestone as an important step in strengthening the use of digital content to secure accountability for human rights abuses and grave international crimes.2

Using publicly accessible online resources to support criminal and civil human rights cases is a relatively new practice, but as the chapters in this book show, one that is advancing quickly. Various international and national courts are beginning to recognize the potential value of cooperating with ‘first responders’, who frequently reach crime scenes long before international criminal investigators, the latter of whom may face diplomatic, legal, and/or pragmatic barriers to accessing such sites.3 Civil society actors—journalists, grass roots activists, and others—may also be the first to locate and acquire relevant content in digital space. This suggests there may be significant value in facilitating cooperation between legal actors and civil society actors to maximize the quality of digital information used as evidence. Increasingly, civil society organizations are using social media and user-generated content in their documentation of human rights violations—experimenting with online research methods to identify relevant material, preserve information that may become critical evidence in future prosecutions and is at risk of being removed, or identifying potential witnesses to events.4

(p. 332) However, such cooperation faces several barriers, including lack of training and guidance about how to identify what digital content might have evidentiary value in legal proceedings, how to collect and preserve digital content to a forensic standard, and how to maintain data in an archive that perserves its authenticity and makes it easily accessible to the appropriate end user (in this case, legal investigators).5

Interest in such cooperation has motivated the development of diverse guidance designed to help mature open source investigations as a branch of respeted legal practice.6 The guides that have been developed so far have been organized to help ensure admissibility in court as well as maximize the judicial weight accorded to verified content. They also serve as a basis for training lawyers, investigators, judges, and first responders who document atrocities; strengthen due process (for example, by supporting thorough verification and peer review to help ensure accuracy); and encourage best practices around everything from data generation to data handling to presentation in court.

While this area of practice is still relatively new, the past couple of years have seen its critical growth. For example, in October 2017 a number of experts in international criminal law and open source investigations met in Bellagio, Italy to discuss the need to develop a common lexicon, set of principles and other guidance to standardize open source investigations to generate lead, linkage and crime-based evidence for courts. The goal was to bring clarity to open source investigations as a set of practices and ultimately enhance recognition of both their limitations and their utility as a tool for supporting victims and ensuring justice. In spring 2018, a team of experts (the authors of this chapter among them) drew from the definitions and principles identified at Bellagio to begin developing a manual to support the effective use of open source information for the investigation and prosecution of human rights violations and atrocity crimes, a manual that could be globally disseminated in the form of an international protocol.

2.  Big Picture Considerations

Legal investigators ideally gather three types of information when building cases: (1) physical evidence (such as the murder weapon, or soil samples), (2) testimonial evidence (witnesses’ stories, expert testimony), and (3) documentary evidence (contracts, written orders, photographs, videos, etc). As an increasing amount of communications use digital channels, lawyers have begun to recognize the extraordinary value of web-based information for corroborating other evidence and filling holes in their evidentiary records. As noted by Lindsay Freeman in Chapter 3, such digital information usually (but not always) falls into the category of documentary information. Such online data can be a critical source of lead information (that which ‘leads’ a lawyer or legal investigator to additional sources), linkage evidence (that which ‘links’ low-level perpetrators, such as ‘trigger pullers’ to commanding generals, or presidents of countries), and contextual information that helps to paint the ‘who, what, when, where, why and how’ of the incidents underlying case. The objective of (p. 333) any legal investigation is to get sufficient corroborating information—ideally from each of these three information buckets—to establish each element of a crime so that in a criminal proceeding any alleged wrongdoing by the accused can be proven beyond a reasonable doubt, and in a civil case, so it can be established through a preponderance of the evidence.

2.1  Underlying Principles of Using Open Sources in Legal Investigations

The emerging practice of conducting online open source investigations for legal accountability is founded on—and ideally reflects—several principles. Some of these are common to all online open source investigations, while others are tied to some of the heightened considerations that arise when using online open source content in a legal context.7 At a minimum, these principles include security, impartiality, independence, accountability, legality, preservation, and equality, as summarized below.

2.1.1  Security

One of the first considerations when gathering online open source information to support legal accountability is security.8 Before designing an evidence collection plan that includes online open source content, an investigator should think through the potential physical, digital and psycho-social security risks that may result from accessing, viewing and handling open source information. For example, how can investigators best protect their identity—and thus the physical or digital security of their colleagues, anyone identified in the materials, the uploader(s), and themselves—when combing social media platforms for information related to a person of interest? Will they potentially reveal information that endangers the confidentiality of the investigation or the identity of possible witnesses? If members of the team have to comb through large volumes of graphic content, is there a plan in place, as Chapter 12 suggests, to strengthen resiliency and mitigate the likelihood of trauma? Once information is captured from the internet, how should it be stored so that investigators (1) can locate the needed information later, (2) preserve chain of custody (by logging who acquired the information, from where, and when), and (3) maximize data security?

2.1.2  Impartiality

Any strong legal investigation includes a plan for mitigating—and ideally eliminating—bias. This may mean employing multiple working hypotheses (developing multiple theories of the case) to avoid biased data collection and analysis; trying to prove the null hypothesis (for example, that the accused was innocent as opposed to guilty); and collecting both incriminating and exonerating data without favour. Search terms should be designed to maximize the likelihood of finding relevant and probative information without a preference (p. 334) to benefiting either the prosecution or defense—as should the choice of which platforms to search. Impartiality can be further strengthened by having team mates primed to check for bias and/or conducting some form of internal or external peer review. While rarely feasible, the gold standard from a research perspective would be to conduct some form of double blind review, where neither the original investigators’ identity nor that of the reviewers is known to each other.

2.1.3  Independence

Legal investigations must be independent of the personal or professional interests of any particular individual or institution and safeguarded from the actual or perceived appearance of outside influence. For non-governmental organizations, this may mean limiting or rejecting funding from governments or individuals that may have an interest in the outcome of one or more cases under investigation. This principle helps safeguard the perceived legitimacy of the investigation and the court in which the materials are eventually used.

2.1.4  Accountability

The principle of accountability is related to the potential replicability of the underlying analysis. Replicability is the basis for most scientific information and thus a critical factor for introducing information as scientific evidence in court. This principle is closely tied to transparency, specifically the transparency of the underlying methods that were used to access content and reach particular conclusions. Such transparency is intended to empower outside observers to analyse the potential validity of the results and the appropriateness of the methods used. To maximize potential acceptance as evidence for court purposes, investigators should log every step in their discovery and verification process and maintain the chain of custody of captured materials. At a minimum, this can be done by noting who handled the materials, when, and what they did with them.

2.1.5  Legality

The legality of the investigation (and any consequences for illegality) depends on the specific jurisdiction in which one is practicing and/or in which the open source materials may be submitted as evidence. To further maximize the likelihood that the findings of their research will be accepted in court, investigators and lawyers should review and understand the rules of evidence for the jurisdiction in which they are practicing and/or to which they will be submitting the information they collect.9

Many open source investigators violate the terms of service of the platforms they search by establishing a dummy account to protect their identity, even though that platform requires that individuals be transparent about who they are. Investigators should note whether such practices, or whether any laws that might be transgressed (such as violation of privacy regulations), could result in the exclusion of critical information. While international courts such as the ICC often have fairly lenient admissibility rules, even there, materials can be excluded if the collection process threatens the collected materials’ reliability or inflicts ‘serious damage on the integrity of the proceedings’.10 For example, information (p. 335) that the court believes was obtained in violation of human rights is supposed to be excluded, and privacy violations may well fall within the ambit of human rights. Under Article 68 of the Rome Statute—the body of laws that underlies the ICC—the investigator and lawyer are also mandated to protect victims and witnesses, court staff, and the public.

2.1.6  Preservation of Evidence

Preservation of open source evidence raises a number of critical issues for investigators and lawyers. First, how should information be stored? Increasingly, social media sites are being scraped or information from the internet is being crowdsourced, resulting in large data sets. How that information is tagged and coded will have concrete ethical and pragmatic ramifications, ranging from whether relevant and probative information can be located when needed, to the amount of time that must be expended to review potentially relevant materials. There are also chain-of-custody considerations (who has had access to the information and whether that information has been subsequently manipulated). The investigator should also note any information that is critical to authentication (for example, time and date stamps, as well as the identity of the machine on which the information was captured and the relevant URLs). Ideally, investigators will capture and preserve the source code underlying the online content. Such careful documentation may provide a certain degree of self-authentication of the evidence and thus may minimize the need for the investigator to testify about a particular piece of content in court.

2.1.7  Equality

Another consideration for human rights investigators and lawyers is the extent to which an open source investigation may influence which crimes are charged and which are virtually ignored because less visible and accessible. Will a heavy reliance on online open source investigations strengthen certain charges (such as chemical weapons attacks) to the exclusion of others (such as sexual violence) that may be less likely to be captured on film or discussed on chat sites? Will crimes or other harms perpetrated against certain demographics (for example, men, or people in technologically sophisticated countries) drown out equally important and perhaps even more pervasive crimes that target less advantaged groups? Investigators and lawyers should consider as well whether their familiarity with certain platforms (for example, Facebook, or YouTube) means that they will give scant attention to less common sources of information where relevant content may be located (such as WeChat or Sina Weibo in China, or Orkut in Brazil).

2.1.8  Ethics

A final note on ethics: As discussed in Chapter 11, ethical considerations are relevant not only to open source information collection for human rights generally, but also to human rights cases. There are, in addition, ethical considerations at each stage of the investigative and prosecution process, which differ based on jurisdiction and other content. Both investigators and lawyers should be aware of those considerations and how they affect public and legal acceptance of open source investigations practices.11

(p. 336) 2.2  Investigative Processes

There are a number of process considerations that should also be incorporated into designing an online open source investigation that may feed into legal cases. These range from preparation for the investigation, through discovery, to acquisition and preservation of content, to analysis and presentation in court—and of course on through the full data life cycle. Common practices around each of these stages are nascent, dynamic, and evolving. Thus, the considerations touched on below are a starting place for practice but are not comprehensive.

2.2.1  Preparation

As with any legal process, investigators should develop a plan of attack in order to maximize the efficiency and efficacy of their work.

Investigators should distinguish between background, exploratory research intended to provide general information about a situation, and formal investigatory work aimed at identifying, collecting, and analysing information that’s relevant to a particular legal situation or case and may serve as evidence. Formal investigatory work raises documentation and disclosure requirements from which exploratory research is generally exempt.

Plan objectives include (1) defining the investigation’s scope; (2) articulating objectives; (3) defining the universe of potentially helpful sources; and (4) designing digital, psycho-social and physical security protocols. In terms of substance, the plan should incorporate a search strategy designed around a relevant research question,12 which helps focus and guide the investigation. This research question should incorporate multiple working hypotheses in order to limit the potential for biasing the investigation from the outset—confirmation bias (the non-objective interpretation of information in a manner that confirms one’s pre-existing beliefs) is a risk in all investigations, but a particularly acute one in online investigations.

The plan should also document initial search queries that include specific terms (with keywords charted in all relevant languages), locations, coordinates, individuals, hashtags, platforms, and the like. The plan should also incorporate some thinking about the various crimes that may be relevant to the situation under investigation—and the elements of those crimes—as well as the various types of evidence that may be helpful to proving each element (physical, documentary and testimonial evidence being the ‘big three’). For example, if a case includes a charge of genocide—which often hinges on whether a prosecutor can prove the accused had an intent to ‘destroy in whole or in part an ethnic, national, racial or religious group’—is there online material that suggests that the accused had such genocidal intent, such as tweets or Facebook posts calling for the destruction of particular populations?

The individuals designing the plan should be aware that platform use may vary dramatically between geographic locations and between populations within geographic locations (for example, based on age or gender, with populations varying in their access to and comfort level with various digital resources). Thus, investigators should map the technological landscape of the conflict or issues under investigation, including an overview of the demographics of those who use each of the technologies, and incorporate those insights into their (p. 337) investigations plan. Many open source investigators have particular facility with certain platforms over others; conducting a technology mapping exercise before commencing research will mitigate the risk of discovery blind spots and biasing the discovery of relevant data to favour content on one platform over others.

Finally, the plan should outline the processes, including any tools, that the investigator or investigative team will use to locate, preserve, and analyse captured data. For example, investigators will ideally incorporate mechanisms for anonymous internet browsing and even the manual or automated collection of websites that are visited during the course of the formal investigation. If the investigation is being conducted by a team, there needs to be a plan for the safe sharing of relevant data and rapid communication as new leads and information are uncovered.

2.2.2  Discovery

Legal investigators often engage in three types of discovery: (1) monitoring (e.g. following a topic, conflict, or set of variables over time); (2) exploring (conducting research to better understand a conflict or topic); and (3) systematically gathering information (the formal stage of an investigation).

Monitoring refers to keeping on top of what is coming out over social media related to a particular situation as it is unfolding and as a means to help ensure critical information about people and incidents is not overlooked.

Exploring is a scoping exercise that often takes place prior to commencing formal fact-finding activities. This will often occur as part of a preliminary examination or when deciding if an open source investigation may be helpful to an incident under investigation. It consists of determining which platforms might be relevant and/or helpful, and what kinds of information may be available.

With planned information gathering, investigators may choose to start from a very narrow inquiry that broadens with the accumulation of information or start broadly and narrow down. Which is most helpful or appropriate will vary based on the information already in hand and the particulars of a case. Especially important is that investigators isolate the task from their personal browsing activities and record every step of the investigative process so that any member of the investigative team can testify to the process if needed. In addition to making the investigation easier to track and record, this will ensure a clean search history if that is ultimately reviewed as part of the disclosure process.

2.2.3  Acquisition and Preservation

Acquisition consists of identification of relevant online material; preliminary review of that content; and collection. Acquisition is followed by preservation.

Identification consists of finding and accessing relevant content. The potential evidentiary value of some content will be immediately apparent, while others may not be as clear cut. As online, digital content is ephemeral—and is at risk of removal if graphic or otherwise violative of platform community standards or terms of service—it is especially important to capture and preserve such information if it may conceivably be critical to later legal processes. If content is relevant on its face and at high risk of deletion, the information should be captured using the best method that time constraints allow. This may mean simply screenshotting the information and/or dropping the URL into a website (such as Internet Archive), or using a tool to capture the information in an evidentiarily-sound (p. 338) manner (such as Hunchly and Digital Evidence Vault). If the relevance and probative value are not immediately obvious, then the investigator may want to note the content but delay acquisition. While some investigators collect everything that may be relevant and analyse that content later, that method often results in over collection (bogging down the analysis and documentation process at later stages) and may violate data minimisation principles.

Best practices for capturing web pages vary and are evolving quickly. Once a digital asset has been located, investigators should connect to a time server to ensure their computer clock is accurate and document that accuracy; log their IP address (which will help establish that they were connected to the internet at a particular date and time through a particular computer); and download, screenshot, PDF, scrape or otherwise ‘capture’ the data that they want to collect. Collection is the moment when the investigator takes custody of the content. Collection may be mass and automatic (using specialized programs designed for online capture), itemized and semi-automatic (relying on custom or commercial scripts), or itemized and manual. Investigators should be aware that the method employed at this stage may have a later bearing on both admissibility and the weight accorded the content in court.

A forensic capture of the information will include metadata, content, and context. Best practices potentially include hashing or blockchain registration to preserve the original and demonstrate that the item—as presented in court—has not been modified from the original.13

Finally, if information is at risk of take down, the investigator may want to work with law enforcement or other official authorities to issue a subpoena or preservation order for that content. When not affiliated with a legal authority, it may still be worth reaching out to the platform to encourage preservation.

Once acquired, the content should be added to a secure online server with redundant offline back-ups (see Chapter 7). At this point, standard digital forensic methods should be employed to preserve the integrity of the digital evidence and document the chain of custody.

Some basic principles to keep in mind during the collection and preservation process:

  1. (1)  Locate and preserve the original or ‘first post’ of a particular item if possible.

  2. (2)  Collect information in as close to real time as possible.

  3. (3)  Preserve, if possible, all relevant metadata, links, networks, content and comments, manually or via scraping (although in the latter case, make sure that scraping will not destroy the data’s admissibility since scraping often violates terms of service).

  4. (4)  Preserve chain of custody, manually or automatically.

  5. (5)  Preserve the ‘original’ content and work on a copy.

  6. (6)  Organize, store, and code the data so that it can be located when needed.

When organizing archived data, it is often best not to organize the data around potential charges unless those charges are known. More helpful is tagging for the location depicted in the content (whether with geo-coordinates or the name of the city, town, etc) and the date of capture and/or of the events or people depicted in the content (when known, so that the content can be tied to a particular incident), and briefly describing what the contents include.14

(p. 339) One final note on acquisition and preservation: it is important to avoid overcollection, for a number of reasons. First, in legal contexts, much of what is gathered may be subject to discovery by the opposing side. Therefore, data collection should be thoughtful—over-collecting can be strategically and logistically problematic, as well as costly, when that information has to be disclosed. Second, as noted above, over-collection creates a ‘volume’ problem, draining data storage capacities and potentially obscuring critical evidence in relatively valueless content.

2.2.4  Analysis

Analysis refers to ‘the process of reviewing, evaluating and interpreting factual information or evidence to develop substantive findings relevant to the investigation, and reporting those findings to support strategic, operational and legal decision-making’ (International Protocol). Assessments should include the following questions:

  • •  How is this content relevant? (How does this content relate to any dispute at issue in an investigation or trial?) Note that relevancy may shift over the course of a legal investigation.

  • •  Is this item authentic? (Is it what it purports to be? Has this item been faked, forged, staged, manipulated or misrepresented?) This step may include a review of both content and the content’s provenance.

  • •  Is this item complete? (Have you captured the entire video, full web page, etc?) Partial documents may be excluded at trial for lack of completeness.

  • •  If this is not the original, can you explain why not and establish an acceptable reason for using a copy?

  • •  Is this information reliable? In addition to analysing the content, you may want to check the reliability of the poster by reviewing their posting history, related accounts, apparent proximity to the events at the time in question, online networks, and any other corroborating information they may have posted.

  • •  Can you identify the original source of the information and is that source credible? (Has the source lied in the past? Does the source have any apparent biases or affiliations that create an appearance of bias?)

  • •  What is this content’s probative value? This requires developing inferences from the data. The content may, for example, be helpful to establish basic facts including the geographic location of a particular incident, to identify social networks, to determine patterns of criminality (that may, for example, speak to legal issues such as whether a particular act was ‘systematic and widespread’ and thus potentially a crime against humanity), to establish intent or other state of mind, and so on.

2.2.5  Presentation

One of the greatest areas of experimentation with this new type of evidence is the way in which it may be presented—from analytical reports introduced through an expert witness to more creative demonstrative displays. Another milestone in international criminal law that precedes the ICC’s Al-Werfalli arrest warrant was the open source investigations report developed in support of the Al-Mahdi case from Mali, as discussed in Chapter 2. In Prosecutor v. Al-Mahdi, the Senior Trial Lawyer for the prosecution used an interactive digital platform created by SITU Research in his opening statement (see Chapter 2). The (p. 340) platform combined satellite imagery, ground-level images, and 360-degree panoramic photography on a map to show the relationship between various mausoleiums that had been damaged or destroyed.15 Al-Mahdi’s guilty plea meant that this platform and accompanying expert reports supporting the geolocation of the imagery was never tested as a form of evidence, disappointing those who were eagerly waiting to see how the chambers would respond.

When presenting an open source investigation report in court, there are two dominant risks. One is that the relevant finders of fact (whether judge or jury) may be so dazzled by the interplay of technologies (such as the use of satellite imagery to corroborate the location of events depicted in several videos, further supported by social media posts that confirm the likely presence of the purported source, for example) that they overvalue the investigation report. They may not know how to interrogate the underlying materials or analysis and thus over-credit the report as depicting the ‘truth’ (much as has been seen with DNA analysis, which is now known to be fallible in certain circumstances but has historically been portrayed as a conclusive ‘silver bullet’). The second risk is that fact-finders who are not familiar with the underlying technologies or methodologies will be concerned about their ability to evaluate the report and therefore will discard or otherwise undervalue the report in their decision-making. Thus, it is critical that the presentation of the results of an open source investigation be as clearly and carefully explained as possible. From a due process perspective, it is important that both prosecution and defense (or claimant and respondent), as well as the judge or jury, have the basic skills to adequately evaluate the relevant information.

Beyond how the report is compiled, a second issue is who is best situated to serve as a witness. Open source investigative reports may reflect the work of multiple parties. Issues include whether an expert needs to speak to particular parts of the report, or whether individuals could be certified as generalized ‘open source investigators’ who can speak not only to the individual methodologies but the overall analysis.

Several prosecutors have suggested that there should be one individual who is designated as the potential expert who could be called to speak to the report. That person should be informed about every stage of the investigation and analysis so that they can answer any concerns about the authenticity of the report and the validity of its findings. As with any expert witness, an individual may be called to provide expert testimony if an expert with the necessary ‘knowledge, skill, experience, training, or education’, in which case, in the words of US Rule of Evidence 702, the individual

may testify in the form of an opinion or otherwise if a) the expert’s scientific, technical or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; b) the testimony is based on sufficient facts or data; c) the testimony is the product of reliable principles and methods; and d) the expert has reliably applied the principles and methods to the facts of the case.16

(p. 341) The significance of qualifying a witness as an expert is two-fold—it allows that witness to testify beyond the scope of his or her first-hand account and to give opinions, which witnesses are normally not allowed to provide to the Court.

A third issue is the form that presentation takes. Depending on the technical capacities of the courtroom, the report may range from a text-based report to a multi-source video or an interactive platform. One option is to compile the content derived from open source material, along with any corroborating data and relevant information derived from closed resources, into an expert report that may be submitted as evidence at trial. Such reports should include, at a minimum, an executive summary, a methodology section that identifies all steps taken to collect and analyse the information, and the information itself. The report should not include conclusions unless written by a qualified expert witness who can testify as to how those conclusions were reached. The report should be written for a layperson so that it can be understood by a judge, attorneys, or defendants without specialized expertise.

3.  The Future—What Comes Next

Much as DNA and satellite imagery analysis had to evolve as fields of practice and gain legitimacy recognition by courts,17 open source investigations have to be standardized and a community of peers established before they will be deemed similarly reliable by judges. That evolution is still in its early stages but holds tremendous promise for diversifying the kinds of content that can be relied upon to hold war crimes perpetrators, human rights violators, and others who commit grave international crimes to account. Perhaps one of the biggest risks is that an increasing amount of communication will move behind ‘closed doors’ (for example, onto encrypted private messaging apps like Signal or WhatsApp instead of on publicly accessible sites) and thus an increasing amount of critical evidence that might have once been in the public domain will be inaccessible to human rights investigators. However, as long as perpetrators brag about their exploits, or reach out broadly for recruitment purposes, their work will leak into the open. It is up to the international community to develop the necessary standards and advance the methodologies that make up open source investigations if such work will reach its potential to produce critical evidence for courts.

4.  Conclusion

While open sources have long played an important role in information gathering for evidentiary purposes, digital technologies are emerging and changing so rapidly that it is difficult to stay on top of all of the ways that open sources can support case development. Formalizing and disseminating open source methods as a means to contribute to the successful adjudication of human rights cases is vital. As more and more communication moves online, it will be increasingly important for lawyers and legal investigators to understand (p. 342) the diverse online locations in which relevant information sharing is happening. Justice depends on the international community, including legal actors, knowing how to find, preserve, analyse, and present that key information to support witness testimony in ways that meet evidentiary standards and thus have weight in court. Soon, open source investigations may no longer be optional and/or supplementary to the ethical practice of law, but central to and required for achieving justice.


This chapter is based on research that the authors conducted with Eric Stover at the Human Rights Center at the University of California, Berkeley School of Law to support publication of an International Protocol on Open Source Investigations, which is being considered for co-publication with the United Nations Office of the High Commissioner for Human Rights in 2020.

1  International Criminal Court (ICC), Situation in Libya: In the case of Prosecutor v Mahmoud Mustafa Busayf Al-Werfalli (Warrant of Arrest) ICC-01/11-01/17 (15 August 2017) https://www.icc-cpi.int/CourtRecords/CR2017_05031.PDF.

2  See eg Lindsay Freeman, ‘Digital Evidence and War Crimes Prosecutions: The Impact of Digital Technologies on International Criminal Investigations and Trials’ (2018) 41 Fordham International Law Journal 282; Emma Irving, ‘And So It Begins … Social Media Evidence in an Arrest Warrant’ Opinio Juris (17 August 2018).

3  Silviana Cocan, Joseph Rikhof, and Érick Sullivan, ‘Prosecuting International Crime Series: Defining Legal Concepts and Frameworks’ (2018) 2 PKI Global Justice Journal 16; Andrea Lampros, Alexa Koenig, Stephen Smith Cody, and Julia Raynor, First Responders: An International Workshop on Collecting and Analyzing Evidence of International Crimes (Human Rights Center 2014).

4  Cocan, Rikhof, and Sullivan (n 3).

5  See chs 6, 7, and 9 in this volume.

6  See eg Kelly Matheson, Video as Evidence Field Guide WITNESS, 2016; International Protocol on Open Source Investigations: A Manual on the Use of Online Open Source Information for the Investigation and Prosecution of Human Rights Violations and International Crimes (Human Rights Center 2019).

7  The following overview of principles and practices was derived from two sources: Alexa Koenig, The New Forensics: Using Open Source Information to Investigate Grave Crimes (Human Rights Center 2018) and International Protocol on Open Source Investigations: A Manual on the Use of Online Open Source Information for the Investigation and Prosecution of Human Rights Violations and International Crimes (draft protocol on file with the authors).

8  See ch 13 in this volume.

9  See eg Louise Arbour, ‘In Our Name and on Our Behalf’ (2006) 55 International and Comparative Law Quarterly 511.

10  Rome Statute, arts 55, 69.

11  For more information on an ethical framework relevant to open source investigations, please see the International Protocol on Open Source Investigations.

12  Anthony Olcott, Open Source Intelligence in a Networked World (Continuum 2012).

13  See ch 7 in this volume.

14  For a more detailed overview of basic archiving principles, see chapter 7 in this volume.

15  Freeman, Digital Evidence and War Crimes Prosecutions, p. 312, 316: “When the testimony is this specialized and technical, judges are put in the difficult position of either rejecting it because they do not understand it or accepting the conclusions without qualification—both dangerous propositions for the interests of justice.”

16  United States Federal Rule of Evidence 702.

17  Jonathan Drake and Theresa Harris, Geospatial Evidence in International Human Rights Litigation: Technical and Legal Considerations (AAAS 2018).