evidx
Back to News
· Basile Simon

Every investigation should start with an empty browser

A small ritual borrowed from the Berkeley Protocol — and what it really protects. A note on hygiene before evidence.

Something I've been asked a few times recently by colleagues trying out evidx is why does our workflow always begins by opening a fresh, empty browser window? Without our morning tabs, our browsing history, and not logged in anywhere?

It's one of those things that feels finicky – but it's about protecting the people doing the work.

Thus go trackers everywhere online. If you're researching a far-right network from your normal browser, you are now in their advertising audience. If you're poking at a company's site while logged into your work Gmail, you may be telling that company who is looking. If you click a tracking link from a hostile source, you might just have handed them a thread to pull on.

It might not be dramatic, but it's a slow leak of who-you-are into places where who-you-are matters. For investigative journalists, that's not acceptable.

Starting from an empty browser, ideally one that lives only for the duration of a research session, minimises that leak. In a way, it's hygiene in the medical sense: not glamorous, mostly invisible when it works, but very obvious when it doesn't.

There's a second ritual I ask people to do, which sounds even more old-fashioned: before you open the browser, write down what you're about to do, in a captain's log of sorts.

It doesn't need to be long: a few lines in a notebook, a Google Doc doc, or whatever you use. Jot down the intent of the session, what you're trying to find out, what you expect to see and what you'd consider a finding. Oh, and a sense of date and time.

This comes from the Berkeley Protocol on Digital Open Source Investigations, which formalises a lot of practices that investigators already do informally. The Protocol calls for "pre-investigative planning": clear research questions, documented scope, an honest attempt to anticipate where bias might creep in. Lawyers do a version of this all the time: it's part of their covering their own back and talk to their objectivity and bias in discovery of evidence.

The captain's log serves to create a record of why you went looking and what you were looking for, which matters when someone later asks whether you were fishing or following a lead.

Provenance starts earlier than most people think – as early at the moment you decide to look.

Both these practices — the empty browser, the captain's log — are pre-capture habits which happen before any of the cryptographic, chain-of-custody machinery I usually write about kicks in.

Signed archives and certified timestamps are part of what makes a capture defensible after the fact. But they can only preserve the conditions you bring to the page: In other words, if you arrive at the page already contaminated — by your session, your assumptions, or even a vague sense of what you're hoping to find — no amount of downstream cryptography fixes that.