Daniel sent us this one — he's been watching the Strike series, the Cormoran Strike adaptations, and he noticed something that jumped out at him. The investigator in the show relies heavily on a simple phone camera. Not telescopic lenses, not surveillance-grade gear. Just a smartphone, diligent observation, and capturing small details most people would walk past. His question is basically this: if you were starting a private investigation operation tomorrow and you were capturing hundreds of photographs per day across different sites and different cases, what kind of organization system would you actually use? Because your phone's camera roll is not going to cut it. So what does the real-world equivalent of Strike's method look like when it comes to evidence management?
Oh, this is a fantastic question. And you've hit on something that separates the fictional depiction from actual practice in exactly the right place. The show gets the observation part right — real investigators do use phone cameras constantly, that part's accurate. Where fiction skips over the unglamorous part is what happens after the shutter clicks. The organization system. And that's actually where most of the professional discipline lives.
Because the photograph itself is worthless if you can't prove where it came from, when it was taken, and what it's supposed to be showing six months later when someone's asking you about it in a deposition.
And that's the thing — a real PI might take, let's say, two hundred photographs in a single surveillance day. Multiply that across five active cases, six days a week, and you're looking at thousands of images per month. Without a system, you're dead in the water. The phone camera roll is basically a junk drawer with timestamps.
A junk drawer that occasionally auto-creates a slideshow set to sentimental music, which is not what you want when you're presenting evidence of insurance fraud.
Right, the phone's like "here's your memories from last Tuesday" and it's forty-seven photos of someone's bumper and a guy walking into a workers' comp clinic.
The musical equivalent of beige wallpaper set to a fraud investigation.
Let me walk through what a real system actually looks like. And I should say upfront — I've looked into this because the intersection of evidence handling and digital organization is genuinely interesting to me. There are professional case management platforms built specifically for investigation firms. The big names are things like CaseJacket, i-Sight, X1, and there's one called PI Trac that's specifically designed for solo practitioners and small firms. But the software is only half the story. The real system is the workflow.
Walk me through the workflow then. I take a photo. What happens in the next sixty seconds?
The moment you capture an image in a professional context, there's a chain of decisions that need to happen immediately, because memory degrades fast. Most PIs I've read about use a capture app that's separate from the default camera — something like CamScanner or an evidence-specific mobile app that timestamps, geotags, and sometimes even hashes the file on capture. The hash is important because it proves the image hasn't been altered later.
You're not even using the native camera app.
Because the native camera app doesn't create an audit trail. A proper evidence capture app will log the device ID, the GPS coordinates, the timestamp, and generate a SHA-256 hash of the file at the moment of creation. That's your foundation. Then, immediately after capture — and I mean immediately, ideally before you move to the next location — you tag the image with case number, subject, location description, and a brief note about what you're documenting.
This is all happening on the phone, in the field, while you're presumably also trying not to be obvious about the fact that you're photographing someone.
That's the tension. The best investigators develop a rhythm where the tagging takes maybe ten seconds per shot. Case number is usually pre-loaded, subject is pre-loaded. You're just adding the specific note. "Subject exiting vehicle, license plate visible." "Subject meeting unidentified male, gray jacket." That note is not optional. Six months later, that note is the difference between usable evidence and a picture of some guy near a car.
Because the photograph doesn't explain itself. A photo of two people shaking hands could be a business meeting, a drug deal, or a family reunion, and without the note you've got nothing.
In court, the note becomes part of your contemporaneous record. If you wrote it at the time, it carries weight. If you're reconstructing it from memory six months later, opposing counsel will tear you apart.
The capture app is step one. Because you mentioned case management platforms, and I'm assuming the images don't just live on the phone.
The phone is a temporary vessel. Most firms have a policy that field evidence gets uploaded to the case management system within twenty-four hours, often sooner. The upload process varies — some apps sync automatically when you're on Wi-Fi, some require manual transfer. But the key principle is that the image moves from a device that can be lost, stolen, or damaged into a secured, backed-up system with access controls.
This is where the case management software actually does its work.
So let's use CaseJacket as an example because it's fairly representative. Each case gets its own digital file. Within that file, evidence is organized by type — photographs, video, audio, documents, notes. Photographs are further organized by date, by location, by subject, or by incident, depending on how the investigator sets up their taxonomy. The software lets you tag, search, and cross-reference. So if you're working a case and you need every photo taken within five hundred meters of a specific address between March and June of this year, you can pull that up in seconds.
Which is not something your phone's photo app is going to do, no matter how good the AI search has gotten.
The AI search in consumer photo apps is actually getting quite good at recognizing objects and faces, but it's not built for evidentiary chain of custody. It doesn't log who accessed the file and when. It doesn't prevent modification. It doesn't generate a certificate of authenticity. Those are the things that matter when evidence is challenged.
There's a legal architecture sitting underneath all of this that the TV show completely skips over, for obvious reasons — it's not dramatic.
It's profoundly undramatic. But it's also where cases are won or lost. I read about a case — this was a few years ago in the UK — where a PI's photographic evidence was thrown out because he couldn't establish when the photos were taken. He'd been using his personal phone, the metadata had been stripped when he emailed the files to himself, and the timestamps were inconsistent with his written notes. The photographs clearly showed what they showed, but they couldn't be authenticated, so they were inadmissible.
That's a brutal lesson. All that work, and the evidence was good — it just couldn't be proven to be good.
The evidence was factually accurate but legally orphaned. No chain of custody, no admission.
We've got the capture app, the immediate tagging, the upload to case management software. What about the physical side of this? Because Strike in the show is often working out of a cramped office with a laptop. He's not running a server farm.
For a solo practitioner or a small firm, the setup is actually pretty lean. You need a laptop, an external hard drive or a NAS — network-attached storage — and cloud backup. That's the minimum viable setup. The case management software is usually cloud-based now, so the data lives on encrypted servers. But most PIs I've talked to or read about also maintain a local backup, because cloud providers can have outages, and you don't want to be unable to access your evidence because AWS is having a bad day.
There's probably a retention policy too. You don't just keep everything forever.
That's actually a really important point, and it varies by jurisdiction and case type. In general, evidence gets retained for the duration of the case plus a set period after resolution — often three to seven years, depending on the statute of limitations and the nature of the investigation. After that, it's securely deleted. You don't want to be sitting on a mountain of old surveillance photos that serve no purpose and create potential liability.
If you're holding personal data on subjects who were investigated but never charged, or on third parties who happened to be in the background of surveillance photos, there are privacy regulations that govern how long you can keep that. GDPR in Europe, various state laws in the US. The principle is data minimization — don't hold onto personal information longer than necessary.
The organization system isn't just about finding things. It's also about knowing when to get rid of them.
A good evidence management system has a retention scheduler built in. It flags files that have reached their retention limit and prompts the case manager to review and either extend or delete. That's not a feature you get in Google Photos.
Google Photos is just going to hold onto that photo of someone's license plate forever, and then surface it seven years later like "remember this day?
Which is charming for personal memories and absolutely catastrophic for professional evidence management.
Let me ask you about something specific. In the show, Strike will often photograph documents — letters, receipts, pages from a notebook. He's using his phone as a scanner, basically. Is that standard practice, and does it create any special organization challenges?
It's extremely standard, and it does create challenges. When you photograph a document, you're capturing an image, but what you actually want is a searchable record. So the workflow for documents is slightly different. Most evidence capture apps have a document mode that does edge detection, perspective correction, and OCR — optical character recognition — right on the phone. That OCR text gets embedded in the file metadata or stored alongside it, which means you can later search for a name or an address and find the document even if the file name is something unhelpful like IMG_4729.
You're essentially building a searchable archive on the fly.
That's where the tagging discipline really pays off. If you tag a photographed document with the case number, the date, the source, and a five-word description, and the OCR has extracted the text, you've got multiple paths to find that document later. You can search by case, by date, by source, by keyword. It's redundant in a good way.
Redundancy as a feature rather than a bug.
In evidence management, redundancy is a virtue. You want multiple ways to find the same thing because you don't know what question you'll be asked six months from now. The lawyer might say "find me every photo that shows a blue vehicle" or "find me every document that mentions this address." If you've built your system well, those queries are trivial. If you haven't, you're scrolling through thousands of thumbnails at two in the morning before a court deadline.
That sounds like a specific scenario you've encountered.
I may have had some late nights in my medical practice dealing with records requests. Different field, same principle. If you don't organize on the way in, you pay for it on the way out.
We've talked about the capture, the tagging, the upload, the software, the retention. Is there anything about the naming convention itself? Because "IMG_4729" is the default, and I'm guessing that's not what professionals use.
Naming conventions are one of those things that sound tedious but are load-bearing. Most firms use a structured format — something like case number, date, sequence number, and a brief descriptor. So a file might be named something like 2026-0618-SMITH-001-subject-exiting-vehicle. That tells you immediately what it is without opening it. The case management software often generates these names automatically based on the tags you enter, which removes the temptation to get lazy.
Prevents the thing where you tell yourself you'll rename everything later and then later never comes.
Later is a mythical time that has never once occurred in the history of human organization.
Later is the procrastinator's Narnia.
It really is. And with evidence, later isn't just inconvenient — it's potentially case-destroying. If you're ever deposed and asked "when did you label this photograph," the correct answer is "at the time of capture." The incorrect answer is "uh, sometime last week when I was getting my files together.
Let's zoom out for a second. You mentioned some case management platforms. If someone were actually starting a PI operation tomorrow, what's the realistic setup cost and learning curve?
For a solo practitioner, you're looking at a few hundred dollars a month for a decent case management platform. PI Trac, which I mentioned, is aimed at exactly this market — it's around forty to sixty dollars a month for a single-user license. CaseJacket is more like eighty to a hundred and twenty a month depending on features. Then you need cloud storage, which is negligible — a few dollars per month for the amount of storage photos take up. The hardware is just a decent laptop and a phone. Most PIs are not buying specialized cameras unless they're doing long-range surveillance, and even then, the trend is toward high-end phone cameras with telephoto lenses because they're less conspicuous.
The barrier to entry on the gear side is surprisingly low. The investment is really in the software and the discipline.
Knowing how to use the software properly, knowing how to maintain chain of custody, knowing the legal requirements in your jurisdiction — that's the real cost. You can buy the tools for a few hundred dollars, but the expertise takes years.
Which brings us back to the show, actually. The thing Daniel noticed — that Strike uses a phone camera and pays attention to details — that part is realistic. The part the show doesn't depict is the hour he spends every evening tagging, uploading, and organizing everything he captured that day.
To be fair, that would make for terrible television. Nobody wants to watch a montage of file management.
Although I would watch exactly one episode of that, just for the verisimilitude.
The Venn diagram of people who listen to this show and people who would watch an hour of evidence tagging is probably a circle.
A very small, very dedicated circle.
There's one more piece of this I want to touch on, which is the collaborative aspect. In the show, Strike works with a partner, Robin. They share information constantly. In a real firm, the case management system is the collaboration hub. Multiple investigators can access the same case file, add their own evidence, read each other's notes, and see what's been collected in real time. That's critical when you've got a team working different angles of the same investigation.
The system logs who added what, so you know who to ask if something's unclear.
Every entry is stamped with the user ID. If Robin photographs a document and uploads it, Strike can see it immediately, and he knows it came from her. That audit trail also serves as a kind of institutional memory. If an investigator leaves the firm, their case files don't leave with them in their head — everything's documented, tagged, and accessible.
Which also means the firm owns the institutional knowledge, not the individual investigator. That's a business continuity thing as much as an evidence thing.
And it's one of the things that separates a professional operation from a guy with a camera and a notepad. The system is the asset.
If I'm hearing you correctly, the real-world Strike's organization system has maybe five layers. Layer one is the capture app with automatic hashing and geotagging. Layer two is immediate field tagging with case number, subject, and notes. Layer three is structured file naming. Layer four is the case management platform with search, cross-reference, and retention scheduling. And layer five is the collaborative access and audit trail.
That's a really clean summary. I'd add a sixth layer, which is the backup and redundancy strategy. Local backup, cloud backup, and in some cases an offsite archive for closed cases that are still within retention. You don't want a single point of failure anywhere in the chain.
All of this lives behind encryption, presumably.
Encryption at rest and in transit. The case management platforms are built with this in mind because PI firms handle sensitive personal data and are subject to data protection regulations. If you're storing photos of people who haven't consented to be photographed — which is inherent to surveillance work — you have a legal and ethical obligation to protect that data.
Which is another thing the show doesn't show you. Strike's phone presumably has a passcode, but we never see him thinking about encryption standards.
The show would grind to a halt if he spent three minutes explaining his AES-256 implementation. But in the real world, if a PI loses an unencrypted phone full of surveillance photos, that's not just a lost device — that's a data breach. Potentially a lawsuit. Potentially a licensing issue.
The phone itself is a liability. The sooner the photos move off it and into the secured system, the better.
Some firms have a policy that field photos must be uploaded within four hours. In high-sensitivity cases, they use apps that stream the photos directly to the cloud and don't store them locally at all. The phone is just a lens and a network connection.
That's interesting. The phone as a dumb terminal for a camera.
Which is a complete inversion of how we think about smartphones. We think of them as these incredibly powerful local computers. But for evidence gathering, you want them to be as dumb as possible, because a smart device is a device that can be compromised, that stores data that can be extracted, that creates a trail on the device itself. A dumb lens connected to a secure server is actually the ideal.
That's the kind of counterintuitive insight that makes this whole topic more interesting than it seems on the surface. The best tool is the one that holds nothing.
That connects to something I think about a lot, which is that good investigative tradecraft is mostly about disciplined ordinariness. The flashy gear is a distraction. The real skill is in noticing what matters, documenting it methodically, and building a system that makes that documentation reliable over time. The phone camera is the right tool not because it's the best camera but because it's the camera you actually have with you, and the discipline is what makes the output usable.
The answer to the prompt — what type of organization system would a real-world Strike use — is basically a layered evidence management workflow built on capture apps, structured tagging, case management software, and redundant encrypted storage. The gear is ordinary. The system is everything.
The system is mostly invisible, which is why it doesn't make for good television but makes for good investigations.
What about the admissibility standards? You mentioned chain of custody earlier, but I'm curious whether different jurisdictions have different requirements for digital photographic evidence specifically.
They do, and this is where things get nuanced. In the US federal system, photographic evidence is generally admissible under Rule 901 of the Federal Rules of Evidence, which requires that evidence be authenticated — meaning you have to produce testimony that the photograph is a fair and accurate representation of what it depicts. That's the traditional standard. But digital photographs introduce an additional layer because they're so easy to manipulate. So courts have started expecting more — metadata, hash verification, testimony about the capture process.
This varies state by state too, I assume.
Some states have adopted specific standards for digital evidence. California has a whole body of case law around this. The UK has the Police and Criminal Evidence Act, which sets out specific requirements for how digital evidence must be handled. A PI working across jurisdictions needs to know the standards for each one.
Which means the organization system has to be adaptable. You might need different metadata fields or different retention periods depending on where the case might end up in court.
And it's why the better case management platforms let you configure fields by case type and jurisdiction. It's not one-size-fits-all.
The software has to be flexible enough to accommodate different legal standards, but rigid enough that investigators can't skip steps.
That's the design tension. Too flexible, and the system doesn't enforce discipline. Too rigid, and it doesn't adapt to different case requirements. The best platforms find a balance — mandatory fields for the essentials, optional fields for jurisdiction-specific requirements.
I'm also thinking about the practical reality of doing this in the field. You're sitting in a car, you've just taken a photo of someone, and now you're typing a note on your phone. That's a moment of vulnerability — you're looking down, you're distracted. Is there a way to do the tagging by voice?
Some of the apps support voice-to-text for exactly that reason. You can speak your note while keeping your eyes on the subject. "Subject entering building at one-four-seven Oak Street, carrying brown package." The app transcribes it and attaches it to the photo. It's not perfect — voice recognition in a car with the engine running isn't ideal — but it's often better than looking down at a screen.
The transcription becomes part of the contemporaneous record, same as a typed note.
Same evidentiary weight, yes. The key is that it's captured at the time of observation, not reconstructed later.
I'm trying to think of what else a solo practitioner would need that we haven't covered. What about the physical notebook? Does that still exist in this workflow, or is everything digital?
Most PIs I've looked into still keep a physical notebook. It serves a different function. The notebook is for observations that don't attach to a specific photograph — timelines, impressions, things the subject said that you overheard, contextual details. But the notebook and the digital system need to reference each other. So you might write in your notebook "photo sequence 001 through 014, subject meeting with unidentified male," and those photo numbers correspond to the file names in the digital system. The two records cross-reference.
The notebook and the digital system are parallel tracks that point at each other.
If one fails, the other exists. It's another layer of redundancy.
Which is comforting until you realize you now have two organization systems to maintain instead of one.
This is why being a PI is mostly paperwork. The surveillance is maybe twenty percent of the job. The other eighty percent is writing, tagging, filing, and cross-referencing.
The Cormoran Strike of television is about seventy percent surveillance, twenty percent brooding, and ten percent paperwork. The real Cormoran Strike is about fifteen percent surveillance and eighty-five percent data entry.
The brooding, to be fair, is probably still present. Brooding is jurisdiction-independent.
Brooding requires no chain of custody.
And now: Hilbert's daily fun fact.
Hilbert: In the 1930s, a mainstream anthropological theory held that Polynesian wayfinders originally navigated to Tuvalu by following the migration patterns of a now-extinct species of glowing pelagic worm, which was believed to bioluminesce in long surface trails visible from outrigger canoes at night. The theory collapsed when no physical evidence of the worm was ever found and it was quietly abandoned by the 1940s.
Glowing worm highways in the Pacific.
I have so many questions and I know none of them have answers.
This has been My Weird Prompts. Our producer is Hilbert Flumingtop. If you enjoyed this episode, you can find more at myweirdprompts.com. We'll be back with another one soon.
