FISH Cloud Digital Evidence Management System

FISH comprises of modules which have the capabilities to collect fully compliant evidence images at crime scenes. Crime scene photos including fingerprints can be taken using mobile devices then transmitted and shared to relevant police facilities for analysis, reporting and the creation of fully audit-able court presentations.


  • The remote collection and transmission of high quality crime images
  • The accurate transmission of images for analysis to investigators
  • Local force sharing of images for assessment and presentation
  • Remote sharing of images for assessment and identification
  • Task management of jobs between local and remote forces
  • The ability to create fully audit-able court presentations
  • Fully compliant with 17025 for fingerprint images
  • Management and storage of imagery as primary evidence
  • Secure storage and management of images under MOPI rules


  • Force collaboration across the United Kingdom
  • Significant automation of the processing of evidence
  • No loss of evidence
  • Fully audit-able
  • Fully compliant with 17025
  • Cloud service means little impact on Forces ICT departments
  • Sharing of workloads means more effective processing
  • Court presentation image albums significantly easier to create
  • Reduction of cracked cases
  • Irrefutable outcomes for early guilty pleas


£27.00 to £81.00 a user a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sp6technologies@gmail.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

6 2 7 5 8 4 0 4 2 9 6 6 1 2 2


Telephone: 07836363490
Email: sp6technologies@gmail.com

Service scope

Software add-on or extension
What software services is the service an extension to
The underlying local crime or resource management applications like Socrates, Niche and Pronto. Asset management systems and image libraries like Fotoware. Local Lab Management and analysis systems National identification systems like IDENT1
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints
FISH DF uses UK Cloud who are already a major cloud supplier to HM Government and police forces with no known constraints. In addition FISH DF is deployed in numerous forces who have disparate ICT platforms, including virtual environments such as Citrix, with no known constraints or issues.
System requirements
  • Current generation Windows based desktop PCs and servers
  • Windows XP to 10, Windows Server 2012 R2 or higher
  • Internet Explorer version 10 or higher
  • Epson scanners or those with TWAIN drivers
  • Optional media card reader
  • Optional printers require generic Windows drivers
  • Android version 5 or higher

User support

Email or online ticketing support
Email or online ticketing
Support response times
P1 (Blocker/ Critical) 1 working hour
P2 (Major) 1 working hour
P3 (Minor) 1.5 working hours
P4 No loss of service 2 working hours
User can manage status and priority of support tickets
Online ticketing support accessibility
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Four service levels:

P1-Blocker/Critical. Loss of service impacting all users such that are unable to complete business function:
•Critical fault or failure of Licensed Software;
•Substantial damage/loss of Customer data;
•Severe performance degradation.

P2-Major. Loss of service impacting groups of users such that are able to complete business function albeit with some loss of business efficiency:
•Failure of a major feature of Licensed Software;
•Damage to Customer data;
•Performance degradation.

P3-Minor. Loss of service impacting one user or function such that the customer can continue their business process with some loss of business efficiency:
•Minor failure of Licensed Software;
•Performance degradation

P4-No Loss of service, only cosmetic.

Level Initial-Response Initial-Analyses Resolution
P1 1-Hour 5-Hours 1-Days
P2 1-Hour 1-Day 2/3-Days
P3 1.5-Hours 3-Hours 5-Days
P4 2-Hours 5-Hours 1-Month

*Time is working hours/days

•Escalation procedures

•Access to software updates, maintenance releases and patches;

•Access to 24x7 online support web site.

•Unlimited support requests: Available Monday-Friday, 08.30 to 20.30 UK time with exception of public holidays.

Support charges are various dependent on size of installation (part-cloud/part-on-site) and other factors around usage.

Our platform supplier (UKCloud) offers a full range of support options including a technical account manager and cloud support engineers.
Support available to third parties

Onboarding and offboarding

Getting started
A site survey is recommended prior to a full quotation so that business requirements, connectivity and deployment issues can be identified and assessed. An example questionnaire is available on request which highlights any IT and operational considerations that need to be agreed prior to deployment. Building, configuring and on-boarding a new customer environment normally takes between 3-5 days.

Installation and configuration work packages are defined and documented prior to deployment

Onsite training is available from a senior fingerprint examiner with long term experience in the FISH product and service. Training is either to small groups of 5-10 people or to 'train the trainer'

Online training is available by video conferencing.

Guidelines and user documentation is available for remote transmission and the job processing applications.
Service documentation
Documentation formats
End-of-contract data extraction
Images stored in the FISH online archive can be bulk exported. Each image will have a sidecar text file containing submission and audit / chain of custody information.

The API can be used to extract past job information.

SP6 also offers the ability to destroy images as required or by automatically applying local or MOPI rules.
End-of-contract process
SP6 uses the services of a world class expert on Fingerprint and Biometric services, who designed and built the UK's first shared service at EMSOU ( East Midlands Scientific Operations Unit ). In addition there is a user group - FISH User Group, and holds regular workshops with it clients to ensure legislative changes such as ISO-17025 or innovative new functionality, such as the recent Remote Transmission Proof of Concept at the Yorkshires, are incorporated into the latest FISH versions. This "horizon scanning" ensures our clients are current and have shared benefits. However as part of the end of contract planning we will offer options to extend the contract, Users to take in house as well as agreed shutting down support. Our expert consultant will work with the force to ensure the minimum disruption and to include advice and guidance on any transformation the new incoming software will need around business process change. This support has not been costed in to date but in recognition of this question SP6 will offer one day of end of life support -with no charge. Any additional days would be costed at our current day rate in the sfia price list.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Compatible operating systems
  • Android
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
FISH was requested by the Home Office Transforming Forensics team to build a remote transmission PoC with West Yorkshire police which was a successful Tier 1 service and is fully operational with over one and half million images processed to date. Remote transmission is supplied as a module with in the FISH product suite. The desktop service includes the same as the mobile but is also used for image processing, identification and workflow where high performance and large screens are recommended
Service interface
Description of service interface
The service interface is used to manage: Directory services for users, grouping, access permissions and workstation configurations. Static configuration data such as evidence types. Evidence, Workflow and Case Management service definitions. System configurations such as communication protocols, export formats, hardware connections and interfaces with 3rd party systems such as email servers, active directory and force management systems.
Accessibility standards
Accessibility testing
The mobile submission process and the workflow servers have been penetration tested at West Yorkshire Police
What users can and can't do using the API
There are two API interfaces - one for the submission of images and one for full lab management. The API is based on RESTFULL calls using an HTTPS protocol and commands in JSON format API calls fall into the following sections User identification Directory services Submitting images Case and exhibit management services Workflow services Alert and notification services Equipment management services Viewing and editing images Viewing tracking and audit information Viewing published reports Managing static data API calls are controlled through user group functionality and access permissions. Only authenticated logged in users can use API calls. An example is only a service manager can change access permissions for another user. Another is only a supervisor can delete images. Calls are defined with options to create, update or delete data with defined fields as mandatory. API calls can not delete user or audit records. Control of API calls can be customised by the FISH support team as required
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Buyers can customise many aspects of the system including standing data tables, workflows, case details, exhibit management processes, evidence types, directory services. Reports and dashboards can be customised using an online editor. Configuration schemas are used to customise: Printing. Scanning. Burning CDs. File import and export services. AFIS feeds.


Independence of resources
Prior to installation SP6 will assess with the client potential workload peaks and agree the appropriate provisioning of the cloud platform. That service architecture along with associated SLA's, will be designed in such a way that the underlying IT cloud infrastructure can be flexed to meet any operational demands whether that is an increase or decrease of usage with no degradation of service.

In order to guarantee that users are not affected by the demands from other users, we use resource reservations and shares such as internet bandwidth shaping.


Service usage metrics
Metrics types
All aspects of the operational use of the FISH service can be generated. These include SLAs, audits and usage reports.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Four ways to manually export data.

By case or by selected image to a CD, folder, media card or 'MyDocuments'. Images can be converted to TIF, JPEG, JPEG200, PNG, or BMP to defined size, resolution, depth and with custom naming convention

By printing images as single prints or as an album

By printing or exporting a case report

Bulk export to a file server by archive an archive management tool
Data export formats
  • CSV
  • Other
Other data export formats
  • Original image
  • Converted image formats such as jpeg, jpeg2000, tiff, png, bmp
Data import formats
  • CSV
  • Other
Other data import formats
  • Professional image formats TIF, JPEG, JPEG200, NEF, RAW, PNG, BMP
  • PDF documents

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Other
Other protection between networks
We offer the choice of connecting:
• Via the internet using additional encryption such as TLS 1.2
• IPSec VPN tunnels
• Via private networks such as leased lines or MPLS
• Via public sector networks such as PSN, N3, Janet
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
UKCloud: We use dedicated CAS-T circuits between each of our sites to ensure the protection of customer data in-flight. We additionally encrypt this data within our Elevated OFFICIAL platform. All data flows are also subject to our protective monitoring service.

Availability and resilience

Guaranteed availability
Up to 99.99% availability assured by contractual commitment
Approach to resilience
UKCloud (SP6 platform supplier) offers an SLA for customers for Service availability. Single-site service availability for a customer is 99.5%. Dual-site service availability for a customer is 99.99%.
All service elements within a single site are resilient and are redundant between sites catering for high availability services. Objects are automatically replicated across nodes to protect against hardware failure. The UKCloud service is deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware).

UKCloud can provide a system design review and analysis with the customers if required. This is available on request and at additional charges, price on application
Outage reporting
SP6 reports any outage via email alert to customers.

UKCloud outages will be reported via the Service Status page and the notifications service within the UKCloud Portal.  Outages are identified as Planned maintenance, Emergency maintenance, and platform issues.  In addition, the designated Technical Account Manager will proactively contact FISH-DF as appropriate who will then contact customers.

Identity and authentication

User authentication needed
User authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Access is restricted in management interfaces and support channels by using user and workstation group permissions. A set of groups are defined in-conjunction with the customer that are linked to system functionality and ability to manage certain crime types, evidence types and viewing of reports. Users and workstations are added/removed from a group by the customer service manager.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Lloyds Register (LR)
ISO/IEC 27001 accreditation date
8th May 2012
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
28th October 2016
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
PCI certification
Other security certifications
Any other security certifications
  • ISO27018
  • Cyber Essentials
  • Cyber Essentials Plus
  • ISO9001
  • ISO20000
  • ISO27017
  • CISPE (Cloud-Infrastructure-Service Providers-in-Europe) Code of Conduct Certification

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
CSA STAR, ISO27001, ISO27017, ISO27018 and ISO20000
Information security policies and processes
The security of our platform is our number one priority. We have always been committed to adhering to exacting standards, frameworks and best practice. Everything we do is subject to regular independent validation by government accreditors, sector auditors and management system assessors. SP6 are governed by our end clients in the UK police forces and adhere to their required (various) levels of clearance and standards especially when using remote access to upload or manage the SP6 software.

Regarding hosting, UKCloud has a number of inter-connected governance frameworks in place which control both how the Company operates and the manner in which it delivers cloud services to its customers. These have been independently assessed and certified against ISO20000, ISO27001, ISO27017 and ISO27018 by LRQA, a UKAS accredited audit body. The Company is governed by an integrated suite of information security policies. Under the top level Information Security Policy itself are second-level documents with specific focus on Acceptable Use, Antivirus Protection, Asset Management, Business Continuity Management, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
SP6 conform to ITIL best practice but are not currently accredited.

UKCloud has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITILv.3 and the current ISO20000 standard. Formal configuration management activities, including record management and asset reporting, are monitored and validated constantly, and any identified discrepancies promptly escalated for investigation. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
UKCloud has a documented vulnerability management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 and ISO27001 standards. Where technically possible, real-time updates and status reports are identified and sourced from credible vendor sources, which cover a significant proportion of UKCloud’s asset population. For other systems and software, assigned personnel have responsibility for regularly reviewing technical forums and specialist groups to promptly identify and evaluate any emerging patches or updates which require our attention.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Following best practice from the National Cyber Security Centre, UKCloud protects both its Assured and Elevated platforms with 24x7 enhanced protective monitoring services, vulnerability scanning and assessment.  Our approach to protective monitoring at minimum meets the Protective Monitoring Controls (PMC 1-12) outlined in NCSC document GPG13 (Protective Monitoring for HMG ICT Systems).  It includes checks against systems events (SIEM) and network traffic analysis, including time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and status of backups.  Any alerts generated are logged and investigated 24x7.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Incident management has four processes based on the four priority levels P1-Blocker/Critical, P2-Major, P3-Minor and P4-RFC:

Initial response
Initial Analysis

The 'Escalation' procedure has three levels of response based on:
Help desk supervisor
Senior Manager
Head of IS

The user reports incidents using the 24/7 online FISH service desk or for P1 critical issues by telephone or by email to the FISH support desk.

Incident reports are provided through the 24/7 online FISH Service Desk

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)


£27.00 to £81.00 a user a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sp6technologies@gmail.com. Tell them what format you need. It will help if you say what assistive technology you use.