Digital Forensics: Window Into the Soul


Digital forensics, much like DNA, can be the key to unlocking unbiased truth. It offers its own patterns and "codes" that the examiner can link directly to a person. We have heard the rumblings. Our ubiquitous digital devices are "today’s DNA."

Just as DNA evidence revolutionized investigations in the 1990s, digital forensics is now becoming the best science, the leading tool, and our most powerful weapon for use in the ever-evolving criminal landscape.

However, one major difference is that a prosecutor would have an easy time proving that a suspect was never separated from his DNA. This is much less certain for one’s digital forensics presence, no matter how profoundly the defense attorney might argue otherwise.

The pitfall comes when, for whatever reason, an error occurs. In digital forensics, errors are usually the result of two or more mistakes. Let’s examine one critical error spawned by smaller mistakes within the Casey Anthony case. In this case a mother, Casey Anthony, was accused of murdering her own daughter, Caylee Anthony. The prosecution and the defense had their own digital forensics examiners. They independently generated almost the same information but arrived at different conclusions.

Casey’s defense attorney, Jose Baez, gave the jury what it needed the most: a viable alternative suspect, to wit, George Anthony, Casey’s father. Per the timeline, George and Casey were home when the following Google searches were initiated:

  • Chloroform
  • Chest trauma
  • Internal bleeding
  • How to make chloroform

However, there was one more critical search which, had the jury known about it, might have pushed them to vote guilty on the murder charge. While sources disagree on the exact term, they all agree that the search was highly incriminating and done at a time when only Casey Anthony was home with Caylee while George was at work. Some sources reported that the key words were “neck (plus) breaking” and some say “foolproof (plus) suffocation.” Without the expensive access to the trial transcripts this author cannot determine which is true, but, as a certified digital forensics examiner with capital murder trial experience, I can say that whichever term it was would have been dramatically detrimental to the defense.

Missing this search required two errors. Error one was the prosecutor simply missing the search altogether. Error number two, which nobody knew about, centered on the software used to reveal the search terms. That software was reporting searches as being executed exactly two hours before they occurred. If the jury had been hit with that deadly search, which could only have been done by the mother of the dead child, the jury, almost certainly, would have convicted Casey Anthony.
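A constant timestamp shift and a missed record are both the kind of error a cross-check between two tools, plus one control record with an independently known time, can surface. The sketch below is an added example, not taken from the case or from any tool named in it; the tool outputs, record ids, timestamps and the control record are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not case data): the same history records as
# reported by two hypothetical parsing tools, keyed by record id.
TOOL_A = {
    "control": "2024-01-15 10:00:00",
    "rec-001": "2024-01-15 12:51:10",
    "rec-002": "2024-01-15 12:53:42",
    "rec-003": "2024-01-15 13:20:05",
}
TOOL_B = {
    "control": "2024-01-15 12:00:00",
    "rec-001": "2024-01-15 14:51:10",
    "rec-002": "2024-01-15 14:53:42",
    "rec-003": "2024-01-15 15:20:05",
    "rec-004": "2024-01-15 15:31:00",
}
# Assumed: the examiner created the "control" record at this known time.
CONTROL_TRUTH = "2024-01-15 12:00:00"


def compare_tools(a, b, control_id, control_truth):
    """Cross-check two tools' timestamps and flag a constant offset."""
    ts = lambda s: datetime.strptime(s, FMT)
    common = sorted(set(a) & set(b))
    if not common:
        raise ValueError("the two tool outputs share no records")
    deltas = {rid: ts(b[rid]) - ts(a[rid]) for rid in common}
    dominant, hits = Counter(deltas.values()).most_common(1)[0]
    truth = ts(control_truth)
    return {
        # Offset of B relative to A shared by the most records, in hours.
        "offset_hours": dominant.total_seconds() / 3600,
        # True only when every shared record shows the same nonzero shift.
        "systematic": hits == len(common) and dominant.total_seconds() != 0,
        # Records whose delta differs from the dominant one need manual review.
        "outliers": [r for r in common if deltas[r] != dominant],
        # Records one tool reported and the other missed entirely.
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        # Error of each tool against the independently known control time.
        "a_error_hours": (ts(a[control_id]) - truth).total_seconds() / 3600,
        "b_error_hours": (ts(b[control_id]) - truth).total_seconds() / 3600,
    }


if __name__ == "__main__":
    for key, value in compare_tools(TOOL_A, TOOL_B, "control", CONTROL_TRUTH).items():
        print(f"{key}: {value}")
```

On the constructed data, tool A reports every record two hours early and also misses one record that tool B found, so both kinds of error show up in a single comparison.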

Several years ago, our field was referred to as “computer forensics.” When the Motorola “Bricks” (DynaTAC 8000x) arrived in 1983, that term became doomed to obsolescence.

We began our transformation into a global mobile cellular society. Today our firm acquires about twenty phones for each computer. Digital forensics is now a more accurate description of our profession. Like all businesses we changed to keep pace with this constant metamorphosis.

Nowadays people commit crimes while carrying a computer in their pocket tracking their every move. Adults are secretly meeting their paramours while their phones are constantly pinging the towers. Teenagers still run away, but now they drop digital bread crumbs as they go. Crimes are planned online, executed online, and the money is being divided using online Visa cards and smartphone apps.

For us non-criminal types, don’t forget the most expansive tracker on the planet, Google’s “Sensorvault.” It tracks you, criminal or not! This location information provides a wealth of intelligence regarding the owner.

The tidal wave is growing.

Daily, record numbers of new smartphone activations are set. There are no downward trends in the "new activations" graph. This directly translates into a need for more mobile digital forensics examiners.

Years ago, we examined mostly computers. Our cases were simpler. More straightforward. We would meet with the client, the client would explain what they needed, and we went to work.

Today we receive cases from attorneys sending us their client’s phone, and sometimes a computer, asking us what kind of person our client is. Does she or he lie on the couch watching porn and snorting drugs, as the ex claims, or does she/he go to work followed by Scout meetings? Their digital devices answer those questions, and more.

Now we are asked to discover inculpatory and exculpatory lives. To illustrate this point, let us look at a case involving a cellphone owned by a 19-year-old teenager who had just been sentenced to 25 years for aggravated sexual assault of a child. Once the appellate attorney learned that neither the defense nor the prosecution had ever examined the convicted’s phone, the appellate attorney wanted my firm to find out what this kid was “about.” Not only evidentiary-wise, but also personality-wise: what did he do in his spare time? Who were his friends? Where did he go? Could he be trusted?

What we found would become the cornerstone of his exoneration three years later. We found the exculpatory life of a normal, healthy high school kid. He went to church, played football, was in love, and people loved him. We were also able to find images of the convicted containing metadata proving he was elsewhere when the children had been abused.

Additionally, during his retrial we learned more about the lead investigator on the case. He made several errors, but the most critical one was never visiting the crime scene during his entire four-month investigation.

That became a perilous error because, had the investigator done so, he would have realized that the victims had not described our client’s Spartan-like bedroom as the site of the crime. Or, had the investigator examined the phone, there were the images taken with our client’s phone to prove it.

The victims described a larger bedroom, with football trophies on the bookshelf, and where children slept. The room they described exactly matched the much larger bedroom of another young man just two doors down the hall. He played football, and the children napped in his room.

In a world where actions speak louder than words, a smartphone, with the proper application of digital forensics, can irrefutably establish patterns of behavior that the jury may use to determine what “kind” of person the owner may be. It could be invaluable to a jury presented with a he said/she said case.

From the moment you activate your phone you begin the process of changing it … making it unique. Soon, the differences between your phone and anyone else’s are massive. Soon, you have attained “exceptional uniqueness.”

Will digital forensics become today’s “digital DNA?” I don’t think so. These are two vastly different sciences. But, as its own science, it might be equal. On the one hand, science is implemented by humans, and humans make mistakes. The mistakes that humans make have ramifications that trickle throughout our work as digital forensics examiners. That will never change. Thus, we must learn from our mistakes, and the mistakes of others, to improve our profession. On the other hand, we also must understand that when smart, well-trained, dedicated people, like you, use proven software and established procedures, the most common outcome will be success. That is what you do as a certified digital forensics examiner. You are the scientists and your methods are scientific. Good thing, too; as we have seen, digital forensics, especially mobile digital forensics, can give us machine-generated digital data unique not only to the device, but also to its user.

Science has truly given us a window into the soul.