Validation 101: How to Document Links Between Suspects and Digital Intelligence


When investigators put together evidence to move a case forward, they’re telling a story. The story includes not only what evidence was discovered, but how it was discovered – and what steps the forensic investigators took to protect the chain of evidence.

Validation of investigative methods, and of the processes and technologies used to collect and analyze evidence, is a critical part of preparing a case that will hold up in court. The validation process starts right at the beginning of an investigation and may continue until the case closes.

Understanding the Process

Knowledge of the validation process isn’t limited to the forensic investigation experts. It’s important that everyone from frontline officers to investigators to prosecutors and attorneys understands how to validate the state of devices, the sources of data, and how the resulting Digital Intelligence was collected and examined. (Digital Intelligence is the data collected and preserved from digital sources and data types – such as smartphones, computers, and Cloud sources – and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to more efficiently run their investigations.)

Why Validation is Important

Why is validation so important to the outcome of a case? First, the level of the crime and the corresponding punishment can be vastly different depending on the care taken with digital evidence validation. In cases involving sexual exploitation of children, for example, a person who is producing content such as images or videos would be subject to far longer prison terms if convicted. A person who received such content and possessed it on a device could still be subject to criminal penalties – but not as severe as those facing the content producer. By determining the origin of the offensive content, investigators can pinpoint how the content came to be in a person’s possession.

Validation can also help identify who was in possession of the device when the evidence was created. There are many ways this can be done. Putting a person behind a device when an activity occurred will help the investigator understand the implications of the case. Was the suspect really responsible for the crime? Again, the story of the evidence should speak for itself, but validation will ensure nothing is overlooked or misinterpreted.

Evidence Tied to a Specific Device

Suspects may attempt to claim that damaging evidence on a device, such as photos or videos, was created by someone or something else and then sent to the suspect’s device. Investigators can note that content was created by the same device in question – for example, noting that a photo was taken by an iPhone 12, which is also the device being investigated. Usually, that’s not compelling enough since there are millions of such devices in the public’s hands.

A stronger validation point is to show that the image’s or video’s sequential file name – such as IMG1332.jpg – falls in numerical and timestamp order with other content known to have been generated by that specific device, along with log entries that track activity on the device and show which applications were in use at specific times. A timeline of activity helps tell the story of how the data came into existence.
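The sequence-and-timestamp check described above, as an added example that is not part of the original column or Cellebrite’s tooling: it takes a list of photos known to have been created by the seized device (constructed sample data) and reports whether a disputed file’s number and capture time slot consistently between its neighbours. The `IMG_` naming and ISO timestamps are assumptions standing in for whatever the real device and extraction report provide.

```python
import re
from datetime import datetime

# Constructed sample: camera-roll photos known to be taken by the seized device,
# with the device's own sequential names and capture times from their metadata.
KNOWN_DEVICE_PHOTOS = [
    ("IMG_1330.jpg", "2021-03-04T09:12:05"),
    ("IMG_1331.jpg", "2021-03-04T09:12:41"),
    ("IMG_1333.jpg", "2021-03-04T09:15:10"),
    ("IMG_1334.jpg", "2021-03-04T09:17:58"),
]

# Accepts both IMG_1332.jpg and IMG1332.jpg styles (hypothetical naming pattern).
_NAME_RE = re.compile(r"^IMG_?(\d+)\.jpe?g$", re.IGNORECASE)


def _seq(name):
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a device-style name: {name}")
    return int(m.group(1))


def _ts(value):
    return datetime.fromisoformat(value)


def fits_device_sequence(candidate, known=KNOWN_DEVICE_PHOTOS):
    """Return (verdict, reason) for a (name, timestamp) pair.

    The candidate is 'consistent' only if its sequence number is unused by the
    known photos AND its timestamp lies between the timestamps of the known
    photos numbered just below and just above it. A number that is already
    taken, or a timestamp out of step with the neighbours, is the kind of
    inconsistency that suggests the file was transferred in rather than
    captured in place.
    """
    c_seq, c_ts = _seq(candidate[0]), _ts(candidate[1])
    ordered = sorted(known, key=lambda p: _seq(p[0]))
    if any(_seq(p[0]) == c_seq for p in ordered):
        return ("conflict", "sequence number already used by a known device photo")
    before = [p for p in ordered if _seq(p[0]) < c_seq]
    after = [p for p in ordered if _seq(p[0]) > c_seq]
    if before and _ts(before[-1][1]) > c_ts:
        return ("inconsistent", f"timestamp precedes lower-numbered {before[-1][0]}")
    if after and _ts(after[0][1]) < c_ts:
        return ("inconsistent", f"timestamp follows higher-numbered {after[0][0]}")
    return ("consistent", "sequence number and timestamp agree with neighbours")
```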

Owner of a Device

One low-tech way to validate a device’s owner is to simply ask. Skilled front-line investigators at a crime scene, or during the course of an investigation, can ask a person to enter the device password or provide it for access. This, in itself, can be a point of validation – if you know the password, odds are good that it’s your device. Validating the owner information in the settings on the device is the best way to identify who the device belongs to.

Investigators can also ask a suspect or witness about events which may be tied to information on a device like a smartphone, and in this way, confirm that the device was used by that person. “Do other people use this phone, or just you? Did you have it in your possession yesterday?” These are simple but important questions an investigator can ask.

Data Remaining in Original State

Typically, when investigators remove hard drives from devices like desktop or laptop computers, they will only connect the drives to forensic hardware using special adapters that will not write additional information to the drive itself. In contrast, if the drive is connected directly to a computer without write-protection, data may be written to the evidence drive without any ill intent: a host computer naturally probes a newly connected drive and may write to it in the process. This may sound like a minor forensics stumble, but it could open the door to challenges by defense counsel who say that the drive’s data has been tampered with.

This challenge becomes tougher when mobile phones are involved. The data on mobile phones is changing constantly – for example, when recording GPS locations and checking for e-mail or text messages. It’s difficult to keep a phone in the exact state it was in when a person of interest was using it. In addition, phones cannot be write-protected when connecting to a forensic workstation. The extraction software and hardware will not see a write-protected device. Because of this, validating the tools you use is important, as is understanding how the tools extract the data.

In many cases, forensic investigators will work to overcome possible challenges about altered evidence by using a digital fingerprint such as a hash value, a value computed from the data that uniquely identifies it. If a crime suspect takes a selfie on their phone with weapons, for example, and that photo can be shown to generate the same hash value in the forensics lab as when it was first collected, investigators can explain to courts that the photo is in the same state it was in when the suspect took the picture. Hashing is widely used as a digital fingerprint to ensure data has not changed.
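The hash-as-fingerprint workflow described above, as an added example that is not from the original column or any vendor tool: a manifest of SHA-256 values is recorded at collection, and the same files are re-hashed later in the lab so that any altered or missing item is flagged. Files are read in chunks so large evidence images are never loaded whole; the sample "files" are constructed byte strings in memory.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # hash evidence in 1 MiB pieces instead of reading it all at once


def sha256_of(stream):
    """Return the SHA-256 hex digest of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def build_manifest(items):
    """items: {name: file-like}. Record each item's hash at collection time."""
    return {name: sha256_of(stream) for name, stream in items.items()}


def verify_manifest(manifest, items):
    """Re-hash the items later and compare with the collection-time record.

    Returns {name: 'match' | 'MISMATCH' | 'MISSING'} so every discrepancy is
    explicit rather than silently ignored.
    """
    result = {}
    for name, expected in manifest.items():
        stream = items.get(name)
        if stream is None:
            result[name] = "MISSING"
        else:
            result[name] = "match" if sha256_of(stream) == expected else "MISMATCH"
    return result


# Constructed sample data standing in for files pulled from the device.
SELFIE = b"\xff\xd8\xff\xe0" + b"selfie-bytes" * 100 + b"\xff\xd9"  # fake JPEG body
NOTES = b"meeting at 9"


def demo():
    """Collection-time manifest, then a lab copy in which one file was altered."""
    at_scene = build_manifest({"IMG_1332.jpg": io.BytesIO(SELFIE),
                               "notes.txt": io.BytesIO(NOTES)})
    in_lab = {"IMG_1332.jpg": io.BytesIO(SELFIE),
              "notes.txt": io.BytesIO(b"meeting at 8")}  # one byte changed
    return verify_manifest(at_scene, in_lab)
```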

Pushing for 100% Validation

While validation best practices like the ones above may not be able to show with 100-percent certainty who used a device, or whether a suspect can be tied to a device’s data, consistent chain-of-evidence practices can help deter challenges. As with most cases involving Digital Intelligence, it’s the overall body of evidence that can help result in convictions, so it makes sense for front-line officers as well as lab technicians to adopt validation techniques at every stage.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the second Wednesday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.