Computer Forensics: What Can You Do About Deleted Data?


co-authored by Ian Whiffin, Senior Digital Intelligence Expert, Cellebrite

In the world of criminal investigations, the dramatic kind of digital evidence tampering, such as altering data on a smartphone to frame an innocent person, happens mostly on police-procedural TV shows. The average frontline officer or forensic examiner may never come across such a technically complex case, but they certainly will encounter more common forms. Evidence deletion, by suspects and witnesses alike, is a far more likely form of tampering.

However, all is not lost when crucial evidence seems to have vanished into thin air. Digital Intelligence technology combined with investigator skill can detect that evidence has been tampered with, and even evidence that cannot be fully recovered can still help build a case against a suspect.

Finding evidence of deletion, but not the evidence itself

Deleting pieces of evidence such as photos or text messages can be done intentionally or unintentionally. For example:

  • A victim might decide that a particular photo or text wasn’t needed.
  • A suspect might purposely delete evidence they know might implicate them in a case.
  • A device or app may automatically purge data after a set retention period.

Some people might go so far as to wipe a device completely. Of course, doing so would be a massive tipoff to examiners: There are few things more suspicious than a phone devoid of internet browsing history, texts, call records, and photos.

In the past, detecting and recovering deleted data was fairly straightforward: deleted records often lingered in unallocated storage or in free database pages until they were overwritten. Since encryption became commonplace on devices and their storage, recovering those remnants is much harder. In many cases, examiners find only the gaps where evidence may once have resided, not the evidence itself.

For example, a simple text message database typically assigns each message a sequential record number. An examiner might find a gap in those numbers, something like 1, 2, 4, 5, 6, from which it is reasonable to infer that a record number 3 existed at some point. Because the surviving records carry timestamps, the examiner can also bound when record 3 was created: after record 2 and before record 4.

However, examiners may never be able to recover the content of that message, so they cannot say with certainty, "This was an evidential message that has been deleted." All they can do is document that messages were deleted and try to find corroborating evidence of what they contained. That may come from other files on the device itself or from a different source, such as another device, a backup, or a warrant return.

Evidence of deleted data will likely never be key evidence on its own in a prosecution, but it may be part of a bigger picture. In one case I worked on, the suspect put forward a defense that he was being blackmailed and that the allegations against him were the result of not giving in to the blackmailer's demands. He provided screenshots of messages between himself and the alleged blackmailer which, if true, would prove that he was the victim of a malicious complaint.

On inspecting the original complainant's device, none of the damaging messages were found. But it was clear from the pattern of missing records that all messages that proved the blackmail plot to be true had been selectively deleted. This was enough evidence to prevent an innocent person from being convicted, and it flips the script on what examiners are usually looking for.

In a recent paper by Ian and his research colleague Shafik Punja of CGI, the authors offered some words of wisdom about what examiners can (and cannot) deduce about deleted evidence, based on studies of SQLite databases, a database format widely used on smartphones among other things:

The conclusions drawn in this paper resulted in some general inferences that can be made. 

  • An identified missing record that comes after the most recent existing record indicates, with a high degree of professional certainty, that the device user has intentionally deleted a record.
  • Equally, a group of missing records that falls between two existing records indicates, with a high degree of professional certainty, that the device user has intentionally deleted these records.
  • If timestamps are present for existing records, this provides temporal context, relative to the existing records, for when the missing/deleted records were originally created.
  • The exact date and time at which a missing record was deleted cannot be ascertained.
  • Who performed the action of deleting records cannot be ascertained from the identification of missing records alone.
  • If a database table is empty and missing records are identified, in conjunction with the presence of the most recent record value in use, this indicates with a high degree of professional certainty that the device user has intentionally deleted these records.
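
To make these inferences concrete, here is an added Python example (not code from the article or from the Whiffin and Punja paper) that walks a message table the way an examiner would: it lists keys missing between surviving rows, bounds when each missing row was created from its neighbours' timestamps, and reads SQLite's sqlite_sequence table to catch records deleted after the most recent surviving one, including the empty-table case from the last bullet. The table name, columns and every row are constructed for the example; the script reports only that a row once existed, never when or by whom it was deleted.

```python
"""Infer deleted rows in a SQLite table from gaps in its integer key.

Added example; not code from the article or the Whiffin/Punja paper.
Assumes a table with an INTEGER PRIMARY KEY and a creation timestamp column.
The 'messages' table and every row in it are constructed for this example.
"""
import sqlite3
from typing import Optional


def build_sample_db(autoincrement: bool = True) -> sqlite3.Connection:
    """Constructed sample: ids 1..7 inserted, then 3, 6 and 7 deleted."""
    conn = sqlite3.connect(":memory:")
    keyword = "AUTOINCREMENT" if autoincrement else ""
    conn.execute(
        f"""CREATE TABLE messages(
                id      INTEGER PRIMARY KEY {keyword},
                created INTEGER NOT NULL,   -- unix seconds (constructed)
                body    TEXT)"""
    )
    base = 1_600_000_000
    conn.executemany(
        "INSERT INTO messages(id, created, body) VALUES (?, ?, ?)",
        [(i, base + i * 600, f"message {i}") for i in range(1, 8)],
    )
    # One interior deletion plus the two most recent messages removed.
    conn.execute("DELETE FROM messages WHERE id IN (3, 6, 7)")
    conn.commit()
    return conn


def high_water_mark(conn: sqlite3.Connection, table: str) -> Optional[int]:
    """Largest key ever issued, if the table uses AUTOINCREMENT.

    Without AUTOINCREMENT, SQLite assigns max(rowid)+1 on insert, so deleting
    the last record leaves no trace in the key sequence. Only sqlite_sequence
    (maintained by AUTOINCREMENT) lets an examiner see past the last surviving row.
    """
    try:
        row = conn.execute(
            "SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)
        ).fetchone()
    except sqlite3.OperationalError:  # no sqlite_sequence table in this file
        return None
    return int(row[0]) if row else None


def find_gaps(conn: sqlite3.Connection, table: str = "messages",
              key: str = "id", ts: str = "created") -> list:
    """Report keys that no longer exist and bound when each was created.

    Each finding is a dict with the missing key, the surviving neighbours
    ('after'/'before') and the timestamp window ('ts_low'/'ts_high') they
    imply. Keys beyond the last surviving row have no upper neighbour.
    The result says a row once existed; it does not say who deleted it or
    when, which matches what the examiner can actually testify to.
    """
    if not all(n.isidentifier() for n in (table, key, ts)):
        raise ValueError("table/column names must be plain identifiers")
    rows = conn.execute(f"SELECT {key}, {ts} FROM {table} ORDER BY {key}").fetchall()

    findings = []
    prev_id, prev_ts = None, None
    for cur_id, cur_ts in rows:
        if prev_id is not None:
            for missing in range(prev_id + 1, cur_id):  # interior gap
                findings.append({"id": missing, "after": prev_id, "before": cur_id,
                                 "ts_low": prev_ts, "ts_high": cur_ts})
        prev_id, prev_ts = cur_id, cur_ts

    last_id = prev_id if prev_id is not None else 0
    hwm = high_water_mark(conn, table)
    if hwm is not None and hwm > last_id:  # trailing deletions, or an emptied table
        for missing in range(last_id + 1, hwm + 1):
            findings.append({"id": missing, "after": prev_id, "before": None,
                             "ts_low": prev_ts, "ts_high": None})
    return findings


if __name__ == "__main__":
    for auto in (True, False):
        print(f"AUTOINCREMENT={auto}")
        for g in find_gaps(build_sample_db(auto)):
            print(f"  missing id {g['id']}: after {g['after']}, before {g['before']}, "
                  f"created between {g['ts_low']} and {g['ts_high']}")
```

Run it and compare the two passes: with AUTOINCREMENT the two trailing deletions (6 and 7) show up because sqlite_sequence still holds the high-water mark of 7; with a plain rowid table, which many apps use, the same deletions leave no trace in the key sequence and only the interior gap at 3 is reported. That is why a gap between surviving rows is strong evidence of deletion while the absence of a gap proves nothing.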

How to spot signs of deleted evidence

Examiners should go into the examination of digital evidence with the assumption that something might have been deleted, and search accordingly. Looking for gaps in database records is one of the most common ways to find signs of deletion. Examiners should also look for leftover artifacts of applications that have been uninstalled, as well as operating-system usage records that can show an app was run even after the app itself is gone.

This tactic is, in part, how examiners for the South Wales Police in the United Kingdom helped put together a case against a person suspected of distributing indecent images of children (IIOC). Officers had received a tip that the suspect was using file-transfer services such as Mega and Telegram to share the images. Using Digital Intelligence tools, examiners found artifacts of both Mega and Telegram, showing that the apps had been installed and later deleted. The discovery motivated examiners to keep searching for IIOC, which they found in a secured folder. (The case is ongoing and may come to court by fall 2021.)

While modern Digital Intelligence technology helps us unearth app artifacts and detect gaps in database sequences, it is the "antennae" of well-trained examiners that lead us to what is not visible in the evidence. For example, if examiners believe a suspect used the internet but there is no internet history on the device, that is an anomaly. They can dig deeper into which applications were in use at the same time; if apps were used but no browsing history was recorded, the device owner may have used private browsing or deleted the history.

Examiners can also examine cached files such as "favicons," the small icons a website supplies for display in the browser tab, for example the styled "G" you see when you visit Google.com. Favicons live in a separate database that records the web addresses they were fetched for, and that database is not always cleared when browsing history is deleted. Examiners can cross-reference it to say, "This website was visited at some point," and estimate when from the timestamp the browser recorded for the icon.
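
As an added example (not code from the article), the following Python script performs that cross-reference against tables modelled on Chrome's Favicons and History SQLite databases. The schema is simplified and the rows are constructed for the example: one site survives in history, a second exists only in the favicon mapping, and the script reports the second together with the time the browser last refreshed its icon, converted from Chrome's WebKit microsecond timestamp format.

```python
"""Cross-reference a browser's favicon database against its history.

Added example; not code from the article. The tables are a simplified copy
of Chrome's 'Favicons' (favicons, favicon_bitmaps, icon_mapping) and
'History' (urls) SQLite schemas; every row is constructed for this example.
Chrome stores times as microseconds since 1601-01-01 UTC (WebKit time).
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """Microseconds since 1601-01-01 -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Aware datetime -> WebKit microseconds, using exact integer arithmetic."""
    d = dt - WEBKIT_EPOCH
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds


def _wk(iso: str) -> int:
    """Helper for the constructed sample: ISO string (UTC) -> WebKit time."""
    return datetime_to_webkit(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc))


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: history keeps one site, the favicon DB remembers two."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE favicons(id INTEGER PRIMARY KEY, url TEXT, icon_type INTEGER);
        CREATE TABLE favicon_bitmaps(id INTEGER PRIMARY KEY, icon_id INTEGER,
                          last_updated INTEGER, image_data BLOB,
                          width INTEGER, height INTEGER);
        CREATE TABLE icon_mapping(id INTEGER PRIMARY KEY, page_url TEXT,
                          icon_id INTEGER);
    """)
    conn.execute("INSERT INTO urls VALUES (1, 'https://www.example.com/', 'Example', 3, ?)",
                 (_wk("2021-03-01T10:00:00"),))
    conn.executemany("INSERT INTO favicons VALUES (?, ?, 1)", [
        (1, "https://www.example.com/favicon.ico"),
        (2, "https://mail.example.org/favicon.ico"),
    ])
    conn.executemany("INSERT INTO favicon_bitmaps VALUES (?, ?, ?, x'00', 16, 16)", [
        (1, 1, _wk("2021-03-01T10:00:05")),
        (2, 2, _wk("2021-03-02T21:15:00")),  # history rows for this site are gone
    ])
    conn.executemany("INSERT INTO icon_mapping VALUES (?, ?, ?)", [
        (1, "https://www.example.com/", 1),
        (2, "https://mail.example.org/inbox", 2),
    ])
    conn.commit()
    return conn


def sites_without_history(conn: sqlite3.Connection) -> list:
    """Pages the favicon DB knows about whose host has no history row.

    last_updated is when the browser last fetched the icon, which happens on
    a visit, so it gives an approximate visit time for a site whose history
    entries are missing. Matching is by hostname because the mapped page URL
    often differs in path or query from the history entries.
    """
    history_hosts = {urlparse(u).hostname for (u,) in conn.execute("SELECT url FROM urls")}
    rows = conn.execute("""
        SELECT m.page_url, f.url, MAX(b.last_updated)
        FROM icon_mapping m
        JOIN favicons f ON f.id = m.icon_id
        LEFT JOIN favicon_bitmaps b ON b.icon_id = f.id
        GROUP BY m.page_url, f.url
        ORDER BY m.page_url
    """).fetchall()
    findings = []
    for page_url, icon_url, last_updated in rows:
        if urlparse(page_url).hostname in history_hosts:
            continue
        findings.append({
            "page_url": page_url,
            "icon_url": icon_url,
            "icon_time": webkit_to_datetime(last_updated) if last_updated else None,
        })
    return findings


if __name__ == "__main__":
    for f in sites_without_history(build_sample_db()):
        print(f"{f['page_url']} (icon {f['icon_url']}): no history; "
              f"icon refreshed {f['icon_time']:%Y-%m-%d %H:%M:%S} UTC")
```

As with key gaps, the finding is "this site was visited at about this time", not what was viewed there; the examiner documents the mismatch between the two databases and looks for corroboration elsewhere.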

While encrypted and deleted data may temporarily slow us in assembling cases and bringing suspects to justice, technology can help us detect the absence of data, and savvy examiners can use that knowledge to turn their "spidey senses" down another path. Remember: just because the data isn't there doesn't mean it isn't useful.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden's digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.