Friday, May 13, 2016
May 13, 2016
Don’t Forget the Victim (And Their Device)!
Regardless if your case involves computers, tablets, iPhones, Android devices or all of the above, one thing the investigative community can agree on is, every case is different. Sure, certain cases will follow a workflow pattern, but the circumstances of every case, the suspects/targets, investigators and victims all take on different faces, which can alter your approach to conducting digital forensic analysis in the case slightly or dramatically. We’ve all seen a surge in criminal (and civil) cases involving smart phones and other mobile devices and with that comes the mountain of evidence that is contained on a those powerful pocket computers that store up to 128 GB of data (or more, depending on when you’re reading this). But consider this: You may only be getting half of the story if the only device you seize and analyze is that belonging to the target of your investigation.
The best case example we can use to illustrate this point is the investigation of a rape allegation. Rape doesn’t happen in a bubble, it takes two people (or more) for a rape to occur. And virtually everyone involved in these incidents owns & uses a smart phone on a daily basis. Frequently, rape occurs when the alleged perpetrator knows the victim, either in some sort of early-stage relationship, a family friend, relative, etc. Because experienced investigators know this to be true and many reports will validate this, it is your investigative responsibility to prove or disprove the claim. In order to help do that, you need to seize not only the target’s phone data, but also the alleged victim’s phone data – all as soon as possible.
The best (and sometimes worst) thing about mobile device forensics is, once we have the data extraction, it’s ours. It is a digital snapshot of whatever was present on the device at the time the extraction took place and, depending on the device, may also give us access to deleted information. So in the interest of conducting a thorough investigation, I put forth that when an alleged rape victim makes the report, investigators should make it a regular and common practice to ask for consent to perform a data extraction on his/her phone. It is simply the easiest way to get a 360-degree view of the case.
A More Holistic View of the Data
Consider also what happens in the mind of the target after they know they may have committed a crime. Text and chat messages are deleted. Pictures of the alleged victim get erased from the device. They may even dispose of the device altogether and replace it with a new, fresh phone that has virtually no useful evidence contained on it. Wouldn’t it be nice if the other side of those conversations still existed on another device? What’s more, by grabbing the data from the alleged victim’s phone, you work toward a more complete investigation of the allegation. It is an unfortunate reality that there are often false reports of serious crimes. This certainly doesn’t mean that we automatically assume the victim may be lying, but it is our responsibility to fully investigate the case to determine what actually happened. Victims and eye witnesses are notoriously unreliable for different reasons. When victims are subjected to trauma, their accurate recollection of the incident can suffer to a degree, so that puts even more oneness on the investigator to try and piece the puzzle together.
The best part about the data is, it doesn’t lie. It has a perfect memory and it’s all documented, complete with date and time stamps, exif metadata, GPS coordinates, network activity and other great pieces of evidence that are very hard to spoof or fake, if not nearly impossible for most mobile device users.
Spoofing is a Thing
While the data doesn’t lie, it can be manipulated somewhat by either or both parties. As demonstrated in this news piece we helped out with, one can simply download a free app, assign a desired number to it and send text messages to themselves as if they were someone else, perhaps an ex-boyfriend or some other acquaintance. Then, if the messaging app is deleted, to the untrained investigator, this evidence looks legitimate on its face. But it’s only part of the story.
In the somewhat rare instance where this happens, it is absolutely vital to get the alleged victim’s cell phone dump. Getting even a logical extraction from the device might show what happened, but it’s always advisable to get as much data as you can in the form of a physical extraction, SIM card data, SD card image, etc. I realize these things may take time, but remember, the victim came to you for help. If they back off on wanting that help, don’t ignore your instincts. That could be a warning sign that you’re dealing with a false claim.
A Brief Note About Encryption
Encryption is the big bugaboo in forensics. More and more devices are coming to the consumer out-of-the-box with some sort of encryption already in place. Heck, this is the whole rub between Apple and the FBI…
But consider that if your suspect or target has a device with encryption in place, the alleged victim may be much more willing to hand over their device for extraction, whether their device is encrypted or not. From a law enforcement investigative perspective, the victim is generally much more cooperative and, in theory, would be willing to provide you with a passcode (as well as other potential credentials) in furtherance of the investigation on their behalf. It could be the only digital evidence you get!
Never forget there is always more than one person involved in the investigation. Grabbing the alleged victim’s cell phone data in this circumstance could mean the difference between an innocent person being convicted of a serious crime or being exonerated fully. When all the facts have been completely uncovered, the truth must remain and will have to hold up in a court of law.
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
We Find the Truth for a Living!