Tuesday, April 19, 2022

Pretty Maps & Plea Bargains: Tips on Handling Cellular Records Analysis in Criminal Defense Cases



I’m going to be blunt from the start:  If you are not using a trained, qualified, experienced & knowledgeable analyst for cellular records analysis (i.e., historical cell site location), then you are doing your client a large disservice, regardless of the side you’re representing.  Furthermore, if you’re taking what the other side tells you as 100% truth, you’re already behind the curve.


Do I have your attention?


Why do I say this?  Because I’m coming off the likely second murder acquittal in about a year where the government used analysts to try and pinpoint their suspect’s location using historical cell site location data to illustrate that the Defendant was in or around a relevant location (i.e., crime scene) at or around the incident being investigated and prosecuted.  Both of these analysts were from federal 3-letter agencies and had allegedly analyzed the same records I was provided.  I’ll get more into the specifics later…


Historical Cell Site Analysis at a Glance


Before we get into specific case examples, we should define and discuss briefly what historical cell site location records are and are not.  There are volumes of articles and at least one book written on the topic, but I’ll try to trim the fat off the conversation to a simple definition:


Cellular companies keep records of activity on their network.  This activity often involves the phone’s use (calls, texts and data) and a listing of the particular cell sites (i.e., towers) used for these events.  Cell sites are most commonly divided into three sectors covering the full 360 degrees around the site, which means that each sector on most cell sites covers an arc of roughly 120 degrees.  Please note, there are exceptions to this.  However, with the data that is acquired from the cellular provider in the investigation and litigation process, we can map these cell sites, using their verified GPS coordinates, and use the sector-specific information contained in the records to map the generalized location of a cell phone that is allegedly tied to a Defendant or litigant.


Depending on the timing of the request to the cellular provider, we can also potentially receive and map what are commonly referred to as “specialized location records”, which attempt to estimate the GPS coordinates (longitude & latitude) of the phone itself, within a certain confidence level detailed in the records.  These records can be problematic when used as evidence, but this is where the knowledge and competence level of the analyst also becomes crucial.


It should be noted that these records were never intended to be used in litigation.  They are held by the cellular providers to help increase the user experience and efficiency on the cellular network.  It just so happens that the ubiquitous nature of cell phones in daily life has led to the location of a cell phone (and potentially the person carrying it) to be valuable data in criminal and civil litigation when analyzed & presented competently.


Not All Analysts Are Created Equal


Just like in the practice of law, medicine, auto mechanics, etc., it is a truism in cellular analysis that not all analysts possess the same work ethic, knowledge, training, capability or level of competence.  The vast majority of historical cell site data analysts work for the government, and as such, can present their data and analysis with an air of confidence and authority.  But I have seen multiple cases where this simply is not the case.  Consider the following examples:


Case study #1:  A homicide where data records were used to try and tie the Defendant to the phone.  Defendant’s primary phone in use was not in question, but the government attempted to illustrate that the “burner” or “drop” phone with which the victim last communicated also belonged to the Defendant by correlating the location of the two phones (known phone & burner phone) together over time, as well as attempting to tie the burner phone and defendant to the area where the victim’s body was located.


Defense Counsel hired a private-sector analyst (me) to conduct an independent analysis of the records and confirm or refute the assertions of the government with regard to this analysis.  The problem was, the 3-letter agency’s analysis contradicted itself without explanation.  See the image below, which was entered into evidence as part of the larger initial analysis:




Map #1


Pretty map, isn’t it?  The problem, as is highlighted in the red boxes (upper left and lower right), is that this map puts the burner phone (events cited in the red boxes & wedges) miles apart at virtually the same time.  No explanation was provided in the report for this.  When this was brought forth in cross-examination of the government’s analyst, they testified that their agency calls this “teleportation”.  And no, that’s not a joke.


There’s actually a very reasonable explanation for this, which was not relayed to the jury until the analyst was called back to the stand in rebuttal of my testimony and, as coincidence would have it, produced a much more detailed map.  Regardless, the Defendant was acquitted of the murder charge.  Was it because of this?  I have no idea.  But I’m sure this didn’t help the jury’s confusion about this data… Nor did the “teleportation”!


Case Study #2:  A homicide where the Defendant was accused of the murder and assisting the shooter (who was found guilty prior to our Defendant’s trial) in getting away from the crime scene.  The 3-letter agency analyst produced a very short report/analysis, which lacked many things.  Take a look at one of the images and I’ll explain what’s lacking:




Map #2


Another beautiful map!  But what’s missing?  First, the crime scene is barely visible amongst the other noise on the map.  The map is hard to decipher.  Second, two crucial pieces are missing – the illustration of other cell sites in the area as well as any other potentially relevant locations.  And not simply alibi locations either – basic things like the Defendant’s home, which is actually within this map view, but you’d never know it because it wasn’t included in the illustration.  Simply put, this is an incomplete analysis.  It seeks to prove a theory and disregards the context.  


What are the cell sites and why is that important?  There are dozens of cell sites in the area of the above map (#2), some of which are closer to the crime scene.  And while I cannot emphasize strongly enough that it is not 100% true that the phone always connects to the closest cell site, without the illustration of where the other cell sites are located, we don’t even have enough information to scrutinize.  It’s an analysis in a bubble.  The green & red dots on map #1 --  Those are the cell sites in a fairly populated metropolitan area, similar to the area in the map #2.  Here’s the same event from map #2 in the same area from the same case, but with the context added (and easier to decipher):




Those orange dots are all cell sites for this cellular carrier in the area not used for this event.  The other potentially relevant locations, as well as the crime scene, have also been added to this map.  The final potentially relevant piece is the terrain of the area.  While not a large issue in this particular example, geographical features like terrain can have an effect on which cell site the cellular device chooses to use.  For further context, this usage event was 4 minutes after the shooting (as verified by surveillance video time stamp).  As you can see, there are several cell sites in between this event and the crime scene, but again, the cell phone will NOT always connect to the closest cell site, rather the cell site with the best signal.  That said, the cell site in use is over 2 miles away from the crime scene in a fairly densely populated area.


This map was generated as a more complete view of the relevant data and presented in comparison to map #2 for presentation to the Jury.  The exclusion of this information in map #2 is inexplicable.
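The two consistency checks discussed in these case studies can be scripted. The following is an added example, not the author's tooling: it flags consecutive events whose serving cell sites are too far apart for the elapsed time (the "teleportation" in map #1) and lists the carrier's sites that sit closer to a location of interest than the site actually used (the context missing from map #2). The site coordinates, events, scene location and the 90 mph review threshold are constructed assumptions, and every distance is measured between cell sites, not to the phone itself.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MI = 3958.8

# Constructed sample data, not taken from any carrier's records.
SITES = {  # site id -> (latitude, longitude)
    "A": (37.5400, -77.4400),
    "B": (37.5400, -77.4000),
    "C": (37.5600, -77.4400),
    "D": (37.6000, -77.3500),
}
EVENTS = [  # (UTC time of usage event, serving site id) for one phone
    ("2022-01-10T21:00:05", "A"),
    ("2022-01-10T21:00:20", "D"),
    ("2022-01-10T21:30:00", "B"),
]
CRIME_SCENE = (37.5450, -77.4350)  # hypothetical location of interest


def haversine_mi(a, b):
    """Great-circle distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * asin(sqrt(h))


def flag_rapid_site_changes(events, sites, max_mph=90.0):
    """Return consecutive event pairs whose serving sites are farther apart
    than max_mph allows for the elapsed time. A flag marks an item the
    analyst must explain in the report; it does not prove movement, since
    a phone can select a distant site for signal reasons."""
    parsed = sorted((datetime.fromisoformat(t), s) for t, s in events)
    flags = []
    for (t1, s1), (t2, s2) in zip(parsed, parsed[1:]):
        if s1 == s2:
            continue
        miles = haversine_mi(sites[s1], sites[s2])
        hours = (t2 - t1).total_seconds() / 3600
        mph = float("inf") if hours == 0 else miles / hours
        if mph > max_mph:
            flags.append({
                "from_site": s1, "to_site": s2,
                "seconds": (t2 - t1).total_seconds(),
                "site_distance_mi": round(miles, 2),
                "implied_mph": round(mph),
            })
    return flags


def nearer_sites(sites, location, serving_id):
    """List (site id, miles) for every site closer to `location` than the
    serving site, nearest first. These are the sites a map needs to show
    before anyone can scrutinize why the serving site was selected."""
    serving_mi = haversine_mi(sites[serving_id], location)
    nearer = [(sid, round(haversine_mi(pos, location), 2))
              for sid, pos in sites.items()
              if sid != serving_id and haversine_mi(pos, location) < serving_mi]
    return sorted(nearer, key=lambda item: item[1])


if __name__ == "__main__":
    for flag in flag_rapid_site_changes(EVENTS, SITES):
        print("review:", flag)
    print("sites nearer the scene than serving site B:",
          nearer_sites(SITES, CRIME_SCENE, "B"))
```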


Why Is Any of This An Issue?


I have been engaged in historical cell site records analysis in litigation for approximately 6 years, and in the practice of forensic data analysis (computers, cell phones, etc.) for 13 years.  In that time, I’ve conducted dozens of analyses of carriers of all types, cases spanning from insurance investigations to divorce/custody disputes to criminal prosecution and defense.  The practice of historical cell site analysis is not “junk science”, no matter what snake-oil salesman “defense expert” may try to tell you.  It works in most cases, if done properly.  And if it didn’t work, no one would use it.  Further, location of the phone is but one use of these records.  There are multiple others, as discussed here.


That said, the problem I’ve seen repeatedly with criminal investigations utilizing historical cell site analysis is that Defense Counsel may be misinformed or lacking in their knowledge about what is presented to them by the government’s analyst.  When a client is charged with a serious crime and the government gets the historical cell usage site location records and requests the [insert 3-letter law enforcement agency name here] to conduct an analysis and produce pretty maps showing that your guy was likely there at the wrong time, it tends to force a plea bargain because it looks good and it’s relatively technical.  This happens regularly and can often not be in the best interest of the client.


So what can help your client?  A thoughtful and informed conversation with an independent, experienced historical cell records analysis expert who can look at the records and provide a practical assessment.  To be clear, you do not want a “defense expert”.  You want an independent expert who will take in all of the available data and conduct as thorough an analysis as possible, given what is available through discovery.  And there’s more to “available data” than simply the records in most cases.


A Few Tips From Experience


I’m not perfect and I don’t know everything.  On top of that, I’m not a lawyer.  However, I have worked many large litigation cases with these types of records and I’ve learned a few tips along the way that could help the process along more smoothly:


Consider obtaining the records allegedly associated with the target of the investigation independent of discovery.  This assists in the ability for you to introduce the records and your expert’s analysis at trial, even if the government chooses not to do so.  If the government never enters the records into evidence, it may not be possible for the hard work of your analyst to be presented to the judge or jury.  Obtaining these records can be done via Court Order and should be done as soon as possible and in consultation with your independent expert for proper terminology of the request.  Some carriers don’t retain certain records for a long period of time (see record retention article here.  Updated data may be available.)


The value of illustrating these usage events on a map can be compelling evidence, but static maps don’t always tell the whole story.  Consider using an expert who has access to tools that will help animate the movement in the usage to help paint an overall clearer picture of the cellular location evidence in your case.  To date, I’ve not seen a government analyst use animations to illustrate the records.  I have, however, conducted analysis for the government using animations.


Be careful with your stipulations prior to trial.  Stipulating to the authenticity of the records is probably OK.  Anything beyond that, including stipulating to the other analyst’s credentials, may cause issues down the road during trial testimony and presentation of evidence.


Don’t forget that there is probably relevant data in more than one place.  While it’s true the government has likely tried to cover all of their bases on this – particularly in a major criminal case – that doesn’t mean that there won’t be information to help confirm or refute alibis, alternate location data, etc. that is stored on the cell phone itself or potentially in cloud data sources.  If your cellular analyst doesn’t also have experience with analysis of these items, I’d suggest finding someone who has the ability to conduct this “holistic” type of analysis incorporating all potentially relevant pieces of data.


Look closely at what isn’t provided.  I’ve learned that there is almost as much (if not more) value in looking at the evidence that ISN’T presented than there is at looking at evidence that IS presented.  If something obvious – like data from the Defendant’s cell phone (i.e., the device itself) – was obtained, analyzed and not presented as evidence, that probably means there may be something on that phone that is not favorable to the other side’s case.  Look at this closely.


In Conclusion


I was in law enforcement for nearly 15 years, and I still travel the country teaching cops in any number of different subjects, including this one.  Many of my former (and current) law enforcement compatriots may read this article and conclude that I’m trying to give the defense a “leg up” or reveal some trade secrets.  Nothing could be further from the truth.  My goal in relaying this information is simply to do my part to ensure the right people go to prison and the innocent people do not.  This involves hard work, no matter who the victim is or what the circumstances of their death or attack may have been.  I work many cases for the prosecution.  I work many cases for the defense.  The truth is always the ultimate goal, and should be for everyone involved in this process.  


A final note for prosecuting attorneys who are using government analysts in these investigations:  The devil is in the details with this data.  There can often be missteps, omissions or other potential Brady-like material that is overlooked simply because the right questions were not asked by the analyst or a plea is expected in many of these cases.  While it is true that many times this data can help prove your case, I’ve seen more success with a 360-degree approach to the evidence, rather than relying on one piece to illustrate guilt. 


Author: 

Patrick J. Siewert

Founder & Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!



We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness in digital forensics and historical cell site analysis & mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Monday, February 14, 2022

When the Absence of Evidence is Good Evidence



Fielding dozens of inquiries every month for nearly 9 years as a digital forensic service provider, we start to get a good sense about what many cases involve, even before the details of an incident are revealed.  Whether the case involves mobile device evidence, computer evidence, cellular records analysis or electronic-based investigation, the general approach to the case, depending on the scope, is about the same.  What many attorneys and their clients are seeking is the proverbial “smoking gun” or “nail in the coffin” of their case.  As we often tell them, that does happen, from time to time.  But it is not the norm.  


More often than not, we are provided data that is lacking or missing something important.  The question then becomes why is the data missing, when did it go missing and who (if anyone) caused it to become missing?  In this game of piecing the digital puzzle together, often what is absent can also be key to the case.  But there are some definite considerations that go along with this notion as well.




The Value of Missing Data


There are circumstances where missing data can tell a decent part of the story.  For instance, on some mobile devices, items in certain areas are stored sequentially and numbers (or indices) in the sequence are not repeated.  Accordingly, if we find that there are missing numbers in the sequence, we can conclude that something was removed from the table that stores this information.  Can we always recover the data itself?  No.  But we can often determine that it was removed and at the very least approximate when it was removed, using process of elimination.
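The sequence-gap check described above, as an added example that is not the author's tooling. It assumes the records sit in a SQLite table whose key is declared AUTOINCREMENT and that rows were inserted in time order; the table, column names and sample rows are constructed. The neighbors' timestamps bracket when the missing records were created, which also sets the earliest time they could have been removed.

```python
import sqlite3


def build_sample_db():
    """Constructed sample: ten messages, four of them then removed."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE message ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " sent_utc TEXT NOT NULL,"
        " body TEXT)"
    )
    rows = [(f"2022-01-10T09:{m:02d}:00Z", f"msg {m}") for m in range(1, 11)]
    con.executemany("INSERT INTO message (sent_utc, body) VALUES (?, ?)", rows)
    # Simulated removal: two interior records and the two newest records.
    con.execute("DELETE FROM message WHERE id IN (4, 5, 9, 10)")
    con.commit()
    return con


def find_gaps(con):
    """Return the runs of missing ids in the (hypothetical) message table.

    Each gap carries the timestamps of the surviving neighbors. A gap shows
    that records are absent, not who removed them or why; application
    clean-up is one alternative explanation to rule out.
    """
    rows = con.execute(
        "SELECT id, sent_utc FROM message ORDER BY id"
    ).fetchall()
    gaps = []
    prev_id, prev_ts = 0, None
    for cur_id, cur_ts in rows:
        if cur_id - prev_id > 1:
            gaps.append({
                "first": prev_id + 1,
                "last": cur_id - 1,
                "count": cur_id - prev_id - 1,
                "created_after": prev_ts,
                "created_before": cur_ts,
            })
        prev_id, prev_ts = cur_id, cur_ts

    # Removing the newest rows leaves no gap between survivors, but
    # AUTOINCREMENT keeps the highest id ever issued in sqlite_sequence.
    seq = con.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'message'"
    ).fetchone()
    if seq and seq[0] > prev_id:
        gaps.append({
            "first": prev_id + 1,
            "last": seq[0],
            "count": seq[0] - prev_id,
            "created_after": prev_ts,
            "created_before": None,  # bounded only by the acquisition time
        })
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(build_sample_db()):
        print(gap)
```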


We can further determine the prior existence of this data by:


1) Searching for the likely file names or monikers of the missing data to see if there are any other records of those files being accessed or used on the system or device.

2) Looking at the timeline of activity on the device or system to determine what took place during the time frame that the data is suspected to have been removed.  Many other areas of the device may have been used during this time frame and can help show the overall activity around it.

3) Looking at patterns of removal of data, either in this or other categories, to see if perhaps a mass-deletion of data may have taken place.  There are always alternative explanations which need to be explored before coming to concrete conclusions.


We can also try to determine if some or all of the missing data might have been stored elsewhere.  Alternative and backup data storage such as computer syncing and cloud-based storage are valuable, common areas that could potentially store either more data and/or the deleted data to help answer these important questions.


The Expert’s Conclusions re: Missing Data


The ultimate goal in missing data analysis is to be able to come to some conclusion within a reasonable degree of certainty.  This is not always easy and it’s almost never 100%.  However, as analysts and Experts who testify in legal matters, digital forensic practitioners can be *mostly* sure about what happened through thorough analysis and testing, depending on the scope of the case and the needs of the Client.  


The important point about our conclusions with regard to when items were deleted and who deleted them lies in the thoroughness of our work.  Leaving no stone unturned is a good approach, but it’s also time-consuming and expensive.  Many clients will not want to support this cost expenditure, mostly because they don’t see the need for it.  Ultimately, it is the analyst’s reputation and work that will be scrutinized in court and by other experts; therefore, the analyst should be steadfast in their calls for whatever measures are appropriate to support their conclusions in court.  Whatever the conclusions are, they must be articulated, defensible, repeatable and supported by the data.  Otherwise, they will not pass evidentiary muster and ultimately the client will not be served by the expenditure.


This is another area where peer review can play a vital role.  No digital forensic analyst knows everything about every data storage medium, file system, application, mobile device, etc.  However, with a thoughtful and thorough peer review of the procedures, findings and conclusions, we take another valuable step to validating those conclusions for the finder of fact.   




A Brief Case Study


We once worked a divorce case involving an iPod with internet connectivity.  The husband, our client, found videos on a computer of his wife engaged in sexual relations with another man.  When the Court ordered her devices turned over, including the iPod on which she was suspected to have chatted for months with her paramour, there were no messages found.  However, there were suggestive pictures and videos located on the iPod, which supported the suspicion of chatting behavior.


Additionally, the Court ordered her laptop hard drive to be analyzed.  On the laptop hard drive, there were a number of iPod backup files, nearly all of which contained the application-based chats with the paramour, including their sexually explicit conversations and his admission to killing another person in another state.


Wrapping It Up


We like to take the approach that the data is virtually always somewhere.  But even if it’s not anywhere, we can often find markers, indicators, patterns and evidence that it existed in some form prior to our obtaining the data enough to be able to come to some conclusion about it.  The key lies in the ability, competency & knowledge of the digital forensic analyst to be able to determine what may have happened, when and who is responsible.  Just because it’s not there doesn’t mean your case is dead or that your analyst can’t do anything to help.  Tenacity is a virtue in digital forensics.  Make sure to scrutinize the characteristics of your analyst before asking them to work your case.  Not all analysts (or lawyers or clients or… ) are created equally.


Author: 

Patrick J. Siewert


Friday, November 5, 2021

Popular Case Studies in Digital Forensics


In today’s ever-changing and increasing technological world, digital forensics has become an important step in civil and criminal investigations. This typically involves collecting, extracting, and examining data evidence from computer hard drives, mobile devices (smart phones, tablets, GPS units, etc.), emails, text messages, social media, location (or GPS) data, and cloud storage systems.

There are several notable and famous cases in which digital forensics was used to solve the case. Most of the population of this country has heard of these cases: the BTK Killer (Dennis Rader), the Craigslist Killer (Philip Markoff), and Larry J. Thomas vs. the State of Indiana.

For over 30 years, the BTK Killer, aka Dennis Rader, tortured and killed at least ten people while evading identification and capture in Wichita, Kansas, beginning in the early 1970s. He made a habit of taunting law enforcement by sending cryptic messages during his killing spree. Everything seemed to stop in 1991, when BTK seemed to just disappear. However, it was this habit that led to his capture and arrest on February 25, 2005. Prior to his arrest, Rader contacted law enforcement to ask whether he could communicate with them via a floppy disk, in effect asking whether it could be traced back to a specific computer.  After a number of weeks, a floppy disk was received by a local television studio and was swiftly traced back to a computer he used at his church, Christ Lutheran Church, and the Park City library. In addition, the file details (metadata) found in the properties section of one of the documents showed that the document had been saved by an individual named “Dennis”. This was in the early stages of digital forensics and produced very notable results.

Craigslist is a well-known website where individuals can buy or sell goods and services. However, the site became synonymous with a murder case that was eventually solved using digital forensics. On April 14, 2009, a New York woman, Julissa Brisman, was found murdered in an upscale hotel in Boston. There was additionally a report of an assault on another woman who was robbed at gunpoint. Both women had posted an ad on Craigslist, which is how the Craigslist killer, 23-year-old Philip Markoff, had found his intended victims. On the night of the crimes, they had each made an appointment to meet a man named “Andy M.”

Investigators were able to trace emails sent between the victims and Markoff and discovered the IP address of the postings, which led them to Markoff after submitting subpoenas for IP address ownership information. There were also phone calls exchanged between Markoff and the victims in this case. The phone numbers were traced back to prepaid cell phones. Surveillance video from the hotel captured a young man in a black leather jacket and a New York Yankees baseball cap entering and exiting the hotel around the time of Brisman’s murder. Once law enforcement discovered the killer’s name, they turned to Facebook for research and discovered he was engaged to a woman named Megan McAllister. Police staked out the couple’s apartment and waited for Markoff. He was arrested on April 20, six days after the murder, and died after his fourth attempt at committing suicide in prison.


In the third case, Larry J. Thomas vs. State of Indiana in 2016, Thomas was found guilty of the attempted robbery and murder of Rito Llamas-Juarez in his car and was linked to the murder through social media and Offer Up, which is an app used to buy and sell items. Thomas had set up a meeting to sell an iPhone 6 to Llamas-Juarez in a parking lot.

Based on witness accounts of the incident, law enforcement turned to Facebook and discovered Thomas was using the name “Slaughtaboi Larro” and had posted photos of himself carrying an assault rifle. The ammunition used in the murder of Llamas-Juarez matched that of the weapon shown in the images, and a bracelet he wore in them was found at the crime scene. Cell phone records not only put him at the scene of the murder but also identified the Offer Up app, which was used to set up the meeting with Llamas-Juarez. A treasure trove of evidence was later found in his possession at his residence, and he was subsequently arrested.


Civil cases can also utilize digital forensics to help prove or disprove a claim between two parties, companies or their representatives.  One of the most famous divorce cases involved Tiger Woods. After becoming suspicious about his behavior, Tiger’s model wife, Elin Nordegren, texted night club hostess Rachel Uchitel, pretending to be Tiger.  This infidelity was later proved in court in 2010.  Without this confirmation, the claim of infidelity would have been difficult to prove.  This case also highlights the ease with which people can spoof or fake text messages and why having a forensic analysis of a mobile device (or all devices) in a large litigation case is crucial.


Text messages, emails, social media or a varying array of application data can be used in most civil cases such as divorce, intellectual property (IP) theft or employee misconduct to help prove or disprove claims made in the case.

Wrapping It Up

All four of these cases were solved using one form of digital forensics or another. Although it was in its infancy at the time of BTK, digital forensics has changed and continues to adapt to the newest technologies. With many individuals utilizing the internet and social media or mobilizing with their digital media or fitness apps, the use of digital forensics in litigation has become a critical component in assisting to solve crimes. Technology is always changing and increasing in capability, therefore it is crucial for digital forensics to do the same. Crime and civil disputes will never stop. Accordingly, digital forensics is a tool that investigators and litigators will increasingly need to be aware of and evolve with as the complexity of cases evolves.

Author: 

Tami Smith

Digital Forensic Examiner

Professional Digital Forensic Consulting, LLC 


About the Author:

Tami Smith is a Digital Forensic Examiner and Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA). An Army Veteran and a Summa Cum Laude graduate of Computer Forensics and Digital Investigations, she has had the opportunity to practice in the field, examining civil and criminal cases with the discipline of her military experience. Tami holds vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is also a Private Investigator in the state of Virginia. She continues to hone her digital forensic knowledge, education, and experience in the private sector.


Tami Smith on LinkedIn:  https://www.linkedin.com/in/tami-smith-1b28ab29/