May 13, 2016
Don’t Forget the Victim (And Their Device)!
Regardless of whether your case involves
computers, tablets, iPhones, Android devices or all of the above, one thing the
investigative community can agree on is that every case is different. Sure, certain cases will follow a workflow
pattern, but the circumstances of every case, the suspects/targets,
investigators and victims all take on different faces, which can alter your
approach to conducting digital forensic analysis in the case slightly or
dramatically. We’ve all seen a surge in
criminal (and civil) cases involving smart phones and other mobile devices and
with that comes the mountain of evidence that is contained on those powerful pocket
computers that store up to 128 GB of data (or more, depending on when you’re
reading this). But consider this: You
may only be getting half of the story if the only device you seize and analyze
is that belonging to the target of your investigation.
The best case example we can use to
illustrate this point is the investigation of a rape allegation. Rape doesn’t happen in a bubble; it takes two
people (or more) for a rape to occur.
And virtually everyone involved in these incidents owns and uses a
smart phone on a daily basis.
Frequently, rape occurs when the alleged perpetrator knows the victim,
either through some sort of early-stage relationship or as a family friend, relative,
etc. Because experienced investigators
know this to be true and many reports will validate this, it is your
investigative responsibility to prove or disprove the claim. In order to help do that, you need to seize
not only the target’s phone data, but also the alleged victim’s phone data –
all as soon as possible.
The best (and sometimes worst) thing
about mobile device forensics is that once we have the data extraction, it’s
ours. It is a digital snapshot of
whatever was present on the device at the time the extraction took place and,
depending on the device, may also give us access to deleted information. So in the interest of conducting a thorough
investigation, I put forth that when an alleged rape victim makes the report, investigators
should make it a regular and common practice to ask for consent to perform a
data extraction on his/her phone. It is
simply the easiest way to get a 360-degree view of the case.
A More Holistic View of the Data
Consider also what happens in the mind
of the target after they know they may have committed a crime. Text and chat messages are deleted. Pictures of the alleged victim get erased
from the device. They may even dispose
of the device altogether and replace it with a new, fresh phone that has
virtually no useful evidence contained on it.
Wouldn’t it be nice if the other side of those conversations still
existed on another device? What’s more,
by grabbing the data from the alleged victim’s phone, you work toward a more
complete investigation of the allegation.
It is an unfortunate reality that there are often false reports of
serious crimes. This certainly doesn’t
mean that we automatically assume the victim may be lying, but it is our
responsibility to fully investigate the case to determine what actually
happened. Victims and eyewitnesses are
notoriously unreliable for different reasons.
When victims are subjected to trauma, their accurate recollection of the
incident can suffer to a degree, so that puts even more onus on the
investigator to try to piece the puzzle together.
The best part about the data is that it
doesn’t lie. It has a perfect memory and
it’s all documented, complete with date and time stamps, EXIF metadata, GPS
coordinates, network activity and other great pieces of evidence that are very
hard, if not nearly impossible, for most mobile device users to spoof or
fake.
Spoofing is a Thing
While the data doesn’t lie, it can be
manipulated somewhat by either or both parties.
As demonstrated in this
news piece we helped out with, one can simply download a free app, assign a
desired number to it and send text messages to themselves as if they were
someone else, perhaps an ex-boyfriend or some other acquaintance. Then, if the messaging app is deleted, to
the untrained investigator, this evidence looks legitimate on its face. But it’s only part of the story.
In the somewhat rare instance where
this happens, it is absolutely vital to get the alleged victim’s cell phone
dump. Getting even a logical extraction
from the device might show what happened, but it’s always advisable to get as
much data as you can in the form of a physical extraction, SIM card data, SD
card image, etc. I realize these things
may take time, but remember, the victim came to you for help. If they back off on wanting that help, don’t
ignore your instincts. That could be a
warning sign that you’re dealing with a false claim.
Conclusion
A Brief Note About Encryption
Encryption is the big bugaboo in
forensics. More and more devices are
coming to the consumer out-of-the-box with some sort of encryption already in
place. Heck, this is the whole rub
between Apple and the FBI…
But consider that if your suspect or
target has a device with encryption in place, the alleged victim may be much
more willing to hand over their device for extraction, whether their device is encrypted
or not. From a law enforcement
investigative perspective, the victim is generally much more cooperative and, in theory, would be willing to provide you with a passcode (as well as other potential
credentials) in furtherance of the investigation on their behalf. It could be the only digital evidence you get!
Never forget there is always more than
one person involved in the investigation.
Grabbing the alleged victim’s cell phone data in this circumstance could
mean the difference between an innocent person being convicted of a serious
crime or being exonerated fully. When
all the facts have been completely uncovered, the truth must remain and will
have to hold up in a court of law.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
cases in Virginia court history. A
graduate of SCERS, BCERT, the Reid School of Interview & Interrogation
and various online investigation schools (among others), Siewert continues to
hone his digital forensic expertise in the private sector while growing his
consulting & investigation business marketed toward litigators,
professional investigators and corporations.