Monday, December 9, 2019

Digital Forensics in Sexual Assault Cases




Any practicing litigators and digital forensic analysts (as well as our regular readers) appreciate the value that digital evidence can add to their cases.  Civil, criminal and administrative matters can all have a data component to them, for which forensic data acquisition, analysis & reporting may be necessary and valuable.  The challenge when putting together a case strategy is whether or not the cost of digital forensic analysis is worthwhile to the overall case.  This particular approach in the case strategy should always meet with a resounding “YES!” when working sexual assault cases.  It is reported that false claims of sexual assault are five times as common as other types of crime, and the incidents at the heart of the claim are very often precipitated by text and/or picture messaging, often to a high degree, which can serve to help reveal the truth of the claim.

From One Side: The Accused

When an accusation of sexual assault is made, there is frequently a “he said, she said” factor.  But before the alleged assault took place, there is often a build-up of text and/or picture messages in some form.  In 2018 alone, Uber reported over 3,000 sexual assaults.  All activity on Uber is facilitated via the app, including a messaging component.  Uber also frequently logs GPS coordinate location while using the app.  All of this is extremely valuable data when attempting to prove or disprove whether the alleged perpetrator was at or near the incident location and in contact with the complaining witness, and whether any pre- or post-assault messaging took place.  But Uber is just one example…

Dating apps are another frequent data medium where activity precipitating a claim of sexual assault can take place.  Apps like Tinder, Bumble, Hinge, Match, etc. all serve to match potential dates and facilitate communication prior to meeting and/or exchanging phone numbers.  Several of these apps also have the ability to send picture messages.  In the event that messages have been deleted between the time of the contact and the alleged assault, a forensic data acquisition is critical to any recovery of those messages and should be performed as soon as possible after the report is made and legal authority is obtained.  Additionally, these apps are all location-based, so there may be data within the app that is not accessible to the user that may help prove or disprove the claim of sexual assault.



While app data is certainly valuable, the data stored within the standard text or iMessage databases should not be overlooked.  Even in cases where communication may have started on an application, very often users will transition to standard text messaging once there is a certain level of comfort.  In the past several years, we have worked multiple sexual assault cases where the deleted and recovered text messaging data led to the acquittal of criminal defendants.  In every case, this was because a false claim was made and ultimately proven to be false through acquisition, analysis and presentation of text message data from one location or another on the device.

As a brief note, certain app data may not be available through the forensic process and depending on the application, the recoverable artifacts can be more circumstantial than substantive (i.e., contact entries).  Snapchat, WhatsApp & Signal are all very challenging, depending on the device hardware and software (iPhone vs. Android).  Fortunately, mobile forensic developers are constantly working on these issues, so data that may not be available today could be available in the future.

From The Other Side:  The Complaining Witness

Despite there being five times as many false claims of sexual assault as other types of crime, there still seems to be a mental block with regard to obtaining a forensic data extraction of the device(s) belonging to the complaining witness.  As alluded to in our May 2016 article, obtaining the data from the complaining witness’ device as soon as possible after the incident is reported should be part of standard practice in any sexual assault claim.  Why?  Simply put, there are two sides to every story and as trained investigators will undoubtedly agree, the truth usually lies somewhere in the middle.

 

Aside from being able to confirm or refute the veracity of the claim, one party or the other may have deleted some of the pertinent data, which could prove invaluable in piecing the facts together.  No matter which party’s device is analyzed, it is absolutely vital to look in all potential areas for messages.  As previously stated, the accused and the complaining witness may have started communication on one medium and transitioned to another, so cross-referencing phone numbers, user IDs/monikers and other personally identifiable information is crucial to finding and reporting all of the relevant data.

It bears noting that obtaining the data from the complaining witness’ device has not been the normal practice in cases we’ve seen.  The rationale given for this is that the investigating entity doesn’t want to “re-victimize” the complaining witness.  The job of an investigator and a digital forensic examiner is to ultimately find the truth, no matter where that leads.  With only half of the potential data and a claim of assault, we potentially only have half of the story.  This “digital PERK kit” can and will add value to the overall investigation when so much is at stake for both parties, so obtaining the data from the complaining witness’ device is in the interest of truth and justice.  This should also be done with a high level of discretion and with either consent or a search warrant to obtain the data.

The Civil Side

The numbers of reported sexual assaults from Uber alone make it worth mentioning how vital this evidence can be from both sides, even in civil matters.  If a criminal claim of sexual assault is made involving a company or app-based service provider, that claim will many times lead to a civil suit being filed alongside or subsequent to the criminal investigation.  While the freedom of the accused may not be at stake in a civil claim, there may be millions of dollars involved in the claim arising from alleged sexual assault.  For all of the reasons cited here, the forensic data should be acquired from both plaintiff and defendant.  If data has previously been acquired by law enforcement in an accompanying criminal investigation, the same data should be requested through discovery.



Wrapping It Up

In the era of the #metoo movement and high-profile attention on sexual assaults in America, the value of forensic data as it relates to these claims cannot be overstated.  Proper collection, analysis, reporting and effective testimony about the findings can often make or break a case.  Ultimately, the truth is at the heart of the matter.  With a universal approach to every sexual assault investigation – criminal or civil – the digital evidence can help lead the finder of fact to the truth, which means justice will have been served. 

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Twitter: @ProDigital4n6

Wednesday, October 30, 2019

Three Reasons Why Call Detail Records Analysis Is Not “Junk Science”



October 31, 2019


Since introducing our private sector clients to the impact that cellular call detail records (CDR) analysis & mapping can have on their cases, we’ve had a lot of robust discussions with litigators and clients about the veracity and value of this evidence.  CDR analysis has been used for decades in law enforcement to help prove or disprove the approximate location of criminal defendants in major crimes.  Only in the past several years have civil litigators and insurance companies also been introduced to the value that this evidence can have on their cases and/or claims investigations.  In the time we’ve been conducting CDR analysis, we’ve worked varying types of cases from criminal prosecution for smaller prosecutor’s offices to domestic litigation to help prove/disprove cohabitation to high-dollar insurance claims to help determine if the claim and associated statements made under oath are verifiable with regard to location.  This specialty offshoot of digital forensics requires constant knowledge updating with regard to carrier practices and specialized training and tools to be able to perform these analyses effectively.


However, mainly among the Criminal Defense Bar, the notion has been put forth that CDR analysis may be “junk science” and therefore potentially unreliable as evidence in legal proceedings.  One such high-profile case in which CDR analysis was used to obtain a conviction was the case of State v. Adnan Syed, chronicled in the Serial Podcast.  However, as we’ve seen more recent developments in that case unfold, the “junk science” claim doesn’t necessarily lie with the practice, rather with the potential practitioner.  Indeed, even in computer forensics, certain vendors of forensic tools like to claim their tool has been “validated in court”, when in reality it is the examiner and their competence that needs to be validated in court.  The tool (or in this case, the cellular records) is/are just a dataset that needs to be analyzed competently to be introduced as evidence in a legal proceeding. 

Toward the end of establishing that CDR analysis is not “junk science”, here are three salient points that will help debunk the myth that these records and their associated analysis are not worthy of evidentiary status.

Reason # 1:  Cellular Records Are “Pure” Evidence

What do we mean by “pure” evidence?  Consider for a moment other types of digital evidence that are analyzed for use in court, such as the cell phone itself or a computer system.  These items are generally affected by the user to a great degree and therefore can be open to some scrutiny about the weight and value they hold.  Cellular Records are only available via court order or search warrant to the cellular provider.  A Verizon Wireless customer cannot call customer support and ask for their cellular call detail records with historical cell site data.  The provider will not provide this data absent legal process.  This means the user has very limited (if any) ability to manipulate the data, which makes the evidence about as pure as it gets. 

Furthermore, the record-keeper has no vested interest in altering the evidence.  In fact, they have every reason to maintain better, more accurate records!  It is a fact within the cellular industry that CDRs were never meant to be used as evidence in legal proceedings.  CDRs are kept by cellular providers so they can log and analyze their own networks for efficiency and to increase overall customer experience on the network.  Simply put, the records are kept for customer service purposes and cellular companies don’t make money by having poor customer service.  It is a fortunate byproduct that these records may be obtained via legal process and analyzed for potential use in legal proceedings.  This is why cellular providers don’t maintain these records indefinitely, as detailed in our 2017 article Cellular Provider Record Retention Periods.

Name another type of digital evidence that the user never touches and to which they generally don’t have access!

Reason # 2:  Automated Tools Have Greatly Decreased The Human Error Factor 

Back in 2001, when the incident detailed in season 1 of the Serial Podcast took place, there were few, if any, automated tools with which to conduct CDR analysis.  In modern casework, we have many options for automated tools analysis, including CellHawk, ZetX, CASTviz, Map Link, Pen Link, as well as some others.  Use of automated tools can save time and greatly reduce error, but they come with a few warnings:

· Not all tools are created equally.  If you’re using a tool that is free [to law enforcement], you’re generally getting what you pay for.
· Don’t rely on the tool to do all of the work.  Automated tools are great, but they cannot tell you if someone likely shut their phone off or sent a call to voicemail or left their phone in one location while committing an offense somewhere else.  Only manual analysis of the data and the behavior of the user can help verify these conclusions.
· VALIDATE!  If an automated tool is telling you something, make sure to always refer back to the original record for validation.  If an automated tool is citing a GPS coordinate for location, make sure you validate there is actually a cell site at that location.
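One way to script the validation step in the last bullet, as an added example that is not the author's workflow or any vendor's feature: it checks every coordinate a mapping tool reports against the carrier's own cell site list. The site IDs, coordinates, row layout and the 50 m tolerance are all constructed assumptions.

```python
import math

# Constructed sample data (not from any real carrier or case).
# Carrier-supplied cell site list: site id -> (latitude, longitude)
CARRIER_SITES = {
    "SITE-0101": (37.5407, -77.4360),
    "SITE-0102": (37.5538, -77.4603),
    "SITE-0103": (37.5246, -77.4933),
}

# Rows as exported by a hypothetical mapping tool: (record id, site id, lat, lon)
TOOL_ROWS = [
    ("r1", "SITE-0101", 37.5407, -77.4360),  # identical to the carrier list
    ("r2", "SITE-0102", 37.5539, -77.4602),  # rounding difference only
    ("r3", "SITE-0103", 37.6000, -77.4933),  # several km from the listed site
    ("r4", "SITE-0999", 37.5000, -77.5000),  # site id absent from the list
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    radius = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def validate_rows(rows, sites, tolerance_m=50.0):
    """Label each tool row: ok, coordinate_mismatch or unknown_site."""
    findings = {}
    for rec_id, site_id, lat, lon in rows:
        if site_id not in sites:
            # The tool cites a site the carrier never listed: go back to the record.
            findings[rec_id] = "unknown_site"
            continue
        distance = haversine_m(lat, lon, *sites[site_id])
        findings[rec_id] = "ok" if distance <= tolerance_m else "coordinate_mismatch"
    return findings


if __name__ == "__main__":
    for rec_id, verdict in validate_rows(TOOL_ROWS, CARRIER_SITES).items():
        print(rec_id, verdict)
```

Anything other than `ok` is a prompt to reread the original carrier record, not a conclusion in itself.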


Reason # 3:  Trained, Experienced Analysts Don’t Deal in “Junk Science”

One of the traps into which digital forensic examiners of every ilk are susceptible to falling is drawing conclusions not based on fact.  While it’s true that a trained, experienced professional may reach conclusions based upon device activity, those same conclusions have to be rooted in some facts at some point.  The trap that sometimes rears its ugly head is when we reach conclusions that are either outside of our expertise or are not supported by the data. 

There are several traps documented in litigation over the course of the life of CDR analysis in legal proceedings that have led to the claim of “junk science”.  Probably the biggest of these (and the one cited in the article linked above and again here) are conclusions about cell site range.  As analysts, we are not cellular engineers and we cannot be engaged in speculation or discussion about the “range” of a particular cell site.  This is why in most cases we approximate location of the target device in the investigation and DO NOT get entwined in discussions about cell site range.  Even if we were fortunate enough to have propagation maps from the cellular provider which detail the effective/optimal range of a cell site, we still won’t draw conclusions about range.  It is not within the expertise of most analysts to discuss range.  That is for a cellular engineer to conclude, not an analyst of cellular records.



There are behaviors and activity that the records can tell us, however.  A trained analyst can usually tell if the phone was off or if a call was sent straight to voice mail or if the phone was left in one location for a prolonged period.  At the heart of the records is usage behavior.  Is there a pattern of behavior that is not adhered to during the time of the alleged incident?  Is there link analysis that can be done to confirm likely associates and/or accomplices?  If there are alleged accomplices, does normal text and/or call activity cease with that person during the time frame of the incident?  All of these items and more can help lead a trained, experienced analyst to come to conclusions within a reasonable degree of certainty, but with most of these items, we require a larger dataset to compare the behavior at the time of incident with the behavior at other times.  An analyst cannot identify these behaviors with 24 or 48 hours’ worth of records.  This is not enough data from which to draw conclusions about behavior.  This is also why we highly advise obtaining at least 30 days of records on either end of the incident, preferably more.  More data is better when it comes to CDR analysis.
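The baseline comparison described above can be sketched in code; this is an added example, not the author's method or any tool's algorithm. It first checks that the records span at least 30 days on either end of the incident, then lists contacts who are normally active during the same hours on other days but silent during the incident window. The records, contact labels, incident times and the 0.8 threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed incident window (assumption for illustration only).
INCIDENT_START = datetime(2019, 3, 8, 18, 0)
INCIDENT_END = datetime(2019, 3, 9, 2, 0)


def build_sample():
    """Constructed CDR rows (timestamp, other party); not real records."""
    rows = []
    day0 = datetime(2019, 2, 1)
    for d in range(70):  # 1 Feb to 11 Apr 2019
        day = day0 + timedelta(days=d)
        if day.date() != INCIDENT_START.date():
            rows.append((day + timedelta(hours=20), "CONTACT-A"))  # nightly contact
        if d % 3 == 0:
            rows.append((day + timedelta(hours=21), "CONTACT-B"))  # occasional contact
    return rows


def coverage_ok(rows, start, end, min_days=30):
    """True if the records reach at least min_days before and after the incident."""
    times = [t for t, _ in rows]
    span = timedelta(days=min_days)
    return start - min(times) >= span and max(times) - end >= span


def ceased_contacts(rows, start, end, min_share=0.8):
    """Contacts usually active in this time-of-day window but silent in the incident."""
    first = min(t for t, _ in rows)
    last = max(t for t, _ in rows)
    length = end - start
    reach = (last - first).days + 1
    # Comparison windows: the incident window shifted by whole days, kept only
    # where the shifted window lies entirely inside the period the records cover.
    windows = [start + timedelta(days=k) for k in range(-reach, reach + 1)
               if k != 0
               and start + timedelta(days=k) >= first
               and start + timedelta(days=k) + length <= last]
    flagged = {}
    for contact in sorted({c for _, c in rows}):
        times = [t for t, c in rows if c == contact]
        hits = sum(any(w <= t < w + length for t in times) for w in windows)
        share = hits / len(windows) if windows else 0.0
        silent = not any(start <= t < end for t in times)
        if silent and share >= min_share:
            flagged[contact] = round(share, 2)
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("coverage ok:", coverage_ok(sample, INCIDENT_START, INCIDENT_END))
    print("ceased:", ceased_contacts(sample, INCIDENT_START, INCIDENT_END))
```

With only a day or two of records the coverage check fails and there are too few comparison windows for the share to mean anything, which is the point the paragraph makes about 24 or 48 hours of data.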



The ultimate test of whether or not the conclusions based upon trained, experienced analysis of the records are “junk science” lies with the competencies of the analyst.  One who draws conclusions not based in fact is what leads an otherwise valid form of data analysis to be dubbed “junk science”.

Wrapping It Up

In any forensic discipline, there is a possibility for human error or oversight.  We’re not infallible, after all, and we can’t be expected to be perfect all the time.  But CDR analysis is the only one in which the term “junk science” has been bandied about quite a bit.  Deeper inspection of the issues involved in each case where this claim has been made can be lessons for current and future analysts to read and take heed.  It’s when our conclusions span beyond the breadth of our expertise and what the data tells us that we get into trouble.  Ultimately, everyone wants to see justice done.  If we can use CDR analysis successfully in litigation without reaching past our ability into conclusions that are open to extreme scrutiny, justice will be served. 

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!

