Thursday, September 1, 2022

Pro Digital is Joining ArcherHall

September 1, 2022

I built something someone wants. So, I sold it to them.

When the happenstance came along that I was introduced to the CEO of ArcherHall, a Sacramento-based nationwide provider of litigation support and eDiscovery services, I took it in stride. We had a great call, but I had no expectation that it would blossom into anything. It did, and over several months of discussions we came up with an exciting plan for the future that works well for everyone.




So here’s what’s changing: Not much. 

I will continue to serve current and future clients in the role of Director of Digital Forensics and eDiscovery for ArcherHall out of the former Pro Digital office & lab in the West End of Richmond, VA. We have worked very hard to cultivate the relationships with the attorney-clients with whom we work consistently, and it is our goal to continue to foster those relationships for years to come. Professional Digital Forensic Consulting (dba Pro Digital) will cease to exist as a business entity, and I will join ArcherHall. Because ArcherHall has more financial backing and people performing the casework, the analysis work on future cases will have the benefit of a team of experts working on them with expanded capabilities of tools, training, experience, and knowledge. It’s a win-win for our current and future clients.


I will continue to teach as much as possible at the University and private sector levels. I thoroughly enjoy teaching and it’s a great “side-hustle”. This blog may be moving, but it will still exist. There are a few other exciting things on the horizon regarding publications, which I’ll announce on my personal Linked In and personal Twitter feeds. I will stay an active and vocal member of the digital forensic community and hope to be able to contribute more as I will not have the time investment overhead of running a business on a daily basis.


That’s the biggest part that will be changing: The administrative side of running a digital forensic consultancy will largely be removed from my responsibilities. Clients can expect more structure, team-based communication and an overall more immersive and responsive experience from me and ArcherHall.


The natural question that would be posed is “why?”  In my multiple conversations and meetings with ArcherHall’s CEO, Chief of Staff and Managing Directors, it became apparent that we share the same approach and values in our role as digital forensic service providers.  Those values include integrity, professionalism and a service-based approach forged with an entrepreneurial spirit.  These are the core values that Pro Digital’s clients have come to expect and will remain as tenets of our practice moving forward.


I’ll wrap up this blog and personal note by thanking everyone who has helped make this possible. When I registered the LLC for Pro Digital back in 2013, I did so as sort of a lark and a fallback position. A little more than a year later, I left full-time law enforcement work and invested in Pro Digital fully and have been churning it ever since. Every close person in my personal and professional circles has helped make this possible in some way or another, from my ex-wife to my children to my current fiancée. My brother and my sister, both successful business owners who offered so much advice to help get started and stay in business. Experts in other areas of forensic services, including noted authors, other DF entrepreneurs and very smart people in our industry. Mentors at Cellebrite and IACIS and the Virginia State Police and Instructors with the Department of Homeland Security and the US Secret Service, as well as colleagues from my 2012 BCERT class. If you are reading this, you know who you are, and I am forever grateful for your contributions to the success of Pro Digital and me personally.


In closing, I’d only ask that we, as an industry, always strive to be and do better. I’m not perfect, nor am I the professional ombudsman of the digital forensic service industry. I get educated on areas of improvement regularly and take those lessons in the way they are intended. I can always learn more & do better and am regularly excited to do so. Digital Forensics as an industry can also work toward the standards of constant improvement. Our profession deserves it. Our clients and case stakeholders deserve it. And most importantly, the justice system needs it. Our industry will only grow over the coming decades. It’s incumbent upon all of us to nurture the profession and ensure that it remains a path to the truth in the cases we work.


Onward….


-Patrick


Author: 

Patrick J. Siewert

Director of Digital Forensics & eDiscovery

ArcherHall


About the Author:

Patrick Siewert was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA). In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in private digital forensic practice. Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness in multiple digital forensic areas. He continues to keep in touch with the public safety community as a Law Enforcement Instructor and Adjunct Professor at Virginia Commonwealth University.

Email: psiewert@archerhall.com

Twitter : @RVA4n6 

Web: https://archerhall.com 

ArcherHall on LinkedIn: https://www.linkedin.com/company/archerhall/ 

Patrick Siewert on LinkedIn: https://www.linkedin.com/in/patrick-siewert-92513445/ 

Tuesday, April 19, 2022

Pretty Maps & Plea Bargains: Tips on Handling Cellular Records Analysis in Criminal Defense Cases

April 19, 2022


I’m going to be blunt from the start:  If you are not using a trained, qualified, experienced & knowledgeable analyst for cellular records analysis (i.e., historical cell site location), then you are doing your client a large disservice, regardless of the side you’re representing.  Furthermore, if you’re taking what the other side tells you as 100% truth, you’re already behind the curve.


Do I have your attention?


Why Do I say this?  Because I’m coming off the likely second murder acquittal in about a year where the government used analysts to try and pinpoint their suspect’s location using historical cell site location data to illustrate that the Defendant was in or around a relevant location (i.e., crime scene) at or around the incident being investigated and prosecuted.  Both of these analysts were from federal 3-letter agencies and had allegedly analyzed the same records I was provided.  I’ll get more into the specifics later…


Historical Cell Site Analysis at a Glance


Before we get into specific case examples, we should define and discuss briefly what historical cell site location records are and are not.  There are volumes of articles and at least one book written on the topic, but I’ll try to trim the fat off the conversation to a simple definition:


Cellular companies keep records of activity on their network.  This activity often involves the phone’s use (calls, texts and data) and lists the particular cell sites (i.e., towers) used for these events.  Most cell sites are divided into three sectors covering the full 360 degrees around the site, so each sector on most cell sites covers an area of roughly 120 degrees.  Please note, there are exceptions to this.  However, with the data acquired from the cellular provider during the investigation and litigation process, we can map these cell sites using their verified GPS coordinates and use the sector-specific information contained in the records to map the generalized location of a cell phone that is allegedly tied to a Defendant or litigant.  


Depending on the timing of the request to the cellular provider, we can also potentially receive and map what are commonly referred to as “specialized location records”, which estimate the GPS (longitude & latitude) coordinates of the phone itself, within a certain confidence level detailed in the records.  These records can be problematic when used as evidence, but this is where the knowledge and competence level of the analyst also becomes crucial.


It should be noted that these records were never intended to be used in litigation.  They are held by the cellular providers to help improve the user experience and efficiency on the cellular network.  It just so happens that the ubiquitous nature of cell phones in daily life has made the location of a cell phone (and potentially the person carrying it) valuable data in criminal and civil litigation when analyzed & presented competently.


Not All Analysts Are Created Equal


Just like in the practice of law, medicine, auto mechanics, etc., it is a truism in cellular analysis that not all analysts possess the same work ethic, knowledge, training, capability or level of competence.  The vast majority of historical cell site data analysts work for the government, and as such, can present their data and analysis with an air of confidence and authority.  But I have seen multiple cases where this simply is not the case.  Consider the following examples:


Case study #1:  A homicide where data records were used to try and tie the Defendant to the phone.  Defendant’s primary phone in use was not in question, but the government attempted to illustrate that the “burner” or “drop” phone with which the victim last communicated also belonged to the Defendant by correlating the location of the two phones (known phone & burner phone) together over time, as well as attempting to tie the burner phone and defendant to the area where the victim’s body was located.


Defense Counsel hired a private-sector analyst (me) to conduct an independent analysis of the records and confirm or refute the assertions of the government with regard to this analysis.  The problem was, the 3-letter agency’s analysis contradicted itself without explanation.  See below image that was entered into evidence as part of the larger initial analysis:  




Map #1


Pretty map, isn’t it?  The problem, as is highlighted in the red boxes (upper left and lower right), is that this map puts the burner phone (events cited in the red boxes & wedges) miles apart at virtually the same time.  No explanation was provided in the report for this.  When this was brought forth in cross-examination of the government’s analyst, they testified that their agency calls this “teleportation”.  And no, that’s not a joke.


There’s actually a very reasonable explanation for this, which was not relayed to the jury until the analyst was called back to the stand in rebuttal of my testimony and, as coincidence would have it, produced a much more detailed map.  Regardless, the Defendant was acquitted of the murder charge.  Was it because of this?  I have no idea.  But I’m sure this didn’t help the jury’s confusion about this data… Nor did the “teleportation”!


Case Study #2:  A homicide where the Defendant was accused of the murder and assisting the shooter (who was found guilty prior to our Defendant’s trial) in getting away from the crime scene.  The 3-letter agency analyst produced a very short report/analysis, which lacked many things.  Take a look at one of the images and I’ll explain what’s lacking:




Map #2


Another beautiful map!  But what’s missing?  First, the crime scene is barely visible amongst the other noise on the map.  The map is hard to decipher.  Second, two crucial pieces are missing – the illustration of other cell sites in the area as well as any other potentially relevant locations.  And not simply alibi locations either – basic things like the Defendant’s home, which is actually within this map view, but you’d never know it because it wasn’t included in the illustration.  Simply put, this is an incomplete analysis.  It seeks to prove a theory and disregards the context.  


What are the cell sites and why is that important?  There are dozens of cell sites in the area of the above map (#2), some of which are closer to the crime scene.  And while I cannot emphasize strongly enough that it is not 100% true that the phone always connects to the closest cell site, without an illustration of where the other cell sites are located we don’t even have enough information to scrutinize the analysis.  It’s an analysis in a bubble.  The green & red dots on map #1 are the cell sites in a fairly populated metropolitan area, similar to the area in map #2.  Here’s the same event from map #2, in the same area and from the same case, but with the context added (and easier to decipher):




Those orange dots are all cell sites for this cellular carrier in the area not used for this event.  The other potentially relevant locations, as well as the crime scene, have also been added to this map.  The final potentially relevant piece is the terrain of the area.  While not a large issue in this particular example, geographical features like terrain can have an effect on which cell site the cellular device chooses to use.  For further context, this usage event was 4 minutes after the shooting (as verified by surveillance video time stamp).  As you can see, there are several cell sites in between this event and the crime scene, but again, the cell phone will NOT always connect to the closest cell site, but rather the cell site with the best signal.  That said, the cell site in use is over 2 miles away from the crime scene in a fairly densely populated area.


This map was generated as a more complete view of the relevant data and presented in comparison to map #2 for presentation to the Jury.  The exclusion of this information in map #2 is inexplicable.
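The sector mapping described under “Historical Cell Site Analysis at a Glance” and the two problems shown in the case studies (events miles apart at virtually the same time, and a map with none of the other cell sites for context) can both be checked programmatically before anyone argues about a map. The script below is an added example, not part of the original post or of any analyst’s tooling; the site coordinates, sector azimuths, events and crime scene location are constructed, and the 120-degree sectors and the 80 mph plausibility threshold are assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8
SECTOR_BEAMWIDTH = 120.0  # three sectors per site, each roughly 120 degrees (assumed)
# Assumed centre azimuth (degrees clockwise from north) for sectors 1-3 of every site.
SECTOR_AZIMUTH = {1: 0.0, 2: 120.0, 3: 240.0}

# Constructed sample: "verified" coordinates of three cell sites (not real towers).
SITES = {
    "S1": (37.5400, -77.4800),
    "S2": (37.5600, -77.4300),
    "S3": (37.5200, -77.5100),
}
# Constructed sample: one phone's usage events as (timestamp, site, sector).
EVENTS = [
    ("2021-06-12 10:00:00", "S1", 1),
    ("2021-06-12 10:00:30", "S2", 3),   # 3 miles from S1, 30 seconds later
    ("2021-06-12 10:20:00", "S1", 2),
    ("2021-06-12 10:45:00", "S3", 1),
]
CRIME_SCENE = (37.5410, -77.4790)  # constructed point of interest


def haversine_miles(a, b):
    """Great-circle distance between two (lat, lon) points in miles."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def bearing_deg(origin, target):
    """Initial compass bearing from origin to target, 0-360 degrees."""
    lat1, lon1 = map(math.radians, origin)
    lat2, lon2 = map(math.radians, target)
    dlon = lon2 - lon1
    x = math.sin(dlon) * math.cos(lat2)
    y = math.cos(lat1) * math.sin(lat2) - math.sin(lat1) * math.cos(lat2) * math.cos(dlon)
    return (math.degrees(math.atan2(x, y)) + 360.0) % 360.0


def in_sector(site_name, sector, point):
    """True if the point lies inside the wedge served by this site's sector."""
    offset = bearing_deg(SITES[site_name], point) - SECTOR_AZIMUTH[sector]
    offset = abs((offset + 180.0) % 360.0 - 180.0)  # smallest angular difference
    return offset <= SECTOR_BEAMWIDTH / 2


def implausible_moves(events, max_mph=80.0):
    """Flag consecutive events whose implied ground speed between sites exceeds max_mph.

    A flag means the records need an explanation (the "teleportation" of case
    study #1), not that the records are wrong.
    """
    flagged = []
    for (t1, s1, _), (t2, s2, _) in zip(events, events[1:]):
        miles = haversine_miles(SITES[s1], SITES[s2])
        hours = (datetime.fromisoformat(t2) - datetime.fromisoformat(t1)).total_seconds() / 3600
        if hours > 0:
            mph = miles / hours
        else:
            mph = float("inf") if miles > 0 else 0.0
        if mph > max_mph:
            flagged.append((t1, s1, t2, s2, round(miles, 2), round(mph)))
    return flagged


def site_context(point, used_site):
    """Rank every site by distance from the point, marking those closer than the site used.

    This is the "orange dots" context of case study #2: closer sites do not prove the
    phone should have used them, but their absence from a map prevents any scrutiny.
    """
    used_distance = haversine_miles(SITES[used_site], point)
    ranked = sorted((haversine_miles(coords, point), name) for name, coords in SITES.items())
    return [(name, round(dist, 2), dist < used_distance) for dist, name in ranked]


if __name__ == "__main__":
    print("crime scene in S1 sector 1:", in_sector("S1", 1, CRIME_SCENE))
    print("implausible moves:", implausible_moves(EVENTS))
    print("sites near crime scene (name, miles, closer than S2):", site_context(CRIME_SCENE, "S2"))
```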


Why Is Any of This An Issue?


I have been engaged in historical cell site records analysis in litigation for approximately 6 years, and in the practice of forensic data analysis (computers, cell phones, etc.) for 13 years.  In that time, I’ve conducted dozens of analyses of carriers of all types, cases spanning from insurance investigations to divorce/custody disputes to criminal prosecution and defense.  The practice of historical cell site analysis is not “junk science”, no matter what snake-oil salesman “defense expert” may try to tell you.  It works in most cases, if done properly.  And if it didn’t work, no one would use it.  Further, location of the phone is but one use of these records.  There are multiple others, as discussed here.


That said, the problem I’ve seen repeatedly with criminal investigations utilizing historical cell site analysis is that Defense Counsel may be misinformed or lacking in their knowledge about what is presented to them by the government’s analyst.  When a client is charged with a serious crime and the government obtains the historical cell site location records and asks the [insert 3-letter law enforcement agency name here] to conduct an analysis and produce pretty maps showing that your guy was likely there at the wrong time, it tends to force a plea bargain because it looks good and it’s relatively technical.  This happens regularly and is often not in the best interest of the client.


So what can help your client?  A thoughtful and informed conversation with an independent, experienced historical cell records analysis expert who can look at the records and provide a practical assessment.  To be clear, you do not want a “defense expert”.  You want an independent expert who will take in all of the available data and conduct as thorough analysis as possible, given what is available through discovery.  And there’s more to “available data” than simply the records in most cases.


A Few Tips From Experience


I’m not perfect and I don’t know everything.  On top of that, I’m not a lawyer.  However, I have worked many large litigation cases with these types of records and I’ve learned a few tips along the way that could help the process along more smoothly:


Consider obtaining the records allegedly associated with the target of the investigation independent of discovery.  This assists in the ability for you to introduce the records and your expert’s analysis at trial, even if the government chooses not to do so.  If the government never enters the records into evidence, it may not be possible for the hard work of your analyst to be presented to the judge or jury.  Obtaining these records can be done via Court Order and should be done as soon as possible and in consultation with your independent expert for proper terminology of the request.  Some carriers don’t retain certain records for a long period of time (see the record retention article here; updated data may be available).


The value of illustrating these usage events on a map can be compelling evidence, but static maps don’t always tell the whole story.  Consider using an expert who has access to tools that will help animate the movement in the usage to help paint an overall clearer picture of the cellular location evidence in your case.  To date, I’ve not seen a government analyst use animations to illustrate the records.  I have, however, conducted analysis for the government using animations.


Be careful with your stipulations prior to trial.  Stipulating to the authenticity of the records is probably OK.  Anything beyond that, including stipulating to the other analyst’s credentials, may cause issues down the road during trial testimony and presentation of evidence.


Don’t forget that there is probably relevant data in more than one place.  While it’s true the government has likely tried to cover all of their bases on this – particularly in a major criminal case – that doesn’t mean that there won’t be information to help confirm or refute alibis, alternate location data, etc. that is stored on the cell phone itself or potentially in cloud data sources.  If your cellular analyst doesn’t also have experience with analysis of these items, I’d suggest finding someone who has the ability to conduct this “holistic” type of analysis incorporating all potentially relevant pieces of data.


Look closely at what isn’t provided.  I’ve learned that there is almost as much (if not more) value in looking at the evidence that ISN’T presented than there is at looking at evidence that IS presented.  If something obvious – like data from the Defendant’s cell phone (i.e., the device itself) – was obtained, analyzed and not presented as evidence, that probably means there may be something on that phone that is not favorable to the other side’s case.  Look at this closely.


In Conclusion


I was in law enforcement for nearly 15 years, and I still travel the country teaching cops in any number of different subjects, including this one.  Many of my former (and current) law enforcement compatriots may read this article and conclude that I’m trying to give the defense a “leg up” or reveal some trade secrets.  Nothing could be further from the truth.  My goal in relaying this information is simply to do my part to ensure the right people go to prison and the innocent people do not.  This involves hard work, no matter who the victim is or what the circumstances of their death or attack may have been.  I work many cases for the prosecution.  I work many cases for the defense.  The truth is always the ultimate goal, and should be for everyone involved in this process.  


A final note for prosecuting attorneys who are using government analysts in these investigations:  The devil is in the details with this data.  There can often be missteps, omissions or other potential Brady-like material that is overlooked simply because the right questions were not asked by the analyst or a plea is expected in many of these cases.  While it is true that many times this data can help prove your case, I’ve seen more success with a 360-degree approach to the evidence, rather than relying on one piece to illustrate guilt. 


Author: 

Patrick J. Siewert

Founder & Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!



We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness in digital forensics and historical cell site analysis & mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Monday, February 14, 2022

When the Absence of Evidence is Good Evidence

February 14, 2022


Fielding dozens of inquiries every month for nearly 9 years as a digital forensic service provider, we start to get a good sense about what many cases involve, even before the details of an incident are revealed.  Whether the case involves mobile device evidence, computer evidence, cellular records analysis or electronic-based investigation, the general approach to the case, depending on the scope, is about the same.  What many attorneys and their clients are seeking is the proverbial “smoking gun” or “nail in the coffin” of their case.  As we often tell them, that does happen, from time to time.  But it is not the norm.  


More often than not, we are provided data that is lacking or missing something important.  The question then becomes why is the data missing, when did it go missing and who (if anyone) caused it to become missing?  In this game of piecing the digital puzzle together, often what is absent can also be key to the case.  But there are some definite considerations that go along with this notion as well.




The Value of Missing Data


There are circumstances where missing data can tell a decent part of the story.  For instance, on some mobile devices, items in certain areas are stored sequentially and numbers (or indices) in the sequence are not repeated.  Accordingly, if we find that there are missing numbers in the sequence, we can conclude that something was removed from the table that stores this information.  Can we always recover the data itself?  No.  But we can often determine that it was removed and at the very least approximate when it was removed, using process of elimination.


We can further determine the prior existence of this data by:


1) Searching for the likely file names or monikers of the missing data to see if there are any other records of those files being accessed or used on the system or device.

2) Looking at the timeline of activity on the device or system to determine what took place during the time frame in which the data is suspected to have been removed.  Other areas of the device were likely in use around that time and can help show the overall activity on it.

3) Looking at patterns of removal of data, either in this or other categories, to see if perhaps a mass-deletion of data may have taken place.  There are always alternative explanations which need to be explored before coming to concrete conclusions.


We can also try to determine if some or all of the missing data might have been stored elsewhere.  Alternative and backup data storage such as computer syncing and cloud-based storage are valuable, common areas that could potentially store either more data and/or the deleted data to help answer these important questions.
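The sequential-index reasoning above, the bracketing of a missing record between its surviving neighbours (step 2), and the check of backup copies for the same data can be worked through on a small table. The script is an added example, not code from the original post; the message table, its timestamps, the rows deleted before acquisition and the backup contents are all constructed, and it assumes a SQLite table with an AUTOINCREMENT primary key, whose sqlite_sequence entry records the highest id ever issued.

```python
import sqlite3

# Constructed sample: eleven chat messages as they might sit in an app database
# whose primary key is handed out sequentially and never reused.
MESSAGES = [
    ("2021-11-02 08:14:00", "msg 1"),
    ("2021-11-02 08:15:30", "msg 2"),
    ("2021-11-02 19:02:10", "msg 3"),
    ("2021-11-03 09:30:00", "msg 4"),
    ("2021-11-03 09:31:15", "msg 5"),
    ("2021-11-03 21:40:05", "msg 6"),
    ("2021-11-04 07:55:00", "msg 7"),
    ("2021-11-04 07:56:12", "msg 8"),
    ("2021-11-05 11:58:40", "msg 9"),
    ("2021-11-05 12:00:00", "msg 10"),
    ("2021-11-06 22:10:00", "msg 11"),
]
DELETED_ON_DEVICE = [4, 5, 9, 11]  # constructed: rows removed before the device was acquired
BACKUP_HOLDS = 8                   # constructed: backup taken after msg 8 and before msg 9


def _new_table():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT, body TEXT)"
    )
    return conn


def load_device():
    """The table as found on the device: all rows inserted, then some deleted."""
    conn = _new_table()
    conn.executemany("INSERT INTO message (ts, body) VALUES (?, ?)", MESSAGES)
    conn.executemany("DELETE FROM message WHERE id = ?", [(i,) for i in DELETED_ON_DEVICE])
    conn.commit()
    return conn


def load_backup():
    """An older copy of the same table, e.g. a device backup found on a laptop."""
    conn = _new_table()
    conn.executemany("INSERT INTO message (ts, body) VALUES (?, ?)", MESSAGES[:BACKUP_HOLDS])
    conn.commit()
    return conn


def find_gaps(conn):
    """Missing ids, each with the creation window implied by its surviving neighbours.

    The gap proves a row existed; the neighbours' timestamps bound when it was
    created, and removal happened somewhere between that and acquisition.
    """
    rows = conn.execute("SELECT id, ts FROM message ORDER BY id").fetchall()
    gaps = []
    for (prev_id, prev_ts), (next_id, next_ts) in zip(rows, rows[1:]):
        for missing in range(prev_id + 1, next_id):
            gaps.append({"id": missing, "created_after": prev_ts, "created_before": next_ts})
    # A deleted row at the tail leaves no neighbour pair. AUTOINCREMENT tables still
    # record the highest id ever issued in sqlite_sequence, which exposes it.
    seq = conn.execute("SELECT seq FROM sqlite_sequence WHERE name = 'message'").fetchone()
    if rows and seq:
        last_id, last_ts = rows[-1]
        for missing in range(last_id + 1, seq[0] + 1):
            gaps.append({"id": missing, "created_after": last_ts, "created_before": None})
    return gaps


def recover_from_backup(gaps, backup_conn):
    """Look each missing id up in the backup copy; returns {id: (ts, body)} for hits."""
    found = {}
    for gap in gaps:
        row = backup_conn.execute(
            "SELECT ts, body FROM message WHERE id = ?", (gap["id"],)
        ).fetchone()
        if row:
            found[gap["id"]] = row
    return found


if __name__ == "__main__":
    device, backup = load_device(), load_backup()
    gaps = find_gaps(device)
    for gap in gaps:
        print(gap)
    print("recovered from backup:", recover_from_backup(gaps, backup))
```

Rows 9 and 11 post-date the backup, so their absence is established by the gaps alone; whether their content is recoverable would depend on the alternative sources discussed above.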


The Expert’s Conclusions re: Missing Data


The ultimate goal in missing data analysis is to be able to come to some conclusion within a reasonable degree of certainty.  This is not always easy and it’s almost never 100%.  However, as analysts and Experts who testify in legal matters, digital forensic practitioners can be *mostly* sure about what happened through thorough analysis and testing, depending on the scope of the case and the needs of the Client.  


The important point about our conclusions with regard to when items were deleted and who deleted them lies in the thoroughness of our work.  Leaving no stone unturned is a good approach, but it’s also time-consuming and expensive.  Many clients will not want to support this cost expenditure, mostly because they don’t see the need for it.  Ultimately, it is the analyst’s reputation and work that will be scrutinized in court and by other experts; therefore, the analyst should be steadfast in their calls for whatever measures are appropriate to support their conclusions in court.  Whatever the conclusion(s) is/are, they must be articulated, defensible, repeatable and supported by the data.  Otherwise, they will not pass evidentiary muster and ultimately the client will not be served by the expenditure.


This is another area where peer review can play a vital role.  No digital forensic analyst knows everything about every data storage medium, file system, application, mobile device, etc.  However, with a thoughtful and thorough peer review of the procedures, findings and conclusions, we take another valuable step to validating those conclusions for the finder of fact.   




A Brief Case Study


We once worked a divorce case involving an iPod with internet connectivity.  The husband, our client, found videos on a computer of his wife engaged in sexual relations with another man.  When the Court ordered her devices turned over, including the iPod on which she was suspected to have chatted for months with her paramour, there were no messages found.  However, there were suggestive pictures and videos located on the iPod, which supported the suspicion of chatting behavior.


Additionally, the Court ordered her laptop hard drive to be analyzed.  On the laptop hard drive, there were a number of iPod backup files, nearly all of which contained the application-based chats with the paramour, including their sexually explicit conversations and his admission to killing another person in another state.


Wrapping It Up


We like to take the approach that the data is virtually always somewhere.  But even if it’s not anywhere, we can often find enough markers, indicators, patterns and evidence that it existed in some form before we obtained the data to come to some conclusion about it.  The key lies in the ability, competency & knowledge of the digital forensic analyst to be able to determine what may have happened, when and who is responsible.  Just because it’s not there doesn’t mean your case is dead or that your analyst can’t do anything to help.  Tenacity is a virtue in digital forensics.  Make sure to scrutinize the characteristics of your analyst before asking them to work your case.  Not all analysts (or lawyers or clients or… ) are created equally.


Author: 

Patrick J. Siewert

Founder & Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia
