February 14, 2022
When the Absence of Evidence is Good Evidence
Fielding dozens of inquiries every month for nearly 9 years as a digital forensic service provider, we start to get a good sense about what many cases involve, even before the details of an incident are revealed. Whether the case involves mobile device evidence, computer evidence, cellular records analysis or electronic-based investigation, the general approach to the case, depending on the scope, is about the same. What many attorneys and their clients are seeking is the proverbial “smoking gun” or “nail in the coffin” of their case. As we often tell them, that does happen, from time to time. But it is not the norm.
More often than not, we are provided data that is lacking or missing something important. The question then becomes why the data is missing, when it went missing and who (if anyone) caused it to go missing. In this game of piecing the digital puzzle together, what is absent can often be just as key to the case as what is present. But there are some definite considerations that go along with this notion as well.
The Value of Missing Data
There are circumstances where missing data can tell a decent part of the story. For instance, on some mobile devices, items in certain areas are stored sequentially and the numbers (or indices) in the sequence are not repeated. Accordingly, if we find that there are missing numbers in the sequence, we can conclude that something was removed from the table that stores this information. Can we always recover the data itself? No. But we can often determine that it was removed and, at the very least, approximate when it was removed using a process of elimination.
We can further determine the prior existence of this data by:
1) Searching for the likely file names or monikers of the missing data to see if there are any other records of those files being accessed or used on the system or device.
2) Looking at the timeline of activity on the device or system to determine what took place during the time frame in which the data is suspected to have been removed. Many other areas of the device may have been in use around these times, and they help show the overall activity surrounding the suspected removal.
3) Looking at patterns of removal of data, either in this or other categories, to see if perhaps a mass-deletion of data may have taken place. There are always alternative explanations which need to be explored before coming to concrete conclusions.
We can also try to determine if some or all of the missing data might have been stored elsewhere. Alternative and backup data storage such as computer syncing and cloud-based storage are valuable, common areas that could potentially store either more data and/or the deleted data to help answer these important questions.
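The sequence-gap reasoning above, together with steps 2 and 3 of the list, can be reduced to a small, repeatable procedure. The following is an added example written for this page, not code from the original post or from Pro Digital Forensic Consulting; the table rows, the last-allocated number, the acquisition time and the device events are all constructed. It assumes a record table whose key is handed out monotonically and never reused (a SQLite `AUTOINCREMENT` column behaves this way, and its last allocated value is kept in `sqlite_sequence`); without that guarantee a hole in the numbering is not proof that a record existed.

```python
"""Gap analysis over a sequentially numbered record table (added example).

Assumption: record numbers are allocated in increasing order and never
reused, so every missing number corresponds to a record that once
existed and was later removed. Surviving neighbours then bracket when
the missing record was created; the moment of acquisition is the only
hard upper bound on when it was removed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Gap:
    """A run of consecutive record numbers that no surviving row carries."""
    first_missing: int
    last_missing: int
    created_after: Optional[datetime]   # timestamp of surviving predecessor, if any
    created_before: Optional[datetime]  # timestamp of surviving successor, if any

    @property
    def count(self) -> int:
        return self.last_missing - self.first_missing + 1


def find_gaps(rows: Iterable[Tuple[int, datetime]],
              first_expected_id: int = 1,
              last_allocated_id: Optional[int] = None) -> List[Gap]:
    """Locate holes in a never-reused sequence.

    rows: (record_id, created_at) pairs for the rows that survive.
    first_expected_id: lowest number the sequence hands out (1 for a SQLite rowid).
    last_allocated_id: highest number ever handed out, when the system records it
        (sqlite_sequence for AUTOINCREMENT tables). Without it, deletions at the
        tail of the sequence are invisible from the surviving rows alone.
    """
    ordered = sorted(rows, key=lambda r: r[0])
    gaps: List[Gap] = []
    if not ordered:
        return gaps
    # Leading hole: numbers below the first surviving row.
    if ordered[0][0] > first_expected_id:
        gaps.append(Gap(first_expected_id, ordered[0][0] - 1, None, ordered[0][1]))
    # Interior holes: bracketed by the surviving neighbours on each side.
    for (prev_id, prev_ts), (next_id, next_ts) in zip(ordered, ordered[1:]):
        if next_id - prev_id > 1:
            gaps.append(Gap(prev_id + 1, next_id - 1, prev_ts, next_ts))
    # Trailing hole: only visible when the last allocated number is known.
    last_id, last_ts = ordered[-1]
    if last_allocated_id is not None and last_allocated_id > last_id:
        gaps.append(Gap(last_id + 1, last_allocated_id, last_ts, None))
    return gaps


def deletion_window(gap: Gap, acquired_at: datetime) -> Tuple[Optional[datetime], datetime]:
    """Bounds on when the missing records could have been removed: not before
    the predecessor was created, and not after the data was acquired."""
    return gap.created_after, acquired_at


def activity_during(gap: Gap, events: List[Tuple[datetime, str]],
                    acquired_at: datetime) -> List[Tuple[datetime, str]]:
    """Other device activity (step 2 of the list) inside the deletion window."""
    lo, hi = deletion_window(gap, acquired_at)
    return [e for e in events if (lo is None or e[0] >= lo) and e[0] <= hi]


def bulk_deletion_candidates(gaps: List[Gap], min_run: int = 5) -> List[Gap]:
    """Long consecutive runs are consistent with, not proof of, a mass deletion
    (step 3 of the list); alternative explanations still need to be ruled out."""
    return [g for g in gaps if g.count >= min_run]


def _ts(day: int, hour: int) -> datetime:  # constructed timestamps, January 2022
    return datetime(2022, 1, day, hour, tzinfo=timezone.utc)


# Constructed sample: surviving rows of a chat table as (record_id, created_at).
SURVIVING_ROWS = [
    (1, _ts(3, 9)), (2, _ts(3, 10)), (3, _ts(4, 8)),
    (5, _ts(6, 20)), (6, _ts(6, 21)),
    (12, _ts(10, 7)), (13, _ts(10, 8)),
]
LAST_ALLOCATED = 15          # constructed stand-in for the sqlite_sequence value
ACQUIRED_AT = _ts(20, 12)    # constructed acquisition time
DEVICE_EVENTS = [            # constructed timeline from other areas of the device
    (_ts(2, 5), "device set up"),
    (_ts(6, 22), "messaging app opened"),
    (_ts(9, 23), "device restarted"),
    (_ts(11, 1), "messaging app cache cleared"),
]

if __name__ == "__main__":
    found = find_gaps(SURVIVING_ROWS, last_allocated_id=LAST_ALLOCATED)
    for g in found:
        print(f"missing {g.first_missing}-{g.last_missing} ({g.count} records), "
              f"created between {g.created_after} and {g.created_before}")
        for when, what in activity_during(g, DEVICE_EVENTS, ACQUIRED_AT):
            print(f"    activity in deletion window: {when} {what}")
    print("bulk-deletion candidates:",
          [(g.first_missing, g.last_missing) for g in bulk_deletion_candidates(found)])
```

Note that the neighbours bracket when a missing record was created, not when it was deleted; the window between that creation bound and acquisition is where the timeline review of step 2 is aimed.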
The Expert’s Conclusions re: Missing Data
The ultimate goal in missing data analysis is to be able to come to some conclusion within a reasonable degree of certainty. This is not always easy and it’s almost never 100%. However, as analysts and Experts who testify in legal matters, digital forensic practitioners can be *mostly* sure about what happened through thorough analysis and testing, depending on the scope of the case and the needs of the Client.
The important point about our conclusions with regard to when items were deleted and who deleted them lies in the thoroughness of our work. Leaving no stone unturned is a good approach, but it’s also time-consuming and expensive. Many clients will not want to support this cost expenditure, mostly because they don’t see the need for it. Ultimately, it is the analyst’s reputation and work that is to be scrutinized in court and by other experts; therefore, the analyst should be steadfast in calling for whatever measures are appropriate to support their conclusions in court. Whatever the conclusions are, they must be articulated, defensible, repeatable and supported by the data. Otherwise, they will not pass evidentiary muster and ultimately the client will not be served by the expenditure.
This is another area where peer review can play a vital role. No digital forensic analyst knows everything about every data storage medium, file system, application, mobile device, etc. However, with a thoughtful and thorough peer review of the procedures, findings and conclusions, we take another valuable step toward validating those conclusions for the finder of fact.
A Brief Case Study
We once worked a divorce case involving an iPod with internet connectivity. The husband, our client, found videos on a computer of his wife engaged in sexual relations with another man. When the Court ordered her devices turned over, including the iPod on which she was suspected to have chatted for months with her paramour, there were no messages found. However, there were suggestive pictures and videos located on the iPod, which supported the suspicion of chatting behavior.
Additionally, the Court ordered her laptop hard drive to be analyzed. On the laptop hard drive, there were a number of iPod backup files, nearly all of which contained the application-based chats with the paramour, including their sexually explicit conversations and his admission to killing another person in another state.
Wrapping It Up
We like to take the approach that the data is virtually always somewhere. But even if it’s not anywhere, we can often find enough markers, indicators, patterns and evidence that it existed in some form, prior to our obtaining the data, to be able to come to some conclusion about it. The key lies in the ability, competency & knowledge of the digital forensic analyst to determine what may have happened, when and who is responsible. Just because it’s not there doesn’t mean your case is dead or that your analyst can’t do anything to help. Tenacity is a virtue in digital forensics. Make sure to scrutinize the characteristics of your analyst before asking them to work your case. Not all analysts (or lawyers or clients or… ) are created equal.
Author:
Patrick J. Siewert
Founder & Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA). In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice. Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email: Inquiries@ProDigital4n6.com
Web: https://ProDigital4n6.com
Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc
Patrick Siewert on LinkedIn: https://www.linkedin.com/in/patrick-siewert-92513445/