
Monday, February 14, 2022

When the Absence of Evidence is Good Evidence



Fielding dozens of inquiries every month for nearly 9 years as a digital forensic service provider, we start to get a good sense about what many cases involve, even before the details of an incident are revealed.  Whether the case involves mobile device evidence, computer evidence, cellular records analysis or electronic-based investigation, the general approach to the case, depending on the scope, is about the same.  What many attorneys and their clients are seeking is the proverbial “smoking gun” or “nail in the coffin” of their case.  As we often tell them, that does happen, from time to time.  But it is not the norm.  


More often than not, we are provided data that is lacking or missing something important.  The question then becomes why is the data missing, when did it go missing and who (if anyone) caused it to become missing?  In this game of piecing the digital puzzle together, often what is absent can also be key to the case.  But there are some definite considerations that go along with this notion as well.




The Value of Missing Data


There are circumstances where missing data can tell a decent part of the story.  For instance, on some mobile devices, items in certain areas are stored sequentially and numbers (or indices) in the sequence are not repeated.  Accordingly, if we find that there are missing numbers in the sequence, we can conclude that something was removed from the table that stores this information.  Can we always recover the data itself?  No.  But we can often determine that it was removed and at the very least approximate when it was removed, using process of elimination.
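The sequence-gap check described above can be sketched as follows. This is an added example, not code from the original article: it assumes the records sit in a SQLite table with an `AUTOINCREMENT` key, and the `message` table, its columns and its rows are constructed for illustration.

```python
import sqlite3


def build_sample_db():
    """Constructed sample: ten messages, four of which are then deleted."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE message ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, sent_utc TEXT, body TEXT)"
    )
    rows = [(f"2022-01-{d:02d}T12:00:00", f"msg {d}") for d in range(1, 11)]
    con.executemany("INSERT INTO message (sent_utc, body) VALUES (?, ?)", rows)
    # Simulate removal from the middle and from the end of the sequence.
    con.execute("DELETE FROM message WHERE id IN (4, 5, 9, 10)")
    con.commit()
    return con


def find_gaps(con, table="message", key="id", ts="sent_utc"):
    """Return runs of missing key values, bracketed by surviving neighbours.

    Table and column names are supplied by the analyst, not by untrusted
    input, so they are interpolated directly into the query.
    """
    rows = con.execute(
        f"SELECT {key}, {ts} FROM {table} ORDER BY {key}"
    ).fetchall()
    gaps = []
    prev_id, prev_ts = 0, None
    for cur_id, cur_ts in rows:
        if cur_id - prev_id > 1:
            # The missing rows were created between the two surviving
            # neighbours, so they cannot have been deleted before prev_ts.
            gaps.append({
                "missing": list(range(prev_id + 1, cur_id)),
                "created_after": prev_ts,
                "created_before": cur_ts,
            })
        prev_id, prev_ts = cur_id, cur_ts

    # For AUTOINCREMENT tables SQLite records the highest key ever issued in
    # sqlite_sequence. A value above the last surviving key means rows were
    # removed from the end, where no following neighbour would reveal a gap.
    seq = con.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)
    ).fetchone()
    if seq and seq[0] > prev_id:
        gaps.append({
            "missing": list(range(prev_id + 1, seq[0] + 1)),
            "created_after": prev_ts,
            "created_before": None,  # bounded only by the acquisition time
        })
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(build_sample_db()):
        print(gap)
```

A gap is an indicator that rows once existed, not proof of who removed them or why; the bracketing timestamps narrow the timeline that the remaining steps then examine.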


We can further determine the prior existence of this data by:


1) Searching for the likely file names or monikers of the missing data to see if there are any other records of those files being accessed or used on the system or device.

2) Looking at the timeline of activity on the device or system to determine what took place during the time frame that the data is suspected to have been removed.  Many other areas of the device may have been in use during that period, and their records help show the overall activity around the time of removal.

3) Looking at patterns of removal of data, either in this or other categories, to see if perhaps a mass-deletion of data may have taken place.  There are always alternative explanations which need to be explored before coming to concrete conclusions.


We can also try to determine if some or all of the missing data might have been stored elsewhere.  Alternative and backup data storage such as computer syncing and cloud-based storage are valuable, common areas that could potentially store either more data and/or the deleted data to help answer these important questions.


The Expert’s Conclusions re: Missing Data


The ultimate goal in missing data analysis is to be able to come to some conclusion within a reasonable degree of certainty.  This is not always easy and it’s almost never 100%.  However, as analysts and Experts who testify in legal matters, digital forensic practitioners can be *mostly* sure about what happened through thorough analysis and testing, depending on the scope of the case and the needs of the Client.  


The important point about our conclusions with regard to when items were deleted and who deleted them lies in the thoroughness of our work.  Leaving no stone unturned is a good approach, but it’s also time-consuming and expensive.  Many clients will not want to support this cost expenditure, mostly because they don’t see the need for it.  Ultimately, it is the analyst’s reputation and work that is to be scrutinized in court and by other experts; therefore, the analyst should be steadfast in their calls for whatever measures are appropriate to support their conclusions in court.  Whatever the conclusion(s) is/are, they must be articulated, defensible, repeatable and supported by the data.  Otherwise, they will not pass evidentiary muster and ultimately the client will not be served by the expenditure.


This is another area where peer review can play a vital role.  No digital forensic analyst knows everything about every data storage medium, file system, application, mobile device, etc.  However, with a thoughtful and thorough peer review of the procedures, findings and conclusions, we take another valuable step to validating those conclusions for the finder of fact.   




A Brief Case Study


We once worked a divorce case involving an iPod with internet connectivity.  The husband, our client, found videos on a computer of his wife engaged in sexual relations with another man.  When the Court ordered her devices turned over, including the iPod on which she was suspected to have chatted for months with her paramour, there were no messages found.  However, there were suggestive pictures and videos located on the iPod, which supported the suspicion of chatting behavior.


Additionally, the Court ordered her laptop hard drive to be analyzed.  On the laptop hard drive, there were a number of iPod backup files, nearly all of which contained the application-based chats with the paramour, including their sexually explicit conversations and his admission to killing another person in another state.


Wrapping It Up


We like to take the approach that the data is virtually always somewhere.  But even if it’s not anywhere, we can often find markers, indicators, patterns and evidence that it existed in some form prior to our obtaining the data, enough to be able to come to some conclusion about it.  The key lies in the ability, competency & knowledge of the digital forensic analyst to be able to determine what may have happened, when and who is responsible.  Just because it’s not there doesn’t mean your case is dead or that your analyst can’t do anything to help.  Tenacity is a virtue in digital forensics.  Make sure to scrutinize the characteristics of your analyst before asking them to work your case.  Not all analysts (or lawyers or clients or… ) are created equally.


Author: 

Patrick J. Siewert

Founder & Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!



We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Wednesday, June 9, 2021

Three FAQs About Digital Forensics as a Service

 June 8, 2021




There are many tentacles to the practice of digital forensics.  As explored in a previous article, there can be two main tracks to the practice of digital forensics:  Incident Response & Litigation Support.  In the same vein, there are practitioners both in the public sector (law enforcement, government contractors, etc.) and the private sector.  While the practice is essentially the same across both sectors, the types of cases called upon to work and the complaints or inquiries received can be vastly different.  


When I was a law enforcement examiner, my time was spent mainly investigating criminal incidents involving child sex abuse material (CSAM) and other crimes, such as fraud, cyber-stalking, etc.  After transitioning to the private sector, I found the case inquiries and cases worked to be quite different.  Sure, there’s a minority percentage of cases in the criminal realm, but many of our cases span family law, corporate law, intellectual property theft and other civil disputes.  One of the most notable areas in which the shift has occurred has been in the types of inquiries we receive.  The three questions explored and answered here are designed to provide those would-be clients with answers that they can readily access without the need to contact a forensic service provider and to help provide guidance for some in our industry as a whole.  These questions are taken directly from inquiries we receive weekly.


FAQ #1:  I think someone (estranged spouse, other person) is “hacking” me.  Can you find out who it is?


This is probably the most frequent question we receive and it eats up a ton of time.  Indeed, there are many reasons why someone might feel they’ve been “hacked”, but at a 30,000-foot level, it’s not likely.  Why isn’t it likely?  Well, the first question anyone needs to ask themselves is WHY would someone hack your devices on purpose?  Jeff Bezos’ iPhone was hacked.  He’s also the CEO of a multi-billion dollar corporation and he was targeted with a very specific electronic exploit by a quasi-trusted source in a coordinated event and the means to hack his device were engineered specifically for that purpose.  Let’s be clear:  No one is likely doing that to YOU.  The time, effort, resources and level of technical sophistication needed to hack an individual’s devices at that level are so advanced and multi-faceted that no one with a standard or mid-range knowledge of computers or cell phones would be able to do that to you.


And just because they “work in I.T.” doesn’t mean they have any advanced coding knowledge to be able to hack your devices.



Most of these allegations surround mobile devices, but to be more specific, an iPhone is quite difficult to “hack”, at least to the level where one would be reading your text messages or tracking your location or listening to your calls.  Everything on the phone needs to run in an application and there are no applications on the Apple App Store which allow this type of activity.  This is why iPhones are generally considered more secure than Android devices – because you *have* to run everything as an app and the only place to get an app is the App Store and Apple has tight controls over what they allow on the App Store. 


What is likely the case in roughly 99.9% of instances is that access was granted by the iCloud account holder (i.e., iPhone owner) to the alleged hacker at some point prior to the “hacking” and they are using utilities like Find my iPhone and iMessage syncing to track these locations and activities.  Also not unlikely is that a formerly-trusted source knows your standard passwords and accessed your account using one of those, and may even have 2-factor authentication access from an older device.  Change your iCloud login and password and make the password strong and unique.  Also, disconnect older devices from your iCloud.  Finally, don’t use public wi-fi.


Android devices, while theoretically easier to “hack” than iPhones, still require some access for 99.9% of users to be able to track location, read messages, etc.  Apple, Samsung, LG, etc. don’t make money and keep customers by making their devices easy to exploit through any sort of hacking activity.  If that were the case, we’d all be walking around with hacked smart phones.  The security on these devices, particularly the newer models, is strong enough to ensure that the vast majority of people who have not been granted access to the data cannot access the data… And with each new generation of device, the security gets stronger.  


The reality is that we are all bleeding our location, purchase history, check-in activity, life events and much more on our mobile devices every day without even realizing it.  Google has more data on you than the NSA and they exploit it to make money.  Does hacking of an iPhone or Android phone happen? Yes.  But it is very, very unlikely for 99.9% of users.


As a final note, I tell all potential clients that call with this complaint, hacking in many forms is a crime.  If you have evidence you’ve been hacked, report that to the authorities and initiate a criminal investigation.  They work for you and you pay them with your tax dollars.  They also have the power to issue things like subpoenas and search warrants, which any private practitioner does not.  In short, they can help you much more than we can.



FAQ #2:  Someone is sending me harassing text messages anonymously.  Can you identify who it is?


The short answer to this is, probably not.  If the only evidence we are afforded are the text messages from the phone of the person receiving them, there isn’t much evidence for us to investigate from the device itself.  The existence of the text messages is not in dispute, the origin is what is sought.  Most of these numbers are issued through a third-party and purposely anonymous at a practical level, so our ability to track down the number to a specific person is very limited.  


In order to track the number to a person, litigation needs to be in place or a criminal investigation needs to be undertaken.  This will provide the power of subpoena or search warrant to help track down and follow the bread-crumb trail to who may be responsible.  Even still, this can require multiple levels of subpoena, which can take time and often be a dead-end in the investigation.


Harassing text messages and/or calls are annoying.  They may even be illegal, depending on where you live.  But it’s much easier and less expensive to change your phone number and let trusted friends & family know you’ve changed your number than it is to try to dig down into the rabbit-hole that is a chain of subpoenas to try and track down who is responsible.  As a wise man once said to me, “the juice isn’t worth the squeeze”.





FAQ #3:  I suspect my spouse or significant other is cheating. Can you analyze their phone to let me know if this is true or not?


We get this question a lot.  And it’s usually followed up with a statement by the would-be client that “the account is in my name”.  The problem is, the data isn’t in your name, and the data is what you’re asking us to analyze.  The issue of marital ownership of property can get a bit murky, particularly when one feels their trust is being violated.  


I know a lot about the law, but I am not a lawyer.  Generally, we refer people who ask for this service to consult an attorney and the natural rebuttal is “I want proof that something is going on before I get an attorney”.  At that point, we gracefully exit.  Why?  Because past instances have taught us that getting involved in domestic issues where there is no litigation is messy and fraught with complications.  In short, we’re not going to be the reason you get a divorce.


Aside from that, there are technical issues which can arise in this.  The first is access to the data.  For all modern cell phones, we need the pass code in order to obtain the data.  Period.  There are no notable exceptions to this for private sector practitioners.  Oh, you have the pass code?  Great.  We still won’t do it.  Modern mobile forensic tools also extract authentication keys for social media and other cloud accounts, which is a very powerful tool, particularly if used in the wrong hands.  By accessing the data on the phone and/or the data on the cloud without proper authorization, we are breaking the law.  There is no client or any amount of money who would convince us that our professional integrity and reputation is worth one case.  Finally, if we engaged in this practice and the case did go to litigation, we’d have to testify about how we accessed the data and by what authority.  That would be a tough question to answer.


Are there digital forensic practitioners who will do this?  Absolutely.  Please contact them and let me know how their testimony goes.


Wrapping It Up


The FAQs discussed here are just a sampling of some of those we receive quite regularly.  And while the answers may have a bit of pointed clarification in them, they also touch on a wider theme of ethical practices in private sector digital forensics.  When you are researching a digital forensic service provider, please ask yourself 1) is what you’re asking them to do within the bounds of the law and/or ethical practices and 2) if they agreed to do it for you, what does that say about their ethical standards?   The training, tools and ability to do what we do are all extraordinarily powerful and if used by the wrong type of practitioner, could lead to drastic consequences.  Violations of what could be termed “standards of practice” will affect the industry as a whole.  Let’s all work together to ensure that doesn’t happen.


Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia


Monday, May 15, 2017

Case Study: Call Detail Records Analysis in Civil Domestic Litigation




The conventional wisdom with regard to cellular call detail record analysis is that it is a tool primarily used by law enforcement to help prove or disprove the location of a criminal suspect in a given incident.  More and more, however, we’re seeing uses for cellular call detail record (CDR) analysis and mapping in the civil litigation world, too.  We’ll be discussing one such case in this article.

As a brief disclaimer, the exact locations of the houses of the parties involved in this case have been changed for confidentiality, but the rough geographical area and the cell tower information is the same.  This is a live case which we worked and was recently concluded.  So if you still don’t think that CDR analysis can be of use in your civil case, keep reading and let us help change your mind!

Background

In July, 2016, we received a call from a divorced client who was seeking to have his alimony agreement reviewed by the Court.  He had been divorced from his ex-wife for a number of years, but his spousal support agreement was costing him thousands of dollars every year, so he was researching ways to show that his ex-wife was not in compliance with the agreement.  Like many alimony agreements, his stipulated that if the ex-wife cohabitated with anyone for a period of 12 months or more, the client would be released from the alimony agreement.  The client, a very savvy and smart businessman in his own right, had already hired a traditional private investigator for surveillance, but the requirements to prove his suspicion in this case were too great and costly for that to be a viable year-long solution.  However, he surmised that if he could obtain the cellular call detail records for his ex-wife’s paramour for a period of 12 months and illustrate that he never stayed at his listed residence and always stayed at the ex-wife’s residence during the 12-month period, it would constitute cohabitation.  The client called us and we assisted with subpoena language, consultation, cellular record analysis and mapping.

The paramour’s cellular provider is Verizon Wireless.  His listed address is also the address on the cellular account, which made proving where he claimed to live a simple matter.  Both houses’ locations were verified through GPS coordinates and were not that far apart, but as you’ll see, they were far enough apart to make a difference in this case.

Methodology

Verifying the data is always a part of best practices.  To that end, we traveled to and physically verified the GPS coordinates of the houses of interest and the cellular towers primarily involved in this case.  We further verified the type of cellular device the paramour was using through Verizon Wireless and spent some time on the phone with technicians from Verizon Wireless to ensure the analysis in this case was accurate. 

Verizon Wireless records are provided in a series of Excel spreadsheets.  The call detail records (CDRs) for the requested time period are in one spreadsheet and another details every tower in every switch in every locality that the device connected to for the requested period.  It further details the GPS coordinates of those towers, the sectors (sides) of the towers and the azimuth and beam width of the given sectors.  CDRs do not provide cellular signal range, but we can estimate the range by identifying the next closest tower of the same provider (one of which also happened to be a relevant tower in this case), measuring the total distance and calculating 60% of that distance for the range of each tower in that direction.

Finally, timing of use was a primary issue.  Because the paramour had a job that required him to travel all over the local area (in addition to out-of-state locations), the time frame for the analysis was restricted from 2100 hrs. to 0700 hrs. every day for all 12 months.  This would help demonstrate where the paramour may actually be laying his head at night.  In presenting our final report, we tallied the percentage of times calls were made from 2100 hrs. to 0700 hrs. on the towers that would likely service both the paramour’s listed residence and the ex-wife’s residence on a month-by-month basis.  The final numbers were greatly skewed toward the tower and sectors servicing the ex-wife’s house.
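The range estimate and the month-by-month night-time tally described above can be sketched as follows. This is an added example, not the tooling or data used in the case: the record layout, the coordinates, tower 511 and every sample call are constructed, and the window is assumed to include 2100 hrs. and exclude 0700 hrs.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(h), math.sqrt(1 - h))


def estimated_range_km(tower, next_closest_tower):
    """60% of the distance to the next closest tower of the same provider."""
    return 0.6 * haversine_km(tower, next_closest_tower)


def in_night_window(ts):
    """True for 2100 hrs. up to, but not including, 0700 hrs. (assumption)."""
    return ts.hour >= 21 or ts.hour < 7


def monthly_night_share(records, target_sectors):
    """Percentage of night-window calls per month that used target_sectors.

    records: iterable of (ISO timestamp, tower id, sector name).
    target_sectors: set of (tower id, sector name) pairs.
    """
    total = defaultdict(int)
    hits = defaultdict(int)
    for stamp, tower, sector in records:
        ts = datetime.fromisoformat(stamp)
        if not in_night_window(ts):
            continue  # daytime calls say little about where someone sleeps
        month = ts.strftime("%Y-%m")
        total[month] += 1
        if (tower, sector) in target_sectors:
            hits[month] += 1
    return {m: round(100.0 * hits[m] / total[m], 1) for m in sorted(total)}


# Constructed sample data; not taken from the case.
TOWER_A = (37.50, -77.50)
TOWER_B = (37.60, -77.50)
SAMPLE_CDRS = [
    ("2016-01-05T22:15", 468, "GAMMA"),
    ("2016-01-06T06:30", 468, "BETA"),
    ("2016-01-06T13:00", 302, "BETA"),   # daytime, excluded
    ("2016-01-09T23:50", 511, "ALPHA"),  # night, unrelated tower
    ("2016-01-12T21:00", 468, "BETA"),   # start of window, included
    ("2016-02-02T02:10", 468, "GAMMA"),
    ("2016-02-03T07:00", 302, "BETA"),   # end of window, excluded
    ("2016-02-10T21:45", 468, "BETA"),
]
RESIDENCE_SECTORS = {(468, "BETA"), (468, "GAMMA")}

if __name__ == "__main__":
    print(round(estimated_range_km(TOWER_A, TOWER_B), 2), "km")
    print(monthly_night_share(SAMPLE_CDRS, RESIDENCE_SECTORS))
```

Running the same tally with the sectors serving the other address gives the comparison figure for the report.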

Challenges to Analysis

As you can imagine, this was a large amount of data to analyze, map and report.  Additionally, condensing over 12 months’ worth of cellular call data into a concise, easy to understand report was vital in this case.  To add to the challenges, the ex-wife’s residence lay on the border of two sectors of the tower that was closest to it, so if a call were made in the front driveway, it may “ping” off of sector gamma, but if a call were made from the back of the house, it may “ping” off of sector beta (see graphic below).  This proved in the end to be an asset because it increased the percentages of calls that the paramour was making that hit off of that tower and those sectors. 

Mapping for Analysis

Mapping the locations of houses, cell towers and sectors in this case was essential.  To ensure a concise illustration, the data was pared down to the two relevant towers, three overall relevant sectors between them and the two relevant locations – the ex-wife’s house and the paramour’s listed residence.  When the data is distilled down, here’s what the map looked like:


As we stated in the final report, there are a number of factors that can affect the range of cell towers.  Terrain, tower load (use at a particular time), maintenance, weather, etc.  The pie-shaped wedges illustrated here are estimates and should be considered rough operational ranges. 

When all calls in the specified time frame were added up, 63% of them were sent or received from tower 468, sectors BETA and/or GAMMA.  That may not seem like an astronomical amount, but factor in that in some months 100% of the calls were sent or received from those sectors and that, in the same time period, only 1% of calls were sent or received from tower 302, sector BETA, which would be the tower closest to the paramour’s alleged & listed residence.

The Outcome

Despite continued challenges from the opposing party throughout this case and receiving a subpoena to appear in court to testify as to our findings, the case settled to our client’s satisfaction about a week before trial.  The client’s attorney in the case emailed to say “I believe that a big reason it resolved was your report.”  Feedback like that is fantastic to hear.  This case involved many hours of tedious analysis work and we’re very happy it turned out positively for the client. 

The value of cellular call detail record data in any number of cases should not be overlooked.  Recently, I was discussing mobile data with some personal injury attorneys.  The challenge in distracted driving cases, for instance, is that the device that may have been in use may be long gone by the time litigation and discovery comes around.  Other evidence, such as cellular call detail records, can prove very useful and should be considered as a valuable resource of information in civil cases ranging from alimony to employment disputes to personal injury. 


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6