Chapter 6. Digital Forensics at Work in the Legal System
Information in this chapter:
• Mitigation
• Pre-trial motions
• Trial preparation
• Example trial questions
• Trial phase
Digital forensics evidence is used in many ways in legal matters not only as part of civil and criminal trials, but also during the pre-trial and post-trial phases. Sometimes a forensic examination can result in charges being dropped, sentences being reduced, and civil matters being settled, all without ever going to trial. The other side of the coin is that the result of a forensic examination may help a defendant to understand that going to court is too risky versus taking a plea bargain. In this chapter we will look at how some of these roles are played out through case examples and example trial questions.
Keywords
Mitigation, Pre-Trial, Sentencing, Trial Preparation
Introduction
Digital forensics evidence is used in many ways in legal matters not only as part of civil and criminal trials, but also during the pre-trial and post-trial phases. Sometimes a forensic examination can result in charges being dropped, sentences being reduced, and civil matters being settled, all without ever going to trial. The other side of the coin is that the result of a forensic examination may help a defendant to understand that going to court is too risky versus taking a plea bargain. As part of an informal poll of examiners, the number of cases where examiners actually testify is extremely low, less than 5 percent of the time according to an unscientific poll conducted by the authors. However, depending on the individual examiner and their area of expertise, this percentage can be significantly higher than the 5 percent.
On the other hand, digital forensics examiners can play a significant role at trial both in presenting evidence and in assisting attorneys preparing for the examination of opposing experts. In this chapter we will look at how some of these roles are played out through case examples.
6.1. Mitigation
There are cases where an examiner’s role is to perform examinations for mitigation purposes where the evidence could be used for pre-sentencing hearings. In the case study “Pre-Sentence Mitigation in an Internet Predator Case,” the pre-sentencing computer forensic examination brought to light more than one mitigating factor in getting the sentence of a client who was more than 60 years old reduced from 25 years to 14 years.
In one particular case, the client was charged in federal court with solicitation of a minor via the Internet. As part of the sentencing enhancement, the prosecution’s computer forensics expert was claiming that the client had downloaded child pornography. He was not charged with the four images claimed as child pornography; they were being used only for sentence enhancement.
In addition, this client claimed that while he was chatting with people on the Internet, someone had offered to sell him an underage girl. In light of that claim, the judge had offered to reduce the client’s sentence if the evidence of the chat could be produced.
A firm was brought in by the defense attorney to see if the claims being made by both sides could be verified. An examination of the computers proved that three of the four images were not child pornography. This also revealed that the one image that could be child pornography had been placed on his computer via the old Microsoft Messenger Service. The Microsoft Messenger Service was included in the Windows 98 operating system and ran on startup as a service, and was not controlled by the user of the computer. It was common to receive spam messages via this service, including files. The examination also showed that the images were placed on the computer four years previously and had never been opened.
On the claim by the client that he had been offered the sale of an underage girl, the examiner was able to locate and reconstruct his Yahoo chat logs from unallocated space on the computer hard drive. This allowed the examiner to present not only the chat text where the offer had been made, but the city and telephone number of the person who made the offer.
When this information was provided to law enforcement, the client received a sentence reduction of 11 years.
6.2. Pre-trial motions
One of the ways that digital forensics experts assist attorneys is during the pre-trial phase. Experts can assist and testify in the support or opposition of motions to suppress evidence, motions to dismiss civil actions, and spoliation or discovery compliance motions. While this is for the attorney to decide, the examiner can certainly assist with the technical aspects and provide factual information in support of the motion. The examiner may also testify during the pre-trial motion hearings in support of the evidence at issue.
6.3. Trial preparation
One major role of the expert during the pre-trial phase is to clearly answer any questions the attorney may have regarding the digital evidence in the case. Attorneys are smart people, but they are not typically experts in all forms of evidence. It is critical to make sure that the attorney understands the evidence being presented and has the proper technical foundation to proceed with the digital evidence portion of the case.
As part of trial preparation, the expert can also provide questions for the attorney to use in preparing for the examination of the opposing expert based on the opposing expert’s report and the findings of the engaged expert. Of course, it is up to the attorney to decide which, if any, of the questions he or she wants to use, as he or she is the one who is deciding case strategy, not the expert.
One critical aspect of the expert’s role in this phase is to provide the attorney with questions that will assist in bringing out the facts in a way that clarifies the issues at hand for the jury.
While this may seem obvious, providing questions without the expected and/or correct answers would be like only giving someone half a hammer to drive a nail. The question set must be prepared so that the attorney will know in advance how the opposing expert may or should respond. It is part of an expert’s role to anticipate the testimony of the opposing expert and prepare for rebuttal testimony.
However, no one is ever able to predict what may happen once testimony begins, so the ability to adjust is critical as examining an expert about digital evidence can take unexpected turns. The best situation is to have your expert at the table during direct and cross so he or she can listen to the testimony and provide new questions based on the expert’s responses. Whether or not this will be possible depends on the case, the judge, and the jurisdiction. If the expert is not at the table, he or she can still take notes and be ready to pass them to the attorney at a convenient time.
6.4. Example trial questions
These example question sets are designed to be part of trial preparation. Included here are two example question sets; one written for a civil hearing and one written for use at a criminal trial.
As these are from actual cases, they have been sanitized to remove any possible identifying information and the opposing expert is simply called Mr Examiner.
6.4.1. A civil case example
In this example the questions are for a civil case where the client has been accused of spoliation of evidence by using a file destruction program. This question set was used at a court hearing to question the plaintiff’s expert on his examination of the defendant’s computer. A preservation order had been issued previously in the case, and the discovery of the file destruction program was at issue in the production of discovery documents. The plaintiff’s contention was that not all responsive discovery documents were produced and that the file destruction program was used as a method by the defendant to destroy evidence. The defendant’s claim was that the file destruction program was used only to remove sensitive information in the normal course of business and had been removed from the computer immediately after the issue of the preservation order.
Q. Mr Examiner, you have in front of you a copy of your summary report dated March 27th, 2008. Is that correct?
A. Yes.
Q. Mr Examiner, is this the report you wrote regarding your investigation of the computer?
A. Yes it is.
Q. Mr Examiner, referring to your report, you state that this is the summary report of the procedures and findings of the computer investigation you did. Is that correct?
A. Yes it is.
Q. Mr Examiner, the word “summary” implies that there is a detailed report to support the summary. Did you do a detailed report?
A. No.
Q. If he answers No: So you did not write a detailed report of the steps taken during your investigation?
A. No.
Q. And you did not write a detailed report to support your summary report?
A. No.
Q. Mr Examiner, if you did not write a detailed report, how did you manage to write a summary report?
A. (No way to anticipate the answer.)
Q. Mr Examiner, in your summary report you state that on March 21st of 2008 that you; and I quote: “Received a computer laptop for investigation.” Is that accurate according to the document you have in front of you?
A. Yes it is.
Q. Mr Examiner, can you describe for the court the methods you used to receive the laptop?
A. At this point he should be able to articulate his method for beginning the chain of custody. If he cannot, then question him about chain of custody specifically:
Q. Mr Examiner, are you familiar with the phrase, “chain of custody?”
A. Yes.
Q. Mr Examiner, can you describe for the court what chain of custody is?
A. (Correct Answer): Chain of custody is a process for ensuring that evidence is properly identified, collected, and protected from any changes from the first contact with the evidence and continuing through the end of litigation.
Q. Mr Examiner, referring to your summary, you state that at 11:13 AM you: “Removed hard drive from laptop and began imaging.” Is that a correct reading of your summary?
A. Yes.
Q. And your summary then states: “Disk Imaging process began.” Is that correct?
A. Yes.
Q. Mr Examiner, can you describe for the court the steps you took to protect the original hard drive from my client’s computer prior to and during this disk imaging process?
A. He should describe here how he performed this in a forensically sound manner. If he is not specific about how he protected the hard drive, then ask him:
Q. Mr Examiner, did you use any special tools or equipment to protect the hard drive from any possible changes before and during the disk imaging process?
A. If Yes, have him describe them.
Q. Mr Examiner, can you describe for the court exactly how you went about protecting the evidence on the hard drive?
A. If No, attack his methods.
Q. Mr Examiner, are you telling this court that you did not take any precautions of any kind to protect the evidence provided to you by my client?
Q. Mr Examiner, do you have any idea of how to conduct a forensically sound examination of a computer?
A. If Yes: Mr Examiner, if you know how to conduct a forensically sound examination of a computer, why didn’t you?
A. If No, attack his expertise.
Q. Mr Examiner, you have presented yourself here today as an expert in computer forensics. But now you are telling this court that you really have no idea about computer forensics. Is that a correct assessment?
A. Yes.
Q. Mr Examiner, did you take any steps to validate the disk image you made from the hard drive?
A. He should say here that the tool he used created a verification hash value for the hard drive. If not, then ask about hash values.
Q. Mr Examiner, are you familiar with the term hash value?
A. Yes.
Q. Mr Examiner, specifically in the realm of computer forensics, can you explain for the court what a hash value is?
A. (Correct Answer): A hash value is a mathematical operation that computes a unique value for the contents of a hard drive or a file. This acts as a fingerprint so that the contents of the hard drive or file can later be validated as unchanged by recomputing the hash value against the original evidence. This is the only accepted method for verifying that evidence has not been changed in some way.
Q. Mr Examiner, did the tools you used to create the image of the hard drive from my client’s laptop computer compute this hash value?
A. No, it did not.
Q. Mr Examiner in your report, you state that at 2:46 PM: “Started data recovery process on disk image.” Is that correct?
A. Yes.
Q. Mr Examiner, what is data recovery?
A. (Correct Answer): Data recovery is the process of locating and rebuilding files that have been deleted on a computer hard drive.
Q. Mr Examiner, can you tell the court what software you used to perform this data recovery?
A. (Not in his report)
Q. Mr Examiner, have you received any training for this particular data recovery software?
A. (Not in his report or CV)
Q. Mr Examiner, can you explain for the court what happens when someone deletes a file on a computer?
A. (Correct Answer): When the user “deletes” the file, the operating system marks the file for deletion and puts it in the Recycle Bin. The operating system does not allow the space used by the deleted file to be used just in case the user changes their mind and wants to get the file back out of the Recycle Bin.
Q. What happens when the user empties the Recycle Bin on their computer?
A. (Correct Answer): Initially when a file is deleted it goes into the Recycle Bin. However, when the computer user empties the Recycle Bin, the operating system, in this case Windows, just stops keeping track of the file since the user has indicated that they no longer care about the file. The file itself is not actually deleted. Only the information about where the file is located is deleted. In effect, the operating system now “releases” the space used by the deleted file so that the operating system can use that space again for new files when the space is needed.
Q. Mr Examiner, is there a name for the space you are talking about when you refer to files that have been removed from the Recycle Bin?
A. (Correct Answer): Yes, this area is called “free space,” or the correct term is “unallocated space.”
Q. Mr Examiner, can you explain for the court how files are recovered by the software you used?
A. (Correct Answer): Data recovery software uses three methods for recovering files.
The first method is the equivalent of just looking in the Recycle Bin and restoring the file from there. This will result in the entire file being recovered.
The second method involves “reading” the file table that is maintained by Windows. This allows the recovery software to locate at least the first piece of a file. Then the recovery software follows a method called chaining, in which each piece of the file it finds contains information about the next piece of the file. This method may get some or all of the file.
The third method uses file signatures to recover files from unallocated space. This method will result in many files that cannot be opened.
Q. Mr Examiner, can you explain to the court what a file signature is and how it is used to recover a file from this unallocated space?
A. (Correct Answer): Nearly every kind of file has something called a header and sometimes a footer as well. A file header is in the first little bit of the file and describes what kind of file it is. The footer is at the end of the file itself and tells the software where the end of the file is.
For example, a Microsoft Word document has a specific header that tells the recovery software what kind of file it is. When the recovery software sees the header for a Microsoft Word document, it will then attempt to recover that document beginning at the point where it finds the header. However, this method only knows about the very first part of the file that contains the header information. From that point the software grabs everything until it either locates a footer for that file or finds a new header for a different file.
This method has to assume that all of the file pieces are next to each other on the hard drive. If all of the pieces of the file are together on the hard drive, the file can be recovered and can probably be opened. However, if all of the pieces are not together on the hard drive, the recovery software will still attempt to recover the file. This results in a lot of files that cannot be opened.
Q. Mr Examiner, did you at any time during your investigation operate or use my client’s computer after you made the disk image? (This is a reference to the notes of the witness who observed the examination.)
A. Yes.
Q. Mr Examiner, are you aware that by doing so you altered and destroyed some of the original evidence?
A. He might say here that he asked the client for permission. If he does, then ask:
Q. Mr Examiner, is my client a computer forensic expert?
A. Not that I am aware of.
Q. Did you inform my client that by operating his computer you would be altering and destroying evidence contained on his hard drive?
A. No.
Q. Mr Examiner, in your summary you stated that on March 22, at 11:11 AM you identified that program “File Wiper” was used on the subject hard drive on January 27, 2008 at 3:03 PM. Is that an accurate reading?
A. Yes.
Q. Mr Examiner, are you certain about the date and time that you show in your report as being accurate?
A. Yes I am.
Q. Mr Examiner, can you tell the court what time zone you are referring to for the time to be 3:03 PM?
Q. Mr Examiner, if the time you show in your report is GMT, what time would it be in the current time zone for my client’s computer?
A. (Correct Answer): 11:03AM Eastern Daylight Time
Q. Mr Examiner, you stated that the program “File Wiper was used on the subject hard drive.” Is that an accurate reading of your report?
A. Yes.
Q. Mr Examiner, how do you know that the program was used on the subject hard drive on that date and time?
A. Here he will probably say that was the last accessed time, which would indicate the last time the program was run.
Q. Mr Examiner, I don’t see anything in your report that shows where that date and time came from. Is it in here and I just cannot see it?
A. This information is not in the report.
Q. Mr Examiner, is there some other report that contains this information? (If so, where is it?)
A. No.
Q. Mr Examiner, can you tell the court exactly where you obtained the date and time that you indicate is the last time the File Wiper program was run?
A. He should say that he got this from the thumbs.db file in the File Wiper folder.
If Yes then:
Q. Mr Examiner, is this thumbs.db file you are referring to part of the File Wiper program?
A. (Correct Answer): No it is not.
Q. Mr Examiner, can you explain for the court what a thumbs.db file is?
A. (Correct Answer): The thumbs.db file is a file that is automatically created by the Windows operating system that contains little pictures of the program’s icons, documents, and so on.
Q. Mr Examiner, can you explain to the court how and when the dates and times get updated for a thumbs.db file?
A. (Correct Answer): The dates and times in a thumbs.db file are updated any time the files in the folder where the thumbs.db file is located are changed in some way.
Q. Mr Examiner, would deleting a file in that folder be a change to that file?
A. Yes.
Q. Mr Examiner, would the thumbs.db file be updated when the files in the folder are deleted?
A. (Correct Answer): Yes.
Q. Mr Examiner, can you explain for the court what the program “File Wiper” does?
A. (Correct Answer): It permanently destroys data on a computer hard drive.
Q. Mr Examiner, can you explain for the court how this program accomplishes the permanent destruction of data on a computer hard drive?
A. (Correct Answer): The software writes over the file with new data, usually in the form of ones or zeroes. Once data is overwritten in this manner, it cannot be recovered.
Q. Mr Examiner, on the second page of your report you have a paragraph title “Findings.” Is that correct?
A. Yes.
Q. And in that paragraph you have two sentences. Is that correct?
A. Yes.
Q. In the first sentence you state and I quote, “File Wiper” is software that is designed to permanently destroy data from computers. Is that an accurate reading of your statement?
A. Yes.
Q. Mr Examiner, in the second line of the paragraph you have labeled as Findings in your report, you state, and I quote, “Because this software was being used on the hard drive, many of the files recovered were unreadable.” Is that an accurate reading of your statement?
A. Yes.
Q. Mr Examiner, if as you indicate in your findings that File Wiper permanently destroys data, how it is possible that the files recovered were unreadable?
A. (Correct Answer): It is not possible.
Q. Mr Examiner, if as you state, the program that the File Wiper was run on January 27th of 2008, how is it possible that any files were recovered that existed prior to that date?
A. (Correct Answer): It is not possible.
Q. Mr Examiner, you are telling this court that this File Wiper program was run on a particular date and time. Is that correct?
A. Yes.
Q. Mr Examiner, is there any kind of evidence to back up your statement in your report?
A. Not directly.
Q. You mean not at all, don’t you?
A. Yes.
Q. So you offer your opinion based on your report, but offer no evidence of any kind to support your statement?
A. Yes.
6.4.2. Criminal trial example
While criminal and civil matters share many characteristics and evidence types, evidence in many criminal cases depends heavily on timelines and user attribution, that is, who was at the computer when something happened, and who had access to the computer. When computer evidence is being relied on to show when someone performed a map search, ran an Internet search, downloaded a file, had an online chat and so forth, getting the time right is critical. Failing to perform basic examination steps like making sure the time is correct on a computer or other digital device can make a huge difference in the reliability of the timeline evidence.
The same is true when one side or the other is trying to prove that a particular person performed some action on a computer; knowing who had accounts and whether or not any or all of those accounts were secured by passwords can be used to show that only one person or any one of multiple people could have performed the map search, Internet chat, or other action.
Another issue that comes up in a lot of cases is whether or not the computer clock could have been changed to disguise when something occurred.
This set of questions was prepared for a death penalty trial. However, the case never went to trial and the defendant received 17 years as part of a plea bargain.
Q. Mr Examiner, can you tell us what physical evidence you received in order to conduct an examination of the computer evidence in this case?
A. I received three hard drives.
Q. When you say you received three hard drives, does that mean that you did not receive the actual computers?
A. Yes.
Q. Mr Examiner, did you ever have an occasion to examine the computers themselves?
A. No.
Q. So you conducted your entire examination on the hard drives and not the computers?
Q. Mr Examiner, do you know who removed the hard drives from the computers?
A. No.
Q. Mr Examiner, do you know if the person who removed the hard drives from the computers examined the computers in any way?
A. No, I do not.
Q. Moving on to the analysis of the hard drives. When you examined the hard drives in this case, did you locate and examine the user accounts for each of the computers?
A. No. (See below.)
Q. If Yes, then: Mr Examiner, you say that you did locate the user accounts on each of the computers?
A. Yes.
Q. Did you include this listing in any of your reports?
A. No.
Q. Mr Examiner, in regard to user accounts on the hard drive evidence, did you check to see if any of the computers were password protected?
A. No. (See below.)
Q. Did you include this information in any of your reports?
A. No.
Q. Optional question: Mr Examiner, if a computer is password protected, but the password is known by several people, and those people are authorized to all use the same password, would this be the equivalent of no password protection for that group of people?
A. Yes.
Q. Optional question: Mr Examiner, if a computer has a blank password, in other words, you just press Enter to log on, would that be the same as no password?
A. Yes.
Q. Mr Examiner, I would like to go back for a moment to the physical evidence you examined in this case. You stated that you only received the hard drives, and not the computers. Is that correct?
A. Yes.
Q. Mr Examiner, would you consider examining the computer itself to determine such things as the current setting of the computer clock time to be a normal part of a forensic analysis?
A. Yes.
Q. In this case, Mr Examiner, are you aware of anyone examining the computers to determine the accuracy of the clocks on the computers?
A. No.
Q. Mr Examiner, in your experience, when you receive a complete computer as evidence, do you examine the computer to get the computer clock time?
A. Yes.
Q. Can you walk us through how that process should go?
A. (Correct Answer): First, you disconnect any hard drives in the computer to prevent them from accidentally being written to during this part of the examination. Then you start the computer up into BIOS. (This is the part of the computer that contains information about the computer itself, including the real-time clock information.) Then you record the time from the computer’s real-time clock and check it against an external time source for accuracy.
Q. Mr Examiner, would you consider this to be an important step in a complete computer forensics examination?
A. Yes.
Q. Can you explain to the jury why this is an important part of a complete computer forensics examination?
A. (Correct Answer): It is important to know the time from the computer to make sure that when you review items on the computer hard drive, the time recorded for each of those items is accurate.
Q. And why is it important to know if the times that items are recorded are accurate?
A. (Correct Answer): If you are trying to say that someone did something on the computer on a certain date at a specific time, you must have this information. If the computer clock is wrong and you don’t have a comparison to an external time source, you cannot say for certain when something happened.
Q. Would it be fair to say that youdon’t knowif the clocks on the computers in this case are accurate?
A. Yes.
Q. Mr Examiner, I’d like to ask you about Item 17. This is the hard drive from a computer that was located at my client’s business. Is that correct?
A. Yes.
Q. When you examined the hard drive for evidence, did you determine if more than one person used this computer on a regular basis?
A. No. (See below.)
Q. How did you determine that more than one person used this computer on a regular basis?
A. (Correct Answer): By examining the folders and e-mail accounts on the hard drive. Several folders had names such as …. Also, several e-mail accounts were present with different identities.
Q. Is it possible that more than one person used this computer on the same account?
A. Yes.
Q. Mr Examiner, in your report you stated that “the computer user logged in to Item 17 under my client’s user account.” Can you explain what that means exactly?
A. (Correct Answer): Someone logged in to the computer using the defendant’s account rather than a user account of their own.
Q. Does that mean that the user was my client and could only have been my client?
A. No.
Q. So it could have been anyone with access to the computer?
A. Yes.
Q. You stated that someone logged in to the computer under my client’s user account and visited the websitewww.mapquest.comon 12/4/06 from 11:23AM EST until 11:42AM EST. Is that an accurate account of what you stated in your report?
A. Yes.
Q. But you cannot say that the user logged in to the computer was in fact my client. Is that correct?
A. Yes, that is correct.
Q. As part of the statement I just read, you gave the exact date and times for thewww.mapquest.comwebsite. Now Mr Examiner, without knowing what the actual time was on the computer, can you say without a doubt that the times stated in your report are accurate?
A. No.
Q. So it could have been some other time than the time you stated in your report?
A. Yes.
Q. Mr Examiner, let’s talk about Item 15. This is the hard drive from the laptop computer from my client’s home. Is that correct?
A. Yes.
Q. Was the real-time clock information for this computer checked and recorded as part of the forensic analysis for the computer?
A. No.
Q. So you don’t know if the computer clock was accurate on the computer taken from my client’s home?
A. No, I do not.
Q. Is that because you only received the hard drive from the computer and not the whole computer?
Q. And do you know if this computer was password protected?
A. No, I do not.
Q. Do you know if access to this computer was restricted in some other way? Locked in an office in his home, for instance?
A. No, it was not.
Q. Would be fair to say that someone other than my client could have used this computer?
A. (The correct answer could be “Yes,” or “I don’t know,” or “It is possible.”)
Q. But you cannot say if there was anything that would prevent someone other than my client from using this computer, correct?
A. Yes.
Q. In your report you stated that several Internet searches were made on this computer for keywords such as death, murder, and accidental deaths, as well as searches for videos and images based on the search term “death.” Is that correct?
A. Yes.
Q. But you cannot say with certainty that my client was the person who made these searches, can you?
A. No.
Q. It could have been someone he allowed to use his computer. Is that correct?
A. Yes.
Q. The actual web pages returned by these searches were not recovered. Is that correct?
A. They were not.
Q. Did you attempt to find out what kind of results would have been returned by these searches?
A. No.
Q. So you don’t know what the user saw once these search terms were entered into the computer. Is that correct?
A. Yes.
Q. Did you locate any web pages or other information from the computer hard drives related to committing a murder?
A. No.
Q. Did you locate any web pages or other information on the computers related to disposing of a body?
A. No.
Q. Item 16 is a hard drive from one of the computers at my client’s place of business. Is that correct?
A. Yes.
Q. You stated in your report that a text fragment was recovered from that computer hard drive that contained references to “death, murder, and revenge through guns.” Is that correct?
A. Yes.
Q. Mr Examiner, I have a printout of that text fragment here. Would you classify this as a document that has any meaning, or would you say it is just a bunch of words typed over and over?
A. Yes, it is words typed over and over.
Q. Would it be fair to say that someone reading this document would not receive any useful information about death, murder, and revenge through guns?
A. Yes.
Q. Mr Examiner, fax machines were also collected by police in this case. Were you or anyone at your agency ever asked to examine these fax machines?
A. No.
6.5. Trial phase
When a case does go to trial where digital evidence is to be presented by one or both sides through expert or fact witness testimony, the examiner can be of assistance in parsing the responses of the opposing expert during direct and cross examination.
Summary
In this chapter we looked at the various ways that digital forensics experts participate in the legal system. We also looked at some case examples for mitigation and pre-sentencing. Finally, we looked at some question sets developed for real cases that demonstrated lines of questioning about digital evidence in a civil and a criminal case.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.