RMRI, LLC.'s Blog

Private Investigations Blog

Archive for the ‘Cyber Investigations’ Category

RMRI, LLC. People Locates!

with one comment

rmri-llc-web-size

RMRI, LLC.

Today I’d like to talk a little about locating people, which is one of the things that RMRI, LLC. does really well. Rick Gurley, the owner of RMRI, LLC. has over 28 years of history at locating hard to find people. Rick Gurley honed his skip tracing skills in the Bail Bonds Industry starting in 1989 by locating fugitives that were on the run and trying to avoid criminal prosecution from crimes ranging from petty theft to murder. Rick Gurley learned how to investigate the ‘old fashioned way” back in those days, by taking trips to the courthouse to review case files, going to the libraries to look in Cole’s Directories, interviewing people face to face, and spending long hours on surveillance watching locations.

As the technology evolved Rick Gurley knew that the Internet would be the wave of the future when it came to efficiently locating people. Rick Gurley knew that the Internet would be a place that all of the resources he had to physically travel to and spend so much time looking up in books and hard copy files could be packed into. So, Rick Gurley began to learn about the Internet, computers, and how this could enhance his ability to investigate fugitives and locate them. Rick Gurley spend hours and hours a day on the Internet researching site that housed personal information. Rick Gurley also learned how the Internet worked, what the Internet Tool Suite is, and how to use it to trace information on the Internet, becoming very proficient with Internet Investigations.

As technology progressed in the early to mid 90s, Rick Gurley started noticing that the new technology on the Internet was customized databases that were being privately developed for profit. customized databases that could house huge amounts of personal data. Rick Gurley knew that it would be imperative to learn about these new databases, how they worked, where the information in them came from, and how it could be updated. Rick Gurley gained access these databases, and started experimenting with the databases. Rick Gurley became very knowledgeable on where the information came from in these databases, which databases were the most up-to-date, and which databases kept their information the freshest. Later Rick Gurley would go on to consult to the private sector and to the government a little on how these databases could be used to locate and background people.

Now, Rick Gurley has the history behind him to feel confident in his abilities to locate even the hardest to find of people. Rick Gurley has amassed the tools and technology to be able to locate a person very quickly and without having to spend much in expenses, therefore economically to his clients. You know those people that are “shadows”? hard to find? Hard to know anything about? Well, that is what RMRI, LLC. does, we cast light on those shadows. We can find out where they live, what their phone number is, what their email address is, and who they are.  RMRI, LLC. can do this very affordably, in most cases under $1,00.00., and in a lot of cases under $500.00.

IMG_20170826_091332_338

When you need to know. When you have only a “shadow”, and you need to know more. Call RMRI, LLC. and let us bring those shadows out into the light for you. We can find that long lost relative, that Military buddy, that old college friend, that witness you may need on a court case, or that person that owes you money. This is what RMRI, LLC. has been doing for over 28 years! Call RMRI, LLC. today: (573) 234-4871

 

2011-03-03_09-22-31_88

Personal Signature

Beware Of What You Don’t Know: SKIPSMASHER!

 

That pesky weather bulletin that you are getting, you know the one that keeps “popping up” on your cell phone? That text message to call a number that is listed in the text, you know the one that looks like there is some kind of a dire emergency that you need to be warned about? BEWARE, these could very well be some unethical Private Investigator trying to locate your exact geographical position! Yeah, REALLY!

The average consumer is probably unaware of how many times a day his or her privacy is violated. The average consumer is probably unaware that at any give time most Private Investigators and Collection Agencies, Repossession Agencies can find a person’s exact location. Thanks to sites like “Skip Smasher” you’ll never know if that Weather Bulletin is a real weather alert that was sent to you strictly to warn you about weather conditions, or if it is someone trying to find out what your exact location is. Below is the description from “Skip Smasher” of the service it offers to it’s customers:

Cell Stinger

This is actually a wonderful way to invade someone’s privacy and claim it is legitimate because they have location services turned on, on their phone. The problem is that this method uses subterfuge to exploit your location bases services that were originally designed to help drives and hikers navigate. What happens is the weather bulleting starts to pop up and nag the unsuspecting victim and it asks the unsuspecting victim if they would like to opt out of receiving these alerts, when the unsuspecting victim does this the opt out process captures the unsuspecting victim’s location and sends it to a server where it is processed and sent to the person paying to have this service in the form of a  Google Map with as much details as can be processed on the unsuspecting victim’s location.

Enter Robert Scott, the man that owns “Skip Smasher” and who is making good money off of showing Private Investigators how to exploit your privacy. And he does not care at all that this could be an invasion of privacy, because he is a Private Investigator himself and that is how he markets this service, as a service for Investigative Professionals by Investigative Professionals. Actually what happens here is some Private Investigator uses this to locate you, the unsuspecting citizen for someone that is paying that Private Investigator money. And the service is CHEAP! For under five dollars ($5.00) a Private Investigator can use this service to “ping” your exact location. Does it not seem a little “creepy” that a person that does not like you, or is obsessed with you, or intends you harm can get someone with this type of technology to find your exact location at almost any given time, for a price? Are you still comfortable with that weather bulletin that just came in on your cell phone?

Okay, so you are a Private Citizen and you want to do something about this. What do you do? Well, right now this service is not illegal, however in 2001 pretexting a cell phone for a third party’s cell phone records was not illegal either. Until Senator Charles Schumer made it illegal to gain another person’s cell phone call details without authorization. If you feel like you don’t want to be the victim of this type of privacy invasion, call your State Representatives, Call your Senators; request that they open an investigation into Robert Scott and “Skip Smasher” . Request that your Senator or your State Representative try to pass new legislation to outlaw this practice. Request that your State Senators and State Representatives send Robert Scott a stern message that it is not acceptable to profit from the wholesale invasion of people’s privacy.

Below are links that will help you find the contact details for your State Senators and State Representatives, if you decide that you don’t want to accept this type of privacy invasion:

State Senators Directory

U.S. House Of Representatives Directory

California State Representatives  Mr. Robert Scott lives in California.

Search State House of Representatives This is the Google Search Link, all you have to do is click it and peruse the results.

Privacy is in short supply. You will find the word “privacy” nowhere in the constitution. But we should all have an expectation that the items we purchase to make our lives a little more comfortable should not be exploited and turned against us to take what little bit of privacy we have left.

2011-03-03_09-22-41_508

 

 

 

 

 

 

 

 

 

Read the rest of this entry »

Confidentiality: Good P.I.’s Remain Silent About Their Cases And Clients!

leave a comment »

I have been on the Internet for a very long time, probably longer than most Private Investigators have. I am always amazed at the information one can find on the Internet. Most of the information on the Internet is information that we freely give about ourselves. Between social networks, email, and the “deep web”, we can find out almost anything about anyone. It has become accepted and even expected that the consumer will inadvertently give out private information about their self on the Internet in current times. But what about Private Investigators? One would think that a Private Investigator would be cautious of what they allow others to see about them and their business on the Internet. Sadly, this does not seem to be the case.

The Private Investigation business is a funny business, while the Private Investigator has to be able to keep his or her case information confidential, he or she also has to find an effective way to advertise or market on the Internet these days, also. Often times Private Investigators blur the lines between marketing and giving out confidential information on the Internet. I was amazed eight years ago when I found a naked picture of one Private Investigator on the Internet. Not surprisingly this Private Investigator was the very person responsible for their naked picture being on the Internet. If this Private Investigator had not sent their naked picture to other unsuspecting people of the opposite sex in email, their picture would have never been found on the Internet. This is just an example  of how careless one Private Investigator had become with their information. But there are literally hundreds of examples like this where Private Investigators have shared a little too much on the Internet.

We all remember the Baby Lisa Irwin Case, and one Private Investigator’s attempt to grab some attention by proclaiming how he was working this case, then “backpedaling” and stating that he was blogging this case as an “Investigative Journalist”, right? Look at all of the information and inferences one could make from that situation. First, the question comes to mind; why wouldn’t anyone actually hire him to work this case? Second, one has to wonder was this Private Investigator using his fee based, proprietary databases to cull information on this case, while he was clearly not working as a hired Private Investigator conducting a Private Investigation? Third, was it appropriate to share the results of his investigation with the public, while the Police were conducting an investigation into the disappearance of this infant, if he was not hired by anyone to conduct this investigation? It is one thing to conduct an investigation as a hired Private Investigator where you have an obligation to your client to investigate the case and keep the information that you gather confidential; it is entirely another thing to possibly interfere with a Police investigation by conducting an investigation for the sake of blogging about your findings for a little media attention. And to this day, this Private Investigator has put himself in the unenviable position of not being able to prove that he did one single thing that helped in locating this child; the only thing he did do was make himself look like an attention starved, low-rent Private Investigator that would do anything for a little media attention.

RMRI, Inc. works a good deal of very sensitive cases that go to court and can be “life altering” to our clients if certain critical information were to come out about our cases. RMRI, Inc. has a few hard and fast rules and protocols about how we conduct business and what we choose to let the public know about our business. First, the ONLY time we are working a case is when we have a paying client, we don’t work cases for free in the hopes of getting some media attention. In all cases that go to court, we enter into a contract with the client. If the case is something simple, where a contract is not necessary (such as: serving a summons) we get an email acknowledgement or an on-line acknowledgement that we are working for the client and that the client expects any information we find in the course of doing our work to remain confidential. We NEVER speak to anyone outside of the client and our team members about an active and ongoing case. Even after a case is completely finished we have a ninety (90) day wait time before we can even acknowledge that we had any involvement with the case whatsoever, and then after that ninety (90) days we can not mention anything that identifies the case we can just speak in general terms about the case.  Our approach is quite simple; “we don’t want attention, we want to be paid”. We liken our work to that of any other job, we “punch in” and work, we “punch out” and go home, and we collect our pay. We work to make a living, not for glamour and fame.

While it is true that you can find RMRI, Inc.’s company name in certain publications for attorneys and certain news papers and magazines, what you wont find is any specific information about cases we work, such as names, dates, and specific locations. While you might see a mentioning of cases on our website, what you will not see is any specific mentioning of the details of these cases unless they are over seven (7) years old. While you might see a Facebook Page for RMRI, Inc., what you won’t see is any mention of a case we are working. We make tremendous efforts and take great pains at RMRI, Inc. not to blur the lines between advertising and giving out even a hint of information about our clients and our cases. RMRI, Inc. is not so desperate for attention that we are willing to forsake our client’s privacy for some media attention.

RMRI, Inc. is made up of two (2) licensed Private Investigators, one (1) Pending Licensed Private Investigator, one (1) Process Server, two (2) Technical Consultants qualified as Expert Witnesses, and one (1) Secretary and all of our staff have committed to keeping all case and client data at RMRI, Inc. confidential. Each member is well aware that intentionally “leaking” case and/or client information outside of the confines of RMRI, Inc. is grounds for termination and possible civil action.

In Summary

A Private Investigator’s ability to keep his or her case and client information is paramount. Confidentiality in the Private Investigation Business is a justified expectation of the client. A successful and confident Private Investigator feels no need to boast about their cases or their clients. Confidentiality is the hallmark of any successful Private investigation Business. If you don’t understand confidentiality, you don’t understand the Private Investigation Business!

A Case To Remember!

leave a comment »

For the past two days I have been in court in Boone County, MO. Tonight on 04/10/2012 I got out of court around 10:30 PM. I was there with one of my Technical Consultants on a very interesting case. I want to discuss this case a little here on this blog.

First of all; before I post about this case I think that there are some really outstanding people who need to be acknowledged. The Boone County Sheriff’s Department’s Cyber Crimes Task Force deserves a lot of recognition. My company has worked cases involving several Internet Crimes Units in Law Enforcement; and this team is by far the very best in the state of Missouri. Andy Anderson, Scott Richardson, Mark Sullivan, and Tracy Perkins are simply phenomenal Investigators that are highly skilled, well-organized, and impressively knowledgeable about their work. These Detectives are an example of what Law Enforcement should be. These Detectives make sacrifices that most people could not begin to comprehend, everyday! They see things that are beyond heart breaking, and somehow manage to keep their humanity and integrity intact; indeed they are very special people. They are incredible people who we should all be grateful to. These wonderful people are keeping our children safe in Boone County and the surrounding areas, and doing a most impressive job of it! They are honest, decent people that I am proud to have working as Law Enforcement in the county that I live in. We owe them a tremendous debt!

When I post about the types of cases that RMRI, Inc. often finds itself working, I have a policy that I never mention the name of the defendant on my blog. So, here in this blog entry we will simply call the person that was charged in this case “The Defendant”.

In the case that I am posting about tonight a person was charged with Possession of Child Pornography and Promoting Child Pornography, two very serious felonies that have a potential of sending the defendant to prison for thirty years if convicted of these two crimes. This person was a young college student when they were charged with these offenses. A college student doing what most college students did back when Limewire was a functioning piece of software. This person was downloading music and videos, and was curious about what they could get from Limewire. As you can imagine, as a college student this person’s curiosity was vast and even extended into wanting to view some adult content material. In the process of downloading files from Limewire this person also downloaded three files that can only be termed as “illegal content”. These three files are what constituted the charges that were filed against this person.

When the defendant in this case had their computer seized and had a computer forensics examination performed on their computer, there were literally hundreds for music and video files on the computer and three clearly identifiable illegal files on their computer. Due to these findings, the defendant was charged with Possession of Child Pornography for having the files on their computer and Promotion of Child Pornography for having these files in a shared folder on their computer.

Now there is no doubt that the defendant downloaded these files, there is no doubt that the defendant possessed these files, there is no doubt that these files resided on the defendant’s computer in a shared folder. These facts were well established by the The Boone County Sheriff’s Department’s Cyber Crimes Task Force . And I will say this, if that were all that it would take to be guilty of these crimes, then the defendant would be guilty. However, these cases are far more complex than this. In almost every crime there is an element of intent, except in a few crimes which are called “Strict Liability Crimes”. In these intent based crimes the Prosecution has to show that the Defendant knowingly intended to commit the crime. In this case that means the Prosecution has to prove that the Defendant intended to download thee files for the purpose of deriving some sort of sexual satisfaction by viewing these files.

In this case Tracy Perkins and Scott Richardson gave testimony as to their factual findings in this case. Both of these Detectives should be commended for giving honest, factual testimony with no embellishment whatsoever. I have come to expect that high level of integrity and honesty from the Detectives at The Boone County Sheriff’s Department’s Cyber Crimes Task Force .

Attorneys George Batek and Kathryn Benson questioned these Detectives on cross-examination thoroughly and these Detectives just relayed the facts of their case honestly and with no embellishment.  George Batek and Kathryn Benson are two SUPER Attorneys too, they did not miss a beat in this case. George and Kathryn are simply two of the hardest working attorneys that I have ever met!

George Batek and Kathryn Benson contracted with RMRI, Inc. to aid them on the technical aspects of this case about forty-five days ago. I chose to bring Steve Turner in on this case due to his extremely extensive knowledge of computers, the Internet, and working with people from novice computer users to advanced computer users in instructing them on how to properly use their computers and maintain their computers for over twenty years. Steve Turner was able to quickly develop a profile on the level of sophistication that the defendant possessed with regard to computers and the Internet-based on how the defendant used their computer. Steve Turner was able to demonstrate that the defendant was only a novice computer user and easily made some mistakes on setting their computer up and maintaining the software on their computer. Steve Turner gave Expert Witness testimony on exactly how the defendant managed to get the three files in question, and how it was entirely possible that the defendant mistakenly downloaded these files due to making some mistakes that only a novice computer user would make. Steve Turner is simply a phenomenal person with an impressive amount of experience and knowledge when it comes to working with computers, servers, the Internet, mobile devices, and telecommunications devices.

It is first necessary to say that The Boone County Sheriff’s Department’s Cyber Crimes Task Force did nothing wrong or incorrect. Their methodologies are sound, they are thorough, and they have a very impressive knowledge of Digital Forensics and Digital Evidence issues. Their work was never at anytime in question. The question simply came down to this: Was a Jury ready to send a young adult to prison for a long time and negatively impact their life for a long time over what may have very well been a simple mistake made by a novice computer user? And this Jury had the humanity and the wisdom to refuse to do so and to return a verdict of Not Guilty on both charges.

I have to admit that when the verdict was read I made a “whooping sound” that I felt quickly ashamed of afterwards, but this was because I really had some reservations about the wisdom of the Prosecution in charging this young person with these very serious crimes over what even looks like on its face to be a completely unintentional. I know that the Prosecutor was doing her job. And I am grateful that she too is a very tough lady with zero tolerance for these types of crimes. I have just never been sure in this case if it was wise to charge a young person with such terrible crimes. I mean, I have a hard time understanding the benefit to society in negatively impacting someone’s life with these types of charges for over what even on its face looks to be an honest mistake. But, I will concede that this Prosecutor is smarter than I am about these matters, and she has a level of understanding about the law that far exceeds my understanding of the law.

Despite my reservations about this young person being charged with these crimes; I was happy to be a part of this case. I was surrounded by really good and decent people on this case; two SUPER Defense Attorneys, four WONDERFUL Detectives that are just consummate Professionals at what they do, one of my Technical Consultants that I have become so proud to call a friend, a colleague, and a work associate, and a really nice, family that bound together with love for one another and showed that through their support of their family member, the defendant! In my mind, this was not a “win or lose case”; this was a case that restores one’s faith in people, in Law Enforcement, in the Family Unit and there is simply no better feeling than that!

 

 

 

 

 

 

 

 

 

Working A Good Case With Good People

leave a comment »

Back in the last part of 2011 RMRI, Inc. was called upon to review a case in Camdenton, MO. The case involved a young man who had three illegal files on his computer. The state of Missouri Family Services Division has what is known as a “Stat Team”; this is the team of Investigators that conduct technical investigations for the Division of Family Services. The “Stat Team” conducts Computer Forensics Examinations in cases where they might have a complaint of sexual abuse in the family home. If the “Stat Team” finds illegal content on the computer that the Investigator is examining the Investigator that did the examination can refer this case for prosecution.

In the case that RMRI, Inc. was contacted about the Missouri “Stat Team” found three images on the defendant’s computer of an illegal nature. Often times RMRI, Inc. will be called in by the defense attorney to consult on these types of cases. Because these specific types of cases are so technical due to the very nature of these cases often the Defense Attorney wants to call on an expert to explain exactly what occurred on the defendant’s computer that resulted in these charges, to interpret the evidence since it will usually consist of a good deal of technical jargon, and to see if the Investigator made any statements that might indicate that he or she did not correctly interpret their evidence. RMRI, Inc. has some of the best expert witnesses in the state of Missouri for cases involving almost all manners of digital evidence. RMRI, Inc. has a “Technical Team” of two experts that have a combined fifty years of experience in working with everything from software development and programming, source code analysis, virus and malware defense and protection, computer repair, file recovery, software development, computer security consulting, and forensic acquisition techniques.

When RMRI, Inc. is first called in to consult on a case of this nature the first thing that we want to do is see all of the discovery on these cases. We want to see the report from the Investigator that did the forensic analysis of the computer in question, we want to see any deposition material where the Investigators were deposed by the defense attorney, we want to see any interviews conducted with the defendant, and anything else that the prosecution has provided that will give us an accurate picture of what happened to cause the defendant to be charged. RMRI, Inc. also wants to be present for any testimony that the Investigator that worked this type of case gives.

In the present case that we are discussing here, the testimony of the Investigator that conducted the computer forensics examination on the defendant’s computer gave us great pause as to whether this Investigator correctly interpreted the evidence that he found on the defendant’s computer. In this case the Investigator believed that the defendant downloaded three illegal files to their computer for viewing. The reality of the case is that the defendant never even knew that these files resided on their computer. These files were simply thumbnails that were residing in the temporary file section of the defendant’s computer and were put their as a result of the defendant looking at a website, but NOT even knowing that this website would place these thumbnail images on their computer as a result of viewing this website. Through careful and methodical research RMRI, Inc. was able to not only come to understand what had occurred on the defendant’s computer but was also prepared to prove what happened on the defendant’s computer.

The main figure in this case that was actually able to get this case dismissed at deposition without it ever seeing a trial was the attorney. The attorney is Deirdre O’Donnell of Phillips, McElyea, Carpenter, & Welch, P.C. who was one of the sharpest and most intelligent attorneys that I have ever worked with. Deirdre grasped the issues that we found very quickly, she understood our explanation of what occurred  in this case, and she clearly understood what questions needed to be asked of the Investigator for the state of Missouri. Below are the contact details for Deirdre O’Donnell:

Deirdre O’Donnell

Firm: Phillips, McElyea, Carpenter, & Welch, P.C.

Website: http://www.pmcwlaw.com

Phone Number: (573) 346-7231

Address: 85 Court Circle N.W., Camdenton, MO. 65020

After RMRI, Inc. heard the State’s Investigator testify, analyzed the discovery evidence, and then worked with Deirdre a little on going over what had occurred on the defendant’s computer, Deirdre decided to depose the State’s Investigator. RMRI, Inc. worked with Deirdre on some of the more technical questions that she would ask the State’s Investigator during deposition, and Deirdre already had a comprehensive understanding of the issues that we wanted to find out more about in deposition, but RMRI, Inc.’s Technical Expert wanted to make sure that Deirdre was armed with all of the questions necessary to give us a complete understanding of what lead the State’s Investigator to apply for charges against the defendant in this case.

Deirdre O’Donnell spent countless hours preparing for this deposition, and she went into the deposition and started asking key questions of the State’s Investigator as to what he believed happened on the defendant’s computer, and why he believed as he did. The State’s Investigator had enough integrity and honor to admit shortly into the deposition that he did not have a complete understanding of how to conduct a forensic examination at the time of his testimony because he had only had the basic computer forensics course at that time; since his testimony he had taken an intermediary computer forensics course and has come to understand that some of what he testified to may not have been completely accurate. At this point in time the Prosecuting Attorney “nollied” (dismissed)  the case against the defendant. The State’s Investigator and the Prosecuting Attorney showed a tremendous amount of integrity and honor once they came to an accurate understanding of what had occurred in this case.

Deirdre O’Donnell fought intelligently and passionately for her client. Deirdre worked this case in the most effective way possible and achieved the best possible outcome on this case. It takes a lot of work to convince a Prosecutor that he or she should drop charges and not proceed to trial. The Defense Attorney has to be able to clearly convince the Prosecutor that a crime was not committed; and Deirdre did that perfectly! God forbid, but if I ever have legal problem in the Camdenton, MO. area the ONLY attorney I would hire in that part of Missouri would be Deirdre O’Donnell!

Cyber-Investigations For The Defense: Fair Discovery?

leave a comment »

Last week the Missouri Lawyer’s Media did an article on a discovery issue that Prosecutors, Defense Attorneys, and Investigators have been wrestling with for a while now. In this article I was quoted by the reporter that interviewed me for this article. I wanted to take some time and elaborate a little further on my position in regards to this issue. First I’d like to present to you a copy of the article. I snipped the full article, but cropped out the other articles that were mentioned in this Trade Journal. Below is the entire article:

Lawyers Weekly Article with Rick Gurley 1

Lawyers Weekly Article with Rick Gurley 2

 

 

 

 

 

 

 

 

 

 

 

 

 

First of all I should state that I know some of the members of our Local Internet Crimes Task Force, and the ones that I know are good and honest people. I do trust the members of our local Internet Crimes Task Force and I don’t think they would ever do anything intentional that might send an innocent person to prison. I should caution anyone reading this that attempting to gain access to the hard drive of the investigating agency’s computer should not be the first course of action by the defense, a Digital Forensic’s Expert should first read the reports written by the Investigating Officer’s to try to determine if there is any cause to try to gain access to the investigating agency’s hard drive; often times there is no cause to do so. I should also state that I am not an attorney but I think it is also fair to state that most of the attorneys mentioned in this article are not Digital Forensics Experts either; and certainly not Merilee Crockett as evidenced by some of her statements in this article.  The first quote from Merilee Crockett that I noticed was this:

A lot of people believe that once something is on a hard drive it is there forever. That’s a myth. There are no layers. It’s either there or it is not.

Well in essence that is true, but it is also over-simplistic. What is important to remember here in these types of cases is that we are dealing with Digital Evidence, and there is nothing simple about Digital Evidence. When someone tries to over-simplify how data on a computer is stored, over-written, or deleted there are a lot of key issues that get lost in the translation from complex to simple. First of all let me explain data deletion. When a file is “deleted” as the layman may believe, the file is not actually deleted initially, instead it is simply no longer linked to a “file tree” on the computer. The file is still on the computer for the time being until another file is saved and the space where that old file is at is reallocated for the new file, and then the old file gets overwritten. So often Digital Forensics Experts will say something like this to a layman as an example:

Nothing is ever deleted from a computer, it is overwritten. Think of the data on a computer as layers of information, and think of computer forensic software as a tool that can lift these layers of data to expose what you thought was once “deleted”.

Now one must understand that this quote is usually being made from a Digital Forensics Expert trying to explain data storage and deletion to a layman. This too is also an over-simplification of how data is stored, overwritten, and deleted. The difference is that what Merilee Crockett is saying here is for the purpose of trying to give an excuse as to why the defense should be hampered in discovery by limiting what can be key and important information that the defense needs, while all the Digital Forensics Expert is trying to do is give a layman an idea of what to expect in a Computer Forensic Examination. What may be the most accurate way to explain what happens is through this illustration listed below that was provided to me by a well known, and world renowned Digital Forensics Examiners and close associate of mine; Brian Ingram

Hard Drive Data Illustration by Brian Ingram

How many computer novices and laymen do you think would completely understand that illustration above? There is one thing that is clear, if there is a file that occupies a portion of a cluster on a hard drive, then there is room for data from another file on the portion of that cluster that is not occupied, that portion of the cluster that is not occupied is called “File Slack“; and it is not only possible but also likely that a completely different file may occupy this same cluster in the unused portion of this cluster or the “File Slack”. This is a completely accurate illustration of the example that Digital Experts are trying to give laymen when they explain how data is overwritten and they use an example involving “layers of data”. And if you look at the example carefully, and read closely you will see that Merilee Crockett did actually simplify this issue to the point that some key issues on how data is recovered from a hard drive are lost in her “translation” of how data is stored, over-written, and deleted from a hard drive.

There is a reason that I gave the example of how an over-simplified interpretation of an issue such as what we are addressing here can be harmful. Prosecutors typically want to try to limit as much as they can with regard to discovery in a criminal case; but I should also say that there are a few Prosecutors that also believe in “Open Discovery” and Full Disclosure. There is nothing wrong with that, the defense also does the same thing. This is a good example of attorneys doing their jobs. But when a Prosecutor tries to limit evidence that can be exculpatory to the defendant; they start to breach a more sinister area resulting in a denial of justice to the defendant. As any good attorney knows this at the very least may border on what is known as a “Brady Violation”.

One of the key points that the prosecution tries to make when arguing against the defense looking at the hard drive from the Law Enforcement Agency that conducted the forensic examination on a defendant’s hard drive is that the hard drive from the Law Enforcement Agency’s computer will contain sensitive case information from other cases.  If you read what Merilee Crockett has to say in this article, she proposes the same argument:

The hard drive contains chats from ongoing investigations. It has names of potential suspects never charged with crimes. It has the photos and names of underage personas used by undercover investigators, which a disgruntled defendant could easily post online. Defense attorneys can’t prevent that from happening. They have an ethical obligation to give the client everything they can

That sounds like a good argument; doesn’t it? I’d say that if I did not know what I know about Digital Forensics, encryption, and how to safely store data I’d agree with that as a good reason NOT to have to hand over the hard drive from the Law Enforcement Agency’s computer. But the problem with this argument is that the whole issue of exposing such sensitive case information to Defense Investigators is that there are a number of remedies that can be applied here. A digital image can be transferred to a hard drive and check-summed to show that it is a true bit image of the original hard drive from the defendant and all of the notes and other such pertinent information that is gathered in the course of the investigation of the specific case in question can also be transferred to that same hard drive; thereby consolidating the case information generated from the Law Enforcement investigation onto one hard drive for the Defense Investigator and keeping all of the other non-pertinent sensitive case information protected. Encryption could also be used on the hard drive belonging to the Law Enforcement Agency to limit what is viewed to only the pertinent data that applies to the case at hand. Under the Adam Walsh Child Protection Safety Act the Defense Investigator has to view the evidence at the Law Enforcement Agency’s facility, so a Law Enforcement Officer can easily sit down and decrypt the section or sections of the hard drive that needs to be examined by the Defense Investigator, thereby protecting all of the non-pertinent sensitive case information on the hard drive in question. The court can also impose orders that limit what the Defense Investigator can discuss with the Defense Attorney and their client to only case related material. There should also be multiple computers that are being used by the Law Enforcement Agency tasked with these types of investigations that have specific purposes; for example the computer that is being used to image and analyze the defendant’s hard drive should be a stand alone computer, not attached to the Internet in any way, that has all wireless adapters turned off this way there is a minimal chance of any evidence corruption issues. The computer that is used to chat with potential offenders should also have that one specific purpose; this way with the use of encryption all chat logs for a specific case can be freely examined by the defense in these types of cases. Are some of these methods labor intensive? Sure, but we are discussing a criminal case in which there is a possibility that a person can be wrongly accused, sent to prison, put on a sex offender registry for the rest of their life, and have their entire life negatively impacted as a result; isn’t doing everything we can to eliminate that possibility worth a little more work? There are ways around this issue; IF the concern here is a level playing field for the defense?

There are always questions in these cases when it comes to best practices in the forensic analysis of the defendant’s computer, evidence preservation and storage, and evidence spoliation issues. Often times these issues are insignificant enough that the chance of them presenting a problem in a case are so unlikely that they don’t warrant any consideration. I am not saying that I don’t trust that Law Enforcement is dong the best they can to make sure that their evidence is correct, but I am saying that it is real easy to make a mistake in cases that involve digital evidence. However when these questions rise to a level of concern to cause a realistic possibility that they could impede a defendant’s right to a fair trial; if the Defense’s expert can clearly articulate the reason for that concern the court should weigh the defendant’s right to a fair trial against the possibility that the investigating agency may have to expose some of it’s sensitive data to the Defense team. In my personal opinion; if you are looking at sending a man to prison for ten (10) years, then his right to a fair trial trumps a risk of exposure of sensitive data from the investigating agency’s computer.

There are a number of questions that the Defense Investigator should be trying to answer when looking over the discovery material from the prosecution.

(1) Was the computer that was used to conduct the Digital Forensic Examination attached to the Internet?

(2) What digital forensic software was used to conduct the examination with?

(3) Was there a virus scanner used by the investigating agency to see if the defendant’s hard drive may have a virus, Trojan, or some other type of malware that could have caused any content to be downloaded to the defendant’s computer without the defendant’s knowledge? If so, what virus scanner was used, what version, was it updated, and are there any known vulnerabilities associated with the virus scanner?

(4) Are there any anti-forensic tools on the investigating agency’s computer? If there are; why are they there?

These are only a small sampling of the questions that the Defense Investigator should be asking and trying to answer by reading the discovery material. If enough of these questions are answered in such a way that they give the Defense Investigator clear concerns that may need to be further examined, then it may be necessary to ask for the hard drive from the investigating agency’s computer. The Defense Investigator should be able clearly articulate these concerns to the court and explain the impact that they may have on the evidence. If the court finds that the Defense Investigator gave a reasonable accounting to the court of his or her concerns, and the court is convinced that these concerns are realistic; then perhaps it is not such a bad thing that the Defense Investigator is given what he or she needs to further explore these concerns instead of having to be forced to trust a detective that may not even know if he or she made a mistake in how they gathered and handled the case evidence?

I have noted that Merilee Crockett has compared handing over the hard drive from the investigating agency’s computer in cases that involve digital evidence to handing over a breathalyzer machine. One difference to note in these two examples is that with regard to digital evidence, usually the defense gets a copy of a detailed report from the investigating agency that outlines their computer examination in fair detail. With breathalyzer tests, there is less detail, and less tools and procedures for the Law Enforcement Officer to detail in his or her report, thus short of a fishing expedition there usually is not enough information to articulate a need to examine the breathalyzer machine source code. In People v. Cialino, 831 N.Y.S.2nd 680, 681 (Crim. Ct. 2007) the court did not deny access to the breathalyzer source code because it was not significant to the case; the court denied access to the breathalyzer because the defense could not clearly articulate why access to the breathalyzer source code was significant to the case; this can be seen in the language the court used when the court first called the defendant’s request a “fishing expedition” but then went on to say “it is incumbent on the defendant to show that a software change has altered the reliability and accuracy of the machine” and the court said that the defendant had not provided a reasonable basis that changes in the software of the Intoxilyzer 5000 had caused it to become unreliable. So the court left the door open for the examination of the source code of the breathalyzer machine in question, but it required a clear articulation as to why it would be reasonable for the defense should be permitted to examine the source code. In cases involving digital evidence that is gathered from imaging a hard drive, the investigative agency’s digital forensic analysis report will usually allow the Defense Investigator more information on the software used, processes used, and evidence interpretations made by the Detective to form any questions that might be pertinent to the case and research these questions to see if there may be good cause and NOT just a “fishing expedition” to ask for the hard drive from the investigating agency’s computer.

In summary; I am not saying that in every case the defense should have access to the investigating agency’s computer hard drive. What I am saying is that the courts should try to be open to seriously considering any request by the defense to examine the investigating agency’s hard drive if the defense can clearly articulate a need to do so. In my mind the whole issue comes down to a balancing act; the court should balance the defendant’s right to a fair trial against the need for Law Enforcement to keep sensitive case information confidential; once a clear articulation is made by the defense that demonstrates that there are reasonable issues that need to be explored by the defense in order to defend the defendant against any evidence corruption issues that may negatively impact the defendant’s right to a fair trial.

Ricky B. Gurley

Net Tools 5.0; One Of The Best FREE Internet Investigation Tools On The Net!

leave a comment »

I was looking to update my “arsenal” of software to conduct some of the investigations that I usually conduct for clients. Of course I found the “old usuals” like Sam Spade and a few other ancient tools. Don’t read into the terms I just used the wrong way, Sam Spade was really good in its time and is still very useful today; but things have changed a bit in regards to how the Internet works now and how it worked only ten years ago.  I like real robust tools that work dependably and give accurate results.

So in my quest for an updated, robust, and comprehensive tool for conducting various Internet Investigations such as Internet Profiling, Email Tracing, Security Scanning and other services that my company offers to select clients; I was surprised to find a tool matching my description of current, robust, and comprehensive being offered for FREE! Of course I would not have known how useful and comprehensive this tool would turn out to be until I tested it. So I downloaded the tool and started putting it through various tests to see how well it performed. I was surprised at the sheer volume of tools that could be found inside of this piece of software. I was even more surprised when I saw how well all the tools in this piece of software worked.

Net Tools 5.0 turned out to be one of the best, most versatile, comprehensive, and diverse pieces of software that I have used in a long time. Net Tools 5.0 has far too many tools to list here; but it really does live up to the name “multipurpose”!

Below is a screenshot of just a few of the tools that come with Net Tools 5.o:

Net Tools 5.0 Tools Menu

Net Tools 5.0 has many applications that are useful for anything from Internet Profiling, Email Tracing,  Internet Searching (Try The “Power Of Google” Tool For Deep Web Searches for Confidential and Classified Documents), to even analysing your own computer for problems.

If you are a Private Investigator and a portion of your work is Computer or Internet Based, this is one tool that I HIGHLY recommend!

Written by Rick Gurley

March 20, 2011 at 3:46 PM

%d bloggers like this: