RMRI, LLC.'s Blog

Private Investigations Blog


Working A Good Case With Good People


In late 2011 RMRI, Inc. was called upon to review a case in Camdenton, MO. The case involved a young man who had three illegal files on his computer. The state of Missouri Family Services Division has what is known as a “Stat Team”; this is the team of Investigators that conducts technical investigations for the Division of Family Services. The “Stat Team” conducts Computer Forensics Examinations in cases where there may be a complaint of sexual abuse in the family home. If the “Stat Team” Investigator finds illegal content on the computer being examined, that Investigator can refer the case for prosecution.

In the case RMRI, Inc. was contacted about, the Missouri “Stat Team” found three images of an illegal nature on the defendant’s computer. Oftentimes RMRI, Inc. is called in by the defense attorney to consult on these types of cases. Because cases of this kind are so technical, the Defense Attorney often wants an expert to explain exactly what occurred on the defendant’s computer that resulted in the charges, to interpret the evidence (which usually consists of a good deal of technical jargon), and to see whether the Investigator made any statements indicating that he or she did not correctly interpret the evidence. RMRI, Inc. has some of the best expert witnesses in the state of Missouri for cases involving almost all manners of digital evidence. RMRI, Inc. has a “Technical Team” of two experts with a combined fifty years of experience in everything from software development and programming, source code analysis, virus and malware defense and protection, computer repair, file recovery, computer security consulting, and forensic acquisition techniques.

When RMRI, Inc. is first called in to consult on a case of this nature, the first thing we want to do is see all of the discovery. We want to see the report from the Investigator who did the forensic analysis of the computer in question, any deposition material where the Investigators were deposed by the defense attorney, any interviews conducted with the defendant, and anything else the prosecution has provided that will give us an accurate picture of what caused the defendant to be charged. RMRI, Inc. also wants to be present for any testimony given by the Investigator who worked the case.

In the case we are discussing here, the testimony of the Investigator who conducted the computer forensics examination of the defendant’s computer gave us great pause as to whether he had correctly interpreted the evidence he found. The Investigator believed that the defendant had downloaded three illegal files to the computer for viewing. The reality of the case is that the defendant never even knew that these files resided on the computer. They were simply thumbnails residing in the temporary file section of the defendant’s computer, put there as a result of the defendant viewing a website, without the defendant even knowing that the website would place these thumbnail images on the computer as a result of viewing it. Through careful and methodical research RMRI, Inc. was able not only to understand what had occurred on the defendant’s computer but was also prepared to prove it.

The main figure in this case, the one who actually got the case dismissed at deposition without it ever going to trial, was the attorney. The attorney is Deirdre O’Donnell of Phillips, McElyea, Carpenter, & Welch, P.C., one of the sharpest and most intelligent attorneys I have ever worked with. Deirdre grasped the issues we found very quickly, she understood our explanation of what occurred in this case, and she clearly understood what questions needed to be asked of the Investigator for the state of Missouri. Below are the contact details for Deirdre O’Donnell:

Deirdre O’Donnell

Firm: Phillips, McElyea, Carpenter, & Welch, P.C.

Website: http://www.pmcwlaw.com

Phone Number: (573) 346-7231

Address: 85 Court Circle N.W., Camdenton, MO. 65020

After RMRI, Inc. heard the State’s Investigator testify, analyzed the discovery evidence, and went over with Deirdre what had occurred on the defendant’s computer, Deirdre decided to depose the State’s Investigator. RMRI, Inc. worked with Deirdre on some of the more technical questions she would ask the State’s Investigator during deposition. Deirdre already had a comprehensive understanding of the issues we wanted to find out more about in deposition, but RMRI, Inc.’s Technical Expert wanted to make sure that Deirdre was armed with all of the questions necessary to give us a complete understanding of what led the State’s Investigator to apply for charges against the defendant in this case.

Deirdre O’Donnell spent countless hours preparing for this deposition, and she went in and started asking key questions of the State’s Investigator as to what he believed happened on the defendant’s computer, and why he believed as he did. The State’s Investigator had enough integrity and honor to admit shortly into the deposition that he did not have a complete understanding of how to conduct a forensic examination at the time of his testimony, because he had only taken the basic computer forensics course at that time; since his testimony he had taken an intermediate computer forensics course and had come to understand that some of what he testified to may not have been completely accurate. At this point the Prosecuting Attorney “nollied” (dismissed) the case against the defendant. The State’s Investigator and the Prosecuting Attorney showed a tremendous amount of integrity and honor once they came to an accurate understanding of what had occurred in this case.

Deirdre O’Donnell fought intelligently and passionately for her client. Deirdre worked this case in the most effective way possible and achieved the best possible outcome. It takes a lot of work to convince a Prosecutor that he or she should drop charges and not proceed to trial. The Defense Attorney has to be able to clearly convince the Prosecutor that a crime was not committed, and Deirdre did that perfectly! God forbid, but if I ever have a legal problem in the Camdenton, MO. area, the ONLY attorney I would hire in that part of Missouri would be Deirdre O’Donnell!

Cyber-Investigations For The Defense: Fair Discovery?


Last week the Missouri Lawyer’s Media did an article on a discovery issue that Prosecutors, Defense Attorneys, and Investigators have been wrestling with for a while now. I was quoted in the article by the reporter who interviewed me. I wanted to take some time and elaborate a little further on my position on this issue. First I’d like to present a copy of the article. I snipped the full article, but cropped out the other articles that were mentioned in this Trade Journal. Below is the entire article:

Lawyers Weekly Article with Rick Gurley 1

Lawyers Weekly Article with Rick Gurley 2

First of all I should state that I know some of the members of our local Internet Crimes Task Force, and the ones I know are good and honest people. I do trust the members of our local Internet Crimes Task Force, and I don’t think they would ever do anything intentional that might send an innocent person to prison. I should caution anyone reading this that attempting to gain access to the hard drive of the investigating agency’s computer should not be the first course of action by the defense; a Digital Forensics Expert should first read the reports written by the Investigating Officers to determine whether there is any cause to try to gain access to the investigating agency’s hard drive, and often there is no cause to do so. I should also state that I am not an attorney, but I think it is also fair to state that most of the attorneys mentioned in this article are not Digital Forensics Experts either, and certainly not Merilee Crockett, as evidenced by some of her statements in this article. The first quote from Merilee Crockett that I noticed was this:

A lot of people believe that once something is on a hard drive it is there forever. That’s a myth. There are no layers. It’s either there or it is not.

Well, in essence that is true, but it is also over-simplistic. What is important to remember in these types of cases is that we are dealing with Digital Evidence, and there is nothing simple about Digital Evidence. When someone tries to over-simplify how data on a computer is stored, overwritten, or deleted, a lot of key issues get lost in the translation from complex to simple. First of all let me explain data deletion. When a file is “deleted”, as the layman understands it, the file is not actually deleted initially; instead it is simply no longer linked to a “file tree” on the computer. The file is still on the computer until another file is saved, the space where the old file sits is reallocated for the new file, and the old file gets overwritten. So Digital Forensics Experts will often say something like this to a layman as an example:

Nothing is ever deleted from a computer, it is overwritten. Think of the data on a computer as layers of information, and think of computer forensic software as a tool that can lift these layers of data to expose what you thought was once “deleted”.

Now one must understand that this quote is usually made by a Digital Forensics Expert trying to explain data storage and deletion to a layman. This too is an over-simplification of how data is stored, overwritten, and deleted. The difference is that what Merilee Crockett is saying is meant to give an excuse as to why the defense should be hampered in discovery, by limiting what can be key and important information that the defense needs, while all the Digital Forensics Expert is trying to do is give a layman an idea of what to expect in a Computer Forensic Examination. What may be the most accurate way to explain what happens is the illustration below, which was provided to me by a well known and world renowned Digital Forensics Examiner and close associate of mine, Brian Ingram:

Hard Drive Data Illustration by Brian Ingram

How many computer novices and laymen do you think would completely understand the illustration above? One thing is clear: if a file occupies only a portion of a cluster on a hard drive, then the portion of that cluster it does not occupy is called “File Slack”, and it is not only possible but likely that data from a completely different file still sits in that unused portion of the cluster, the “File Slack”. This is a completely accurate illustration of the example that Digital Forensics Experts are trying to give laymen when they explain how data is overwritten using the “layers of data” analogy. And if you look at the example carefully and read closely, you will see that Merilee Crockett did in fact simplify this issue to the point that some key issues about how data is recovered from a hard drive are lost in her “translation” of how data is stored, overwritten, and deleted from a hard drive.
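To make the file slack point concrete, here is a small added example (my own illustration, not part of the article or of Brian Ingram’s diagram): a toy cluster-based disk in which “delete” only unlinks the directory entry, a later, smaller file reuses the cluster, and the tail of the old file survives in the new file’s slack. Cluster size, file names and contents are constructed for the demonstration.

```python
"""
Added example, not part of the original post: a toy cluster-based disk that
shows what "deleted" data, overwriting and "file slack" look like at the raw
byte level. Sizes and file contents are constructed for the demonstration.
"""
CLUSTER_SIZE = 16   # bytes per cluster (tiny so the output is readable)
NUM_CLUSTERS = 8


class ToyDisk:
    """Directory table plus raw clusters. Delete only unlinks the directory entry."""

    def __init__(self):
        self.raw = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)  # zero-filled, like a wiped drive
        self.directory = {}                                 # name -> (clusters, size)
        self.free = list(range(NUM_CLUSTERS))

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)              # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters, self.free = self.free[:needed], self.free[needed:]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only the bytes the file needs are written; the tail of the last
            # cluster (the file slack) keeps whatever was there before.
            self.raw[start:start + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def delete(self, name):
        clusters, _ = self.directory.pop(name)
        self.free = sorted(self.free + clusters)            # raw bytes are not touched

    def read(self, name):
        clusters, size = self.directory[name]
        data = b"".join(self.raw[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] for c in clusters)
        return data[:size]

    def slack(self, name):
        """Bytes in the file's last cluster that the file itself does not use."""
        clusters, size = self.directory[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
        last = clusters[-1] * CLUSTER_SIZE
        return bytes(self.raw[last + used_in_last:last + CLUSTER_SIZE])

    def carve(self, marker):
        """Scan the raw clusters for a signature, ignoring the directory entirely."""
        return [i for i in range(len(self.raw)) if self.raw.startswith(marker, i)]


def demo():
    disk = ToyDisk()
    disk.write("photo.jpg", b"IMAGE-HEADER-OLD" + b"FLAG-SECRET-DATA")  # 32 bytes, 2 clusters
    disk.delete("photo.jpg")                        # entry unlinked, clusters marked free
    disk.write("notes.txt", b"short note")          # 10 bytes reuse the first cluster
    return {
        "notes": disk.read("notes.txt"),            # what the user sees: b"short note"
        "slack": disk.slack("notes.txt"),           # b"ER-OLD": tail of the deleted file
        "carved": disk.carve(b"FLAG"),              # [16]: old data intact in cluster 1
        "photo_listed": "photo.jpg" in disk.directory,  # False: gone from the "file tree"
    }
```

Reading `notes.txt` through the directory returns only the ten bytes the user wrote, while a raw scan of the same clusters still finds the deleted photo’s data both in the slack and in the never-reused second cluster.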

There is a reason I gave the example of how an over-simplified interpretation of an issue such as the one we are addressing here can be harmful. Prosecutors typically want to limit discovery in a criminal case as much as they can, though I should also say that there are a few Prosecutors who believe in “Open Discovery” and Full Disclosure. There is nothing wrong with that; the defense does the same thing. This is a good example of attorneys doing their jobs. But when a Prosecutor tries to limit evidence that can be exculpatory to the defendant, they start to breach a more sinister area, resulting in a denial of justice to the defendant. As any good attorney knows, this at the very least may border on what is known as a “Brady Violation”.

One of the key points the prosecution makes when arguing against the defense looking at the hard drive from the Law Enforcement Agency that conducted the forensic examination of a defendant’s hard drive is that the Law Enforcement Agency’s hard drive will contain sensitive case information from other cases. If you read what Merilee Crockett has to say in this article, she proposes the same argument:

The hard drive contains chats from ongoing investigations. It has names of potential suspects never charged with crimes. It has the photos and names of underage personas used by undercover investigators, which a disgruntled defendant could easily post online. Defense attorneys can’t prevent that from happening. They have an ethical obligation to give the client everything they can.

That sounds like a good argument, doesn’t it? I’d say that if I did not know what I know about Digital Forensics, encryption, and how to safely store data, I’d agree that it is a good reason NOT to have to hand over the hard drive from the Law Enforcement Agency’s computer. But the problem with this argument is that there are a number of remedies for the issue of exposing sensitive case information to Defense Investigators. A digital image can be transferred to a hard drive and check-summed to show that it is a true bit image of the original hard drive from the defendant, and all of the notes and other pertinent information gathered in the course of the investigation of the specific case in question can be transferred to that same hard drive, thereby consolidating the case information generated from the Law Enforcement investigation onto one hard drive for the Defense Investigator and keeping all of the other non-pertinent sensitive case information protected. Encryption could also be used on the hard drive belonging to the Law Enforcement Agency to limit what is viewed to only the data that applies to the case at hand. Under the Adam Walsh Child Protection Safety Act the Defense Investigator has to view the evidence at the Law Enforcement Agency’s facility, so a Law Enforcement Officer can easily sit down and decrypt only the section or sections of the hard drive that need to be examined by the Defense Investigator, thereby protecting all of the non-pertinent sensitive case information on the hard drive. The court can also impose orders that limit what the Defense Investigator can discuss with the Defense Attorney and their client to case related material only.

There should also be multiple computers, each with a specific purpose, in use by the Law Enforcement Agency tasked with these types of investigations. For example, the computer used to image and analyze the defendant’s hard drive should be a stand-alone computer, not attached to the Internet in any way and with all wireless adapters turned off, so that there is minimal chance of any evidence corruption issues. The computer used to chat with potential offenders should likewise have that one specific purpose; this way, with the use of encryption, all chat logs for a specific case can be freely examined by the defense in these types of cases. Are some of these methods labor intensive? Sure, but we are discussing a criminal case in which there is a possibility that a person can be wrongly accused, sent to prison, put on a sex offender registry for the rest of their life, and have their entire life negatively impacted as a result; isn’t doing everything we can to eliminate that possibility worth a little more work? There are ways around this issue, IF the concern here is a level playing field for the defense.
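The check-summed image described above can be verified by anyone with the original hash, and a per-block hash list also tells you where a copy diverges rather than just that it does. The following is an added example of my own (not the article’s, and not tied to any particular forensic tool): it writes a constructed three-block “image”, one faithful copy and one copy with a single flipped bit to temporary files, then compares them.

```python
"""
Added example, not part of the original post: check that a copy of a forensic
image is a bit-for-bit match of the original and, if not, localize which
blocks differ. The "images" are constructed byte strings written to temp files.
"""
import hashlib
import os
import tempfile

BLOCK = 4096   # hash granularity (sector-aligned blocks are common in practice)


def block_hashes(path, block=BLOCK):
    """Return (whole-image SHA-256, list of per-block SHA-256 digests)."""
    whole = hashlib.sha256()
    per_block = []
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            whole.update(chunk)
            per_block.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), per_block


def verify_copy(original, copy, block=BLOCK):
    """Return (match, mismatching block indexes); only hashes are needed, no forensic suite."""
    whole_a, blocks_a = block_hashes(original, block)
    whole_b, blocks_b = block_hashes(copy, block)
    if whole_a == whole_b:
        return True, []
    bad = [i for i, (a, b) in enumerate(zip(blocks_a, blocks_b)) if a != b]
    # A size difference shows up as blocks that exist on one side only.
    bad += list(range(min(len(blocks_a), len(blocks_b)), max(len(blocks_a), len(blocks_b))))
    return False, bad


def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed 3-block image, one faithful copy and one copy with a single flipped bit."""
    image = bytes(range(256)) * 48                  # 12288 bytes = 3 blocks of 4096
    tampered = bytearray(image)
    tampered[5000] ^= 0x01                          # offset 5000 lies in block 1
    with tempfile.TemporaryDirectory() as d:
        orig, good, bad = (os.path.join(d, n) for n in ("evidence.dd", "good.dd", "bad.dd"))
        write_file(orig, image)
        write_file(good, image)
        write_file(bad, bytes(tampered))
        return verify_copy(orig, good), verify_copy(orig, bad)
```

The faithful copy verifies with no mismatches; the altered copy fails and reports block 1 as the only block that differs, which is the kind of specific finding a Defense Investigator can articulate to the court.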

There are always questions in these cases when it comes to best practices in the forensic analysis of the defendant’s computer, evidence preservation and storage, and evidence spoliation issues. Often these issues are insignificant enough, and the chance of them presenting a problem in a case so small, that they don’t warrant any consideration. I am not saying that I don’t trust that Law Enforcement is doing the best they can to make sure their evidence is correct, but I am saying that it is very easy to make a mistake in cases that involve digital evidence. However, when these questions rise to a level of concern that creates a realistic possibility of impeding a defendant’s right to a fair trial, and the Defense’s expert can clearly articulate the reason for that concern, the court should weigh the defendant’s right to a fair trial against the possibility that the investigating agency may have to expose some of its sensitive data to the Defense team. In my personal opinion, if you are looking at sending a man to prison for ten (10) years, then his right to a fair trial trumps the risk of exposure of sensitive data from the investigating agency’s computer.

There are a number of questions that the Defense Investigator should be trying to answer when looking over the discovery material from the prosecution.

(1) Was the computer that was used to conduct the Digital Forensic Examination attached to the Internet?

(2) What digital forensic software was used to conduct the examination with?

(3) Was there a virus scanner used by the investigating agency to see if the defendant’s hard drive may have a virus, Trojan, or some other type of malware that could have caused any content to be downloaded to the defendant’s computer without the defendant’s knowledge? If so, what virus scanner was used, what version, was it updated, and are there any known vulnerabilities associated with the virus scanner?

(4) Are there any anti-forensic tools on the investigating agency’s computer? If there are; why are they there?

These are only a small sampling of the questions the Defense Investigator should be asking and trying to answer by reading the discovery material. If enough of these questions are answered in a way that gives the Defense Investigator clear concerns that need further examination, then it may be necessary to ask for the hard drive from the investigating agency’s computer. The Defense Investigator should be able to clearly articulate these concerns to the court and explain the impact they may have on the evidence. If the court finds that the Defense Investigator gave a reasonable accounting of his or her concerns, and the court is convinced that these concerns are realistic, then perhaps it is not such a bad thing that the Defense Investigator is given what he or she needs to further explore them, instead of being forced to trust a detective who may not even know whether he or she made a mistake in how the case evidence was gathered and handled.

I have noted that Merilee Crockett has compared handing over the hard drive from the investigating agency’s computer in cases involving digital evidence to handing over a breathalyzer machine. One difference between these two examples is that with digital evidence the defense usually gets a copy of a detailed report from the investigating agency that outlines their computer examination in fair detail. With breathalyzer tests there is less detail, and fewer tools and procedures for the Law Enforcement Officer to describe in his or her report, so short of a fishing expedition there usually is not enough information to articulate a need to examine the breathalyzer machine’s source code. In People v. Cialino, 831 N.Y.S.2d 680, 681 (Crim. Ct. 2007) the court did not deny access to the breathalyzer source code because it was insignificant to the case; the court denied access because the defense could not clearly articulate why access to the source code was significant to the case. This can be seen in the language the court used: it first called the defendant’s request a “fishing expedition” but then went on to say “it is incumbent on the defendant to show that a software change has altered the reliability and accuracy of the machine”, and it said that the defendant had not provided a reasonable basis that changes in the software of the Intoxilyzer 5000 had caused it to become unreliable. So the court left the door open to examination of the source code of the breathalyzer machine in question, but it required a clear articulation of why the defense should be permitted to examine the source code.
In cases involving digital evidence gathered by imaging a hard drive, the investigating agency’s digital forensic analysis report will usually give the Defense Investigator more information on the software used, the processes used, and the evidence interpretations made by the Detective, enough to form any questions that might be pertinent to the case and to research those questions to see whether there is good cause, and NOT just a “fishing expedition”, to ask for the hard drive from the investigating agency’s computer.

In summary, I am not saying that in every case the defense should have access to the investigating agency’s computer hard drive. What I am saying is that the courts should be open to seriously considering any request by the defense to examine the investigating agency’s hard drive if the defense can clearly articulate a need to do so. In my mind the whole issue comes down to a balancing act: once the defense has clearly articulated that there are reasonable issues it needs to explore in order to defend the defendant against evidence corruption issues that may negatively impact the right to a fair trial, the court should balance the defendant’s right to a fair trial against the need for Law Enforcement to keep sensitive case information confidential.

Ricky B. Gurley
