
Forensics in the Spotlight — A Look at Context

Senior Director, Digital Forensic & E-Discovery
BS, EnCE, DFCP

Justin Ross Harris left his son in his SUV for seven hours on June 18, 2014 in the sweltering Georgia heat. The tragic end result was the death of 22-month-old Cooper Harris. The father’s story was that it was an accident and he forgot his son was in the car. When he realized that his son was left in the car, witnesses to the scene described him as emotionally distraught and needing to be restrained.

It is reported that during interviews the father admitted to researching child deaths in vehicles on the internet, including the temperatures needed for such a death to occur. As a result, law enforcement filed search warrants to seize his computers, cell phones and other electronic devices. Let the analysis begin…

Initial reports are that law enforcement did find evidence of the very searches that Harris admitted to in an interview. But the key question here is: when did those searches occur? There could be other issues too, which we will get into in a moment. The main point I want to make in this blog post is that when it comes to electronic evidence, it isn’t just that the evidence exists; it is the context surrounding that evidence that matters most. Let’s explain.

The father admitted that he performed these searches. Well, what if he hadn’t made that confession, which is often the case? When internet searches are left behind on a computer, they are usually left behind along with a record of which user account performed the search. Was the user account “guest”, “administrator”, “owner”? Or was it something more descriptive such as “Justin” or “Leanna” (the mother of the child)?

Let’s take it a step further. Let’s say it was the “Justin” account. Was that the only account on the computer? If so, one can reasonably assume that anyone who used the computer used that account. Maybe the password was known to everyone in the house? Again, the “Justin” account might be incriminating on the surface, but further analysis might show that its relevance is diminished by any number of factors. Or, just as importantly, searches performed by the “Justin” account might be highly relevant if electronic evidence shows that the owner was the only person who used the computer or the only person who knew the password. Either way, you want the facts in order to properly defend your client.

Vestige worked a matter years ago involving incriminating electronic evidence on a client’s computer. Contraband was found and the client was indicted. Analysis indicated that there were multiple accounts on the computer, which corresponded to the fact that the defendant had multiple people living with him over time. Further analysis indicated that while most of the contraband existed under the defendant’s account, some of it existed under other user accounts on the computer. As a result, counsel was able to negotiate a reduced sentence for his client.

Of equal or greater importance is time. When did the search occur? It is one thing if the father searched after the tragic accident. It is quite another if the searches were conducted before it. Research beforehand could be used by a prosecutor to argue that the accident was not an accident at all but a premeditated murder. To many of you out there, this analysis is old school. So, let’s take it a step further. What if you had other electronic evidence showing that the father was out of town on certain days, or time cards showing when the father was at work? Now the timing of the searches can be compared against computer forensic evidence of his whereabouts to indicate whether the father was even present when the searches occurred, regardless of which account conducted the search or whether the searches happened before or after the accident.

One of the devices seized was a laptop, which is a mobile device. Allegations can be made that even if the father was out of town, he may have had that laptop with him. In order for those searches to be performed, however, the computer would need to have had internet access. Analysis can be performed to determine the wireless networks to which the laptop was attached and, sometimes, when that occurred. That information can help prove whether the computer went traveling or stayed at home.

Law enforcement also seized an iPhone. Was the iPhone tethered to the laptop, allowing the laptop to access the internet, and when did that occur relative to the searches? Was the iPhone itself used to conduct internet searches, send chats or generate other relevant information? Finally, back to the laptop and desktop: what other searches were conducted, and when? Searches on handling depression? Maybe being the father of a 22-month-old was too much pressure and he needed help?
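As an added illustration (not part of the original post, with every input constructed), the Python sketch below builds the kind of context table these paragraphs describe: each recovered search is tagged with its user account, whether the system had only one account, whether it predates the incident, whether independent records place the account owner away at that time, and which wireless network the laptop had most recently joined. All names, timestamps and SSIDs are placeholders.

```python
from bisect import bisect_right
from datetime import datetime, timezone

# Constructed sample inputs (not from the actual case). Browser-history rows
# as a forensic tool might export them: (UTC timestamp, user account, query).
SEARCHES = [
    ("2014-06-10T21:15:00Z", "Justin", "constructed query A"),
    ("2014-06-14T13:40:00Z", "Justin", "constructed query B"),
    ("2014-06-19T02:05:00Z", "Leanna", "constructed query C"),
]
ACCOUNTS = ["Justin", "Leanna"]          # user accounts found on the system
INCIDENT = "2014-06-18T13:00:00Z"        # constructed placeholder time
# Intervals during which independent records (time cards, travel receipts)
# place an account's owner away from the home where the computer sat.
AWAY = {"Justin": [("2014-06-13T12:00:00Z", "2014-06-15T23:00:00Z")]}
# Wireless association log recovered from the laptop: (UTC timestamp, SSID).
WIFI = [("2014-06-09T08:00:00Z", "HomeNet"),
        ("2014-06-13T15:30:00Z", "HotelGuest"),
        ("2014-06-16T01:00:00Z", "HomeNet")]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def network_at(when, wifi_log):
    """SSID the laptop most recently joined at or before `when`, else None."""
    times = [ts(t) for t, _ in wifi_log]
    i = bisect_right(times, when)
    return wifi_log[i - 1][1] if i else None

def assess(search, incident, away, wifi_log, accounts):
    """Attach the context the article calls for to one search record."""
    when, account, query = ts(search[0]), search[1], search[2]
    return {
        "query": query,
        "account": account,
        # A lone account says little about who was at the keyboard.
        "sole_account_on_system": len(accounts) == 1,
        "relative_to_incident": "before" if when < ts(incident) else "after",
        "owner_documented_away": any(ts(a) <= when <= ts(b)
                                     for a, b in away.get(account, [])),
        "network_joined": network_at(when, wifi_log),
    }

def build_timeline(searches, incident, away, wifi_log, accounts):
    """Chronological context table for every recovered search."""
    ordered = sorted(searches, key=lambda s: ts(s[0]))
    return [assess(s, incident, away, wifi_log, accounts) for s in ordered]
```

Feeding real exports in would mean replacing the constructed lists with rows parsed from the browser history, the account list from the OS, and the wireless profile log, all normalized to UTC before comparison.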

There is a takeaway here for companies as well. Many small companies that we consult with share the same username and password across computers. When that happens, you can often throw out a lot of the context, because everyone uses the same account and it becomes very difficult to say who actually performed the internet search. That issue extends to all sorts of other artifacts, including who inserted a USB drive into a computer and stole your company files.

Another takeaway for corporations is that all of the above can be applied to employment issues. Is someone suing you for harassment or wrongful termination? What internet searches were they conducting? We recently performed an analysis on a computer in a non-compete matter and found that the departing employee had been searching for how to leave the company and for related issues around leaving to work for a competitor. Needless to say, that information can speak to the employee’s mindset before leaving and to whether they had any idea they were doing something wrong.

The point of all this is not to make your head swim with all of the digital forensic evidence that can be found. The point is that the context in which the electronic evidence is found can go miles toward establishing whether the evidence is exculpatory or incriminating.

A side note. It was also reported that the mother requested pictures of her son from the seized computers. Law enforcement denied the request, citing “chain of custody issues”. I don’t have all of the facts involved in making this decision, but of course I have an understanding of chain of custody with respect to computer evidence. To be honest, I’m puzzled as to what chain of custody issues there could be. If the computers have been forensically preserved, which would be step 1 in a case like this before any analysis, then files can be exported from that forensic image without any chain of custody issues whatsoever. But does the average lay person or attorney understand the technical aspects behind that argument? Likely not. All the more reason to consult with a forensic expert in these types of situations.

by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations