Computer Forensics for Criminal Defense
Digital Forensics for Criminal Defense has become a critical component for cases involving electronic evidence that is introduced by the government. More so than physical evidence, electronic evidence presents a multitude of variables that can impact the integrity and authenticity of the government’s evidence.
Electronic data is dynamic and susceptible to many variables before, during and after it has been collected and analyzed by the government. In some cases, these variables are ignored, neglected or undisclosed.
There’s more involved than merely reviewing and responding to the evidence introduced by the government. At IT Acceleration, we use a six-step process to identify gaps in the investigation and determine what really happened.
- Review the government’s criminal complaint pertaining to the quality of evidence, collection methods, analysis and production of electronic evidence.
We look at the value and source(s) of the evidence introduced in the government’s reporting to determine if and how the evidence benefits their case. Based on their reporting, we assess the government’s trustworthiness and reveal external influences that could impact the integrity of the introduced evidence that were not identified and fleshed out beforehand.
- Validate all processes and procedures used by the government investigators.
Making the government accountable for their efforts eliminates the “free pass” when entering evidence at trial. We look at the state of the original evidence before the government had access and if the government used sound forensic practices when preserving evidence. Validating the electronic preservation and chain of custody can bring to the surface many questions that otherwise would be hidden.
- Review original evidence for signs of tampering and spoliation.
Sound forensic processes include hashing data to provide an electronic fingerprint to ensure the authenticity of the data moving forward. But hashing does not authenticate the state of the data before it was collected. Understanding the state of the data before and after the government seized it, and identifying any outside influences such as viruses, malware, spyware or tampering, may provide evidentiary insight that the government neglected to identify. More info >>Case in Point: In U.S. v. Peter Farnum, the government failed to report that the seized hard drive had a virus exploit and could provide unauthorized access from an internet user. In addition, they failed to note the that MD5 hash did not match that of an FBI informant who initially imaged and analyzed the drive, and didn’t report that data was written to the drive while in the hands of non-FBI investigators. Until trial, the government didn’t report any information about another inoperative hard drive received at their lab that was working before they took possession.
- Scrutinize the government’s report for proper and improper evidence introduction and determine any analyses the government neglected to perform that may benefit your client.
In this stage, we answer a number of questions to determine if the evidence presented aligns with the government’s story. It’s not the government’s job to find exculpatory evidence, so their investigation may be limited to only solidify their allegations rather than understand what really happened. More info >>Case in Point: In Lamm Rubenstone v. Lesavoy et al, the plaintiff’s expert testified that 1.6Tb of data was deleted from a 300Gb hard drive – a physical impossibility. Prior to trial, the plaintiff’s expert misreported how they came to that conclusion, then admitted in deposition that they did not perform the work themselves. Once we received the true information, we were able to replicate their steps and determine the negligence in their analysis.
- Perform an investigation for the defense.
Preparing for trial with an alternative story to the government’s, rather than merely challenging the government solely on their evidence, may be critical to help the judge and jury reject the government’s allegations. Depending on the illicitness of the evidence, our work may be performed in our lab or at the government’s forensics lab. Upon completion, a comprehensive report of our investigation can be provided for the defense’s case. More info >>Case in Point: In re: JD (minor), the county never explained how illicit material was copied to the juvenile’s hard drive, resulting in arrest. Our investigation showed that these files were copied while the computer was unattended (and the student was confirmed to be at school) and as a result of a peer-to-peer application used to download music. All charges were dropped.
- Prepare for trial.
Having a strong witness who can articulate complex technical issues in a clear and easily understood manner is critical for cases involving technology. David Yarnall has been certified as an expert witness in various courts for both digital forensics and Information Technology. He explains technical issues in a way the jury understands and breaks down issues involving the government’s case that pertain to the electronic evidence. More info >>Case in Point: In Cubberly v. HR imaging, exhibits showing graphs of file activity presented by the plaintiff’s expert were profoundly inaccurate. This error was brought up by David at the start of his testimony, which resulted in a recess and testimony retraction of the plaintiff’s expert.