Evidence trapped inside a locked smartphone or hard drive could exonerate your client.

By: David Notowitz, NCAVF

Cell phones and computer hard drives hold an unprecedented treasure trove of evidence that can prove helpful when investigating cases for court. But sorting through that information can take weeks or months, a painful and expensive process as our clients try to organize massive amounts of text messages, photos, call records, and location data.

New technology is streamlining this process, increasing the accuracy of results, and decreasing the time to do it.


Do you want to know exactly where an individual’s phone has been over the last 6 months? 

This could be a nightmare to piece together manually.

When the user of a phone takes a photo or video, the location and time are often saved as well, showing where the phone, and presumably its owner, was at the moment the picture or video was recorded. Every time a phone connects to a Wi-Fi hotspot, for example at a coffee shop or the beach, location data is saved.

If you had to manually extract data by opening each app, checking logs, checking GPS data for each photo and video, and determining location from each Wi-Fi connection, it would take a very long time to create a chart or map.

By using new tools, data analysis that once took months can be completed in one day with software that assists like a detective, traveling back months in time and compiling phone location results onto a map.

Location data from cellphones can be extracted and mapped to show movement over time. GPS details can come from connections to wireless routers, from photos and videos, app data, and text messages.
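To make the idea concrete, here is a short illustration added to this article (it is not code from NCAVF or from any forensic product) that merges photo GPS tags and Wi-Fi connection records into one chronological track. The `taken_utc` field, the Wi-Fi record layout, and all sample values are assumptions constructed for the example.

```python
import math
from datetime import datetime, timezone

def dms_to_decimal(dms, ref):
    """EXIF stores a coordinate as three rationals (deg, min, sec) plus N/S/E/W."""
    deg, minutes, sec = (num / den for num, den in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def from_photo(meta):
    """Return (time, lat, lon, source), or None when the photo has no GPS tags."""
    if "GPSLatitude" not in meta or "GPSLongitude" not in meta:
        return None
    # "taken_utc" is a hypothetical field holding the capture time, already in UTC.
    when = datetime.strptime(meta["taken_utc"], "%Y:%m:%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (when, dms_to_decimal(meta["GPSLatitude"], meta["GPSLatitudeRef"]),
            dms_to_decimal(meta["GPSLongitude"], meta["GPSLongitudeRef"]),
            "photo:" + meta["file"])

def from_wifi(rec):
    """Wi-Fi record whose access-point location is already known (assumed format)."""
    return (datetime.fromisoformat(rec["connected_at"]), rec["lat"], rec["lon"],
            "wifi:" + rec["ssid"])

def build_timeline(photos, wifi):
    points = [p for p in map(from_photo, photos) if p is not None]
    points += [from_wifi(r) for r in wifi]
    return sorted(points, key=lambda p: p[0])

def km_between(a, b):
    """Great-circle (haversine) distance between two timeline points, in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[1], a[2], b[1], b[2]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

# Constructed sample records, not taken from any real device.
PHOTOS = [
    {"file": "IMG_0003.jpg", "taken_utc": "2023:03:04 19:45:00",
     "GPSLatitude": ((34, 1), (0, 1), (36, 1)), "GPSLatitudeRef": "N",
     "GPSLongitude": ((118, 1), (29, 1), (24, 1)), "GPSLongitudeRef": "W"},
    {"file": "IMG_0002.jpg", "taken_utc": "2023:03:04 18:00:00"},  # location off
    {"file": "IMG_0001.jpg", "taken_utc": "2023:03:04 17:05:00",
     "GPSLatitude": ((34, 1), (3, 1), (8, 1)), "GPSLatitudeRef": "N",
     "GPSLongitude": ((118, 1), (14, 1), (37, 1)), "GPSLongitudeRef": "W"},
]
WIFI = [{"ssid": "CoffeeShop-Guest", "connected_at": "2023-03-04T18:30:00+00:00",
         "lat": 34.03, "lon": -118.40}]

if __name__ == "__main__":
    timeline = build_timeline(PHOTOS, WIFI)
    for prev, cur in zip([None] + timeline, timeline):
        moved = f"{km_between(prev, cur):5.1f} km" if prev else "   start"
        print(cur[0].isoformat(), f"{cur[1]:.5f},{cur[2]:.5f}", moved, cur[3])
```

The photo with no GPS tags is skipped rather than guessed at, so every point on the resulting track traces back to a specific file or connection record.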


Another new technology that can aid investigations is hardware that cracks passwords faster. While most people use relatively simple passwords, passwords can potentially be hundreds of characters long and contain not just English letters, but letters from different languages, combinations of languages, even emojis, making cracking passwords a complicated business.

Up until now, existing technology might test random combinations at 60,000 passwords per second, but the latest password cracking tools can try a staggering 7.7 million combinations per second. What used to take weeks or months can now be done in minutes or hours.


Another growing area of digital evidence gathering involves restoring deleted files. While many people believe deleting something from a phone or computer means it’s gone, that’s rarely the case. The information may still be available. New programs help find and extract those deleted files.


Recently, a surveillance Digital Video Recorder (DVR) system was delivered to our lab. A homeowner had a break-in while she was on vacation, and several items were missing. The owner suspected her estranged husband, with whom she was having a dispute in family law court. When she checked the surveillance system, it showed no recordings for that time period. That was odd, so she sent the DVR to us for a forensic analysis.

We found a log file in the DVR showing the hard drives were formatted early one morning while she was away. We sent her a copy of the log and explained that formatting the drives in this way is like ripping out the table of contents in a book; the book is still intact and the table of contents can be reconstructed.

The estranged husband found out about the log and quickly settled the case.


Once data has been gathered from a cellphone or hard drive, finding the specific text message, video, web search, or GPS location to help your case is the next important step. The sheer amount of data can be overwhelming without a carefully considered process, the right software, and a forensic technician working with an attorney to guide the search.

Possibly important words can be compiled into a list and a search performed on texts, emails, internet inquiries, and photos, allowing software to sort and output the results.

Attorneys can streamline their practice by adopting the newest data recovery and analysis techniques and find that needle in the haystack — the one piece which makes the case.

David Notowitz is the founder of NCAVF and an Emmy award-winning producer, expert witness and forensics lecturer. No newcomer to speaking and educating, Notowitz has presented at many trials, meetings, and conferences and taught thousands of attorneys and investigators at CLE State Bar Certified continuing education courses.