Tuesday, July 19, 2011

Casey Anthony - More on the chloroform evidence


I was reading the comments by readers of the story that appeared in the NY Times on July 18, 2011 regarding the chloroform searches in the Casey Anthony case.


Software Designer Reports Error in Anthony Trial

Several people commented that they didn't understand why John Bradley didn't notify the defense team or the media of the discrepancy in the 84 searches for chloroform in the Casey Anthony case.

First of all, the defense team was notified of the discrepancy by me as I was in Orlando during the trial and gave Jose Baez the questions to use to clear it up once it came out in testimony.

However, there is a valid reason why John Bradley did not notify the defense team or the media:  That would be against the rules.

What happens in cases involving experts is that the expert has an ethical obligation to notify the attorney he is working for of any mistakes or errors that he or she notes in the evidence so that the correct facts can be presented to a jury.  What the attorney does with that information is not up to the expert.


Also, experts on opposing sides of a case cannot discuss the case in any way as that would also be unethical.

I have also received numerous questions about why I didn't testify in rebuttal since I was working for the defense team, mostly from fellow experts in other countries whose rules differ from those of the US legal system.

In the US, in order for an expert to testify, they must be disclosed to the other side prior to testimony, and are put on the witness list.  I was originally on the witness list, but was taken off so that I could assist in other areas of digital forensics as a consulting expert.  Since I was not disclosed to the other side as an expert any longer, I could not testify at trial.

The defense team had a testifying expert on the witness list, but he withdrew from the case prior to trial.  So by the time trial started, the defense team did not have any testifying witnesses for the computer forensics.  Everything that had to be done regarding the computer forensics testimony at that point had to be done via cross examination or during rebuttal testimony, which is much less powerful than having an expert testify.

While there was an error in the results of the analysis by CacheBack, it is the responsibility of the computer forensics experts on a case to verify the results and check the reports of any other expert.

There have also been reports that both programs' analysis contained errors.  However, the difference was in how substantial the errors were.  Based on my analysis of the evidence, the NetAnalysis errors were not substantial and had no impact on the results from an evidence standpoint.  The CacheBack error was substantial in that it presented evidence that would have substantial impact on the understanding of the jury as to the facts in the case. 

The expert's job is to assist the triers of fact in understanding the evidence.  That means that the expert has to make sure that the triers of fact hear evidence that is accurate, independent of the impact on the case.



Tuesday, July 12, 2011

John Bradley Responds to Chloroform Search Discrepancy in Casey Anthony Trial

John Bradley, who testified about the chloroform search hits at the Casey Anthony trial, responds to the questions about his testimony.

This is well worth reading if you want the inside scoop on what occurred with the Internet history and the chloroform searches in the Casey Anthony case, according to Mr. Bradley.

The link to John's response is below:


http://www.cacheback.ca/news/news_release-20110711-1.asp

Monday, July 11, 2011

Casey Anthony Digital Evidence - Chloroform Searches

Digital Detective posted an excellent analysis of the MORK file that was part of the Casey Anthony trial evidence related to the computer searches, particularly for chloroform.

Here is a link to the post: Digital Evidence Discrepancies - Casey Anthony Case.  It is highly technical, but I would expect no less from the people who make NetAnalysis, a forensic tool I have used for several years now.

I don't know how they got a copy of the history.dat file used in the case.  However, as the consulting expert that assisted the defense team in this area, I can say that based on the analysis I did of all of the digital evidence in the case, that Digital Detective got it right.

The history.dat file was carved from unallocated space.  At the time I carved it from the hard drive, I knew it was not a complete history file, as the end of the file was not "clean".  However, what was carved from unallocated space could be parsed.  At the time that I did the original analysis, I used NetAnalysis, since at the time there were no other forensic tools I was aware of that could parse a MORK file.

I also went and found the programming documents describing the MORK file format and studied them to make sure that what I was seeing matched the construction of the data.  This was also critical in making sure that what was carved from unallocated space was as complete as possible.

When John Bradley of SiQuest, makers of CacheBack, testified that there were 84 hits for the chloroform page, I was shocked.  That certainly did not match my analysis results or those of Sandra Cawn Osborne.  So I went back and reparsed the file using the most current version of NetAnalysis and compared it to the original parse results I got back in 2008.  They matched exactly.

An immediate red flag to me about the 84 hits was that the normal progression you see in Internet history records was missing.  I went back and re-analyzed the data and came to the conclusion that the other program had incorrectly parsed the MORK database file.

Anytime you examine Internet history, you are looking for certain things that indicate that the history file parsed correctly: dates and times that are in the correct order, the proper progression of visit counts, and the presence of correct headers, page titles, etc.
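Below is an added example, not code from the original post and not NetAnalysis or CacheBack code: a minimal parser for the Mork 1.4 layout that Firefox 2 used for history.dat, run over a constructed fragment, followed by the kind of sanity checks listed above (timestamp order, a visit count consistent with the first and last visit times, one row per URL, timestamps in a plausible range). It assumes the Firefox 2 column names (URL, Name, FirstVisitDate, LastVisitDate, VisitCount, Typed), PRTime timestamps in microseconds since the Unix epoch, and that a history row is keyed on its URL; the sample fragment, its URLs and its dates are constructed and are not evidence from any case.

```python
"""Minimal Mork 1.4 (Firefox 2 history.dat) row parser plus examiner sanity
checks.  Added example, not the post author's tooling.  Handles only the
subset history.dat needs: column/atom dictionaries, rows with atom-reference
or literal cells, '$XX' hex escapes and backslash continuations."""
import re
from datetime import datetime, timezone

# Constructed history.dat fragment (assumed column names; not real evidence).
SAMPLE = r"""// <!-- <mdb:mork:z v="1.4"/> -->
< <(a=c)> // (f=iso-8859-1)
  (80=ns:history:db:row:scope:history:all)(81=ns:history:db:table:kind:history)
  (82=URL)(83=Name)(84=Hostname)(85=FirstVisitDate)(86=LastVisitDate)
  (87=Hidden)(88=VisitCount)(89=Typed)>

<(80=http://www.example.com/)(81=E$00x$00a$00m$00p$00l$00e$00)(82=example.com)
 (83=1205900000000000)(84=1206000000000000)(85=1)(86=84)
 (87=http://www.example.com/page.html)(88=1206001000000000)>

{1:^80 {(k^81:c)(s=9)}
 [1(^82^80)(^83^81)(^84^82)(^85^83)(^86^84)(^88^86)(^89^85)]
 [2(^82^87)(^84^82)(^85^88)(^86^88)(^88^85)]
 [3(^82=http://www.example.com/bad.html)(^84^82)(^85^88)(^86^88)(^88=84)]}
"""

_DICT_RE = re.compile(r'<(\s*<\(a=c\)>)?((?:\s*\([^)]*\))*)\s*>')   # group1 set => column dict
_ITEM_RE = re.compile(r'\((\w+)=([^)]*)\)')
_ROW_RE = re.compile(r'\[\s*(-?\w+)(?::\^\w+)?((?:\s*\([^)]*\))*)\s*\]')
_CELL_RE = re.compile(r'\(\^(\w+)(?:\^(\w+)|=([^)]*))\)')            # (^col^atom) or (^col=literal)


def _unescape(raw):
    """Undo Mork escaping ('\\x' -> 'x', '$XX' -> byte XX) and decode; the Name
    column is stored as UTF-16LE, which shows up as NUL bytes."""
    raw = re.sub(r'\\(.)', r'\1', raw, flags=re.S)
    text = re.sub(r'\$([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), raw)
    data = text.encode('latin-1', errors='replace')
    if b'\x00' in data:
        return data.decode('utf-16-le', errors='replace')
    return data.decode('utf-8', errors='replace')


def parse_mork(text):
    """Return one dict per history row, keyed by column name (plus '_row')."""
    text = text.replace('\\\\', '$5C').replace('\\)', '$29')   # keep ')' regexes simple
    text = re.sub(r'\\\r?\n', '', text)                          # line continuations
    text = re.sub(r'(?m)(?:^|(?<=\s))//[^\n]*', '', text)        # comments, not 'http://'
    columns, atoms = {}, {}
    for m in _DICT_RE.finditer(text):
        target = columns if m.group(1) else atoms
        for key, value in _ITEM_RE.findall(m.group(2)):
            target[key] = _unescape(value)
    records = []
    for m in _ROW_RE.finditer(text):
        rec = {'_row': m.group(1)}
        for col, ref, lit in _CELL_RE.findall(m.group(2)):
            rec[columns.get(col, col)] = atoms.get(ref, '') if ref else _unescape(lit)
        if 'URL' in rec:                      # skip meta rows such as ByteOrder
            records.append(rec)
    return records


def prtime(value):
    """PRTime (microseconds since the Unix epoch) -> aware UTC datetime."""
    return datetime.fromtimestamp(int(value) / 1_000_000, tz=timezone.utc)


def check_history(records):
    """Flag rows that lack the progression genuine history shows; returns (row id, message)."""
    findings, seen = [], {}
    for rec in records:
        rid, url = rec['_row'], rec['URL']
        if url in seen:
            findings.append((rid, f'URL duplicates row {seen[url]} (assumed one row per URL)'))
        seen.setdefault(url, rid)
        try:
            count = int(rec.get('VisitCount', '1'))
            last = prtime(rec.get('LastVisitDate', ''))
            first = prtime(rec.get('FirstVisitDate', rec.get('LastVisitDate', '')))
        except (ValueError, OverflowError, OSError):
            findings.append((rid, 'unparseable count or timestamp (carve damage?)'))
            continue
        if count < 1:
            findings.append((rid, f'VisitCount {count} below 1'))
        if first > last:
            findings.append((rid, 'FirstVisitDate later than LastVisitDate'))
        if count > 1 and first == last:
            findings.append((rid, f'{count} visits but first and last timestamps identical'))
        for label, ts in (('first', first), ('last', last)):
            if not 1995 <= ts.year <= 2035:
                findings.append((rid, f'{label} visit in {ts.year}, outside plausible range'))
    return findings


if __name__ == '__main__':
    rows = parse_mork(SAMPLE)
    for r in rows:
        print(r['_row'], r['URL'], 'visits=' + r.get('VisitCount', '?'),
              prtime(r['FirstVisitDate']), prtime(r['LastVisitDate']))
    for rid, msg in check_history(rows):
        print('row', rid, '-', msg)
```

Run stand-alone it prints the three constructed rows and flags only row 3, whose visit count of 84 cannot be reconciled with identical first and last visit timestamps; rows 1 and 2 pass because their counts and timestamps progress together. The same checks applied to a carved file will also surface the damaged rows near the "unclean" end of the carve as unparseable.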

Since I was a consulting expert and could not testify at trial, I supplied the cross examination information for Jose Baez to use in confronting the 84 hits when the opportunity came at trial.

I think Jose did a great job using the information I prepared for him and exposed a glaring error in the evidence presented to the jury.

Friday, July 8, 2011

A Digital Forensics Innocence Project

Joe Windish posted an article on the need for a computer forensics innocence project, For A Computer Forensics Innocence Project, over at The Moderate Voice.  What he advocates makes a lot of sense.

"What we need is a Computer Forensics version of the Innocence Project. We need experts who believe in the presumption of innocence and are willing to spend the time it takes to dig through logs, registry entries and hard drives to find exculpatory material when present. Prosecutors who look for – and presume – guilt do selective searches for data supporting guilt; those accused rarely have the resources to counter such selective evidence."

I agree with him in principle, considering that there are people who are charged with crimes who do not have the resources to hire experts.   And in cases where the client cannot meet the standard to be declared indigent and receive funding for an expert, I believe that we as experts in the field should be willing to take on a reasonable number of pro bono cases.

It is our policy at Guardian Digital Forensics to take on pro bono cases when we can spare the resources.  The Casey Anthony case was one of our pro bono cases.

I am a firm believer in the presumption of innocence, no matter how heinous the crime a person is accused of committing.

I can speak for the other examiners at our firm and state that we would gladly support the formation of an innocence project for digital forensics.  However, one firm cannot do it alone.  I invite my colleagues in the field to start a conversation on how we could make this a reality.  If you are interested in working on creating an innocence project for digital forensics, contact me and let's see where we can take this.

Tuesday, July 5, 2011

Casey Anthony Verdict

Having spent two and a half years as a consulting expert in computer forensics and cell tower forensics on the Casey Anthony defense team, I have to say that Jose Baez was a pleasure to work with and did a herculean job in defending Casey Anthony.  Somehow he managed to juggle thousands of facts, dozens of experts and witnesses while under the intense scrutiny of the media and general public, the majority of that being negative.  He persevered where many might have fallen away or caved under the intense pressure of such a high profile case.

While many will not agree with the verdict returned today, it is fortunate that public opinion is not the driving force behind the justice system in the United States.  The only opinions that matter are those of the 12 people sitting in the jury box who get to hear all of the testimony, listen to all of the arguments and review all of the evidence that is presented by both sides.

The rule of law prevailed today and that is gratifying to see, independent of popular or other opinions.

At the end of the day, the jury was not convinced that the state met the burden of proof beyond a reasonable doubt.  It is important to remember that to render a verdict in a case like this, all 12 jurors must be unanimous whether the verdict is guilty or not guilty.

While some may believe that vengeance is what is needed, that is not the purpose of our justice system and this case reminds all of us that justice must be blind to any factors or pressure beyond the evidence presented.

It would be a sad day in America if our court system was reduced to meting out vengeance rather than justice, no matter how much we as observers may like or dislike the outcome.

Sunday, May 29, 2011

Wireless Alone Is Not Probable Cause. . .

Image: a Linksys BEFW11S4 wired and wireless router sitting on a cable modem (via Wikipedia)
I saw a post over on Technology Forensics, LLC's blog on the topic of whether an IP (Internet Protocol) address from a wireless router should be enough to show probable cause to issue a warrant.

I can kind of see where they are going, but whether or not a warrant is issued for any IP address is not really the issue.  Whether the wireless connection is secured is not really the issue either, or even whether the connection is wireless or wired.

To obtain a warrant to search a home, business, person, vehicle or other location, the police have to establish "probable cause".  Probable cause in legal terms is defined as:


"A reasonable belief that a person has committed a crime. The test the court of appeals employs to determine whether probable cause existed for purposes of arrest is whether facts and circumstances within the officer's knowledge are sufficient to warrant a prudent person to believe a suspect has committed, is committing, or is about to commit a crime. U.S. v. Puerta, 982 F.2d 1297, 1300 (9th Cir. 1992). In terms of seizure of items, probable cause merely requires that the facts available to the officer warrants a "man of reasonable caution" to conclude that certain items may be contraband or stolen property or useful as evidence of a crime. U.S. v. Dunn, 946 F.2d 615, 619 (9th Cir. 1991), cert. denied, 112 S. Ct. 401 (1992)." http://www.lectlaw.com/def2/p089.htm

Because of the way that networking technology works, the issue might be to determine just how far probable cause should extend beyond the IP address.

I'm no lawyer, so I am just going to explore this from a practical standpoint of how probable cause is developed in cases involving the Internet that lead to a search warrant being issued, and some points on how the search and seizure should be limited based on the kind of probable cause established in an Internet investigation where the target address is developed from an IP address.

First, it must be understood that an IP address is not the Internet address of a particular computer in most instances, but is the Internet address of a router.  A router is a device that allows multiple computers to use a single Internet connection, i.e. a single IP address, to connect to the Internet.

Image: multiple computers connected to a single router (via Wikipedia)

When the router happens to be a wireless router, then multiple computers can connect to the Internet via that wireless router from some distance, without ever being in or on the premises that house the wireless router.

How Probable Cause is Developed - File Sharing.


Internet investigations into the sharing of child pornography are cases where probable cause is developed entirely through technology.  Using software to locate child porn files on the peer to peer networks, the investigator will use the IP address advertised by the file sharing client to perform a lookup to see where the IP address is located and also to get the owner of the IP address.  By owner, I mean who has the right to allow someone to use the IP address, which is going to be an Internet Service Provider (ISP). When the investigator finds out the owner information, the next step is to issue a subpoena to the ISP to get the account information for the subscriber who is assigned that IP address.

At this point for the purpose of probable cause, the presumption has to be that the physical address of the person who pays the bill for the Internet account that was using the IP address at the time of the investigation is also where the computer will be found that is doing the sharing.


Of course, if the address happens to be a 500 room hotel, then that could be an issue since it might be a stretch to storm the hotel and seize every computer from everyone on the premises including employees and guests.  Yet when a search warrant is executed on a house, the same thing happens on a smaller scale.  Every computer is seized independent of whether or not there is any evidence at all that one of those computers is the one doing the sharing.  Additionally, the way the warrants are worded, anything else can also be seized such as video tapes, CDs, DVDs, magazines, sticky notes, manuals, and the list goes on.  Police even seize the computer mouse, keyboard, monitor, and the power supply, items that are pretty unlikely to contain any evidence.

One question that should be raised is whether or not the probable cause developed for an IP address is enough to permit wholesale seizure of computers and storage devices without any idea which if any of them might be the instrument of the suspected crime.

It is not a difficult task, from a technology standpoint, to determine quickly which computer, if any, was actually the one that the investigator saw sharing on the Internet.  They have the tools in hand to get the GUID of the sharing computer during the investigation.  Checking the computers to locate that GUID is simple and fast, thus avoiding having to seize every computer on the premises.

The argument could be made that the software used during the online investigation is acting as an electronic "informant" by telling the investigator the location of the computer doing the sharing.  The problem with that argument is that the informant in such a case would not actually know the location of the computer with any more precision than the location of the router in that 500 room hotel.  In order for the informant to be a reliable source, it should have to be able to pinpoint the room, not just the hotel.

Another issue that really should be addressed is the fact that computers are closed containers.  You cannot tell by looking at them if they contain any evidence at all related to an investigation.  So should it be correct that all of the closed containers should be seized and broken open and searched?  Here is another analogy to consider.  An informant tells an investigator that crack cocaine is present in a car in a parking lot. The informant can only provide the address of the parking lot, and nothing about the car that might contain the cocaine.

Since the parking lot is like the router, i.e. lots of cars can park in a parking lot and the address of the lot is only going to get you to a whole bunch of cars, not a particular car, does it make sense to impound and search every car on the lot based on the probable cause that a car parked in the lot might contain cocaine?  Shouldn't the probable cause for the warrant specify a particular car, or at least a description of a car that would prevent the wholesale seizure and subsequent search of all the cars?  To equate it back to the Internet investigation, the car's license tag number would be the same as the GUID of the file sharing client on the computer that was seen sharing on the Internet.  It is simple and easy to check, so that the right car is seized rather than all the cars, or the right computer rather than all the computers.
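As an added example (not the author's tooling and not part of the original post), here is how the GUID check described above can be run against files read from a seized machine: the GUID the investigator's software recorded during the online session is normalized, then searched for in every candidate file both as text in any common spelling (braces, dashes, either case) and as its raw 16 bytes, which is how it would sit in a binary file or a pagefile. The file names (limewire.props and the like), the CLIENT_ID key, the paths and the GUIDs in the sample mapping are all assumptions constructed for the example.

```python
"""Locate an observed Gnutella-style client GUID on seized media.  Added
example, not the post author's tooling; file names, keys and sample data
are assumptions constructed for illustration."""
import os
import re

# Textual GUID in any usual spelling; lookarounds stop a longer hex run from matching.
_TEXT_GUID = re.compile(
    r'(?<![0-9A-Fa-f])\{?[0-9A-Fa-f]{8}-?[0-9A-Fa-f]{4}-?[0-9A-Fa-f]{4}'
    r'-?[0-9A-Fa-f]{4}-?[0-9A-Fa-f]{12}\}?(?![0-9A-Fa-f])')

# Constructed sample: GUID "seen" by the investigator's tool, plus files from two machines.
OBSERVED = '3F2504E0-4F89-11D3-9A0C-0305E82C3301'
SAMPLE_FILES = {
    'suspect-pc/Users/a/AppData/Roaming/LimeWire/limewire.props':
        b'CLIENT_ID=3F2504E04F8911D39A0C0305E82C3301\nPORT=6346\n',
    'roommate-laptop/Users/b/AppData/Roaming/LimeWire/limewire.props':
        b'CLIENT_ID=0102030405060708090A0B0C0D0E0F10\nPORT=6346\n',
    'suspect-pc/pagefile.sys':
        b'\x00' * 8 + bytes.fromhex('3F2504E04F8911D39A0C0305E82C3301') + b'\xff' * 8,
}


def normalize_guid(text):
    """Reduce any textual GUID spelling to 32 lowercase hex digits, or None."""
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', text)
    return hexdigits.lower() if len(hexdigits) == 32 else None


def guid_matches(observed, path, data):
    """Return (path, offset, kind) for every place `observed` appears in `data`,
    as text in any spelling ('text') or as the raw 16 bytes ('raw')."""
    target = normalize_guid(observed)
    if target is None:
        raise ValueError('observed GUID must contain exactly 32 hex digits')
    hits = []
    text = data.decode('latin-1')          # 1:1 byte mapping keeps offsets exact
    for m in _TEXT_GUID.finditer(text):
        if normalize_guid(m.group(0)) == target:
            hits.append((path, m.start(), 'text'))
    raw = bytes.fromhex(target)
    pos = data.find(raw)
    while pos != -1:
        hits.append((path, pos, 'raw'))
        pos = data.find(raw, pos + 1)
    return hits


def scan_files(observed, files):
    """files: mapping path -> bytes (as produced by load_tree). Returns all hits."""
    hits = []
    for path in sorted(files):
        hits.extend(guid_matches(observed, path, files[path]))
    return hits


def load_tree(root, names=('limewire.props', 'frostwire.props', 'gnutella.cfg')):
    """Read candidate client config files from a mounted, read-only image.
    The file names are assumptions; extend the tuple for the client in question."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in names:
                p = os.path.join(dirpath, fn)
                with open(p, 'rb') as fh:
                    files[p] = fh.read()
    return files


if __name__ == '__main__':
    for path, offset, kind in scan_files(OBSERVED, SAMPLE_FILES):
        print(f'{kind:4} hit at offset {offset} in {path}')
```

On the constructed sample only the suspect machine's files match (the client config as text, the pagefile as raw bytes); the roommate's laptop, with a different CLIENT_ID, produces no hit and could be left in place. In practice the scan runs against a forensic image or a write-blocked mount, not the live machine, and a hit ties a specific computer to what the investigator observed rather than relying on the router's address alone.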

Wednesday, May 4, 2011

False Porn Accusations Underscore Wi-Fi privacy dangers

Nearly everyone is going wireless these days.  It is just more convenient to have the ability to walk around the house with your iPad or use your laptop in a room where no cable connection exists, and it is a lot cheaper than running network cable through the house or office.

What amazes me is how many open hotspots there are still around.  With all the news about security issues, bandwidth stealing, and even false allegations of child porn downloading, you would think that securing your home or business wireless would be JOB #1.  But in many cases it isn't.

I can be riding in a car working on my laptop and as we travel down the interstate, run around town or even drive through the rural areas, I get wireless availability notices if I don't bother to turn off the wireless on the laptop.  Out of curiosity, I occasionally pop up the little "connection available" window and take a look at nearby wireless hotspots.

What I see is that there are still a lot of unsecured wireless routers out there.  I have to smile when I see an unsecured wireless with names like, "dontstealmyinternet" or "nointernetforyou" and they are sitting there open to connections.

On the other hand, being in an area with random unsecured wireless routers can also be annoying.  Even today, the wireless networking in your computer wants to connect to wireless, even wireless you don't have any right to.  And, if the signal for an unsecured hotspot is stronger than one that you should be on, you can inadvertently make a connection.

Occasionally I get a call from a friend or client asking me to help with their wireless connection being slow and causing issues.  When I check, I see they have accidentally connected to the neighbor's wireless, or even more concerning to a small business wireless with no security.

Once your laptop or wireless device gets a connection, it will keep it even if it is not the best connection.  In other words, once it connects, it wants to hang on to that connection rather than always making sure that you are connected to the best source or the correct source for the wireless.

You can mitigate that some by setting your wireless properties on your computer to only connect to "preferred" wireless. 


If you are planning on, or already have, a wireless router in your home or business, make sure that it is secured, is using at least WPA2 security and has a strong password.

If you are a do-it-yourself person and you are not sure how to make this a certainty, call someone you know who can handle it for you.

You don't want to end up like this guy.


"BUFFALO, N.Y. — Lying on his family-room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early-morning wake-up call from a swarm of federal agents.
That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.
"We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."
"No, I didn't," the man insisted. "Somebody else could have but I didn't do anything like that."
"You're a creep ... just admit it," they said"
False porn accusations underscore Wi-Fi privacy dangers

Phone companies' ditching of text messages might hamper crime investigations

Holly Zachariah, a reporter for The Columbus Dispatch, filed this story on Sunday, May 1, 2011:


Phone companies' ditching of text messages might hamper crime investigations

And her report is right on the money.  The value of text messages in criminal cases cannot be denied.  They can be critical on both sides of the case.

The fact that the cellular carriers like Verizon, Sprint, AT&T, etc. don't keep them for any period of time is even more of an issue for the defense, who may not even know of the need for text message preservation until several months after a crime occurred.

The good news / bad news is that text messages, even deleted ones, can be retrieved from the phones themselves in some cases.

But that is not always the case, nor even the most common scenario.  Much of the time cell phones are not collected and preserved properly, leading to the loss of valuable data that can be used in cases.


If you are an attorney and have a client contact you with a case involving text messages, civil or criminal,  a couple of things should probably happen:

One: If the incident is recent enough or you have an ongoing situation involving text messages, it may be a good idea to issue a preservation order to the carrier so they stop purging them.

Two: Take immediate steps to preserve the evidence on the phone  by having a qualified cell phone forensics expert collect the data from the unit.

If you have a case where neither of the above occurred, all is not lost: have the phone examined to see if the deleted messages can be retrieved.  Even so, time is of the essence, since deleted text messages do not remain forever on a cell phone.  They should be collected right away.  Not all phones allow for the retrieval of deleted text messages.  Your cell phone examiner can tell you in most cases whether the phone is supported for retrieval of deleted text messages.  However, due to the nature of cell phone forensics today, sometimes the only way to know if deleted text messages can be retrieved from a particular phone is to make the attempt using forensic tools.

Processing a cell phone is not expensive or very time consuming.  It is well worth the investment if you need to preserve evidence in a case.

Tuesday, May 3, 2011

SONY On-Line Entertainment Breach Woes Continue

It has been in the news that SONY's Playstation network was breached in the last few days.  Their on-line gaming network has been breached as well.

Here is the gist of the email.



Wednesday, April 20, 2011

The Book is Almost Here!

Over the last few months, Lars and I have been writing like crazy on our Syngress book, Digital Forensics for Legal Professionals.  While the book is still a few months away, you can order it now on Amazon!

Permalink: http://amzn.com/159749643X


Monday, January 31, 2011

PI Law Update–Virginia Weighs In

Image: Virginia state seal outside the State Capitol (photo by MudflapDC via Flickr)

On January 31, 2011 the Virginia House voted 98 to 0 to pass House Bill HB 2271, which exempts digital forensics from the state Private Investigator law.

Here is a summary:

”Computer and digital forensic services; exempt from regulation as a private security service business.  Exempts from regulation as a private security service business any individual engaged in (i) computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes or for providing expert testimony before a court, or (ii) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.”
This is good news.

You can read the full text of the bill here:  HB 2271

This follows North Carolina passing similar legislation to exempt Digital Forensics from the PI law last year.