The evidence shows that…

How digital forensic science can be used to make a watertight legal case

At a time when a laptop has been supposedly been left behind at a repair shop, and said laptop supposedly contains evidence of wrongdoing committed by a relation of a prominent US politician, it is worth looking at just how such ‘evidence’ may be collected and verified.

Firstly, there must be a clear chain of evidence – this means that the original laptop hard drive (or phone) is not examined. Rather, exact digital imaging is carried out twice; once for examination, and once as a control. The second image is bagged and sealed and witnessed, as is the original device. Such imaging is much more than a simple copying of all the files, but may include all supposedly empty disk sectors and unused space, which may contain traces of wiped files. The first image is then examined, leaving the second copy untouched as evidence that the examination process has not contaminated or altered the original data.

This examination is based on the assertion by the early forensic scientist Dr Edmond Locard that “every contact leaves a trace”, whether this be in the field of biometric or other physical forensics, or forensics applied to digital devices.

Every connection to the Internet, every visit to a Web site, every email exchange, and every file opened leave a trace of some kind behind. There are privacy modes on browsers, and there are ways of deleting files which supposedly cover one’s tracks, but there are still traces that may be uncovered.

In the case of the laptop mentioned at the beginning of this piece, one question on social media asked, defending the delay between the laptop’s supposed appearance and the appearance of the accusations, “Have you any idea how long it would take to go through 60,000 email messages?”

The answer to this question can be measured in hours. As an experienced digital forensics practitioner, First Response uses the most powerful specialist software tools to extract and analyse all the information on a digital image, not just the information that is visible at first sight, and this information may be summarised and presented in hours, rather than days or weeks.

For example, if a computer’s clock has been reset to make it appear that a document has been created before the date it was actually created, there may well be clues embedded in the document itself that prove that the claimed date is in fact false.

Digital photos may contain much more than a visual representation of the subject. The specific model of camera or phone, together with a timestamp and often a GPS geotag, among other information, form a part of such an image.

Such information hidden within photos and files may be used to support or to help disprove both allegations and alibis in a number of different contexts. First Response forensic specialists are experienced expert witnesses who can confidently present evidence, either written or oral, in a court-friendly and compatible format.

If you have a problem that might involve the examination of digital records, whether on a desktop, laptop, server, or phone, and accurate results are needed speedily, call First Response and see how our forensic services team can be of service to you.