“Every contact leaves a trace,” said Dr. Edmond Locard, a French criminologist and pioneer of forensic science, often informally called the “Sherlock Holmes of France.” His theory became known as Locard’s exchange principle and is the basis for all forensic science as we know it today.
Locard asserts the actions a person takes leave behind remnants or trace evidence. Today those traces transcend familiar examples like fingerprints and hair follicles. Now digital traces include a computer’s web browser cache, or a smartphone’s deleted text messages, or resilient date and time stamps buried deep within documents, photographs, and videos.
Last month I described how digital forensic examiners are now collecting online cloud accounts directly as best evidence for production in civil and criminal cases. This month we will explore how digital forensic examiners routinely recover online evidence indirectly by collecting digital traces left behind by a user’s prior cloud access using a smartphone or computer.
In this situation Locard’s “contacts” are web or cloud browsing sessions undertaken by a user on his or her smartphone or computer using Chrome, Safari, Firefox, Edge, Internet Explorer, or other browser software to access the cloud.
Locard’s “traces” are data retained by the smartphone’s or computer’s browser software. Traces include web history, downloads, cache, cookies, bookmarks, web addresses, pages, tokens, tabs, sync data, autofill, and logins.
The smartphone or computer provides clues to the discovery of user cloud accounts. When a digital forensic examiner recovers device evidence, its analysis highlights cloud evidence. He or she identifies connections between the cloud and a smartphone, or between the cloud and a computer. The analysis can prove document movement or other cloud-based activity relevant to the investigation.
What promising clues can the legal team discover from analysis of smartphones and computers to identify and prioritize online cloud evidence worthy of investigation?
Clues from digital evidence traces
Device information recovered from smartphones and computers yields helpful clues for additional discovery from the cloud. An iPhone, for example, contains information identifying the Apple iCloud account to which it is connected. The iPhone also records whether it was backed up to that iCloud account and when. Forensically collecting the iPhone backup and analyzing it for live and deleted mobile evidence can produce a more probative recovery of contemporary evidence. Recovering the iCloud backup of the iPhone, instead of the iPhone handset, can shave months off the elapsed time since the incident date, yielding a much fresher iPhone specimen, closer in time to the incident, for evidence analysis.
Android smartphones, similarly, contain information about connected Google cloud accounts. They store information on whether Gmail, Google Drive documents, or the Google Timeline might be available for forensic collection and analysis. The Google Timeline, also called Google Location History, is often effective for recovering and mapping out device locations passively tracked by Google from the Android smartphone. It is used to prove the user’s whereabouts in relation to a crime, and it is also useful in motor vehicle accident and other personal injury and wrongful death investigations.
Smartphones also contain key information that uniquely identifies the device and its cell phone service provider (carrier). That information can be used immediately to launch an investigation by issuing a subpoena for the carrier’s business records. Those records supplement the mobile evidence collected from the smartphone and include call detail records, text message logs, Internet protocol sessions, and cell site locations.
Smartphones and computers also yield clues for finding additional case actors unknown to the legal team. A review of emails and messages can uncover them. Social media accounts also give up friends, connections, followers and those followed, those who post, and those who correspond using direct messages in the account. Contacts and phone books stored on the phone or computer are often the best sources of names, aliases, and other identifiers for case actors. I often find two or more e-mail addresses, phone numbers, or web site addresses associated with a person for whom the legal team possessed only one.
What useful cloud evidence can the legal team discover on smartphones and computers for leverage in advocating for their client in civil and criminal cases?
Finding material cloud evidence
Cloud storage and backup accounts have vast, often unlimited, storage capacity available to users for offloading data from their limited personal and company devices. Users will archive and share documents, files, and folders in cloud storage accounts such as Dropbox, Google Drive, Microsoft OneDrive, Box, and many others. They archive and share photographs and videos online using Flickr, iCloud Photos, Google Photos, and Amazon Photos. And they commonly back up their computers today for safekeeping to the cloud using services like Carbonite, iDrive, Backblaze, and CrashPlan, among many others. These cloud accounts are potential alternative discovery sources for historic document evidence. Digital forensic examiners easily locate and identify them with particularity on smartphones and computers.
Most of us perform Google searches daily or weekly for work, personal problem solving, or to satisfy ad hoc curiosities. Or, maybe you use an alternative search engine like Bing, Facebook, YouTube, Yahoo, or DuckDuckGo. Whichever one we use, we perform the search using browser software on a smartphone, tablet, or computer. And browsers keep web history, cache, and URLs for every search entered and for all hits generated by the search engine. Modern digital forensic tools collect, parse, and analyze browser data for searches performed on the device.
When lawyers hire a digital forensic examiner and ask for search engine evidence, the examiner produces a comprehensive report. The report includes, for each search, the user’s search terms (the exact typed queries), any previous query, the web page title and address of the search hits, and the date and time stamp of the search. The search engine evidence can itself be searched using keywords defined by the lawyer. It is highly effective for showing state of mind and for establishing intent. Many lawyers request it on every case and scrutinize it carefully to develop case facts and arguments.
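The two paragraphs above describe what a browser history examination produces: the typed search terms, the previous query, the page title and address of each hit, and the time stamp, all of it keyword-searchable. The following Python is an added illustration of how such a report is assembled; it is not code from the column or from any forensic tool vendor. It assumes a simplified copy of the Chrome/Chromium History database layout (a `urls` table and a `visits` table whose `from_visit` column links a visit to the page that led to it), Chrome's convention of storing times as microseconds since 1601-01-01 UTC, and a small map of search engines to the query parameter that carries the typed terms. The history rows themselves are constructed for the example and come from no real device.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Chrome/Chromium stores visit times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Query-string parameter that carries the typed search terms, keyed by engine host.
# Assumption for this example: only these common result-page forms are recognised.
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
}


def webkit_to_datetime(us):
    """Convert a Chrome visit_time/last_visit_time integer to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion, done in integer arithmetic so large values stay exact."""
    td = dt - WEBKIT_EPOCH
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def search_terms_from_url(url):
    """Return (engine_host, typed_terms) for a recognised results page, else None.
    A results URL with an empty query (e.g. '?q=') is treated as no search."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    param = SEARCH_PARAMS.get(host)
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)  # blank values are dropped by default
    if not values or not values[0].strip():
        return None
    return host, values[0].strip()


def build_sample_history():
    """In-memory SQLite DB with a simplified Chrome-style schema and constructed rows.
    Visit ids equal url ids here for readability; from_visit points at a visit id."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
    """)
    t0 = datetime(2021, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
    rows = [  # (id, url, title, minutes after t0, from_visit) -- constructed data
        (1, "https://www.google.com/search?q=quarterly+sales+report+template",
         "quarterly sales report template - Google Search", 0, 0),
        (2, "https://www.dropbox.com/home/Shared/Finance", "Finance - Dropbox", 1, 1),
        (3, "https://www.google.com/search?q=how+to+share+a+dropbox+folder",
         "how to share a dropbox folder - Google Search", 3, 1),
        (4, "https://search.yahoo.com/search?p=onedrive+version+history",
         "onedrive version history - Yahoo Search Results", 10, 0),
        (5, "https://duckduckgo.com/?q=", "DuckDuckGo", 12, 0),  # empty query edge case
    ]
    for vid, url, title, minutes, from_visit in rows:
        ts = datetime_to_webkit(t0 + timedelta(minutes=minutes))
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?)", (vid, url, title, 1, ts))
        conn.execute("INSERT INTO visits VALUES (?,?,?,?)", (vid, vid, ts, from_visit))
    conn.commit()
    return conn


def extract_searches(conn):
    """Walk every visit in time order, keep search-results pages, and record the
    previous query when the referring visit (from_visit) was itself a search."""
    cur = conn.execute("""
        SELECT v.id, v.visit_time, v.from_visit, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """)
    visits = {row[0]: row for row in cur.fetchall()}
    report = []
    for vid, visit_time, from_visit, url, title in visits.values():
        hit = search_terms_from_url(url)
        if hit is None:
            continue
        engine, terms = hit
        previous = None
        ref = visits.get(from_visit)
        if ref is not None:
            prev_hit = search_terms_from_url(ref[3])
            if prev_hit is not None:
                previous = prev_hit[1]
        report.append({
            "timestamp_utc": webkit_to_datetime(visit_time).isoformat(),
            "engine": engine,
            "search_terms": terms,
            "previous_query": previous,
            "page_title": title,
            "url": url,
        })
    return report


def keyword_hits(report, keywords):
    """Filter the report to searches whose typed terms contain any lawyer-defined keyword."""
    kws = [k.lower() for k in keywords]
    return [e for e in report if any(k in e["search_terms"].lower() for k in kws)]


if __name__ == "__main__":
    for entry in extract_searches(build_sample_history()):
        print(entry)
```

Running the block prints three report rows: the two Google searches (the second carrying the first as its previous query, because the user returned to the results page and searched again) and the Yahoo search; the Dropbox page is not a search and the empty DuckDuckGo query is dropped. A real examination would open the copied History file with `sqlite3.connect()` instead of building one, and would extend `SEARCH_PARAMS` for the engines the device actually used.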
Putting it all together
Starting an investigation with indirect cloud evidence, sourced by collecting and analyzing the smartphones and computers used by key case actors, is a best practice. When the smartphone or computer evidence is relevant, and the cloud account is available with a reasonable likelihood of producing material evidence, a cost-effective direct forensic collection is often justified. Years of experience in civil and criminal cases show that examination of one or more devices and carefully chosen cloud accounts yields the best evidence for use at trial or in settlement talks.
Taken together, this approach combines forensic collections from smartphones, computers, and cloud accounts into one case evidence corpus. It can be large, but it is a highly useful data set. It makes fast work of identifying and mapping out connections between cloud accounts, smartphones, and computers to prove document movement or other activities between user devices and accounts. It eases generation of comprehensive reports like super timelines for understanding how incidents developed and progressed. It also makes possible map exhibits showing device locations from multiple sources. Connecting the dots between case facts with the insight to answer the big questions positions lawyers to win or advantageously settle cases.
I will focus on other ways mobile evidence recovered from smartphones and tablets can strengthen a lawyer’s evidence strategy in next month’s Exemplary Evidence article.
John J. Carney, Esq., is the chief technology officer of Carney Forensics, www.carneyforensics.com.