Exemplary Evidence: ‘Every contact leaves a trace’

Locard’s Exchange Principle in the Digital Age

John J. Carney (left) and Brendan Kenny

Evidence is nothing new. But while forensics goes back to the 19th century, digital forensics is a much more recent science. With all the technology development and changes, most lawyers—and even some digital forensic experts—are tempted to pine for the days of carbon copiers, Betamax, and rotary phones.

But cheer up, digital forensic experts—and savvy attorneys working with them. A grounding in long-standing forensic and evidentiary principles, a mastery of cutting-edge technology, and a wealth of real-world experience can deliver results for clients and our justice system that others can’t or won’t achieve. In this article, we examine how these time-tested, but state-of-the-art best practices can bridge the gap between technology and the law.


Locard’s Principle — ‘Every contact leaves a trace’ — applies to cyberspace as well as the real world

“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”

— Prof. Edmond Locard, c. 1910
© 2003-2006, Gary C. Kessler


Going back in time: Dr. Edmond Locard

Let’s begin at the beginning—in 19th century France. Enter Dr. Edmond Locard, a pioneering French forensic scientist known as the “Sherlock Holmes of France.” He devised his Exchange Principle, which states that “every contact leaves a trace.” This means that small particles or traces of evidence are inevitably exchanged, or transferred (such as fibers, hair, or soil) whenever a person or object encounters another person or object. In other words, every contact involves bringing something in and taking something out with you.

With little more than a microscope and a spectrometer, Dr. Locard famously brought coin counterfeiters to justice by matching the metals in the counterfeit coins with the metals in the coins found in the suspect’s clothes. But this principle isn’t just another quaint Victorianism, like steamships.

In fact, this principle also applies to our modern digital world, where doing almost anything electronically leaves a digital trace behind. This trace evidence can manifest in forms like network logs, file metadata, and system artifacts. Digital forensic experts can leverage these digital traces to reconstruct the events at issue in criminal and civil cases, including the identity of the parties involved.

There’s a problem. The wrinkle in the principle (as Locard recognized) is that the value of the evidence depends on the forensic examiner’s ability to understand—and explain—the evidence. This matters because digital forensic evidence is almost always circumstantial. Direct evidence “is based on personal knowledge or observation and that, if true, proves a fact without inference or presumption.”[1] Circumstantial evidence is “based on inference and not on personal knowledge or observation.”[2] Evidence is circumstantial when it is “[e]vidence of some collateral fact, from which the existence or non-existence of some fact in question may be inferred as a probable consequence….”[3] Of course, “[s]ome circumstantial evidence is very strong, as when you find a trout in the milk.”[4] But judges and juries don’t always see it that way.

As any lawyer aware of the “CSI effect” knows, digital forensic evidence can be a double-edged sword for the party offering it. If the evidence meets the jury’s often television-influenced expectation of smoking-gun evidence, you win. But if the evidence falls short of the jury’s expectations, you may lose—even when other evidence strongly favors your side. And if you try to sidestep the problem by not offering digital evidence that isn’t a slam dunk, the jury might punish you for that too.

Applying the Locard Exchange Principle in the Digital Age

As technology evolves, the challenges faced by digital forensics experts have become increasingly complex. Even so, the Locard Exchange Principle remains crucial to navigating these challenges. These experts (and the lawyers who retain them) must adapt their techniques to account for new and abstruse digital artifacts, volatile evidence, and emerging computing environments.

The proliferation of electronic devices and the ubiquity of digital communication have created a wealth of potential evidence. From smartphones and laptops to cloud storage and connected vehicles, every interaction with technology leaves behind a digital trace that forensic investigators can leverage.

Forensic examiners can uncover a wealth of evidence by analyzing network logs, file metadata, and system artifacts. The news is filled with examples of how deleted voicemail messages, iTunes backups, and text message snapshots provide valuable evidence in both criminal and civil cases.

Of course, the Locard Exchange Principle extends beyond the device itself to cloud-based services, connected vehicles, and paired or synced wearable devices. This data lets digital forensic experts develop findings and piece together a comprehensive picture of a crime or an event. It also empowers effective lawyers to craft a more accurate and compelling story about the crime or event.

Examples of the Locard Exchange Principle

Lawyers could spend a lifetime talking about and attempting to apply digital forensic tools in their legal practice. And an equally long time mastering each one, just in time for it to be replaced with a new one. But that would defeat the purpose of digital forensics: (1) examining digital evidence to identify, preserve, recover, analyze, and present facts and opinions about digital information that (2) may be relied on in court. The second part is the reason effective lawyers are increasingly incorporating a real-world knowledge of digital forensics to better serve their clients and the justice system.

Many of us are familiar with the classic applications of Locard’s Exchange Principle in the digital age. Here are two all-too-familiar examples from employment law:

  • A departing employee steals company data with a USB thumb drive. USB flash drives are portable and can hold over 100 gigabytes of data. The saboteur may think they have gotten away with it, but many traces are left by USB devices when plugged into computers.
  • An employee behaving inappropriately on a work computer tries to cover their tracks and eliminate the evidence of their misconduct by clearing their browser’s cache, erasing their internet history, and deleting documents. Forensic tools and techniques for uncovering deleted data let digital forensic experts rebuild the electronic story of what happened.

The illustrations below show how Locard’s Exchange Principle applies in real-world cases on three technological platforms:

Mobile

  • Screenshots in a smartphone’s huge gallery of photographs. User screenshots recorded from the phone screen can provide vital evidence. This common knowledge means that people often forget they captured the screenshot. Or, they delete the original content such as a text message, a post, etc. But they may not know (yet) that relevant phone screenshots may be conveniently recovered from the gallery using artificial intelligence. Another example is Android’s clipboard, which (depending on the setting) may keep a separate copy of screenshots the user thought they had deleted.
  • Data synchronization between devices. Data is synchronized between the user’s devices using Bluetooth or Near Field Communication to make their experience seamless. The synchronization of data between devices is both a benefit and a curse for digital forensics experts. The benefit is that the device being analyzed may have evidence that no longer exists on the synced device. The curse is proving that the synced device belonged to or is legally attributable to the user.
  • Factory reset. Factory resetting a mobile device destroys data on the device. Digital forensic experts seek to understand and explain the missing data using tools that can help detect and recover the effects of factory resets on mobile devices.

Cloud

  • Apple iCloud backup. Any data on your iPhone that isn’t regularly synced by user choice may be stored in your iCloud backup. With backup turned on, your iPhone sends periodic snapshots of its data to iCloud to make sure that it is easy to restore any time you get a new Apple device.
  • Google account backup. Android smartphones connect to the user’s Google account similarly to how Apple devices connect to iCloud backup. The benefit to the user is the ability to back up data, messages, photos, and video to the almost unlimited capacity of the connected cloud account. The cloud provides a safe administrative interface for protecting the user’s smartphone and then finding its precious evidence when lost. This also means that data that the user deleted from their phone and hoped to make disappear may still exist in Google’s account backup.

Vehicle

  • Bluetooth connections. Many people know that information from an allegedly distracted driver’s smartphone in a vehicle can be used to prove or disprove distracted driving. Attorneys, paralegals, and investigators must become conversant in the data saved in mobile devices and how those devices may record information that helps explain what the vehicle’s driver was doing before and during a collision. But many don’t know that evidence transferred by Bluetooth from the driver’s smartphone is discoverable on the vehicle’s infotainment system, even if the smartphone is later disconnected, lost, or destroyed. The smartphone’s Bluetooth data also shows vehicle speaker or headset usage—which can go to distraction even though such use may be hands-free compliant.
  • USB port charging. USB port data shows smartphone power charging as recorded by the device’s power logs. They show metadata that can detect which mobile apps were in use while driving.

Challenges and Limitations of the Locard Exchange Principle

While the Locard Exchange Principle is a fundamental tenet of forensic science, it is not without its challenges and limitations. The amount of exchanged evidence can vary depending on the nature of the contact, the type of materials involved, and environmental factors. Additionally, the potential for cross-contamination and the need for careful handling and preservation of evidence to maintain its integrity are ongoing concerns.

On the digital front, smartphones compute hypothetical data that is not direct evidence. A good example is small-size and resolution-reduced thumbnails of photographic images. An iPhone example is anticipatory GPS data generated by the device for faster future performance and a richer user experience. Experts must be careful to detect data residing on the smartphone that is not anthropomorphic, meaning it was generated by the device rather than by the user’s actions, and preclude it as evidence prior to written or courtroom testimony.

Conclusion

The Locard Exchange Principle, with its foundational tenet of “every contact leaves a trace,” remains a cornerstone of forensic science in the digital age. As technology continues to evolve, we have every reason to believe that it will remain adaptable and essential in digital forensics.

By upholding the Locard Exchange Principle, forensic examiners can maintain the relevance and effectiveness of their work in the face of technological advancements, making sure digital evidence continues to play a vital role in our criminal and civil justice systems. And for lawyers, their ability to understand, apply, and argue Locard’s Exchange Principle will increasingly determine their ability to serve their clients, the courts, and the public.

John J. Carney, Esq., is chief technology officer of Carney Forensics.

Brendan Kenny is one of Hellmuth & Johnson’s top legal writers, with prior experience working for both the Minnesota and California Attorney General’s Offices.

Endnotes

  1. EVIDENCE, direct evidence, Black’s Law Dictionary (11th ed. 2019).
  2. EVIDENCE, circumstantial evidence, Black’s Law Dictionary (11th ed. 2019).
  3. Id. (quoting William P. Richardson, The Law of Evidence § 111, at 68 (3d ed. 1928)).
  4. Henry David Thoreau, Journal, 11 Nov. 1850, in 2 Journal of Henry D. Thoreau 94 (Bradford Torrey & Francis H. Allen eds., 1962) (quoted in EVIDENCE, Black’s Law Dictionary (11th ed. 2019)).
