Recently I came across a law blog written by attorney Jeremy Rosenthal. He discussed the importance of proving that computer evidence can be linked to the accused with absolute certainty. From his article:
The biggest challenge for the prosecutor is to ‘put the Defendant’s fingers on the keyboard.’ In other words, the prosecutor must show that the computer crime, if any, was committed by the Defendant and not someone else on the same computer.
We know that didn’t happen in this case. The FBI agent told Cary police to verify the search through Cisco’s server and/or through Google … they did not. It’s common practice for law enforcement to subpoena Google for these records. This was the most important piece of evidence in this case. In fact, it was the only evidence linking Brad Cooper to the murder. All the rest of the “evidence” presented was refuted at trial, so why did they drop the ball on this? Why didn’t they obtain the necessary verification so that there could be no question about who did the search? Did they know it wouldn’t lead back to Brad?
I researched other cases where computer evidence was key in proving a person’s guilt to see if the evidence was verified in those cases. In each case, it’s assumed that this is part of the procedure. It’s the only way to know for sure that the person accused actually did the searches in question. From the Melanie McGuire case in 2007:
Melanie McGuire, 33, used the Google search engine to find more ways to kill her husband, entering phrases like “undetectable poisons,” “fatal digoxin levels,” “instant poisons,” “toxic insulin levels,” “how to purchase guns illegally,” “how to find chloroform,” “fatal insulin doses,” “poisoning deaths,” “where to purchase guns illegally,” “gun laws in Pa.,” “how to purchase guns in Pa.,” and “where to purchase guns without a permit,” as PC Advisor reports.
Although some users might accuse Google of violating the users’ privacy, the authorities ordered the company to provide the information, and the search giant had nothing to do but agree with the demand and offer the information.
From the Coleman trial in May 2011:
Ken Wojtowicz, of the Granite City Police Department, is a computer technician who testified Monday. There were a total of 7 emails sent from a firstname.lastname@example.org account. The tech says a subpoena sent to Google proves the gmail account and all 7 of the emails were linked to IP (internet protocol) addresses on Coleman’s Dell laptop, provided by Joyce Meyer Ministries.
And here is a case where the evidence was verified on a server:
The evidence, which eventually secured Mr Baker’s conviction, included data recovered from a laptop hard drive released by his church, and the main computer server at a youth center where he also served. Computer forensic analysis was able to reveal that Mr Baker had entered the term “overdose on sleeping pills” into a search engine and viewed several pharmaceutical websites prior to his wife’s death.
So clearly it IS common practice to verify computer evidence, because if it’s not verified it isn’t proof — the data hasn’t been authenticated and traced to the originating IP address. Police and prosecutors recognize the importance in all of these other cases, but they failed to verify the evidence in the Cooper case and no explanation was given for the enormous oversight.
What is the purpose of forensic protocols in the handling of evidence? It’s to ensure that evidence is properly handled and not subject to manipulation or tampering, so that it can hold up in court. We know that didn’t happen in this case. It was not properly handled. Protocols weren’t followed. The prosecutor stated “The FBI did the analysis. Are we not going to trust the FBI report?” Well, if the FBI analyzed a computer that police had not properly collected and preserved, the answer should be no: it cannot be trusted.
From the CISSP (Certified Information Systems Security Professional) manual, a standard reference in computer security that is recognized and followed by many government agencies:
Computer forensics and proper collection of evidence: Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data for the purposes of a criminal act. Specific processes exist relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data, and computer usage.
The people conducting the forensics investigation must be properly skilled in this trade and know what to look for. If someone reboots the attacked system or inspects various files, it could corrupt viable evidence, change timestamps on key files, and erase footprints the criminal may have left.
Protocols were ignored in this case. When one is discussing digital forensic evidence, the main subject and the reason for the term “forensic” is related to how the evidence is collected and preserved so that it is suitable for court – so that it is trusted. We know that over 600 files were altered. We know that passwords were changed and the time on the computer was changed. We know that the computer wasn’t hashed until the FBI took custody of it in August, approximately 6 weeks after police took possession of it. We know that chain of custody was not followed.
If the court isn’t going to require that protocols be followed in the handling of digital evidence, there is nothing preventing police or whomever is handling the evidence from tampering with the evidence. Protocols protect the evidence and when they’re ignored, the evidence simply can’t be trusted. The procedures are in place to protect the evidence which in turn protects us from the possibility of evidence tampering.
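The point about hashing and altered files can be made concrete. The following is an added illustration, not code from the original post or from any agency involved: it records a hash and timestamp for every file at the moment of seizure and, on a later check, flags content that was rewritten, timestamps that were changed, and files that appeared afterwards. Real practice hashes the whole disk image behind a write blocker; the per-file manifest here is a constructed scenario that shows why a baseline taken six weeks late cannot detect any of this.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large evidence files are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash and modification time of every file under root (the baseline)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(root))] = {
                "sha256": sha256_file(p), "mtime": int(p.stat().st_mtime)}
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return every file whose content, timestamp or presence changed since baseline."""
    changed = {}
    for name, base in baseline.items():
        now = current.get(name)
        if now is None:
            changed[name] = "missing"
        elif now["sha256"] != base["sha256"]:
            changed[name] = "content altered"
        elif now["mtime"] != base["mtime"]:
            changed[name] = "timestamp altered"
    for name in current.keys() - baseline.keys():
        changed[name] = "added after acquisition"
    return changed


def demo() -> dict:
    """Constructed scenario: baseline taken at seizure, then the files are touched."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "history.dat").write_bytes(b"constructed browser history")
        (root / "passwd.cfg").write_bytes(b"constructed config")
        baseline = build_manifest(root)                        # hashed at seizure
        (root / "passwd.cfg").write_bytes(b"changed password")  # content rewritten
        os.utime(root / "history.dat", (0, 0))                 # clock/timestamp changed
        (root / "new.log").write_bytes(b"x")                   # file added later
        return diff_manifests(baseline, build_manifest(root))
```

Had the baseline been taken only after these changes, `diff_manifests` would report nothing, which is exactly the gap a late hash leaves.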
What should happen when protocols are ignored and the evidence is mishandled?
- The FBI agent could have refused to do the work – that would have been the proper thing to do because if he’s signing off on the data, it’s only valid if the computer has been properly handled, free of any possibility of tampering. I certainly wouldn’t sign off on something if I wasn’t certain it was preserved. Nonetheless he did the analysis anyhow and he did sign off on it.
- The judge could have refused to accept the evidence due to improper handling, but he stated that he didn’t know anything about technological stuff. It’s interesting because he attended a workshop in ’08 on computer forensics. But giving him the benefit of the doubt and assuming he didn’t learn anything at the workshop… If he didn’t understand it, should he have called for a meeting in his chambers, a consult with an expert to explain it to him so that he could rule properly? Instead of seeking assistance and gaining an understanding so that he could make an educated ruling, he defaulted to always ruling on the side of the State.
Significance of digital evidence handling:
From the CISSP manual:
Because this type of evidence can be easily erased or destroyed and is complex in nature, identification, recording, collection, preservation, transportation, and interpretation are all important.
For a crime to be successfully prosecuted, solid evidence is required. Computer forensics is the art of retrieving this evidence and preserving it in the proper ways to make it admissible in court. Without proper computer forensics, hardly any computer crimes could ever be properly and successfully presented in court.
The fact that the Google search of Fielding Drive wasn’t verified should have been a game changer – no charges, no trial. Aside from all of the anomalies associated with the files themselves, no one would have had to even analyze them at all if there was proof that Brad did the search. It was readily accessible. What happened in this case is unacceptable and should be concerning to everyone.