An Example of How Computer Evidence Is Supposed To Be Handled

iStock_000015937208_SmallI wrote an article about the importance of third party verification of digital evidence a while back.  It is the only way to know for sure that the evidence — the files or search terms or whatever is pertinent to the case were actually searched for by the accused.  It is standard procedure in civil or criminal cases to procure this verification –  it is irrefutable proof of the time of the search along with the IP address of the search.  If this isn’t done, uncertainty will always remain about whether the files could have been planted on the machine.  It is an easy step to confirm the evidence.  They never bothered to do this with the Google search evidence in Brad’s case.

I came across a recent case in Pittsburgh.  A research doctor is accused of poisoning his wife and investigators allegedly found some incriminating search terms on his computer.  They followed the standard procedure of requesting verification of the search terms through Google’s legal department – common practice!  I just wanted to share it here to show an example of the proper procedure to confirm that we are indeed prosecuting the person who did the searches in question.

I won’t go into the details but I believe it’s well known now that there were multiple anomalies associated with the files on Brad’s computer that were consistent with files that are dropped onto a machine from an external source – a disc or USB.

Why can’t they verify the files now? Google has a privacy policy in place.  I believe it is 18 months.  After that time, they will no longer release any information about the searches.

Pittsburgh case:

Ferrante case

Search warrant – details of Google inquiry

Ferrante case Google affidavit

Link: http://www.wtae.com/blob/view/-/23868288/data/1/-/pt0s91/-/Robert-Ferrante-affidavit-details.pdf

Advertisements

2 thoughts on “An Example of How Computer Evidence Is Supposed To Be Handled

  1. Something I’ve been thinking about… I wonder if the prosecution tried to perform the same Google search they claim Brad performed. In just a matter if seconds, they said he search for a place to dump the body. I even think they said he went directly to that location. How can anyone so quickly find a place? I’d say it’s impossible to find a place so fast. And why not check again later for a better place? I just don’t think he was looking for such a place.

    And I’ve said it before, but anyone who has used Google maps knows that satellite images are never current. They’re sometimes years out of date. So you can’t trust an image to be accurate. That place he supposedly found could have been fully developed.

    Prosecution is very wrong on this search claim.

    Like

    • The FBI agent did reproduce the search. This was a subject of the appeal because Howard Kurtz asked Agent Johnson to provide the documents of the duplicated search – in particular the cursor files to see if they would increment. Remember that the cursor file from the alleged search did not increment and that is impossible in a dynamic file with panning and zooming. The Judge said no. Then Kurtz asked him to duplicate it live in court – NO. Of course we know that the time would have increased/incremented and I’m sure it did when they duplicated the search in their lab as well.

      You’re right that it’s illogical to do such a search and rely on outdated maps. I believe the map in evidence was from ’06 so a lot had changed to the area since that time.

      Like

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s