Digital devices like iPods, cameras, voice recorders, flash drives, and memory cards have become so commonplace that it is easy for first responders to assume they're unassociated with criminal activity. How can an iPod hold images, or a digital camera documents?
Yet convictions have been secured based on evidence contained in these devices. Thus officers and investigators must take care, when entering a crime scene, to seize any and all digital devices as evidence.
Focus on the suspect — not the device
New storage and entertainment devices are constantly released to the mass market. Files can be stored on anything that a computer sees as a "drive." It may be tempting to leave a digital camera at a crime scene because the investigator sees nothing on the screen. In fact, however, the documents contained on its SD card may not be viewable on its screen, or may have been deleted but are easily recoverable. Most cameras are made to recognize only files with certain extensions: .png, .jpg (images), and so forth, not .doc or .xls (Microsoft Word documents, Excel spreadsheets). Moreover, many laptops now contain an SD slot that makes it easy to transfer the files from hard drive to card, which can expedite the media card review.
In one case, investigators searching a parolee's home saw pictures of his gang affiliations on the walls, which made enough of a parole-violation case for an arrest. Meanwhile, the digital camera on his dresser didn't immediately reveal additional photo evidence.
It was seized, though. Later, investigators recovered files that had been deleted from the memory card, which included not only the images on the walls but also additional images of the suspect with his gang associates and tattoos. Together with date and time stamps showing the files had been created after the suspect's parole began, the images were enough to make a solid case against him.
Even "expected" digital data, such as an MP3 file stored on an iPod or other digital player, can be evidence. In the case of a murdered California Highway Patrol officer, the suspect, a rapper, had made a song detailing everything he had done to the officer. The only detail that differed from the actual crime was the officer's agency.
The point, then, is not to think about which devices to seize, or even which kinds of evidence (video, e-mail, documents, etc.) to look for. The key word is "anything": any kind of device, any kind of evidence.
Evidence at the scene
It's possible to preview digital devices on-scene while executing a search warrant. Lt. Chuck Cohen, commander of the Indiana State Police Special Investigations and Criminal Intelligence Section, says this is valuable to investigators in terms of time. "A remote lab's turnaround time is too long for someone who may be at risk," he explains. "Recovering images from a camera during interviews of a suspect, witness or victim can make a real difference."
How to accomplish this? Cohen says an investigator's laptop with an external USB media reader — a cell phone-sized box that plugs into the laptop's USB ports — can be used. To prevent evidence alteration, the investigator can write-protect the laptop's USB ports using Windows functionality.
It's possible to mount the external media as a virtual folder, just as one would any other Windows folder, enabling the investigator to pull and review even deleted files. "The imaging software looks at all the sectors on a flash drive, which contain data until it's overwritten," Cohen says.
On-scene evidence previews can also help investigators learn which specific devices to search for. A preview of a suspect's hard drive, or interrogation of the wireless router, can show whether an external device such as a thumb drive was connected to the computer — and when.
However, Gary Kessler, associate professor of digital investigation management at Champlain College and a member of the Vermont Internet Crimes Against Children Task Force, cautions that whether an investigator can or should perform this kind of function in the field depends on training and equipment.
"Most first responders, unless they are going to a scene where they know digital evidence is important, won't have the necessary imaging equipment," Kessler says. "The main thing we emphasize during training is for them to be cognizant about sources of evidence and to seize it rather than acquire the data."
He cites one case in which detectives seized a drug dealer's computer, but did not check the mass of CD jewel cases near his stereo to see if any of them contained data disks. As recently as a few years ago, officers at a crime scene might power on a suspect's computer to see if it contained information relevant to the crime. "We now train them to be aware — and that if they don't know what they're doing, not to touch it," Kessler says.
Recovering 'lost' evidence
Mishandled evidence is not always lost. Following a homicide, a California lieutenant took the department-issued digital camera from the detectives he was supervising. As he handled it, he inadvertently reformatted its memory. Nonetheless, the six images related to the murder were recovered along with more than 100 images indicating personal use by the lieutenant, including a motorcycle trip.
More frequently, witnesses use camera phones, which are becoming increasingly advanced with higher resolutions, to take still images or videos of their friends committing crimes. Such evidence is often deleted later, but it is becoming a factor in more and more criminal cases.
Actually recovering lost evidence is not complicated; a number of tools exist that require no specialized skills. The non-technical field officer can use them with ease, but it's important to take the time to become familiar with the tools, to practice, and to learn to validate evidence.
"Validation" can be as simple as learning on a device owned at home, while training can be obtained from the software tools' manufacturers, or via the latest podcasts on the subject. Thus non-specialized officers have the ability to identify and acquire valuable evidence without significant consumption of either time or budget.
Still, Mark Menz, vice president of the digital forensic and electronic discovery firm MJ Menz & Associates, says that "the tools used to recover deleted digital images will vary depending on the media the images are stored on, along with the operating system and the file system used by the computer and media from which the files were deleted." (An operating system, such as Windows, controls the computer's hardware; the file system is the layer within it that organizes how files are stored on the media, and several kinds exist.)
"Recovery can become even more complicated when the investigator adds the variable of the media — hard disk, floppy disk, flash drive, or optical drive — used to store the images, along with the image file's level of deletion," Menz says. Examples of a file's level of deletion include: located in the Recycle Bin; not in the Recycle Bin but still listed in the directory or Master File Table (MFT); not listed in a directory or the MFT; partially overwritten; or deleted and fragmented.
Each level of deletion requires different programs or processes, and in most cases involves hard or floppy disks and the assistance of a computer forensic specialist.
Menz adds, "On various storage media, traditional forensic tools such as FTK Imager [a free tool that requires somewhat of a learning curve to use] can work, but some vendor tools [such as SanDisk RescuePro] actually do a better job at image recovery."
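As an added example (not from the article, and not the code of any tool it names), the following Python script shows the kind of sector-by-sector signature scan that Cohen's imaging software and the recovery tools Menz mentions perform: it finds JPEG files on a raw image of a memory card without consulting the directory or MFT, separates intact files from ones whose trailer was overwritten, and hashes each carved object so it can be re-verified later. The raw image is constructed inline; the sector size and JPEG marker values are standard.

```python
import hashlib

SECTOR = 512                  # flash media is addressed in 512-byte sectors
JPEG_SOI = b"\xff\xd8\xff"    # JPEG start-of-image marker (file header)
JPEG_EOI = b"\xff\xd9"        # JPEG end-of-image marker (file trailer)

def sha256_hex(data: bytes) -> str:  # hash of a carved object for later re-verification
    return hashlib.sha256(data).hexdigest()

def find_headers(image: bytes, aligned: bool = True) -> list:
    """Offsets of every JPEG header in the raw image. With aligned=True only
    sector-aligned hits count: files start on a sector/cluster boundary, so
    this discards header-like bytes that merely sit inside other data."""
    offsets, pos = [], 0
    while (hit := image.find(JPEG_SOI, pos)) != -1:
        if not aligned or hit % SECTOR == 0:
            offsets.append(hit)
        pos = hit + 1
    return offsets

def carve_jpegs(image: bytes, aligned: bool = True, max_len: int = 16 << 20) -> list:
    """Signature carving over every sector, independent of directory or MFT
    entries. Each hit is cut at its trailer; if no trailer appears before the
    next header (or max_len), the trailer was overwritten and the object is
    returned partial, with complete=False. Limitation of this simple version:
    an embedded EXIF thumbnail's own trailer truncates the outer photo."""
    heads = find_headers(image, aligned)
    found = []
    for n, start in enumerate(heads):
        limit = heads[n + 1] if n + 1 < len(heads) else len(image)
        limit = min(limit, start + max_len)
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), limit)
        complete = end != -1
        data = image[start:end + len(JPEG_EOI)] if complete else image[start:limit]
        found.append({"offset": start, "length": len(data),
                      "complete": complete, "sha256": sha256_hex(data)})
    return found

def build_sample_image() -> bytes:
    """Constructed stand-in for a raw dump of a memory card (not real evidence):
    an intact JPEG-like object, then one whose trailer was overwritten, then
    filler containing a header that is not on a sector boundary."""
    pad = lambda b: b + b"\x00" * (-len(b) % SECTOR)
    intact = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 700 + JPEG_EOI
    clipped = JPEG_SOI + b"\xe1" + b"B" * 300            # trailer lost to overwrite
    filler = b"\x00" * 100 + JPEG_SOI + b"\xff" * 50     # stray header mid-sector
    return pad(intact) + pad(clipped) + pad(filler)
```

Calling carve_jpegs(build_sample_image()) returns the intact object at offset 0 and the partial one at offset 1024; with aligned=False the stray mid-sector header is reported as a third (partial) object, which is the trade-off between missed files and false positives that carving tools let the examiner tune.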
'Cloud' evidence
Most mobile device service providers allow data to be uploaded to private servers. Third-party applications allow the same. Part of the concept of "cloud computing" is that services like Microsoft Mesh, Google Gspace, Evernote and Zoho allow data to be transferred from a mobile device to a server, then to the user's desktop, or vice versa.
While this is more commonly done with cell phones, Evernote's software, for instance, is downloadable directly to a SanDisk U3 flash drive, and Microsoft Mesh has plans to allow synchronization with digital photo frames and other portable devices.
In these cases, because evidence from these kinds of accounts can be time sensitive, investigators must take care to send a letter of preservation to the company to have it lock the account before the suspect can have evidence deleted.
Even so, as Kessler points out, data recovered from third-party servers will not be as good as evidence recovered from a forensic examination; the company can obtain only current data, not deleted files from a server's unallocated or slack (unused) space.
New technology, new devices
Cohen says that criminals have always had unique ways to hide evidence — such as wireless devices hidden inside drywall — but that as wireless technology becomes more sophisticated, storage media can be concealed up to 200 meters away without need for a repeater.
It has also become more mobile. Eye-Fi Inc.'s wireless SD card, for instance, uses a wireless home network to upload images from a camera, or even directly from the card, to a computer or Web-based photo-sharing server.
Kessler adds that larger-capacity devices packaged in smaller sizes can be difficult for investigators to find. "My cell phone has a micro SD card, the size of my pinky fingernail, with four gigabytes of memory," he says. "Finding it in a seized phone is not the problem — finding it in a drawer is." The same goes for the increasingly creative form factors of many thumb drives, which can be hidden inside pens, dolls, rubber "thumbs" and other toy-type enclosures.
Cohen points out that just as dashboard GPS systems show detectives what suspects have been up to — whether used for themselves or used to track another person — non-data technology can show patterns of behavior. For instance, "apps" or applications installed on iPhones or BlackBerries can show intent, or other reference points to a particular crime.
Moreover, technology advancements mean ever-shifting rules of evidence. "Search incident to arrest" of mobile devices now varies by state; it follows that courts will interpret the law in varying ways, depending on the degree of individual privacy involved — such as with GPS units. This makes it important for officers to back up their activities with search warrants or other court orders.
At the same time, however, new technology may render such issues moot. "Solid state memory devices look like a hard drive to a computer," says Kessler, "but the electronics and physics are totally different. When you delete data from a solid state memory device, it resets that portion of the drive — deleting and then rewriting the space. So unallocated and slack space are different in this type of drive than we are used to, making recovery difficult if not impossible."
It's not technical — it's police work
Because digital devices and storage media have become so widespread, investigators may wonder what they should focus on, besides a desktop or laptop computer, when executing a search warrant. This is where old-fashioned police work comes in.
The suspect's associates can often be counted on to reveal his or her habits, such as, "He always has his thumb drive with him." This can be especially crucial in cases of child pornography or intellectual property theft. Further, data recovered from devices such as in-vehicle GPS units and mobile phones can back up suspect patterns — or breaks in patterns.
Interviews can also get suspects and witnesses to reveal how to obtain evidence, especially on scene. For example, if the investigator sees an unfamiliar icon on a device, he or she can ask what it's for; if the suspect is unwilling to talk, a Google search can help.
While trained field investigators such as Indiana State Police digital evidence recovery specialists can easily handle this kind of evidence themselves, certain cases warrant involvement of a digital forensic examiner.
These include homicide, rape, and robbery; standard protocols for the seizure of digital evidence should be followed, and investigators should not take shortcuts on the grounds that "the computer guys take too long." Even if evidence can be located more quickly that way, the likelihood that the case will be jeopardized by a failure to follow protocol remains high.
Exceptions to this rule include exigent circumstances, especially a child's disappearance. Protocol should never override common sense, such as turning a device on to try to find where the missing person may be.
Just like computers and mobile phones, digital storage media are getting smaller, able to hold more data, and harder to recover data from. All too often, what cops don't understand, they tend to ignore. Yet crucial evidence is often found on these devices. Investigators and first responders alike must take care to stay up to date on what's available, what's coming, and what it takes to retrieve evidence from it.
Christa Miller is a Greenville, S.C.-based writer specializing in public safety issues. She can be reached at [email protected]. Kipp Loving, of the Tracy (Calif.) Police Department, has been attached to the Sacramento Valley Hi-Tech Crimes Task Force for over nine of his 26 years in law enforcement. In addition to his experience with mobile device evidence recovery and analysis, he has taught numerous classes on the subject as a POST instructor with the Robert Presley Institute of Criminal Investigation. For more information, e-mail him at [email protected].