Data Discourse

Tales & Insights From Real-World Forensics Cases

September 03, 2024 Peter L. Mansmann, Esq. Season 1 Episode 3

In Episode 3 of Data Discourse, Pete Mansmann and Jeff Stiegler focus on the crucial role of digital evidence in contemporary legal disputes. The episode explores how forensic analysis of digital data can offer vital insights across various scenarios, from accidents to employment issues, by looking at real-world cases and experiences we’ve tackled at Precise Discovery. 

Throughout this episode you’ll learn about the complexities of digital evidence, including that proving an event occurred on a device is distinct from identifying who was responsible. In workplace investigations, for instance, tracing actions like file access or login activity requires a thorough examination of computer systems and user accounts - nuances that are essential for accurate forensic analysis and legal argumentation.

Real-world case studies featured in the episode illustrate the impact of digital evidence on legal outcomes. A notable case involves a fatal truck accident where forensic experts used data from fitness apps to reconstruct the victim's activities. By analyzing GPS and workout history, they effectively countered the driver's account, demonstrating the victim's familiarity with the route and reinforcing the value of digital data in establishing factual accuracy.

Key Topics Covered

  • Importance of Digital Evidence: The critical role of digital evidence in proving or disproving claims in legal disputes.
  • Challenges in Evidence Collection: Difficulties in piecing together fragmented data to establish facts and responsibility.
  • Workplace Investigations: Analyzing digital evidence such as file access and login activity in employment-related cases.
  • Case Study Examples: How digital data, such as fitness app information, was used to influence legal outcomes in real-world scenarios.
  • Complexity of Modern Technology: The evolving challenges posed by advanced smartphones and applications in forensic analysis.
  • Impact on Legal Outcomes: The significant influence of digital evidence on the resolution of legal disputes and the establishment of factual accuracy.


Precise is your trusted resource for all things mobile forensics and e-discovery. We look forward to partnering with your firm and helping you win your next case!

Visit our website to learn more and set up a free consultation:
Click here to get started

Or call us at 866-721-5378

Welcome everybody to episode 3 of Data Discourse, which is practical advice and insights about digital forensics and e-discovery. I'm joined again today with Jeff Stiegler, who is our director of forensics here at Precise. And today's episode we're going to talk about tales from the field. So we think this is a great way to sort of bring home some of the practical elements that we've talked about in previous episodes and use this to talk about how some of that has come to play in real life cases. So we're going to talk about cases that are in the news that have a digital forensics element to it. And then we're going to talk about some cases that we internally have worked on. And we will certainly keep them anonymous and confidential. So we don't give up any case specific information, but we'll be talking about the basics of each one of those that give you a good feel for how some forensics work has become relevant in these cases. So welcome back, Jeff. Thank you, Pete.


So first things first, there are a few cases in the news right now at the time that we're recording this podcast that have had some forensic elements to them that I think are worth talking about. And it's just showing us how prevalent this has become in all sorts of cases. So going to talk about a couple just to illustrate that point and then come back to some other cases that we've worked on personally through Precise.


One of the first cases I wanted to talk about is the Utah murder cases. And people may remember, it's been probably close to a year ago at this point, but there were several college students in, excuse me, Idaho, not Utah, Idaho that were tragically murdered in the middle of the night at a small college town in Idaho. And subsequently, a gentleman by the name of, I think it's Kyle Kohberger, but regardless, his last name's Kohberger, was arrested and charged with these murders. They caught him in Pennsylvania, where he grew up, and subsequently extradited him back to Idaho.


So a lot of this case has been driven around where people were and when. There's questions about whether this guy was stalking a couple of the girls who lived in this house at the time prior to the murders occurring and things like that. But recently, within the last, you know, several weeks, the defense in this case submitted an alibi motion or something along those lines in Idaho to the court that said we have an alibi showing that our client, the defendant, was not at this murder scene at the time the murders happened. And the alibi turned out to be his phone.


And basically, we don't know yet specifically what they're claiming because the trial has not happened yet. We certainly aren't privy to all the evidence that may ultimately be submitted here. But my understanding is that something on the phone, some location services, something else is basically saying, hey, this phone was not in this location at the time the murders happened. And therefore, if this phone was on me, I wasn't at the murder scene when the murders happened, therefore I couldn't have committed them. This corresponds also with Kohberger's assertions that he would regularly take walks in the early morning hours out in the desert or surrounding wilderness area of Idaho to go out and view the stars and do hiking and things like that on his own. And he's saying this is where I was at the time of the murders, my phone backs what happened, therefore I can't be the one who did these murders. Now, I understand there is some competing evidence on his phone that is showing that on the night of the murder or close around the time or some critical time period where they're trying to place where the defendant may have been, his phone was turned off for like 2 1/2 hours in the middle of the night.


So there is no activity on this phone. It's completely turned off from something like 2:00 in the morning to 4:30 in the morning or thereabouts, and that his phone is shut off and therefore location pinging, cell phone tower pinging, any location services or activity that would have been happening on his phone is just dead.


There's nothing happening. So a sort of counterpoint to this is the prosecution saying, well, we have evidence that your phone's turned off at this weird time, you know, during a critical period where we're trying to place you. And additionally, they have location evidence that says that he is at the site of the murder. In the months leading up to it, his phone is pinging location, saying he is at that location, which further supports the notion, the theory, the argument that he may have been stalking one or more of these girls at this house prior to the murders happening and that he had no other reason to be at this particular location before then. So I point that out because it's a current case. There's going to be, I'm sure, a lot more detail that comes out in the next year or so when this thing actually goes to trial. But it's interesting because that's starting to become a critical element both of the defense and potentially evidence for the prosecution in this case.


So Jeff and I were discussing this case over lunch and one of the questions I had to him was, you know, do you think we're going to see more of this kind of stuff? I mean, how hard or easy would it be for someone to basically plant false evidence through a phone, particularly as it relates to location services. If you know how these things work, what could you do that would make it look like your phone was somewhere where you weren't or you wanted to make it look like, you know your phone was somewhere else? I think before we even discuss, you know, the possibility of someone, you know, willfully altering data, you also have to take into consideration now just how much data some of these devices are turning over. So it's not uncommon to see things like background processes, system updates, application updates, myriad of other, you know, just basic cell to cell tower usage, you know, creating various artifacts on devices that you know, can represent locations, can represent maybe locations at specific, you know, dates and times, but maybe can't represent much more than that.


You know, location data can show up on a device for a myriad of reasons. You know, first of all being that someone was actually there, you know, Wi-Fi check-ins, Bluetooth connections, and those are kind of physical connections that can be traced. But a lot of times you have a lot of background info. You know, if I'm say I'm sitting in Pennsylvania and I perform a Google search of some address in Florida that happens to contain maybe GPS coordinates, you know, if someone runs a location report on my device, they're going to see, hey, on September 1st, we see a GPS coordinate in Florida. It doesn't necessarily mean I was there. And a lot of times we can go through and, you know, prove, hey, this was a Google search, you know, the user was in fact somewhere else. But going back to, you know, I, I don't think people even need to willingly, you know, change evidence for some of these various aspects that, you know, come into play. You know, where someone was at a specific date and time is always a big question in a lot of investigations.


Yeah. And it's interesting because, again, you know, some of the argument other than inadvertent artifacts being created like you just described, you know, people I think are going to have a tendency to believe that, hey, if your phone's saying it was here, we think you were there as well because people are so tied to their phones. 


And again, if you knew what you were doing and if you said, hey, I'm planning on committing some kind of crime and I want some evidence or an alibi, electronic alibi that says I was somewhere else, there certainly could be ways that you could plant that. 


You know, it's something interesting to keep an eye on here to see how this unfolds in this particular case. I think certainly the evidence on the same device points to two different stories here. Both sides are potentially using evidence off of this phone. So it'll be really interesting to see what the experts have to say about the validity of the data that they pull off of this. And you're pinning a device to a location at a date and time is one thing, but additionally, tying a person to that device, you know, is a whole different aspect. I mean, we may be in some instances, you know, not this particular scenario we may be talking about, you know, multiple potential actors. You know, there may be more, you know, maybe a third party involved, you know, be an instance of, hey, you know, take my phone, drive across town, I'm going to go commit a crime on this side of town. So, you know, all those things kind of need to be considered. And you know, it's even going down to computer investigations. 


I mean, one of the hardest parts, aside from proving that something happened on a device, was, you know, who was actually on the device at the time. Yeah. I mean, it's rare, I guess today maybe with more facial recognition software that can only turn on if your face is recognized or something like that.


Maybe there's more pieces that could tie a little more information to an individual user rather than someone entering a passcode or something like that. But that's always going to be an issue of saying, well, we know the device is here. We know this computer had XY or Z entered on it. It's, you know, how we can conclusively say who did it is usually going to be pulled up by, you know, other evidence that may support that it had to be that individual. 


Yeah. And to go back to the last one of the other things you mentioned in this case was it's often referred to as a pattern of life report. You know, hey, we're not necessarily just interested in what happened the day of this incident, you know, going back to the phone being said turned off for its, you know, hours of the night, you know, be maybe very interested in one party might want to know, Hey, is this normal practice? So no, we can be investigating an accident that happened on Friday. But you know, a party wants to know what you know, what's this person's driving, sleeping records, you know, for the month or week leading up to it, because that helps you learn, you know, various aspects about, you know, just users' general behavior. But it can come into play too, whenever it comes to trying to tie a person to a device. Hey, this is the device. 


This is the behavior we expected to see on Steve Smith's phone. It is what it is. I guess they did one more point on that. I just made myself think of it on an iPhone, for instance, you have your health app and your health app is, you know, saying how many miles you walk in a day and different things like that. But one of the things that are on there is also measuring your sleep patterns. 


It's measuring when it thinks you're asleep and how long you're sleeping. Are you having undisturbed sleep? And I don't understand completely how all that works. I'm guessing they're measuring it off of, you know, are you utilizing your phone in the middle of the night, which is showing that you're not sleeping, that kind of stuff. But that's all potential evidence. I suppose that would show, you know, patterns of do people, you know, wake up early in the morning, you know, do they, you know, typically get up in the middle of the night and hike in the mountains? Who knows? You know, to your point, showing a pattern could become very important and showing that this stuff wasn't fabricated. So that's one case that's recently ongoing. Again, I think we'll have a lot more information coming to light here in the next year or so when this trial is anticipated to start. So that'll be some things in particular to take a look at. Keep an eye on a couple other cases in the news currently and not to say or to ever be accused that we here at Precise are favoring one side of the aisle or the other.


We have both a story about a Trump trial and a story about a Biden trial. This is not President Biden but Hunter Biden, but both of them have a forensics element that again is very topical given what we're discussing here today. So we'll start, we'll start with the Trump trial. He recently was found guilty of hush money trial where essentially he was hiding what money was going to pay off Stormy Daniels. 


I think everybody knows the background of that case at this point. But one of the interesting things that came up in that case, sort of a little more ancillary to what we're discussing is their use of social media at the trial that became relevant when jury selection was going on. 


Both sides did their own research on juror profiles to see what people may have been saying during jury selection. And my understanding is there were two jurors that were struck based upon information they put out there on social media. One said something like posted something that said get them out then lock them up. And the judge asked him about it and he said, oh, I didn't, you know, that didn't really mean anything. And he said, no, that's too prejudicial. 


We have to strike you. The other one again, something I can't remember the exact quote was that he put out there, but something that showed that he may have been biased against Trump, which also gave a strike from the judge. And interestingly, looking into, you know, social media searching has been done for quite a while now and it is typical in big trials that people want to make sure they know which jurors they may need to remove. Now we all want to know, hey, who's the best juror I should have on my trial. But the way it works is you're striking people who you can prove, you know, can't be unbiased or impartial.


And a lot of times what's happening in these cases is now you need to find that stuff and find it quickly at the time where jury selection is going on, there's a lot of judges who, unless you come back with something later to show that they're actively doing their own research or something like that, may not allow you to come back and strike someone even if they make comments after the trial is started. Every jurisdiction is different, every judge is different. But it's something to consider that just proves that, you know, social media research can become very relevant in these jury selections, as it did here in the Trump case and then in the Biden case. So Hunter Biden within the last few days was convicted of lying on a form for the purchase of a gun. So a quick background on the case. Again, I think it's one most people are familiar with at this point. But he purchased a gun in 2018. He owned it for 11 days as far as I understand, but in this time period was when Hunter Biden was having a lot of drug problems.


Apparently crack cocaine was his drug of choice and he was pretty deeply involved in its use during this time period. One of the questions on the form for applying for a drug or excuse me, a gun permit, is they ask you a question that basically says are you an illicit drug user or are you a drug addict? So basically, when you apply for a gun, you basically have to answer a bunch of questions and some of them are easily able to be fact checked. Did you have a felony, you know, were you ever involuntarily committed for, you know, mental issues? So things like that are easy to be able to find, but illegal drug use is very hard to do, you know, find out any other way other than maybe someone admitting it. And so in this case, you know, this drug question that said basically like, hey, do you use illegal drugs or are you a drug addict? He answered no.


And basically the defense argument in this case was he didn't consider himself a drug addict at the time that he purchased this weapon. The prosecution said we sure should have considered him as a drug addict. And beside that, the way this is written, it's asking if you use illegal drugs. 


He obviously was found guilty of this, but part of the evidence that supported this conviction, why the jury found the way they did is that they went into his phone and pulled out a bunch of text messages. And there were plenty of messages in the days leading up to his purchase of this gun where there were text messages arranging drug deals and discussing smoking crack and days, you know, in the days leading up to the gun purchase. And what it basically meant was that the jury put a lot of weight on these text messages saying, look, this is your frame of mind heading into the time when you answered this form where you said A, you weren't a drug addict and B, you weren't using illegal drugs. Now, there are other pieces of evidence, witnesses, and a memoir he wrote that certainly played into this. But I think it just shows that the text messages in this were one of the first things they went after and one of the things that the jury came back and I think probably weighed pretty heavily on them in terms of their conviction. 


Yeah, I mean not every case forensic matter needs to be some, you know, grand search and uncovering of deleted data or you know, off the wall artifacts and putting puzzles together. I mean, sometimes concrete evidence in the form of, you know, messages, conversations you can verify, you know, are still number one. Yeah, Yeah. And I don't think he argued that this wasn't his phone or these weren't his text messages. He was arguing they meant something different or his intentions at the time of filling out this form were different. But again, it just shows, to your point, it's not always a deep forensics dive, but it's showing that this digital data is important. 


It's something that needs to be looked at in most cases. So those are three cases that are currently in the news that we wanted to just bring to light because they're topical and relevant to some of these issues we're discussing. So next thing we want to go into is to talk about cases we've actually worked on. And again, we'll keep them anonymous to maintain any confidentiality, but to give some flavor to some different cases, how some of the data had come and came into play, where it was valuable, how this stuff was utilized. So Jeff, I'm going to sort of key you up on some topics. Please talk about it, give some background to what it is, the issues that in particular we're dealing with and we'll just kind of go back and forth on this. So the first one we have is a truck accident involving a pedestrian and this ends up in a fatality. And my understanding is that GPS and health app data became important in this. 


Can you explain a little bit more about this case and what you ended up doing? Yes. So this is, you know, a number of years ago before, you know, fitness watches, you know, a lot of the health tracking, you know, GPS, you know, apps were in use. 


This particular case was a girl running on a, you know, a state road. The question was whether a truck driver had enough time to respond seeing her around the bend. We had an accident, you know, reconstructor come in and do a lot of work on the vehicle itself. The question was, you know, hey, what, you know, where specifically was this girl? You know, how fast was she moving? You know, was she familiar, going back to some of the patterns of life things, you know, was she familiar with this route? So I mean, we were able to access the phones. There wasn't much information on the phone itself, but we did notice she was recording her runs on an app called, I believe, MapMyRun at the time.


We were able to, you know, figure out the password, log into this and pull her, you know, her self-recorded running history.


This was tied to the GPS on her phone. So we went and, you know, produced reports not just showing that, hey, you know, at the time of the accident, this is where her last, you know, GPS check-in was, how fast she was moving. But also the fact that, you know, she had run up and down this road probably hundreds of times in her life, was probably more aware of traffic conditions and all that. So using that, we would help determine fault at the case of the driver. And I'm assuming the driver in this case was claiming she came out of nowhere. I, I, you know, she, I had the right of way, etcetera.


She didn't seem to know where she was going. And this was the evidence that countered that. Yeah, it was a, you know, a story of, you know, someone's, you know, sprinting or running, you know, in quote unquote the middle of the road as to being, you know, well off the sidewalk in a, you know, clearly visible with enough reaction time where it could have been avoided.


So I think that's a good example of how, you know, the digital data certainly her device. And even though this is years ago, probably with the advent of fitness watches and things like that, we may even have more of this data that's available to us like that. It would be, yeah, it would. It would probably be easier these days, right? That's great. So we have another one. We're going to, this is an employment case. And my understanding, a real quick background is that, you know, half a dozen employees or so left a small company and they resigned all on the same day and went and started their own competing service. And you were brought in to investigate what may have been happening leading up to the mass resignation or what information may have been acquired in that time frame. Can you talk a little bit more about that? Yeah, so, you know, it's not uncommon to get engagements about, you know, a single individual, you know, leaving, joining competitor questions about, you know, IP theft, client lists, you know, pop up. This was a bit odd in that, you know, Dick said it was probably 2/3 of this small company left, just up and left one day. 


So the engagement started as a, you know, how a conspiracy kind of look at how long were these communications taking place, was, you know, planning happening on company time, were non-competes potentially being violated and all that stuff. Collected a number of devices, accounts and everything. Two things immediately in just an initial analysis.


We noticed first of all a hard drive attached to a machine with a mass copy of files to it, external hard drive. The owner of the company has no recollection of, you know, this drive. 


We actually found the receipt of this drive being bought by one of the departing employees. We had activity pertaining to one of the ex-employees, so they resigned on Friday. Someone entered the office premises on a Saturday and accessed the computer, being able to determine that by tracing Facebook data that occurred on that computer. We tied it to an account which belongs to one of the former employees, I think. Lastly, we uncovered some written in or some printed out invoices that had individuals' names instead of the company's name. You know, hey, write it out to me instead of the company, you know, I'll take care of it.


These invoices were not necessarily being reconciled nor was the business aware of some of these. I don't know what happened, you know, details regarding this matter, but I know it was when we presented some of our findings, everything kind of closed up pretty quickly. 


They had a lot of ammo to go after everyone involved. And so we step back a minute. This Facebook evidence was basically that, hey, someone logged into this computer using this username and password and spent some time on Facebook interacting with it, which would be pretty strong evidence that that person was on the computer at that time, which was a resigned employee from the day before. Yeah, I believe it was actually Facebook like a thumbnail, like cached files. You know, if you're browsing around, it's going to pick up little profile pictures of all your friends and everything. So we had enough of that where, you know, I could fairly easily put together who, whose account.


Have you ever come across? And I, I know this probably less so nowadays, and it may have been in the past where because I, I remember people would always warn about this in hotels, for instance, that using a hotel printer or copy machine or things like that, that the, the devices sometimes are containing copies of that data on the devices themselves. Have you ever had a case that you've had to deal with that type of information? Not that specifically, you know, I've been asked, hey, can you determine what happened, you know, on some of these, you know, network printers and whatnot and more pertains to the device, particularly the older, your older multifunction huge printers, which you don't see too often anymore had physical hard drives in them. You can remove, maybe get some data off of them.


Now. Most everything's flash media or even just stored temporarily on a server somewhere. You're kind of limited as far as document forensics goes to that extent. You know what the bigger concern would be in public spaces like, you know, hotels and whatnot would be just interception of your general Wi-Fi traffic, you know, not necessarily printing to a device. 


Gotcha. All right, so we're going to move on to a couple harassment cases. We have two of them here to talk about. One, we're going to call it online harassment. 


And, and this involves an employee who was honestly stalking and harassing another employee. And, and I understand that you got involved with the organization's HR resources to help sort of track down what was happening here, pull some evidence together that was showing them what was going on. Can you talk a little bit about that case? Yes. So this was an instance of two coworkers having an issue with each other. 


One of them went ahead and created, first of all, some fake screenshots of messages that never occurred as far as to post these online to public sites such as Facebook and news sites. Basically, you know, painting the picture that this person was extremely abusive, emotionally abusive, committing, you know, racial discrimination, you know, went so far as this person had, you know, protesters showing up outside their house. They got, you know, doxed there, their online address was posted as part of these messages. So, you know, we were brought in to kind of assist in the HR internal investigation. They, they knew they did a really good job on their own of, you know, coming up with some ideas and collecting, you know, some of the internal evidence to the point where we, we were able to come in and start, you know, not interrogating, but interviewing potential witnesses, getting idea of, hey, you know, if we do want to look at some accounts and devices, we know who should we look for? We eventually stumbled upon what would end up being the main major actor in the case We had evidence of. 


First of all, just communications regarding committing this conspiracy with the other actor that was also involved. We had a PayPal account username that was the same email address that these leaked 8 emails came from.


We had screenshots of edited conversations. We had links to other websites where you can edit conversations, you know, between, you know, myself and the HR department. You know, we built this evidence catalog enough where law enforcement stepped in and said we will take it from here.


I believe that trial was very fast from what I heard with some of the, you know, it's not always you get, you know, smoking gun evidence like you did. But this is a case where we had, you know, the perpetrators dead to rights. So, and you mentioned something in the, the description of some of the evidence you found that you found the username or user handle that was able to be tied to different, a different account. 


How often is that where you sort of breadcrumb your way through some of this digital evidence where you're like, oh, I, I found this name, which might be different from the person's name. It could be whatever they describe themselves online. And that leads you to finding where they may exist in other areas on the Internet, but whether it be social media sites or pay sites or whatever. Is that something that you come across somewhat regularly in your analysis? I think more and more, you know, we're not just a name, a phone number and an e-mail. We're a name, a phone number and Instagram handle, a WhatsApp handle, a Snapchat. You know, the more apps we use, the more accounts we get. You know, I, I probably have e-mail addresses over the years that I've accumulated that I have no idea about. You know, they're just sitting there eating up spam. You know, it happens. When you go to school, you get a university email address. So you, you know, sometimes when it comes to you trying to identify people or communications, you're ready to sit and you just think and interview people. Hey, you know. Tell us, remember all the phones you had, remember all the email addresses you've had, you know, tell us about them, right.


And so we have a second harassment case to discuss. And this one was actually you got involved after criminal charges were filed against somebody. Is that correct? And, and you testified in Criminal Court on behalf of the defendant to dispute what was being portrayed as that they were doing harassing activities online. Can you talk about that one? Yeah. This was an individual that was accused of writing printed out threatening letters to, you know, various local government officials, neighbors, things like that. I think there were almost a dozen letters that were sent out. You know, the criminal charges were filed against this individual.


At some point we were asked to do analysis on his own computer. You know, my stance was, you know, through that analysis, you know, several, many searches, you know, related to these letters, activities around the time newsletters are received, other activity. You know, I, I went to court to testify that, you know, I, I saw no signs of these letters, you know, having been done by this individual on his digital evidence. 


I also kind of, I'd say, offered some rebuttal against law enforcement's, you know, accusations that, you know, these were done by this individual on his computers. You know, so far as to say I didn't see any evidence of that. 


The individual, you know, was found to be not guilty. I'd like to say hopefully in part because some of the stuff that we didn't find in the scenario, you know, sometimes it's I don't know what's easier finding things or looking for things to not exist because they're asked, asked the same amount. 


I mean, do you remember in that case what it was the law enforcement had that they were pointing to, to say this is our digital evidence that says he was doing these activities. It was basically there that they thought it was this individual and he had a computer that was capable of, you know, producing letters. 


Which is every computer. Yeah. You know, it was just we found no evidence that any of these letters were, you know, crafted on that device. Little, little flimsy evidence on that one. 


All right, Well, thanks. So we're going to talk next about another unfortunate fatal accident. 


This is going back a few years. And so this involved an older iPhone model. And I, I think we had talked in a previous episode about older iPhone models that basically gave access to more information on the phones in an unencrypted form than we see today. And this is one of those cases that not only was it an older phone that was involved, but it was an older phone that hadn't been updated in some time. So, you know, we were able to get a lot of information off of it. And so when I caution everybody to say that what happened here is probably not going to be typical what you would see on a more modern phone, but gives an idea of the breadth of information you were able to find in this particular device.


Yeah. So most of these engagements are, you know, hey, was there a phone call being made around the time or a message, you know, a message being sent or maybe a video streaming or website being visited? But because in this instance, the accident occurred a number of years ago. And at the time of the accident, the phone itself was a number of years old. I believe it was an iPhone 6, which, you know, hasn't existed for a while. And it also hadn't been updated. So, you know that the evidence sat in storage for years with law enforcement until the time, you know, the civil trial came to be filed. 


By that time, you know, an iPhone 6 that hadn't been turned on for probably six years. You know, our forensic software was able to extract a lot more information than we could from a modern phone. The specific database that was helpful in this case is actually or actually entries related to what is on the screen at a specific time. 


You know, we could see, hey, at 8:30 AM the email application was open. OK, let's look at the email application. Oh, it looks like a draft was sitting in the outbox at 8:30. We ultimately made the determination that it was extremely likely the user was drafting an email at the specific time of the accident and found it to be a fault. 


And again, would you typically have that type of information on a more modern phone? They've kind of locked all that stuff down, haven't they? Yeah, we got lucky that day. 


Yeah. That is not you. You don't normally, like I said, you would get maybe that draft of that email sitting in that, you know, box at 8:30. But you won't have access to the database entry that says this was actively what was on the screen. 


This is probably what the user was looking at. So let's talk about another distracted driver case. And as I understand it, this was a case of a commercial truck driver and there was an accident. And the question was what was happening at the time of this accident? Is there any evidence to show, you know, what's happening on this individual's phone where they were distracted at the time of the accident? So with that bit of background, can you talk a little bit more about what happened in this case? Yes, so this one, I mean, on the accident report, you know, it was actually noted by the officers on scene that hey, you know, given conditions, given everything we know, we can't explain this accident besides likely distraction. So that kind of started, you know, the wheels getting in motion of hey, you know, maybe something was going on on this device. So cell phone records were subpoenaed. You know, we had everything from tower records to, you know, how much data was being sent back and forth.


The first thing that stood out was, you know, over a period of 6 to 8 hours, you know, when this individual was driving their commercial tractor trailer. 


An abnormal amount of data was being sent to the device. When I say abnormal amount, we're talking, you know, in the range of a few gigabytes here. 


The most obvious, you know, data category that would take up that much bandwidth, that much size is video. So we are able to use the cell phone tower records to determine a large volume of data was being sent to the device. 


We got IP records from Verizon and traced several of those IPs to Netflix. There were a number of, you know, Netflix connections over the course of, you know, half an hour, hour and a half, you know, multiple gateway being sent.


There were also other pirated movie sites that were being visited. We basically made the argument that, you know, this was almost a pattern of life, but in a much, you know, narrow window, that, hey, you know what? We have what looks like evidence of, you know, a movie being watched at the recorded time of the accident. But we also have this same activity, 8 to 10 hours leading up to it. 


You know, the question came up was, could a phone download data without someone, you know, actively watching a video on it? Absolutely. 


You know, if you're familiar with Netflix, you can always download a movie to watch later. Hey, I'm going to get on the plane. I'm not going to have Wi-Fi, so I'll download it. You were able to make comparisons of Hey, if you know, if a user was downloading it, we would expect thoughts of this size. We would expect the connection, you know, duration to be this long, not this long. 


The fact that a pirated movie was or a pirated movie site was in play. You know, those make their revenues by, you know, displaying pop-up ads.


They don't give you an option to download. You have to stream it. So we made those arguments, you know, to kind of back up the fact that, you know, we believe a movie was being watched at the time of this accident. So this in that case in particular, had not only evidence it was coming off the device itself, but also evidence from the carriers. So that you had corroborating sort of pieces of data that were saying, look, we're painting the picture here of what's possible. The phone itself yielded very, very.


I'm trying to think if I included any phone data in the evidence report because you know. A lot of time had passed since the accident occurred. The phone had been turned on and off by law enforcement, you know, during their investigation, during the other party's investigation, then during my investigation. So over time some data was being removed, but it wasn't like there was going to be a Netflix database that said users were doing this at a time.


We had to basically build the story from various sources. You know, we could have got you. So, the last case in particular I want to talk about and we'll just touch base on some general categories after this, but this is one that I have some familiarity with because we both worked on this together and it was a lot of unraveling on this particular case. The very basic background is that there was a, a contract was terminated and there was terminated based upon the contention that someone who was the subcontractor in this case was basically offering to pay someone improperly for the work that they were doing. So we'll leave it at that. 


That's the sort of genesis for the case. And then a suit was brought against the main company that was contracting with a subcontractor saying, hey, you did this improperly. 


There was no reason for you to do this. And the whole investigation as to and the reason why this happened sort of kicked off because of a screenshot that was submitted to the company saying, look, here's the text message saying they were offering to compensate me in this way. And that led to a whole series of examinations on devices and trying to figure out what was going on. And if I remember correctly, were we ever able to find that exact text? I can't remember for sure. 


I don't think we ever did. That text itself was never found on the devices we were given access to. Yeah. I I think the question from the beginning was, you know, is this actually real or not? You know, there were questions about, hey, the formatting looks weird. 


The bubbles aren't the right shape. The colors look odd. You know, this was a few years ago. 


I think an Android was involved. You know they can always look different. So it was not only a question of, hey, where did this message come from? But did it actually exist or not? Or if it didn't, where, where did it create? Where was it created? Well, and there was not only questions of the, the formatting looks odd, but we had Android devices talking to iPhones. And if you remember discussing this in a previous episode, that's one of the issues you come across when you're comparing cell phone records to data pulled off of phones. And there was a disconnect there because it was saying, look, Verizon saying that there's only, you know, 20 messages, for instance, but the phone saying there's 45. And we were able to show. Well, yeah, that's because you got iMessage to iMessage, iPhone to iPhone isn't going to show up or an iPhone to an Android or vice versa is going to show up on these or Android to an Android, I guess would also. So it was explaining that why, why the carrier records weren't matching up to what the device is coming off of or the information coming off the devices themselves.


Do you remember that as one of the issues we had to deal with and explain? Yeah. And there was also, you know, a number of, you know, from going through depositions and whatnot of high numbers of suspicious. Oh, I had a different phone at the time. 


I was borrowing someone else's phone. I got a new phone plan. You know, I didn't pay the bill on the old one that we got cut off at a different number at the time. It went so far to the point where they convinced someone to come in and allow their phone to be formally examined by someone like me. That examination happened through the review of the data sometime later by us. It was you who figured out that the correct phone wasn't even submitted. You know, Sharon Smith showed up claiming to submit her phone when it was her cousin Denise Smith's, and no one had checked whether it was actually her phone or not. So therefore, we had no evidence that, you know, there was no evidence that was needed. You know, that kind of opened your eyes on, you know, it's just the basics of are we working on the right device? Right. That was interesting. 


Yeah. And I remember, I believe one of the ways that it finally came to light that we're not even looking at the phone. This is purported to be war. The person on that phone had been texting the person who said it was their phone and was communicating directly with them. We're like, wait, this doesn't make any sense. Why are they talking to this person in the third, third party sense where this isn't making sense? And then we went back and looked and we're able to determine at that point it was they handed over somebody else's phone. 


That was a bit of a mess to unravel all those pieces, but shows you the complexity that can be involved with those, especially when you're getting in multiple devices and trying to figure out, you know, who said what when. 


I know part of what you did in that case was look at some sites that were designed specifically for creating fake text messages. And they're out there. There's apps that will do that and they, I believe they'll make it look like it's one type of phone over another. 


Again, it creates a screenshot. So you may not have anything other than a screenshot to back up that it actually existed, but they're out there. So, you know, if somebody wanted to come to you with something and said, look, I got evidence that X or Y or Z was said, certainly could do that through one of these apps designed to, to do that. 


So to wrap this up, I appreciate talking through some of these stories. We have tons of them that we could go through, but I think we talked about some of the main ones we thought would illustrate, you know, the practical way that forensic evidence has, has become important in some of the cases we've worked on. 


I know there's just some bullet points that maybe you want to just touch base upon to say look beyond the specifics. These cases we talked about. Here's some things we come across a lot. You know, we're regularly asked to look for these things or they happen. Or here's a couple areas where you might just say highlight a couple cases that, you know, we got involved on porn, people watching porn. 


Is that, you know, I'm guessing it's fairly common, but is it also something that you're asked to look for regularly or how's that come up in the context of your examination? That would be a kind of an employment law engagement. You know, typically, hey, you know, improper use of computer systems, you know, we'll be asked to extract, you know, typically web history. You know, in some, I can think of some specific cases where, you know, we used, you know, Incognito private browsing data, you know, which gave us some limited evidence, but still it was enough to prove, you know, some inappropriate use. 


That's a fairly common engagement. And, and there's a lot of cases, whether they're employment or accident cases or otherwise, where the evidence just doesn't say anything. It doesn't support what's being contended or, and, and it's investigative and we're looking for, you know, hey, maybe it didn't happen or maybe didn't happen the way that it's being contended, it happened, etcetera. And so part of what our job is is not only to say, Hey, we've checked these devices and we've confirmed we're not missing something on them, but sometimes it's also saying it supports what their argument is. Even if it's against your own client's interest, a lot of those types of cases are putting the user, you know, behind the device. OK, you found activity on a computer. So how do we know it wasn't the evening janitor or, you know, that, you know, person in the cubicle, you know, across the aisle.


So that there's where you have to take in considerations of, you know, computer usage, who has access to what, who shares accounts, you know, how hardware is handled in an organization because, Yep, proving the activity is one thing, but, you know, proving the actor is another. And we've seen this in our, in our last example here, nursing home cases. You know, oftentimes there will be lots of shifts coming through. There will be a computer that is kind of a workstation for anybody who's on shift. And they don't necessarily have to log in using any special credentials to, to, to access that device.


It's just turned on. And so they can look at calendars, they can web browse, they can do different things on there. And so you don't always have, you know, a very clean digital footprint, if you will, on that device saying, well, somebody had to have entered this username, password, what we have to support it. You know, the contention of somebody might be there is do you have video or is it were they on shift? Were there other things like that that would say this could have been the person that was there. But to your point, you don't always have conclusive evidence saying, I can show this is that person. Not everybody's going to Facebook while they're on there where it's like, oh, we know it was your personal account, which leaves a higher probability that's the person who was on the device at the time. Yeah, I, I try to preface, you know, most engagements by, you know, saying, hey, this isn't anything at all like you might see on an episode of CSI or there's no, you know, red button, I'm hitting the corner that's giving me all my relevant evidence. I know we're putting together, you know, pieces of the little bits of information that we can and, you know, their computer doesn't track everything.


It would make my job a lot easier if it did. But you should be happy that they don't. So what we're trying to do with them is, you know, fill in the gaps. Hey, what's, what's the logical explanation for this? I think to that extent, proving that something didn't happen can be challenging because a lot of times you don't have much to work with. 


Well, I think that is the end of our storytelling for today. Hopefully some of these just gave a flavor for the types of stuff that we're regularly asked to do, how some of this evidence becomes important and critical in cases. Clearly, there's lots of different scenarios we've been involved with that we can't cover in a short period of time for a podcast. So if anybody has questions, please reach out to us and let us know.


We'll walk you through what's possible or not. So Jeff, I wanted to thank you for joining us for these episodes. Appreciate all the insight that you provided and would welcome our listeners to stay tuned to the next couple episodes where our data discourse is going to be focused on e-discovery. And there's definitely some forensic crossover with any e-discovery, but we're going to be more, more moving towards data that has been collected. How do we handle this stuff now? How are we going to find what's actually important and relevant outside of a forensic analysis? So thank you very much. 


Appreciate your time and attention here and I will see you in the next episode. Thanks everyone.