Chapter 5: Investigative Reconstruction with Digital Evidence


Overview

Eoghan Casey and Brent Turvey

Reconstructing human behavior from physical evidence is a multidimensional jigsaw puzzle. Pieces of the puzzle are missing, damaged, and some are even camouflaged. The puzzle pieces come in seemingly incompatible data types - some are visual, some are in such microscopic form that it takes days of specialized analysis to show their existence and in some cases the evidence is intangible, such as oral testimony. But practitioners of these two disciplines, each for totally different reasons, sit at their desks and doggedly persist in completing these puzzles - archaeologists and forensic scientists

(Scott and Conner, 1997)

Crime is not always committed in a straightforward or easily decipherable manner. Nor is it always possible for the investigator to prove what they suspect occurred with the evidence left behind. A crime can involve multiple victims, multiple crime scene locations, and offenders engaging in various degrees of planning, aggression, fantasy, concealment, victim response, and a multitude of other behavioral interactions. Only the offender knows the full story of their involvement in a crime, and it can be difficult to establish their associated motives, movements, interactions, sequences, and timing using the fragmentary clues.

Reconstruction refers to the systematic process of piecing together evidence and information gathered during an investigation to gain a better understanding of what transpired between the victim and the offender during a crime. A core tenet of this process is that, when they commit a crime, criminals leave an imprint of themselves at the scene. This follows from Locard's Exchange Principle, which states that when any two objects come in contact, there is a cross-transfer. Footwear impressions, fingerprints, and DNA from bloodstain patterns are clear examples of imprints left by an offender at a crime scene. Reconstruction takes physical imprints a step further, using them to infer offense-related behavior, or behavioral imprints. For example, footwear impressions show who walked on a particular surface (and perhaps even when), fingerprints show who touched a particular object, and DNA from bloodstain patterns can demonstrate who bled where, when, and in what sequence.

Taken together, the behavioral imprints established at a particular crime scene can be used to establish who did what, when, where, and how. A connected series of behavioral imprints can also be used to establish an offender's modus operandi, their knowledge of the crime scene, their knowledge of the victim, and even their motivation. This is as true of digital crime scenes as it is of the corporeal world: digital crime scene evidence contains behavioral imprints. For example, the words that an offender uses on the Internet may disclose precious details, the tools that an offender uses online can be significant, and how an offender conceals their identity and criminal activity can be telling.

Take the issue of toolkits as an example. Some computer intruders use toolkits that automate certain aspects of their modus operandi. Any customization of a toolkit may say something about the offender, and the absence of a toolkit is also worth pondering. Did the offender erase all signs of the toolkit? Is the toolkit so effective that it is undetectable? Was the offender skilled enough not to need a toolkit? Perhaps the offender had legitimate access to the system and would ordinarily be overlooked as a suspect, making a toolkit unnecessary. On this one issue alone we find enough of a behavioral imprint in the digital evidence to build a healthy list of questions that require investigation.

Therefore, creating as complete a reconstruction of the crime as possible using available evidence is a crucial stage in an investigation. The basic elements of an investigative reconstruction include equivocal forensic analysis, victimology, and crime scene characteristics. Although investigative reconstruction is presented as a stage that follows the initial investigation, in practice, a basic reconstruction should be developed concurrently. When investigators are collecting evidence at a crime scene, they should be performing some of the reconstructive tasks detailed in this chapter to develop leads and determine where additional sources of evidence can be found. Once investigators are confident that they have enough evidence to start building a solid case, a more complete reconstruction should be developed.

In addition to helping develop leads and locating additional evidence, investigative reconstruction has a number of other uses. It can be used to:

  • Develop an understanding of case facts and how they relate. Getting the big picture can help solve a case and can be useful for explaining events to decision makers.

  • Focus the investigation by exposing important features and fruitful avenues of inquiry.

  • Locate concealed evidence.

  • Develop suspects with motive, means, and opportunity.

  • Prioritize investigation of suspects.

  • Establish evidence of insider or intruder knowledge.

  • Anticipate intruder actions and assess potential for escalation. This can prompt investigators to implement safeguards to protect victims and install monitoring to gather more evidence.

  • Link related crimes with the same behavioral imprints. This is a contentious area and care is required to rely on evidence rather than speculation to establish connections between crimes.

  • Give insight into offender fantasy, motives, intents, and state of mind.

  • Guide suspect interview or offender contact.

  • Present the case in court.

Because investigative reconstruction is used to learn more about a particular offender in a particular case, the arrows may begin to point in a specific direction. Consequently, the temptation to point a finger at a specific individual may become unbearable. However, great care must be taken not to implicate a specific individual until enough evidence exists to support an arrest. Even then it is not advisable to make public declarations of guilt or innocence. Recall the discussion in the previous chapter regarding legal truth versus scientific truth. An investigator's job is to present the facts of a case objectively, and it is up to the courts to decide if the defendant is guilty. If investigators make any statements naming or implicating a specific individual, their objectivity is immediately compromised, casting a fog of doubt over their work.

Investigators can avoid this pitfall by concentrating on the evidence rather than the suspect. For instance, in an intrusion investigation, one might assert, "the files found on the suspect's computer are consistent with those found on the compromised server." However, this does not imply that the suspect broke into the server to obtain the files. Someone else may have gained unauthorized access to the files and given them to the suspect. In a child pornography case, one might assert, "the files found on the suspect's computer were last accessed on November 18, 2001," but this does not imply that the images were viewed at this time, only that the files were accessed in some way. For instance, the files may simply have been moved or copied from another disk, an operation that gives the copies new creation and access times without anyone ever opening them.

Making objective statements becomes more challenging when a suspect appears to be implicated by evidence such as a photograph. For instance, in an online child pornography investigation one might state, "the images found on the suspect's computer were also found on the Internet." However, a claim that "the images found on the suspect's computer depicting the suspect and victim engaged in sexual acts were also found on the Internet" could be inaccurate if the suspect's face was morphed into the images. Alternatively, a claim that "the images found on the suspect's computer were distributed by the suspect on the Internet" could be inaccurate if someone else distributed the images and the suspect obtained them from the Internet.

CASE EXAMPLE (CALIFORNIA v. WESTERFIELD 2002):

start example

There was much confusion in the murder trial of David A. Westerfield regarding whether he or his son (David N. Westerfield) viewed specific pornographic images on a given computer. Efforts to attribute specific computer activities to one or the other caused both the prosecution and defense to overstate or incorrectly interpret the digital evidence. For instance, one forensic examiner did not initially realize that the date-time stamps in an important e-mail were in GMT rather than local time. The opposing expert did not realize that an important CD-ROM attributed to the son was assigned the name "Spectrum" when it was created. The name of the defendant's company was Spectrum, suggesting that he created the CD-ROM.

end example
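The GMT-versus-local-time mistake in the case above is easy to reproduce and easy to guard against. The following is an added example (not the book's code and not drawn from the Westerfield evidence): it parses a constructed RFC 2822 `Date:` header, shows the naive reading that discards the header's offset, and the correct conversion into an assumed local zone. The fixed UTC-8 offset is an assumption for illustration; real casework must apply the zone's daylight-saving rules for the date in question.

```python
"""Added example (not from the book): an RFC 2822 Date header carries its
own UTC offset; reading the clock value as local wall time silently shifts
the event by that offset, here across a date boundary.  The header text and
the local zone are constructed."""
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample header as it might appear in a mailbox.
SAMPLE_HEADER = "Date: Sun, 18 Nov 2001 03:20:00 +0000"
# Constructed: "-0000" means "zone unknown" per RFC 2822, not "+0000".
UNKNOWN_ZONE_HEADER = "Date: Sun, 18 Nov 2001 03:20:00 -0000"

# Assumed local zone of the examined machine: a fixed UTC-8 offset.
LOCAL_TZ = timezone(timedelta(hours=-8), name="UTC-8")


def header_value(line):
    """Return the value part of a 'Date:' header line."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "date":
        raise ValueError("not a Date header")
    return value.strip()


def naive_reading(line):
    """The mistake: take the clock value at face value as local wall time,
    throwing the header's offset away."""
    dt = parsedate_to_datetime(header_value(line))
    return dt.replace(tzinfo=None)


def correct_reading(line, local_tz=LOCAL_TZ):
    """Keep the header's offset and convert explicitly to the local zone.
    A '-0000' header parses to a naive datetime; refuse to guess its zone."""
    dt = parsedate_to_datetime(header_value(line))
    if dt.tzinfo is None:
        raise ValueError("header gives no usable offset; do not assume local")
    return dt.astimezone(local_tz)


def attribution_error_hours(line, local_tz=LOCAL_TZ):
    """How far the naive reading shifts the event, in hours."""
    naive = naive_reading(line)
    right = correct_reading(line, local_tz).replace(tzinfo=None)
    return (naive - right).total_seconds() / 3600


if __name__ == "__main__":
    print("naive  :", naive_reading(SAMPLE_HEADER).isoformat())
    print("correct:", correct_reading(SAMPLE_HEADER).isoformat())
    print("shift  :", attribution_error_hours(SAMPLE_HEADER), "hours")
    try:
        correct_reading(UNKNOWN_ZONE_HEADER)
    except ValueError as e:
        print("refused:", e)
```

Note that the two readings disagree not just on the hour but on the calendar day (18 versus 17 November), which is exactly the kind of discrepancy that turns "who was at the keyboard" into a dispute between experts. Every timestamp in a report should carry its zone, and the report should say which clock (mail server, local machine, examiner's workstation) it came from.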

The challenge for investigators is to stay within the confines of the evidence when forming conclusions about the established case facts and making subsequent comments. This requires no small amount of investigative objectivity, and a certain amount of immunity from the zeal and personal motives that often accompany those who desire justice to be more swift than accurate.

Note that some Web browsers retain a history of the pages visited, when they were first viewed, and how many times they were accessed. Although it is tempting to attribute such activities to an individual, several people may share systems and even passwords. Therefore, great care must be taken to avoid jumping to the incorrect conclusions. Since seemingly minor variations in language can make a major difference in an investigator's notebook or final report, it is important to become adept at stating only what is known and questioning all underlying assumptions.

The mark of the true forensic investigator is objectivity. In report writing and testimony alike, casual use of inflammatory, editorial, or partial language signals either a lack of training, a lack of experience, or a personal agenda. This should be kept in mind not only when forming opinions, but when reviewing the work of others.




Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
