22.1 Investigating an Alibi


When investigating an alibi that depends on digital evidence, the first step is to assess the reliability of the information on the computers and networks involved. Some computers are configured to synchronize their clocks regularly with very accurate time satellites and make a log of any discrepancies. Other computers allow anyone to change their clocks and do not keep logs of time changes. Some computer networks control and monitor which computers are assigned specific IP addresses using protocols like BOOTP and DHCP. Other networks do not strictly control IP address assignments, allowing anyone to change the IP address on a computer.

In some situations, interviewing several individuals who are familiar with the computer or network involved will be sufficient to determine if an alibi is solid. These individuals should be able to explain how easy or difficult it is to change information on their system. For example, a system administrator can usually illustrate how the time on a specific computer can be altered and the effects of such a change. If log files are generated when the time is changed, these log files should be examined for digital evidence related to the alibi.

In other situations, especially when an obscure piece of equipment is involved, it might be necessary to perform extensive research: reading through documentation, searching the Internet for related information, and even contacting manufacturers with specific questions about how their products function. The aim of this research is to determine the reliability of the information on the computer system and the existence of logs that could be used to support or refute an alibi. If no documentation is available, the manufacturer is no longer in business, or the equipment/network is so complicated that nobody fully understands how it works, it might be necessary to recreate the events surrounding the alibi to determine the reliability of the associated digital evidence.

By performing the same actions that resulted in an alibi, an investigator can determine what digital evidence should exist. The digital data that are created when investigators recreate the events surrounding an alibi can be compared with the original digital evidence. If the alibi is false, there should be some discrepancies. Ideally, this recreation process should be performed using a test system rather than the actual system to avoid destroying important digital evidence. A test system should resemble the actual system closely enough to enable investigators to recreate the alibi that they are trying to verify. If a test system is not available, it is crucial to back up all potential digital evidence before attempting to recreate an alibi.

It is quite difficult to fabricate an alibi on a network successfully because an individual rarely has the ability to falsify digital evidence on all of the computers that are involved. If an alibi is false, a thorough examination of the computers involved will usually turn up some obvious inconsistencies. The most challenging situations arise when investigators cannot find any evidence to support or refute an alibi. When this situation arises, it is important to remember an axiom from forensic science: absence of evidence is not evidence of absence. If a person claims to have checked e-mail on a given day from a specific location and there is no evidence to support this assertion, that does not mean that the person is lying. No amount of research into the reliability of the logging process will change the fact that an absence of evidence is not evidence of absence. It is crucial to base all assertions on solid supporting evidence, not on an absence of evidence. To demonstrate that someone is lying about an alibi, it is necessary to find evidence that clearly demonstrates the lie.

CASE EXAMPLE

A suspect claimed to have been at work during the weekend at the time of a homicide, fixing a network problem and checking e-mail. The investigators were not familiar with computer networks and depended heavily on the system administrators at the organization where the suspect worked. Unfortunately, the system administrators were not fully briefed on the details of the case and did not have all of the information necessary to examine their log files thoroughly.[1]

As a result, one of the most important IP addresses involved was not included in the search and the investigators could not find any indication that the suspect checked his e-mail. The investigators jumped to the conclusion that the suspect was lying about his alibi based on this absence of evidence.

A few days later, the suspect was at work and noticed a timestamp that was created when he fixed the network problem on the day of the crime. The suspect prudently asked his coworkers to witness and document the evidence. However, when the suspect presented this evidence to the investigators, they were incredulous, assuming that he had fabricated the timestamp after the fact. In truth, the investigators had not researched the network components involved and did not recognize an important source of digital evidence. Their negligence led them to suspect the wrong man, causing over two years of disruption in his life, costing him his job, costing the state and organization untold amounts of money, and worst of all, letting the actual murderer go free.
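
The search in this case missed one of the IP addresses involved. As an added example (not from the book), the following Python derives the list of addresses to search from DHCP lease records, puts both logs on one clock, and reports an empty result as inconclusive. The log layouts, MAC and IP addresses, user names and the `mail_skew` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records in an invented log layout (not from the case).
DHCP_LOG = """\
2003-03-08T09:02:11 ACK 00:10:a4:7b:ea:80 192.168.5.21 lease=14400
2003-03-08T13:05:40 ACK 00:10:a4:7b:ea:80 192.168.7.63 lease=14400
2003-03-08T10:15:00 ACK 00:0c:29:11:22:33 192.168.5.40 lease=14400
"""
MAIL_LOG = """\
2003-03-08T09:31:02 pop3 login user=jdoe ip=192.168.5.21
2003-03-08T13:42:57 pop3 login user=jdoe ip=192.168.7.63
2003-03-08T11:20:00 pop3 login user=asmith ip=192.168.5.40
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def leases_for(mac, dhcp_log=DHCP_LOG):
    """Every (ip, start, end) lease the DHCP server granted to this MAC."""
    out = []
    for line in dhcp_log.splitlines():
        ts, _ack, lease_mac, ip, dur = line.split()
        if lease_mac.lower() == mac.lower():
            start = parse_ts(ts)
            out.append((ip, start, start + timedelta(seconds=int(dur.split("=")[1]))))
    return out

def mail_hits(leases, window, mail_skew=timedelta(0), mail_log=MAIL_LOG):
    """Mail logins from a leased IP, during that lease and inside the window.
    mail_skew: how far the mail server clock runs ahead of the DHCP server."""
    hits = []
    for line in mail_log.splitlines():
        ts, _proto, _event, user, ip_field = line.split()
        when = parse_ts(ts) - mail_skew  # put both logs on one clock
        ip = ip_field.split("=")[1]
        for lease_ip, start, end in leases:
            if ip == lease_ip and start <= when <= end and window[0] <= when <= window[1]:
                hits.append((when, user.split("=")[1], ip))
    return hits

def assess(hits):
    # An empty result limits what can be said; it does not refute the alibi.
    return "supporting records found" if hits else "inconclusive: no records found"

if __name__ == "__main__":
    window = (parse_ts("2003-03-08T13:00:00"), parse_ts("2003-03-08T15:00:00"))
    all_leases = leases_for("00:10:A4:7B:EA:80")
    narrow = [l for l in all_leases if l[0] == "192.168.5.21"]  # the one IP searched
    print(assess(mail_hits(narrow, window)), "|", assess(mail_hits(all_leases, window)))
```

Searching only the first address returns nothing for the afternoon window, while the full lease history turns up the login from the second address.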

Although absence of evidence is not necessarily evidence of absence, an alibi can be severely weakened by a lack of expected digital evidence. In one case, a homicide suspect claimed that he had been at work when the crime occurred and that he was using a particular computer for several hours. The computer in question showed no sign of use during that period, contradicting the suspect's alibi. He was subsequently convicted of the crime.

An interesting aspect of investigating an alibi is that no amount of supporting evidence can prove conclusively that an individual was in a specific place at a specific time. With enough knowledge and resources, any amount of physical and digital evidence can be falsified to fabricate an alibi. Therefore, a large amount of supporting evidence indicates that the alibi is probably true, but not definitely true. For this reason, it rarely makes sense for a defense attorney to spend time and resources searching for digital evidence that supports a client's alibi. No amount of evidence will prove that the alibi is true and the more the alibi is examined, the more likely it is that an inconsistency will be found that could weaken the attorney's ability to defend the client.

[1] The oversight was noticed several years later when the case was being tried.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
