5.4 Evidence Dynamics and the Introduction of Error

Investigators and digital evidence examiners will rarely have an opportunity to examine a digital crime scene in its original state and should therefore expect some evidence dynamics. Evidence dynamics are any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time evidence is transferred and the time the case is resolved. Offenders, victims, first responders, digital evidence examiners, and anyone else who had access to digital evidence prior to its preservation can cause evidence dynamics.

For instance, responding to a computer intrusion, a system administrator deleted an account that the intruder had created and attempted to preserve digital evidence using the standard backup facility on the system. This backup facility was outdated and had a flaw that caused it to change the times of the files on the disk before copying them. Thus, the date-time stamps of all files on the disk were changed to the current time, making it nearly impossible to reconstruct the crime. As another example, during an investigation involving several machines, a first responder did not follow standard operating procedures and failed to collect important evidence. Additionally, evidence collected from several identical computer systems was not thoroughly documented, making it very difficult to determine which evidence came from which system.

Media containing digital evidence can deteriorate over time or when exposed to fire, water, jet fuel, and toxic chemicals. Errors can also be introduced during the examination and interpretation of digital evidence. Digital evidence examination tools can contain bugs that cause them to represent data incorrectly, and digital evidence examiners can misinterpret data. For instance, while a digital evidence examiner was examining several log files, transcribing relevant entries for later reference, he transcribed several dates and IP addresses incorrectly. In one instance, he misread 03:13 as 3:13 P.M., which resulted in the wrong dial-up records being retrieved and implicated the wrong individual. Similarly, he transcribed 192.168.1.54 as 192.168.1.45 in a search warrant and implicated the wrong individual.
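The flawed backup facility described above changed every file's date-time stamp while leaving file contents intact, which a content hash alone would never reveal. The following added example (not from the book) records both a SHA-256 hash and the modification time of each file in a manifest before preservation, then compares it against a second manifest to flag exactly this kind of change, as well as files that went missing or appeared afterwards. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_record(path):
    """Hash plus metadata for one file. Both are needed: a faulty copy tool can
    leave the bytes unchanged while rewriting the date-time stamps."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}

def build_manifest(root):
    """Map each file (relative path) under root to its record."""
    return {os.path.relpath(os.path.join(d, n), root): file_record(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in sorted(names)}

def compare_manifests(before, after):
    """Report, per file, what changed between two manifests."""
    findings = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            findings[rel] = "missing"
        elif rel not in before:
            findings[rel] = "unexpected"
        elif before[rel]["sha256"] != after[rel]["sha256"]:
            findings[rel] = "content changed"
        elif before[rel]["mtime"] != after[rel]["mtime"]:
            findings[rel] = "timestamp changed"
    return findings

def demo():
    # Constructed scenario: two files with a fixed 2001 timestamp, then a
    # "backup" that touches one file (content intact, mtime reset to now)
    # and loses the other entirely.
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.log", b"login 03:13\n"), ("b.dat", b"\x00\x01")):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(data)
            os.utime(p, (1_000_000_000, 1_000_000_000))
        before = build_manifest(root)
        os.utime(os.path.join(root, "a.log"), None)   # the flawed tool's side effect
        os.remove(os.path.join(root, "b.dat"))
        return compare_manifests(before, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```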

These examples are only a small sampling - there are many other ways that evidence dynamics can occur.

CASE EXAMPLE (UNITED STATES v. BENEDICT):

Lawrence Benedict was accused of possessing child pornography found on a tape that he exchanged with another individual named Mikel Bolander who had been previously convicted of sexual assault of a minor and possession of child pornography. Benedict claims that he was exchanging games with many individuals and did not realize that the tape contained child pornography. Although Benedict initially pleaded guilty, purportedly based on advice from his attorney, he changed his plea when problems were found in digital evidence relating to his case. A computer and disks that the defense claimed could prove Benedict's innocence were stored in a post office basement that experienced several floods. The water damage caused the computers to rust and left a filmy white substance encrusted on the disks (McCullagh 2001). Furthermore, after Bolander's computer was seized, police apparently copied child pornography from the tape allegedly exchanged by Bolander and Benedict onto Bolander's computer for examination. Police also apparently installed software on Bolander's computer to examine its contents, and files on the computer appeared to have been added, altered, and deleted while it was in police custody. According to the defense:

On February 2, 1995, Robert Davis of the San Diego Police Department, while examining the computer evidence, placed computer programs and evidentiary files onto the Bolander C-drive. The programs, which Davis supplied himself, were used to download the evidentiary files from tape onto the computer for examination. As I discussed in my previous affidavits, this is an unacceptable practice since it destroys the integrity of the original evidence. Davis's excuse was that he had no other computer available to perform a forensic analysis. However, it can be shown that files were also deleted from the Bolander C-drive while said evidence was in custody in San Diego. Not only were the files that Davis downloaded onto Bolander's drives deleted, but also a large number of files that he did not download were deleted while said drives were in the custody of the San Diego Police. In addition, attempts were made to completely "wipe" (obliterate all evidence of previous existence) these files from the computer. Among these files were "MB" letters, including MB626, MB57, MB51, and M425. (Littlefield 2002)

Bolander's computer was destroyed before Benedict's sentencing. Additionally, a floppy disk containing evidence was mostly overwritten, presumably by accident. The evidence dynamics in this case created a significant amount of controversy.

Evidence dynamics creates investigative and legal challenges, making it more difficult to determine what occurred and making it more difficult to prove that the evidence is authentic and reliable. Additionally, any conclusions that a forensic examiner reaches without the knowledge of how evidence was changed will be open to criticism in court, may misdirect an investigation, and may even be completely incorrect.

Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279