In 1911, it was fingerprints. In 1990, it was DNA. "In 2014, its digital evidence that's now playing a lead role at determining the fate of criminal defendants," says Mark J. McLaughlin of Computer Forensics International.
The ability to place someone at the scene of a crime is typically done by eyewitnesses, or through something unique they leave behind like fingerprints or DNA. And when a solid chain of custody is made, it rarely can be refuted. But while digital evidence from personal computers or mobile devices can place a defendant at the scene, it can also show they were actually miles away or didn't commit the crime.
Three months ago there was a home invasion robbery and kidnapping in Los Angeles. One of the victims made a positive identification on the young defendant. The kid was arrested and faced a list of serious charges that, if convicted, would have placed him behind bars for over 25 years. But he always proclaimed his innocence and said he was at school during the robbery.
However, school attendance records were inconclusive. His family offered up a printed picture of their son standing next to a friend on campus, and printouts of text messages as proof he was at school. The Court said that's not good enough.
"We live in a Photoshopped world where any original image can be easily made to look like something it's not. It was clear the original digital photograph needed to be recovered and examined to establish a solid chain of custody," says McLaughlin.
A Los Angeles Superior Court Judge appointed McLaughlin to authenticate that photograph and the purported text messages. He examined 4 iPhones and recovered not one, but a series of 8 photographs taken in rapid succession. The photograph's hidden metadata showed the creation time of the photographs and text messages were the same time as the robbery 5 miles away. The case was dismissed.
What type of digital evidence can be involved in a case? It always should begin at the source and could involve; a mobile phone, personal computer, USB thumb drive or email account. And then the target data recovered could be in the form of; specific date and time stamps from relevant computer files, surveillance video, hidden metadata, Wi-Fi connections, GPS coordinates, unique IP addresses, or recoverable text from a deleted document or email.
However, it's up to the defense attorney to recognize the possible involvement of digital evidence and bring in a forensic expert. Unfortunately, that always doesn't happen because many attorneys are not trained on what questions to ask or what to look for. McLaughlin added, "the attorneys that do, are giving their client's the best chance for a successful resolution of their case."
Last June, McLaughlin helped defend another robbery case where the defendant claimed he was 40 miles away at home, and working remotely on his laptop connected to a college computer system. Records were obtained from the defendant's college login account that showed multiple accesses during the robberies. Then an examination of the laptop recovered his unique college login with matching dates and times. And lastly, the unique IP address from his parent's home Internet Service Provider that matched the college records. The case was dismissed.
Over the last 18 years, McLaughlin has handled over 500 criminal, civil and internal investigations and examined over 2,000 digital items. He testifies in court as an expert and even trains attorneys on how to enhance their cases through digital evidence. McLaughlin says, "you can rest assured if there's evidence of a defendant's innocence in digital form, we'll find it."