Wednesday, May 28, 2014

Digital Evidence Has Become the New DNA in Criminal Cases, Says Expert

In 1911, it was fingerprints. In 1990, it was DNA. "In 2014, its digital evidence that's now playing a lead role at determining the fate of criminal defendants," says Mark J. McLaughlin of Computer Forensics International.
The ability to place someone at the scene of a crime is typically done by eyewitnesses, or through something unique they leave behind like fingerprints or DNA. And when a solid chain of custody is made, it rarely can be refuted. But while digital evidence from personal computers or mobile devices can place a defendant at the scene, it can also show they were actually miles away or didn't commit the crime.
Three months ago there was a home invasion robbery and kidnapping in Los Angeles. One of the victims made a positive identification on the young defendant. The kid was arrested and faced a list of serious charges that, if convicted, would have placed him behind bars for over 25 years. But he always proclaimed his innocence and said he was at school during the robbery.
However, school attendance records were inconclusive. His family offered up a printed picture of their son standing next to a friend on campus, and printouts of text messages as proof he was at school. The Court said that's not good enough.
"We live in a Photoshopped world where any original image can be easily made to look like something it's not. It was clear the original digital photograph needed to be recovered and examined to establish a solid chain of custody," says McLaughlin.
A Los Angeles Superior Court Judge appointed McLaughlin to authenticate that photograph and the purported text messages. He examined 4 iPhones and recovered not one, but a series of 8 photographs taken in rapid succession. The photograph's hidden metadata showed the creation time of the photographs and text messages were the same time as the robbery 5 miles away. The case was dismissed.
What type of digital evidence can be involved in a case? It always should begin at the source and could involve; a mobile phone, personal computer, USB thumb drive or email account. And then the target data recovered could be in the form of; specific date and time stamps from relevant computer files, surveillance video, hidden metadata, Wi-Fi connections, GPS coordinates, unique IP addresses, or recoverable text from a deleted document or email.
However, it's up to the defense attorney to recognize the possible involvement of digital evidence and bring in a forensic expert. Unfortunately, that always doesn't happen because many attorneys are not trained on what questions to ask or what to look for. McLaughlin added, "the attorneys that do, are giving their client's the best chance for a successful resolution of their case."
Last June, McLaughlin helped defend another robbery case where the defendant claimed he was 40 miles away at home, and working remotely on his laptop connected to a college computer system. Records were obtained from the defendant's college login account that showed multiple accesses during the robberies. Then an examination of the laptop recovered his unique college login with matching dates and times. And lastly, the unique IP address from his parent's home Internet Service Provider that matched the college records. The case was dismissed.
Over the last 18 years, McLaughlin has handled over 500 criminal, civil and internal investigations and examined over 2,000 digital items. He testifies in court as an expert and even trains attorneys on how to enhance their cases through digital evidence. McLaughlin says, "you can rest assured if there's evidence of a defendant's innocence in digital form, we'll find it."

Tuesday, January 14, 2014

Digital Evidence Became Smoking Gun In A-Rod Investigation
Los Angeles, California  (January 14, 2013 ) - Coded text messages and documents detailing an elaborate doping scheme were reportedly recovered that ultimately became the crucial evidence needed by Major League Baseball in the case against the Yankees Alex Rodriguez.
“Merely testifying that a paper document is authentic just isn’t enough anymore”, says Digital Forensic Examiner Mark McLaughlin of Computer Forensics International. “That’s why we’re brought into all types of cases where digital evidence may be found”, he added.
Today, nearly all the world’s information was initially created from a digital device. Plus it’s widely understood that by using Word or Photoshop, you can easily make anything look authentic. So unless you’ve verified the source, the authenticity of printouts as evidence are always questionable. That’s why Digital Forensic Examiners establish a verifiable chain of custody to prove what you’re looking at, is an exact representation of the original.
Examiners like McLaughlin, routinely use cutting edge software tools like EnCase and Lantern when analyzing computers and cellphones on civil and criminal cases. They start by making an exact forensic copy of the entire device – which includes active and deleted data.
Then just the copy is searched, either visually or by using keywords for relevant hits. And those searches can produce tens of thousands of hits that all must be manually reviewed. “That may seem daunting, but considering the alternative, it’s a walk in the park”, adds McLaughlin.
Over the last 17 years, McLaughlin has handled over 500 cases and examined over 2,000 digital items. He testifies in court as an expert and even trains attorneys on how to enhance their cases through digital evidence. McLaughlin says, “I really enjoy the sleuthing part of what we do. Because when we find that smokin’ gun, it’s pretty much game over”.

# # #

Monday, December 19, 2011

Agent: Soldier's laptop had sensitive files

Agent: Soldier's laptop had sensitive files
Investigators said they found evidence Army Pfc. Bradley Manning downloaded thousands diplomatic cables, Guantanamo assessment documents, video from a controversial 2007 airstrike in Baghdad and military records of a 2009 U.S. airstrike in Gerani, Afghanistan, in which dozens of civilians were found dead.

As the evidentiary hearing for Manning entered its fourth day, the government had called 13 witnesses and was expected to ask eight more to testify before the defense presents its case. Expected to last several more days, the hearing will help determine whether Manning should be court-martialed on 22 charges, including aiding the enemy. If convicted at court-martial, Manning could face life in prison.
Manning, 24, of Crescent, Okla., is accused of giving the secrets-sharing website WikiLeaks a trove of government material while working as an intelligence analyst in Iraq in 2009 and 2010, including Iraq and Afghanistan war logs, and State Department cables.

On the stand Monday, digital-crimes investigator David Shaver said he recovered more than 100,000 State Department cables and other sensitive information on a secure computer that Manning used.
The cables were contained in a deleted .csv file, ordered by a message record number that indicated the embassy where they originated.

"It seemed like someone wanted to make sure they got all of them," said Shaver, who is special agent with the Computer Crime Investigative Unit of Army Criminal Investigation Command.
In open session, prosecutors and defense attorneys sparred over the potentially damaging evidence. Under cross examination, Shaver said to defense attorney Capt. Paul Bouchard that some of the cables did match those published by WikiLeaks. The damaged file could only be opened with special tools, which could explain why those documents weren't published.

Based on an examination of Manning's computer, Shaver said he recreated Manning's searches, which led to downloads of detainee assessments that have been published by WikiLeaks.
On Manning's personal laptop, a MacBook Pro, CCIU investigator Mark Johnson said he found chat logs between Manning and hacker Adrian Lamo.

On Sunday, Shaver said in court that "it stood out" that on one of Manning's laptops, Firefox's homepage was set to Intelink, considered the main search engine for the U.S. intelligence community's secure networks, and that it was set not to record its browsing history.

From the time Manning arrived in Iraq in October 2009 to May 2010 when he was arrested, Manning had conducted many intelligence searches using key words including "WikiLeaks," "Julian Assange" (WikiLeaks' founder), "Iceland" and "retention of interrogation videos," Shaver said. The last term corresponds with a solicitation from WikiLeaks.

Investigators concluded that hundreds of documents, image and video files that had been downloaded through Manning's computer profile that were connected to a controversial U.S. airstrike in May 2009 at Gerani village. Shaver said files included documents about burn victims and aerial reconnaissance video.

Shaver said he found two versions of a 2007 video, called "Collateral Murder" by WikiLeaks: The "released version from WikiLeaks and another version that seemed to the source for it." WikiLeaks used the gunsight video from Apache helicopters involved in a series of air-to-ground attacks in 2007 in which 11 people died, including two employees of the Reuters news service.

Defense attorneys have focused on supervisors' failure to pull Manning's security clearance in spite of his erratic and sometimes violent behavior, as well as broader security lapses in the facility on Forward Operating Base Hammer where Manning worked. Fifteen people, including the noncommissioned officer in charge of the facility, have been disciplined in the case.

Contributing: The Associated Press

Tuesday, November 1, 2011

Documents Show 'A Culture' of Illegal Phone-Hacking At The News of The World

Reprint from The Hollywood Reporter - 10:13 AM PDT 11/1/2011 by Mimi Turner
James Murdoch
Bloomberg/Getty Images


A 2008 legal opinion from Michael Silverleaf QC will put further pressure on James Murdoch to explain whether he was part of a cover-up.

LONDON - Pressure is mounting on James Murdoch to explain his knowledge of phone-hacking allegations after the Parliamentary Culture Media and Sport Committee Tuesday published a cache of devastating documents showing that phone-hacking was known about by senior executives at News International as early as 2008, almost three years before the publisher admitted that the problem was systemic.

A legal opinion dated June 2008 prepared for News International lawyer by Queen's Counsel Michael Silverleaf, said that there was "overwhelming evidence" that senior journalists were involved in what amounted to "a culture" of illegal phone-hacking at the newspaper.

The lawyer also said that News of The World investigator Glenn Mulcaire appeared to have been hired purely "to engage in illegal gathering."

Silverleaf was hired as an external senior barrister in 2008 to advise News International on the legal case being brought against it by Gordon Taylor, head of the Professional Footballers' Association.

James Murdoch later approved a payment of almost $3 million to keep the case out of court.
The damning legal opinion tells News International's legal team that the chance of winning the case is "slim to non-existent" because of the amount of "truly damaging" information that Taylor's legal team had obtained after getting a court order to access the documents in a previous legal case against Glenn Mulcaire, who was jailed for four months in relation to hacking the phones of members of the Royal family.

"In addition there is substantial surrounding material about the extent of NGN journalists' attempts to obtain access to information illegally in relation to other individuals." The Silverleaf legal Opinion went on.

"In the light of these facts there is a powerful case that there is (or was) a culture of illegal information access used at News Group Newspaper in order to produce stories for publication.
The Silverleaf memo was sent to Tom Crone, the News of The World's internal lawyer.

"Not only does this mean that NGN is virtually certain to be held liable to Mr Taylor, to have this paraded at a public trial would, I imagine, be extremely damaging to NGN's public reputation. If the trial proceeds there would seem to be little doubt that Mr Taylor's case will be advanced on the basis that Mr Mulcaire was specifically employed by NGN to engage in illegal gathering."
These new documents could prove immensely damaging to James Murdoch's claim that he had not been aware of the suggestion that phone-hacking had gone beyond one reporter when he authorised the near $3 million payment.

Murdoch will face tough questions on what he knew about the payment when he is recalled on November 10, given the extent to which the information about illegal behaviour was known internally.
But it is still unclear the extent to which James Murdoch, then chief executive of News International was fully informed.

In a handwritten memo of a conversation between former News of The World editor Colin Myler and an advisor to Silverleaf, Julian Pike of Farrar's Solicitors, about five reporters under investigation, Pike appears to quote Myler in a handwritten scrawl: "Les no longer here - James wld say get rid of them - cut out cancer."

The most likely interpretation of the - note could be that Myler had told Pike that James Murdoch would not have entertained keeping the reporters on, however senior.

James Murdoch is due to give evidence again to the House of Commons Parliamentary Committee on November 10