Digital Evidence Has Become the New DNA in Criminal Cases, Says Expert

Los Angeles, CA (May 28, 2014) In 1911, it was fingerprints. In 1990, it was DNA. “In 2014, its digital evidence that’s now playing a lead role at determining the fate of criminal defendants”, says Mark J. McLaughlin of Computer Forensics International.

The ability to place someone at the scene of a crime is typically done by eyewitnesses, or through something unique they leave behind like fingerprints or DNA. And when a solid chain of custody is made, it rarely can be refuted. But while digital evide= nce from personal computers or mobile devices can place a defendant at the scene, it can also show they were actually miles away or didn’t commit the crime.

Three months ago there was a home invasion robbery and kidnapping in Los Angeles. One of the victims made a positive identification on the young defendant. The kid was arrested and faced a list of serious charges that, if convicted, would have placed him behind bars for over 25 years. But he always proclaimed his innocence and said he was at school during the robbery.

However, school attendance records were inconclusive. His family offered up a printed picture of their son standing next to a friend on campus, and printouts of text messages as proof he was at school. The Court said that’s not good enough.

“We live in a Photoshopped world where any original image can be easily made to look like something it’s not. It was clear the original digital photograph needed to be recovered and examined to establish a solid chain of custody,” says McLaughlin.

A Los Angeles Superior Court Judge appointed McLaughlin to authenticate that photograph and the purported text messages. He examined 4 iPhones and recovered not one, but a series of 8 photographs taken in rapid succession. The photograph’s hidden metadata showed the creation time of the photographs and text messages were the same time as the robbery 5 miles away. The case was dismissed.

What type of digital evidence can be involved in a case? It always should begin at the source and could involve; a mobile phone, personal computer, USB thumb drive or email account. And then the target data recovered could be in the form of; specific date and time stamps from relevant computer files, surveillance video, hidden metadata, Wi-Fi connections, GPS coordinates, unique IP addresses, or recoverable text from a deleted document or email.

However, it’s up to the defense attorney to recognize the possible involvement of digital evidence and bring in a forensic expert. Unfortunately, that always doesn’t happen because many attorneys are not trained on what questions to ask or what to look for. McLaughlin added, “the attorneys that do, are giving their client’s the best chance for a successful resolution of their case.”

Last June, McLaughlin helped defend another robbery case where the defendant claimed he was 40 miles away at home, and working remotely on his laptop connected to a college computer system. Records were obtained from the defendant’s college login account that showed multiple accesses during the robberies. Then an examination of the laptop recovered his unique college login with matching dates and times. And lastly, the unique IP address from his parent’s home Internet Service Provider that matched the college records. The case was dismissed.

Over the last 18 years, McLaughlin has handled over 500 criminal, civil and internal investigations, and examined over 2,000 digital items. He testifies in court as an expert and even trains attorneys on how to enhance their cases through digital evidence. McLaughlin says, “you can rest assured if there’s evidence of a defendant’s innocence in digital form, we’ll find it.”

Digital Evidence Became Smoking Gun In A-Rod Investigation

Los Angeles, California  (January 14, 2014) – Coded text messages and documents detailing an elaborate doping scheme were reportedly recovered and ultimately became the crucial evidence needed by Major League Baseball in the case against the Yankees Alex Rodriguez.

“Merely testifying that a paper document is authentic just isn’t enough anymore”, says Digital Forensic Examiner Mark McLaughlin of Computer Forensics International. “That’s why we’re brought into all types of cases where digital evidence may be found”, he added.

Today, nearly all the world’s information was initially created from a digital device. Plus it’s widely understood that by using Word or Photoshop, you can easily make anything look authentic. So unless you’ve verified the source, the authenticity of printouts as evidence are always questionable. That’s why Digital Forensic Examiners establish a verifiable chain of custody to prove what you’re looking at, is an exact representation of the original.

Examiners like McLaughlin, routinely use cutting edge software tools like EnCase and Lantern when analyzing computers and cellphones on civil and criminal cases. They start by making an exact forensic copy of the entire device – which includes active and deleted data.

Then just the copy is searched, either visually or by using keywords for relevant hits. And those searches can produce tens of thousands of hits that all must be manually reviewed. “That may seem daunting, but considering the alternative, it’s a walk in the park”, adds McLaughlin.

Over the last 17 years, McLaughlin has handled over 500 cases and examined over 2,000 digital items. He testifies in court as an expert and even trains attorneys on how to enhance their cases through digital evidence. McLaughlin says, “I really enjoy the sleuthing part of what we do. Because when we find that smokin’ gun, it’s pretty much game over”.

That iPhone in Your Pocket Is Tracking Your Every Move

Los Angeles, California  (April 24, 2012 ) – “iPhones record every step you take and when you took it,” says Mark McLaughlin of Los Angeles based Computer Forensics International. “Armed with that location data, examiners can draw a Google map of the route you took and the exact time you were there, down to the second.” iPhones are the premier member of the smartphone family that record bucket loads of data and are built on a mobile computing platform.

The iPhone’s location data is automatically captured from two sources; nearby cellphone tower sites and any wireless data network – like the Wifi network at your local Starbucks. Unfortunately for the iPhone’s owner, this data collection feature can only be stopped by turning off the phone’s wireless transmit and receive capability – also referred to as airplane mode. However, the previously recorded data will still be there and will be recoverable. iPads use the same location tracking technology.

Digital forensic examiners like McLaughlin, routinely use cutting edge software tools when analyzing iPhones and other smartphones on civil and criminal cases. They start by first making an exact copy of the phone’s entire memory – which includes active and deleted data. Then the copy is searched either visually or by using keywords for relevant evidence to the case.

This data can be a boon for attorneys and investigators working on civil and criminal cases. It could provide the corroboration to put a cheating spouse at a specific residence when they should have been at work. Or it could be used to tie individuals together in a criminal conspiracy where they otherwise couldn’t be connected.

McLaughlin says, “This location data capture shouldn’t be a problem for most iPhone owners. But if you’re trying to hide where you’ve been, leave the iPhone at home”.

Jackson Death Trial Showcases iPhone Forensic Capabilities

Los Angeles, California  (October 5, 2011) – “iPhone users would be stunned to learn the amount of recoverable data we can get”, says Mark McLaughlin of Los Angeles based Computer Forensics International. “When you hit delete it doesn’t necessarily mean that message, text or picture is gone forever. You’re just telling the iPhone, don’t show it to me anymore and it flags that deleted data so it can be overwritten. So depending on the activity after the deletion, we may be able to bring it back like it was never deleted.”

DEA Computer Forensics Examiner Stephen Marx testified today in the Michael Jackson Death Trial that he found emails the defendant Dr. Conrad Murray had sent hours before Michael Jackson died on June 25, 2009. Not only did Marx recover critical timeline emails, he also discovered digital medical charts thought to be non-existent. But the key piece of evidence was a damaging audio recording of an impaired Michael Jackson reportedly made by Murray.

Computer forensic examiners like McLaughlin, routinely use very sophisticated software tools, such as EnCase, on civil and criminal cases. They start by first making a copy of the iPhone’s entire memory – which includes active and deleted data. This exact copy doesn’t disturb the original data which makes the examination forensically sound and admissible in court. Then the copy can be searched either visually or by using keywords. The recovered data is ultimately put into known iPhone categories and displayed.

McLaughlin says, “our SmartPhone forensic capabilities have improved exponentially. But it stands to reason because they’re just pocket computers, and we’ve been searching them successfully for nearly 20 years now. So I guess people need to realize that if it’s there, we’re usually going to find it”.

Companies Regularly Use Same Forensic Search Tactics Employed on bin Laden Computers

Los Angeles, California — (May 5, 2011) It’s been reported the analysis of bin Laden’s seized computer disks should help thwart future attacks and locate terrorists. “I’m certain government forensic experts have their hands full  looking for the proverbial needles in an acre of haystacks,” says Mark J. McLaughlin, President of Los Angeles based Computer Forensics International. “The breakthrough software tools and search techniques used by government examiners are the same ones we routinely use to analyze hard drives and cellphones for attorneys, corporations and the courts.”

Computer forensic examiners start by making exact copies of seized digital evidence. Then experts would typically use EnCase, a forensic software package, to conduct the analysis. “We can easily view computer files just as you would normally look at them on your computer” says McLaughlin, a senior examiner with over 500 cases under his belt. The software automatically recovers deleted documents, emails and images. Plus each data file’s date and timestamp is displayed making it easy to assemble a timeline of when the file was created, modified or even viewed. He adds, “we also have a very cool program for conspiracy examinations that visually shows the frequency and relationship email senders have to one another.”

But the real power of a forensic examination comes from the ability to search through hundreds of gigabytes of data quickly, thoroughly and in any language – even Arabic. Lists of relevant keywords are searched against the evidence, later returning search hits where the keyword was found. It’s also important that each hit is seen in context to other words, which makes it easier to reassemble fragments of text. McLaughlin says, “by using wildcard search terms we can recover partial email addresses, phone numbers and a person’s internet browsing history. Computer forensic examiners work hard for our clients. I can truly say, if it’s there, we’re going to find it”.