Category Archives: Digital Forensics

Digital Evidence Series: Part I – Cell Phone Location Evidence for Legal Professionals

The NC Office of Indigent Defense Services will offer a series of free presentations on digital evidence that are designed to enhance the knowledge of criminal defense attorneys. Available for CLE credit, these programs will occur at lunchtime in various locations around central North Carolina. Participants receiving CLE credit will be billed $3.50 per credit hour by the NC State Bar.

The first program in the series will begin at 12:15 pm on Friday, Nov. 3, 2017 at the Johnston County Courthouse in Smithfield, NC. Part II is planned for January in Alamance County and Part III is planned for February in Pitt County. Details will be posted about those programs when they are finalized.

During the first in the Digital Evidence Series, Larry Daniel will cover techniques for locating cell phones, including call detail records, drive testing, Google location services, E-911 Records, Phone Based Location, and Find my iPhone. He will cover how records are obtained and limitations of each technique. Information on how cell phones work will be covered to aid in understanding how cell towers are used to determine location. Case examples will be used to demonstrate the limitations to these techniques.

Registration available here: https://goo.gl/forms/LwCAumzp4LCrS21A2

Program website: http://www.ncids.com/forensic/resources/nov3.pdf

Contact Sarah.R.Olson@nccourts.org if you have questions.

 

November 3, 2017

12:15-12:30 PM   Sign-in (pizza lunch provided for registered participants)

12:30-2:00 PM     Cell Phone Location Evidence for Legal Professionals

CLE: 1.5 hours general credit

 

Speaker Bio:

Larry Daniel began performing computer forensics in 2001. He holds numerous certifications in computer, cell phone and GPS forensics including the Encase Certified Examiner (EnCE), Access Data Certified Examiner (ACE), Digital Forensics Certified Practitioner (DFCP), Blackthorn 2 Certified Examiner (BCE), the Access Data Mobile Examiner (AME), Certified Telecommunications Network Specialist (CTNS), Certified Wireless Analysis (CWA) and Certified Telecommunications Analyst (CTA).

Mr. Daniel has provided computer and cellular phone and cellular tower technology in hundreds of criminal and civil cases. Additionally, he has qualified and testified as a computer forensic expert, a cellular phone forensics expert, a GPS forensics expert and a cellular technology expert over 50 times in state and federal courts.

He has provided training via presentations and continuing legal education over 75 times for attorneys, prosecutors, judges, and law enforcement, as well as presenting at such conferences as the Department of Defense Cyber Crime Conference, the Computer Enterprise and Investigations Conference, the American College of Forensic Examiners and the National Association of Criminal Defense Lawyers. He is co-author of the book, “Digital Forensics for Legal Professionals, Understanding digital evidence from the warrant to the courtroom” 2011, Syngress. Larry’s latest book is “Cell Phone Location Evidence for Legal Professionals, Understanding Cell Phone Location Evidence From the Warrant to the Courtroom”, Academic Press.


Filed under Digital Forensics, Meetings/Events, Resources

NACDL Releases Primers on Surveillance

With a focus on Fourth Amendment concerns, the National Association of Criminal Defense Lawyers (NACDL) recently began a series of surveillance primers. The first primers in the series provide information on Automated License Plate Readers, Cell Phone Location Tracking, and Cell Site Simulators. NACDL will periodically release more primers on surveillance technologies. These documents are available to members and non-members here.

Each primer describes what the technology is designed to do, how it is used, and suggested defense strategies to identify and challenge the use of these technologies. The primers discuss law enforcement justifications for their use and provide lists of resources to aid in further research. These are a great starting point to further one’s understanding of these technologies, including determining if they were used in a case.


Filed under Digital Forensics, Uncategorized

Stingrays and Privacy

The Florida Supreme Court recently issued an opinion holding that the Fourth Amendment protections apply to real time cell site location information. The court distinguishes real-time cell site location records from historical data, emphasizing that historical cell site location records are not at issue in this case. This real time location surveillance is done with devices used by law enforcement to track cell phones. These devices, known as “IMSI catchers,” are sold under the names StingRay, TriggerFish, AmberJack and other fish names.

In Tracey v. State, 39 Fla. L Weekly S 617 (2014), the court rejects the mosaic theory of the Fourth Amendment that was applied in United States v. Jones, 132 S. Ct. 945 (2012). Using this approach, courts evaluate a sequence of government activity as an aggregated whole to consider whether the sequence amounts to a search. The Florida Supreme Court notes that the theory’s “case-by-case, after-the-fact, ad hoc determinations” are not workable and present the danger of arbitrary and inequitable enforcement. Tracey at 38. The court also rejects the idea of “setting forth a chart designating how many hours or days of monitoring may be conducted without crossing the threshold of the Fourth Amendment.” Id. at 39-40.

The court bases its opinion on the “normative inquiry” put forth in Smith v. Maryland, 442 U.S. 735 (1979). In Smith, the Supreme Court said that a normative inquiry would be proper “where an individual’s subjective expectations had been ‘conditioned’ by influences alien to well-recognized Fourth Amendment freedoms.” Smith at 740-741. Applying the normative inquiry, the Tracey court looks to various factors and considerations. One consideration is how easy it is for the government to monitor and track cell phones. The court also notes that “[s]imply because the cell phone user knows or should know that his cell phone gives off signals that enable the service provider to detect its location for call routing purposes . . . does not mean that the user is consenting to use of that location information by third parties for any other unrelated purposes.” Tracey at 45. While cell phone users can turn off their cell phones to prevent location signals from being used, the court finds that this would place an “unreasonable burden on the user to forego necessary use of his cell phone, a device now considered essential by much of the populace.” Id. at 46. Finally, the court finds that cell phones are “effects” under the Fourth Amendment, having become “virtual extensions of many of the people using them for all manner of necessary and personal matters.” Id. at 49.

The Florida Supreme Court distinguishes this case from the U.S. Supreme Court’s decision in United States v. Knotts, 460 U.S. 276 (1983) where the Court found that the use of an electronic beeper to track a car’s movement was not a violation of the Fourth Amendment. The relationship between Knotts and the beeper is different from that of an owner and his cell phone. The Florida court also found that in Tracey, though the defendant’s movement on public roads was tracked, law enforcement would not have been able to locate him on those roads but for the real time cell location data.

The court concludes by stating that “a subjective expectation of privacy of location as signaled by one’s cell phone—even on public roads—is an expectation of privacy that society is now prepared to recognize as objectively reasonable under the Katz ‘reasonable expectation of privacy’ test.” Tracey at 53.

For more information on Stingrays, check out this previous blog post about what defense attorneys need to know and this School of Government post about the legal status of these devices. A recent Charlotte Observer article discusses the use of the technology locally. The article reports that Charlotte-Mecklenburg police department has owned this surveillance equipment for eight years and currently uses it on a weekly basis. While police seek court orders before using the equipment, one Superior Court judge said that he has approved hundreds of requests, has never turned down a request, and is unaware of any other Superior Court judge ever rejecting a request. Orders allowing this type of surveillance are sealed and not provided to the defense through discovery, so it is unclear when and how this technology is being used.


Filed under Digital Forensics

Stingrays: What defense attorneys need to know

Law enforcement agencies nationwide have been secretly using IMSI (international mobile subscriber identity) catchers to track suspects through their cell phones. Typically this surveillance occurs without a warrant or court order. Also called “Stingray,” this device tracks cell phones using the radiofrequency signals radiating from the phone. The device is a shoebox-sized receptor that mimics a cell phone tower and tricks the cell phone into transferring its location and other information to the surveillance device. Its ability to be concealed and its mobility allow police officers to track suspects in many situations and also in real time. Compared to the traditional method of subpoenaing a suspect’s phone records and tracing the call locations accordingly, this technology allows law enforcement much broader real-time locating and tracking capability. Stingray is also capable of connecting to bystanders’ cell phones near the targeted cell phone and relaying their locations and private information back to the investigating agency.

According to records obtained by the American Civil Liberties Union, police departments in Wilmington, Durham, and Charlotte have been appropriated funds for purchasing Stingray equipment. Use of Stingray by the Wilmington Police Department has been the subject of investigation by local media outlets as covered here, here, and here. However, Stingray’s manufacturer, the Harris Corporation, requires purchasing agencies to sign a nondisclosure agreement which prevents the law enforcement agency from disclosing how the instrument works or whether the department is using it for surveillance. In Florida, law enforcement officers have hidden the use of Stingrays from courts by stating that a suspect’s location information was obtained from a “confidential source” rather than saying it was obtained through use of a Stingray.

The ACLU of Northern California has created a guide to inform defense attorneys about the Fourth Amendment implications of this controversial device and to explain how law enforcement agencies are currently using Stingray to track suspects. To learn more about Stingray’s functionality, how to identify when Stingray has been used in a case, and potential legal arguments, click here to read the ACLU Guide for Criminal Defense Attorneys.

 


Filed under Digital Forensics

Using cell tower data to track a suspect’s location

With the recent U.S. Supreme Court decision Riley v. California, the topic of cell phone forensics is on the mind of many attorneys. Cell tower location tracking is a related area where investigators gather information about a cell phone’s location using data from cellular towers contained in phone records. Attorneys should be aware that location tracking through cell tower data is a questionable practice, as explained in these recent articles in The New Yorker and The Washington Post.

How its proponents say it works:

Proponents of cell tower location tracking explain that when a phone call is made through a cell phone, the phone sends out a radiofrequency signal to the “nearest” tower. Investigators will look at phone records to see which tower the phone connected to at a specific time. Once they have located the individual tower that facilitated a particular call, investigators will determine the geographical range of that tower and conclude that the phone and therefore the person using the phone were within that tower’s range at the time the call was made. Triangulation, or the use of three different calls or cell towers to create an overlapping area similar to a Venn diagram that produces a smaller potential location, is more reliable than the single tower method. However, triangulation data or GPS data (which could potentially give an exact location) often is not available. Police frequently trace the phone call, find the tower, determine its range, and see if the suspect’s cellular phone data places him at or near the crime scene at the relevant time.

Limitations of this technique:

Cellular communications experts explain that tracking a phone’s location based on its connection to cell towers is not so simple. The proposition that a cell phone will connect to the nearest tower is not accurate. There are many complex, proprietary algorithms that a cellular company’s control center uses to decide which tower gets the call. Cell towers’ ranges can vary from several square miles in urban areas to in excess of 20 square miles in rural areas. Geography, network congestion, weather, height of the tower, and many other factors can affect which cell tower picks up a call. For these reasons, claiming that a person is within a specific radius of a certain cell tower is not possible with the current technology.
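The following added example (not part of the original post) applies the proponents' own simplified model, in which each tower covers a perfect circle, to show how large the resulting area is and that a single record can be consistent with both a crime scene and an alibi location. The tower positions, radii, call records and places are all constructed for illustration; real coverage is not circular, for the reasons given above.

```python
import math

# Constructed sample data: tower positions in miles on a flat local grid, each
# with an assumed circular coverage radius (2.5 mi is about 20 square miles).
TOWERS = {"A": (0.0, 0.0, 2.5), "B": (3.0, 0.0, 2.5), "C": (1.5, 2.6, 2.5)}

# Constructed call detail records: (time, tower the call was routed through).
CDR = [("21:02", "A"), ("21:09", "B"), ("21:15", "C")]

# Constructed places of interest on the same grid.
PLACES = {"scene": (1.4, 0.9), "alibi": (1.8, 1.2), "far": (6.0, 6.0)}


def in_range(point, tower_id):
    """True if the point lies inside the assumed coverage circle of a tower."""
    x, y, r = TOWERS[tower_id]
    return math.hypot(point[0] - x, point[1] - y) <= r


def consistent(point, tower_ids):
    """True if the point is in range of every listed tower (the overlap)."""
    return all(in_range(point, t) for t in tower_ids)


def region_area(tower_ids, step=0.05):
    """Area in square miles of the overlap, counted on a grid of small cells."""
    x0 = min(TOWERS[t][0] - TOWERS[t][2] for t in tower_ids)
    x1 = max(TOWERS[t][0] + TOWERS[t][2] for t in tower_ids)
    y0 = min(TOWERS[t][1] - TOWERS[t][2] for t in tower_ids)
    y1 = max(TOWERS[t][1] + TOWERS[t][2] for t in tower_ids)
    nx, ny = round((x1 - x0) / step), round((y1 - y0) / step)
    hits = sum(
        consistent((x0 + (i + 0.5) * step, y0 + (j + 0.5) * step), tower_ids)
        for i in range(nx)
        for j in range(ny)
    )
    return hits * step * step


def report(cdr, places):
    """For one call and for all calls combined, list area and matching places."""
    single, combined = [cdr[0][1]], [tower for _, tower in cdr]
    out = {}
    for label, ids in (("single", single), ("overlap", combined)):
        out[label] = {
            "area_sq_mi": round(region_area(ids), 2),
            "places": sorted(p for p, xy in places.items() if consistent(xy, ids)),
        }
    return out


if __name__ == "__main__":
    for label, result in report(CDR, PLACES).items():
        print(label, result)
```

Even the three-tower overlap in this constructed layout spans more than two square miles and contains both the "scene" and the "alibi" points, so the records alone cannot tell the two apart.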

Misuse of this evidence:

On May 28, 2014, Lisa Marie Roberts was released from prison in Oregon. She had been in custody since pleading guilty to manslaughter in 2004. When Roberts’s trial attorney learned that the state’s evidence included the pinpointing of Roberts’s location at the time of the crime using cellular tower data, he urged her to take a plea. The prosecution claimed that Roberts’s cellular phone records placed her specifically in Kelley Point Park at the time they believe the victim’s body was dumped there. Investigators used the aforementioned technique of tracing phone calls made by Roberts that day to show that not only was her alibi not credible, but also that she was exactly in the location where the body was found. On appeal, the defense’s expert testified that the notion that the nearest tower to a cell phone is per se the one that facilitates the call is not testable, reliable, or provable science.

The appellate court decided that it was because of this flawed evidence that the trial attorney encouraged Ms. Roberts to take the deal, without which she would not have pleaded guilty to a crime she says she did not commit. This myth of the police’s ability to track missing persons or suspects by their cellular phone by using only single tower data is commonly accepted and unchallenged by defense counsel. Attorneys should consider consulting with a cell tower forensics expert to determine the reliability of this evidence and whether this evidence can either locate the defendant at the scene of the crime or support an alibi.

To read Ms. Roberts’s granted Habeas Corpus Motion for Ineffective Assistance of Counsel, click here.


Filed under Digital Forensics

Defense attorney taps into the NSA’s surveillance of telephone metadata in hopes of finding exculpatory evidence

Among the documents leaked by Edward J. Snowden to the Guardian in June 2013 was an April 2013 order by the FISA Court directing Verizon to provide the National Security Agency (NSA) records of “telephony metadata” for all foreign calls between the U.S. and other countries and all domestic calls within the U.S., including local calls. After the Verizon Order was published, the Wall Street Journal reported that since 2006 AT&T, Sprint, and Verizon have been providing metadata to the NSA every three months, which the NSA stores in a large database. The metadata provided to the NSA includes the telephone numbers on both ends of the call, the locations where the call was made and received, the duration of the call, and the time of the call. The collection of metadata is indiscriminate, meaning that it is collected from all U.S. citizens making phone calls, not just those suspected of terrorism or other criminal activity. Although the conversation itself is not recorded, the compilation of records detailing who Americans are calling, for how long they speak, and from where they are speaking can reveal information that may be relevant in criminal cases.

According to this article by NBC News, a defense attorney in Florida is attempting to gain access to the telephone records compiled by the NSA in an effort to prove his client’s innocence in a murder trial. The defendant, Terrance Brown, claims that the NSA records can prove his innocence by showing that he was not at the scene of the crime when the murder took place. Brown’s cell phone provider, MetroPCS, was unable to produce the records during discovery because they had already deleted the records from their database.

Click here to read the order by District Court Judge Robin Rosenbaum requiring the federal government to respond to Brown’s discovery request for the NSA records. In response, the government filed a motion stating that the telephone metadata is classified and whether or not the government has the phone records is also classified. Specifically, the motion states that the government does not have the cell site information sought by Brown. The government also cites the Classified Information Procedures Act (CIPA) which allows the government to speak with the judge in camera and ex parte regarding classified information to explain what data it does or does not have.

According to the NBC News article, experts say that the “novel legal argument” used by Brown’s attorney could encourage other defense attorneys to pursue the records held by the NSA database during discovery. Before June 2013, attorneys were unaware that these NSA records existed, but according to Mark Rasch, former head of the Department of Justice Computer Crimes Unit, “now lawyers know, and they will ask for it.” Rasch notes that “you can’t hold massive amounts of personal data with impunity” and there are responsibilities that come with storing data which could open the NSA up to discovery.

In most cases, the cell phone provider is the best source for getting telephone records as it is not clear what records the NSA has collected or whether courts will order that the NSA provide this information through discovery in criminal cases. However, cell phone providers delete data after a certain period of time. In cases where the cell phone provider does not have the requested data and defense attorneys believe that cell phone data can provide exculpatory information, attorneys may consider seeking discovery from the NSA.


Filed under Digital Forensics

Digital Forensics for Attorneys

The UNC School of Government has posted a new on-demand virtual CLE entitled, Digital Forensics for Attorneys. Digital forensics expert Larry Daniel teaches this one-hour course which attorneys can view for free or purchase for $50 if CLE credit is needed. Daniel’s program provides an overview of digital forensic concepts, case examples, and relevant terminology. Attorneys will learn the basic information needed to understand the process of computer and cell phone forensics; the primary areas of focus in digital forensics; and the proper methods for search and seizure of electronic evidence.

Daniel discusses document metadata and the capabilities of computer forensic recovery of email, internet history, documents, and pictures. He also provides answers to common questions, such as: What is a forensic copy of a hard drive? What kind of information can be recovered?  How do I know if the evidence was properly obtained and preserved? What is a computer forensics expert and what should an attorney expect from such an expert?

This program is a great way for attorneys to learn more about the type of analysis performed on digital devices and is an excellent refresher for anyone confronting digital forensic evidence in a case.


Filed under Digital Forensics, Resources