• Dave Hulshizer

Creative Digital Forensics - 3 Case Studies

Cases used to go unsolved a lot more often than they do today - and much of that can be attributed to forensics - whether we're talking DNA or digital. The phrase, "crime scene" often conjures up a gory image consisting of blood spatter, bullet holes and a chalk outline. But, many times the crime scene consists of a digital device with a story to tell and more evidence than any taped off area could possibly provide. When it comes to digital evidence, the story's protagonist is a detective behind a screen - not Sherlock Holmes or Matlock.

Attorneys have become very comfortable working with traditional types of digital evidence (e.g., email, text messages, social media profiles, standard PC files, etc). There is a lot to learn from these forms of evidence, but a professionally trained digital forensics examiner has a lot more creative ways to find information, especially as technology evolves and our world becomes increasingly digitalized. Many times technology is underused, and important, key evidence is overlooked if you do not utilize a trained professional.

With 95% of the Americans owning mobile phones today [1], the existence of data is staggering. But, it is more than mobile phones that are part of a digital investigation. Other devices like laptops, desktops, tab, juke box, Play Station, smart watches, and everything under the Internet of Things (IoT) family are responsible for exchange of data. The advancement of technology adds more to the volume of data, and therefore, digital forensics has expanded. The emergence of highly sophisticated devices has also sparked the need for advanced digital forensics software and equipment, which further stresses the need for a professional to conduct this work.

In this article, we are going to examine three case studies that were solved through the use of creative and professional digital forensics.


The Facts: The case of Howze v. Western Express, Inc. revolved around injuries caused when a tractor-trailer forced a motorcycle off the road. The truck in question could not be definitively identified by an eye witness, although the witness recalled that the trailer logo read “Western Express.” The defendant’s trucks were equipped with asset trackers which included a GPS feature. Data from the trackers was collected and retained in a centralized database. The defendant claimed that a search of the database showed that it had no trucks on the road in question on the night of the accident. To counter that claim, the plaintiff cited Western Express’ six-month GPS data retention policy, and challenged the validity of the defendant’s search, which was conducted 27 months after the accident. The judge decided that there was a question of material fact that needed to be sorted out by a jury.

The Takeaway: Asset trackers take advantage of GPS, Wi-Fi and Bluetooth technology to allow organizations to monitor their moveable assets. They may collect basic locational data or may have expanded features that capture other information like diagnostics, messaging, weather conditions, or compliance data. They are used to track high-value, moveable assets (e.g., fleet vehicles, construction equipment, medical devices) and are starting to show up in the growing array of consumer IoT devices. This case helps demonstrate that asset tracker evidence is highly probative. As in Howze, the client’s database can be searched or the data can be extracted to a better platform to help understand and preserve the who/what/when/where details in a controlled manner. Howze also demonstrates the need to handle structured data (i.e., records stored in a database) in a defensible manner. Structured data should be collected and validated early in the investigation to avoid destructive events like a regularly-scheduled database purge. Handling of the structured data should be defensibly documented.


The Facts: Connie Dabate was murdered in her home in 2015. According to the arrest warrant, her husband, Richard, provided an elaborate explanation of the day’s events, claiming that he returned home after receiving an alarm alert. Richard went on to claim that, upon entering his house, he was immobilized and tortured by an intruder. He told police that the intruder then shot and killed Connie when she returned home from the gym. Relying on evidence collected from Connie’s Fitbit, police were able to show that she had been in the house at the time Richard said she was at the gym. According to the Fitbit’s data, Connie stopped moving one minute before the home alarm went off.

The Takeaway: Wearable devices like Fitbits monitor location via GPS and activities like distance traveled, steps taken, sleep time and heart rate. The devices are configured to synchronize data to applications on smartphones and personal computers or to cloud or social media sites. Evidentiary collections can be made from either of these sources using standard digital forensics tools and techniques.


The Facts: Following the Russian annexation of Crimea in February 2014, international tensions built over allegations that Russian troops were operating in other parts of Ukraine. Russian officials repeatedly denied these allegations. Starting in late June 2014, Alexander Sotkin, a sergeant in the Russian Army, posted a month-long series of selfies taken from his cell phone to his public Instagram account. The press picked the story up when it was discovered that the jpeg files posted included geotag metadata, and that the geotags and pictures showed the sergeant moving on-duty from a military base in Russia into eastern Ukraine and then back to the base.

The Takeaway: Geotags, such as those embedded in Sotkin’s pictures, are a form of locational metadata. Geotags generated by smartphones tend to be very accurate and are associated with other types of file metadata, like date- and timestamps. Combine these attributes with the conventional wisdom that a picture is worth a thousand words and reports showing that smartphone users take over 150 pictures per month, and you have a treasure trove of data to pin down who/what/when/where details during an investigation.

Geotags and other types of locational data can also be embedded in other types of files, such as video files and SMS text messages. Other cell phone locational data can be drawn from routes stored in mapping applications, Wi-Fi connections, cell towers in call history and applications like weather or real estate tools.

No aspect of the world we live in changes faster than digital technology. Today's investigations find themselves in a technologically different landscape. Key Forensics can help you think creatively and in our technological world, a thorough and strategic digital investigation can be essential to a successful outcome.


[1] https://www.pewinternet.org/fact-sheet/mobile/