Posts Tagged ‘Forensic science’
Back in the last part of 2011 RMRI, Inc. was called upon to review a case in Camdenton, MO. The case involved a young man who had three illegal files on his computer. The state of Missouri Family Services Division has what is known as a “Stat Team”; this is the team of Investigators that conducts technical investigations for the Division of Family Services. The “Stat Team” conducts Computer Forensics Examinations in cases where they might have a complaint of sexual abuse in the family home. If the “Stat Team” finds illegal content on the computer being examined, the Investigator that did the examination can refer the case for prosecution.
In the case that RMRI, Inc. was contacted about, the Missouri “Stat Team” found three images of an illegal nature on the defendant’s computer. Often RMRI, Inc. will be called in by the defense attorney to consult on these types of cases. Because these cases are so technical by their very nature, the Defense Attorney often wants to call on an expert to explain exactly what occurred on the defendant’s computer that resulted in these charges, to interpret the evidence since it will usually consist of a good deal of technical jargon, and to see if the Investigator made any statements that might indicate that he or she did not correctly interpret their evidence. RMRI, Inc. has some of the best expert witnesses in the state of Missouri for cases involving almost all manners of digital evidence. RMRI, Inc. has a “Technical Team” of two experts that have a combined fifty years of experience in working with everything from software development and programming, source code analysis, virus and malware defense and protection, computer repair, and file recovery to computer security consulting and forensic acquisition techniques.
When RMRI, Inc. is first called in to consult on a case of this nature the first thing that we want to do is see all of the discovery on these cases. We want to see the report from the Investigator that did the forensic analysis of the computer in question, we want to see any deposition material where the Investigators were deposed by the defense attorney, we want to see any interviews conducted with the defendant, and anything else that the prosecution has provided that will give us an accurate picture of what happened to cause the defendant to be charged. RMRI, Inc. also wants to be present for any testimony that the Investigator that worked this type of case gives.
In the present case that we are discussing here, the testimony of the Investigator that conducted the computer forensics examination on the defendant’s computer gave us great pause as to whether this Investigator correctly interpreted the evidence that he found on the defendant’s computer. In this case the Investigator believed that the defendant downloaded three illegal files to their computer for viewing. The reality of the case is that the defendant never even knew that these files resided on their computer. These files were simply thumbnails residing in the temporary file section of the defendant’s computer; they were put there as a result of the defendant looking at a website, NOT even knowing that this website would place these thumbnail images on their computer. Through careful and methodical research RMRI, Inc. was able to not only come to understand what had occurred on the defendant’s computer but was also prepared to prove what happened on the defendant’s computer.
The main figure in this case that was actually able to get this case dismissed at deposition without it ever seeing a trial was the attorney. The attorney is Deirdre O’Donnell of Phillips, McElyea, Carpenter, & Welch, P.C. who was one of the sharpest and most intelligent attorneys that I have ever worked with. Deirdre grasped the issues that we found very quickly, she understood our explanation of what occurred in this case, and she clearly understood what questions needed to be asked of the Investigator for the state of Missouri. Below are the contact details for Deirdre O’Donnell:
Firm: Phillips, McElyea, Carpenter, & Welch, P.C.
Phone Number: (573) 346-7231
Address: 85 Court Circle N.W., Camdenton, MO. 65020
After RMRI, Inc. heard the State’s Investigator testify, analyzed the discovery evidence, and then worked with Deirdre a little on going over what had occurred on the defendant’s computer, Deirdre decided to depose the State’s Investigator. RMRI, Inc. worked with Deirdre on some of the more technical questions that she would ask the State’s Investigator during deposition, and Deirdre already had a comprehensive understanding of the issues that we wanted to find out more about in deposition, but RMRI, Inc.’s Technical Expert wanted to make sure that Deirdre was armed with all of the questions necessary to give us a complete understanding of what led the State’s Investigator to apply for charges against the defendant in this case.
Deirdre O’Donnell spent countless hours preparing for this deposition, and she went into the deposition and started asking key questions of the State’s Investigator as to what he believed happened on the defendant’s computer, and why he believed as he did. The State’s Investigator had enough integrity and honor to admit shortly into the deposition that he did not have a complete understanding of how to conduct a forensic examination at the time of his testimony because he had only had the basic computer forensics course at that time; since his testimony he had taken an intermediary computer forensics course and has come to understand that some of what he testified to may not have been completely accurate. At this point in time the Prosecuting Attorney “nollied” (dismissed) the case against the defendant. The State’s Investigator and the Prosecuting Attorney showed a tremendous amount of integrity and honor once they came to an accurate understanding of what had occurred in this case.
Deirdre O’Donnell fought intelligently and passionately for her client. Deirdre worked this case in the most effective way possible and achieved the best possible outcome on this case. It takes a lot of work to convince a Prosecutor that he or she should drop charges and not proceed to trial. The Defense Attorney has to be able to clearly convince the Prosecutor that a crime was not committed; and Deirdre did that perfectly! God forbid, but if I ever have a legal problem in the Camdenton, MO. area the ONLY attorney I would hire in that part of Missouri would be Deirdre O’Donnell!
When researching a topic such as the one we are discussing here it is important to find the right people to question about certain issues that come up in these cases. Every Private Investigator has to have “Go To Guys”; people that specialize in areas of investigation and are considered experts in their fields. I have my own group of “Go To Guys” that I request consultations with in cases where I need to know something, or I may need to be able to refer an expert witness to an attorney. If it is financial crimes and fraud, I call Bill Branscum. If it is due diligence, criminal defense or civil litigation I call Sue Sarkis. If it is cyber investigations or more specifically Computer Forensics, although I have a well qualified staff, I still call Brian Ingram. These are people that I know are qualified, tried, and proven in their fields of expertise and I know I can rely on them to give me accurate information. I have several other “Go To Guys” that I also call upon, and this network of people enables me to be just a little more effective at what I do. When it comes to Death Investigations, I call Dean Beers. Dean Beers has an extensive resume, and his credentials, qualifications, and experience are second to none in the field of Death Investigations. Below is a small sampling of Dean’s qualifications and experience:
As a Certified Legal Investigator, I am very passionate about legal investigations and working with my clients to provide the best information and tools in advocating for our mutual client.
I formed my legal investigative agency in 1987, quickly becoming a leading and innovative provider of investigative, legal and trial support services. I left the private sector in late 2005 to accept a full-time position as a deputy coroner / death investigator with the Larimer County Medical Examiner’s Office, after graduating with honors from the Weld County Law Enforcement Academy. In late 2008 I returned to the private sector, focusing on Personal Injury, Negligence & Death, as well as Criminal Defense. This is built on my extensive education, experience and training in the private sector, as well as my internship, training and job experience at both the Larimer and Weld County Medical Examiners’ Offices.
Services include incident and scene investigations, causation of injuries and death, photography, videography, interviews, evidence collection, records and reports reviews, statement analysis, and many other related services. I have extensive education, training and experience in many investigative disciplines, and have also lectured extensively, written many articles and a book on individual locate investigations.
We are centrally located approximately one hour north of Denver, CO and one hour south of Cheyenne WY. We are pleased to bring our expertise and passion to the front range investigative and legal communities. We welcome your inquiries and the opportunity to assist you.
I am a member of the Professional Private Investigators Association of Colorado (PPIAC – senior), National Association of Legal Investigators (NALI), Colorado State Investigators Association (CSIA), Colorado Criminal Defense Bar (CCDB – investigator/affiliate), International Association of Identification (IAI / RMDIAI), and National Association of Medical Examiners (The NAME).
Extensive experience is in death investigation and related forensics. My specific areas are medical records review, autopsy protocol and report reviews, death and injury evaluation and causation, all incident and crime scenes, equivocal death, photography and videography, statement analysis and fingerprints lifting and comparison. In addition, we provide Individual Locates, Address Verifications, Assets & Liabilities Records, Civil and Criminal Histories and Complete Personal Profiles.
Dean Beers’s Experience
Chairman of the Board
Legal Services industry
November 2010 – Present (1 year)
Excited to lead the board in the continued forward professionalism of the members of the PPIAC. Our current professional licensing effort has gained momentum and is moving forward!
Region 5A Director – NCISS
National Council of Investigation and Security Services
Legal Services industry
September 2010 – Present (1 year 2 months)
Regional Director for CO WY NE & AZ for NCISS – the voice of professional investigators in DC. Duties include membership communication, recruitment and keeping our members informed.
Region 6 CLI Representative
CLI Committee – Region 6
Legal Services industry
July 2010 – Present (1 year 4 months)
I am the Region 6 Representative on the Certified Legal Investigator Committee for the National Association of Legal Investigators. I will be working with other CLI representatives and the CLI committee to further this exceptional certification and our profession. Region 6 includes CO, MT, WY, NM, AZ, UT and ID. There are six CLIs in the region.
Expert – Forensic Investigation, Pattern Injury Analysis and Investigative Protocols
Forensic Investigators of Colorado LLC (Self-employed)
Self-Employed; Legal Services industry
April 2009 – Present (2 years 7 months)
Qualified in Colorado district & county courts in Forensic Investigation, Pattern Injury Analysis and Investigative Protocols. Expert Consultant: crime scene, pattern injury, fingerprint comparison, investigative protocols, forensic photography and blood spatter.
Certified Legal Investigator / Owner
Associates in Forensic Investigations LLC (Self-employed)
Self-Employed; Legal Services industry
October 1987 – Present (24 years 1 month)
I have been a Professional Investigator since 1987. I have extensive experience in individual backgrounds and locates, as well as current education, training and experience in Personal Injury, Negligence & Death, as well as Criminal Defense supplemented by my recent position with the Larimer County Medical Examiner’s Office.
Legal Services industry
2008 – 2010 (2 years)
Deputy Coroner / Death Investigator
Larimer County Medical Examiner’s Office
Government Administration industry
September 2002 – August 2008 (6 years)
Beginning with training and internship and progressing into part-time then full-time, after graduating the Weld County Law Enforcement Academy. We were responsible for responding to and investigating deaths and incident scenes, assisting with autopsies and complete follow-up investigation.
Forensic Autopsy Assistant
Larimer and Weld Counties Medical Examiner’s Offices; Colorado Pathology Associates
Legal Services industry
September 2002 – August 2008 (6 years)
Assisted with forensic, medical and hospital autopsies.
Deputy Coroner / Investigator
Weld County Medical Examiner’s Office
Legal Services industry
January 2003 – June 2005 (2 years 6 months)
Certified Medicolegal Death Investigator and Deputy Coroner
As we can see, Dean Beers is well qualified to speak with us on the topic of Human Body Decomposition. I wanted to explore this topic a little because there is some debate on the accuracy of the “hit” that a Cadaver Dog made on the scent of a deceased human body in the Irwin home. I first want to understand the process of Human Body Decomposition, so I called Dean and asked him if he would spend a little time explaining this to me along with any experiences he may have had with Cadaver Dogs. I got a good education from Dean, and I think my readership here may also find that they will learn some interesting things here too.
First, I want to point out some facts that I learned from Dean; then I will give the audience here the entire audio file of the conversation that I had with Dean Beers.
(1) The human body starts to decompose almost immediately after death.
(2) The time frame in which a human body can be in a state of decomposition before a Cadaver Dog can pick up the scent of decomposition varies, but it can be as little as one (1) hour, and in almost all cases a Cadaver Dog can pick up the scent of decomposition within three (3) hours after death.
(3) Cadaver Dogs can detect “the scent of death” from bodies buried underground and from bodies that are under water.
(4) The smell of a human body in advanced stages of decomposition is so unique that a person can smell the scent just one time and remember it for years.
Now here is my conversation with Dean Beers on this topic in its entirety: Dean Beers on Human Body Decomposition
Dean also wants everyone to have a clear understanding of what is meant by decomposition from a medical perspective; so here is a quote from Dean that will help you to better understand how a Cadaver Dog can pick up the scent of a decomposing body even in a place where it has been for only one (1) hour to three (3) hours, but has also been moved away from after said period of time:
The process starts almost immediately after death with biological changes, causing build up of internal gases and bacteria. This can be in the first hour and is dependent on environment, decedent’s health, and chemistry (i.e. toxicology can have a role). These seemingly imperceptible changes are what develop the odor that can be left behind after a body is removed or can lead the Cadaver Dog to the body.
From listening to this audio file, you should gain a little more clarity on the probability of a Cadaver Dog making a “hit” on “the scent of death” in the Irwin home. It would seem that it was entirely possible for the Cadaver Dog to have made the “hit” on the scent of a decomposing body in the Irwin home.
I hope this is helpful to the public, and my readership gains just a little more of an understanding of the investigation into the disappearance of Baby Lisa Irwin.
Thank you all for your time.
Ricky B. Gurley
Last week the Missouri Lawyer’s Media did an article on a discovery issue that Prosecutors, Defense Attorneys, and Investigators have been wrestling with for a while now. In this article I was quoted by the reporter that interviewed me for this article. I wanted to take some time and elaborate a little further on my position in regards to this issue. First I’d like to present to you a copy of the article. I snipped the full article, but cropped out the other articles that were mentioned in this Trade Journal. Below is the entire article:
First of all I should state that I know some of the members of our Local Internet Crimes Task Force, and the ones that I know are good and honest people. I do trust the members of our local Internet Crimes Task Force and I don’t think they would ever do anything intentional that might send an innocent person to prison. I should caution anyone reading this that attempting to gain access to the hard drive of the investigating agency’s computer should not be the first course of action by the defense; a Digital Forensics Expert should first read the reports written by the Investigating Officers to try to determine if there is any cause to try to gain access to the investigating agency’s hard drive; often there is no cause to do so. I should also state that I am not an attorney but I think it is also fair to state that most of the attorneys mentioned in this article are not Digital Forensics Experts either; and certainly not Merilee Crockett as evidenced by some of her statements in this article. The first quote from Merilee Crockett that I noticed was this:
A lot of people believe that once something is on a hard drive it is there forever. That’s a myth. There are no layers. It’s either there or it is not.
Well, in essence that is true, but it is also over-simplistic. What is important to remember here in these types of cases is that we are dealing with Digital Evidence, and there is nothing simple about Digital Evidence. When someone tries to over-simplify how data on a computer is stored, over-written, or deleted there are a lot of key issues that get lost in the translation from complex to simple. First of all let me explain data deletion. When a file is “deleted” as the layman may believe, the file is not actually deleted initially; instead it is simply no longer linked to a “file tree” on the computer. The file is still on the computer for the time being, until another file is saved and the space where that old file resides is reallocated for the new file, and then the old file gets overwritten. So often Digital Forensics Experts will say something like this to a layman as an example:
Nothing is ever deleted from a computer, it is overwritten. Think of the data on a computer as layers of information, and think of computer forensic software as a tool that can lift these layers of data to expose what you thought was once “deleted”.
Now one must understand that this quote is usually being made by a Digital Forensics Expert trying to explain data storage and deletion to a layman. This too is an over-simplification of how data is stored, overwritten, and deleted. The difference is that what Merilee Crockett is saying here is for the purpose of trying to give an excuse as to why the defense should be hampered in discovery by limiting what can be key and important information that the defense needs, while all the Digital Forensics Expert is trying to do is give a layman an idea of what to expect in a Computer Forensic Examination. What may be the most accurate way to explain what happens is through this illustration listed below that was provided to me by a well known and world renowned Digital Forensics Examiner and close associate of mine, Brian Ingram.
How many computer novices and laymen do you think would completely understand that illustration above? There is one thing that is clear: if there is a file that occupies a portion of a cluster on a hard drive, then there is room for data from another file on the portion of that cluster that is not occupied. That portion of the cluster that is not occupied is called “File Slack”, and it is not only possible but also likely that a completely different file may occupy this same cluster in the unused portion of this cluster or the “File Slack”. This is a completely accurate illustration of the example that Digital Experts are trying to give laymen when they explain how data is overwritten and they use an example involving “layers of data”. And if you look at the example carefully, and read closely, you will see that Merilee Crockett did actually simplify this issue to the point that some key issues on how data is recovered from a hard drive are lost in her “translation” of how data is stored, over-written, and deleted from a hard drive.
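To make the deletion and “File Slack” discussion above concrete, here is an added example (not part of the original post, and not from Brian Ingram’s illustration): a toy disk model in Python showing that deleting a file leaves its bytes in place, and that a shorter file reusing the same cluster leaves part of the old file readable in its slack. The class `ToyDisk`, the 16-byte cluster size, and the file names and contents are all constructed for illustration.

```python
# Added illustration: a toy "disk" that mimics cluster allocation.
# Sizes, file names and contents are constructed for the example.
# Simplification: real file systems pad the final sector of a file (so-called
# RAM slack); here the whole remainder of the cluster keeps its old bytes.
CLUSTER_SIZE = 16      # bytes per cluster (real volumes commonly use 4096)
DISK_CLUSTERS = 4


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(CLUSTER_SIZE * DISK_CLUSTERS)  # every byte on the disk
        self.table = {}                          # name -> (cluster list, logical size)
        self.free = list(range(DISK_CLUSTERS))   # unallocated cluster numbers

    def _cluster(self, number):
        start = number * CLUSTER_SIZE
        return bytes(self.raw[start:start + CLUSTER_SIZE])

    def write_file(self, name, data):
        if not data:
            raise ValueError("toy model needs at least one byte")
        needed = -(-len(data) // CLUSTER_SIZE)   # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, number in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = number * CLUSTER_SIZE
            # Only len(chunk) bytes are written; the rest of the cluster
            # keeps whatever an earlier file left there.
            self.raw[start:start + len(chunk)] = chunk
        self.table[name] = (clusters, len(data))

    def delete_file(self, name):
        # "Deleting" unlinks the entry and frees the clusters; raw bytes stay.
        clusters, _size = self.table.pop(name)
        self.free = sorted(self.free + clusters)

    def read_file(self, name):
        # What the operating system shows the user: the logical size only.
        clusters, size = self.table[name]
        return b"".join(self._cluster(n) for n in clusters)[:size]

    def file_slack(self, name):
        # What a forensic tool can also read: the tail of the last cluster.
        clusters, size = self.table[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
        return self._cluster(clusters[-1])[used_in_last:]

    def unallocated(self):
        return {n: self._cluster(n) for n in self.free}


def demo():
    disk = ToyDisk()
    disk.write_file("old.txt", b"OLD-FILE-CONTENT")   # exactly one cluster
    disk.delete_file("old.txt")
    after_delete = disk.unallocated()[0]              # bytes survive deletion
    disk.write_file("new.txt", b"hello")              # reuses cluster 0
    return {
        "after_delete": after_delete,
        "new_content": disk.read_file("new.txt"),
        "slack": disk.file_slack("new.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The new file reads back as only its five bytes, while the remaining eleven bytes of the cluster still hold the tail of the deleted file, which is the sense in which examiners speak of “layers”.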
There is a reason that I gave the example of how an over-simplified interpretation of an issue such as what we are addressing here can be harmful. Prosecutors typically want to try to limit as much as they can with regard to discovery in a criminal case; but I should also say that there are a few Prosecutors that also believe in “Open Discovery” and Full Disclosure. There is nothing wrong with that, the defense also does the same thing. This is a good example of attorneys doing their jobs. But when a Prosecutor tries to limit evidence that can be exculpatory to the defendant; they start to breach a more sinister area resulting in a denial of justice to the defendant. As any good attorney knows this at the very least may border on what is known as a “Brady Violation”.
One of the key points that the prosecution tries to make when arguing against the defense looking at the hard drive from the Law Enforcement Agency that conducted the forensic examination on a defendant’s hard drive is that the hard drive from the Law Enforcement Agency’s computer will contain sensitive case information from other cases. If you read what Merilee Crockett has to say in this article, she proposes the same argument:
The hard drive contains chats from ongoing investigations. It has names of potential suspects never charged with crimes. It has the photos and names of underage personas used by undercover investigators, which a disgruntled defendant could easily post online. Defense attorneys can’t prevent that from happening. They have an ethical obligation to give the client everything they can
That sounds like a good argument; doesn’t it? I’d say that if I did not know what I know about Digital Forensics, encryption, and how to safely store data I’d agree with that as a good reason NOT to have to hand over the hard drive from the Law Enforcement Agency’s computer. But the problem with this argument is that there are a number of remedies that can be applied to the whole issue of exposing such sensitive case information to Defense Investigators. A digital image can be transferred to a hard drive and check-summed to show that it is a true bit image of the original hard drive from the defendant, and all of the notes and other such pertinent information that is gathered in the course of the investigation of the specific case in question can also be transferred to that same hard drive; thereby consolidating the case information generated from the Law Enforcement investigation onto one hard drive for the Defense Investigator and keeping all of the other non-pertinent sensitive case information protected. Encryption could also be used on the hard drive belonging to the Law Enforcement Agency to limit what is viewed to only the pertinent data that applies to the case at hand. Under the Adam Walsh Child Protection and Safety Act the Defense Investigator has to view the evidence at the Law Enforcement Agency’s facility, so a Law Enforcement Officer can easily sit down and decrypt the section or sections of the hard drive that need to be examined by the Defense Investigator, thereby protecting all of the non-pertinent sensitive case information on the hard drive in question. The court can also impose orders that limit what the Defense Investigator can discuss with the Defense Attorney and their client to only case related material.
There should also be multiple computers that are being used by the Law Enforcement Agency tasked with these types of investigations that have specific purposes; for example the computer that is being used to image and analyze the defendant’s hard drive should be a standalone computer, not attached to the Internet in any way, that has all wireless adapters turned off; this way there is a minimal chance of any evidence corruption issues. The computer that is used to chat with potential offenders should also have that one specific purpose; this way with the use of encryption all chat logs for a specific case can be freely examined by the defense in these types of cases. Are some of these methods labor intensive? Sure, but we are discussing a criminal case in which there is a possibility that a person can be wrongly accused, sent to prison, put on a sex offender registry for the rest of their life, and have their entire life negatively impacted as a result; isn’t doing everything we can to eliminate that possibility worth a little more work? There are ways around this issue, IF the concern here is a level playing field for the defense.
There are always questions in these cases when it comes to best practices in the forensic analysis of the defendant’s computer, evidence preservation and storage, and evidence spoliation issues. Often these issues are insignificant enough that the chance of them presenting a problem in a case is so unlikely that they don’t warrant any consideration. I am not saying that I don’t trust that Law Enforcement is doing the best they can to make sure that their evidence is correct, but I am saying that it is real easy to make a mistake in cases that involve digital evidence. However, when these questions rise to a level of concern to cause a realistic possibility that they could impede a defendant’s right to a fair trial, and the Defense’s expert can clearly articulate the reason for that concern, the court should weigh the defendant’s right to a fair trial against the possibility that the investigating agency may have to expose some of its sensitive data to the Defense team. In my personal opinion; if you are looking at sending a man to prison for ten (10) years, then his right to a fair trial trumps a risk of exposure of sensitive data from the investigating agency’s computer.
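One way the check-summing remedy described above could be carried out, shown as an added example that is not from the original post: a SHA-256 manifest is recorded for everything placed on the consolidated case drive, and the Defense Investigator re-verifies it later. The file names, the function names (`build_manifest`, `verify_manifest`) and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the drive as it is now with the manifest recorded at hand-over."""
    current = build_manifest(root)
    return {
        # Content changed since hand-over (even a single bit).
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        # Listed at hand-over but no longer present.
        "missing": sorted(p for p in manifest if p not in current),
        # Present now but never listed, e.g. material from another case.
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    with tempfile.TemporaryDirectory() as root:
        image = os.path.join(root, "defendant_drive.dd")
        notes = os.path.join(root, "examiner_notes.txt")
        with open(image, "wb") as handle:
            handle.write(bytes(range(256)) * 64)   # constructed stand-in image
        with open(notes, "w") as handle:
            handle.write("Constructed sample note.\n")

        manifest = build_manifest(root)            # recorded at hand-over
        clean = verify_manifest(root, manifest)

        with open(image, "r+b") as handle:         # flip one bit in the image
            handle.seek(1000)
            original = handle.read(1)
            handle.seek(1000)
            handle.write(bytes([original[0] ^ 0x01]))
        os.remove(notes)
        with open(os.path.join(root, "other_case_chat.log"), "w") as handle:
            handle.write("constructed unrelated material\n")

        changed = verify_manifest(root, manifest)
    return clean, changed


if __name__ == "__main__":
    print(demo())
```

The "unexpected" list matters as much as the "modified" one here, because it shows whether anything outside the case at hand ended up on the drive given to the defense.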
There are a number of questions that the Defense Investigator should be trying to answer when looking over the discovery material from the prosecution.
(1) Was the computer that was used to conduct the Digital Forensic Examination attached to the Internet?
(2) What digital forensic software was used to conduct the examination with?
(3) Was there a virus scanner used by the investigating agency to see if the defendant’s hard drive may have a virus, Trojan, or some other type of malware that could have caused any content to be downloaded to the defendant’s computer without the defendant’s knowledge? If so, what virus scanner was used, what version, was it updated, and are there any known vulnerabilities associated with the virus scanner?
(4) Are there any anti-forensic tools on the investigating agency’s computer? If there are; why are they there?
These are only a small sampling of the questions that the Defense Investigator should be asking and trying to answer by reading the discovery material. If enough of these questions are answered in such a way that they give the Defense Investigator clear concerns that may need to be further examined, then it may be necessary to ask for the hard drive from the investigating agency’s computer. The Defense Investigator should be able to clearly articulate these concerns to the court and explain the impact that they may have on the evidence. If the court finds that the Defense Investigator gave a reasonable accounting to the court of his or her concerns, and the court is convinced that these concerns are realistic; then perhaps it is not such a bad thing that the Defense Investigator is given what he or she needs to further explore these concerns instead of having to be forced to trust a detective that may not even know if he or she made a mistake in how they gathered and handled the case evidence?
I have noted that Merilee Crockett has compared handing over the hard drive from the investigating agency’s computer in cases that involve digital evidence to handing over a breathalyzer machine. One difference to note in these two examples is that with regard to digital evidence, usually the defense gets a copy of a detailed report from the investigating agency that outlines their computer examination in fair detail. With breathalyzer tests, there is less detail, and fewer tools and procedures for the Law Enforcement Officer to detail in his or her report, thus short of a fishing expedition there usually is not enough information to articulate a need to examine the breathalyzer machine source code. In People v. Cialino, 831 N.Y.S.2nd 680, 681 (Crim. Ct. 2007) the court did not deny access to the breathalyzer source code because it was not significant to the case; the court denied access to the breathalyzer because the defense could not clearly articulate why access to the breathalyzer source code was significant to the case. This can be seen in the language the court used when the court first called the defendant’s request a “fishing expedition” but then went on to say “it is incumbent on the defendant to show that a software change has altered the reliability and accuracy of the machine” and the court said that the defendant had not provided a reasonable basis that changes in the software of the Intoxilyzer 5000 had caused it to become unreliable. So the court left the door open for the examination of the source code of the breathalyzer machine in question, but it required a clear articulation as to why it would be reasonable for the defense to be permitted to examine the source code.
In cases involving digital evidence that is gathered from imaging a hard drive, the investigative agency’s digital forensic analysis report will usually allow the Defense Investigator more information on the software used, processes used, and evidence interpretations made by the Detective to form any questions that might be pertinent to the case and research these questions to see if there may be good cause and NOT just a “fishing expedition” to ask for the hard drive from the investigating agency’s computer.
In summary; I am not saying that in every case the defense should have access to the investigating agency’s computer hard drive. What I am saying is that the courts should try to be open to seriously considering any request by the defense to examine the investigating agency’s hard drive if the defense can clearly articulate a need to do so. In my mind the whole issue comes down to a balancing act; the court should balance the defendant’s right to a fair trial against the need for Law Enforcement to keep sensitive case information confidential; once a clear articulation is made by the defense that demonstrates that there are reasonable issues that need to be explored by the defense in order to defend the defendant against any evidence corruption issues that may negatively impact the defendant’s right to a fair trial.
Ricky B. Gurley