Digital Forensic


Digital Evidence as Alibi

MSDF 630 – Digital Forensics Evidence

Learning Objectives

Investigating an Alibi

Time as Alibi

Location as Alibi

Investigating an Alibi

An alibi is a defense used in criminal procedure. The accused presents evidence that he or she was in another place at the time the alleged offense was committed.

When investigating an alibi, the key things you need to focus on are the time and location of the user, based on the computing devices used in the commission of the crime.

Digital Forensics and the alibi

Digital Forensics and the false alibi: Always remember that computer times and IP addresses can be manipulated.

Always verify the time settings on a device, how time is set, and review logs for time discrepancies.

Always verify the network settings on a device, how the IP address is set, and review logs for discrepancies as well as indications of IP assignments.

The more locked-down the computer and network, the more reliable the alibi.

Garlasco Case (Italy)

Alberto Stasi charged with killing Chiara Poggi

Problems with the evidence

Alibi defense not immediately raised.

System crashed after the fact (70% of data lost)

Initial police forensic exam was done incorrectly & changed data.

Second review was more detailed and more disputed.

Lack of computer skills was inferred to show that the clock was not altered.

Numerous Appeals

Guilty verdict was based on the interpretation of the judge.

The further away from the time of the crime that the evidence is obtained, the less likely it will serve as an alibi.

Alibi Evidence in Italy

Alibi evidence alone cannot result in a guilty verdict.

Alibi evidence is not required as proof of innocence.

A judge cannot use alibi evidence against the defendant just because the alibi could not be proved.

If the alibi evidence indicates the alibi is false, the evidence may be used as evidence of dishonesty.

Time as Alibi

Time may be the easiest part of an alibi to investigate from a digital forensics perspective.

Things to Look for in a Time Alibi Investigation

Check the logs for evidence of tampering. (e.g., out of sequence entries or gaps in the logs.)

Check the timestamps in the various protocols to compare times.

A protocol may include a time stamp in a header that does not match the timestamp on the suspect’s computer.

Network packet capture logs may show times that differ from the local file’s times.

Check for previous attempts to alter time on the computer. It shows intent and is more likely to show early failures and improvements.
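
Added example (not part of the original slides): a minimal check for the log-tampering signs listed above, namely out-of-sequence entries and gaps. The log format (record id, ISO 8601 timestamp, message), the sample entries, and the two-hour gap threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: "<record id> <ISO 8601 UTC timestamp> <message>".
# Records are listed in the order they were written to the log.
SAMPLE_LOG = """\
101 2024-03-01T18:02:11+00:00 user logon
102 2024-03-01T18:15:40+00:00 browser started
103 2024-03-01T17:05:02+00:00 document saved
104 2024-03-01T17:20:30+00:00 document saved
107 2024-03-01T22:45:00+00:00 user logoff
"""

def parse(line):
    """Split one log line into (record id, timestamp, message)."""
    rec, ts, msg = line.split(maxsplit=2)
    return int(rec), datetime.fromisoformat(ts), msg

def find_time_anomalies(text, max_gap=timedelta(hours=2)):
    """Return (kind, record_id, detail) findings in write order."""
    findings = []
    prev = None
    for line in text.splitlines():
        if not line.strip():
            continue
        rec, ts, _ = parse(line)
        if prev is not None:
            prev_rec, prev_ts = prev
            # Record ids should increase by one; a jump suggests deleted entries.
            if rec != prev_rec + 1:
                findings.append(("missing_records", rec,
                                 f"{prev_rec + 1}-{rec - 1} absent"))
            # A later record with an earlier time suggests the clock was set back.
            if ts < prev_ts:
                findings.append(("clock_went_backward", rec,
                                 f"{prev_ts - ts} earlier than record {prev_rec}"))
            elif ts - prev_ts > max_gap:
                findings.append(("time_gap", rec,
                                 f"{ts - prev_ts} with no entries"))
        prev = (rec, ts)
    return findings

if __name__ == "__main__":
    for finding in find_time_anomalies(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead to verify against an independent time source (for example, server-side or network logs), not proof of tampering on its own.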

Gipson v. Sheldon (6th Circuit, 2016)

Gipson charged with murder

Appeals court did not mention evidence that raised doubt

Gipson arrived in downtown Detroit, two hours away, at 8:13 p.m.

Only one witness linked Gipson to Harper's residence before 8:13 p.m.

No alibi, since the State proved through the cell phone records that Gipson was in Sandusky earlier in the evening of the crime.

The time/location evidence was not withheld from the defense.

Cell Phone Tracking – The technical facts

Cell phone records include:

The antenna(s) with which the cell device connects

The azimuth of the antenna (direction of the cell device to the antenna(s))

Timestamps related to when the connection was started and stopped.

Cell towers are not the only way to find a device location:

GPS data

Atmospheric data

Accelerometer data

Location as Alibi

Never forget that just because you can place a device in a particular location, that does not prove that the suspect was with the device.

Things to Look for in a Place Alibi Investigation

Look for automated tasks that may simulate activity.

Look for remote desktop software and logs indicating it was used.

Never assume that just because a device was elsewhere, that the owner was with the device.

Example: Left the phone at home instead of taking it to the crime.

Example: Left the phone in a friend’s car to set a false alibi.

Remember that technology can be more complex than it once was

A device can have more than one network card or SIM

Computers can spoof other computers

Douglas v State (Ga. SCt, 3/5/2018)

Murder case – evidence was sufficient to convict:

Cell-phone records indicated that, at the time of the shooting, the suspect’s mother’s cell phone was within two miles of the scene

Testimony established the suspect sometimes used his mother's cell phone and also traveled in the same car with her

Additional evidence

Suspect was identified as the shooter by the surviving victim

Suspect was discovered with the murder weapon while driving a vehicle that:

Had been spotted leaving the murder scene by a second witness

Was driven by a female resembling his mother

Summary

Always remember that just because you cannot find the evidence, that fact does not prove or disprove an alibi.

Collusion and conspiracy may make it easy to prove a false alibi. Do not stop investigating just because you found some evidence supporting the alibi.

A false alibi, including attempts to hide or destroy evidence, usually leaves as much evidence as the evidence the suspect was trying to eliminate.