VIOLENT CRIME AND DIGITAL EVIDENCE

Violent crimes are challenging to investigate not only because of the severe
behavior that is involved, but also the complexity of formative events and relationships.
That is to say, these types of crimes do not happen in a vacuum.
For instance, the victim may know or have a relationship with the offender.
This can involve a history of emotional distress, perhaps marked with violence
and prior crimes. The crime may also be the result of a destructive outburst
that both creates and destroys evidence; or a long period of pressure, anticipation,
and build-up that lends itself to premeditation and careful planning. In
cases where violent offenders target strangers, it can be challenging to develop
potential suspects, let alone determine their connection to the crime with any
degree of certainty. This is especially true when the offender is both skilled and
experienced.
THE ROLE OF COMPUTERS IN VIOLENT CRIME
The key to any investigation is information, which has value only when it is properly
recognized and collected. In the modern world, information is very often stored in digital
form (e.g., cell phones, PDAs, laptops, and GPS devices). As a result, some of the most
informative and objective witnesses in violent crime investigations are computers and
networks. Digital investigators can use information gleaned from many forms of digital
evidence to find likely suspects, uncover previously unknown crimes, develop leads, build
a more complete timeline and reconstruction of events, and check the accuracy of
witness statements and offender statements
Cybertrails

Computers may contain useful information about the Internet activities of

individuals involved in a violent crime. For instance, computers have been known to
contain communications between the victim and offender, especially in cases of
intimate homicide. Consider the killing of Yeardley Love, which occurred in her room
at the University of Virginia. Her boyfriend, George Huguely, a lacrosse player, took
her computer from the scene in an apparent attempt to conceal his online
communications with her, including references to previous instances of domestic
violence.

Mobile Devices
Mobile devices may contain information about communications as well as audio or
video recordings relating to an offense. For example, two brothers, aged 10 and 11,
captured portions of their assault of two other boys on video using the mobile
phone of one of the victims (Walker, 2010). Mobile devices may also provide the
location of victims and suspects at key times. In one homicide case, Joe O’Reilly
claimed that he was at work when his wife was killed but his cell phone location
showed him traveling from work to the scene of the crime and then returning to
work. His location and the direction he was moving were confirmed by digital
evidence obtained from CCTV cameras.
Personal Computers
A victim’s computer may contain a diary and frequently retain sent and received
e-mails that offer a unique view into his/her personal life. This can include evidence of
fantasies, criminal activity, and clandestine relationships that even
friends and family do not know about. Digital evidence may be useful for locating
a missing person when it contains clues of whom she communicated with and
where she might have gone. For instance, after Chandra Levi was reported missing,
an examination of her laptop revealed an Internet search for Klingle Mansion in
Rock Creek Park in Washington, D.C. Although initial searches of the park did not
uncover her body, her remains were found a year later in a remote area of the park.

Private Networks
As discussed in Chapter 1, privately owned networks can also be a rich source
of information when investigating violent crimes. These networks usually contain
a higher concentration of digital information (more bits per square foot)
about the individuals who use them, making it easier to find and collect relevant
digital data than on the global Internet. Information gathered in digital
form by other businesses such as banks, telecommunication providers, credit
card companies, and electronic toll collection systems can reveal a significant
amount about an individual’s whereabouts and activities. In some cases, data
such as medical records entered routinely by an individual or organization can
become important in a violent crime investigation.
10.1.5 Intent and Motive
In addition to providing concrete leads, a murderer’s computer or mobile
device may disprove offender statements, show his intent to commit a crime,
and uncover evidence of staging such as a fake suicide note created after the
victim’s death. For instance, Reverend William Guthrie was sentenced to life in
prison partly on the basis of digital evidence showing that he used a computer
to search online for ways to kill his wife and to fabricate a suicide note several
months after her death
Processing The Digita l Crime Scene
Violent crime investigations are generally messy and complicated because of
the extreme emotions, concealment behavior, and various types of evidence
involved. These investigations require a methodical approach to ensure that
all relevant items are recognized, collected, and examined properly. Given
the scope and consequences of violent crimes such as rape and homicide, it
is advisable to seek out and preserve all available digital evidence—not just
what is proximate to the crime scene. In addition, the offender may have
taken steps to conceal incriminating data or misdirect investigators. Provided the
proper authorization is obtained, digital evidence searches can include the
victim’s and suspect’s home and workplace, and other places they frequent.
Given the amount of effort involved, it is generally necessary to have a team
working together to preserve all of the digital evidence related to a violent
crime. Although such thorough search and seizure can be disruptive to an
organization when one of their employees is involved, the impact can be
mitigated by careful planning and working closely with system administrators
when feasible.
10.3 INVESTIGATIVE RECONSTRUCTION
The investigative reconstruction process involves pulling all evidence together
and letting it speak for itself. It is meant to be an objective learning exercise,
without an expected outcome. In any digital investigation, but particularly in
violent crimes, it can be a challenge to piece everything together and obtain
a coherent picture. A major challenge in digital investigations is that the evidence
is a static result of dynamic events. Certain digital evidence may not be
available or may be incomplete, particularly when evidence dynamics have
occurred as discussed in Chapter 1. Even in the ideal case, when all digital evidence
is available, only certain events are captured in a static form, leaving gaps
that may never be filled. For example, digital traces may show that a victim
arranged to meet a prime suspect on the afternoon she was killed, but may not
prove that she actually met him. Furthermore, in violent crime investigations,
there is generally a substantial amount of information from many different
sources. Therefore, reconstructing all of the events that led to the available
evidence may require substantial forensic analysis and may be open to multiple
interpretations.
Case Example: Guilt by GPS Tracking
In 2007, George Ford was accused of intentionally running over 12-year-old Shyanne
Somers, who he was supposed to drive home after she baby-sat for his family. Ford
claimed it was an accident that occurred around midnight and there were no
witnesses to prove him wrong. However, a GPS device that his wife had placed in his
car showed that he was lying about his journey on the night in
question. The location of Ford’s car could be reconstructed in detail and revealed that
he had actually taken the victim to a house for several hours until around 3 AM before
driving to the location where her body was found. Based on this digital evidence, Ford
was found guilty of second degree murder and sentenced to 25 years to life (Grace,
2009).
DIGITAL EVIDENCE AS ALIBI
Case Example (People v. Durado, 2001)
•Jerry Durado was found guilty of killing his parents despite his claim that he was at
work in Boeing’s Long Beach offices 300 miles away. A forensic analysis of activities
on his workstation showed that the only activity on his computer at the time was the
result of a routine virus scan.

•In addition, telephone calls, credit card purchases, subway ticket usage, automated
toll payments, and ATM transactions are all supported by computer
networks that keep detailed logs of activities. Telephone companies keep a
record of the number dialed, the time and duration of the call, and sometimes
the caller’s number. In addition, when mobile devices are involved, telephone
companies may be able to determine the location of a defendant’s mobile
device at crucial times.
•Credit card companies keep records of the dates, times, and locations of
all purchases. Similarly, banks keep track of the dates, times, and locations
of all deposits and withdrawals. These dates, times, and locations reside on
computers for an indefinite period of time and individuals receive a report
each month with some of this information in the form of a bill or financial
statement.
Other computer networks, like the Internet, also contain a large amount of
information about times and locations. When an e-mail message is sent, the
time and originating IP addresses are noted in the header. Log files that contain
information about activities on a network are especially useful when investigating
an alibi because they contain times, IP addresses, a brief description of
what occurred, and sometimes even the individual computer account that was
Involved.

When dealing with an alibi based on digital evidence, keep in mind that computer
times and IP addresses can be manipulated, allowing a criminal to create
a false alibi. On many computers it requires minimal skills to change the clock
or the creation time of a file. Also, people can program a computer to perform
an action, like sending an e-mail message, at a specific time. In many cases,
scheduling events does not require any programming skill—it is a simple feature
of the operating system. Similarly, IP addresses can be changed, allowing
individuals to pretend that they are connected to a network from another location.
Therefore, investigators should not rely on one piece of digital evidence
when examining an alibi—they should look for an associated cybertrail.
1.Investigating an Alibi
When investigating an alibi that depends on digital evidence, the first step is
to assess the reliability of the information on the computers and networks
involved. Some computers are configured to synchronize their clocks regularly
with very accurate time satellites and make a log of any discrepancies. Other
computers allow anyone to change their clocks and do not keep logs of time
changes. Some computer networks control and monitor which computers are
assigned specific IP addresses using protocols like BOOTP and DHCP. Other
networks do not strictly control IP address assignments, allowing anyone to
change the IP address on a computer.

2. Time as Alibi
Suppose that, on March 19, 1999, an individual broke into the Museum of Fine
Arts in Boston and stole a precious object. Security cameras show a masked
burglar entering the museum at 20:00 h and leaving at 20:30 h. The prime
suspect claims to have been at home in New York, hundreds of miles away
from Boston, when the crime was committed. According to the suspect, the
only noteworthy thing he did that evening was to send an e-mail to a friend.
The friend is very cooperative and provides investigators that particular e-mail.
11.3 Location as Alibi
Suppose that the same precious object was stolen again when the burglar from
the previous scenario was released from prison a few months later. This time,
however, the burglar claims to have been in California, thousands of miles away,
starting a new life. The burglar’s parole officer does not think that the suspect left
California but cannot be certain. The only evidence that supports the suspect’s
alibi is an e-mail message to his friend in Miami. Though the suspect’s friend is
irritated at being involved again, she gives the investigators the respective e-mail.
11.4 Summary
As digital investigators learn about new technologies, it is useful to think about
how they will affect routine aspects of investigations such as alibis. With people
spending an increasing amount of time using mobile devices, computers, and
networks, there are bound to be more alibis that depend on digital evidence.
Computers contain information about times and locations that can be used to
confirm or refute an alibi. However, digital evidence can rarely prove conclusively
that someone was in a specific place at a specific time. Remember that IP
addresses and phone numbers are associated with computers—not individuals.
Therefore, an accomplice could help a criminal fabricate an alibi using the
criminal’s computer or mobile device. However, if a thorough forensic analysis
and reconstruction of digital evidence reveals that the individual’s computer or
mobile device was used for a variety of personal communications (e.g., e-mail,
SMS, social networking) and other activities (e.g., online banking) around the
time of the alibi, this can help paint a compelling picture that someone was