Deconstructing Digital Evidence to Understand Defensibility

Colten Gill

There is generally no argument that social media and the web represent a valuable source of digital evidence for legal and fraud detection professionals. The advent of the social web has changed the game for investigators as subjects now can provide all the information needed to close a case. However, it is important for professionals that are looking to leverage digital evidence in their cases to fully understand the intricacies of digital evidence collection that is defensible in a court of law.

The process is similar for both physical and digital evidence, and it must comply with the Rules of Evidence; these are rules and legal principles that help determine the validity of evidence in a legal proceeding. At SMI Aware, our Export Report is the preservation product that converts online content into evidence.

Screenshots as Digital Evidence in Court

Digital evidence collected from the web and social media is commonly captured through screenshots; in other words, the investigator takes a picture of the content on the screen in hopes that it will hold up in court. Unfortunately, that is not the case. A screenshot is merely an image that can easily be manipulated and tampered with using image editing software like Photoshop.

How Can Online and Digital Evidence be Defensible? 

All online content contains a digital footprint that allows it to be published. The technical term is source code: the code that the browser “translates” into the images and text that we see when viewing web content. The source code holds the defensibility of online digital evidence, but only if it is properly collected and preserved.

While it can be hard to visualize digital evidence, every webpage that has information about your subject can be thought of as a journal recovered from their residence. A screenshot is equivalent to presenting a photocopy of the journal, while an SMI Aware Export is equivalent to presenting the original journal. After a proper search and seizure, the physical journal would be tagged, recorded, and analyzed. This process, commonly known as the Chain of Custody, was put in place in order to prevent evidence tampering.

The same process must occur with online and digital evidence. According to the American Bar Association, the authentication process of digital evidence (such as a subject’s Facebook profile or Twitter page) is one of the easiest evidentiary rules to grasp in theory, but “in practice, its application can be a challenge.” The rules that state how a piece of digital evidence may be authenticated can be confusing, and in the past have usually required an Expert Witness to testify that the information downloaded was authentic and original. Unfortunately, in many cases hiring an Expert Witness will create an additional cost.

By partnering with the experts at SMI Aware, you’re ensuring the proper handling of digital evidence for your clients and staying ahead of the curve when it comes to fast-paced changes in technology and digital preservation.

What Makes Up Digital Evidence

Remember the journal analogy from above, where we treated each website as a physical journal? Unlike physical evidence, digital evidence can be confusing to the everyday user. It’s important to understand what makes up the URL, source code, and hash value behind your digital evidence.

Below we have created a digital evidence reference glossary. Please leave us a comment below if you have any questions and one of our in-house Export Analysts will be more than happy to assist!

Deep Report: The SMI Aware Deep Report is the intelligence gathering and curation of information found on the Internet about a subject, company, or incident. The Deep Report allows you to find and identify URLs that are associated with the subject, along with analytical insights related to your needs.

Export: The SMI Aware Export preserves the source code and metadata of a specific website and/or social media site. This allows you to prevent the deletion of information by a subject, view a website offline, and prepare digital evidence for use in a court of law.

HTML: Hypertext Markup Language (or HTML) is the standard coding format for most of the Internet, and it’s what makes up the Source Code (see below) that creates what you see on a screen.

Source Code: The source code is the coding that builds the visuals you see on your screen, along with any text, images, and videos that may be on there.

SMI Aware’s Exports preserve the Source Code, allowing us to capture the digital evidence exactly as it was at the time of capture, along with any metadata attached to it.

Metadata: Metadata is commonly referred to as the data about data. It includes the date, user, and URL of a specific post, image, or video, along with information like what file type makes up the image, or where it was posted from.

With an SMI Aware Export, we capture and preserve the metadata that’s available, which can be useful in authenticating digital evidence in court.

PDF: The Portable Document Format (PDF) is the file format used to universally present and exchange digital documents.

Screenshot: A screenshot (or screen capture) is a digital representation of what’s visible on your computer screen.

URL: A URL is the web address you type in to get to the page you’re viewing. “Facebook” is not a URL, but “http://facebook.com/userprofile123” is a URL that points to a specific page. This can be copied and pasted from the top of your web browser. Think of it as your home’s specific street address, as opposed to Anytown, USA.

Username: A username is a name used by a person online to gain access to online sites or identify themselves online. This is different from an e-mail address; usernames typically combine a name or nickname with various letters or numbers.

For example: John Smith may use “jsmith,” “johnn1,” or “john_smith145” as usernames, in addition to his email of johnsmith@email.com.

Website: A website is a place on the Internet that is usually made up of a collection of web pages.

Public vs. Private Posts: Posts on various social media networks may be set to Public or Private, depending on the layout of the specific network. Public posts are visible to anybody with the URL (see above) that directs to the post. Private posts are typically visible to those who have friended the subject. Posts on a subject’s profile can be a combination of public and private.

Generally, anything public is available to Export and prepare for evidence. It is important to note that it goes against SMI Aware’s Code of Ethics (and the law, in most cases) to obtain Private posts without consent of the subject.
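To show how the source code, metadata, hash value and Chain of Custody described above fit together, here is an added example that is not SMI Aware's code or process. It assumes SHA-256 as the hash, and the URL, analyst names, timestamps and page content are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first custody entry

def digest(obj) -> str:
    """SHA-256 of raw bytes, or of a dict serialised canonically."""
    if not isinstance(obj, bytes):
        obj = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(obj).hexdigest()

def preserve(url: str, source: bytes, captured_at: str) -> dict:
    """Capture record: metadata plus the hash of the exact source bytes."""
    return {"url": url, "captured_at": captured_at,
            "source_sha256": digest(source), "source_length": len(source)}

def add_custody(log: list, record: dict, actor: str, action: str, when: str) -> None:
    """Append an entry bound to the record and to the previous entry."""
    entry = {"actor": actor, "action": action, "when": when,
             "record_sha256": digest(record),
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = digest(entry)
    log.append(entry)

def verify(source: bytes, record: dict, log: list) -> list:
    """Return a list of problems; an empty list means everything matches."""
    problems = []
    if digest(source) != record["source_sha256"]:
        problems.append("source does not match recorded hash")
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or digest(body) != entry["entry_hash"]:
            problems.append(f"custody entry {i} altered or out of order")
        if entry["record_sha256"] != digest(record):
            problems.append(f"custody entry {i} refers to a different record")
        prev = entry["entry_hash"]
    return problems

# Constructed sample capture (not real evidence).
SOURCE = b"<html><body><p class='post'>Back from the ski trip!</p></body></html>"
RECORD = preserve("https://social.example/userprofile123", SOURCE,
                  "2024-01-15T14:02:11Z")
LOG = []
add_custody(LOG, RECORD, "analyst-a", "captured", "2024-01-15T14:02:12Z")
add_custody(LOG, RECORD, "analyst-b", "exported to counsel", "2024-01-16T09:30:00Z")

if __name__ == "__main__":
    print(verify(SOURCE, RECORD, LOG))                          # untouched capture
    print(verify(SOURCE.replace(b"ski", b"spa"), RECORD, LOG))  # edited copy
```

A hash chain only shows that the files agree with each other. The final entry hash still has to be recorded somewhere the evidence holder cannot rewrite, such as a signed or independently timestamped record.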

How to Get the Most From Your Exports

Want to get the most out of your Export order? Follow these three tips for success that help us get you the evidence you need quickly and effectively:

1. Ditch the screenshots

Already know the webpage you’d like preserved? Don’t waste your time by trying to screenshot, then crop, what’s on your screen. If you’ve already opened the page in your browser, mouse over the address at the top (which usually starts with https:// or www.) and copy and paste it in your order. This allows our analysts to quickly navigate to the exact page you want without any chance of miscommunications or delays.

2. Maintain your privacy

Did you know that if you view a Facebook profile multiple times while logged in, you’re likely to appear as a suggested friend the next time your subject logs in? Keep your investigation (and yourself) private by viewing the Facebook profile offline. An SMI Aware Export allows you to navigate the subject’s full public profile from anywhere without being detected.

3. Be prepared to rush

In the middle of litigation when the idea hits you: what if my subject chooses to delete all this information? Let us know there’s a risk of deletion, and we’ll work as fast as possible to preserve the needed website before you lose data critical to your case.