Recently I reviewed a computer crime case in which the dates on files stored on an SD card seized by the police, and examined both by the police computer forensic laboratory and by a defense expert in computer forensics, showed some unusual patterns. The files in question allegedly contained contraband and were later the basis of criminal charges and an arrest, and there were claims of evidence spoliation. “Spoliation” is a fancy word for tampering. Sometimes a computer crimes expert can come in handy. During lengthy questioning by the prosecutor, the expert gave some answers that may apply to virtually any case involving data stored on a mobile phone SD card.
Questions and Answers from Computer Crimes Expert testimony on SD Storage Devices in Mobile Devices
What are hash values in SD cards and stored files?
“These are the hash values of that. That is a method that I use to be able to correlate that picture with the picture on the SD cards, things like that; but it’s a fingerprint. Every file has a unique fingerprint.”
What is the creation date on a file stored on an SD card?
“I have seen instances where if a file was moved to another system, the creation date is what the current date is of that system. Because, as far as that system’s concerned, hey, it was created on my system today.”
What about iPhone, where there are no SD storage devices?
“For example, with iPhone being a proprietary system, you’re — you’re talking about something that’s an encrypted system and we constantly stay abreast . . . .”
Do both police and forensic examiners use Cellebrite?
“[W]e — as a company, in general, stay abreast of that, the changes there, as I’m sure your group has the same — same challenges. With that, we’re — we’re always challenging our vendors. There’s three primary vendors we use, including Cellebrite, which you guys use, as well. But challenging them to stay abreast of it.”
What is the job of a computer forensic examiner in a case involving cell phone data and SD storage devices?
“To look at it with the eyes of a computer forensic expert to determine whether the evidence being portrayed was accurate or if there was evidence being omitted or not looked at from a different way and we all know that when you’re looking at it from a prosecution point of view, you look at evidence from that angle. If you’re looking at it from a defense point of view, since I work both sides, I know I’m going to look at the evidence differently in cases because in one you’re trying to find underlying causes one way or another. So I felt my job in this was to look at the evidence to determine whether or not everything was being described accurately and completely.”
Are there different types of files stored on mobile device SD cards?
“When you talk about system files, it’s a little bit more complex. The system does many, many things to make your life work better on a computer. And storage locations could be temporary areas; the system just uses and works with. That’s very beneficial to us in a forensic area because that can be very telling as far as how the system was used, what the system is doing, who’s doing what and what’s automatic, what’s not, what’s user initiated, what’s system initiated, all that is good. You can tell that from the temporary areas. There’s also caching areas.”
What are Cache files on an SD card?
“Caching areas are when the computer does something and then it goes and does something else, it caches it out, caches something back in; that’s very telling of what’s going on in the system to us. Who initiated, whether it’s automatic, whether it’s deliberate, stuff like that. There is allocated resources, unallocated resources, deleted areas; there’s just a — just a plethora of stuff that the system does and there’s a lot of different storage locations. Now the ones that I’m focusing in on, for this particular case and this particular report, are the ones that, you know, give us telltale sign of something. And I would have to read it real quick here to know what we’re getting at. I was hoping you were going to ask something specific in here, but that’s basically an overview of what storage locations are.”
What is the significance of where files are stored on an SD Card?
“So storage locations, I gave you an example to help you understand how storage locations work, the difference between pictures and documents, stuff like that. The system is the same way. It does certain things, it will store them in different places. The other key point here then, also is that in — when you’re talking about the system storage locations, they’re not accessible by the user. These are areas that obviously if the user could access those, you could — you could destroy your system. But these are typically areas that are not accessible by the user. By us, yes, from a forensic point of view.”
Why are system storage files important?
“Because, depending on how the device acquired a particular piece of information, whether it be media or text or whatever, how it was — how it came to exist on the phone matters. And system storage can help us to determine that.”
Can date metadata on an SD storage device used in a phone be altered?
“I’ve seen people fool that and they’ll put a cell phone in a shield bag in which case it doesn’t make connection; and there is an app, I think, that can change the date. So there’s people that could do things like that but in these particular cases, these were active and that’s really not the issue that I want to get into. The problem is that depending on the software use or how things come about — and it’s called a feature. And there’s a feature that when you take a file and you put it onto a system, that it maintains the original creation date that that particular, let’s say photograph you made, was maintained. And it’s a feature because you want to know that the Christmas of 2004 occurred on December of 2004, not when you happened to move it over there. So it is a feature of something. But then there are some operations when you move things over, and I’ve seen it before because I’ll see stuff come to be on a system, and they’re milliseconds apart, the creation date. And I know that those were — that was a copy operation performed.”
“You plug in the SD card and the metadata is put on the SD card. Last access date in — in doing the correlation was — would be updated on the phone, as well. But let’s say, for instance, if you put an image, a brand new image on there, and the creation date was last year and you put another image on there, maybe you copied three images and the way you copied it it happened to pick up the date of the computer which was, you know, maybe you changed the date of the computer and you wanted to show it to be last month. Then when you take that SD card and you plug it in the phone, you’re going to see one image with that date from last year as a create date and then you’re going to see three images, milliseconds apart, that are from last month. What I’m saying is that the phone becomes slave to the SD card as far as the metadata –”
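The two checks the expert describes above, matching files across evidence sources by their hash “fingerprint” and spotting a batch of files whose creation timestamps sit milliseconds apart while their modification dates are far older, as an added example in Python. This is not code from the original post or from the testifying expert; the file records, the source labels (“sd_card”, “phone_internal”), the paths, timestamps and contents are all constructed for illustration, and the 500 ms clustering window and one-day slack are assumed thresholds.

```python
"""Triage of file hashes and timestamps from an SD-card extraction.

Added example, not code from the original post or the expert quoted in it.
All records below are constructed for illustration: the source labels
("sd_card", "phone_internal"), paths, timestamps and contents are made up.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    source: str         # which evidence source the record came from (hypothetical label)
    path: str
    created: datetime   # creation time, stamped by whatever system wrote the file
    modified: datetime  # last-modified time, which a copy operation preserves
    content: bytes      # constructed stand-in for the file's bytes

    def sha256(self) -> str:
        """The 'fingerprint' used to match the same file across sources."""
        return hashlib.sha256(self.content).hexdigest()


def correlate_by_hash(records):
    """Return {hash: [records]} for hashes seen in more than one place."""
    groups = defaultdict(list)
    for r in records:
        groups[r.sha256()].append(r)
    return {h: rs for h, rs in groups.items() if len(rs) > 1}


def copy_bursts(records, window=timedelta(milliseconds=500), min_size=2):
    """Cluster files whose creation time is within `window` of the previous
    file's.  A batch copy stamps every destination file with the copying
    system's 'now', so the files of one copy operation land milliseconds
    apart; a run of min_size or more such files is reported as one burst."""
    bursts, current = [], []
    for r in sorted(records, key=lambda r: r.created):
        if current and r.created - current[-1].created <= window:
            current.append(r)
        else:
            if len(current) >= min_size:
                bursts.append(current)
            current = [r]
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def content_predates_placement(r, slack=timedelta(days=1)):
    """True when the file was last modified well before it was 'created':
    impossible for a file authored in place, routine for a copied one."""
    return r.created - r.modified > slack


def triage(records):
    """Run both checks and return the findings as plain data."""
    bursts = copy_bursts(records)
    return {
        "hash_matches": correlate_by_hash(records),
        "bursts": bursts,
        "copied_in": [r for b in bursts for r in b if content_predates_placement(r)],
    }


# --- constructed sample extraction -------------------------------------
T0 = datetime(2011, 3, 14, 10, 15, 30)      # constructed moment of a copy operation
JPG = b"\xff\xd8\xff\xe0JFIF-stand-in-"       # constructed JPEG-like prefix

RECORDS = [
    # photo taken on the phone itself: created and modified coincide
    FileRecord("sd_card", "DCIM/100MEDIA/IMAG0001.jpg",
               datetime(2010, 12, 25, 18, 2, 11), datetime(2010, 12, 25, 18, 2, 11), JPG + b"1"),
    # three files written in one copy: creation stamps ms apart, modification years older
    FileRecord("sd_card", "download/a.jpg", T0, datetime(2008, 6, 1, 9, 0, 0), JPG + b"a"),
    FileRecord("sd_card", "download/b.jpg", T0 + timedelta(milliseconds=40),
               datetime(2008, 6, 1, 9, 0, 5), JPG + b"b"),
    FileRecord("sd_card", "download/c.jpg", T0 + timedelta(milliseconds=90),
               datetime(2009, 1, 20, 14, 30, 0), JPG + b"c"),
    # the same bytes as a.jpg found in a phone system area half a minute later
    FileRecord("phone_internal", "cache/tmp/0001.jpg", T0 + timedelta(seconds=30),
               T0 + timedelta(seconds=30), JPG + b"a"),
]


if __name__ == "__main__":
    report = triage(RECORDS)
    for h, rs in report["hash_matches"].items():
        print("same fingerprint", h[:12], "->", [(r.source, r.path) for r in rs])
    for burst in report["bursts"]:
        span_ms = (burst[-1].created - burst[0].created).total_seconds() * 1000
        print(f"copy burst of {len(burst)} files within {span_ms:.0f} ms:")
        for r in burst:
            flag = "content predates placement" if content_predates_placement(r) else ""
            print(f"  {r.path}  created={r.created.isoformat()}  modified={r.modified.isoformat()}  {flag}")
```

One caveat when applying this to a real card: if the card is FAT32-formatted, as most SD cards are, the directory entry stores creation time to 10 ms but last-write time only to 2 seconds and last-access as a date alone, so “milliseconds apart” is meaningful for creation stamps but not for modification stamps, and the clustering window should be chosen accordingly. A burst by itself only shows that the files arrived together; as the testimony notes, which system’s clock supplied those stamps, and whether that clock was correct, is a separate question.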
Can computer crimes experts discover data files placed on a mobile device without the user’s knowledge?
“[J]ust realize that when I’m talking about the push, that the technology is there, that the . . . potential is there for stuff to be pushed on your computer. And of course, the user is oblivious to all this going on. And that’s why you could actually go to a website that had unfortunate information on it and your computer now is a recipient of that information and you, the user, are none the wiser.”
“Sometimes the user doesn’t even know they went somewhere. Sometimes in — in this world of malware and viral attacks and exploitation of compu — of people’s identities, there’s a lot of times — like, and I use the term unfortunate, is if you do a search, one thing these search engines do not do is assess where it’s going to take you and you could click on something and then it could actually take you to a site that doesn’t display anything but it certainly puts stuff on your computer and then redirects you to something else to show you what you think you wanted to see. There’s a lot of smoke and mirrors going on behind the scenes that the user’s not aware of. That’s the push technology I’m talking about . . . .”
“Whether or not you saw it, whether or not you meant to go there, that’s — that does not — those two statements don’t come into play when it comes to push. . . . Push includes whatever the — and I’ll call it malicious in some cases, but whatever the site, or whatever the originating prospect that might be. It could be a server, it could be a site, it could be almost anything. Whatever it is, it will push on there and I can’t tell you what that will be. In — I can tell you in general what it is. In general it’s thumbnails.”
“The fact that Windows does that, is a feature to allow you to operate better. But how many times have we heard about there being a hole, an exploited hole in Windows that Microsoft had to go in and patch with a new release or with — with a new update they patched this hole or they discovered this — this whatever was open and they come in. You take a feature on something and you get a website that exploits that feature, I think you kind of then answered your question because then okay, well whose fault is it? Well, it’s a feature of Windows to do this. But they’re — the reason it was written was to optimize web browsing, that’s it. Now to push big stuff on there, and push other stuff on there, when people are taking it to its limit and exploiting it and doing the wrong thing, then I’d say it’s the fault of the site.”