Digital forensics has expanded the methods of investigating crime throughout the world. As the use of technology grew, so did the ways of using digital evidence to solidify a case against a suspect. Digital sources have provided forensic investigators with the evidence needed to build a case against someone who committed a crime, and often that evidence is presented in court. Incriminating evidence can be found in web searches, deleted history, and online photo archives. As time goes on, people are becoming more aware that deleting something from a computer or cell phone does not mean it is gone forever. There was a point in time when people believed the use of electronic devices came with privacy, in the sense that no one except the receiver could see what they sent. Even though we have passwords and lock codes that prevent ordinary people from accessing our private files, that privacy is no longer there when investigators are looking for information against a suspect. “Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects’ e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects” (NIJ, 2016). In today’s world digital devices are a key part of solving a broad variety of crimes, and people’s perception of digital evidence is changing as technology evolves.
In the beginning of this technology era, people did not think twice about sending provocative texts, pictures, emails and so on. “Digital evidence is not well perceived by the human senses. Crucial pieces of digital evidence may simply be missed due to the fact that examiners do not fully comprehend how seemingly useless pieces of data can be converted to evidence of high value” (Koen & Olivier, 2008). Now every use of our devices leaves behind an electronic paper trail that can be impossible to get away from. These trails make it easier for investigators to link particular crimes with certain people. The evidence becomes incriminating once it starts to match up with the times leading up to the crime, and investigators can piece this information together because of timelines and time stamps. Timelines and time stamps have been a key part of forensic investigation since the beginning of the digital age. “The use of timestamps in digital investigations is pervasive. Timestamps are increasingly used to relate events which happen in the digital realm to each other and to events which happen in the physical realm, helping to establish cause and effect” (Schatz, Mohay, & Clark, 2006). This is what makes timelines and time stamps so vital: they provide a window of time in which a crime was committed, which leads to the discovery of new findings within a case. Timelines in forensics are a representation of events leading up to the crime as well as after it. Timelines in digital forensics draw on different sources of media, such as video and pictures, to see when activity occurred on a digital device. This information can be found through the use of automated tools. Automated tools are used for testing software and for comparing and reporting data; they are capable of executing tests, reporting outcomes and comparing results with earlier test runs. “Many existing automated tools have focused on the extraction stage of a digital investigation, i.e. making more information accessible from the raw data, and are very effective at this. For example, Internet Evidence Finder automates the recovery of artefacts on a disk image that relate to certain Internet use, e.g. Facebook chat artefacts” (Hargreaves & Patterson, 2012). Some examples of automated tools are Ranorex, Sahi, Selenium and Watir. The output of these tools is how digital investigators are able to see the timeline of activity on the device, and they can retest as many times as they would like.
Time stamps give the day and time at which something was sent, delivered or recorded using a digital device. These two pieces of data can help investigators estimate when something occurred and why. Knowing the time of the crime and of the related occurrences that surround it is extremely important because it allows investigators to point out when someone is lying about the events that took place during the crime. When people are under investigation they start with what sounds like a solid story; then, as police continue to bring up newfound evidence, their story changes. Knowing these specifics saves investigators a lot of time, because they can quickly tell whether someone’s story is fabricated.
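The following sketch is an added example, not part of the original essay. It shows the step that makes such a comparison possible: records from several devices are converted to UTC, merged into one timeline, and checked against a statement. All records, source names and the alarm panel's UTC-5 clock setting are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, not taken from any real case.
TRACKER = [(1700040300, "120 steps"), (1700041500, "85 steps")]  # epoch seconds (UTC)
SOCIAL = [("2023-11-15T09:46:00+00:00", "video posted")]         # ISO 8601 with offset
ALARM = [("2023-11-15 05:05:00", "panic alarm triggered")]       # local time, no offset
ALARM_UTC_OFFSET = timedelta(hours=-5)  # assumed clock setting of the alarm panel


def normalize():
    """Convert every record to (UTC datetime, source, description)."""
    events = []
    for secs, what in TRACKER:
        events.append((datetime.fromtimestamp(secs, tz=timezone.utc), "tracker", what))
    for stamp, what in SOCIAL:
        events.append((datetime.fromisoformat(stamp).astimezone(timezone.utc), "social", what))
    for stamp, what in ALARM:
        # A naive local time is only comparable once its offset is applied.
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        aware = local.replace(tzinfo=timezone(ALARM_UTC_OFFSET))
        events.append((aware.astimezone(timezone.utc), "alarm", what))
    return events


def build_timeline():
    """Merge all sources into one chronologically ordered list."""
    return sorted(normalize(), key=lambda e: e[0])


def contradictions(timeline, start, end, activity_sources):
    """Return events showing activity inside a window the statement says was inactive."""
    return [e for e in timeline if start <= e[0] <= end and e[1] in activity_sources]


if __name__ == "__main__":
    tl = build_timeline()
    for when, source, what in tl:
        print(when.isoformat(), source, what)
    # Statement under test: no activity by the person between 09:20 and 10:00 UTC.
    start = datetime(2023, 11, 15, 9, 20, tzinfo=timezone.utc)
    end = datetime(2023, 11, 15, 10, 0, tzinfo=timezone.utc)
    for when, source, what in contradictions(tl, start, end, {"tracker", "social"}):
        print("contradicts statement:", when.isoformat(), source, what)
```

If the alarm panel's offset were ignored, its event would sort five hours too early and appear to precede the activity it actually follows.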
In the 21st century technology rapidly became a part of our everyday lives as more families were able to own computers at home and as regular cellphones turned into smartphones. Technology has become so essential to our lives that most people do not even realize the trail of information they are leaving behind just by making a call. As with everything else, there are positives and negatives to using technology. Since online shopping has become a main way in which we shop, hackers are able to steal important credit card information that they may use for future purchases. This can be a very frustrating issue because the victims have no idea who could be using their card, and they must now order new ones and go through the long task of updating their method of payment on websites. The plus side to technology in this situation is that every single transaction on the card leaves behind a time stamp of when and where the purchase was made. This allows investigators to separate real charges made by the owner from the fraudulent ones made by the criminal. Even though technology allows us to spot criminals in our personal finances, sometimes it can also catch us in criminal activity of our own.
Even though people are now aware that investigators can easily retrieve data from computers and cellphones, no one thinks twice about a device that has become popular throughout the world: the Fitbit. A Fitbit is a device that people use to keep track of their physical activity throughout the day. For one man, his wife’s Fitbit landed him in prison for murder. Richard Dabate initially told investigators that he and his wife had been victims of an armed intruder. Dabate claimed the intruder entered his home and tortured him, and that when his wife returned home, the intruder fatally shot her. Police realized that Dabate’s story was not adding up, and they received some unlikely evidence from the Fitbit his murdered wife was wearing at the time of the murder. The Fitbit gave police a timeline of the murder once it was compared with timestamped evidence on the Dabates’ cellphones and computers. Investigators later found out that Richard Dabate had emailed his supervisor claiming that the alarm had gone off, an entire hour before the alarm was actually set off by Richard. His wife’s Fitbit recorded the distance she had walked that day, which did not add up with her husband’s story. Also, timestamped evidence showed that his wife was active on Facebook around the time Richard claimed the intruder ordeal was taking place. Without these multiple digital devices, police would have had trouble creating a timeline that went against the husband’s story of a masked intruder.
Our social media accounts have become a platform where we share what is going on in our daily lives and vent our opinions about contemporary issues around the world. While most people see their social media as a way to keep in contact with friends and family, it can become a vital source of information for investigators when it comes to solving a crime. Not many people live their lives without some form of social media, so this is something that investigators pay attention to when conducting an investigation. Days before an incident happens, people may post about what has been troubling them or that they are being stalked by someone, or they may unknowingly leave clues about their whereabouts. Social media sites like Facebook and Snapchat have features that let the user turn on a location setting, which lets others know what city they are in whenever they update a status or post a picture. Some people see this as a dangerous feature because you are letting the world know where you are 24/7, but when it comes to solving crimes this is an important way to find out the last location of missing or wanted people. It gives investigators a peek into that person’s life before the crime and allows them to see the activity leading up to the crime as well. Every time someone updates a status or posts a video, it leaves behind a timestamp of when it was posted. Facebook now has a live feature that allows you to record a video of what you are currently doing. It lets people go live to show what is happening at that exact moment in time. Since Facebook Live was established, people have posted themselves in the act of committing a crime. You might wonder why someone would post a live video of themselves committing a crime, but this has become a reality of today’s world.
An example of this is the story of Steve Stephens, a Cleveland man who gunned down an innocent elderly man he did not know on Facebook Live because he could not get in contact with his girlfriend, which angered him to the point where he decided he was going to kill until she reconciled with him. Since this random act of violence was posted online, investigators were able to know the exact time the crime occurred and why it was committed. The video also provided a timeline leading up to the murder, in which Steve Stephens discussed his motive and his plans for revenge. The video showed how Steve felt before the murder and what he did right after it. Without Steve’s post to Facebook it would have been a more difficult task for law enforcement to find out who committed the crime, since the victim was an innocent man and there was no reason why anyone would want to hurt him. Stephens went on the run for several days and eventually committed suicide after someone spotted him and contacted authorities. The Facebook Live video has been seen by millions, and it made people more aware of the fact that even if a video is deleted there are ways it can resurface through other social media sites.
Many believe that simply wiping out files on their computer can get rid of crucial evidence, but this is not the case, because the information remains on the hard drive. Deleted files can be recovered from a hard drive, and the drive can also show whether time data has been manipulated. The manipulation of time data includes altering or deleting time stamps so that the criminal can create an alibi and detach themselves from suspicion. “The time variable of evidence is very important for the examiner regardless of the tool used. The criminal might therefore use a tool like Timestomp to clear all timestamps in the file system. Our tool however handles many kinds of file types and does not only rely on the file system timestamps to be useful to the examiner” (Olsson & Bolt, 2009). The tools investigators are equipped with can recover any data the person tried to delete, and any incriminating evidence found can be used against the suspect. Another important way in which investigators can retrieve hard drive information is through the LDFS: Live Data Forensics System. The LDFS is a tool that helps speed up the investigation by finding crime-related evidence in a shorter time frame. “LDFS demonstrates the ability of the tool to automatically gather evidence according to general categories, such as live data, Windows Registry, file system metadata, instant messaging services clients, web browser artifacts, memory dump and page file. In addition, unified analysis tools of ELF provide a fast and effective way to obtain a picture of the system at the time the analysis is done. The result of the analysis from different categories can be easily correlated to provide useful clues for the sake of the investigation” (Lim, Savodi, Lee, & Lee, 2012). There are two types of data that can be relevant for an investigation: non-volatile and volatile. Non-volatile data can be described as long-term storage.
Even when the computer is powered off, that data still remains on the hard drive. Examples of non-volatile data include passwords, emails, and browser history. In contrast, volatile data requires the computer to be powered on in order to keep the stored information. If the device loses power, the volatile data is lost as well. Data in RAM, which stands for random access memory, would be considered volatile data because the information is not stored permanently within the device. Both types of data are important because they help investigators piece together a timeline from the correlated data and use it as evidence.
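As an added illustration, not code from the original essay or from the tools it cites, the sketch below shows why an examiner does not rely on file-system timestamps alone: it compares them with a time recovered from inside each file and reports inconsistencies. The records, field names, tolerance and acquisition time are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
TOLERANCE = timedelta(minutes=2)  # assumed allowance for clock and write delays

# Constructed sample records: file-system times plus a time recovered from
# inside the file itself (for example a photo's capture time).
FILES = [
    {"name": "report.docx", "created": datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
     "modified": datetime(2024, 3, 4, 16, 30, tzinfo=UTC),
     "embedded": datetime(2024, 3, 4, 16, 30, tzinfo=UTC)},
    {"name": "IMG_0042.jpg", "created": datetime(2024, 1, 10, 8, 0, tzinfo=UTC),
     "modified": datetime(2024, 1, 10, 8, 0, tzinfo=UTC),
     "embedded": datetime(2024, 3, 5, 22, 14, tzinfo=UTC)},
    {"name": "notes.txt", "created": EPOCH, "modified": EPOCH, "embedded": None},
    {"name": "copy.pdf", "created": datetime(2024, 3, 6, 12, 0, tzinfo=UTC),
     "modified": datetime(2024, 2, 1, 10, 0, tzinfo=UTC),
     "embedded": datetime(2024, 2, 1, 10, 0, tzinfo=UTC)},
]
ACQUIRED = datetime(2024, 3, 10, tzinfo=UTC)  # when the image was taken (constructed)


def findings(rec, acquired=ACQUIRED):
    """Return a list of reasons this record's timestamps deserve a closer look."""
    out = []
    fs_times = [rec["created"], rec["modified"]]
    if any(t is None or t <= EPOCH for t in fs_times):
        out.append("file-system timestamp cleared or zeroed")
        return out  # nothing further can be compared
    if any(t > acquired for t in fs_times):
        out.append("file-system timestamp later than acquisition")
    emb = rec["embedded"]
    if emb is not None and emb - rec["modified"] > TOLERANCE:
        out.append("content written after the recorded modification time")
    if rec["modified"] < rec["created"]:
        # Weak signal: on NTFS a plain copy keeps the old modified time and gets
        # a new creation time, so report it as context, not proof of tampering.
        out.append("modified before created (also produced by copying)")
    return out


def review(files=FILES):
    """Map file name -> findings, keeping only files with at least one finding."""
    return {f["name"]: r for f in files if (r := findings(f))}


if __name__ == "__main__":
    for name, reasons in review().items():
        print(name, "->", "; ".join(reasons))
```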
Another case where timestamp evidence was a crucial part of an investigation was the Jodi Arias case. The Jodi Arias case was a well-known criminal case that focused on the murder of a successful salesman named Travis Alexander, who was found dead at his home in 2008. At the time of the murder Jodi Arias was Travis Alexander’s ex-girlfriend; she killed him out of jealousy and rage because he did not want to continue a relationship with her. Initially, Arias denied any knowledge of what happened to Travis and also denied being involved in his murder. After a few weeks of investigation, it was determined that Jodi had been present in Travis Alexander’s home on the day of the murder through physical evidence such as a bloody palm print containing a mixture of the victim’s and the suspect’s blood, and hair belonging to Jodi. Her story and alibi about not knowing what happened that day soon changed. She then claimed she was present on the day of the murder, but that armed intruders had killed him and happened to let her go without harm. She claimed not to know why the intruders would kill Travis and spare her life. This story was quickly proven untrue by more evidence recovered from the scene of the murder. Although there was a good amount of physical evidence at the crime scene, what really made the prosecutors’ case strong against Arias was the digital forensic evidence found. Investigators recovered a camera from the crime scene which had been severely water damaged after Arias placed it in a washing machine. She assumed the evidence on the camera would be destroyed by the water, but she was clearly mistaken. From the camera investigators were able to recover images of Travis and Jodi taken on the day of the murder. The time stamp evidence not only proved that she was at the scene; the images even showed Travis during his last moments of life and his murder.
The camera accidentally snapped photos of Travis while he was being murdered by Arias, and the time stamp on the camera was able to tell investigators the exact time and date he died. This type of digital evidence, accidentally taken or filmed, was rare, and investigators found it crucial to present it in court to convince the jury that Jodi Arias was guilty of first degree murder. Jodi then claimed Travis was abusive toward her, but the photos that Jodi took that day provided investigators with a timeline of the events that took place before the murder. Jodi and Travis had been sexually involved that day and there were no indications that she was a battered woman, so this showed that the murder was premeditated. Jodi’s motive was jealousy and anger over the fact that Travis did not want to marry her, and the jury found her guilty of first degree murder.
Even though investigators have digital evidence of a crime, they must make sure they connect the right person to it. When incriminating evidence is found on a home or office computer, it takes more steps to find out who to link it to. There may be multiple users of that device, which broadens the list of suspects. “In many investigations placing the investigated events at a specific moment in time is also important in attributing usage of a computer to the correct person. For example, finding contraband images on an office workstation does not necessarily imply that the current user of the workstation placed them there, or even knew of their existence. In order to attribute storing of the images to the current user, it is necessary to find evidence that links the user and the contraband” (Willassen, 2008). Time stamps can help with this issue because if the crime happens at a workplace, investigators can see what time these activities were going on and start looking at employees’ schedules to see who was present and using the device at that time. Many people use their work computers to commit crime because they feel that if they were ever suspected of anything, investigators would check their personal computers. This is not always the case, because once you become a suspect in a crime everything linked to you is investigated. Sometimes, though, we incriminate ourselves unknowingly, and this was the case for a former college professor named James Kent. James Kent was arrested and charged with possession of child pornography on his work computer. The timeline of his browser history showed that this activity had been going on for quite some time. The child pornography was discovered after Kent himself took his computer to tech staff because it was constantly rebooting and he did not know why. This led the tech staff to discover the images and promptly alert the police.
Even though Kent’s sentencing was overturned because no law at the time stated that it was illegal to go on a child pornography website, this case shows how we sometimes do not think about how easily something done in the dark can quickly come to light.
Not only are time stamps important for computer devices, they are also useful in surveillance footage. Surveillance cameras are installed to monitor activity in a certain area. When businesses experience theft they are able to bring up old surveillance footage to see not only who committed the thefts but also on what date and at what time they occurred. This is important because it helps people solve otherwise unexplainable events, from robberies to kidnappings. One example is the kidnapping of Carlesha Freeland-Gaither, who was abducted off a street in Philadelphia by a man named Delvin Barnes in 2014. Her abduction was caught on a surveillance camera, which allowed investigators to obtain the make and model of the car Carlesha was forced into. Camera evidence shows the assailant pulling up on the street and parking his car before carrying out the kidnapping. The digital evidence showed when he arrived at the scene, when the kidnapping occurred and when the assailant left the scene of the crime. Since investigators had this digital evidence they were able to obtain the license plate number of the vehicle and connect it to a suspect. Investigators were able to find out who the car was registered to and to track it using the GPS system that had been installed in the car by the dealership because of Barnes’s poor credit. The GPS system was essential for this investigation because without it they would not have been able to find the suspect and victim in a matter of 72 hours. After investigators tracked down the vehicle, they found the victim alive, and the suspect, Delvin Barnes, was apprehended. Even though the GPS system was crucial in finding the victim, the surveillance camera provided the foundation for solving the case. Without the camera’s timestamped digital evidence investigators would not have known where and when Carlesha was kidnapped, nor would they have been able to obtain information about the vehicle used in the crime so quickly.
This case shows why we need timestamped digital sources in our communities: crime can happen anywhere and at any time of day, and if investigators have the crime on camera, many more cases can be solved more quickly.
Digital devices have become essential to everyone’s lives, and even though many of them are useful and convenient, they can provide incriminating evidence against people who misuse them. Next to DNA evidence, digital evidence is becoming more prevalent in solving crimes as the use of technology increases over time. As more security measures such as surveillance cameras are installed throughout neighborhoods, investigators gain more insight into a crime without even being present at the time it was happening.