Crimes Against Children Conference 2019 Recap Part II: Digital Evidence On Multidisciplinary Teams

By Christa Miller, Forensic Focus

Our first article in this two-part series focused on the technology associated with crimes against children: mobile peer-to-peer software; cryptocurrency used to buy and sell child sexual abuse material (CSAM); the virtual worlds where abuse might take place; and how technology can help reduce investigators’ vicarious trauma.

In Part II, we focus on how the data you capture can be leveraged to work together with forensic interviewers and prosecutors to corroborate evidence and build cases. It’s very much a team effort, where the work you do supports multiple aspects of an entire investigation.

Digital Evidence Use In Forensic Interviews

One of the first places that digital evidence, such as photos and text messages, adds value to an investigation is the forensic interview.

Dallas Children’s Advocacy Center forensic interviewers (FIs) Chelsea Zortman and Jessica Parada joined Michael Hernandez, a detective with the Cedar Hill (Texas) Police Department, for a lecture about how to address social media, chat rooms, apps and other digital communication technology during interviews. Separately, Stacey Kreitz, a forensic interview specialist with HSI, also spoke about facilitating forensic interviews of cybercrimes.

Parada said the value of forensic interviewing is to build trust with victims as a means toward building the right evidence for a case. At the same time, though, forensic interviewers may not have a strong command of how digital evidence works, yet need the information to conduct a legally sound interview. A multidisciplinary team (MDT) approach ensures that everyone has what they need to move forward with a case.

Rescuing a survivor is often only the start. Hernandez said FIs have to know what sites the victims are on — whether these are the most popular ones, or less well-known sites like the ASMR community, Care2, GirlsAskGuys, DeviantArt, and others. Classified ads and the dark web can also come into play.

Parada added that children like to know things adults don’t know, so FIs need to be able to tell them what they’ve learned and offer them a safe place to talk about their experiences. However, she added, this requires an FI to have confidence in their knowledge.

How digital forensic examiners can help:

Build relationships with forensic interviewers. Parada acknowledged that these conversations are likely to be difficult; even more so under the pressure of trying to ensure a child’s safety.

Know what protocols the FIs are working under and how their strategy drives what’s needed for evidence. For example, a research-based method like the Prepare and Predict protocol, developed by Homeland Security Investigations (HSI), makes decisions defensible regarding how and why evidence was introduced into the interview.

Know what the team strategy for the interview is going to be, and how it might change. Evidence needs to be prepared in a legally sound way prior to the forensic interview, so the team needs to discuss their strategy before the day of the interview. To facilitate the conversation, the MDT and advocacy center should already have a protocol established regarding whether or not images will be sanitized and/or how they will be sanitized. However, federal and local recommendations make it best practice for the images not to be sanitized. This accomplishes two things:

  • The interviewer doesn’t risk establishing an environment where the child feels ashamed about their body.
  • The unsanitized images allow a child to remain in an honest environment with the interviewer and be presented with accurate evidence.

Protect both the team and the evidence by maintaining chain of custody of unsanitized images. Images must be printed by the detective in possession of the evidence, and only for interview purposes. FIs can’t receive the material through email or on a flash drive, and they have to give it back once they’re done.

Provide data prior to the interview. The FI’s role isn’t to interrogate a child or put them in a position to incriminate themselves, but they do need a truthful interview. To that end, an FI can discuss the evidence (data, images, chat logs, etc.) with the child, but only if they have the knowledge that it exists and the ability to review it. Therefore, an FI needs to be familiar with language relating to an app or device used in the allegations/disclosure.

Make sure FIs know what you can and can’t retrieve. With apps like Snapchat, FIs need to know that even if there is limited or no content, the metadata and logs can give them critical timeline and contact information. Zortman pointed out that this is imperative for two reasons:

  1. The team needs the information to determine appropriate interview scheduling. If a child is in immediate danger, an interview can take place right away. Otherwise, communication allows investigators to send any needed preservation letters and warrants for evidence that can be used in the interview.
  2. Understanding general data retrieval information also allows the FI to clarify with a child throughout the interview about what may or may not be found on their device(s).

Give interviewers the right terminology. A good example of this, said Zortman, is the difference between “Finsta” and “Rinsta”: “fake” vs. “real” Instagram accounts, each with different purposes. One is public-facing, one private, used among a small group of friends.

Never assume the interviewer already knows what they need to know. Instead, help them with research, keywords, and other information they can use about how the app or device is used. Otherwise, the interviewer won’t know if the interview subject tells them something erroneous. In other words, said Parada, it’s best practice for FIs to stick to their existing protocols. Since technology is evolving so quickly, it is important for each team to do its research and update their protocols to reflect that. 

Help them understand results from your forensic software. For example, chat timestamps could look wrong because the server was in a different time zone. That can make it easier for victims to deny what happened, so be sure that the interviewer is prepared to address this. Other details include who’s who in different chat bubbles, any lingo or acronyms, and so on.

Take direction from interviews, too. Especially in emergencies, your preview may be all an interviewer has to work with. However, the initial interview itself can reveal more, such as communication apps you didn’t know to look for, which you need to conduct a deeper examination to find. Or the interview may reveal additional victims or suspects whose devices will need to be analyzed.

Another perspective on what forensic interviewers need from digital evidence came from Jessica Tigert, a forensic interviewer with the 23rd Judicial District of the State of Tennessee, who joined Cellebrite’s Brendan Morgan, VP Training Ops for the Americas, and Keith Leavitt, Manager of Technology, for a talk about preparing to testify to digital evidence in child exploitation investigations.

Drawing on her experience interviewing 2000 children in six years, Tigert talked about making it a goal to reduce the likelihood of a child having to testify. To that end, she said, the more evidence is available to bring to the interview, the better. Part of her method is to work closely with investigators and digital forensic examiners, asking questions about the evidence to get a better sense of what it is, where it came from, how it got there, and why it’s relevant.

For example, a preview exam can help a forensic interviewer understand what type of contact a suspect had with a child victim. In turn, this information helps them work out how to structure their interview.

When it comes to preparing for court, digital forensic examiners have additional responsibilities above and beyond those listed above:

  • Understand your role and update your curriculum vitae (CV) to reflect it. Leavitt said generally, CVs shouldn’t be any longer than two pages.
  • Understand your tools and how they keep evidence forensically sound; be able to demonstrate your process of recreating and validating findings.
  • Validate your tools, using known datasets to ensure that dates and timestamps are correctly reported, and logging the results. Morgan recommended doing this every six months. The extra work, he said, can save time on the other end.
  • Prepare copies of all reports, notes, emails, and supplemental documents related to the examination. This way, you can provide assistance with exhibit creation, address possible defense expert theories, and even practice for cross-examination.
  • Get your work peer reviewed by colleagues. This ensures accuracy and that protocols were followed, making your work harder to challenge. Leavitt and Morgan also recommended finding local mentors, for instance through a regional US Secret Service Electronic Crimes Task Force (ECTF).
  • When testifying, keep things as simple as possible. Defense attorneys’ job is to try to cast doubt, so while you might be tempted to get very technical to show your understanding, this could backfire and bore the jury. You may even need to draw diagrams to explain something.
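
The timestamp check from the validation bullet above, written out as an added example (not code from the talk, from Cellebrite, or from any forensic tool): it compares a tool's reported times against a known test dataset and separates exact matches from whole time-zone shifts (the server time zone effect mentioned earlier for chat timestamps) and from real errors. The message ids, times, and tool name are constructed, and the report is assumed to be a plain id-to-timestamp export.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference set: when each test message was really sent (UTC).
KNOWN_UTC = {
    "msg-001": datetime(2019, 8, 12, 14, 30, 0, tzinfo=timezone.utc),
    "msg-002": datetime(2019, 8, 12, 23, 55, 10, tzinfo=timezone.utc),
    "msg-003": datetime(2019, 8, 13, 2, 5, 0, tzinfo=timezone.utc),
    "msg-004": datetime(2019, 8, 13, 9, 0, 0, tzinfo=timezone.utc),
}

# Constructed export from a hypothetical tool: times as displayed, no zone label.
TOOL_REPORT = {
    "msg-001": "2019-08-12 14:30:00",  # shown in UTC
    "msg-002": "2019-08-12 18:55:10",  # shown 5 hours early (UTC-5 local time)
    "msg-003": "2019-08-13 02:17:42",  # off by 12m42s: not a zone shift
    # msg-004 was not parsed by the tool at all
}

def classify(known_utc, reported_text):
    """Compare one reported time with the known UTC time."""
    reported = datetime.strptime(reported_text, "%Y-%m-%d %H:%M:%S")
    delta = reported.replace(tzinfo=timezone.utc) - known_utc
    if delta == timedelta(0):
        return "match", delta
    # Real UTC offsets run from -12:00 to +14:00 in 15-minute steps.
    in_range = timedelta(hours=-12) <= delta <= timedelta(hours=14)
    if in_range and delta.total_seconds() % 900 == 0:
        return "tz-offset", delta
    return "mismatch", delta

def validate(known, report):
    """Return {message id: (status, delta)} for every known message."""
    results = {}
    for msg_id in sorted(known):
        if msg_id in report:
            results[msg_id] = classify(known[msg_id], report[msg_id])
        else:
            results[msg_id] = ("missing", None)
    return results

def log_lines(results, tool_name):
    """Format results as lines suitable for a validation log."""
    lines = []
    for msg_id, (status, delta) in results.items():
        shift = "n/a" if delta is None else f"{delta.total_seconds() / 3600:+.2f}h"
        lines.append(f"{tool_name} {msg_id} {status} shift={shift}")
    return lines

if __name__ == "__main__":
    for line in log_lines(validate(KNOWN_UTC, TOOL_REPORT), "example-tool"):
        print(line)
```

A "tz-offset" result is not a tool failure by itself; it means the report needs a documented display time zone before anyone reads the times in an interview or in court.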

Tigert, Leavitt, and Morgan all agreed that working with attorneys means developing positive relationships with prosecutors. Understanding their perspective, including why they ask you to do some things, and gathering information on their needs — their timeline, strategy, trial prep schedule, objectives, and so on — can help you to offer creative solutions to build the case.

While personality differences can make this challenging, Morgan acknowledged, it can be a great way to add value to legal teams. To that end, Leavitt advised scheduling proactive “lunch and learn” type meetings that can help investigators, interviewers, child or victim advocates, and attorneys figure out the best ways to work together far in advance of trial.

Leavitt advised attendees to “start prepping for trial as soon as you start your case.” A heavy caseload doesn’t mean you can’t dot your i’s and cross your t’s; in fact, when you get to discovery, being able to show due diligence means the case is unlikely to go to trial.

Cellebrite Academy offers a form of peer review because of its implementation of proctored exams and other strategies. 

Legal Aspects Of Digital Evidence

Joseph Remy, an Assistant Prosecutor with the Burlington County Prosecutor’s Office, and Matthew Osteen, Cyber and Economic Attorney & General Counsel for the National White Collar Crime Center (NW3C), provided an overview of digital forensics for prosecutors.

This talk stressed the need for communication between forensic examiners, who are skilled at handling digital evidence, and prosecutors, who may or may not understand the many technical details involved in digital evidence. Even if the prosecutors do understand these details, judges and juries often don’t, so the better equipped a prosecutor can be to make a case in terms civilians understand, the easier trials will go.

Many of the takeaways from this talk involved “101” level details that many forensic examiners may take for granted in the course of their everyday work, but could end up being the first time an attorney, judge, or juror has had to consider them.

For example, when deciding whether to go to trial, prosecutors need to understand how you maintained evidentiary integrity. Documenting not only chain of custody and which tools you used on a forensic copy, but also whether you found the device damaged or destroyed — and any changes you yourself made — can be crucial particulars. Likewise the methods you used to isolate a device, preview content in the field, or authenticate evidence.

It’s also wise to document any tool testing protocols you use. Prosecutors will want to know how you ensure tools acquire and parse what they say they do, preferably through testing that involves multiple tools and multiple extraction types. (Hint: part of qualifying you as an expert witness in the United States may involve asking about processes and protocols like this.)

Locked devices may require you to ask for phone number(s), passcode(s), and/or biometrics. Osteen cautioned that, while biometric unlocks can be compelled, US case law goes “back and forth” on compelling passcodes. It’s best to check with a prosecutor in your jurisdiction before attempting this, and to be aware of technology methods such as brute-force and dictionary attacks, GrayKey, and Cellebrite’s Advanced Investigative Services (CAIS) — though changes to operating systems and device security, Osteen added, could inhibit those tools.

Prosecutors are integral to securing search warrants, yet enumerating the “places to be searched and the things to be seized” according to US law can be complex when it comes to digital devices. “Places to be searched” could include synchronized devices and accounts like computers, cloud accounts, and even vehicles, while “things to be seized” could encompass a range of data that may or may not be evidentiary.

To simplify this for the judges signing the warrants, it can help prosecutors (and therefore, forensic examiners) to analogize digital evidence to drugs and guns. For example, a digital device, if properly defined in a warrant, can be likened to a film case used to hide drugs. The point is to show that digital evidence can be found in a location’s smallest crevice, requiring a detailed search.

That detailed search, however, involves devices’ bits and bytes. Unlike drugs, digital storage doesn’t go stale. It’s more volatile, of course, but artifact fragments usually persist, and can potentially include evidence of more than one crime. That’s why the “places to be searched” must be spelled out, the search itself properly limited to a specific crime or crimes, and a new warrant obtained for evidence of each new crime. These practices should ensure the defensibility of the warrant(s).

Everyday analogies are also useful to describe abstract processes when you’re preparing to testify. For example, Remy said, the difference between a physical and a logical extraction can be explained by comparing a search of an entire house with a search of the rooms inside. Terms that are common to you, like “SQLite databases” and “plists,” also need to be explained to juries and attorneys, even if forensic tools present them in an understandable, “pretty” format.

These issues become even more pressing when it comes time to describe evidence acquired from the cloud. Remy said prosecutors need to know the differences between file storage, host websites, streaming, on-demand software, and data analysis. While the US Clarifying Lawful Overseas Use of Data (CLOUD) Act offers some guidance, in general, where data is stored can present a challenge, making the relationship between investigators and prosecutors more important to cultivate.

Cloud evidence was also the topic of a lecture given by Justin Fitzsimmons, Director of High Tech Training Services at SEARCH Group, Inc. This session, oriented to law enforcement and prosecutors, focused on legal process to use when approaching internet service providers (ISPs) like Google, Amazon, Facebook, Snapchat, and others for data related to user accounts, locations, and specific content.

Fitzsimmons stressed familiarity with different ISPs’ — and third parties’ — terms of service and privacy policies when preparing legal process. Companies like Facebook and Amazon have made important acquisitions in recent years that put data under their umbrellas, so it’s important to consider other potential data sources and their correlations.

When requesting data, Fitzsimmons reiterated the need to show a nexus: why you believe that data will prove your case or identify an offender, including user attributes (and how you define them) that will put a subject behind a device.

During his presentation, Fitzsimmons shared a video showing how Google processes search warrants. If a provider attempts to limit a warrant, he said, you should consider judicial remedies, or add language to the warrant to bolster the nexus between the data you seek and the evidence of the crime.

Fitzsimmons described the data that Apple, Snapchat, and other service providers do retain in the name of user convenience, which could be more than you might realize. Changes to their policies do take place, so it’s important for investigators to stay on top of terms of service and other policies: don’t discount obtaining data just because it hasn’t historically been retained.

SEARCH is most known for its ISP List, but it also offers a wide range of free investigative resources including training, podcasts, technical and legal guides, and even limited technical assistance. Visit for additional information. 

Technology is complicated and growing ever more so, and the high stakes of child exploitation investigations can put pressure on everyone. What the common threads across all these talks show is that great communication — both documentation and relationship-building — can relieve a lot of the burden in correctly interpreting digital evidence.

How do you connect and collaborate with other investigative team members in your jurisdiction? Head to the Forensic Focus forums to discuss; join our LinkedIn group; or get in touch with us on Twitter or Facebook!
