The Potential of Digital Traces in Providing Evidence at Activity Level

Hello. My name is Hans Henseler from the University of Applied Sciences Leiden. I’m going to present about ‘The Potential of Digital Traces in Providing Evidence at Activity Level’. This presentation is based by work together with professional report.

So the investigation that you perform depends on the case, how do we search the evidence in cases with a story and the suspects, then we search for evidence that can confirm the story.

But if you have a story with no suspect, we can search for evidence that’s going to identify the suspect for the complete story. But if you have no story, no suspect, we have to search for evidence that’s going to assist in the reconstruction and verification of the story. So how do we build the story? Basically, we can do that by answering the “the 7 w-questions”.

So who was involved? What happened? Where did it happen? When did it happen? With what did it happen? How or in what way did it happen? And finally, why did it happen?

The important step is that traditionally forensic investigation has primarily focused on determining the source of the trace. So who left the trace, but more recently forensic investigation has also started addressing the question, how traces will lift and if traces are related to the crime.


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

So how do we derive activities from traces? Well, here’s a simple example where somebody is holding a knife and cutting vegetables. If somebody is standing with a knife, it’s clearly a different way of holding the knife, the fingerprints will be different. So, the question changes from ‘who left the source of the trace’ to ‘what activity led to the deposition of the trace’.

It’s important, somebody can have their fingerprints on the knife but they might’ve been doing something completely different instead of stabbing anybody, the victim, for example.

So, how about digital evidence at activity level? Digital evidence contains more information about the different physical traces. So they are quite interesting for investigating the activity level.

Information about exact moments in time, sequence of events, and location can be derived from digital evidence and sometimes communication information contains both content as well as activity. For instance, the nature of a conversation or if you find search terms that were entered, that can be placed in time.

And experiments are needed to investigate how and where activities are registered and leave digital traces. So this is a nice example that we found that we reported about, the case of the ‘murder on the Bûterwei’. A body was found in a meadow in Friesland. It is called the Bûterwei. The victim was identified as a 37 year old man and the conclusion was that he was killed in a crime.

So we’ll show three examples of scenarios. In this first scenario, the suspect claims not to have left on the evening before the murder, but the prosecutor states otherwise. They say around 10:00 PM the suspect has driven her car to a nearby village, drives a bit further, stops at the side of the road, turns around and drives home. And actually, this is supported by the Google timeline data from the Google cloud that was extracted using the password that was recovered from the suspects phone.

The second scenario, the suspect claims that the phone was switched off because the battery was dead. And it was suspicious that the phone was switched off because she was looking for her husband. The prosecutor says that she manually turned off her phone and evidence shows that the logfiles did not show any sign of the ‘throttling status’, meaning that the iPhone battery was not empty.

And the third scenario, the suspect said that she asked the victim to meet her at the Bûterwei because she was going to pick him up after the festival. When the suspect arrived at the agreed meeting place she couldn’t find him and she returned home.

However, the prosecutor says, no, the suspect did ask the victim to meet her at the Bûterwei but she met the victim and walked with him into the field where he was subsequently murdered.

Now the evidence clearly states that the Google cloud data indicates that the phone of the victim was still moving at 0:27 am, at 0:40 am the orientation of the phone’s contents changes considerably, at 0:43 there is no further movement in the phone. The phone was found at the location where the victim was found the next morning. Location data furthermore shows that both phones were within a distance of 15 to 20 meters.

So this is typically what you can find digital evidence for and there’s many examples. Here’s an example, what was searched for and when. You can find the search terms, you can find the dates of the search queries. There’s many more examples.

So in conclusion, yes, digital traces can provide evidence about activity level events and help evaluate scenarios. But in turn, scenarios can also help in selecting and prioritizing digital traces, and also very important, detectives and forensic experts must have a basic understanding of digital evidence when they evaluate scenarios.

Thank you for your attention, and I’ll be available for questions later in this conference. Have a nice day.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...