Case Study: Hidden Gems in Call Logs

A call log is just a call log, right? To the majority of professionals in the criminal or civil world, you’ll discover that they believe that a call log is a simple, straightforward piece of the puzzle.  I am here to tell you that there are many hidden gems in call logs, and it is up to you to find them – if you really want to discover the real truth, that is.

In many cases that I have been involved with relating to cellular devices, I often see professionals in legal cases capturing call log data by simply taking photographs of the cellular device’s screen. To further aggravate this decision, the professionals pick and choose the timeline of the call log that they believe would be most relevant to their case.  Historically, this practice has been allowed in many courts – but this method is not recommended.  To acquire the full story, a forensic examination and acquisition of data from the cellular device is required. 

To fully understand my point, I have provided a case study from one of my past cases; fictitious names and events have been substituted.  While there are many more complex issues that can arise in cellular examinations by untrained or inexperienced people, the following example highlights one specific problem that can occur.

  • Jimmy is an accused drug dealer.  He was arrested on January 16, 2021, with 16 ounces of cocaine in the trunk of a vehicle he was operating. At the time of his arrest a cellular device was seized from his person. 
  • Upon doing a lawful search of the cellular device seized from Jimmy, there were 10 text messages located during a manual search of the device by law enforcement that seemed to be related to a drug transaction on January 15, 2021, with a subject identified in the message as ‘Kim-stepmom.’  Rather than wait for a forensic expert to examine the device, it was decided that photographs would be taken of the 10 text messages deemed relevant since it involved minimal time and effort. 
  • The cellular device was then returned to the owner upon his release on bond, as the evidence from the device had been “collected.”
  • The police know that Jimmy’s step-mother is Kim, and she resides with his father in the same town where Jimmy lives and was arrested.  The police interview Kim and she denies involvement in the drug transaction with Jimmy, but admits she does use cocaine on occasion.  Kim is not forthcoming with any other information, but is not uncooperative.  The police suspect she is not being honest about the drug transaction with Jimmy, but do not have enough to arrest her or charge her in the case with Jimmy.
  • Due to court delays, Jimmy not appearing for court and leaving the state after a warrant is issued for him, the case does not proceed to trial until two years later in March of 2023.  Kim is subpoenaed to testify regarding the text messages between her and Jimmy that are incriminating to Jimmy and show that he is a drug dealer.  Kim denies ever sending the messages. 
  • Jimmy then details to his attorney how his drug source was a guy named Billy, but in the contacts of his device he put ‘Kim-step-mom’ as the name pairing it with Billy’s cell phone number to throw the police off if they ever obtained his cell phone. 
  • The photographed text messages do not show the telephone number in the texts, only the programmed name – ‘Kim step-mom’ – and the content of the messages.  Though the content of the messages is still incriminating as it relates to Jimmy being a drug dealer, the attorney raises the issues with this information in court and shows that the police did not do their job during the investigation related to the cellular device.  The attorney also uses this information to call into question the ineffective investigative work by local law enforcement, which makes for an uncomfortable experience for the police testifying in the case.

In the example, a forensic examination of the cellular device would have uncovered the phone number alongside the contact name associated with the incriminating text messages. If you want to test this theory for yourself, look at your text message list in your texting application and identify a thread.  Next, go to your contact list and change the contact name of the person on that thread to something else.  Lastly, go back to the text message thread in the message application and notice that the entire thread’s contact name has been updated.  This trick works on many cellular devices – it is literally that easy to associate a fictitious person with a phone number to create confusion.
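To make that mechanism concrete, here is an added example (not from the original article, and not the schema of any real phone database) that models a message store in SQLite: the message rows keep only the raw address, the on-screen name is resolved from the contacts table at display time, and a forensic-style report preserves the number beside whatever label the contact currently carries. The phone number, names and message bodies are constructed sample data.

```python
import sqlite3

# Simplified, constructed model of a messaging store. Messages hold the
# raw address (phone number) only; the name shown on screen is looked up
# from the contacts table when the thread is rendered.
SCHEMA = """
CREATE TABLE contacts (number TEXT PRIMARY KEY, display_name TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, address TEXT, ts TEXT, body TEXT);
"""

# Constructed sample data mirroring the case study (hypothetical number).
SAMPLE = [
    ("INSERT INTO contacts VALUES (?, ?)", [("+15550100", "Kim-stepmom")]),
    ("INSERT INTO messages (address, ts, body) VALUES (?, ?, ?)",
     [("+15550100", "2021-01-15T20:05:00", "still on for tonight?"),
      ("+15550100", "2021-01-15T20:07:00", "same place as last time")]),
]

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn

def screen_view(conn):
    """What a photograph of the screen captures: the label and the text."""
    rows = conn.execute(
        "SELECT COALESCE(c.display_name, m.address), m.body "
        "FROM messages m LEFT JOIN contacts c ON c.number = m.address "
        "ORDER BY m.ts").fetchall()
    return [{"shown_as": name, "body": body} for name, body in rows]

def forensic_report(conn):
    """What an extraction preserves: the stored address beside the label."""
    rows = conn.execute(
        "SELECT m.address, c.display_name, m.ts, m.body "
        "FROM messages m LEFT JOIN contacts c ON c.number = m.address "
        "ORDER BY m.ts").fetchall()
    return [{"address": a, "contact_label": n, "ts": t, "body": b}
            for a, n, t, b in rows]

def rename_contact(conn, number, new_name):
    """Editing one contact relabels every message from that number."""
    conn.execute("UPDATE contacts SET display_name = ? WHERE number = ?",
                 (new_name, number))
    conn.commit()

if __name__ == "__main__":
    db = open_store()
    print(screen_view(db))            # labelled "Kim-stepmom"
    rename_contact(db, "+15550100", "Billy")
    print(screen_view(db))            # same messages, now labelled "Billy"
    print(forensic_report(db))        # the +15550100 address never changed
```

The screen photographs in the case study capture only what `screen_view` returns; `forensic_report` is the view an examiner would preserve.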

A forensic expert with the proper training, experience, and software could have easily performed a forensic examination on this device and produced a report detailing the facts and preserving evidence. Forensic examinations can help streamline investigative efforts and eliminate potential suspects, saving time, money, and frustration. Perhaps this approach would have led local law enforcement to quickly eliminate Kim as a suspect and allow them to focus their efforts on Billy, the source of the drugs. 

So when you discover that a call log is so much more than a call log, it’s time to consult a digital forensic expert and let them handle the digital forensic work!

Don’t Overlook the Importance of Vehicle Forensics in your Criminal Investigations

In my previous career in law enforcement, I specialized in criminal investigation – specifically drug and death investigations.  As I become more familiar with the benefits of vehicle forensics, I often think back about the important information that I missed when investigating past cases.  Most law enforcement investigators, me included, have not been educated on the vast amount of information and impact that forensics from vehicles can contribute to a case.  Most of us think that information from vehicles is limited to crashes, tire tracks, hidden compartments and other simple ideas.  What most law enforcement investigators don’t realize is that maybe, just maybe, vehicle forensics can help them find the missing link in their case – the amount of data that is collected, stored, and transmitted by vehicles is astounding.

When I look back on my past cases, I realize that intent would have been much easier to prove, had I been privy to vehicle forensics that showed events such as rapid braking, collision information, opening and closing of doors, or rapid acceleration.  Imagine if you could access and gather information related to a driver using the navigation system or pairing their device with the vehicle.  These dreams have now become a reality and are helping investigators, prosecutors, and defense attorneys build their cases. 

The average vehicle generates over 1TB of data each day, and under normal driving conditions, uses over 150 Electronic Control Units that must collectively execute millions of lines of code daily.  Electronic Control Units, commonly referred to as ECUs, are computers for specific purposes made for the automobile industry.  The ECUs execute specific functions in a vehicle and vary in complexity.  Some of the more complex ECUs in a vehicle are the Engine Control Module (ECM), Automatic Braking System (ABS) and the Airbag Control Module (ACM).  The ECUs continuously communicate with each other over multiple networks in the vehicle, and one ECU may record data from another ECU on the same network within the vehicle.  As an investigator, or someone concerned with the data from a vehicle, it is necessary to think of a vehicle as a collection of various systems, each possibly containing information that may be relevant to the investigation or case.  Thinking about what is possible, knowing how to obtain the information, and knowing who can assist is important for investigators.  A vehicle that contains data and evidence must be thought of immediately as a volatile item of evidence – even after seizure of a vehicle (or at the time of seizure), actions by law enforcement, tow truck drivers, citizens or just about anyone with access to the vehicle can change or destroy evidence stored in vehicle systems.  These actions have the potential to overwrite some of the data that exists in the vehicle, resulting in data loss if the vehicle is not handled appropriately.

As investigators, it is important to have a general understanding of what information a vehicle may contain and to understand that the vehicle is an important and highly underutilized piece of evidence in many investigations.  Once the vehicle is secured, seek the assistance of someone with training, education and experience in vehicle forensics to consult with and assist in the acquisition of information from the various vehicle systems.

What happens if what you are looking for is right in front of you, but you can’t find it? 

Cellular phone forensics is a complex subject and can often be intimidating, especially to those who don’t work in the cellular realm every day.  However, on a daily basis, there are several self-declared experts in this field who have never attended a training – they have simply possessed a cell phone and felt confident in its use and associated data functions.  As a matter of fact, these experts can be found in any law enforcement department around the country.  It is simply bewildering the number of law enforcement investigators who jump at the opportunity to conduct their own cellular examinations of their evidence, often under the pretense that they know what they are looking for and can easily access it, saving their departments time, money, and resources – effectively being good stewards of taxpayer dollars. I mean, honestly, why would you pay for something that you could easily do yourself?

This decision, though often made with good intentions, can also backfire.  Let’s compare this very same scenario to DNA evidence.  Investigators are trained to collect DNA evidence and then send it off to the experts in the labs to process, identify, and report back any findings.  Why would this same process not be adopted for cellular examinations – or any type of digital forensic examination? The role of the law enforcement officer with regard to digital evidence should include: (1) collecting the evidence (in this case cellular devices), (2) writing effective search warrants that will support a lawful and thorough examination of a cellular device by qualified personnel, (3) knowledge of handling procedures, including packaging and shipping the device to a forensic examiner (the scientist of the digital world), and finally, (4) allowing the expert to examine the evidence in a sound forensic manner and environment.

Self-declared forensic experts, aka law enforcement investigators, arise from the unknown.  These unknowns range from the associated data retrieval costs of involving an expert; uncertainty that the expert can actually recover any data – and if not, the cost associated with the attempt; and the length of time it takes an expert to extract, interpret, and report on the data.  And for good measure, let’s throw in the fact that law enforcement investigators have finite resources and limited time frames – and many times – a supervisor that doesn’t fully understand that an expert can help uncover the answers, or in the very least, eliminate any false assumptions.

In most cases I’ve helped with, I find that law enforcement investigators simply stop their investigations at the tip of the iceberg, because they are not familiar with the sheer amount of data that could be retrieved from cellular devices.  Most investigators focus their sights on data elements such as contact information, call logs, text messages and photographs. I’ve witnessed this time and time again, especially in cases involving narcotics trafficking and unlawful gun crimes.

Most drug investigators are hoping to find a single text message from the drug source to the drug buyer stating that the 2kg of cocaine was delivered to a specific location at a specific date and time, accompanied by a photo of two bricks of cocaine with 2kg written on them; and let’s throw in a picture of a gun for good measure.  To wrap up the case, a secondary text message is sent from the buyer to the seller saying “I’ll meet you there.”  The cherry on top would involve the investigator seeing this information before the exchange happens so he could be there to witness the crime.

We all know it isn’t that simple, yet law enforcement continues to limit their possibilities by digging for the answer themselves.  I am here to inform you that cellular phone forensics can and will uncover a slew of unknown activity that the investigator may or may not have known about.  In addition to the common data elements that investigators focus on, I’ll provide a short list of data elements often forgotten:

  • Call log information (outgoing and incoming)
  • Instant messaging
  • GPS locations associated with photographs
  • Google searches for the meeting locations or hundreds of other locations
  • Chats
  • Contacts
  • GPS locations associated with the device itself or events done on the device
  • Emails
  • Installed applications (identification of accounts, cash apps, other sources of communication, etc.)
  • Passwords
  • Social media
  • Web history (searches of places, events, map locations, etc.)
  • Wireless networks
  • Video from various sources (video taken from device, video received from others, video from security systems the phone is synced with, etc.)
  • Timelines of events from the device

Though this list is not all inclusive, it gives you a picture of the rapidly changing digital forensic world.  Law enforcement runs a risk when it decides not to include a digital forensic expert; such risks include loss of data, altered data (inadvertently or not), and skipping over pertinent data. These issues could render any data inadmissible in court.

It is understandable when law enforcement attempts to do more with less. Over the past few decades, officers have been asked to take on many new roles and tasked with ever-changing responsibilities.  Handling, extracting, and interpreting digital evidence should not be one of them – tasks like this should be left to the experts who have extensive training and knowledge in this field.