Authors: Dr. J. Henseler (University of Applied Sciences Leiden) and Prof.dr. C.J. de Poot (Amsterdam University of Applied Sciences, the Police Academy, and VU University of Amsterdam)

DFRWS USA 2020

Abstract

Physical and digital traces play an important role in forensic science. In investigations it is quite common to examine traces at the source level. However, this is often insufficient to relate a suspect or object to a crime. It is important to also determine the activity that left the trace. In the forensic expertise fields of DNA, fibres, glass, paint, gunshot residues and fingerprints, the evaluation of the evidence given activity level propositions is already being studied. However, in digital forensic science, this topic is not yet explored. Smartphones and smart devices contain a variety of digital traces that can be used to create, adapt and validate hypotheses. These traces have become more personal because of biometric access control, active social media accounts and sophisticated time trackers that can be used to monitor unconscious behavior. Now that both volume and nature of digital information is growing, successful search strategies go beyond reading emails, documents and chats or watching photos and videos. In contrast to physical evidence, digital evidence often contains information regarding the precise moments in time and exact order in which traces were created. Moreover, in cases where digital evidence contains communication information not only the activity itself but also the contents of the communication (e.g. nature of a conversation, search terms that were used) can be put in a timeline. This makes digital evidence not only useful in answering questions on source level, it can also assist in assessing evidence on activity and offence level. In cybercrime investigations, e.g. hacking and phishing, digital traces may be the only evidence for creating scenarios for a crime that was committed in cyberspace without any physical traces or eyewitnesses. But also for traditional criminal cases digital traces have great potential, because these traces can often link different questions about persons (who), activities (what), places (where) and times (when). We illustrate this potential by presenting an analysis of three Dutch criminal cases and their corresponding court rulings. For each case we have selected a number of activity related propositions that were suggested by the defense and by the prosecution. We describe how digital evidence assisted in determining the most likely proposition and illustrate in detail how digital traces of activities appear in modern Android and iPhone smartphones.

Downloads