Computer Forensics in the Courtroom

After more than eight weeks in trial, and more than two years in preparation for trial, Cary computer engineer Brad Cooper was found guilty of first degree murder in the death of his wife Nancy Cooper. Many in Raleigh and the Research Triangle were captivated by the salacious details – marital infidelity, rumors, and gossip – that took up a good part of the trial. WRAL reported more than 22,000 comments on the news articles it posted on its website.

More important, however, was the centrality of computer-related evidence in the trial. People who watched heard about routers, WiFi, packet injection, the WEP and WPA encryption standards, MFT tables, SIM cards, EnCase, Forensic Toolkit (FTK) and the like. For people who simply plug in a computer to get on Facebook or use their cell phones to send the occasional text, this was all gobbledygook.

However, this evidence was crucially important because the most damning piece of evidence the State had was the Google Maps search purportedly conducted 12 hours before Ms. Cooper’s body was found, showing the location of her body. If Brad Cooper did in fact search that site before his wife’s body was found, that would be highly suspicious. But the defense contended that such evidence was either faked or planted.

The trial highlighted how, in a digital age, evidence from cell phones, Facebook accounts, and computers will become crucial, especially in cases where there is no direct evidence of a crime. And that’s what the Cooper case was.

There are multiple issues related to computer evidence in a trial, but let’s focus on three:

First, digital evidence is highly volatile, meaning that it can very easily be tampered with or be subject to inadvertent destruction. Where police seize computer equipment but do not first shut it down, such equipment may run for days or weeks on battery power, which means that evidence can potentially be accessed, deleted, or modified long after it left the suspect’s home. In addition, because digital evidence is so transitory, it can easily be overwritten or planted, and such overwriting and planting may be very difficult for a computer technician to trace.

Second, people have tremendous amounts of personal information on their phones and computers and on services like Facebook, Gmail, Hotmail, MySpace, and Twitter. The volume of information may simply overwhelm not only police agencies, but also under-resourced defense lawyers. Police agencies can usually command the resources – whether by calling in the FBI or the State Bureau of Investigation – to conduct an investigation. But a defense attorney is usually a single lawyer who may or may not know anything about how computers even work. Consequently, a defense lawyer may be completely outmatched in terms of resources to defend his client, even though the FBI or SBI’s investigation may have been shoddy.

Third, there are a number of cultural and generational divides that make the use of technological evidence at trial difficult to manage. Many people who are 40 or over really have no clue about how computers work (that’s true of many people under 40 too, but at least they may be familiar with what Facebook or an MP3 player is). Judges and most senior lawyers tend to be over 40 and, consequently, unless they’ve devoted considerable time to learning the technology, may be completely befuddled by the presentation of evidence. Sometimes lawyers and judges who know nothing about these technologies may even take pride in their ignorance – “I don’t even have a Facebook account” – which is particularly disturbing.

Such ignorance can make judges ill-equipped to rule on evidentiary motions, and can make defense lawyers incapable of responding to the evidence.

In addition, there is a cultural divide between the courtroom and computer technologists. The courtroom places great weight on certifications. If someone has been certified by some agency as an expert in, say, EnCase, they are presumed to be an expert. Consequently, the FBI, whose computer forensic people may or may not be very good, focuses on sending them to certification courses, knowing that getting admitted as an expert in court is the most important thing.

In the computer world, however, the best experts – the people who really know their stuff – don’t rely on certifications at all. You can spend thousands of dollars and hundreds of hours getting a Microsoft certification, or you can actually learn how to use the software and equipment. Computer people – the ones who make a good living at this stuff – tend to simply learn the software and equipment. Consequently, they usually find it harder to get admitted as an expert in a court of law: while they may have far more skill than the FBI computer expert, they lack the proper certifications, because such certifications are usually worthless in the real world.

These problems are going to continue to plague our criminal justice system for decades.

Damon Chetson

Damon Chetson is a Board Certified Specialist in State and Federal Criminal Law. He represents people charged with serious and minor offenses in Raleigh, Wake County, and the Eastern District of North Carolina. Call (919) 352-9411.