Two Cases Utilizing Extraction
A. Prosecution
A woman was found dead in her home from an apparent suicide. Sleeping pills and a note were found by the bed. Her case was reopened several months after her death, when her parents shared information that cast doubt on the suicide ruling, and four years later her husband was taken into custody for her murder. Without that general suspicion and the digital evidence that followed, the death would forever have been ruled a suicide.
Investigators seized the hard drive from the husband's work computer at the church where he was a minister, and a server from a youth center where he also worked. Through a physical extraction, digital forensics examiners recovered searches for "overdose on sleeping pills," visits to pharmaceutical websites, pornographic websites, and sites for married people seeking affairs. The evidence also identified the woman with whom the husband was having an affair, and she became a key witness in the case against him. She testified that he had told her everything he did to murder his wife, including slipping her the pills and suffocating her with a pillow.
Together, this evidence built the case against the husband for the murder of his wife. He was sentenced to 65 years in prison.
B. Defense
The case began with one person accusing another of sexual assault and presenting a video to the police as evidence. The accuser testified before a grand jury that, while looking through the accused's phone, they had found videos, recorded several months earlier, of the accused assaulting them while they were unconscious. The accuser said they sent the videos to their own device and then deleted the message from the accused's device so the accused would not see that the videos had been discovered.
On initial examination, the defense team noticed that the file names did not follow the iOS camera naming convention. For example, one file was named IMG-1234.MOV, whereas the device itself would have named it IMG_1234.mov, with an underscore rather than a hyphen. Furthermore, the sequence number in the file name implied a creation date outside the timeline the accuser had described. The defense therefore concluded that the video presented to the prosecutor's office was not the original file and that its provenance could not be verified.
The prosecutor's office then produced two more videos and two screenshots of the videos. The defense examined the new evidence and compared the two visually similar videos: both had non-standard file names, and their hashes differed, so they were not byte-identical copies of one file. At this stage the defense performed a full file system extraction of the accused's device. In the message database they found a gap in the primary key sequence, i.e. a deleted text message. The message content could not be recovered, but the timestamps of the neighboring records bounded the time at which it had been sent. The screenshots provided by the DA's office carried timestamps showing when the videos were received on the accuser's device, and that time fell inside the window, which let the defense tie the deleted record on the defendant's device to the transfer of the videos.
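The primary-key gap analysis described above, as an added example that is not part of the original case write-up or any forensic tool's code: a SQLite message table (constructed here, loosely modeled on a mobile messaging database but with a simplified schema and Unix-epoch dates, both assumptions) is scanned for missing ROWIDs, each gap is bounded by the timestamps of its surviving neighbors, and an externally obtained timestamp (such as the "received" time on a screenshot) is matched to the gap it falls into.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_db():
    """Constructed sample data: a message table from which some rows were deleted.

    ROWIDs 103, 106 and 107 are absent, standing in for deleted messages.
    The schema and epoch format are simplified assumptions, not a real sms.db.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER, text TEXT)"
    )
    rows = [
        (101, 1560000000, "hey"),
        (102, 1560000600, "running late"),
        # 103 deleted
        (104, 1560018000, "on my way"),
        (105, 1560018300, "ok"),
        # 106 and 107 deleted
        (108, 1560060000, "call me"),
    ]
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def find_rowid_gaps(conn):
    """Return [(missing_rowids, lower_ts, upper_ts), ...] for every gap in ROWID.

    Assumes ROWIDs were assigned in increasing order over time, so a deleted
    row must have been written between its surviving neighbors. Caveat: in
    SQLite without AUTOINCREMENT, deleting the highest ROWID lets it be
    reused, so a gap at the very end of the table cannot be detected this way.
    """
    rows = conn.execute("SELECT ROWID, date FROM message ORDER BY ROWID").fetchall()
    gaps = []
    for (prev_id, prev_ts), (next_id, next_ts) in zip(rows, rows[1:]):
        if next_id - prev_id > 1:
            missing = list(range(prev_id + 1, next_id))
            gaps.append((missing, prev_ts, next_ts))
    return gaps


def locate_gap_for_timestamp(gaps, ts):
    """Return the missing ROWIDs whose time window contains ts, or None."""
    for missing, lower, upper in gaps:
        if lower <= ts <= upper:
            return missing
    return None


def describe_gap(gap):
    """Render one gap as a human-readable line for a report."""
    missing, lower, upper = gap
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    ids = ", ".join(str(i) for i in missing)
    return f"ROWID {ids} deleted; written between {fmt(lower)} and {fmt(upper)}"


if __name__ == "__main__":
    conn = build_sample_db()
    gaps = find_rowid_gaps(conn)
    for gap in gaps:
        print(describe_gap(gap))
    # Constructed "received" timestamp taken from a screenshot on the other device.
    screenshot_ts = 1560010000
    print("screenshot time matches deleted ROWID(s):",
          locate_gap_for_timestamp(gaps, screenshot_ts))
```

The window is only as tight as the traffic around the deleted row; a quiet period yields a wide bound, a busy one a narrow bound. In practice the same ordering argument is applied to the real database's own key and date columns, and the result is corroborated against the receiving device rather than taken alone.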
This led the defense to suspect that they were looking at altered evidence, and at the next evidentiary hearing they challenged it. The judge ordered the accuser to produce the device containing the evidence for examination by law enforcement and by the defense examiner.
Digital forensics examiners were then able to determine the date and time at which one of the videos was recorded. The message in which the accuser had sent the video files to themselves was timestamped five hours after the videos were taken, and it was the first use of the phone after the alleged incident. This was a serious problem for the accuser's account: they had told investigators that they discovered the files on the accused's phone months after the videos were recorded, when in fact the files had been sent to the accuser's phone just five hours later.
Taken together, this evidence directly contradicted the accuser's story and eventually led to the exoneration of the accused.