
Skeletons in Your Client’s “Digital Closet”

Updated: Mar 6, 2023

Legal proceedings often rely on human memory for events and the sequence of those events. Studies have shown that individuals are notoriously bad at remembering details about past events. Without replenishment or review of perceptions, neural traces in the brain degrade and information is lost. Digital forensic investigations have played a pivotal role in many highly publicized cases, and those same forensic techniques can be applied to recreate seemingly routine events that humans typically forget. This article examines how digital forensics can aid the legal profession with fact finding to support or refute eyewitness testimony involving details of events.

The decay curve that models how many facts the human mind forgets is an initially very steep logarithmic function. The same curve shows how many natural processes, such as radiation, diminish with time; it is ubiquitous throughout science. [1]

Eye-witnesses typically forget over 77% of the facts within 3 days...

Digital devices, however, are very good at “remembering” such otherwise forgotten details. A modern analysis of digital devices is commonly overlooked as a source of important and case-changing information. Because of the quick loss of potentially valuable facts, attorneys, law enforcement, and investigators must sometimes use a forensic digital examiner to tap into digital devices and retrieve critical information. Digital capability is explored herein after the human remembering ability is briefly reviewed and modeled.

The Basic Hypotheses

Psychologists have approached the subject of forgetting in various ways. Psychologist Donald O. Hebb first applied a decay curve formula to memory loss.[2] Memories certainly fade over time, but how quickly the details about past events fade differs from individual to individual. Several studies support this rapid-loss-of-information model. [3],[4],[5] Among many hypotheses, two fundamental representations exist to determine the decline in recollection of events. The first considers that there is no correlation between the amount of information or number (N) of facts learned and the time frame (t) over which it is forgotten.[1] According to the first model, it does not matter if someone is given 10 or 20 items/facts (N) to remember: the rate at which they are forgotten remains constant.

The second hypothesis asserts that the amount of original information learned does indeed have an effect on how quickly information is forgotten over time.[6] In the example above, the 20-item learning set typically, yet counter-intuitively, results in a longer memory retention period than the 10-item set. In this article, the second hypothesis is accepted and used.



Figure 1: Hypothetical forgetting curve based on Geoffrey R. Loftus (1985) paper “Evaluating Forgetting Curves” [4]

As Figure 1 shows, the loss of information happens exponentially from the time an event occurs.[7] In this example, an item set (N) of 20 and a delay (t) of 3 days are assumed. The result is a loss of 77.7% of facts (P) since the event occurred 3 days prior. What is especially interesting is that a significant memory loss happens within the first 5-6 days.

Only 5 out of 20 facts are remembered by eye-witnesses after 3 days...

How does this relate to an investigation or legal matter? Consider for a moment the time that transpires before a client seeks counsel or initiates a conversation about an event. Taking such delays into account, it is obvious that crucial information might be missed when relying only on human memory. Furthermore, studies have shown that eyewitness accounts are extremely unreliable and sometimes even produce misleading information.[8],[9] The combination of rapid decline of details in memory and unreliable eyewitness reports seems to make it incredibly difficult to obtain factual data.

The Digital Device Model

As mentioned earlier, digital devices such as computers and cell phones are very good at “remembering” past events and should be used more often for such purposes. Using the same decay formula as in Figure 1, Figure 2 shows a hypothetical scenario of events that digital devices may have recorded, yet are overlooked by a client or fact-finder.


Figure 2: Hypothetical events recorded by digital devices and forgotten by a client after only 3 days

In only 3 days, a series of events took place that a person may have already forgotten, yet they are conveniently stored in digital devices. Although this example reflects a small number of events (20), it can be assumed that over those 3 days, a significantly larger number of data points were recorded. One other consideration might be that various applications on mobile devices record GPS (global positioning system) locations as the device is being used. Such activity may happen without the user’s knowledge. This process of “geo-tagging” information is covered later in this article.

The Significance

Digital devices do not forget information, even if they are “forced” to delete it by their operator. Deleted information frequently retains artifacts that have references to prior original records. Additionally, today’s digital devices, especially cellular phones and tablets, record much more information than the user might expect. Service providers and operating system creators such as Google™, Microsoft™, Apple™, and so on, want to know why, what, where and how the users are interacting with such devices. This “background intelligence” is typically not visible or known to the end-user, yet may hold invaluable clues that can be accessed through digital forensic analysis.

Digital devices do not "forget" information... and should be considered during investigations...

It is important to understand that, compared to human information retention, this intelligence will likely provide a more complete sequence of events that took place days or weeks earlier. For both plaintiffs and defendants, the correct superposition of events in the interpretation of interview and other discovery information is paramount to success in court. Such computer-generated facts have extreme accuracy from the perspective of date, time, and sequence. Not knowing information that falls into the “forgotten facts” segment of Figure 2 may cause unnecessary challenges during litigation and may adversely affect a legal strategy.

Those who work in the legal profession need to know that digital devices record more information about a particular action or event than just the event itself. For example, there could be a correlation between multiple applications on one or more devices. GPS coordinates may not be embedded inside a photograph taken with a smartphone; however, if the photographer’s cellular phone simultaneously sent its GPS coordinates to a third-party application checking to see whether friends are nearby, then it is possible to connect the date and time the photograph was taken to the third-party application that did record date and time. The forensic examiner can fill in missing facts forgotten or not known by the user.
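The photograph-to-application correlation described above can be sketched in a few lines of Python. This is an added example, not part of the original article: the file names, coordinates, ping format of the hypothetical third-party application, the device's UTC offset and the five-minute tolerance are all constructed assumptions.

```python
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real case).
# Photos: EXIF-style capture time is local wall-clock time, no zone, no GPS.
PHOTOS = [
    ("IMG_0001.jpg", "2023:03:01 14:05:10"),
    ("IMG_0002.jpg", "2023:03:01 18:40:00"),
]
# Location pings kept by a hypothetical third-party app: (UTC time, lat, lon).
APP_PINGS = [
    ("2023-03-01T18:50:02+00:00", 40.7128, -74.0060),
    ("2023-03-01T19:04:55+00:00", 40.7306, -73.9866),
    ("2023-03-01T21:10:00+00:00", 40.7580, -73.9855),
]

def photo_time_utc(exif_stamp, utc_offset_hours):
    """Convert a zone-less EXIF timestamp to UTC using the device offset (assumed known)."""
    local = datetime.strptime(exif_stamp, "%Y:%m:%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=zone).astimezone(timezone.utc)

def correlate(photos, pings, utc_offset_hours, max_gap=timedelta(minutes=5)):
    """Map each photo to the nearest ping within max_gap, or None if none is close enough."""
    pings = sorted((datetime.fromisoformat(t), lat, lon) for t, lat, lon in pings)
    times = [p[0] for p in pings]
    results = {}
    for name, stamp in photos:
        taken = photo_time_utc(stamp, utc_offset_hours)
        i = bisect_left(times, taken)
        # Only the ping just before and the ping just after can be the nearest.
        candidates = pings[max(i - 1, 0):i + 1]
        best = min(candidates, key=lambda p: abs(p[0] - taken), default=None)
        if best and abs(best[0] - taken) <= max_gap:
            gap = int(abs(best[0] - taken).total_seconds())
            results[name] = {"lat": best[1], "lon": best[2], "gap_seconds": gap}
        else:
            results[name] = None  # leave the gap visible instead of guessing a location
    return results

if __name__ == "__main__":
    for name, hit in correlate(PHOTOS, APP_PINGS, utc_offset_hours=-5).items():
        print(name, hit)
```

Running the same data with the wrong UTC offset yields no match at all, which is why the device's time zone and clock accuracy have to be established before two sources are joined on time.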

The “Digital Closet”

Because this article cannot discuss all facets of information created and stored by various operating systems running on computers and mobile devices, the following list serves as a reference of what might be recovered from computers.

  • File download activity

  • Program executions

  • USB hard drive connectivity and usage

  • Internet browsing history

  • File creation, modification, and open activities

  • Data destruction activity

  • User account history

  • Previous versions of files

  • Installation information of software

Extremely useful information can be extracted from smartphones and tablets; however, they inherently cause more challenges during data acquisitions and analyses due to their vastly different architecture and security features. Each of these fact-based “data points” provides a wealth of information that supports the efforts of preparing a more complete time line surrounding historical events. The following represents a partial list of information that can be recovered from a mobile device.

  • Call logs (dialed, received, missed)

  • Contact List

  • MMS (multi-media-system) messages (including deleted [10])

  • SMS (short-message-system) messages (including deleted [10])

  • Email

  • Voicemails (including deleted [10])

  • Native installed applications

  • Third-party applications (Facebook™, Snapchat™, Dropbox™, etc.)

  • Pictures (including deleted [10])

  • Internet history

Each and every single one of these data points can provide a wealth of information on its own and support the efforts to prepare a more complete time line surrounding historic events by using fact-based data.

Conclusion

Accurate recollection of events and facts by humans is unquestionably subjective, fragile, ephemeral, distortable, and fallible. This includes eyewitness accounts. The standard exponential decay curve clearly shows how quickly a significant amount of information is forgotten by humans. By effectively utilizing digital evidence, it is possible to narrow the “fact-gap.” Digital evidence contains many attributes and sequences that allow forensic examiners an objective method to make fact-based comparisons and decisions. The method may provide more comprehensive and robust information that facilitates attorney-client discussions and their trial preparations. Due diligence means not leaving relevant factual information on the table; if information is available through forensic examination, it can and should be accessed.

With data being all around us, it might be worthwhile to ask the question: “Who else might gain access to this digital information and what would they find?”






References:

[1] A. D. Baddeley, Working Memory (Oxford: Oxford University Press, 1986).

[2] Jennifer Bothamley, Dictionary of Theories (Canton, Mich., Visible Ink Press, 2002), 137.

[3] N. J. Slamecka, B. McElree, “Normal forgetting of verbal lists as a function of their degree of learning,” Journal of Experimental Psychology: Learning, Memory and Cognition 9 (1983): 34-397.

[4] R. C. Atkinson, R. M. Shiffrin, “Human memory: A proposed system and its control process,” in The Psychology of Learning and Motivation, vol. 2, eds. K. T. Spence and J. T. Spence (New York: Academic Press, 1968).

[5] B. B. Murdock Jr., C. D. Cook, “On fitting the exponential,” Psychological Reports 6 (1960): 63-69.

[6] Geoffrey R. Loftus, “Evaluating Forgetting Curves,” Journal of Experimental Psychology: Learning, Memory, and Cognition 11, no. 2 (1985): 397-406, http://faculty.washington.edu/gloftus/Downloads/LoftusForgettingCurves.pdf.

[7] In the decay curve formula, “e” represents the base of the natural (Napierian) logarithm, a constant approximately equal to 2.718. The units of time do not have to be days. Time could be hours, weeks, or months; the formula is independent of the unit used.

[8] Hal Arkowitz, Scott O. Lilienfeld, “Why Science Tells Us Not to Rely on Eyewitness Accounts,” http://www.scientificamerican.com/article/do-the-eyes-have-it/.

[10] The ability to recover deleted information varies and depends on, yet is not limited to, factors such as phone model, service provider, operating system, application used, and available acquisition method.
