The presentation discusses how sensor data and connectivity through devices like cameras, phones, vehicles, and appliances can provide evidence through the "Internet of Evidence" in legal cases. This sensor data, also called the "Internet of Things", is growing exponentially and can support determining timelines, identities, intentions, conditions, and knowledge in legal matters. However, precautions must be taken to properly preserve, analyze, and apply this data as potential evidence. Two case studies are provided as examples.
5. The “Internet of Evidence™”
Little Brother Is Watching You – And
He’s Taking Notes!
Wayne B. Norris
2534 Murrell Road, Santa Barbara, CA 93109-1859
805-962-7703 Voice 805-456-2169 FAX
Wayne@WayneBNorris.com http://WayneBNorris.com http://TheInternetOfEvidence.com
Using the Vast and Ever-Growing Array of
Sensors and Data recorders to Assist in
Establishing Truth, Justice, and the
American Way [with apologies to Superman]
6. Sensors Are Devices That Detect
[and often record] Data
Modern digital cameras record time, date, and often GPS
coordinates INSIDE picture files, in what is known as the Exif
Header: http://en.wikipedia.org/wiki/Exchangeable_image_file_format
In addition, that data is written to the file system of the camera
Mobile phones report their location to the carrier several times
per minute: http://en.wikipedia.org/wiki/Mobile_phone_tracking
Computer browsers such as Chrome and IE report multiple data
back to Google and Microsoft frequently
Social media and mobile applications, from FaceBook to the
Starbucks Coffee app on phones, record constantly
Both iOmniscient and General Electric have developed
behavioral analytic software for surveillance video analysis
1/11/2016 The Internet of Evidence(tm) - Little Brother Is Watching You – And He’s Taking Notes!
6
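An added example, not part of the original presentation: a minimal Python reader for the Exif header described on this slide, pulling the capture time and GPS position out of a JPEG file. The function names are hypothetical, and the sample image bytes, date and coordinates are constructed for illustration.

```python
import struct

def _ifd(t, off, e):
    """Decode one TIFF IFD into {tag: value}; ASCII, LONG and RATIONAL only."""
    out = {}
    for i in range(struct.unpack_from(e + "H", t, off)[0]):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", t, off + 2 + 12 * i)
        size = {2: 1, 4: 4, 5: 8}.get(typ, 0) * cnt
        # values of four bytes or fewer sit inline, larger ones at an offset
        data = raw if size <= 4 else t[struct.unpack(e + "I", raw)[0]:][:size]
        if typ == 2:
            out[tag] = data.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 4 and len(data) >= 4:
            out[tag] = struct.unpack_from(e + "I", data)[0]
        elif typ == 5 and len(data) == size:
            v = struct.unpack(e + "%dI" % (2 * cnt), data)
            out[tag] = [n / d if d else float("nan") for n, d in zip(v[::2], v[1::2])]
    return out

def read_exif(jpeg):
    """Return capture time and GPS position from a JPEG's Exif header, or None."""
    pos = 2  # segments start after the FF D8 start-of-image marker
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        size = struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and seg[:6] == b"Exif\0\0":
            break
        pos += 2 + size
    else:
        return None
    t = seg[6:]  # TIFF block; every offset below is relative to its start
    e = "<" if t[:2] == b"II" else ">"
    ifd0 = _ifd(t, struct.unpack_from(e + "I", t, 4)[0], e)
    exif = _ifd(t, ifd0[0x8769], e) if 0x8769 in ifd0 else {}
    gps = _ifd(t, ifd0[0x8825], e) if 0x8825 in ifd0 else {}
    out = {"DateTimeOriginal": exif.get(0x9003)}
    dms = lambda v, ref: (v[0] + v[1] / 60 + v[2] / 3600) * (-1 if ref in ("S", "W") else 1)
    if {1, 2, 3, 4} <= gps.keys():
        out["lat"], out["lon"] = dms(gps[2], gps[1]), dms(gps[4], gps[3])
    return out

def sample_jpeg():
    """Constructed sample (not a real photo): Exif capture time plus GPS."""
    ent, end = (lambda *f: struct.pack("<HHII", *f)), b"\0" * 4
    t = struct.pack("<2sHIH", b"II", 42, 8, 2) + ent(0x8769, 4, 1, 38) + ent(0x8825, 4, 1, 76) + end
    t += b"\1\0" + ent(0x9003, 2, 20, 56) + end + b"2016:01:11 09:30:00\0"
    t += b"\4\0" + ent(1, 2, 2, ord("N")) + ent(2, 5, 3, 130) + ent(3, 2, 2, ord("W")) + ent(4, 5, 3, 154)
    t += end + struct.pack("<12I", 40, 1, 30, 1, 0, 1, 74, 1, 15, 1, 0, 1)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(t) + 8) + b"Exif\0\0" + t + b"\xff\xd9"
```

The DateTimeOriginal value is whatever the camera clock was set to and carries no time zone, so check it against the memory card's file system timestamps before placing it on a timeline.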
7. Sensors Are Devices That Detect
[and often record] Data (cont.)
Cars have Event Data Recorders [EDRs] that
even record items including SEAT POSITION:
http://media.mgnetwork.com/blackbox/
Sensor data can be stored locally or in
distributed fashion
“Smart” appliances such as refrigerators,
microwave ovens, door locks, and HVAC
systems report data to servers.
Servers from iTunes to Amazon to Cox to
Comcast to Facebook preserve data sent and
received on computers and mobile devices.
8. Sensors Are Devices That Detect
[and often record] Data (cont.)
Toll bridges and toll roads, many traffic lights,
and police department stolen car units –
AND PRIVATE COMPANIES – scan license
plate data at entry points and also in cities
at large.
Many modern vehicles transmit useful information TO OTHER
VEHICLES in the upcoming “V2V” formats.
Workplace computer systems are often required to journal
emails, and in some cases, web references, for several years.
Traditional E-Discovery is the springboard. The Internet of
Evidence is the extension of E-Discovery to everyday life.
9. The Net Effect Is That Sensor Data
Is Exploding
No less a player than IBM is paying great attention to this
phenomenon, in a 1-hour Webcast, “Solving the Big Data
Challenge of Sensor Data”
http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=ST&htmlfid=IMV14323USEN
The phenomenon will only grow larger
with time. 37 billion devices will be Internet
connected by 2020. Thought leaders refer
to this as the “Internet Of Things” [“IOT”]
http://en.wikipedia.org/wiki/Internet_of_Things
There is even…
The “Internet of Everything” [“IoE”]
http://www.qualcomm.com/solutions/ioe
10. The Net Effect Is That Sensor Data
Is Exploding (cont.)
The legal system has no choice but to incorporate this flood
of sensor data into its practice.
We now truly have the “Internet of Evidence™”
11. The Internet of Evidence Is As Ground
Breaking as Fingerprinting or DNA!
The sensor data and the Internet of Evidence™
support:
Determination of time lines
Identities of actors
Alibis
Intent of actors
External and environmental conditions
Who knew what, and when they knew it
12. The Internet of Evidence Is As Ground
Breaking as Fingerprinting or DNA! (cont.)
Just as with physical evidence, Internet of
Evidence™ is subject to:
Requirements for discovery, seizure, chain of
custody, and accurate transcription
Possible tampering, forgery, and counterfeiting,
and
Intentional or inadvertent
loss or destruction.
13. Case Study Number 1 – The Data
Collection That Didn’t Happen
<Case name withheld at request of subject attorneys>
California Criminal case – molestation of underage
female victims by 17-year-old male, July 2011
A family event with parents, defendant, two younger
brothers, older married sister, two nieces [6 and 8],
and a family friend [11]
Defendant was professionally
employed as a paparazzi
photographer
14. Case Study Number 1 – The Data
Collection That Didn’t Happen (cont.)
While sister [nieces’ mom] went shopping,
Defendant was asked to:
Take paparazzi photos of 3 girls using Canon EOS 60D DSLR
Download music from iTunes to sister’s laptop
“RIP” some music CDs to sister’s laptop
Sister was gone for 45 minutes
Family barbecue went on as planned
11-year-old reported molestation to girlfriend after
starting 7th Grade in September
15. Internet of Evidence™ Involvement
Alibi consisted of testimony that the Defendant was
too busy doing digital tasks to have committed any
crime.
Victim interviews done by male investigator with no
specialized training in this area. Psychological
evidence is not discussed in this Webinar
Zero digital evidence was preserved,
at the discretion of the investigator.
Investigator testified there would be
nothing of value.
16. Internet of Evidence™ Involvement (cont.)
Internet of Evidence™ consisted of:
Laptop hard drive
Time / Date stamps of all relevant files
Non-File Area [NFA] data from potential deleted files
Canon memory card
File system data
Exif header data
iTunes transaction data, with time tags
Potential Internet Service Provider packet data
Potential geo-reference data from any cell phones
Other data?
17. Internet of Evidence™ Involvement (cont.)
Analysis should have included:
Reconstruction of activities needed to
achieve the digital results shown by the
evidence
Some potential operations could be
“batched”, but some could not
Potential reconstruction of rooms visited by
the relevant parties
18. Resolution
Trial lasted for about 15 days
14 counts = Life Without Parole, due to age of alleged
victims and multiple victim enhancement
Family split – sister on one side, parents siding with
Defendant
Nieces recanted testimony
Acquittal on 6 charges; Hung jury on 8 charges; DA
deciding whether to re-file
19. Analysis
What should have been done:
Impound all Internet of Evidence™ data immediately
Create perfect copies using NIJ-approved passive copy apparatus
Subpoena relevant records from Internet Service Provider, iTunes
and/or other vendors
Once Internet of Evidence™ data is secure, THEN determine if
data has probative value [it may not!]
If probative value cannot be ruled out, analyze data using
qualified experts
If no experts on staff, LOOK ON THE INTERNET! There are
specialists all over.
21. Case Study Number 2 – The Text
Message from Who Knows Where
<Case name withheld by request of subject attorneys>
California Criminal contempt case – Wife received text messages
on her cell phone with husband’s cell number as callback, in
violation of no-contact order
Husband is a business owner, wife is a divorce attorney, disputed
custody of 6-year-old daughter
Husband alleged wife knew his cell phone provider password;
she or a co-conspirator could have logged into the web
account and forged husband’s identity in sending of message
Husband took voluntary polygraph test, registered NDI
22. Analysis
Internet of Evidence™ issue: If such a forgery were
perpetrated via a Web login instead of an actual cell
phone, is such a forgery detectable from either the
receiving cell phone or from the web record?
Interestingly, no. Text message formats do not retain
path data [“Envelope data”].
Cell phone provider records have
envelope data and can be
subpoenaed, but are retained for
only 10 days, and then are erased.
Retrieval actions came TOO LATE.
23. Resolution
Text message charge dropped.
What should have been done:
Impound all Internet of Evidence™ data immediately
Create perfect copies using NIJ-approved passive copy
apparatus
Subpoena relevant records from cell phone provider before
destruction date.
THEN analyze to see if data is relevant
24. Summary
The Internet of Evidence™ is potentially as much of a
game changer to civil and criminal jurisprudence as
fingerprinting and DNA analysis were in their day.
Internet of Evidence™ information exists literally
everywhere in many contemporary legal matters
Such data may have profound consequences.
[Of course, such data is not magic, and may not exist
in all cases. And it may not have probative value.]
25. Summary (cont’d)
The safest course is to follow the standards for E-Discovery and
evidence in general:
Identify where evidence can possibly be. Time is of the essence
Preserve it - Impound [or at least write-protect] all Internet of
Evidence™ data immediately
Subpoena relevant records from Internet Service Provider and/or
vendors while it is still available
Preserve writeable media such as hard drives from being overwritten
Gather it - Create perfect copies using NIJ-approved passive copy
apparatus
Process it – this might mean forensic recovery or other measures
Review and analyze it to determine what is relevant
Produce it for the Court or for Opposing Counsel, as required
26. Summary (cont.)
Once Internet of Evidence™ data is secure, THEN determine if
data has probative value
If probative value cannot be ruled out, analyze data using
qualified experts
If no experts are on staff, LOOK ON THE INTERNET! There are
specialists all over.
The field is so large that no one individual can be an expert on
all areas.
Individual specialists may need to research highly case-specific
questions.
For large or complex cases, one expert may need to function as
a Lead Investigator.
27. Final Words
The Internet of Evidence™ has only recently arrived, but it is
here to stay
There were, literally, ZERO cell phone photos or movies from
inside the Twin Towers. Such devices are now the most
common platforms for watching NFL games, after TV!
When a new fleet of helicopters arrived with an aviation unit
at a base in Iraq, some soldiers sent pictures of the flight line
to some “pretty girls” in Sweden with whom they were
corresponding... From these photos, Al Qaeda operatives
posing as the girls were able to determine the exact
location of the helicopters inside the compound and
conduct a mortar attack, destroying four of the AH-64
Apaches. http://www.army.mil/article/75165/Geotagging_poses_security_risks/
28. Final Words (cont.)
“During Israel’s 2006 war in southern Lebanon with Iranian-
backed… Hezbollah, Iranian SIGINT professionals tracked signals
coming from personal cell phones of Israeli soldiers to identify
assembly points of Israeli troops that may have telegraphed the
points of offensive thrusts into Lebanon.”
http://defensetech.org/2012/03/15/insurgents-used-cell-phone-geotags-to-destroy-ah-64s-in-iraq/
http://petapixel.com/2012/12/03/exif-data-may-have-revealed-location-of-fugitive-billionaire-john-mcafee/
29. How to Reach Me
Wayne B. Norris
2534 Murrell Road, Santa Barbara, CA 93109-1859
805-962-7703 Voice 805-456-2169 FAX
Wayne@WayneBNorris.com
http://wayneBNorris.com
http://TheInternetOfEvidence.com