Screenshots captured on mobile devices are commonly used as evidence in today’s culture. However, these screenshots are often misinterpreted as original digital evidence. Primeau Forensics’ image expert, Michael Primeau, along with the computer and mobile experts at Garrett Discovery, performed digital image authentication of screenshots used as evidence in the criminal case detailed here.
An Introduction to the Case
Primeau Forensics’ client was charged with violating a personal protection order, a charge that came in the form of a felony. Screenshots were presented as evidence to local law enforcement, showcasing email communication between our client and her ex-husband. Not only did law enforcement fail to authenticate these screenshots, but they were negligent in preserving the mobile devices, original emails, and texts supposedly sent by our client as well. Subsequently, Primeau Forensics examined our client’s mobile phone, laptop, and multiple email accounts to determine if the messages were truly sent from her devices. With the help of Brian Bowman at Garrett Discovery, Michael Primeau forensically examined these devices and assisted the trier of fact at trial to better understand what the screenshots used as evidence represented. Here, Michael walks through the procedure.
Examining the Chain of Custody
We began the investigation by examining the chain of custody provided by our client’s first representation, a court-appointed attorney out of Wayne County in Michigan. Examination of the police reports would show that the law enforcement agency failed to collect digital information from actual emails. Rather, only screenshots provided by the ex-husband were used as evidence. Find the screenshots used in the police report featured in Figures 1-5 below:
Digital Evidence Integrity Best Practices
According to the U.S. Dept. of Justice Special Report, “Forensic Examination of Digital Evidence: A Guide for Law Enforcement”:
Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. The examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.
When dealing with digital evidence, the following general forensic and procedural principles should be applied:
- Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
- Persons conducting an examination of digital evidence should be trained for that purpose.
- Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review. Through all of this, the examiner should be cognizant of the need to conduct an accurate and impartial examination of the digital evidence.
Image Authentication of Emails Used as Evidence
These best practices provide an acceptable methodology for digital forensic experts to ensure evidence is accurately interpreted to the trier of fact. The law enforcement agency in question failed to collect the emails used as evidence from the device that received them. Had they done so, a forensic technician or investigator would have had the opportunity to authenticate them. Moreover, our entire investigation was built upon the fact that this critical step was overlooked.
“About anyone can fake an email and send it to someone. To the receiver, it is near impossible to tell whether the email has been faked without analyzing metadata within the file using sophisticated forensic tools. Never trust printouts or screenshots.” – Brian Bowman, Garrett Discovery Forensic Expert
Garrett Discovery’s email analysis identified:
- Date & time created
- Date & time sent
- The IP address of sending server or relay
- Whether or not the email was spoofed using a computing device not registered to the domain
- Which program created the email
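As an added illustration (not Garrett Discovery’s tooling or code from this case), the Python below reads the raw headers of a constructed message and pulls out the kinds of fields listed above. The sample message, its hosts and addresses, and the mapping of each item to a header (Date, Received, Authentication-Results, X-Mailer, Message-ID) are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the case); hosts and IPs are documentation values.
SAMPLE_EML = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP id abc123;
\tTue, 05 Mar 2019 14:02:11 -0500
Received: from web-form.relay.example (unknown [203.0.113.45])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 05 Mar 2019 14:02:09 -0500
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=sender.example; dkim=none
Date: Tue, 05 Mar 2019 09:15:00 -0500
From: "Alleged Sender" <someone@sender.example>
Message-ID: <20190305140209.1234@web-form.relay.example>
X-Mailer: ExampleWebMailer 1.0
Subject: constructed example

body
"""

def domain_of(value):
    return value.rsplit("@", 1)[-1].strip(" <>").lower()

def analyze_headers(raw):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append((ip.group(1) if ip else None, when))
    hops.reverse()  # each server prepends its header, so the last one is the first hop
    # Only headers added by the recipient's own servers are trustworthy; the rest are sender-supplied.
    auth = msg.get("Authentication-Results", "")
    verdict = lambda name: (re.search(rf"\b{name}=(\w+)", auth) or [None, None])[1]
    claimed = parsedate_to_datetime(msg["Date"])  # set by the sending client, unverified
    return {
        "claimed_date": claimed,
        "first_hop_ip": hops[0][0],
        "first_hop_time": hops[0][1],
        "skew_seconds": (hops[0][1] - claimed).total_seconds(),
        "spf": verdict("spf"),
        "dkim": verdict("dkim"),
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id_matches_from": domain_of(msg.get("Message-ID", "")) == domain_of(msg["From"]),
    }
```

In the constructed sample, the SPF failure, the gap of several hours between the claimed date and the first relay timestamp, and the Message-ID domain that differs from the From domain are all discrepancies that a screenshot or printout of the same message would not show.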
In the event that such evidentiary text messages would need to be printed, reincubate.com offers thorough guidance on proper preservation and presentation. Explore the organization’s suggested techniques in the linked support article.
Digital Image Authentication
We carried on our investigation of the screenshot using image authentication methodology. The original police report shows the screenshots were scanned and submitted in paper form. The fact that the original digital image was missing is another indication of misinterpretation. This being the case, the integrity of the evidence was compromised because there was no original screenshot image for authentication testing.
Digital images are easily manipulated with online software, and tools like email spoofing services can be used to deceive an investigator’s perception of what is represented. In order to authenticate digital imagery, it is important to have access to the digital original. Without the digital original, there is no data with which to authenticate how a digital file of any kind was sent or received. Therefore, without that data, integrity is significantly reduced. Below you will find best practices to follow for digital image authentication according to the Scientific Working Group on Digital Evidence (SWGDE).
SWGDE Best Practices for Image Authentication Version
Image authentication is the application of image science and domain expertise to discern if a questioned image or video is an accurate representation of the original data by some defined criteria, and/or the determination of the original source of the image.
In addition, practitioners of authentication techniques must be knowledgeable not only in photographic and analytical techniques but should be equally knowledgeable about techniques used to manipulate or create imagery. Common manipulation techniques include:
- Alteration – The changing of image features through artistic means.
- Compositing – The duplication and combination of elements from one or more images, including, but not limited to, techniques of cloning and cut-and-paste.
- Morphing – The automated transformation of components of one image onto those of another, involving a sequence of intermediate images demonstrating incremental change. Morphing is a combination of alteration and compositing.
- Image creation – The creation of image content entirely through artistic means. One example is the creation of virtual humans using 3-D modeling software (e.g., computer-generated).
Because no digital original was maintained in this investigation, image spoofing or image creation was very possible. I have personally tested the spoofing service SpoofBox.com and a sample of the interface is featured in Figures 6 and 7 below:
While reviewing the screenshot images used as evidence in Figures 1-5, I noted several observations that raised authenticity concerns. One particular observation was the lack of a cellular provider identifier noted in the upper left-hand corner. This immediately raised authenticity concerns because most spoofing services do not supply cellular information within the fake texts or emails that they send from a mobile device. Figure 8 is a screenshot I captured on my mobile device.
Above all, I only provide my opinion in court if I am confident in the science applied to the investigation. Another expert could use this exact science and arrive at the same results; results which assist the trier of fact in making determinations about the evidence. Learn more about the processes Primeau Forensics follows during expert witness testimony by following the link. And so, my opinions on this investigation are outlined below.
- Firstly, the digital imagery supplied as evidence was not an authentic representation of the events as they naturally occurred.
- Secondly, the digital imagery supplied as evidence was not maintained properly by the law enforcement agency that investigated them.
- Thirdly, the digital imagery supplied as evidence could not be relied upon to make observations about the emails that were allegedly sent from my client’s devices.
- Fourthly, the digital imagery supplied as evidence was in fact NOT an accurate representation of an email.
- And finally, the analysis of my client’s devices and email accounts did not reveal any evidence that those emails were sent from her or her devices.
Expert Witness Testimony
Furthermore, authentication investigations can be quite lengthy. An image forensic expert or forensic investigator can continue to gather detail to scientifically support their position. However, this can complicate the case when it comes time to communicate opinions in court. I provided testimony about my investigation at the Frank Murphy Hall of Justice in Detroit, Michigan. As a matter of fact, this was my first time testifying in this court.
Days before trial, the prosecutor asked what I was going to be testifying about. Details about this investigation came as a shock to him. The fact that the law enforcement agency did not do their due diligence was a big issue for the authentication of the evidence. However, no blame should be placed on these law enforcement investigators. They simply were not trained in image or digital forensic analysis.
I provided my data and opinions to the court during trial. Body language and eye contact confirmed that I had their undivided attention and understanding. Questioning from my client’s attorney, Chris Kessel of Chris Kessel Law, provided further explanation that the images used as evidence were unreliable. In fact, I received five separate rounds of questions from the jury once I had completed my testimony. One of the most honorable moments of my career, I felt that I had truly assisted the trier of fact by providing a clearer understanding of what the evidence represented.
In conclusion, the charges against my client were dismissed. It was rewarding to hear that I helped the court make key observations and, ultimately, a decision based on critical evidence.