Getting Buffalo’d

San Ysidro Port of Entry

I recently had an experience that unnerved me. Being a competent lawyer today requires a deep understanding of evidence, especially when the prosecution does not. During plea negotiations, I was informed that the prosecution intended to open an additional investigation on my client, claiming he was surveilling law enforcement and posed a danger. I was shocked and asked why. They told me they had found pictures on his phone to support this activity. The phone’s contents had been produced to me, so I decided to take another look.

Cell phones are typically examined by law enforcement using a program called Cellebrite. This program allows them to download the contents of a phone. It’s crucial to understand what is being selected for download, how it’s downloaded, and other options to have a basis for what you will see. In this case, though, most of that didn’t apply, as I was told these were pictures my client had taken.

This intrigued me as I was driving and thinking about the quick scan I’d done of the UFED reader that had been produced. A UFED reader is the standard tool that an attorney wants to use because it allows for more interaction than relying on the PDF or HTML output from a cell phone download (dump). I remembered highlighting some phone numbers, but there were no texts, chats, or any real images (other than thousands of icons on phones). I was surprised, but maybe I’d missed something.

I booted up my Windows laptop, which I had bought specifically to run the Windows-only Cellebrite. It’s a powerful gaming computer, which is needed for some phone dumps, but this was a burner phone and had hardly anything on it. Once again, I looked, but I didn’t see anything in the photos library. I sorted by size and didn’t find anything relevant in the 3,115 images on the phone.

So I asked, “What are you talking about? Can you send me the picture?” Sure enough, she sent two pictures. I searched the title of the photo in the UFED reader. The pictures lacked metadata (information about location, phone used, etc.) and were located in //searches/google. I wasn’t entirely sure what that folder was, but it was not in the photo area.

So I dropped the first picture into Google (you can search for an image by dropping it on the icon on the right) and got the following result: it was from the Customs and Border Patrol website. The second image was from a KTSM news article. I haven’t told the prosecutor that she’s mistaken, as it’s not helpful at this point. But it highlighted how dangerous a little knowledge can be. Did the agent point this out trying to get a jab in? Did she find it and just not know what she was doing? Or did she actually know what she was doing and was trying to strong-arm something? Ultimately, it didn’t matter, but “the more you know” was a phrase from TV when I was a kid, and it’s something to make sure you’re competent.
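
The two checks described above, whether a picture carries embedded camera metadata and where it sits in the extraction, can be scripted. This is an added example, not part of the original post or of Cellebrite; it assumes JPEG files, treats a DCIM folder as the conventional camera location, and uses constructed paths, file names and image bytes.

```python
import struct

def jpeg_has_exif(data: bytes) -> bool:
    """Walk the JPEG header segments and report whether an Exif APP1 block exists."""
    if data[:2] != b"\xff\xd8":                      # SOI marker
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                   # SOS / EOI: headers are over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                               # malformed length field, stop
            break
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return True
        pos += 2 + length
    return False

def triage(path: str, data: bytes) -> str:
    """Label an extracted image using metadata presence and folder location."""
    has_exif = jpeg_has_exif(data)
    camera_dir = "/dcim/" in path.lower()            # conventional camera folder
    if has_exif and camera_dir:
        return "consistent with a photo taken on the device"
    if not has_exif and not camera_dir:
        return "no sign of device capture; check for a web or cache origin"
    return "mixed signals; needs manual review"

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment (marker, big-endian length, payload)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample data (not from any real extraction).
JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF = _segment(0xE1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00")
WEB_IMAGE = b"\xff\xd8" + JFIF + b"\xff\xd9"
CAMERA_IMAGE = b"\xff\xd8" + EXIF + b"\xff\xd9"
SAMPLES = [
    ("/sdcard/DCIM/Camera/IMG_0001.jpg", CAMERA_IMAGE),   # hypothetical path
    ("/searches/google/port_of_entry.jpg", WEB_IMAGE),    # hypothetical file name
]

if __name__ == "__main__":
    for path, blob in SAMPLES:
        print(f"{path}: {triage(path, blob)}")
```

A missing Exif block alone does not prove a web origin, since screenshots and many messaging apps strip metadata, which is why the folder location is checked alongside it.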

This was not a complicated case. However, cellular phones are now present in every case I have, and prosecutors are still clueless, I think….
