SANS Digital Forensics and Incident Response Blog

No obligation higher than the truth

In a recent criminal case the defendant admitted he was under the influence at the time of arrest. However, the prosecutor overreached, charging the defendant with attempted kidnapping. According to the defendant, an officer took statements at the scene using mobile recording equipment. These recordings were said to contain exculpatory evidence.

Photo courtesy of justinbaeder at flickr.com

The defense wanted to review the statements taken at the scene, but law enforcement could not produce them. Conflicting testimony was given about whether the recordings had ever been made, so a judge agreed that an expert could investigate.

Given that the arrest had been made nearly two years earlier, I informed the defense attorney that the data may be unrecoverable, but that there may be an audit trail of recordings made that day, by whom and at what time. If those recordings were uploaded to a server, that server may have a record of it. If the recordings were deleted, that also should have been logged.

After months of wrangling with the maker of the system, I received limited information about how the system worked, met with law enforcement and the prosecution, and ran through my list of questions about the department's policies and procedures for handling recordings, who had access to the server, who could delete recordings, what logging was done, retention periods, the capacity and behavior of the system in the vehicles, and what happened to the recordings made on the day of the arrest.

The department had no written policies or procedures. Answers were inconsistent and some questions could not be answered due to lack of information. Their lack of policies, procedures and understanding of the system opened them up to questions of incompetence.

During my initial visit, I was not allowed to touch the server. I reported my findings and asked to get hands on the server to look at the logs. Shortly after the judge granted permission, the prosecution dropped the charges.

I had mixed feelings about helping a known substance abuser with priors. But I believe that there should be a presumption of innocence, that everyone is entitled to due process and that part of due process should be uncovering and presenting all the facts, not just those that help one side.

In helping the defense, I hope I helped law enforcement see the value of having policies and procedures and in understanding the technologies they employ. I hope in helping the defense, I have improved law enforcement and prosecution.

Dave Hull, GCFA Silver #3368, is an aspiring maker and technologist specializing in information security. He is the principal consultant and founder of Trusted Signal.