Tag: digital evidence

Audio ForensicsComputer ForensicsCrisis ManagementOnline Reputation ManagementSocial Media

Deepfake: Its Role in Law, Perception, and Crisis Management (Part 2)

on April 14, 2021

Welcome to Part 2 of Experts.com’s Deepfake Blog Series! In case you missed it, check out Part 1. The focus for Part 2 is to delve into the legal ramifications and perceptive dangers of deepfake videos, along with solutions for individuals and organizations who have been negatively affected by deceptive content. Continued insight from Audio, Video, and Photo Clarification and Tampering Expert, Bryan Neumeister, and new knowledge from fellow Experts.com Member and Online Reputation Management Expert, Shannon Wilkinson, will be included in this post.

Due to the relatively new concept and technology of deepfake content, the legal ramifications are not concrete. In fact, admitting deepfake content as evidence in some criminal and civil court cases can be a precarious endeavor because of metadata. According to the Oxford Dictionary, metadata is “information that describes other information.” Think of metadata as information found on a book. Listed is the author’s name, summary of the author, synopsis of the book, the name and location of the publishing company, etc. Metadata answers the same inquiries about videos and photographs on the internet. It has even been used to solve crimes. For example, in 2012, law enforcement found John McAfee, a man who ran from criminal prosecution for the alleged murder of his neighbor, using the metadata from a photo VICE Media, LLC released in an interview with the suspect (NPR). “The problem with metadata is when you upload any video to YouTube or Facebook, the metadata is washed because the user gives up the right to the video,” a statement by Bryan Neumeister. Reasons vary as to why metadata is removed. Some platforms have policies to disregard metadata to expedite the download time for such images and videos. However, it raises concern for those interested in preserving intellectual property (Network World). In addition to the numerous reposts a photo or video acquires, finding the original author of a post on major social media platforms poses a problem for litigants.

Entering evidence into court becomes a Chain of Custody issue (702, 902) through the Daubert Standard, which is a set of criteria used to determine the admissibility of expert witness testimony. Part of Mr. Neumeister’s expertise is to sift through the components (time stamp, camera, exposure, type of lens, etc.) of digital evidence via computer software systems to determine its authenticity or modification. One of the many techniques he uses is to look at the hash value of digital evidence. According to Mr. Neumeister, “Hash values are referred to in Daubert 702 as a way to authenticate. Think about a hash value as a digital fingerprint.” Without this set of numerical data, the most vital piece of proof needed to discern an original from a fake photograph or video, the digital evidence should be ruled as inadmissible by Daubert standards, as there is no chain of custody to a foundational original. Because deepfakes are difficult to track, and perpetrators are mainly anonymous underground individuals with limited assets, prosecuting these cases is a long-term investment without the return. From a moral perspective, justice should be served. With little or no recourse, the frustration is overwhelming for people whose character and financial future have been put in jeopardy.

Deepfakes may be complicated in the legal arena, but in the world of public perception, its role is much more forthright. In recent years, perception has become reality, and this notion rings resoundingly true regarding deepfake content. People who create and publish deceitful content have three main goals: to tarnish a person or company’s reputation, change a narrative, and ultimately influence the public. “Deepfakes are not usually done by big corporations. There is too much at stake. They are usually done by groups that have an intent to cause misdirection,” a direct quote by Mr. Neumeister. The truth about events regarding politicians, or any other public figure, has now become subjective. Like most viral posts, once a deepfake video is released, unless a user participates in research and finds other sources that confirms or denies deceptive material, people will believe what is shown on social media. There are two reasons for this: 1) it confirms an already ingrained bias, and 2) some people would rather trust the information instead of actively looking for sources that contradict the deepfake due to lack of will or information overload. Studies have shown it takes just a few seconds to convince people who are leaning the way a deepfake video is portraying a situation to believe the content. Even if there is a source that has been fact-checked and proves the contrary, the damage to a public figure’s perception has already been done.

For instance, one of the most popular types of deepfakes are centered around pornography. As discussed in Part 1, the General Adversarial Network (GANs) generated deepfake videos have a specific algorithmic structure that accumulates multitudes of any footage and mimics the desired output data. However, its blatantly realistic and high-quality footage is too exaggerated to be an authentic video. To further augment the illusion, people use techniques such as adding background noise, changing the frame rate, and editing footage out of context to make the video more “realistic.” According to Mr. Neumeister, “The more you dirty it up, the harder it is to tell … and then you’ve got enough to make something convincing that a lot of people won’t fact check.” This unfortunate reality, the emergence of different types of deepfake content can ruin the reputations of individuals and businesses across the board. Fortunately, there are methods to managing public perception.

A positive public image is one of the driving forces for success, trust, revenue, and a growing client base. For this reason, malicious and manipulative material found on the internet is threatening. The internet allows everyone to become an author, which gives users the power to post a variety of content ranging from true stories to false narratives. When businesses and organizations find themselves in a fraudulent crisis, “it can impact shareholder value, damage an organization’s reputation and credibility in the eye of consumers and customers, and result in the dismissal or stepping down of a CEO, board members, and/or other key leaders,” stated by Shannon Wilkinson, an Online Reputation Management Expert. Individuals who have less of a digital presence than organizations are more at risk for facing defamatory content. It begs the question, what types of crisis management strategies can business and individuals use to defend themselves against deepfake content?

One of the reasons why crisis emerges for organizations and public figures is due to the lack of proactiveness. Luckily, Ms. Wilkinson has provided numerous tips on how to prioritize reputation management and crisis response to build a “powerful digital firewall.” For reputation management, Ms. Wilkinson recommends:

  • Understanding how one’s business and brand appears to the world.
    • “Each Google page has 10 entries, discounting ads…The fewer you ‘own’ – meaning ones you publish… – the less control you have over your online image,” according to Ms. Wilkinson.
  • Customizing LinkedIn and Twitter profiles.
  • Publishing substantive and high-quality content related to one’s field of expertise or organizations (white papers, blogs, articles, etc.).
  • Scheduling a professional photography session.
  • Creating a personal branding website (ex: http://www.yourname.com).

As for crisis response options, there are two key components businesses and individuals must consider before crafting a recovery plan:

  • Possessing an online monitoring system alerting when one’s brand is trending on social media (ex: Google Alerts and Meltwater)
  • Seeing conversations in real time to augment one’s social presence within those digital spaces.

Below are the recommendations regarding the actual response to a crisis:

  • Social media platforms like Facebook and Twitter seem to be the more popular spaces to respond to deepfake content.
  • Updating current and existing information is a vital strategy to counter attacks.
  • Avoid engaging with anonymous commentors and trolls.
  • “Video is an excellent tool for responding to situations that result in televised content. A well-crafted video response posted on YouTube will often be included in that coverage. This strategy is often used by major companies,” a direct quote from Ms. Wilkinson.

The why behind creating, manipulating, and posting deepfakes for the world to see seems to be a moral dilemma. The motives behind uploading such misleading content are different for those who participate but nefarious, nonetheless. Legally, it remains an area of law where justice is not always served. Thanks to our Experts.com Members, Bryan Neumeister and Shannon Wilkinson, the what, when, how, and where aspects of deepfake content have been explained by people who are well-versed in their respective fields. In the height of modern technology and the rampant spread of misinformation, our Experts advise all online users, entrepreneurs, public figures, and anyone with access to the internet adequately fact-check sources encountered on the web. Those associated with businesses or happen to be public figures should prioritize developing crisis management precautions. In Mr. Neumeister’s own words, “People can destroy a city with a bomb, but they can take down a country with a computer.”

Computer ForensicsDemonstrative EvidenceEvidenceSexual AbuseUncategorized

The Jeffrey Epstein Trial: Expert Witness Commentary on eDiscovery and Forensics

on August 7, 2019

Last week, The Daily Beast reported the Jeffrey Epstein criminal trial will have a million pages of evidence, which will include materials seized from several devices.

A million pages of evidence makes for a great headline. It feels overwhelming! However, after reading the article from The Daily Beast, I began to wonder if a million pages of evidence is a lot or a little? How many files are stored on a standard laptop or cell phone? How will the prosecution and defense identify those files admitted into evidence? These questions, obviously, got me thinking about digital forensics and eDiscovery issues present in the Epstein sex abuse trial.

Now, if you read the blog post from last week, you’re probably wondering if I’m going to constantly write about sex abuse issues. The answer is, no. However, when these topics fill our news and I have the ability to reach out to qualified expert witnesses to provide insights on issues of public import, I’m going to do so.

As of this writing, the Florida Governor has ordered a state criminal probe into the handling of the 2008 Jeffrey Epstein investigation. This new probe was reported by The Miami Herald, yesterday afternoon. Some credit for Epstein’s current predicament, is due to the “Perversion of Justice” exposé series, from Miami Herald reporter Julie K. Brown. She detailed the 2008 sex trafficking investigation and settlement. The series is worth a read!

Now, back to the million documents of evidence. I’ve been working with digital and ediscovery experts for nearly 10 years. That said, I’m a novice on their areas of expertise. I’m able to issue spot when an attorney needs a particular type of expert. With that said, I posed some foundational questions to one of our members.

Questions & Answers for expert witness C. Matthew Curtin, CISSP:

C. Matthew Curtin, CISSP, founder and CEO of Interhack Corp., is a Certified Information Systems Security Professional. An expert in computers and information technology, Mr. Curtin and his team at Interhack help attorneys and executives use data and computer technology in high-stakes situations.

NR: According to The Daily Beast article, the Epstein trial will have more than 1 million pages of evidence, found on multiple devices. How will the prosecution and defense retrieve all of these documents and collate them into usable evidence?

CMC: One million pages of computer evidence is no big deal. Consider that in a typical computer system you’re looking at anywhere from 100,000-500,000 files, including all of the software, operating system, and user data. By the time you get through to the things being used by the prosecution and defense as evidence, the vast majority has been thrown out, but if you’ve got a phone or two, a couple of computers, and a few online services, it’s pretty easy to get into those numbers. Ultimately it depends on how they’re counting, of course: Are these bates numbered pages for presentation, or are they the raw input? If these are the results that are turned into exhibits and so on, that’s pretty big but not huge.

NR: What is the process for identifying the usable documents from those that are unrelated to a litigation?

CMC: Finding relevant documents and conducting a forensic examination are two fundamentally different processes. Finding relevant documents is typically a matter of “indexing” (reading the files for their contents) and then making “queries” of the “index” to return the documents and pages that are responsive to the search. Typically an attorney will then look at the responses and make a decision as to whether something is material. It’s basic data processing: data in, data out for a lawyer to use.

In the case of a forensic examination, the raw data will be subjected to various tests and analysis, ultimately resulting in reports that will be submitted as evidence. For a phone, a complete “extraction report” can easily produce a 5,000 page PDF document, and many get much, much larger. In any case, all of these things will wind up going into some kind of expert report that will outline opinions and findings that might be challenged and should be subjected to scrutiny. This is expert data analysis, where the data processing is performed to be consumed by an expert to form a technical opinion or finding.

NR: How much time would it take a forensics expert to comb through multiple devices to determine which documents are appropriate for discovery and evidentiary purposes?

CMC: Methodology and the size of the source matter for how long it takes. Generally speaking, I tell people to figure that to run through a forensic image of a raw computer hard drive and prepare it for human review, you’re looking at three days if you want to recover deleted files, compute the mathematical “hash” values that allow us to distinguish among files, and so on. A human will then need to go through the results and that can take anywhere from another day to another week or more, depending on what’s found, and how much work needs to be done without automated tools to manage the process. In some cases, no one cares about deleted files. In other cases, they’re critical. The only rule of thumb that applies generally is that the time it takes to do the job is between two and eight times what a lawyer thinks it should take.

NR: Is a million documents a lot of digital documents for a trial? Or is that common when dealing with digital files?

CMC: I addressed this a bit in my first answer, but one million computer files isn’t a big deal.

NR: I’m sure many of my questions are rudimentary, please feel free to provide any additional information you think the public should know about digital forensics and e-discovery in this type of matter…

CMC: Something to add: when conducting forensic examination, we often see a law-enforcement view put forth: Suspect that X happened, so go search for evidence of X. Fail to find X, and you add “tampering” to the list of charges. The reality is, though, that it isn’t sound scientific process to go in search of confirmation of what you think is already happening. Various cognitive biases interplay to create serious problems with the results extracted this way. Far better to construct tests to look for the “null hypotheses,” the things that would disprove what you think is happening. At the very least, alternate theories of the case deserve exploration and there are plenty of cases that would not take the time and money put into them if they were given greater scrutiny.

For example, if someone is suspected of having illegal pornography on a computer—that is, possessing the material, knowing the character of its content—law enforcement will typically reconstruct deleted files, look at thumbnail image databases, and loose files found in caches and elsewhere on the disk managed by the computer operating system rather than the user directly. If they find material that looks like what they thought was there, in many places a prosecutor will go forward with charges. On the other hand, what if someone did get the files and not mean to have them? What other course would there be but to delete the material? If the material has been deleted, why would it be brought up in a prosecution? There are cases where it can be relevant to a legitimate legal question but we’re only in the last few years starting to see some sophistication in consuming these results and moving forward sensibly with discretion informed by understanding.

A huge thanks to C. Matthew Curtin for taking time to provide us with these excellent answers. Please check out his company at http://web.interhack.com/.

Criminal JusticeCriminal LawExpert Witnesslegaltech

Fingerprints Lifted from Social Media Photo: Expert Evidence and Impact on Criminal Defense

on April 23, 2018

Friday morning, I read a really interesting article from the FindLaw Technologist blog (their legal technology blog). The headline grabbed my attention because it was about drug dealers’ fingerprints being lifted from a photo on social media application, WhatsApp. This was news to me. I had no idea law enforcement could obtain digital fingerprints or that they could be used for an arrest. In hindsight, it seems perfectly reasonable that fingerprints could be obtained this way because the cameras in our cell phones are so advanced.

Probably, like many laypeople, I thought law enforcement had to access latent fingerprints left on a physical object (doorknob, weapon, cell phone, etc.). Based on my years of watching police procedural television shows and documentaries, I assumed the fingerprints had to be dusted by an evidence technician, input to a database, and then compared to other prints in the database. Today, however, I discovered that’s not the only way to do it.

As the Findlaw article explained, “Law enforcement arrested members of a drug ring using fingerprints on a cell phone photograph. Investigators didn’t even need the suspects’ cell phone because the photo was posted on the messaging application, WhatsApp.” The photo showed a male hand holding a bag of drugs. The agency’s forensics team uploaded the photo to a fingerprint data base and they found a match. The article specifically states the officers “acting on other information” located and arrested the man.

My assumption was the officers needed additional evidence in order to make an arrest.  Authorities can likely use the image as an investigative lead and then they have to go find additional evidence to establish probable cause for an arrest.

Alas, these were only my assumptions. It’s been a long time since I spent any time on criminal procedure. As such, I have asked for some input from Walter M. Reaves, Esq. Walter is a friend and colleague I’ve met through the LegalMinds Mastermind Group. He is a criminal defense attorney located in Waco, Texas. To find more about his practice, visit waco-criminal-attorney.com.

Input from Criminal Defense Attorney Walter Reaves:

Walter jumped on the questions I asked and elaborated on the entire concept of using digital and social media photos. Here is what he said:

“Given the way cell phones have taken control of all our lives, it’s not surprising that they are being used as evidence in criminal cases. For several years, the police have been obtaining cell tower location to place a suspect (or at least their phone) in a certain location. Evidence found on cell phones has also been used – for some reason, dope dealers seem to like taking pictures with their stash. And of course, there’s always text messages.

A new technique may be lifting fingerprints from phones. The process would utilize a picture on the phone of someone’s hand and fingers, and attempt to match that like you would a latent print developed at a crime scene. The process may be no different from what is being done now. Latent prints are placed on a card, and pictures are taken. The digital photos are what are used for comparison.

If a fingerprint on a cell phone is used, you can expect challenges from defense lawyers. The prosecutor will have to convince the court the process for making the comparison is reliable, which may be a problem.

For starters, there could be problems with manipulating the photos in order to get something to use for comparison. The photos will probably need to be enhanced in some way, and you can expect defense lawyers to challenge the way that is done. Some adjustment will have to be made for the photo itself, since no camera produces an exact representation of what it is capturing. Establishing the admissibility of the photo of the fingerprint will therefore have to be the first hurdle the State will have to meet.

Even if the State can establish the identification is reliable, I seriously doubt this is going to be a common practice. I can’t imagine many situations where it would be relevant. Maybe if someone is holding dope, and all you can see is their hand, the fingerprint could be used to establish possession. I can’t think of many other situations though. In most cases, you would think if a picture is being taken, you could identify who was in the picture. You also might have problems with identifying location, and time, if that’s important.

There will be an even bigger problem when you are trying to use the photograph to prove possession of a controlled substance. The problem is proving what the substance is. If you don’t have it, there’s no way to test; it could be baking soda just as easily as it could be cocaine.

So, it’s an interesting concept, but don’t expect it be coming to a courtroom near you anytime soon.”

Based on reading this information from Walter, I stand by my contention this is an investigative tool for law enforcement. However, such images are unlikely to be used as evidence in court. It seems there will be problems with relevance, reliability, and authenticity. These hurdles may in time be overcome as technology advances.

Input from Photographic Evidence Expert Witness Dr. James Ebert:

For a more in-depth understanding of this practice, I reached out to Experts.com member and expert witness Dr. James Ebert. Dr. Ebert is a forensic photogrammetrist who is regularly called to interpret and testify about photographic and mapped evidence in civil and criminal matters. You can learn more about Dr. Ebert’s expertise and practice by visiting his website ebert.com.

Dr. Ebert’s comments left me feeling behind the times when I heard about the use of digital photos as a law enforcement tool. Here is what he had to say:

“It has been widely known and discussed on the web for a decade or more that identifiable fingerprints can be recovered from photographs for good or bad purposes, given that the photos are of sufficient resolution, lighting, focus, and that enough of the fingerprint can be seen to allow a match to be attempted.  Faces published on the internet can, of course, also be identified through photo matching services like TinEye reverse image search, or facial recognition software.  Both fingerprints and faces can, for instance, be run on the FBI’s new Next Generation Identification system by law enforcement agencies around the country.  This does not insure false positive results as are common with all automated fingerprint or facial identifications.  I have never attempted to make identifications of fingerprints in my practice as a forensic photogrammetrist, but are certainly possible and they should be just as reliable as are those done with fingerprint or facial data collected in other ways.  I am often, however, called upon to do facial identifications from photographic evidence. Whether such fingerprints and facial identification are ethical clearly depends on whether they are done for ethical purposes.  Identification of possible criminals from fingerprints by law enforcement is an example of a good use of technologies, and if done for purposes like hacking or harassment it’s not.”

Based on Dr. Ebert’s comments, it appears this practice has been considered and possibly utilized for some time. As Dr. Ebert mentioned, there is potential for abuse in matters of hacking and harassment. I cannot speak for Walter, but I imagine he would think there is potential for abuse by law enforcement as well.

Technology is changing so rapidly that it is difficult to keep up with all the advancements. What we’re doing with this blog is trying to discover how technology impacts the criminal justice system. If you have any suggestions for future  posts on technological advancements in criminal or civil justice, please comment below.