I was recently contacted by a reporter from a local news channel. He wanted to discuss a couple of the issues that have recently been the center of attention in court. One of the allegations by the defense in the Jodi Arias case is that data from the computer of Mr. Alexander was alleged to be either lost or altered by law enforcement personnel or the prosecution during their investigation. I do not have access to the documentation which should have been prepared during the course of the investigation. What I do know is that proper computer forensics procedures would require that specific documentation be maintained starting at the moment that computer was taken into custody. Hopefully, procedures were followed and documents are available to answer the allegations of the defense.
When processing evidence, digital forensic examiners should first make a verifiable unaltered copy of the hard drive. Typically, once that copy has been made, the examiners would then make a second copy which can be used for analytical purposes. So, there should be at least one exact copy of the original hard drive in the possession of law enforcement and likely a second, working copy. Also, other documentation would include photographs, serial numbers of the computer and hard drive, and validation that the copy is complete through MD5 and/or SHA1 hash. MD5 and SHA1 hash algorithms provide a digital fingerprint of the evidence. Matching hashes from the original and copy means that they are exactly the same. The likelihood of matching two hashes that are not exactly the same is about the same as finding a few dozen people with the exact same fingerprints as you! Not likely, right? This would have been a way to verify that the copy the defense received was the exact same as the original, complete with all files and deleted data.
The normal process of booting up a computer alters the data within it. In most forensic cases, the original would not have been touched in a nonforensic manner. The best procedure for every case is to image original evidence using a write blocker, which prevents writing to the evidence. If it was necessary for the computer to be booted, a write-blocked image of the drive could have been made and that image could have been put into the computer and booted. This would preserve the original evidence drive. When the parties in this case decided to boot the computer, documentation should have been created demonstrating that all parties acknowledged that the action of booting the machine would absolutely alter time/date stamps and potentially alter important evidence on the computer. In this way, years later, when booting the computer turns into a major issue, such as it has now, that document could be produced, thereby avoiding finger-pointing.
If what I am seeing on the news is correct, there appears to be an astonishing lack of written documentation on the processes followed, who touched the evidence, and when. The chain of evidence should be documented from finding the machine at the residence of Mr. Alexander, through the complete time that the computer was in the possession of law enforcement. These documents should be requested by the defense. If proper procedures were followed, there should be no need for guesswork. In addition, each forensic examiner that touched the computer should have their own documentation and chain of evidence.
The police department should be able to provide documentation that an unaltered copy of the original hard drive exists. The first defense expert should also be able to document his or her handling of the computer or evidence provided to them.
We must keep in mind that, thus far, there are only allegations that data was altered. I am not privy to all of the information and documentation in this case and certainly do not contend that any party is right or wrong. As a digital forensics expert, the goal is to preserve and process the evidence and report on the facts that the evidence provides us. Each side should be able to validate and verify the contentions of the other party through repeatable scientific forensic processes.
