Forensic Issues Blog

The topics presented below are of interest to me and may also be of interest to others who are involved in forensic science or related disciplines. The opinions expressed are mine. If you would like to comment on any topic, please send me an email:

June 4, 2012

I read a recent analysis of the D4 v. D800 with interest. I agree with essentially everything that was said.

I have sold my D3 and currently use a D4 as my "work" camera.

Here are some of the reasons I use a D4:

1. 16MP files are plenty big. Often I shoot fine JPEGs, along with selected RAWs (see below). 36MP files are overkill most of the time.

2. I need to describe many of the photos when I take them. Recording a wav file that is linked to the photo saves a lot of note taking and is more accurate.

3. The easy transition to video and then back to stills. Video is why I replaced the D3 with a D4.

4. Nikon left out the ability to assign a function button (e.g. the Fn button) to the Shooting Menu Bank (the option is: SHOOT) for all cameras except the D4. I need to quickly switch shooting banks (e.g. Bank A shoots RAW, Bank B shoots JPEG to a different card, Bank C is optimized for video).

5. The two toggle switches are very convenient when properly programmed.

6. I have looked through the viewfinders of both cameras: The D4's is much better.

7. Although I am not an action photographer, taking a burst of several handheld macro shots usually means that one of the shots will be usable.

8. For some reason that is not obvious to me, the D4's focusing system results in a higher percentage of in-focus photos.

September 29, 2011

If you have ever wondered how long wireless carriers keep data on their subscribers, this AP article will be of interest to you:

NEW YORK -- A document obtained by the ACLU shows for the first time how the four largest cellphone companies in the U.S. treat data about their subscribers' calls, text messages, Web surfing and approximate locations.

The one-page document from the Justice Department's cybercrime division shows, for instance, that Verizon Wireless keeps, for a year, information about which cell towers subscriber phones connect to. That data can be used to figure out where the phone has been, down to the level of a neighborhood. AT&T has kept the same data since July 2008.

The sheet is a guide for law enforcement, which can request the information from the carriers through legal channels. The North Carolina section of the American Civil Liberties Union obtained it through a Freedom of Information Act request, the ACLU said. reported earlier about the document, which is dated Aug. 2010.

The document was released by the ACLU Wednesday, but has been hiding in plain sight on the website of the Vermont public defender's office. It can be found there through a Google (GOOG) search, but only if the searcher knows the exact title of the document.

A few data points from the sheet were known outside law enforcement circles, but wireless carriers have not been open about their policies.

They aren't required to keep the data, and they keep the same information for varying lengths of time. Some don't keep data at all that other companies store. For instance, it says T-Mobile doesn't keep any information on Web browsing activity. Verizon, on the other hand, keeps some information for up to a year that can be used to ascertain if a particular phone visited a particular website.

According to the sheet, Sprint's Virgin Mobile brand keeps the text content of text messages for three months. Verizon keeps it for three to five days. None of the other carriers keep texts at all, but they keep records of who texted who for more than a year.

The document says AT&T keeps for five to seven years a record of who text messages who and when, but not the content of the messages. Virgin Mobile only keeps that data for two to three months.

The carriers don't have recordings of calls, but keep information about calls that are made and received for at least a year.

The ACLU said it believes people have a right to know how long phone companies keep records of their activities.

Although the sheet is dated August 2010, Tom Slovenski, a private investigator specializing in cellphone data, said it is still accurate.

Sprint spokesman Jason Gertzen said he couldn't comment on the specific figures in the sheet. Normally, he said, a subpoena, court order or customer consent form from a recognized law enforcement agency is necessary for the carrier to hand out data. However, Sprint also responds to emergency requests, as in missing persons cases, if the police can document their need, he said.

The Department of Justice did not immediately respond to a request for comment.

A bill in Congress would force wired Internet service providers to keep records of the network addresses assigned to each subscriber for 18 months. That would help investigators link online activity to specific homes. But the bill doesn't apply to wireless links. A series of such bills have been proposed over the years, but haven't passed.

Here is the actual chart that the ACLU received:

ACLU Chart


July 19, 2011

I have installed the newest version of the BlackBag Technologies computer forensics program, BlackLight. This version supports Encase (E.01) images and several iPhone and iPad images. This means that if prosecution provides an image of an iPhone or an iPad, I will now be able to analyze the data that they have recovered much more easily.


July 8, 2011

This video is a little dramatic, but the slow motion sequences of the operation of a semiautomatic rifle and pistol are first rate. Also notice near the end that the target is destroyed before the cartridge casing is fully ejected. Here's the YouTube link.


July 6, 2011

The Las Vegas Metro Police Department has admitted that they made a DNA typing mistake that caused a man to be wrongly imprisoned for four years. What is interesting is that they have released a YouTube video that describes the error in detail. Watch it here. The error was the kind that, given the extensive procedures that are mandated in order for a crime laboratory to become ASCLD/LAB accredited, should not occur - a sample switch. In reality, such errors continue to be made.



July 5, 2011

The issue of the validity of the blood/breath partition ratio has been around for many years. There is now a decision that avoids the partition ratio issue, but does take into account the possibility of human variation. See this link. This decision also discusses the use of Preliminary Alcohol Screening (PAS) devices.



July 1, 2011

The issue of whether the crime lab analyst who actually did the work (or issued the report in question) has to personally testify in court has been decided by the US Supreme Court. Well, it actually was apparently only sort of decided. See this Scotusblog link. That's the "Bullcoming" case. Another case, Williams v. Illinois, which involves a similar issue, will be decided in the upcoming term.

Here is a link to an analysis of the Bullcoming case by Michael Chamberlin, an attorney with the California Department of Justice.


June 17, 2011

Please check out my updated page on viewing computer search results; the link is here.


June 4, 2011

I have purchased and begun using three new computer forensics programs from BlackBag Technologies: BlackLight, MacQuisition, and SoftBlock.

These programs allow me to comprehensively examine data from all Apple computers, the iPhone and the iPad.

I have tested the software (luckily, I own five Macintosh computers, an iPhone and an iPad) and found that all three programs work as advertised.

The MacQuisition hardware/software combination allows me to acquire images of all these Apple devices without having to disassemble them. As you may know, Apple products are stylish, but not easy to work on (or even open up).

SoftBlock is a software-based write-blocker that is designed for use with Apple products. It prevents any alteration to the data of the target device.

BlackLight is the main computer forensics program. It is similar to two other programs that I also use: Encase, and Forensic Tool Kit. The difference is that it is Apple-specific, and so can easily find data on target devices that is essentially impossible to find using the Windows-based programs: Encase and Forensic Tool Kit.

Apple now has a 17% share of the personal computer market and an even larger share of the smart-phone (iPhone) and pad (iPad) market. That percentage is even higher in the Bay Area.


June 1, 2011

Here is an interesting and inexpensive flashlight that can be useful when looking at evidence and at crime scenes.

It is the CyberTech Laser UV Flashlight available at

It has three modes, controlled by pushing the on-off button: UV, Visible, and Red Laser. (Only one mode is active at a time.)

The UV mode is quite powerful; stains and trace evidence are easily visualized.

Why does anyone else want this flashlight? It turns out that scorpions fluoresce in the UV.

UV Flashlight


May 29, 2011

Guidance Software is introducing a new version of Encase. I own the previous versions of this software, so I was invited to a preview on June 2nd.

Then I was “dis-invited”. It seems that this event was being jointly sponsored by Guidance Software and the High Tech Crime Investigators Association (HTCIA, a private organization).

The HTCIA told Guidance that they would not allow anyone to attend this event who did work for the defense in criminal cases.

In a show of corporate "courage", Guidance Software agreed with the HTCIA and told me I couldn’t come to the event. They had already sent me an admission ticket, but that apparently didn’t matter.

Luckily, there are now many vendors who sell computer forensics software, much of it better than Encase.


May 20, 2011

Apple has removed the ability to track your whereabouts by looking at certain iPhone backup files on your computer.

However, you have to download a new version of the iPhone software in order for this change to take place. Computers seized before this patch was available will still contain this information.

May 15, 2011

Five staff members of Forensic Analytical Services (Hayward, CA) have resigned. This includes the laboratory director Celia Hartnett.

They are setting up a new laboratory:

National Forensic Science Laboratories

Celia Hartnett, Director