The reason for this is chain of custody. They should be able to prove that from the time that the person last had the device until the point when the evidence was collected, no one modified it. And from the point where the evidence was collected, until when it's presented to the court, no one modified it.
But these types of vulnerabilities present a problem, in that reading the device could/would modify timestamps of the data captured. The solution is to not use Cellebrite; there are lots of forensic analysis tools. To be effective Signal would need to exploit the major vendors equally.
Most forensic analysts use write blockers when capturing an image of a device to ensure data integrity (no tampering). If Cellebrite altered something during extraction, investigation, etc. it would be easy to go back to the original image (collected with the aid of a write blocker) or the device itself to show that discrepancy.
A point of contention as someone who uses write blockers and forensic tools... write blockers protect the connection of dumb storage to a computer but a phone is not a dumb storage device (it's not a SATA drive), it's actually a full device which manages its own storage.
For mobile forensics, it's actually done through the built-in backup systems included in each of the major OS providers (Android/iOS).
This is a back and forth that has been ongoing since we began moving away from Hard Disks, as SSDs tend to manage their own internal state so an image of "an SSD" can change even if the underlying media hasn't changed as the SSD cell balancing can actually shift around deleted data or delay to clear certain cells.
If you'd like to know about the current issues around mobile device acquisition, you can check this out (https://ieeexplore.ieee.org/document/9116458) which contains the last paper I wrote on the latest issues on iOS and Android acquisitions.
Although I'd love to blame the big bad Cellebrite and the big bad police departments for junk science, computer forensics is quick to dismiss scientifically unsound items so I would expect a response from Cellebrite soon.
The modified content would be on the Cellebrite system. And the investigator may not notice until much later. The write blocker has no effect when the reader is exploited.
You are correct that the source system would not be modified. But the content you are presenting and analyzing via Cellebrite would.
Exactly, but it could be easily proven that the data was tampered with as you still have the original/clean image and the device itself. So if they are altering data, it can be shown.
I'm not a lawyer, but my understanding is the best time to present exculpatory evidence is after the prosecutor has prepared their case. In theory, if the investigator doesn't notice the tainted data and the case is built around the tainted data they could argue that everything from that source (system/lab/department) should be thrown out and that the experts who collected it can't be trusted anymore due to incompetence. Sounds like a prosecutor's worst nightmare.
Right and if they have a file or group of files that are central to the case, all the accused has to do is say, "those were not on my phone" and then the 'experts' go back and look at the read-only image to verify.
If the phone could have been altered to add data before a forensic image was acquired in a way that looks like it was via normal use (reasonable timestamps, browser logs, etc.) then we'd have a real problem. Cellebrite potentially being used to do this as it reads the image is not that problem.
This doesn’t apply to mobile devices, since it’s not feasible to remove the internal storage device and take a bit-perfect image of it using another computer. You need to plug the device into a Cellebrite kiosk, trust Cellebrite to send read-only commands over the USB interface, and trust the device firmware not to write data when it receives those commands.
> trust Cellebrite to send read-only commands over the USB interface, and trust the device firmware not to write data when it receives those commands.
So most of these suites really just automate the backup extraction process and the automated analysis piece.
In the real world, you don't interface down at the USB interface other than just to kick off a backup (think an iTunes or adb backup) of the device and just grab it via USB then extract it on your computer and analyze it.
> To be effective Signal would need to exploit the major vendors equally.
Maybe they could, and that would be the problem. Cellebrite's case now raises the issue of what will happen to those decisions where Cellebrite's products were used. This can void those court decisions retroactively, which could also happen to any major vendor in the next couple of years.
In any case, I doubt that this will make them stop using their products.
Actually, we do not fully trust the police to handle evidence, which is why evidence bags with tamper-evident seals are supposed to be used, along with chain-of-custody records. There have been problems in the past with evidence tampering and sometimes it results in large numbers of cases being retried or verdicts being overturned because the invalidated evidence was so central to the prosecutor's case that a retrial would not be worth it. The problem here is that the "tampering" may not even involve the people handling the evidence, which allows a defense attorney to cast plenty of doubt on the evidence without having to challenge police procedures at all (after all, it could be that the evidence was corrupted by some random third party that has nothing to do with the case -- so why should the jury pay any attention to it?).
I don't think this analogy works. I think it is more akin to police opening a folder and seeing paper evidence, but having no idea who put the paper there, when it was last opened/modified and unable to determine if the evidence is legitimate.
For me, this story isn't about fear that police could leverage the bugs to manipulate a case. It's about the constant fear that laymen rely on unverified "experts" to put people behind bars for years.
Since the bug allows for arbitrary code execution, it's more akin to the officer reading the piece of paper and by doing so, he becomes the subject of some sort of curse that completely controls his actions.
Yes, but you can’t join (“intersectionality”) your campaign against ad tech companies with a campaign against the police if you’re this busy being intellectually honest.
I'm not sure you can draw parallels here. Who are the people "handling it", Cellebrite, the police?
The vulnerability allows any device plugged in to the "kiosk" with a malicious file to do anything it wants to any existing report on the "kiosk" as well as plant code for future execution in order to do anything else it wants.
Let's assume the device which does this does so silently, at what point are the police or Cellebrite supposed to know nothing in the kiosk can be relied on, ever?
With a piece of paper on the other hand, the other sheets in the folder don't suddenly rot when you add a malicious sheet of paper, although this does sound like an interesting and potentially novel attack vector.
> The vulnerability allows any device plugged in to the "kiosk" with a malicious file to do anything it wants to any existing report on the "kiosk" as well as plant code for future execution in order to do anything else it wants.
It is not clear from the article that analyzing a phone with malicious files will trigger the issue, unbeknownst to the operator. (E.g. it says "it is possible to execute code that...", etc.) However, I'll take your word for it and assume it was poor reporting in this case.
That does change things, thanks for the clarification.
Clearly we are entering a time of Low Trust Society, and the institutions have only themselves to blame as they have abused the population's trust for decades; only now with free flow of information are regular people able to directly see the abuse that has existed for a very very long time.
We used to have a High Trust society, not because the people in power were trustworthy but because the people in power directly controlled the information.
This is no longer the case, and as that power is shifting we are now seeing the people that control information today looking for ways to retain that control and instead of allowing it to flow freely inject their own filters into the streams.
There's still a lot that is obscured. For example, most states restrict complaint information against judges to the point that even if it contains exculpatory evidence they are still allowed to keep it secret. The reason they give for keeping it secret is to maintain the integrity and public trust. Transparency only threatens that objective if the system is inappropriately dealing with the complaints.
You have it almost exactly backwards. We haven't lived in a high trust society (as you defined it) since before the Protestant Reformation, when the printing press liberated information that had been previously monopolized by the church.
We're returning to a high trust society out of necessity because of economic forces that incentivize information asymmetry.
I love that you are considering things on that scope but there are still many high trust areas in the US. Small towns that are culturally and ethnically homogenous with fewer transients are almost always high trust.
It's pointless to steal someone's car in a town of 30 families. Everyone would know exactly where it went. You also know exactly who you are doing harm to so your sense of sympathy kicks in making you less likely to do it.
These tight knit low population towns seem to naturally create a high-trust honor culture. Small towns have a higher level of social integration so wronging someone creates repercussions that flow back to the perpetrator through every one of their social bonds.
> I love that you are considering things on that scope but there are still many high trust areas in the US. Small towns that are culturally and ethnically homogenous with fewer transients are almost always high trust.
Some places are higher trust than others but the developed world is based exclusively on a high level of trust. An actual low trust society is so starkly different from what most of us on HN are used to: it practically enforces a feudal, subsistence farming society.
Living in the US, I don't remember the last time I had to show my receipt at the fast food counter or show any sort of identification when picking up food that I had paid for online. I've never once paid for a major/emergency medical operation or auto repair ahead of time. Hell, I left the dealership with my last car a full week before they received the check from my bank (in the Seattle area, so definitely not a small town). I don't think anyone has ever really verified my income or finances beyond a cursory credit check and some PDF that could be easily faked by anyone with a little computer literacy. Most mortgages are paid back over thirty years! In my old country, most people don't fully trust that the currency will even last that long.
The systems reinforcing social behavior in larger groups are more complicated and easier to game, but they are definitely still part of a system based on high levels of trust.
In the small tight knit towns? I have seen some, but in my experience usually the occurrence goes up as the size of the town goes up. Rumors of any kind can spread rapidly in small towns. That can come back to bite the people (and their family) doing it.
In my experience, corruption is worse in tight-knit communities, but because the community is so small it winds up having a tiny impact / nobody cares. You can see an example right now in the Matt Gaetz case -- he is under investigation only because a corrupt county tax collector had been under investigation; that tax collector was under investigation because he took taxpayer money and bought a bunch of servers that he planned to use for some cryptocurrency side hustle, and then wound up burning down his office (apparently did not understand wiring and started an electrical fire). To put it another way, had it not been for a fire, the fact that this tax collector was embezzling the county's funds would have gone unnoticed, as would his involvement in the sex trafficking of teenagers (which is where the story with Gaetz starts).
People only pay attention when things are happening at a scale they consider worthy of their attention. The reason corruption is less common at the higher levels is that people are focused on higher level officials; meanwhile, the fact that their local officials are breaking this rule or that rule goes unnoticed, unreported, or worse, happens with everyone's full knowledge and just gets shrugged off.
Gaetz is a US House representative. How is that local corruption or abuse of power? Did he actually use his position, or was it just that he committed a private crime while in power?
Also you mention a county tax collector. I wouldn't consider that a tight knit small town. I think there is a lot more corruption at a county level than a small town (from what I've seen).
I sort of get your point about more eyes watching someone the higher they go. Some of it is also the position of those watchers and their opportunities. In many small towns, people know a lot about you and you have plenty of nosy (for lack of a better term) neighbors. Arguably, they make for better watchers.
Not continuing the argument, just wanted to point out that the reason I mentioned Gaetz is that the whole investigation into him started with the investigation into a corrupt local official, not that I was calling him a local politician (he obviously is not).
Is there a meaningful distinction? I have lived in four states, in everything from a huge city to a small town, and in every case "county" officials were as local as politicians can be (in NYC the county officials i.e. borough president and staff are actually less powerful than the mayor, but obviously that is the exception). Personally I divide the US system into three levels, federal, state, and local, with "local" including all county offices. Is there a reason to view things differently?
"...and in every case "county" officials were as local as politicians can be"
I would be interested to learn more about this. I have also lived in multiple states and this doesn't sound like any of them. Municipalities always have some form of one of the following: mayors, councils, school boards, constables/police, magistrates, etc.
"Is there a reason to view things differently?"
Yeah. I see way more corruption at the county level than the local level. Most of the circumstances and scenarios I laid out in previous comments would not apply to county level officials, nor even to large municipalities. I was strictly speaking about small towns. The most important part is how information is gathered and spread. Small towns are notorious for information being found out and spreading rapidly. That oversight would not be the same in other settings. These mechanisms don't exist at the county level. They are far enough removed from their constituents that they can operate without the same watchful eyes.
It’s pointless to steal a car and keep it in town, but small towns still have petty theft.
Everyone from a small town has a tale of “that family of thieves” who you know to watch when they come in your store. Sometimes they are legit thieves, sometimes it’s just bias.
Government is increasingly transparent compared to past history. You can see that in things like right to know, freedom of information, etc. There are still information issues in both discovery and presentation. The public trust is still very low.
Pretty sure the difference of opinion between the last two comments comes down to differing understandings of the word 'trust', and very different time scales.
From my understanding, police could scan phone A, if phone A had the malicious code then the scanner is infected, now when scanning phone B the results are invalid, it could always show an "All OK" message or it could plant evidence. There was a news item on the first page a few days ago where many postal workers were put in jail because of a software bug - so we know for sure if a computer says X the "experts" will confirm it.
The first thing these Cellebrite dudes need to do is to guarantee that the device gets a full reset before each use.
We as a society need to force our police and government to use only open source software, otherwise we don't know what backdoors or shit these guys put in, we could evaluate the code and see if we are wrongfully convicted by a shitty algorithm and transparency would also prevent (hopefully) people selling some open source software with a logo and a python script for millions.
> if phone A had the malicious code then the scanner is infected, now when scanning phone B the results are invalid
I think it was more insidious. Police scans phone A and stores a log. Police scan phone B with said code on it, which infects the scanner. This code not only tampers with the logs for phone B, but goes back and tampers with the logs for phone A. There is thus no log that one can definitively say represents the true state of any scanned phone at the time it was scanned.
> Is this really different from the police taking a physical file folder and adding or removing pieces of paper?
I wish we would stop trying to come up with analogies to computing concepts.
But since you insist: this is like the file folder came from Harry Potter and could be possessed by an evil spirit that could change the contents without your knowledge.
We can't stop using analogies. It helps us to bridge the information and use it as a reference to get a better understanding of it.
Analogies help those people who are not familiar with the jargon or the field of study. You may be an expert in the computing concept, but the rest of us are not experts in that field. Analogies are where it helps to understand it better.
So the answer is no, we can't stop using analogies.
Sorta. Here's what's actually going on, sticking to your folder analogy: This would be more like if, upon an officer reading the paper, some arcane force caused them to die, or change what was on the paper, or add or remove some papers. Or _literally anything else in the cop's scope of power_.
Because that's what this does, it lets the data on a suspect's device potentially cause the software to run arbitrary code with elevated permissions. Practically, you could use this to craft a packet of data that, when read by Cellebrite's software, simply shuts off the machine, or kills the Cellebrite software, or, worse, connects to the internet and downloads some other payload to do something else. Cause there's no way these machines aren't connected to the internet at some point since the software validates its license that way.
The problem in this case is that the act of collecting that piece of paper can cause other pieces of paper to appear or disappear not only in this file, but in every file in the building and you won't know if it happened or not.
At that point, you cannot trust any of the files in the building.
It's not a matter of operator error. This exploit works during normal operation of the software in question, it depends on the software being operated in a typical fashion.
It's not a choice of the person running the software. The only choice is to stop running the software.
It also calls into question all evidence ever collected by this program because we can't know if some other company already figured this out or not.
Imagine you opened the folder and made a Xerox copy of the documents, but the words or dates in the copies never match the original documents.
The crazy thing about this attack is that the person making the copy may never know until it's presented in court and challenged. Then everything from the folder has to be thrown out.
It is more like opening a folder to look for evidence and encountering a spring-loaded creme pie that hits you in the face and knocks the contents and all the folders in the room onto the floor in one big mixed-up pile.
Couldn’t you always claim that malware caused the offending clicks/placed the illegal files on your disk and is hiding/obfuscating itself so well that it’s not detectable by forensic methods? What’s the logic here to still get the criminal?
Yes, and it’s not an uncommon defence in child pornography cases. Similarly, you can always claim that the police framed you by lying about the device being found in your possession, or not being tampered with between seizure and forensic analysis. It is up to the jury to decide whether the defence gives rise to a reasonable doubt.
Social media is way less influential than the local news media in this regard. That’s a long running problem – think about how many cases have been covered based on police statements which turned out to be completely fictitious — and social media tends to amplify those stories more than it contributes original coverage.
There's a game, Judgment, which opened my eyes to this. Because a core part of the backstory of the game is that the main character won a case as the defense which is seen as a huge deal. He's like one of the few defense attorneys to have ever gotten to not guilty.
The game takes place in a slightly fictionalized version of Japan and is made by a Japanese game developer noted for making games steeped in contemporary Japanese culture. I guess that's important to note.
Which is exactly why nobody should encourage trying to get out of jury duty: the legal system depends on everyone doing their civic duty so juries represent the community.
If you jokingly imply that jury duty is for suckers, you’re undercutting the system and supporting bad outcomes. For example, one of the few checks on the drug war or bad policing has been juries refusing to accept bad police work.
My experience is that you have to "play dumb" not to get kicked off. The last time I was impaneled, the prosecutor asked if I, as a juror, would be comfortable if the injured party (an assault case) did not testify. I said, sure, since the prosecution wasn't representing them.
I didn't mean to be glib, but it got me dismissed immediately. It seems to me that any knowledge of law or procedure will get you dismissed.
Point is, if you want to be on a jury, work hard NOT to give away any knowledge of the legal system.
I would take it a step further -- if you want to serve on a jury, you need to pretend to have no education at all. The last time I was called up for jury duty, all I did was (truthfully) state that I was a PhD student during voir dire, and that was that, I was out.
I had the opposite experience for a sexual assault case. I demonstrated knowledge of legal procedure and general intelligence and was selected immediately.
I was asked about possible conflicts of interest and indicated that my father is an attorney who practiced in the same state. Asked for my profession, I replied that I am a bioinformaticist and was asked to explain the term. I said "I write computer code to help biologists analyze and use their data." This was in a university town. The prosecutor opined that I must be "pretty smart" and that she expected I came with an understanding of biology and biotechnology, all of which I affirmed. She asked if I would use that knowledge to assess DNA evidence that could be presented during the trial. I responded "No, I would limit my interpretation to only what was provided by testimony or otherwise affirmed during the trial." The prosecutor looked momentarily surprised at the precision with which my answer addressed the legal burdens required of a finder of fact, and then simply replied, "Ok, thank you." I was then immediately named to the jury.
Perhaps your attitude or delivery got you dismissed, or perhaps your choice of words suggested the opposite of what you imply here - a fundamentally flawed perception of the role of the prosecution? It's certainly technically correct that the prosecutor represents the state, not the victim, and that victim representation is its own ball of wax. Your reasoning, however, seems suspect. Paraphrasing: "Because the victim is not represented by the prosecutor, I have no problem with his not testifying." That's a non sequitur; the antecedent in no way implies the consequent. I could see the prosecutor rejecting you for appearing to be trying to impress (and failing) with your grasp of legal reasoning, fearing that you might not faithfully execute the court's instructions.
Then again, there are probably plenty of attorneys that just don't trust smart people.
Thank you. People who treat jury duty as a burden and a job for suckers are playing the game that they will never be in a trial where a jury will decide their fate.
And while that's likely a game you win, I also wear my seatbelt despite not betting on crashing my car.
...or maybe it is time to reconsider jury trials, especially as cases become more technically complex. The fact that lawyers reflexively kick highly educated jurors off during voir dire speaks volumes about a typical jury's ability to understand technical details. There is a good case to be made that a diverse panel of judges is better able to decide the facts of a case (and before anyone asks, it is trivial to have a separate judge or panel of judges determine sentencing).
It’s a bit moot though. Even if you’re ra-ra wild about jury duty, the chance that you actually get selected isn’t especially high.
I think most people know this and figure they’re just going to have to waste a few hours only to be sent home (or worse, get selected and then sent home after settlement).
> “Those who say there’s no corroborating evidence are thinking very narrowly,” Victor Vieth, the founder of the Gundersen center, told me. “They’re thinking of hair, DNA, the things you see on television dramas. I’ve never worked on a case of child abuse where, if you look hard enough, you won’t find corroborating evidence.” Vieth invited me to imagine a child who describes that his or her assault occurred in a room painted blue. Police should obtain a warrant and visit the room. Were its walls blue? If so, that was corroborating evidence.
This is of course not corroborating evidence that a sexual assault was committed. But sure, it corroborates that the room exists, and why would a child know what color the walls inside a room were unless they had been the victim of a sexual assault there?
"Your honour, I think you'll find that someone broke into my house and planted drugs"
This type of logic has been used plenty in court, it being in your possession, digital or not, is sufficient.
The claim here is that due to the vulnerabilities Cellebrite has, the offending item may never have been on your device. This is more similar to saying that the images the police took in your house of drugs were kept on an unsecured server, there are recorded vulnerabilities for it, and therefore the images could have been digitally edited to show drugs where none were present.
Claiming that porn on your device isn't yours is not the problem. The theoretical problem is if you received porn via Signal on 04/01/2020 2:23AM but Cellebrite says you received it on 04/26/2020 5:34PM (while in custody). Or 12/23/2019 at 2:00PM (before you bought the phone). If the dates on the data in Cellebrite can't be aligned to the dates of the actual events AND the last modification of the device was AFTER you last had control of it, nothing can be trusted from it.
The problem is that a report about a phone scanned on 2020-02-01 can be altered by a phone scanned on 2020-05-01 to say that there was porn when there wasn't. Oh, and that scan left a running program which will cause 5% of the phones scanned after that to randomly also claim porn that is not on the device.
Therefore if a single phone with Signal was scanned at the kiosk, NOTHING from that kiosk can be trusted.
This is a problem, but I don't think Moxie would do this as it could make him liable for evidence tampering. If the protection mechanism applies to the device being scanned, it's a defensive measure; if it is applied to unrelated devices, it looks like a malicious destructive action.
If the USER could select the action, for research purposes, that might be a different story.
Moxie might or might not have done so. But he made it clear that he could have, and went out of his way to create reasonable doubt about whether he did.
If he winds up in court, I'd love it if he sticks to his, "the files are there for artistic effect".
Since after all, Cellebrite claims their device doesn't alter evidence on the way through. If that claim is true, Moxie's artistically-beautiful files obviously can't affect it.
Saying those decorative files tampered with evidence is equivalent to admitting that everything Cellebrite claims to do, it doesn't do and never has done.
The vulnerabilities allow for code execution in the context of the Cellebrite application via the parsing of a video file. It doesn’t matter what the application was designed to do, you can now make it do anything you want just by getting it to scan a phone with a malicious video on it.
Yes. So Cellebrite should be writing the data to write-once storage prior to performing any analysis of the content.
In absence of write-once media, they are betting that the hashes they capture will be the same every time they image the device because they never modify the device.
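The point made in this comment and in the earlier one about a later scan rewriting the logs of an earlier scan can be shown with a hash-chained acquisition log. This is an added example, not part of the thread and not Cellebrite's code; the function names, case IDs and sample bytes are constructed, and "anchor" is assumed to mean a copy of each log digest kept somewhere the analysis workstation cannot rewrite (write-once media, a paper custody form).

```python
import hashlib
import json

GENESIS = "0" * 64  # value chained into the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(prev: str, case: str, artifact_hash: str) -> str:
    # Each entry commits to the previous entry, the case ID and the artifact hash.
    record = json.dumps(
        {"prev": prev, "case": case, "artifact": artifact_hash}, sort_keys=True
    )
    return sha256_hex(record.encode("utf-8"))


def append_entry(log: list, case: str, artifact: bytes) -> str:
    """Hash the acquired data BEFORE any parsing and chain it into the log."""
    prev = log[-1]["digest"] if log else GENESIS
    artifact_hash = sha256_hex(artifact)
    digest = entry_digest(prev, case, artifact_hash)
    log.append(
        {"case": case, "artifact": artifact_hash, "prev": prev, "digest": digest}
    )
    return digest  # this is the value that gets anchored off-host


def verify(log: list, stored: dict, anchors: dict) -> list:
    """Return a list of problems; an empty list means everything checks out."""
    problems = []
    prev = GENESIS
    for entry in log:
        expected = entry_digest(prev, entry["case"], entry["artifact"])
        if entry["prev"] != prev or entry["digest"] != expected:
            problems.append(f"{entry['case']}: chain broken")
        if sha256_hex(stored[entry["case"]]) != entry["artifact"]:
            problems.append(f"{entry['case']}: stored artifact differs from logged hash")
        anchored = anchors.get(entry["case"])
        if anchored is not None and anchored != entry["digest"]:
            problems.append(f"{entry['case']}: log entry differs from off-host anchor")
        prev = entry["digest"]
    return problems


def run_scenarios():
    # Constructed sample data standing in for two acquired backups.
    acquisitions = [("case-A", b"backup of phone A"), ("case-B", b"backup of phone B")]
    stored, log, anchors = {}, [], {}
    for case, data in acquisitions:
        stored[case] = data
        anchors[case] = append_entry(log, case, data)  # copied off-host at scan time

    clean = verify(log, stored, anchors)

    # 1) Only the stored data for case A is altered; the log is left alone.
    altered = dict(stored)
    altered["case-A"] = b"backup of phone A, altered after the fact"
    naive = verify(log, altered, anchors)

    # 2) Code running on the workstation alters case A AND rebuilds the whole
    #    log so that every hash on the machine is self-consistent again.
    forged_log = []
    for case, _ in acquisitions:
        append_entry(forged_log, case, altered[case])
    forged_unanchored = verify(forged_log, altered, {})     # nothing off-host
    forged_anchored = verify(forged_log, altered, anchors)  # anchors consulted

    return clean, naive, forged_unanchored, forged_anchored


if __name__ == "__main__":
    for name, result in zip(
        ("clean", "naive", "forged, no anchor", "forged, anchored"), run_scenarios()
    ):
        print(f"{name}: {result or 'no problems found'}")
```

Hashes that live on the same machine as the parser only catch the first kind of change; the second is caught solely by the off-host copy.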
I was on a jury in the US for a case where the prosecution used text messages as a large chunk of how they tried (very badly) to make their case. Screenshots taken from one party's device, with sporadic timestamps, no indications whether messages could have been deleted. It was a farce, I'd disbar someone who tried to make a case on such a flimsy reed.
Lawyer here. I’d hope the Defense lawyer raised a slew of objections. There are serious foundation, authenticity, and chain of custody issues here.
On top of that, another way around this is under the confrontation clause. The accused has the right to question any witnesses against them. So I’d demand to cross examine the “tech” that ran the scan and make it apparent that no one knows how the box works (that’s the whole point; it’s proprietary). And then ask them simple questions like “could images have been placed on my client’s device if no one knows how the box works?”
The real advantage of these Cellebrite boxes, for law enforcement, is that they give them leads to otherwise admissible evidence. So that’s why I’m shocked to hear that they actually tried to use information from the phone.
You would hope that if there were other messages which said the same story differently, the defence would have brought them to court.
Unfortunately, I don't have faith in all defence lawyers to do this kind of thing - some "free because you're poor" lawyers might spend only 20 minutes per case...
In many cases investigators don't look very hard for evidence which makes their case fall apart.
Imagine a murder case where the accused claims he was at the cinema at the time. Often the police won't go to the cinema and get CCTV tapes to back up the claim - they'll just use blurry footage from the murder scene and claim "looks kinda like the same guy ish".
I suspect there are a lot of cases of innocent people in prison simply because evidence of them being innocent was deliberately overlooked or not collected.
We had a case in Brazil that was both sad and absurdly silly.
A woman was found murdered in a cemetery. She was in town for a university-related festival/party, and was staying temporarily with some other students.
The police suspected the other students first, and went to their house, and found out:
1. One was an RPG player, had RPG books.
2. The other was a heavy metal fan and had heavy metal-related posters.
3. The other guy was into literature and had some 'dark' literature.
So conclusion of the officers: it was a satanic cult, and the woman was killed in a "RPG Satanic Ritual"
The prosecutor's office at first went with it too.
Later, already mid-trial, the prosecutor changed, and the new prosecutor found a lot more formerly-useful now useless evidence that the police seemingly deliberately ignored:
1. The police had in evidence storage some bloodied clothes that they never ran DNA tests on, the DNA was now useless (it has been years since the actual murder). Also the evidence was probably contaminated, the storage consisted of stuffing all the evidence in trash bags and leaving them in a random room in the police station.
2. People told the police multiple times, that the woman had drug debts, but they were ignored.
3. A known drug dealer was seen on the day past the murder, riding a bike around town, with his t-shirt having red stains on it, police even saw the guy themselves, and didn't bother stopping him and checking his t-shirt.
The new prosecutor despite seeing all this, had hands tied and just went along with what the police wanted, and tried to prove in court that they were "satanists".
The ruling was this (the judge was quite upset at it too):
1. The prosecution failed to prove they were satanists, evidence pointed out to the accused living there by coincidence, and their hobbies being "dark" or "fantasy" were coincidence too, only one of them was an RPG player, only one of them was a heavy metal fan, and so on, they didn't share their hobbies with each other.
2. And even if they WERE satanists (they weren't), in Brazil being a satanist is not a crime.
3. For some reason the prosecution provided zero evidence that was actually related to the murder, they only tried to prove the accused were satanists and presumed this would be enough to know they were the murderers, but they never tried to link the accused with the crime scene, didn't even try to explain when they would have been at the cemetery.
Off-topic, but Boy Einstein couldn't have created the puzzle like exactly described with those cigarette brands, because some of them were introduced much later in his life...
"In many cases investigators don't look very hard for evidence which makes their case fall apart."
I recently witnessed a case where a trooper charged the wrong statute. How can you make a thorough investigation if you don't even know the elements of the offense because you are looking at the wrong statute?
He made about 5 other mistakes too, even lying to the judge. The system doesn't care. The investigation into the lie was found to be "just a misunderstanding" even though that same report also notes that the statement was false and that he made the correct version of that statement 10 minutes prior to that.
To be fair, the amount of effort involved in verifying every little detail a witness/victim/subject provides is astronomical, not to mention the potential for a defense case based on the lack of effort to verify one fact when other facts were verified.
In my old agency, we were required to do that type of thing. For example, we had a rape case where the rape occurred in a short-stay house (kind of like a hotel, but for families that require room for multiple kids/pets, etc). The subject only rented the house for one night, and the rape occurred in one of the bedrooms. By the time we got to the house, there had already been another guest for the night between him checking out and us arriving. We went to housekeeping and interviewed the staff who cleaned the room, we dug through the trash to verify the drinks the victim claimed to have drunk, we got camera footage from the gas station where he bought alcohol (she was also underage). There's a ton more that was done to verify key facts, most of which were essentially meaningless, but we did them because we are required to.
Now, imagine if a victim tells you a story that includes 10 things that could be independently verified (through searching a location for CCTV, pulling receipts, whatever) and you only look for 7 of those things. This opens up the defense to make an argument that you intentionally skipped looking for those other 3 things because they were exculpatory. It's impossible to think through all the different details that could be verified, along with their probative value to a case, and organizing them by how long you have until the evidence is no longer available (there's no standard timeframe for how long before a given store's CCTV recycles).
I'm not saying investigators shouldn't do this ground work, but I am saying that it's a shitload to ask of them and potentially opens up the prosecution to a very bad-faith defensive argument that certain seemingly-obvious factors weren't considered during evidence collection.
In your murder example, sure, they could say "looks kinda like the same guy ish" and hope that's good enough for a jury, but the defense can (and should) tear that to shreds. If a subject told us they were at the cinema at the time of a murder, my first thought would be to ask them to provide any evidence they themselves have (social media check-in, location data from their phone, receipts/credit card statement, etc), but I would also absolutely be checking the cinema for video evidence. If I can prove he lied, that's a huge win for the prosecution. Alternatively if he's telling the truth that he has a verifiable alibi, then the real killer is stacking up time while evidence entropies.
The reality is that cops are burdened enough that the only evidence that's persistently worth verifying are usually statements made by subjects. This is where case where it's worthwhile to talk to cops: if there is potentially verifiable evidence of innocence that stands a good chance of diminishing as time goes by. Giving specific details like the place and time that you saw a movie at a theater along with any receipts or ticket stubs, would be a huge factor in preventing future law enforcement / prosecutor interactions.
> This is where case where it's worthwhile to talk to cops: if there is potentially verifiable evidence of innocence that stands a good chance of diminishing as time goes by.
Might want to think twice about that, you might be replacing one allegedly innocent suspect with a suspect you know for a fact is innocent, yourself.
> Giving specific details like the place and time that you saw a movie at a theater along with any receipts or ticket stubs, would be a huge factor in preventing future law enforcement / prosecutor interactions.
This is only true if the cops are actually looking for the Truth, not just a way to close the case as fast as possible.
You seem to have faith that the cops / prosecutors are attempting to find the truth, unfortunately I do not share your faith in the system. So the better plan, for your own personal safety, is to NEVER TALK TO THE POLICE [1]
"Another possibility is that the investigators fail to share evidence as required."
They also don't maintain good Giglio records. You can request that information, but they won't give it to you because they don't keep good records of the past issues, on purpose. I had a trooper contradict himself in court and official reports 3 or 4 times. The prosecution still found him to be a reliable witness. Anyone else would have their testimony thrown out.
Because they don't keep good records of these contradictions, I guarantee future cases requesting this information will not get it.
This is largely true. Especially when it comes to knowing and understanding the system. A public defender is so comfortable in that role that it gives them a huge advantage. But we also have to recognize the reality that the PD jobs are generally low paying and tend to be sought out and filled by less qualified graduates (to the extent we equate good grades with qualifications, which is obviously a heck of a logic leap).
You are just as much a part of your defense as your attorney. If you have knowledge that will help your attorney, then start sharing. This also has the benefit that this info would then be familiar to the attorney for future clients.
Some of the exchanges seemed rather nonsensical, to my mind, like there were pieces missing.
It's not like the default Android SMS app indicates that messages have been deleted. And there was no provenance information provided as to where or when they were collected.
This is a difficulty that comes with most law enforcement interactions with victims, now. For example, the military is required to offer an attorney to a victim before conducting an interview. Often, these attorneys jump straight to "you can't have any evidence from my victim" without a detailed description of what you're seeking. This usually means we can only get screenshots from his/her phone of conversations between victim and subject, along with any contemporaneous conversations with other witnesses.
I hate this, because screenshots come out looking like trash and it's very difficult with most messaging apps to show the timestamps for all messages. Eventually, this pendulum is going to swing (when cases start getting thrown out for this lack of timestamps/evidence of deleted messages, etc) and law enforcement (at least in the military environment) will have a bit more support in pulling relevant (and only relevant) data from victim devices for the purpose of evidence collection.
One additional thing about screenshots: They can be totally faked, and the "contact" can't be validated from conversation screenshots. For example, if you buy a burner phone, you can create a whole conversation as though the burner phone is the assailant, then change the contact's number to the real assailant. Some chat apps keep the whole conversation, despite the number change, in the same chat and make it impossible to tell which number sent the messages. Cellebrite indicates the number (assuming we're talking about SMS here) where the message came from, even if the contact changes.
Military law enforcement is going to have more leeway to conduct warrantless searches of the devices of people who haven’t even been accused of a crime? On what basis? I’m skeptical, but if you’re right that’s horrifying.
That's not what I'm saying. The problem is that a victim might ordinarily be willing to give cops her phone because it would help us to gather evidence early on that we can take action on quickly. With the "Special Victim Counsel", military cops often get turned down for reasons like "well we don't want all of her photos and other conversations to be used against her by the defense". This forces our hand to the point where all we're allowed to obtain are screenshots of the victim's messages or select content that she and her attorney decide on. By itself, limiting the conversations to just the specific, probative ones between her and the subject would be great, but when we also end up with only the content we can screenshot and send ourselves, it really makes the resulting exhibits seem shoddily-obtained.
My preference would be a process whereby cops run the Cellebrite extraction, then produce a report that's limited to the content the victim and her counsel agree to, like conversations between her and Bob, and conversations between her and Sally, but nothing more. This way, at least we have some data that is verifiable and detailed (would show the to/from numbers, contact info, times, etc).
These are consent-based searches, not warrantless.
Because military law is fundamentally separate from US law, most civil rights are suspended for members of the uniformed services during their service period. Off the top of my head the 1st, 4th, 5th, 6th, and 8th (to an extent) amendments do not apply to those under the Uniform Code of Military Justice. Servicemembers can be compelled to what would be considered unreasonable search and seizure by their commanding officer, it doesn't even require a judge.
I think that's an unfair exaggeration. Military law still respects members' rights. In fact, the 5th Amendment is even more "in favor" of the military member than the general public when it comes to law enforcement interactions, because case law mandates that military cops consider the member to always be "in custody".
The 3 points to Miranda rights are cops, custody, and questioning (provided the questions would reasonably elicit a criminal response).
For example, if I am a cop and I walk up to you on the street and ask you questions, your 5th amendment only applies if I'm not letting you go (custody). There's some ambiguity on the custody part, but it's usually revolving around the idea that you're under arrest. For the military, since you're always "Subject to the code (UCMJ)", the custody part of Miranda means that the only factors that matter are cops (and this is more broadly inclusive of authority figures or anyone who is a "mandatory reporter", meaning someone who must report criminal activity/statements to military law enforcement) and questioning (so, is the subject being asked questions that would elicit a criminal response). If I (a cop, commander, supervisor, whatever) ask a subordinate a question that I know is likely to elicit a criminal response, that response (and the fruits of it) are inadmissible in court and cannot be used to further a criminal investigation. So, I can ask Private Dump "Hey Dump, what did you do this weekend?", and be fine, but if I ask "Hey Dump, how much cocaine did you snort off that stripper's chest Saturday?", I would be eliciting a criminal response (assuming that I have reason to believe he was engaged in criminal drug activity on Saturday).
This tends to work in favor of the subject of an investigation, though, because they a) can't incriminate themselves without a rights advisement unless they willingly volunteer incriminating information in response to a question that wasn't likely/designed to elicit it and b) they have to waive their rights before asking these kinds of questions, so they know they are being investigated (and what for, since Article 32 advisements are WAY more thorough than Miranda).
As for your point about this and other amendments being moot for military, there are a couple ways to think about it. If a military superior or law enforcement conducts a search without search authorization or consent, the results cannot be used against you criminally, or administratively. Effectively, they could kick you out (but not with any of the negative flags, like a dishonorable), but they can't prosecute you. This applies to searches, asking questions without Art 32 advisements, etc. Effectively, your rights are still being respected and they're interacting with you like an employer, just with a bit more authority.
It is also known in the forensics community that on older burner-style phones, Cellebrite can fail to retrieve all messages. No tool is perfect, and frankly forensics tools are tested for repeatability, not for potential exploits. Zip bombs would crash FTK until version 2 came out.
Blog post from Moxie: https://signal.org/blog/cellebrite-vulnerabilities/