In this episode of Real Talk, KJK Student Defense Attorneys Susan Stone and Kristina Supler are joined by Greg Kelley, a pioneer in the field of digital forensics, with over 2 decades of experience and the founder of Vestige Digital Investigations. They discuss digital evidence and its relevance to legal cases. The conversation includes what digital forensics is, what type of digital activity can be tracked on computers and social media, and if a child gets involved in a legal case what parents should do with their child’s digital devices.
Links Mentioned In the Show:
- What does forensics involve in the digital age? (02:49)
- The secrets that digital forensics can reveal (05:16)
- Why your digital activity can’t lie (07:41)
- Why nothing on social media is actually private (09:29)
- Newsflash: Snapchat photos almost ALWAYS leave a trace (11:48)
- Can deleted files actually be recovered? (13:55)
- How deleting files can actually cause more harm than good (16:57)
- Why parents need to confiscate their children’s devices when their kids get in trouble (17:37)
- Monitoring your children’s devices with Google and Apple (19:25)
Susan Stone: Welcome back to Real Talk with Susan and Kristina. And in case my listeners out there missed CSI last night, we’re going to bring real-life CSI to you all through our special guest, Greg Kelley from Vestige, and Greg is going to talk about computer evidence and how it relates to cases.
Susan Stone: Kristina, why don’t you introduce our colleague, Greg?
Kristina Supler: Sure. So Greg, thank you so much for joining us. Greg is a founder of Vestige Digital Investigations, and Greg’s been working in the digital forensics field since 2000 or so. And really for the past 15 years, he’s helped Vestige become one of the leaders in the area of comprehensive digital forensic investigations. Greg and other employees at Vestige work on criminal cases and civil cases, and really cases in courts that deal with a variety of issues from cyber intrusion, intellectual property theft, fraud, other sorts of illegal online activities. Greg testifies in court, both in the state of Ohio as well as federal courts.
Kristina Supler: And we are pleased you’re here today, Greg. Thank you.
Greg Kelley, Vestige Digital Investigations: Thank you for having me. And, you know, with your, your count on CSI as a, as a side note, my business partner actually consulted for a while on the I think it was the CSI cyber series that was on. It’s kind of Stephanie brought that up.
Greg Kelley, Vestige Digital Investigations: Yeah. He hooked up with a couple of directors. I forgot how it was, but. Yeah, he’s got a couple of posters and t-shirts in his office. He’s, he’s pretty proud of that. So
Susan Stone: Very cool. That’s really cool. And the real, the reason Greg, we wanted you to talk to families because as you know, Kristina and I are dedicated to representing students, is that almost every case, if not every case has a component of what is or is not on a cell phone or a laptop or some device.
Susan Stone: And what do we need to find from the other side for a defense? What do we need to provide? What do we not want to give? What’s here? What’s there? What’s erased? What’s deleted? And it’s confusing. And every day, Kristina and I are learning about a new software, a new chat room, a new social media app. And it’s hard to keep up with it. And so we’re hoping you can boil down these fancy, scary words like forensics and computer and cybercrime and make it meaningful.
Greg Kelley, Vestige Digital Investigations: Yeah, we’ll give that a try. So let let’s talk about forensics. The way I like to describe it, um, forensics to someone in general is, we’re looking at, a computer, a cell phone.
Greg Kelley, Vestige Digital Investigations: Let’s call them a digital device. Something that has digital information on it and we’re examining it. We’re looking at it. We’re pulling messages from it and pictures and web history. We’re doing all of that in such a way that’s going to be admissible in court. So that means that we can do, we can take the same device.
Greg Kelley, Vestige Digital Investigations: Performing the same type of search and analysis multiple times, and we get the same results over and over. And likewise too, we can explain it to someone else who’s technical like us, and they can repeat the same processes and get the same results as well at the end of the day. Now their opinion on what they found versus what we found may differ.
Greg Kelley, Vestige Digital Investigations: And that’s, that’s an opinion, but at least at the end of the day they can find the same messages, the same, artifacts is another word that I’m sure I tell you guys a lot about. You can find the same artifacts as well. And an artifact so as not to, get too technical here is, is really something that’s left over after an action is performed. So really simply, your web history, everybody knows about web history on your computer. You go to websites, you look at pictures, you read articles and so on, and everybody knows that web history is stored on your computer. Well, that history is an artifact. It’s something that’s left behind after you performed an action. Your action was you went to a website. You read an article. Well, part of that website was cached on your computer. That history was cached and that’s the artifact. So, so that’s what we’re doing. We’re examining devices and, helping people understand what happened.
Susan Stone: So that’s why everyone out there, my computer knows that I like to shop. Is that right?
Greg Kelley, Vestige Digital Investigations: That would be why. That would be what Google knows you like to shop. Apple knows you like to shop. By if you’re on Facebook, Facebook, like know that you like to shop. Everybody knows you like to shop. So
Susan Stone: Everybody knows.
Kristina Supler: Let me ask you actually on that. And that’s a good segue. Susan loves to shop and she’s getting blasted with these ads in her Facebook feed and she goes on Google and they’re ads on banner ads and what nots. Tell us what’s what type of information can be uncovered. What sorts of artifacts, I guess, to use the phrase you referenced or the term?
Kristina Supler: Excuse me, can you learn through doing a computer or I guess digital forensic exam.
Greg Kelley, Vestige Digital Investigations: Yeah. So what can you learn? You’re going to learn about someone’s habits. You’re gonna learn about someone’s habits, their likes, their dislikes. You look at my computer, you’re going to find articles about football, Chicago Bears, and beer. And it’s going to be as simple as that.
Greg Kelley, Vestige Digital Investigations: So you’re going to understand someone’s habits. What they did when they did it. Even where they did it from. Give you, give you a for instance, is, is we’re working on a case right now involving a family dispute over a business. And come to find out we were able to discover that, our client was really worried that the other side had information that they shouldn’t have known about.
Greg Kelley, Vestige Digital Investigations: Well, the way they had it. And we found evidence was the other side actually was logging into our client’s Gmail account. And performing searches in his mailbox. And the way we found that out was because we were able to grab our clients, Gmail or Google history and see that, someone got into his mailbox from a location that he wasn’t in. Our, our client was in a completely different state.
Greg Kelley, Vestige Digital Investigations: And here we find out that someone from Ohio. It’s actually getting into his mailbox and doing all sorts of things. So, going back to your question, what can you find out? You’re finding out information, not just about someone’s shopping habits or about their likes and dislikes. But what they’re doing when. Searches that they’re conducting online, to give an extreme how to hide a body, something like that. But you see things like that and it’s, it’s when that took place.
Greg Kelley, Vestige Digital Investigations: And it’s also to, from where that took place as well, too. The reason why you may find that you get a lot of advertisements like on your computer for something you did on your cell phone is because we signed into these devices with the same credentials.
Greg Kelley, Vestige Digital Investigations: I’m an Android user. So on my cell phone, I’ve got my Gmail, my Google account is signed in there. And I signed into my Google account on my computer. And so the history gets intermixed. The activity gets intermixed. And so that’s beneficial to someone like me doing an investigation. And it also can be sometimes too, a little, difficult, cause you have to weed out, who’s doing what, when and where, you know, where were they?
Greg Kelley, Vestige Digital Investigations: Cause things you can do that are appropriate maybe at home may not be appropriate at work. So you got to kind of weed that out as well, too.
Susan Stone: Greg, can you ever, use evidence that you take from a cell phone to prove that something didn’t happen?
Greg Kelley, Vestige Digital Investigations: Yeah, you can. What you’re talking about there is the phrase proving a negative.
Greg Kelley, Vestige Digital Investigations: And so in order to prove that something didn’t happen, you got to look anywhere and everywhere for where that occurrence may have taken place. And rule it out. But you know, you certainly can. And we’ve been asked to do that at times. And, and, and the way we go about doing it is basically saying, we looked here, we look there, we looked at all these different places and we didn’t see the evidence of it.
Greg Kelley, Vestige Digital Investigations: We didn’t see messages. Um, what what’s, oftentimes what someone’s asking us is can you prove that this message was never sent? You get a screenshot of someone else saying I got this message. And John sent Betty this message. And Betty says, this message came through and John says, no, it never did.
Greg Kelley, Vestige Digital Investigations: And what you’d like to be able to do is look at John’s phone, uh, where the message would’ve come from and see that not only did we not find that message to Betty, but we find all sorts of other messages and other activity around that time that shows the phone was being used. And we have this, this rich amount of information, but yet we’re not finding that message.
Greg Kelley, Vestige Digital Investigations: Quite often, it’s not that case. But yeah, you could still go about using digital devices to say something didn’t happen. It’s just, it’s, it’s a more difficult process cause you have to check off all the boxes to make sure you’re not seeing it from, all these different locations.
Kristina Supler: So I have another question.
Kristina Supler: I mean, we know that virtually every teenager in America has an iPhone, some sort of an Android, some sort of smartphone. And there is a constantly evolving array of social media apps and platforms available. So for particularly cases involving students in social media, what type of forensic analysis can be done on social media accounts?
Greg Kelley, Vestige Digital Investigations: Yeah. So with social media accounts, it’s all a matter of whose account we’re trying to get at and what kind of access do we have? The best type of access is that we actually get that individual’s credentials. And then we can go into their social media account and see all the things that they’re posting, all the things they’re sharing, private messages sent and received and so on.
Greg Kelley, Vestige Digital Investigations: And again, we may have other information around that such as where was that person when they made that post? Where was that person when, when they sent that message? And then of course the when. You know, the when is always important too. Absent of that for instance, like on, on Facebook, if we’re investigating someone’s Facebook account, maybe we don’t have that person’s actual credentials. But someone that’s a friend of theirs on Facebook as long as you use their credentials to look at the suspect’s account.
Greg Kelley, Vestige Digital Investigations: So we can gather some information that way as well, too. And what we’re looking for all depends on the nature of the case. If it’s like a, a matter where someone’s claiming they slipped and fell and they’re debilitated.
Greg Kelley, Vestige Digital Investigations: And, and we go on their Facebook page and see that they’re skiing out in Colorado. And it kind of contradicts the idea that someone slipped and fell. With school matters, it’s going to be things such as you know, who was where and when, and who knows whom? Do we have pictures on someone’s Instagram or someone’s Facebook wall that shows them being a friend or an acquaintance of another important person in a case.
Greg Kelley, Vestige Digital Investigations: And so that might be, important to someone such as you, when you’re working on these student matters. Who knew whom and when? And where were they on certain on certain evenings?
Susan Stone: So, Greg, I’m going to get a little juicy here from our cases.
Susan Stone: We have a lot of cases where we defend students who receive naked snapchat messages. And they either receive or send nude pictures, which is a crime. But these students tell us time and time again, they sent it via Snapchat and they thought it disappeared. And of course we know that other students capture the Snapchat and send it around.
Susan Stone: But let’s say that didn’t happen. Is it true that snaps really disappear forever? Or can you uncover something about that nude photo?
Greg Kelley, Vestige Digital Investigations: So obviously, to start with, when you’re taking the photo in Snapchat, quite often, a copy of the photo may be saved on the phone itself. Before being attached to a Snapchat and sending along. It all depends on the method by which.
Greg Kelley, Vestige Digital Investigations: That photo was taken in a sense, but if you’re just talking about the snap being sent between two people that information, if, if neither party saves it, decides to save it as a snap, it’s going to be gone. It’s most likely it’s going to be gone. And I think most likely, because we’ve seen in the past where.
Greg Kelley, Vestige Digital Investigations: Snapchat changes their software code and things may linger around a little bit longer than, than anybody intended. At the very beginning, Snapchat said, yes, all of the pictures and all the snaps are gone and come to find out that was, that couldn’t be any more wrong. Things were left behind and we were able to do it and they cleaned up their accents that time.
Greg Kelley, Vestige Digital Investigations: But there’s always the possibility. Some things left behind and so on. But in general now, I mean, w w if two people send a, if one person sends a snap to the other and neither saves it, neither takes a screenshot of it. It’s it’s going to be gone as a know with, with that time, once that time. Is, is done.
Greg Kelley, Vestige Digital Investigations: That Snapchat goes away.
Susan Stone: You can never be sure that it’s not going to be,
Greg Kelley, Vestige Digital Investigations: You can’t be a hundred percent sure. Right, right. You can’t be a hundred percent sure. What we will often find though, is still, maybe not the picture itself, but evidence and proof that a snap took place between two people, a specific time.
Greg Kelley, Vestige Digital Investigations: We don’t have the content of it. We don’t have the picture. But sometimes that may be evidentiary enough for an attorney to get the results they’re looking for. Yeah. Correct. The artifact. Yep. It’s the artifact that’s left behind. We don’t have the picture, but we have, we have other things.
Kristina Supler: Let’s just talk about computers in general.
Kristina Supler: And I guess it would still include smartphones because smartphones are in a sense mini computers, but let’s say something is deleted, an email, a Word document, a PDF, whatever you name it. If something on an electronic device is deleted, is it gone forever? Can a forensic exam recover it?
Greg Kelley, Vestige Digital Investigations: Yeah, it most likely there’s going to be the ability to recover that document.
Greg Kelley, Vestige Digital Investigations: But I will, as I often tell all of my clients is, is the honest answer, then the full answer. It depends, it depends on the situation. For instance, let’s take your example of an email. If I am just using my Chrome browser or Mozilla or Internet Explorer to view my emails. And I delete an email, chances are that email’s not going to be recoverable.
Greg Kelley, Vestige Digital Investigations: We might get a snippet of it, a piece of it, but that email’s not going to be gone. If I’m using something like Outlook or a Thunderbird, or window, I’m sorry, a Mac mail. And I delete a message. Uh, I delete an email then it can be recovered. So there’s two scenarios there where we’re talking about recovering the same item and it comes back to, it depends.
Kristina Supler: Let me ask you this. Sorry to interrupt, but I just had a thought. Someone deletes something and then use the software to try to cover up what they did. Yeah.
Greg Kelley, Vestige Digital Investigations: If it’s done properly, it’s going to be gone. If it’s done properly. I will say we, we just did one where an individual, deleted everything from a USB drive, but it ended up in their recycle bin.
Greg Kelley, Vestige Digital Investigations: They didn’t dump the recycle bin. But they used a piece of software to try and erase everything and it completely neglected the recycle bin. So everything they tried deleting and covering up was sitting there in the recycle bin. If used properly those tools definitely work. They will work a hundred percent of the time.
Greg Kelley, Vestige Digital Investigations: You’re really not going to know what was, what was deleted. Absent of a situation that, you’re, you’re not expecting. Let’s go back though, to your comment about deleting and can you recover things. And back to my point about it depends because we get this a lot.
Greg Kelley, Vestige Digital Investigations: Someone comes to us, especially in situations like yours. Someone comes to us and says, I have this picture. It was on my phone. And for some reason, whatever they deleted. You’re not going to recover deleted pictures from the cellphone. Especially in iPhone. With the technology involved. And I can get real, real techie here, but I’ll, I’ll avoid it.
Greg Kelley, Vestige Digital Investigations: You’re not going to get that picture back. So if somebody has well, okay, so now it depends. Did they synchronize it with the cloud? If they synchronize it with the cloud? Sure. But not everybody does that on their iPhone. A lot of the iPhones we deal with they might use the cloud. They might use their iCloud account for some things. But, but not, not always.
Greg Kelley, Vestige Digital Investigations: So if it’s not synchronized with the cloud and don’t just assume that because I have an iPhone and, and even if I’ve signed into my iCloud account, you still have to make sure you enable synchronizing of pictures or synchronizing with documents or your calendar, your contacts, and so on. Which nine times out of 10, when someone comes to us, that’s not the case.
Greg Kelley, Vestige Digital Investigations: You know, they just had a picture on the phone. They deleted the picture and it’s not going to be recoverable, uh, on a
Susan Stone: phone. We tell our clients. Be careful don’t delete because there could still be evidence that you deleted and that could get you in trouble.
Greg Kelley, Vestige Digital Investigations: Well, yeah, well, certainly most certainly because if that picture was tagged to a message of some sort we may, the picture could still rely on the message. If they delete the message, we can recover the message, not the picture, but we’ll have a name of the picture. And show that a picture was sent with this type of message between these people and at a certain point in time.
Greg Kelley, Vestige Digital Investigations: It’s a tough thing because when someone is in a position that they’re in before they come to an attorney, such as the two of you, they freak out and they just start deleting things left and right.
Greg Kelley, Vestige Digital Investigations: I know your viewpoint is usually the more evidence, the better, because you know, what you’re up against, and to probably defend your client. But also to, there’s going to be some evidence there that’s going to help them. There’s gonna be something there that’s, that’s going to help them.
Greg Kelley, Vestige Digital Investigations: So, to the parents out there listening, if their child gets in a situation, and they get into trouble, the best thing you can do is probably just grab all their digital devices, physically get them in your hand. And get them away from the child. Don’t let the child be tempted.
Greg Kelley, Vestige Digital Investigations: And I say child, it’s usually a teenager, but don’t let that person be tempted to start deleting things. And get advice from an attorney and decide the best way going forward. Hopefully you you’ve seized, those devices quick enough before they can start, deleting things.
Greg Kelley, Vestige Digital Investigations: So because otherwise it’s, it’s, it’s tough. There’s always three sides of the story. There’s, there’s person A and person B, and then there’s the truth. And the problem is, is that each person is only going to keep what they want. And, and when you’re trying to defend someone, there’s probably not gonna be that evidence left around if they, if they’ve deleted it.
Greg Kelley, Vestige Digital Investigations: So
Susan Stone: Did you hear that parents out there? If your kids get in trouble, take their devices. I assure you they’re not going to die just because they have to go sometime without a smartphone. There was society pre smartphone.
Greg Kelley, Vestige Digital Investigations: Exactly. Exactly. And if they need their smartphone for, for work or communicate, you take the SIM card out of the old of the, out of the phone, which has the evidence, and you put that SIM card into some other phone you’ve got laying around her or go to the Apple store and get into another phone or something like that.
Greg Kelley, Vestige Digital Investigations: You know, you can transfer their phone number with, with just swapping that SIM card. But yeah, take, take their devices. Sometimes I’d like to take the devices away until someone reaches the age of 21 or 25, but that’s a whole other conversation.
Kristina Supler: Greg, what advice do you have for parents, who want to monitor their children’s devices or online activity for whatever reason?
Kristina Supler: I mean, are there any tips or suggestions you have for that.
Greg Kelley, Vestige Digital Investigations: Yeah, certainly. One of the things we do in our household, my kids both have a couple of old Android phones. And, my wife has them on a Google family plan with her. So she knows any apps that they installed. She can also see their usage on the phones and so on.
Greg Kelley, Vestige Digital Investigations: So she’s able to monitor that. And now my kids are 10 and 13, so that’s along the younger side. In the iPhone world, Apple also has like family Apple IDs. But the other thing that I’ve seen people do as well is you can take the same Apple ID that you have on your phone. And sign that into your kid’s phone.
Greg Kelley, Vestige Digital Investigations: And then you see everything that they’re doing. Again, you see all those purchases they’re doing and so on. If your child wants to do something like Instagram or, or TikTok or something like that, request that you become their, their friend or their follower, and they let you see everything that you may post. You’re not going to look at it.
Greg Kelley, Vestige Digital Investigations: But you have that ability. You can, you can see it, you see what they’re doing. There’s applications like, uh, net. That you can install on a device and you can watch what the person’s doing, see who they’re texting. Things like that. That, that’s another way. I know some homes, not some people are familiar with what are called wireless mesh networks, where basically everybody’s home’s wireless.
Greg Kelley, Vestige Digital Investigations: And, and if you’re just relying on your one cable box, that’s not going to be good enough. So instead, you set up like a, what’s called a mesh network. And there’s a lot of them out there. We use AmpliFi and, and I know there’s Orbi and, and Google Nest and so on. Those systems often have the ability to record web traffic. The web traffic that’s going through that network. They don’t keep it for a long period of time. So if that’s, if, if you have one of those devices, and you want to use it for that purpose, you should really look into how much of that traffic is being captured, and how long it stays around.
Greg Kelley, Vestige Digital Investigations: Don’t assume that, everything is captured and everything’s out there and everything’s done, you know, all the time. And, it’s always recoverable because that’s not always the case. Except well with the Google world again, if you have, that’s the only thing you can do as well as on computers or even on, on phones, sign in with a known Google account and onto your child’s devices. And then when you want, you can just do, what’s called a Google Takeout and get all and get all of their, web activity that.