This case involves the alleged secret filming of female students at a large university. A female student first noticed what appeared to be an additional clothing hook in the shower of the shared bathroom of her dorm building. She thought that it was odd, but did not report it. The following week, the hook was gone, and it appeared in the room of another female student on the floor. The student opened the hook and found a covert, motion-activated recording device. The plaintiffs tried to view the footage on the camera but could not access any. They believed the footage had already been downloaded by the perpetrator by the time they discovered the device. The plaintiffs informed the university of this invasion of privacy, expecting swift corrective action, but the university made no effort to perform a thorough search to identify the source of the covert device. The plaintiffs repeatedly went back to the university to request an investigation. However, the university contended that because there were no security cameras near the plaintiffs’ sleeping quarters, there was no evidence of illegal recording. An expert familiar with forensic data recovery was sought to speak to the potential for recovering this data, to opine on the theoretical ability to view the downloaded video, and to test whether it had been downloaded on campus.
Question(s) For Expert Witness
1. Please briefly describe your familiarity with forensic data recovery as it relates to a case like this.
2. Can you speak to the potential downloading and uploading of this data?
3. Are you familiar with tactics to monitor the potential appearance of this video on the internet?
Expert Witness Response E-020691
I routinely work on cases where forensic data recovery based upon file signature analysis and “file carving” is necessary to help prove or disprove a claim. Video and/or picture files are generally stored in one of several common formats, which are defined by file headers and other file metadata accompanying the particular files. Generally speaking, unless the digital media storage device on which the images were stored has been wiped (not deleted), the images would be recoverable.
Downloading or uploading of the data would require two basic components: hardware and an internet connection. The hardware which was used to upload the images would likely contain trace evidence of the storage media on which the images were stored. The hardware may also contain evidence of the internet connection (IP address) that was in use at the time of the upload. There may also be trace evidence of the specific image files, either deleted or undeleted, on the memory storage of whatever device was used to upload the images. Time is a crucial component in recovery of this data. The more time that has passed since the incident without a forensic image (copy) being made of the original hardware devices suspected to be used, the greater the likelihood that some or all of this data will not be available.
I am familiar with open-source investigation and intelligence techniques that would help monitor the potential appearance of this video on the open internet.
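The signature-based carving mentioned in the response, and the difference between deleted and wiped media, shown as an added example that is not part of the original page or the expert's own tooling. It is narrowed to JPEG header/footer carving; the 4 KiB "storage image", its toy directory entry, and the function names `carve_jpegs` and `build_sample_image` are constructed assumptions.

```python
# Constructed demo of header/footer file carving; no real evidence is involved.
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image signature (file header)
JPEG_EOI = b"\xff\xd9"          # JPEG end-of-image marker (file footer)
MAX_SIZE = 10 * 1024 * 1024     # assumed upper bound on one carved file


def carve_jpegs(raw: bytes, max_size: int = MAX_SIZE):
    """Return (offset, data) for every header..footer run found in raw bytes.

    The scan ignores the file system entirely, which is why content whose
    directory entry is gone can still be recovered.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:            # header without a footer: skip past it
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, raw[start:end]))
        pos = end
    return found


def build_sample_image(wiped: bool) -> bytes:
    """Build a constructed 4 KiB storage image holding one JPEG-like file."""
    fake_jpeg = JPEG_SOI + b"\xe0" + b"JFIF-constructed-sample" * 8 + JPEG_EOI
    image = bytearray(4096)
    image[0:32] = b"DIRENT photo001.jpg @1024".ljust(32, b"\x00")
    image[1024:1024 + len(fake_jpeg)] = fake_jpeg
    # "Delete": only the toy directory entry is cleared; content bytes remain.
    image[0:32] = bytes(32)
    if wiped:
        # "Wipe": every byte is overwritten, so no signature survives.
        image[:] = bytes(len(image))
    return bytes(image)


if __name__ == "__main__":
    for wiped in (False, True):
        hits = carve_jpegs(build_sample_image(wiped))
        print("wiped" if wiped else "deleted", [(off, len(d)) for off, d in hits])
```

On real media, fragmentation and embedded thumbnails (which carry their own end markers) make simple header/footer matching incomplete, and carving is run against a forensic copy rather than the original device.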