10 www.DFInews.com SUMMER 2014
computers and mobile devices, the following list serves as a
reference of what might be recovered from computers.
• File download activity
• Program executions
• USB hard drive connectivity and usage
• Internet browsing history
• File creation, modification, and open activities
• Data destruction activity
• User account history
• Previous versions of files
• Installation information of software
Extremely useful information can be extracted from
smartphones and tablets; however, they inherently create
more challenges during data acquisitions and analyses due
to their vastly different architecture and security features.
Each of these fact-based “data points” provides a wealth of
information that supports the efforts of preparing a more
complete timeline surrounding historical events. The fol-
lowing represents a partial list of information that can be
recovered from a mobile device.
• Call logs (dialed, received, missed)
• Contact list
• MMS (multi-media-system) messages (including
• SMS (short-message-system) messages (including
• Voicemails (including deleted10)
• Native installed applications
• Third-party applications (Facebook™, Snapchat™,
• Pictures (including deleted10)
• Internet history
Each and every one of these data points can provide a
wealth of information on its own and support the efforts
to prepare a more complete timeline surrounding historic
events by using fact-based data.
Accurate recollection of events and facts by humans is un-
questionably subjective, fragile, ephemeral, distortable, and
fallible. This includes eyewitness accounts. The standard
exponential decay-curve clearly shows how quickly a sig-
nificant amount of information is forgotten by humans. By
effectively utilizing digital evidence, it is possible to narrow
the “fact-gap.” Digital evidence contains many attributes
and sequences that allow forensic examiners an objective
method to make fact-based comparisons and decisions.
The method may provide more comprehensive and robust
information that facilitate attorney-client discussions and
their trial preparations. Due diligence means not leaving
relevant factual information on the table; if information is
available through forensic examination, it can and should
With data being all around us, it might be worthwhile
to ask the question: “Who else might gain access to this
digital information and what would they find?”
1. A. D. Baddeley, Working Memory (Oxford: Oxford University
2. Jennifer Bothamley, Dictionary of Theories (Canton, Mich., Visible
Ink Press, 2002), 137.
3. N. J., Slamecka, B. McElree, “Normal forgetting of verbal lists
as a function of their degree of learning,” Journal of Experimental
Psychology: Learning, Memory and Cognition 9 (1983): 34-397.
4. R. C. Atkinson, R. M. Shiffrin, “Human memory: A proposed
system and its control process,” in The Psychology of Learning and
Motivation, vol. 2, eds. K. T. Spense and J. T. Spence (New York:
Academic Press, 1968).
5. B. B. Murdoc Jr., C. D. Cook “On fitting the exponential,” Psychological Reports 6 (1960): 63-69.
6. Geoffrey R. Loftus, “Evaluating Forgetting Curves,” Journal of
Experimental Psychology: Learning, Memory, and Cognition 11, no.
2 (1985): 397-406, http://faculty.washington.edu/gloftus/Down-loads/LoftusForgettingCurves.pdf.
7. In the decay curve formula, “e” represents the natural logarithm or
Naperian log, which is a constant equal to 2.718. The units of time
do not have to be days. Time could be hours, weeks, or months, and
is independent of the unit used.
8. Hal Arkowitz, Scott O. Lilienfeld, “Why Science Tells Us Not to
Rely on Eyewitness Accounts.”, http://www.scientificamerican.com/
9. http://www.innocenceproject.org/understand/Eyewitness-Mis-identifi cation.php.
10. The ability to recover deleted information varies and depends
on, yet is not limited to, factors such as phone model, service provider, operating system, application used, and available acquisition
Martin Siefert is a digital forensic examiner and the founder
of Proactive Discovery, LLC, a Colorado-based digital forensic
company specializing in hi-tech crime investigations involving
digital devices. Proactive Discovery, LLC, 16890 E. Alameda
Pkwy., #470129, Aurora, CO 80017; (720) 432-1419;
Extremely useful information can be
extracted from smartphones and tablets;
however, they inherently create more
challenges during data acquisitions and
analyses due to their vastly different ar-
chitecture and security features.