The team at Capsicum is well acquainted with the important impact computer forensics and eDiscovery can have on litigation strategy for corporate and civil legal disputes; over the past weeks, we have all seen firsthand the impact the same techniques can have on the outcome of major political and social events. Authorities looking to prosecute the mob who overran the U.S. Capitol have a wealth of actionable insight at their fingertips as a result of cellphone records, facial recognition tools, closed-circuit cameras, social media posts, and other technologies.
Following the siege of the Capitol and the resulting deaths of five people, law enforcement began investigations into those culpable for unlawful activities. Over the following days, local and federal authorities arrested dozens of people across the nation for their involvement. Many of these arrests would not have been possible without the wealth of contextual information afforded to law enforcement via social media, video streaming services, text messages, phone calls, and wearable technologies.
Many rioters posted on various social media and video streaming platforms throughout the chaos, capturing and sharing images and videos of themselves and the people in their company. Both government agencies and private citizens set to work amalgamating footage of various incidents, as seen in the public affidavit of FBI Special Agent Samad D. Shahranit. Even where users tried to remove their posts, media outlets and other users had already duplicated the images and videos, sharing them widely and submitting them to the FBI for preservation.
With the advantage of having violent criminal activity captured and recorded from multiple vantage points, authorities began homing in on the identifying indicia of the criminal actors, most notably the members of the crowd responsible for the injuries to members of the Capitol Police. Arrests were made much simpler in many cases where people openly posted their unlawful intentions on publicly available sites and forums.
Another source of incriminating information came from cell phone location data. Smartphones maintain a repository of metadata that tracks our behaviors in a concrete and constant fashion. Pictures, messages, and other application data are embedded with geolocation information, and phones “ping” nearby towers during calls. All of this data can be collected from a device with the proper authorization and access.
Wrongdoers attempting to subvert the evidence existing on mobile devices naturally assume that performing a factory reset or otherwise deleting data will conceal the evidence of their involvement. However, as perhaps best illustrated by the publicly filed complaint in U.S. v. Priola, law enforcement has access to supplementary information preserved not only by cell phone providers but by other processes embedded in a phone's operating system:
“During a subsequent search of PRIOLA’S Apple iPhone on or about January 12, 2021, agents were unable to recover data for photos, chats, or messages from approximately January 4 through January 7, 2021. Agents also were unable to recover device location data for January 6, 2021, from 5:40 AM to 4:17 PM. At the same time, agents were able to recover device location data for January 6, 2021, at 4:23 PM. This data indicated that the device was utilizing a WiFi system located at GPS coordinates (38.892002,-77.006646). According to Google Maps, these coordinates correspond to a location just northeast of the U.S. Capitol building.”
Digital forensic analysis of data can establish indisputable evidence. Just as law enforcement is using a strategic and repeatable process for analyzing information to identify criminal offenders, so too does our team of experienced law enforcement professionals. A skilled digital forensics partner can help you focus on the specific data that is critical to an investigation or dispute, while also looking deeper into parallel repositories such as alternate storage locations, metadata, activity logs, and other triangulation techniques.