Though the jury in the Anthony Garcia murder trial heard a digital forensics expert claim that investigators contaminated phone evidence, it found the defendant guilty on four charges of first degree murder.
In fairness to the expert, the defense faced a daunting challenge in this case. The phone only representing a key turn in the investigation. By mining the data, the police were able to connect Garcia to a revenge killing of four people resulting from Garcia being fired from his job at the Creighton pathology department in 2001.
However, the challenge made by the defense at trial raises a question for digital forensics experts. What standard procedures should be implemented to ensure data integrity when examining evidence during an investigation? What is the best method for demonstrating that data was accurately mined without compromising it?
In 2001, Garcia was fired from the Creighton pathology department by Dr. Roger Brumback and Dr. William Hunter. In 2008, Thomas Hunter, the 11-year-old son of Dr. Hunter and Shirlee Sherman, the family’s housekeeper, were murdered. Then Roger and Mary Brumback were murdered in their Omaha home in 2013.
The 2008 case had gone cold until the detective assigned to it viewed the Brumback murder scene five years later. Immediately they recognized the pattern and began to wonder if a serial killer was on the loose. It did not take long for police to connect Garcia with the murders since he had history with the victims.
Upon investigation, Creighton wasn’t the only place where Garcia had been fired. His troubled work history spanned his career. The first murders occurring mere weeks after Garcia had been terminated at LSU. The Brumback murders occurred shortly after Garcia was denied a permanent medical license in Indiana based upon a letter written by Brumback.
And, of course, there was the almost cliché confession that Garcia made to a stripper who was breaking up with him because he was too good for her.
Digital Forensic Evidence
Police gained access to Garcia’s iPhone and tablet. The investigators downloaded information from Garcia’s iPhone 4 and put it into a wiped iPhone 3 with a SIM card. They discovered that Garcia had performed a Whitepages search for the Brumback home on the day before the bodies of the Brumbacks were discovered. In addition, Garcia had mapped the home.
Defense Digital Forensic Expert Testimony
The defense called its expert and began asking about the procedures used to access the information. He followed up by asking the expert if there was a “Whitepages search for Roger Brumback on May 12th or May 13th.” (See a transcript of the expert’s testimony here.)
The expert denied the existence of such a search. Defense counsel even put on a search in front of the jury and it returned no results.
The prosecution cross-examined the expert and quickly established that the expert had not seen all of the raw data. The prosecution went on to establish that in the raw data such searches were found. When pressed on the issue, the expert admitted to the existence of such a search according to a report but testified that he could not validate it. He went on to say that despite its existence on a form, the investigators failed to follow procedures.
In extracting and searching data, digital forensic experts differ in their opinions of the appropriate procedures to employ. This case points out that because of the lack of standardization, any expert can always argue to a lack of standards. Some absence of protocol.
I’m interested in hearing from you what procedures you think should be adopted to clarify for all the correct way to investigate, process and preserve data.
Author: Chris Semones, CEO, Expert Witness Network.