

Prerequisites

  • 1
  • 2
  • 3
  • 4
  • 5

Learning Objectives

  • Define digital forensics and digital evidence, and explain why the same qualities that make digital evidence powerful — abundance, persistence, and metadata — also make it fragile and easy to alter.
  • Explain how forensic imaging and a hash value together establish evidentiary integrity 'by math,' and describe the role of a write blocker in the acquisition chain.
  • Describe where evidence hides on a device — in metadata, in deleted files, and in unallocated space recoverable by file carving — and state honestly what each can and cannot establish.
  • Explain why a modern smartphone is the most complete record of a person's life ever routinely entered into evidence, and what mobile forensics can extract from it.
  • State precisely what cell-site location data can and cannot show — a phone in a sector/coverage area, not a person at a GPS point — and recognize how historical cell-site testimony has been overstated in real cases.
  • Apply the warrant, encryption, and privacy framework that now governs digital searches, and connect it to the chain-of-custody logic established in Chapter 2.

Chapter 25: Digital Forensics: Computers, Phones, and the Evidence You Can't Delete

"We leave traces of ourselves everywhere — and nowhere more completely than on the devices we carry. The hard part was never finding the evidence. It was proving we hadn't changed it." — constructed teaching epigraph, in the voice of a working digital-forensics examiner [labeled constructed line]

Overview

For most of this book the evidence has been physical: a stain on a doorframe, a fracture in a skull, a pollen grain on a floor mat. This chapter is about evidence that has no physical form at all — a deleted text message, the hidden timestamp inside a photograph, the record a cell tower keeps of which phones reached for it and when. It is the newest kind of forensic evidence and, increasingly, the most decisive. A modern smartphone knows where you went, whom you spoke to, what you searched for at three in the morning, and how many steps you took getting there. Twenty years ago a homicide investigation reconstructed a suspect's movements from gas receipts and eyewitnesses. Today it reconstructs them from the phone in the suspect's pocket, which kept a more honest diary than the suspect ever would.

That power comes with two warnings, and this chapter is built around both. The first is that digital evidence is everywhere and almost impossible to fully erase — "delete" rarely means gone, and people who believe they have covered their tracks usually have not. We will see why. The second warning runs the opposite direction and is the one that makes this chapter different from a technology demonstration: some digital evidence is far weaker than it sounds in a courtroom, and the worst offender is the one juries find most persuasive. Cell-site location data — the records that supposedly "put the phone at the scene" — does nothing of the kind. At best it places a phone somewhere inside a tower's coverage area, which can be miles across. For years, prosecutors and even some experts described it as if it were a GPS pin dropped on a map. It is not, and people went to prison on the difference. Section 25.5 is the heart of the chapter's honesty: a method that is genuinely useful and routinely overstated, in the same breath.

We begin at the scene — because a phone is physical evidence before it is digital evidence — and move through the two ideas that make digital forensics a science rather than a magic trick: imaging (taking a perfect copy so you never touch the original) and hashing (proving, with mathematics, that the copy is perfect and unaltered). Then we go looking for where the evidence hides, into the phone as a life-logger, into the real limits of cell-site data, and finally into the law — warrants, encryption, and privacy — that now governs every search of a device.

In this chapter, you will learn to:

  • Define digital forensics and digital evidence, and explain the paradox that makes digital evidence both abundant and fragile.
  • Explain how forensic imaging, a hash value, and a write blocker together prove that what the lab analyzed is exactly what was seized — integrity established by math, not by trust.
  • Find evidence where it hides — in metadata, in deleted files, and in the unallocated space that file carving reconstructs — and state what each does and does not prove.
  • Read a smartphone as the most complete behavioral record routinely admitted into evidence, and know its limits.
  • State exactly what cell-site/location data can establish (a phone in a coverage area) and refuse the overstatement that it pins a person to a place.
  • Place the search of a device inside the warrant, encryption, and privacy framework, and connect it to chain of custody (Chapter 2).

Learning Paths

This chapter matters to every reader, because nearly every modern case now has a digital thread. Here is how the four paths run through it:

  • 🔎 Investigator/CSI: A phone is physical evidence first. §25.1 is yours — how you seize, isolate, and document a device without destroying the very data you came for (airplane mode is not enough; you will learn why a Faraday bag is). The chain-of-custody discipline from Chapter 2 applies in full.
  • 🧪 Lab analyst: §25.2 and §25.3 are the bench. The imaging-and-hashing workflow is the digital equivalent of the sterile collection you learned in Chapter 4; carving and metadata are your daily craft. Note every limit stated — black-box extraction tools have them.
  • ⚖️ Law/courtroom: §25.5 and §25.6 are where this evidence is won and lost. The single most important thing in this chapter for you is the gap between what cell-site data shows and what witnesses have said it shows. Learn to attack and to defend it honestly.
  • 👥 General reader/juror: All of it concerns you, because all of it is about your own devices. §25.5 is the antidote to a specific courtroom illusion: that the phone "was at the scene." Learn what that sentence really means before you ever have to weigh it.


25.1 The digital crime scene

Start with a correction to the mental picture. When people imagine digital forensics they picture a screen — code scrolling, a progress bar, an analyst typing fast. But the digital crime scene begins as a physical one, and the first decisions made about a device, often by an officer who is not a specialist, determine whether the evidence inside it survives at all. A phone is an object you can drop, wipe, lock, or contaminate, and everything the lab can later do is capped by how it was handled in the first ten minutes — exactly the lesson Chapter 2 taught about the cabin on Mill Creek Road, now transposed to a four-inch slab of glass.

Let us define the field plainly. Digital forensics is the application of scientific methods to the identification, preservation, acquisition, examination, and interpretation of data stored on or transmitted by digital devices, in a manner suitable for use as evidence in a legal proceeding. The data itself — any information of evidentiary value stored or transmitted in digital form — is the digital evidence: the text messages, photographs, emails, location records, browsing history, app data, documents, call logs, and the vast layer of automatically generated records the user never sees. The defining feature, and the source of every difficulty that follows, is that digital evidence is intangible and effortlessly changed. A bloodstain, once collected, does not silently rewrite itself. A powered-on phone does — it checks for messages, updates timestamps, runs background tasks, and, if it receives the wrong signal, can erase itself entirely.

🔬 At the Bench

The single most important reflex at a digital scene is isolation from the network. A seized phone that remains connected to a cellular or Wi-Fi network is a live wire: it can receive a remote-wipe command, sync new data that overwrites old, or update records and change the very timestamps you need. The field tool is a Faraday bag — a pouch lined with conductive mesh that blocks radio signals, the same physics as a microwave oven's door screen. Airplane mode is not a substitute, because a suspect may have configured the device to ignore it, and because toggling settings on a live device is itself an alteration you would have to explain on the stand. The discipline: photograph the screen's current state, note whether it is powered on and locked, bag it without interacting with it, and document the time. If the device is on, keep it on and charged in the bag; if it is off, leave it off. Both powering a phone up and powering it down change its state, and the wrong choice can lose data or trigger encryption.

The decision tree at a digital scene is genuinely hard, and honest practice acknowledges the dilemmas rather than pretending they have clean answers. Pull the plug on a running computer and you lose everything in volatile memory (open files, encryption keys, running programs) but freeze the disk; shut it down properly and you may trigger cleanup routines that destroy evidence. Leave a phone on and it may sync away the past; turn it off and it may demand a passcode you do not have when it powers back up, because modern devices encrypt themselves at rest. There is rarely a risk-free move. What there always is, is a documented move — a record of what state the device was in, what you did, and why — so that the defense's inevitable question ("how do we know you didn't alter it?") has an answer written before the question is asked.

This is also where the chain of custody from Chapter 2 reappears, unchanged in principle and harder in practice. A phone passes through more hands and more transformations than a blood vial — seized by an officer, logged into evidence, imaged by an examiner, analyzed by another, perhaps sent to a third-party lab for a locked device — and at each step the question is the same: can you prove this is the same evidence, unaltered, from seizure to courtroom? For physical evidence the answer is a signed log and a sealed bag. For digital evidence the answer is the same log plus something physical evidence never had: a mathematical fingerprint that proves the data did not change. That fingerprint is the subject of the next section, and it is the closest thing forensic science has to a genuine superpower.


25.2 Forensic imaging and hashing: integrity by math

Here is the problem digital forensics had to solve before it could be a science at all. Every other kind of forensic analysis can, in principle, leave the original evidence intact — you photograph the stain before you swab it, and the swab is a sample, not the stain itself. But to examine a computer you have to read its disk, and the naive way of reading a disk changes it: opening a file updates its "last accessed" timestamp, booting the operating system writes hundreds of changes, simply browsing the contents leaves fingerprints. If the act of examining the evidence alters the evidence, no defense attorney should ever trust the result. The entire field rested on a single question: how do you analyze a thing without touching it?

The answer is two ideas working together. The first is forensic imaging: creating a complete, bit-for-bit copy of a storage device — every sector, including the empty and deleted regions the operating system normally hides — so that all analysis happens on the copy while the original is sealed away, never examined directly. This is not "copying the files." Copying files in the ordinary sense grabs only the data the system currently lists as live, and skips exactly the deleted and hidden material that is often the whole point. A forensic image captures the entire physical contents of the medium, live and deleted alike, as one faithful duplicate. The original goes into an evidence bag and ideally is never read again; if the analysis on the image is ever challenged, you can re-image the untouched original and start over.

To make the imaging itself trustworthy, the examiner uses a write blocker: a hardware or software device placed between the original drive and the examiner's computer that permits data to be read out of the evidence drive but physically blocks any command that would write to it. It is a one-way valve. Connect a suspect's hard drive directly to a computer and the operating system may helpfully write to it — indexing it, creating hidden system files, updating timestamps — silently contaminating the evidence before anyone has looked at a thing. The write blocker makes that impossible, so the examiner can prove the original was read-only throughout acquisition.

But imaging and write-blocking only get you a copy. They do not, by themselves, prove the copy is perfect or that nothing changed afterward. For that you need the second idea, and it is the one worth slowing down for, because it is what lets a digital examiner say something no fingerprint or firearms examiner can ever say: I can prove, mathematically, that this evidence has not been altered by even a single bit.

A hash value is a fixed-length string of characters produced by running data of any size through a one-way mathematical function called a cryptographic hash algorithm (common ones are named SHA-256 and, historically, MD5). Think of it as a digital fingerprint for data. The function has three properties that make it forensically priceless. First, it is deterministic: the same input always produces exactly the same hash. Second, it is extremely sensitive: change a single bit anywhere in the input — flip one pixel, alter one character, toggle one timestamp — and the output hash changes completely and unpredictably. Third, it is practically impossible to reverse or to forge: you cannot work backward from a hash to the data, and you cannot feasibly construct different data that produces the same hash. (For the older MD5 algorithm, researchers have demonstrated ways to engineer collisions; this is why courts and labs have moved to SHA-256, and why the chapter names the distinction rather than glossing it.)

Put those properties to work and you get integrity by mathematics. The examiner hashes the original drive, then hashes the forensic image. If the two hash values are identical, the image is a perfect copy — provably, not as a matter of the examiner's word. From then on, anyone can re-hash the image at any time; if the value still matches, the data has not changed since acquisition. If a single byte had been altered — by accident, by tampering, by a corrupted file transfer — the hash would no longer match, and everyone would know. This is why the honest digital examiner can withstand the cross-examination question that wounds every other discipline. Ask a fingerprint examiner "how do we know your comparison is right?" and the honest answer involves error rates and human judgment (Chapter 14). Ask a digital examiner "how do we know this is the same data you seized, unaltered?" and the honest answer is a number that either matches or does not.
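The acquisition-and-verification workflow just described, as an added example that is not part of the original chapter: a constructed in-memory "drive" stands in for the 256 GB SSD, and the helper names (`acquire_image`, `verify_image`, `custody_demo`) are this example's own. It shows the three outcomes the text distinguishes: an unchanged image re-verifying months later, a single flipped bit breaking the match, and a message planted before seizure verifying perfectly (integrity is not authenticity).

```python
import hashlib
from typing import Dict

# Constructed stand-in for a seized drive: a few KB of bytes instead of
# 256 GB. A real acquisition reads the raw device through a write blocker;
# here the "device" and its image are in-memory byte strings.
ORIGINAL_DRIVE = bytes(range(256)) * 16 + b"\x00" * 512 + b"deleted-but-still-present text stub"


def sha256_hex(data: bytes, chunk_size: int = 4096) -> str:
    """Hash in chunks, the way a tool streams a multi-gigabyte image."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()  # 64 hex characters, as in Figure 25.1


def acquire_image(original: bytes) -> bytes:
    """Bit-for-bit copy: every byte, including zeroed and 'deleted' regions."""
    return bytes(original)


def verify_image(acquisition_hash: str, image: bytes) -> Dict[str, object]:
    """Re-hash an image and compare it with the hash recorded at acquisition.

    The only question answered is "did the bytes change?"; nothing here can
    say who wrote them or whether they are true.
    """
    current = sha256_hex(image)
    return {
        "acquisition_hash": acquisition_hash,
        "current_hash": current,
        "intact": current == acquisition_hash,
    }


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Alter exactly one bit, simulating a corrupted transfer or tampering."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def custody_demo() -> Dict[str, bool]:
    """Walk the Figure 25.1 workflow and the ways it can turn out."""
    acquisition_hash = sha256_hex(ORIGINAL_DRIVE)  # recorded at seizure
    image = acquire_image(ORIGINAL_DRIVE)
    day_1 = verify_image(acquisition_hash, image)["intact"]
    month_8 = verify_image(acquisition_hash, image)["intact"]  # same bytes, later date
    tampered = verify_image(acquisition_hash, flip_one_bit(image, 1000))["intact"]
    # A message planted on the device *before* seizure is simply part of what
    # was acquired, so it verifies perfectly: integrity is not authenticity.
    planted_drive = ORIGINAL_DRIVE + b"planted message (constructed): I was at the cabin"
    planted_ok = verify_image(sha256_hex(planted_drive), acquire_image(planted_drive))["intact"]
    return {"day_1": day_1, "month_8": month_8,
            "tampered": tampered, "planted_verifies": planted_ok}


if __name__ == "__main__":
    for name, ok in custody_demo().items():
        print(f"{name}: {'hash matches' if ok else 'hash MISMATCH'}")
```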

🔬 Read the Evidence

FIGURE 25.1 — "Two hashes, one verdict" [constructed teaching example]

THE ITEM: A 256-gigabyte laptop solid-state drive seized under warrant, and the forensic image made from it. Each has been run through the SHA-256 hash algorithm, producing a 64-character hexadecimal value.

THE CONTEXT: The original was connected through a hardware write blocker, imaged, then sealed into evidence. The hash of the original was recorded at acquisition; the image was hashed immediately after, and again on the morning of testimony, eight months later.

WHAT IT SHOWS:
  Acquisition hash of original: 3f7a...e91c
  Hash of the image (day 1):    3f7a...e91c (identical)
  Hash of the image (month 8):  3f7a...e91c (identical)
  All three values match to the character.

WHAT IT DOESN'T: The matching hash proves the data is *unaltered*. It says nothing about what the data *means*, who created any file, or whether any file is true. Integrity is not the same as authenticity or authorship — a perfectly preserved forgery still hashes consistently.

THE INFERENCE: The analyzed evidence is provably identical, bit for bit, to what was seized, and has not changed in eight months of custody. That is the strongest integrity guarantee in all of forensic science — and it is a guarantee about the *container*, not the *contents*.

THE LESSON: Hashing answers exactly one question — "did the data change?" — and answers it conclusively. It does not answer "is the data true?" Keep the two questions apart, and you will neither over-trust nor under-trust digital evidence.

The figure above carries the section's whole argument, so walk through it slowly. The three identical hashes establish a fact that physical evidence can only ever approximate: not "we were careful with this," but "this is provably the same data, unchanged." That is a real and rare power, and digital examiners are right to lean on it. But read the WHAT IT DOESN'T field again, because it is where overconfidence creeps in. A hash proves the data was not altered; it says nothing about whether the data is authentic (genuinely what it claims to be) or true (an accurate record of the world). A fabricated message, planted on a phone before seizure, will hash just as consistently as a real one. Integrity, authenticity, and truth are three separate questions, and the mathematics that answers the first so beautifully is silent on the other two. We will return to this distinction in §25.6 and again in the courtroom chapters; for now, fix the discipline in mind — hashing proves the evidence didn't change, not that it's true.

⚖️ In the Courtroom

Hashing is one of the few places in forensic science where an expert can testify to something close to certainty without overstating, and good examiners use it as an anchor. The testimony is narrow and clean: "I verified that the forensic image is an exact, unaltered copy of the seized drive, because the cryptographic hash values match." Where examiners get into trouble is extending that certainty beyond what the hash covers — letting the jury hear "the data is verified" as "the data is true" or "the defendant wrote this." A sharp cross-examination concedes the integrity point immediately (there is no use fighting the math) and then drives the wedge: You can prove this file was not changed since you seized it. You cannot prove who created it, when it was really written, or whether it was placed on the device by someone else — correct? The honest examiner answers yes to all three, and the jury learns the limit of an otherwise airtight method.


25.3 Where the evidence hides: metadata, deleted files, file carving

A device is not a tidy filing cabinet where the evidence sits in labeled folders. The most valuable digital evidence is usually the data the user never sees and often does not know exists — generated automatically by the system, left behind after deletion, or hidden in the structure of files themselves. This section is a tour of the three richest hiding places, and of the honest limits of each.

Metadata: the data about the data

Metadata is data that describes other data — information about a file rather than the file's visible content. Every digital object carries it. A photograph taken on a phone embeds, in a standard block called EXIF data, the make and model of the camera, the date and time to the second, the camera settings, and — unless the user has disabled it — the GPS coordinates where the picture was taken. A word-processing document records when it was created, when it was last modified, who the registered author is, and sometimes a revision history. Every file on a disk carries system metadata: timestamps for when it was created, last modified, and last accessed (the forensic shorthand is "MAC times").

Metadata is forensically powerful precisely because the user is usually not curating it. People lie; the timestamps they did not know were recording rarely do. A suspect who claims a document was written last spring can be contradicted by the file's own creation date; a photograph offered as an alibi can be undone by the GPS coordinates baked into it. This is the section's first lesson in the chapter's larger theme: digital evidence is hard to fully erase because so much of it is generated automatically, behind the user's back.

But metadata has limits that matter, and overstating it is a real failure mode. Timestamps record events on a device, not the actions of a person — a file's "last accessed" time tells you the file was accessed, not who accessed it or why; an automated process can touch a file with no human involved. Timestamps can be wrong: a device's clock may be misconfigured, set to the wrong time zone, or deliberately changed, and time-zone handling is a notorious source of error that has shifted apparent timelines by hours. And metadata can be altered by anyone who knows how, which means it must be evaluated, not simply believed. The discipline is the same as everywhere in this book: metadata is evidence to be weighed, often strong, never automatically conclusive.

Deleted files: why "delete" rarely means gone

Here is the fact that surprises everyone, including suspects who count on the opposite. When you "delete" a file and empty the recycle bin, the data is almost never erased. The operating system simply removes the file's entry from the index — the table of contents that says where the file lives — and marks the space it occupied as available for reuse. The file's actual contents remain physically on the disk, intact, until the system happens to write new data over that exact space. Until then, the "deleted" file is fully recoverable. It is the difference between tearing a chapter's listing out of a book's table of contents and actually ripping out the pages: the listing is gone, but the pages are still there, waiting to be found.

This is why digital evidence is the evidence you can't delete — the chapter's title and one of its load-bearing claims. People who believe they have destroyed incriminating data have usually only delisted it. Deleted text messages, deleted photos, deleted browser history, deleted documents — all routinely recovered, sometimes months later, because deletion is an act of bookkeeping, not destruction. The space marked "available" may not be reused for a long time, especially on a large drive with room to spare.

The honest limits, stated plainly: recovery is not guaranteed. If the space has been overwritten by new data, the original is genuinely gone — overwriting, unlike deletion, destroys. Solid-state drives (the storage in modern phones and laptops) complicate this further, because a command called TRIM tells the drive which blocks are no longer in use, and the drive's own background housekeeping can then erase them, sometimes putting deleted data beyond recovery faster than older spinning disks did. And recovered fragments may be partial or corrupted. So the discipline is to recover what can be recovered and to report honestly what was found, what was fragmentary, and what is simply unknown — never to imply that the absence of recovered data proves nothing existed.

File carving: reconstructing files from raw space

When even the index entry is gone and the system no longer knows a file ever existed, one technique can still pull it back: file carving — the recovery of files from raw, unallocated disk space by recognizing the internal structure of the files themselves, independent of any filesystem record. Most file types begin and end with characteristic byte patterns (called headers and footers — a JPEG image, for instance, starts and ends with specific signature bytes). A carving tool scans the entire unallocated region of a disk, ignores the filesystem entirely, finds these signatures, and reconstructs the file that lies between them. It is, almost literally, reading the deleted regions of the disk as though they were an archaeological dig, recognizing the shape of a buried artifact and lifting it out.

Carving is powerful exactly because it does not depend on the filesystem's cooperation — it works on data the system has completely forgotten. But its limits are real and the examiner must state them. A carved file recovered from unallocated space usually has no metadata — no original filename, no reliable timestamp, no folder context — because all of that lived in the index that is gone; you recover the picture but not the story around it. Carved files are frequently fragmented or partial, because the deleted data may have been split across non-contiguous regions or partly overwritten, yielding half an image or a corrupted document. And carving can produce false reconstructions when signature patterns appear by coincidence. So a carved artifact is genuine evidence, often valuable, but it arrives stripped of context — and the responsible examiner reports both the artifact and the missing context together.
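The deletion-as-bookkeeping point and the carving technique above, as one added example that is not part of the original chapter: a constructed byte array stands in for a disk, a dictionary stands in for the filesystem index, and the JPEG signatures are the real ones while the "pixel data" is placeholder text. The helper names (`build_disk`, `carve_jpegs`, `recovery_demo`) are this example's own. Deleting both photos leaves their bytes in place; the carver recovers the first intact, reports the second (whose footer was overwritten by a new file) as incomplete, and returns neither with a filename or timestamp.

```python
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8\xff"  # Start-of-Image header signature
JPEG_EOI = b"\xff\xd9"      # End-of-Image footer signature

# Constructed stand-ins for two photographs: real signatures around
# placeholder "pixel" text that contains no signature bytes.
JPEG_A = JPEG_SOI + b"\xe0" + b"photo-A-pixel-data" * 8 + JPEG_EOI
JPEG_B_HEAD = JPEG_SOI + b"\xe0" + b"photo-B-pixel-data" * 8  # footer added below


def build_disk() -> Tuple[bytearray, Dict[str, Tuple[int, int]]]:
    """Constructed raw disk plus its index (name -> (offset, length)).

    The index stands in for a filesystem's table of contents; the raw bytes
    are the medium that a forensic image captures in full.
    """
    raw = bytearray(b"\x00" * 64)
    index: Dict[str, Tuple[int, int]] = {}
    index["IMG_001.jpg"] = (len(raw), len(JPEG_A))
    raw += JPEG_A + b"\x00" * 64
    index["IMG_002.jpg"] = (len(raw), len(JPEG_B_HEAD) + len(JPEG_EOI))
    raw += JPEG_B_HEAD + JPEG_EOI + b"\x00" * 64
    return raw, index


def delete_file(index: Dict[str, Tuple[int, int]], name: str) -> None:
    """'Delete' as an operating system does: drop the index entry only.

    The bytes at that offset are untouched; the space is merely 'available'.
    """
    del index[name]


def overwrite(raw: bytearray, offset: int, new_data: bytes) -> None:
    """Reuse of 'available' space: this, unlike deletion, destroys."""
    raw[offset:offset + len(new_data)] = new_data


def carve_jpegs(raw: bytes, max_size: int = 1_000_000) -> List[Dict[str, object]]:
    """Scan raw space for JPEG header/footer pairs, ignoring any index.

    Each hit carries only an offset and bytes: no filename, no timestamp,
    no folder, because that context lived in the index that is gone.
    """
    hits: List[Dict[str, object]] = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: a fragment, or a coincidental
            # signature. Report it as incomplete, never as "a photo".
            hits.append({"offset": start, "data": bytes(raw[start:start + max_size]),
                         "complete": False})
            pos = start + len(JPEG_SOI)
        else:
            hits.append({"offset": start, "data": bytes(raw[start:end + len(JPEG_EOI)]),
                         "complete": True})
            pos = end + len(JPEG_EOI)
    return hits


def recovery_demo() -> List[Dict[str, object]]:
    """Delete both photos, let a new file land on the second's tail, carve."""
    raw, index = build_disk()
    b_offset, _ = index["IMG_002.jpg"]
    delete_file(index, "IMG_001.jpg")
    delete_file(index, "IMG_002.jpg")
    assert not index  # the filesystem no longer knows either photo existed
    # Freed space is partly reused: the new file overwrites IMG_002's footer.
    overwrite(raw, b_offset + len(JPEG_B_HEAD), b"NEW.TXT grocery list")
    return carve_jpegs(bytes(raw))


if __name__ == "__main__":
    for hit in recovery_demo():
        state = "complete" if hit["complete"] else "INCOMPLETE (footer lost)"
        print(f"offset {hit['offset']}: {len(hit['data'])} bytes, {state}, no name/timestamp")
```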

🧠 Cognitive-Bias Watch

Digital examinations generate enormous volumes of data, and the examiner almost always knows what the investigators are hoping to find — "we think he deleted texts about the insurance." That expectation is a quiet contaminant. When you are searching a phone for "evidence the suspect planned this," ambiguous fragments get read in the direction of the theory: a deleted message stub becomes "incriminating," a search-history entry becomes "intent." The safeguards are the same ones Chapter 31 will name in full: keep the analysis as blind to the desired conclusion as the workflow allows, document search terms and methods before running them, and report what was not found as carefully as what was. The danger is amplified by sheer volume — in a million files, a motivated examiner can almost always find a handful that, read uncharitably, support any theory. Quantity is not corroboration.


25.4 Mobile forensics: the phone as a life-logger

If the personal computer made digital forensics important, the smartphone made it decisive. To call a modern phone a "telephone" is a historical accident of naming; it is a high-resolution sensor package and continuous recording device that its owner carries against the body for sixteen hours a day and sleeps beside at night. It logs location, motion, and orientation. It records every call and message, every app interaction, every search and browse. It holds photographs with embedded times and coordinates, health data counting steps and heartbeats, payment records, and the accounts that connect to still more data in the cloud. No diary, no wiretap, no surveillance team in the history of investigation ever produced a record this complete of one person's daily life. The honest way to describe a smartphone in evidence is not "a phone" but a life-logger — and a remarkably truthful one, because most of what it records, it records automatically, without the owner deciding to.

What can mobile forensics extract? In rough order of how directly the user controls them:

  • Communications. Calls, SMS texts, and messages from apps — including, as §25.3 promised, many that the user deleted. Group chats, attachments, contact lists, and the timing of every exchange.
  • Location history. Not only cell-site records (the subject of §25.5) but, far more precisely, GPS-derived location logs the phone keeps for its own mapping and "places you've been" features — these can be accurate to a few meters, a different and much stronger thing than cell-site data, which is why the distinction in the next section matters so much.
  • Media with metadata. Photographs and videos carrying the EXIF timestamps and GPS coordinates of §25.3 — frequently the most concrete placement evidence on the entire device.
  • App and account data. Social media, navigation history, ride-share and delivery records, banking and payment apps, search and browsing history, notes, calendars — each a window onto intent, movement, and relationships.
  • Sensor and health data. Step counts, movement patterns, and sleep data that can corroborate or contradict an account of someone's physical activity at a given time, sometimes with startling specificity.

How the data comes off the phone is a craft of its own, and it has a hierarchy that the examiner must understand and disclose. A logical extraction copies the active, user-visible data through the phone's normal interfaces — fast, but it misses deleted and hidden material. A physical or full-filesystem extraction aims at a complete bit-level image, including the deleted regions, but on a modern encrypted phone it may be impossible without the passcode or a specialized tool. Much of contemporary mobile forensics depends on commercial extraction tools sold to law enforcement, and this is where the lab-quality theme from Chapter 4 returns with force.

🔬 At the Bench

Most mobile extraction in practice runs through proprietary, commercial tools — sophisticated systems that can sometimes bypass or brute-force a lock and pull data a manual examination never could. They are genuinely powerful, and they introduce a genuine problem: they are black boxes. Their internal methods are trade secrets, not published and peer-reviewed; the defense cannot fully audit how a given artifact was produced; and like all software they have bugs, version differences, and parsing errors that can misattribute or mis-timestamp data. The disciplined examiner treats the tool's output as a starting point to be verified, not gospel — corroborating critical findings by hand, documenting the tool and version used, and being candid on the stand that the extraction rests partly on a method that cannot be independently inspected. This is the same validation demand Chapter 4 made of every forensic method (§4.4); a tool being expensive and widely used is not the same as its being validated, and PCAST's logic (Chapter 6) applies to software as much as to bite marks.

The limits of mobile forensics are not mainly technical — they are interpretive, and they are the same limit that has run through this entire book. A phone's activity is not the same as its owner's activity. A device records what the device did; people share phones, lend them, leave them at home, and are not always the ones holding them. A message sent from a phone was sent from that phone — but proving who held it when it was sent is a separate inference, often supplied by other evidence, never by the phone alone. A photograph's GPS coordinate places the phone at that spot, not necessarily its registered owner. This is the digital version of a distinction the book has insisted on since Chapter 1: the evidence associates a device, and connecting the device to a person is an additional step that must be argued, not assumed. Hold that line and mobile evidence is among the most powerful in forensic science. Forget it, and you have quietly converted "the phone was there" into "the suspect was there" — which is precisely the error the next section dissects.

🔍 Check Your Understanding

  1. A photograph on a suspect's phone carries an EXIF GPS coordinate at the cabin and a timestamp at 11:40 p.m. What does this establish, stated at honest strength — and what does it not establish about the suspect?
  2. Why is a phone's own GPS-derived location log (its "places you've been") a fundamentally different and stronger kind of evidence than the cell-site records discussed in the next section?


25.5 Cell-site location and its limits

This is the section the chapter has been building toward, because it is where the most persuasive-sounding digital evidence turns out to be the most overstated. Read it twice.

When a phone is powered on, it periodically communicates with the cellular network's antenna sites — connecting to a tower so it can receive calls and data. The carrier keeps records of these connections: which tower (and often which directional sector of that tower) a phone used, and when. This is cell-site/location data — historical records, maintained by a cellular carrier, of which cell towers and sectors a given phone connected to, and at what times, used to infer the general geographic area in which the phone was located. Investigators obtain these records and use them to place a phone, roughly, in space and time: the phone connected to the tower covering the north side of town at 11:14 p.m., so the phone was somewhere in that tower's coverage area then.

Notice the careful words in that definition — general geographic area, roughly, somewhere in that coverage area — because the gap between those words and how this evidence has been described in court is where the damage lives. The honest scientific statement is narrow: cell-site data places a phone within the coverage area of a particular tower sector. It does not provide a GPS-style point. It does not tell you the phone was at a specific address, in a specific building, or at a specific clearing in the woods. A tower's sector can cover a wedge that is hundreds of meters across in a dense city and miles across in rural terrain — and the cabin on Mill Creek Road is in exactly the kind of rural terrain where sectors are largest. The phone could have been anywhere in that wedge.

To see why, you have to understand how a phone "chooses" a tower, because the popular intuition — "it connects to the nearest tower" — is wrong often enough to be dangerous. A phone connects to a tower that gives it a usable signal, which is usually a nearby one but frequently is not. Signal strength depends on terrain, buildings, foliage, weather, network congestion, and the height and orientation of antennas. A phone may connect to a more distant tower because the nearest one is busy, or because a hill blocks the closer one, or because the antenna geometry simply favors the farther site at that spot. The relationship between "which tower the phone used" and "where the phone physically was" is therefore loose and probabilistic, not the tidy circle drawn around a tower on a prosecutor's map.

FIGURE 25.2 — "What a cell sector really covers"        [constructed teaching example]
                                  (schematic; not to scale)

                          .  .  .  .  .  .  .  .  .
                     .  '                           '  .
                  .'         SECTOR  COVERAGE            '.
                .'        (the phone is SOMEWHERE              '.
               /              in this whole wedge)               \
              |                                                   |
              |          × cabin            × suspect's           |
              |                                home (2 mi away)   |
               \                                                 /
                '.            ▲ TOWER                          .'
                  '.        (sector points                   .'
                     ' .      this way)                  . '
                          '  .  .  .  .  .  .  .  .  '

   Legend:  ▲ cell tower / antenna     × a location of interest
            the wedge = the sector's approximate coverage (can be miles across, rural)
   What the record says:  "phone used THIS tower, THIS sector, at 11:14 p.m."
   What that means:       the phone was somewhere in the wedge — NOT at any single × in it.

Walk through Figure 25.2 deliberately, because the picture is the argument. The record establishes one fact: the phone connected to this tower's sector at this time. The sector is the entire shaded wedge — and in rural terrain that wedge can be miles across. Inside that wedge sit both the cabin and, two miles away, a suspect's home. A record showing the phone used this sector is equally consistent with the phone being at the cabin and with its being at the suspect's house, or anywhere else in the wedge. What the record cannot do is what a courtroom map too often pretends it does: shrink the wedge to a point and drop that point on the spot the prosecution favors. The phone was in the area. That is the whole of the honest claim.

⚠️ Junk-Science Alert For years, historical cell-site analysis was presented in courtrooms with a precision it does not possess. Witnesses drew tidy circles around towers, testified that a phone was "at" or "near" a specific location, and let juries hear coverage-area data as if it were GPS tracking. Some testimony claimed to pinpoint a phone to a particular building or to distances the underlying records cannot support. This overstatement has been the subject of sustained criticism from scientists and courts, has figured in appeals and at least one widely discussed wrongful-conviction controversy (see Case Study 25.2), and led the U.S. Department of Justice to circulate internal guidance cautioning its own experts against overstating what historical cell-site data can show. The validated claim is modest: the phone connected to a tower whose coverage area includes the location of interest, which is consistent with the phone being there and also consistent with its being elsewhere in that area. The discredited claim is the confident pin on the map. When you hear cell-site testimony, listen for which one is being sold — and note that this method's reputation, like the pattern methods of Part III, outran the science that was supposed to support it.

So is cell-site data worthless? No — and this is the balance the chapter insists on. It is genuinely useful when used honestly. It can place a phone in a broad area at a time, which is real information. It is most powerful in the negative, in the book's favorite mode: if a suspect claims to have been a hundred miles away and the records show the phone connecting to towers near the scene across the relevant window, the records are strongly inconsistent with that alibi. Excluding an account is exactly the kind of thing forensic evidence does best (Theme 1). What cell-site data cannot do is the affirmative pinpoint — it cannot place a person at a precise spot, and it cannot, by itself, place the owner (as opposed to the phone) anywhere at all. Used to broaden or break a claim about location, it is sound. Used to pinpoint, it is overstated. That single distinction — area, not point; phone, not person; consistent-with and inconsistent-with, never "proves" — is the most important thing in this chapter for anyone who will sit on a jury.
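As an added, constructed example (not from the book or the Mill Creek file), the following Python models one historical cell-site record as the wedge of Figure 25.2 and classifies candidate locations against it: the cabin and the suspect's home both come out merely "consistent", while the hundred-miles-away alibi is excluded. The tower position, sector azimuth, beamwidth and reach are invented assumptions; in a real case those parameters come from the carrier's engineering records, and the code says nothing about who held the phone.

```python
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial bearing from point 1 to point 2, degrees clockwise from north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    x = math.sin(dlmb) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlmb)
    return math.degrees(math.atan2(x, y)) % 360.0


def angle_diff_deg(a, b):
    """Smallest absolute difference between two compass bearings."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


class Sector:
    """One directional sector of a tower: a wedge with an azimuth, a beamwidth and a reach."""
    def __init__(self, tower_lat, tower_lon, azimuth_deg, beamwidth_deg, range_km):
        self.lat, self.lon = tower_lat, tower_lon
        self.azimuth, self.beamwidth, self.range_km = azimuth_deg, beamwidth_deg, range_km

    def covers(self, lat, lon):
        """True if the point lies inside the wedge: within reach AND within the beam."""
        within_reach = haversine_km(self.lat, self.lon, lat, lon) <= self.range_km
        brg = bearing_deg(self.lat, self.lon, lat, lon)
        return within_reach and angle_diff_deg(brg, self.azimuth) <= self.beamwidth / 2

    def area_km2(self):
        """Approximate wedge area (circular sector): the honest 'how big is it?' answer."""
        return math.pi * self.range_km ** 2 * self.beamwidth / 360.0


def assess_record(sector, candidates):
    """Classify candidate locations against one 'phone used this sector' record.

    Every covered point is merely 'consistent' (the phone was somewhere in the
    wedge, and the record cannot rank points inside it); an uncovered point is
    what the record can honestly exclude. Nothing here speaks to who held the phone.
    """
    return {name: ("consistent" if sector.covers(lat, lon) else "inconsistent")
            for name, (lat, lon) in candidates.items()}


# Constructed geography, not real Mill Creek coordinates: a rural tower whose
# north-facing sector reaches 8 km with a 120-degree beam.
RECORD_SECTOR = Sector(44.000, -71.000, azimuth_deg=0, beamwidth_deg=120, range_km=8.0)
CANDIDATES = {
    "cabin": (44.030, -71.010),           # ~3.4 km NNW of the tower
    "suspect_home": (44.025, -70.975),    # ~3.4 km NE of the tower, ~2.9 km from the cabin
    "south_of_tower": (43.970, -71.000),  # inside a tower-centred circle, outside this sector
    "claimed_alibi": (45.500, -72.500),   # ~200 km away: the 'hundred miles away' story
}

if __name__ == "__main__":
    print(f"the sector covers roughly {RECORD_SECTOR.area_km2():.0f} km^2")
    for name, verdict in assess_record(RECORD_SECTOR, CANDIDATES).items():
        print(f"{name:15s} {verdict} with the record")
```

The "south_of_tower" point is the reason a tidy circle drawn around a tower misleads in the other direction too: it is within the tower's reach but served by a different sector.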

⚖️ In the Courtroom A competent cross-examination of cell-site testimony does not deny that the phone used the tower — the records are the records. It attacks the leap from sector to spot. The questions write themselves once you understand the method: How large is this sector's coverage area in this rural terrain? Could the phone have connected to this tower from two miles away? From the suspect's own home, which is also inside this sector? Did you account for terrain, congestion, and the fact that phones don't always use the nearest tower? Can your records distinguish the cabin from any other point in this wedge? Each honest answer shrinks the certainty the jury was invited to feel. The same questioning, run by the other side, is how you keep a fair use of cell-site evidence (placing a phone in an area, contradicting an alibi) from collapsing under a defense that wants the jury to think the evidence is worthless. Honesty cuts both ways: the method is neither a GPS pin nor nothing.


Digital evidence is the most powerful investigative tool of the century, and for that reason the law has spent two decades deciding how far the state may reach into the devices that now hold the most intimate record of our lives. This section frames that legal terrain — not as a lawyer would, exhaustively, but as a forensic practitioner must, because the science is useless if it is gathered in a way that gets it thrown out.

The governing principle in the United States is the Fourth Amendment's protection against unreasonable searches, and the courts have steadily concluded that a modern phone is not just another container. In Riley v. California (2014), the U.S. Supreme Court held unanimously that police generally must obtain a warrant before searching the digital contents of a cell phone seized from an arrested person — recognizing, in the Court's own framing, that a smartphone holds "the privacies of life" in a quantity and kind that a wallet or a pocket never did. In Carpenter v. United States (2018), the Court held that accessing historical cell-site location records is itself a search requiring a warrant, because the government's ability to catalog a person's movements over time implicates a reasonable expectation of privacy. The thrust of both decisions is the same: the very abundance that makes digital evidence so valuable to investigators is what makes it so sensitive, and the law has responded by raising the bar for reaching it. For the examiner, the practical lesson is blunt — evidence gathered without the proper legal authority can be excluded no matter how probative it is, and a brilliant extraction from an unlawfully searched phone may never reach a jury.

⚖️ In the Courtroom The forensic and the legal are inseparable here, and the examiner who ignores the legal frame can destroy a case from the technical side. A search must stay within the scope of its warrant: a warrant to search a phone for evidence of insurance fraud does not license a fishing expedition through every photograph and message for unrelated matters. Evidence found outside the authorized scope can be suppressed, and an overbroad search can taint more than the stray file. The disciplined practitioner works hand in glove with the legal team: get the warrant, read its limits, document that the examination stayed inside them, and preserve the chain of custody (Chapter 2) and the hash-verified integrity (§25.2) so that what is recovered is both lawfully obtained and provably unaltered. Either failure — unlawful or unverified — and the evidence is worth nothing.

Then there is encryption, which has changed the contest fundamentally. Modern phones encrypt their contents by default: without the passcode (or a biometric, or a sophisticated and uncertain bypass), the data is mathematically scrambled and, in the strong case, genuinely unrecoverable. This is the same mathematics that protects everyone's banking and medical data, and it does not distinguish between a thief and an investigator. The result is a real and unresolved tension. Investigators encounter devices they cannot open even with a valid warrant; the warrant grants permission, not capability. This has produced hard legal questions — whether a person can be compelled to provide a passcode, how that interacts with the right against self-incrimination, what obligations device makers have — that courts are still working through and that this book will not pretend are settled. The forensic reality is simpler to state: strong encryption means that "we can always get into the phone" is false, that some lawfully seizable evidence is genuinely beyond reach, and that the commercial bypass tools of §25.4 are an uncertain, version-dependent answer rather than a guaranteed one.

Underneath the doctrine sits the deeper issue the whole chapter has circled: privacy. The reason these cases keep reaching the Supreme Court is that a phone is a different kind of thing to search than a drawer or a car. It does not hold a few items; it holds, in the Riley Court's words, the privacies of life — years of messages, every place visited, every search and worry, the data of family and friends who never consented to anything. Digital forensics is therefore conducted under a constraint that most of the book's earlier methods did not face so acutely: the tension between the investigative power of total recall and the civil-liberties cost of a state that can reconstruct anyone's life from the device in their pocket. A forensic practitioner does not get to ignore that tension as someone else's department. Working within the law's limits — warrant, scope, the honest acknowledgment that encryption sometimes wins — is not an obstacle to good digital forensics. It is part of what makes the resulting evidence trustworthy enough to convict on, and the chapter's reform themes (Chapter 38) will return to it. We will revisit how images and video are authenticated under this same framework in the next chapter (Chapter 26), where "enhance it" turns out to be mostly a television lie.


🗂️ The Case File

The Mill Creek file — the digital thread. Two phones now enter the investigation: Marcus Diallo's, recovered from the cabin (Chapter 3's inventory), and Roy Keller's, obtained under warrant after the soil, pollen, DNA, and document threads (Chapters 24, 13, 8–9, 18) drew investigators toward Diallo's business partner. Everything below was done by the book: each device isolated in a Faraday bag, imaged through a write blocker, hash-verified, searched within the scope of a warrant, and chain-of-custody documented from seizure forward (§25.1, §25.2, §25.6).

Diallo's phone establishes the victim's last hours. Its last outgoing texts, on the evening of 17 October, are routine — a message about materials, a reply about meeting at the cabin. Its GPS-derived location log (§25.4, the strong kind) places the phone at the cabin through the evening and then static, consistent with the autopsy's finding that Diallo died before the fire (Chapter 11). This is timeline, not accusation: it tells us when and where the victim's phone went quiet, nothing about who silenced it.

Keller's phone is where his account begins to fail. Keller told investigators he was at home, an hour away, across the entire relevant window. Two findings sit against that. First, deleted messages were recovered (§25.3 — deletion is bookkeeping, not destruction): message fragments, carved and recovered from the device, between Keller and Diallo in the days before the fire, concerning the property, money, and the insurance — messages Keller had deleted and evidently believed were gone. Second, the historical cell-site records place Keller's phone in the coverage area that includes the cabin during the relevant window, not at his stated location an hour away.

Now state it at honest strength, because this is the whole discipline of the chapter. The cell-site data does not pin Keller's phone to the cabin; it places it within the sector's coverage area, which includes the cabin and other locations (§25.5, Figure 25.2). What it does do is land squarely against his alibi: a phone he said was an hour away was connecting to towers near the scene. The evidence is therefore consistent with Keller's phone being in the area of the cabin and strongly inconsistent with his stated alibi — and it is the phone, not provably the man, though Keller is its registered owner and offered no account of lending it out. It is not proof he was at the cabin, and it is not proof he killed anyone. The recovered messages establish communication and topic, not act.

Honest status after this chapter: Keller's alibi breaks. His own deleted words contradict his account of his dealings with the victim, and the location records contradict his account of where he was. He remains a named person of interest, not a convicted man; the science here removes his alibi and corroborates his presence in the area — it does not, and the responsible examiner will not, claim more. (Log this in Appendix I: the deleted-message recovery and the cell-site finding, each entered at its true strength, with the limits of cell-site location written beside it in your own hand. Resist, even now, the pull to convert "his alibi is gone" into "he did it." Those are different sentences, and Chapter 39 is where the whole file — not this one thread — is finally weighed.)


Conclusion

Digital forensics is the youngest discipline in this book and, in a growing share of cases, the most consequential. It rests on two ideas that no earlier chapter could offer. The first is integrity by mathematics: through forensic imaging, a write blocker, and a hash value, a digital examiner can prove — not assert, prove — that the evidence analyzed is bit-for-bit identical to what was seized and has not changed since. That is a power the rest of forensic science can only envy. The second idea is the one that keeps this from becoming a chapter of pure triumph: digital evidence is abundant and nearly impossible to fully erase, because deletion is bookkeeping and metadata is generated behind the user's back — which is exactly why the phone has become the most honest witness in the modern courtroom.

And then there is the warning that makes this chapter belong in this book rather than a manual. The most persuasive digital evidence to a jury — the cell-site record that "puts the phone at the scene" — is the most overstated. It places a phone in a coverage area, not a person at a point, and real people have suffered from the difference. The discipline you carry out of this chapter is the same one you carried out of Chapter 1, now sharpened on new tools: separate integrity from truth, separate the device from the person, separate the area from the point, and reserve "proves" for the rare claim that has earned it. Hashing has earned a near-certainty; cell-site pinpointing has earned nothing of the kind.

In the next chapter we stay in the digital world and turn to images and video — the cameras that now watch nearly everything, the truth about "enhancement," and the deepfakes that are making authentication a forensic discipline of its own.


Key Terms

  • Digital forensics — the application of scientific methods to the identification, preservation, acquisition, examination, and interpretation of data on or from digital devices, suitable for use as legal evidence.
  • Digital evidence — information of evidentiary value stored or transmitted in digital form (messages, files, location records, metadata, app data, and the automatically generated records a user never sees).
  • Forensic imaging — the creation of a complete, bit-for-bit copy of a storage device, including deleted and hidden regions, so that all analysis is performed on the copy while the original is preserved untouched.
  • Hash value — a fixed-length string produced by a one-way cryptographic function that acts as a digital fingerprint of data; identical inputs always match, any single-bit change alters it completely, and it is used to prove data has not been altered.
  • Write blocker — a hardware or software device that allows data to be read from an evidence drive while physically preventing any write to it, ensuring the original is not altered during acquisition.
  • Metadata — data that describes other data (a file's timestamps, author, and, for photos, embedded camera settings and GPS coordinates); often forensically powerful because it is generated automatically, but it records device events, not necessarily a person's actions.
  • File carving — the recovery of files from raw, unallocated disk space by recognizing the files' internal structure (headers and footers) independent of any filesystem record; recovers content but usually strips its original metadata and context.
  • Cell-site/location data — historical carrier records of which cell towers and sectors a phone connected to and when, used to infer the general geographic area of the phone — a coverage area, not a GPS point, and not a person.

Spaced Review

  1. (From Chapter 23.) SEM-EDX and GC-MS turn "looks like" into "is" by confirmation. How is hashing's role in digital forensics analogous to confirmation in the chemistry lab — and how is it different (what exactly does a hash confirm)? (§25.2; Chapter 23)
  2. (From Chapter 24.) Soil on Keller's boots was class evidence tying him to the cabin's distinctive soil — "consistent with," not "individualizes." Compare that to what the cell-site data establishes about Keller's phone. Which honest verb applies to each, and why is neither "proves"? (§25.5; Chapter 24, §1.3 class vs. individual)
  3. (Older — Chapter 2.) Chain of custody was first defined for a blood vial and a sealed bag. Name two things a digital examiner must do, beyond a signed log, to maintain chain of custody for a seized phone — and say which one physical evidence never needed. (§25.1–25.2; Chapter 2)
  4. (Validity spectrum.) Where do (a) cryptographic hashing and (b) historical cell-site pinpointing sit on the NAS 2009 / PCAST 2016 validity spectrum, and why are they at opposite ends despite both being "digital"? (§25.2, §25.5; the spectrum from Chapters 1 and 6)
  5. (Cold case.) State, in one honest sentence each, what Keller's recovered deleted messages establish and what the cell-site data establishes — and one thing neither establishes. (The Case File; §25.3, §25.5)