Chapter 25 — Further Reading

Grouped by the book's three citation tiers (see _style-bible.md §7). Tier 1 = verified canonical sources we stand behind. Tier 2 = real ideas/literatures attributed honestly without a pinned-down exact citation. Tier 3 = illustrative/constructed material used for teaching. Annotations say what each is good for and, where relevant, its limits.

Tier 1 — Verified canonical

  • National Research Council (National Academy of Sciences), Strengthening Forensic Science in the United States: A Path Forward (2009). The field's reckoning, and the chapter's yardstick. Although the report predates much of modern mobile and cell-site forensics, its core demand — that a method's claims be matched by demonstrated, validated reliability — applies directly to digital evidence, and especially to black-box extraction tools and to cell-site pinpointing claims that outrun their data.

  • President's Council of Advisors on Science and Technology (PCAST), Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods (2016). Sharpens the validity question into foundational validity — has the method been shown, by well-designed studies, to do what it claims, with a known error rate? Use its logic to see why hashing (testable, near-certain) and cell-site pinpointing (a coverage area sold as a spot) sit at opposite ends of the spectrum despite both being "digital."

  • Riley v. California, 573 U.S. 373 (2014). The U.S. Supreme Court's unanimous holding that police generally must obtain a warrant before searching the digital contents of a cell phone seized incident to arrest. The decision's framing — that a smartphone holds "the privacies of life" — is the doctrinal heart of §25.6 and the reason digital searches are governed more strictly than searches of physical containers.

  • Carpenter v. United States, 138 S. Ct. 2206 (2018). The Court's holding that acquiring historical cell-site location records is a Fourth Amendment search requiring a warrant, grounded in the privacy implications of cataloging a person's movements over time. Essential reading for the legal frame around the very records §25.5 dissects.

  • The National Registry of Exonerations (University of Michigan / Michigan State / others), case record for Lisa Roberts and related exonerations involving overstated cell-phone location evidence. The Tier-1 basis for Case Study 25.2. Valuable for seeing, in a documented real case, how a phone routed through a distant tower was treated as placing a person at a scene — the §25.5 overstatement with a human cost. The Registry is also the canonical source for the wrongful-conviction patterns Chapter 34 surveys.

  • The public record of the BTK / Dennis Rader investigation and 2005 guilty plea (Wichita, Kansas). The basis for Case Study 25.1. Useful for the clean demonstration that metadata embedded in a digital file can carry an identification the file's visible content does not — and that a digital lead was corroborated by an independent method (DNA) before it became an arrest. Treat popular retellings with care; rest on the documented core facts.

  • The Innocence Project (innocenceproject.org), case and policy record. Background for the book's wider validity-and-wrongful-conviction argument. Increasingly relevant to digital evidence as overstated cell-site testimony and unvalidated extraction tools draw scrutiny; useful context for why §25.5's caution is not hypothetical.

Tier 2 — Attributed, specifics unverified

  • The standard digital-forensics methodology literature on imaging, write-blocking, and hashing. A mature professional and standards literature (including guidance associated with NIST and with law-enforcement digital-evidence working groups) establishes the bit-for-bit imaging, write-blocker, and hash-verification workflow as accepted practice. We attribute the existence and consensus of these procedures without pinning a specific standard document; any applied case should follow current, validated agency procedure and document the tools and versions used.

  • The cryptographic-hashing literature, including the move from MD5 to SHA-256. The properties relied on in §25.2 (determinism, the avalanche effect, practical irreversibility) are standard results in cryptography. The documented existence of engineered MD5 collisions — and the consequent professional shift toward SHA-256 for forensic integrity — is attributed here in general terms; the chapter names the distinction rather than treating all hash algorithms as interchangeable.

  • Research and professional commentary on the limits of historical cell-site analysis. A substantial body of legal scholarship, forensic commentary, and appellate litigation documents that historical cell-site data places a phone in a tower's coverage area (which can span several square miles or more), that phones do not always connect to the nearest tower, and that pinpoint testimony overstates the records. We attribute this consensus and its direction without citing a specific paper; the magnitude of coverage areas is terrain- and network-specific and should be established case by case.

  • Reported U.S. Department of Justice internal guidance cautioning against overstating historical cell-site evidence. It has been widely reported that the Department circulated internal guidance warning its own experts not to claim more precision than cell-site records support. We attribute the existence and thrust of such guidance in general terms; the chapter's lesson does not depend on the exact wording or document.

  • The mobile-forensics extraction-tool literature and its black-box critique. Commercial tools that acquire (and sometimes bypass locks on) mobile devices are real, widely used, and proprietary. The critique that their closed, unauditable methods raise validity and disclosure problems — and that their output should be independently verified — is attributed here as a recognized concern in the field, consistent with the validation demand of Chapter 4 and the foundational-validity logic of Chapter 6.

  • The literature on metadata reliability and timestamp pitfalls. That file timestamps depend on device clocks and time-zone configuration, that automated processes can alter access times, and that metadata can be edited, are standard cautions in digital forensics. Attributed in general terms; any timeline built on timestamps should state and test these assumptions.

Tier 3 — Illustrative / constructed

  • The Mill Creek cold case (Figures 25.1–25.2 where they touch the case, the Case File, and Appendix I). Diallo's and Keller's phones, the recovered deleted messages, and the cell-site finding are constructed teaching material, used to practice stating digital evidence at its true strength — "consistent with," "inconsistent with the alibi," never "proves" or "pinpoints." Clearly fictional; the persons of interest are invented. The chapter's repeated insistence that "Keller's alibi breaks" is not "Keller did it" is itself a teaching device for honest framing.

  • Figure 25.1 ("Two hashes, one verdict"). A constructed teaching example. The 256-GB drive, the abbreviated 3f7a...e91c hash, and the eight-month custody window are illustrative; the point — three matching hashes proving integrity but not truth — is the real content. Do not treat the abbreviated hash as a real value.

  • Figure 25.2 ("What a cell sector really covers"). A constructed teaching schematic, explicitly not to scale. The wedge, the tower, the cabin, and the two-mile-distant home are illustrative geometry chosen to make the area-not-point lesson visible. Real coverage areas vary enormously with terrain and network; the figure teaches the shape of the inference, not specific distances.

  • All worked details of the imaging/hashing workflow and the extraction hierarchy in §25.2 and §25.4 (logical vs. physical extraction described generically). Presented to make the procedure intelligible; real casework follows current validated agency procedure with documented tools and versions.

Where to go next in this book

  • For the chain-of-custody and scene-documentation discipline that governs seizing a device, see Chapter 2.
  • For the lab-quality, validation, and accreditation framing that applies to extraction tools as much as to any method, see Chapter 4 (§4.4 method validation).
  • For the Daubert/foundational-validity gate that a novel or contested digital technique must pass, see Chapters 5 and 6.
  • For how images and video are authenticated under the same legal and integrity framework — and the truth about "enhancement" and deepfakes — see Chapter 26.
  • For the bias safeguards (context management, blind analysis, sequential unmasking) that should govern a high-volume digital examination, see Chapter 31.
  • For how an expert presents hash-verified integrity and hedged cell-site findings without overstating, see Chapter 30; and for the capstone assembly of every thread, including the digital one, Chapter 39.