Chapter 25 — Key Takeaways

A scannable one-page card. For the full argument and the worked figures, see index.md.

The core claims

  • Digital evidence is everywhere and hard to fully erase — but easy to alter. The same qualities that make it powerful (abundance, persistence, automatic metadata) make it fragile (intangible, effortlessly changed). A powered-on phone rewrites itself; "delete" rarely means gone. Both halves of the paradox matter.
  • A device is physical evidence first. The digital scene begins as a physical one. Isolate from the network (a Faraday bag, not just airplane mode), document the device's state, don't interact with it. Chain of custody (Chapter 2) applies in full, with one extra power physical evidence never had: a mathematical integrity proof.
  • Integrity by math. Forensic imaging copies a device bit-for-bit (including deleted/hidden regions); a write blocker keeps the original read-only during acquisition; a hash value proves the copy is perfect and unaltered. Matching hashes = provably the same data, unchanged. This is the strongest integrity guarantee in forensic science.
  • Hashing proves the data didn't change — not that it's true. Keep three questions apart: integrity (did it change? — hashing answers this conclusively), authenticity (is it genuinely what it claims?), and truth (does it reflect the world?). A planted forgery hashes consistently. Integrity ≠ authenticity ≠ truth.
  • The evidence hides in three places. Metadata (data about data — timestamps, EXIF GPS) is powerful because it's generated behind the user's back, but it records device events, not a person's actions, and can be wrong (clocks, time zones) or altered. Deleted files usually survive (deletion delists; only overwriting destroys). File carving recovers files from raw space by their structure — but usually strips filename, timestamp, and context.
  • The phone is a life-logger. It records location, communications, media-with-metadata, app/account data, and sensor/health data more completely than any prior form of evidence. But device activity ≠ owner activity: connecting a phone to a person is a separate inference. Commercial extraction tools are powerful black boxes whose output must be verified, not trusted (Chapter 4, §4.4).
  • Cell-site data is AREA, not POINT — and PHONE, not PERSON. It places a phone somewhere within a tower sector's coverage area (miles across in rural terrain), and that sector is not necessarily the nearest tower's: which tower serves a phone depends on terrain, congestion, and antenna geometry. It is legitimately powerful to broaden or break an alibi; it is overstated when used to pinpoint. Historical cell-site testimony has been wrongly presented as GPS-precise, and people were convicted on the difference (Case Study 25.2, Lisa Roberts).
  • The law has raised the bar. Riley (2014): warrant generally required to search a phone. Carpenter (2018): warrant required for historical cell-site records. Searches must stay within the warrant's scope. Strong encryption means a warrant grants permission, not capability — some lawfully seizable data is genuinely beyond reach.
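As an added illustration of the integrity, authenticity and carving points above (example code written for this card, not part of the chapter or of any forensic tool), the script below acquires a hash-verified image of a constructed byte-string "device", shows that one bit flipped after acquisition breaks the hash while a forgery planted before acquisition hashes consistently, and carves a deleted JPEG-structured file out of unallocated space by its signature alone.

```python
import hashlib
from typing import List, Tuple

# Constructed raw "device": a live text file, a deleted JPEG-like file whose
# directory entry is gone but whose bytes still sit in unallocated space, and
# zero filler. (Constructed sample data, not a real disk image.)
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
DELETED_PHOTO = JPEG_SOI + b"\xe0" + b"cabin-photo-pixels" + JPEG_EOI
RAW_DEVICE = (b"\x00" * 16 + b"notes.txt:meet at the cabin"
              + b"\x00" * 8 + DELETED_PHOTO + b"\x00" * 16)

def acquire_image(device: bytes) -> Tuple[bytes, str]:
    """Bit-for-bit copy (every byte, deleted regions included) plus the SHA-256
    of the original taken at acquisition; the write blocker is not simulated."""
    return bytes(device), hashlib.sha256(device).hexdigest()

def verify_integrity(image: bytes, acquisition_hash: str) -> bool:
    """The integrity question only: is the image unchanged since acquisition?"""
    return hashlib.sha256(image).hexdigest() == acquisition_hash

def carve_jpegs(image: bytes) -> List[bytes]:
    """Recover JPEG-structured content from raw space by header/footer
    signature. Only bytes come back: no filename, timestamp or folder."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            return found
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)

def planted_forgery_hashes_consistently() -> bool:
    """Authenticity is separate: data altered BEFORE acquisition verifies fine."""
    forged_device = RAW_DEVICE.replace(b"meet at the cabin", b"stay in town")
    image, h = acquire_image(forged_device)
    return verify_integrity(image, h)

if __name__ == "__main__":
    image, h = acquire_image(RAW_DEVICE)
    print("image matches acquisition hash:", verify_integrity(image, h))
    tampered = bytearray(image)
    tampered[20] ^= 0x01                     # flip one bit after acquisition
    print("one flipped bit still matches:", verify_integrity(bytes(tampered), h))
    print("planted forgery passes integrity:", planted_forgery_hashes_consistently())
    print("carved from unallocated space:", carve_jpegs(image))
```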

The method-validity verdict (NAS 2009 / PCAST 2016)

| Method | Core claim | Validity verdict | Honest verb |
|---|---|---|---|
| Cryptographic hashing | This data is unaltered since acquisition | Near-certain — pure, testable mathematics; the field's strongest integrity tool | "is provably unaltered / bit-for-bit identical" |
| Metadata analysis | A file was created/modified/located thus | Sound but contextual — strong when corroborated; clocks/time zones/automation are real confounds | "the device recorded… (subject to clock/authorship limits)" |
| Deleted-file / carving recovery | This (deleted) content existed on the device | Sound — but recovery isn't guaranteed (overwriting, TRIM), and carved files lack context | "this content was present on the device" |
| Phone GPS-derived location log | The phone was here (to meters) | Strong positional evidence for the device (not the person) | "the phone was at… (to within meters)" |
| Historical cell-site PINPOINTING | The phone (person) was at this spot | Overstated / weak — data give a coverage area, not a point; pinpoint testimony has caused wrongful convictions | (pinpoint: do not say) |
| Historical cell-site AREA / alibi check | The phone was in this tower's coverage area | Legitimate — real information; strongest in the negative (breaking an alibi) | "consistent with the phone being in the area / inconsistent with the alibi" |

Where they sit: hashing is at the top of the spectrum (testable, near-certain math) — alongside DNA in rigor for the narrow thing it proves. Cell-site pinpointing is near the bottom, with the overstated pattern methods, because its core claim (a spot) outruns what the data support. Two methods, both "digital," at opposite ends — the chapter's sharpest illustration that "digital" is not a validity rating.

What you can honestly say on the stand

  • Hashing: "I verified that the forensic image is an exact, unaltered, bit-for-bit copy of the seized device, because the cryptographic hash values match. That proves the data has not changed since acquisition. It does not establish who created any file, or that any file is true."
  • Metadata: "The file's embedded data indicates it was created on the device at this time. I cannot, from the metadata alone, establish who created it, and timestamps depend on the device's clock and time-zone settings being correct."
  • Cell-site (the cold case): "The historical cell-site records are consistent with Mr. Keller's phone being in the coverage area that includes the cabin during the relevant window, and they are inconsistent with his stated alibi of being an hour away. They do not place the phone — or Mr. Keller — at the cabin specifically; a tower sector covers a broad area, and a phone does not always use the nearest tower."
  • What you must NOT say: that a hash proves a file is true or authored by anyone; that cell-site data pinpoints a phone or places a person at a spot; that absence of recovered data proves nothing existed; that a device's activity is the owner's activity.
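To make the area-not-point distinction behind the cell-site statement concrete (an added example for this card, not from the chapter; the flat local grid, the tower, its 120-degree sector and the cabin, farmhouse and alibi-town coordinates are all constructed), the script below models one tower sector as a nominal wedge and shows that two places about 8 km apart are equally consistent with the record while the alibi location is not.

```python
import math
from typing import Tuple

Point = Tuple[float, float]   # (east_km, north_km) on a constructed local flat grid

def bearing_deg(frm: Point, to: Point) -> float:
    """Compass bearing from frm to to: 0 = north, 90 = east."""
    return math.degrees(math.atan2(to[0] - frm[0], to[1] - frm[1])) % 360.0

def in_sector(tower: Point, azimuth: float, beamwidth: float,
              range_km: float, p: Point) -> bool:
    """True if p lies inside the sector's NOMINAL coverage wedge. Real coverage
    is irregular (terrain, congestion, antenna geometry) and a phone need not
    use the nearest tower, so this wedge is the best case for precision."""
    if math.dist(tower, p) > range_km:
        return False
    off = (bearing_deg(tower, p) - azimuth + 180.0) % 360.0 - 180.0
    return abs(off) <= beamwidth / 2.0

def sector_area_km2(beamwidth: float, range_km: float) -> float:
    """Area of the wedge: the region the record actually describes."""
    return math.pi * range_km ** 2 * beamwidth / 360.0

def honest_finding(tower: Point, azimuth: float, beamwidth: float,
                   range_km: float, claimed: Point) -> str:
    """The only two statements the data support about a claimed location."""
    if in_sector(tower, azimuth, beamwidth, range_km, claimed):
        return "consistent with the phone being in the coverage area"
    return "inconsistent with the phone being at the claimed location"

# Constructed scenario: rural tower, east-facing 120-degree sector, 15 km reach.
TOWER, AZIMUTH, BEAMWIDTH, RANGE_KM = (0.0, 0.0), 90.0, 120.0, 15.0
PLACES = {"cabin": (8.0, 2.0),
          "farmhouse about 8 km from the cabin": (12.0, -5.0),
          "alibi town (an hour away)": (-60.0, 10.0)}

if __name__ == "__main__":
    print(f"sector covers about {sector_area_km2(BEAMWIDTH, RANGE_KM):.0f} km^2")
    for name, p in PLACES.items():
        print(f"{name}: {honest_finding(TOWER, AZIMUTH, BEAMWIDTH, RANGE_KM, p)}")
```

Both the cabin and the farmhouse print "consistent", which is exactly why the record cannot choose between them.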

The cold-case line

Keller's recovered deleted messages establish communication and topic with the victim about the property, money, and insurance (deletion is bookkeeping, not destruction). His cell-site records are consistent with his phone being in the cabin's coverage area and strongly inconsistent with his alibi — a phone in an area, not a man at a spot. Honest status: Keller's alibi breaks. Not "Keller did it." Different sentences; Chapter 39 weighs the whole file.

The themes this chapter advanced

  • Exclusion over proof — cell-site data's honest power is negative (breaking an alibi); recovered deleted messages and metadata narrow and contradict, they don't prove; reserve "proves" for hashing's one narrow claim.
  • The validity spectrum — hashing (top, near-certain math) and cell-site pinpointing (bottom, overstated) are both "digital" yet at opposite ends; the chapter places every method and states each limit.
  • (Also advanced: cognitive bias — the volume of data lets a motivated examiner find "support" for any theory, §25.3 Cognitive-Bias Watch; and the CSI effect — the courtroom illusion that the phone "was at the scene," §25.5 and Case Study 25.2, is credulity toward weak evidence.)