This article was posted as original content on the ACEDS Blog, and written by Gavin W. Manes.
Something identified in the course of normal eDiscovery often turns a case into a forensics investigation. On a recent webinar, we examined several case studies, and here we dive a little deeper into one of the examples discussed by Dr. Gavin Manes and Lance Watson of Avansic, and Craig Ball of Ball in Your Court.
First, a brief history of the case: State of Oklahoma v. Kevin Bernell Warrior, District Court Tulsa County CF-2014-5106. In March 2016, a jury convicted Kevin Warrior of first-degree murder. He was sentenced to life in prison with the possibility of parole. In May 2017, a motion was filed to ask for a new trial, and the case was remanded to Tulsa County District Court for a hearing. In January 2018, the court vacated Warrior’s convictions and ordered a new trial. Three months later, the prosecution filed new charges against Mr. Warrior, and in October 2019, the prosecution dismissed the charges against him.
Attorneys that represented Mr. Warrior sought to find additional evidence beyond what was reviewed before the original trial. This included finding new evidence using digital forensic techniques and methods.
As Mr. Watson discussed in the webinar, he was engaged to determine the location of Mr. Warrior’s cell phone on the day of the murder, and to determine this, Mr. Watson looked at the phone’s Mobility Usage Reports. These contain information regarding phone calls, text messages, and aggregate data use of a phone. In many cases, they can also include the location of the cell tower that a phone is using at any given time. Note that it must be specifically requested from the carrier to obtain tower information and that Mobility Usage Reports are typically obtained by subpoena.
Mr. Watson (of Avansic) examined the Mobility Usage Report related to Kevin Warrior’s cell phone on the day of the murder, up to his surrender to police the next day. Examination of these records showed that Mr. Warrior was not at the location of the homicide at the time in question. While his exact whereabouts were not obtainable, the mobility usage report allowed Mr. Watson to place him at another location a minimum distance of many miles from the location of the homicide. This coincided with testimony from Mr. Warrior regarding his whereabouts at the time. When this information was brought to the prosecutor’s attention, a decision was made to release Mr. Warrior from custody and not pursue the murder retrial.
This is one of the three pillars of the geolocation of a device. As discussed in the webinar, there are two others beyond carrier location. Third-party app providers may know location based on security settings. Devices may have data on them that can place it in a specific location; for example, caching map data, caching location data, or simply taking a picture that records location and time. For location app data, the most common source is Google Maps historical timeline (a demonstration of this was given during the webinar). It is important to understand that although all three of these sources aren’t necessary to locate a device, they individually provide compelling evidence.
Want to hear more case studies about eDiscovery moving over to forensics? Read a blog post on a “man in the middle” attack where a savvy eDiscovery reviewer discovered improperly threaded email – and it led to a breakthrough in a fraud case. We also talked about document authenticity and what to look for, which you can learn more about in the on-demand webinar.