The key pieces of information in an alibi are time and location. When an individual does anything
involving a computer or network, the time and location are often noted, generating digital evidence that
can be used to support or refute an alibi. For example, telephone calls, credit card purchases, and ATM
transactions are all supported by computer networks that keep detailed logs of activities. Telephone
companies keep an archive of the number dialed, the time and duration of the call, and sometimes the
caller's number.

Credit card companies keep records of the dates, times, and locations of all purchases. Similarly, banks
keep track of the dates, times, and locations of all deposits and withdrawals. These dates, times, and
locations reside on computers for an indefinite period of time and individuals receive a report of this
information each month in the form of a bill or financial statement.

Other computer networks, like the Internet, also contain a large amount of information about times and
locations. When an e-mail message is sent, the time and originating IP addresses are noted in the
header. Log files that contain information about activities on a network are especially useful when
investigating an alibi because they contain times, IP addresses, a brief description of what occurred, and
sometimes even the individual computer account that was involved. However, computer times and IP
addresses can be manipulated, allowing a criminal to create a false alibi.

22.1 INVESTIGATING AN ALIBI

When investigating an alibi that depends on digital evidence, the first step is to assess the reliability of
the information on the computers and networks involved.

In some situations, interviewing several individuals who are familiar with the computer or network
involved will be sufficient to determine if an alibi is solid. These individuals should be able to explain
how easy or difficult it is to change information on their system. For example, a system administrator
can usually illustrate how the time on a specific computer can be altered and the effects of such a
change. If log files are generated when the time is changed, these log files should be examined for digital
evidence related to the alibi.

In other situations, especially when an obscure piece of equipment is involved, it might be necessary to
perform extensive research: reading through documentation, searching the Internet for related
information, and even contacting manufacturers with specific questions about how their products
function. The aim of this research is to determine the reliability of the information on the computer
system and the existence of logs that could be used to support or refute an alibi. If no documentation is
available, the manufacturer is no longer in business, or the equipment/network is so complicated that
nobody fully understands how it works, it might be necessary to recreate the events surrounding the
alibi to determine the reliability of the associated digital evidence.

By performing the same actions that resulted in an alibi, an investigator can determine what digital
evidence should exist. The digital data that are created when investigators recreate the events
surrounding an alibi can be compared with the original digital evidence. If the alibi is false, there should
be some discrepancies. Ideally, this recreation process should be performed using a test system rather
than the actual system to avoid destroying important digital evidence. A test system should resemble
the actual system closely enough to enable investigators to recreate the alibi that they are trying to
verify. If a test system is not available it is crucial to back up all potential digital evidence before
attempting to recreate an alibi.

It is quite difficult to fabricate an alibi on a network successfully because an individual rarely has the
ability to falsify digital evidence on all of the computers that are involved. If an alibi is false, a thorough
examination of the computers involved will usually turn up some obvious inconsistencies. The most
challenging situations arise when investigators cannot find any evidence to support or refute an alibi.
When this situation arises, it is important to remember an axiom from Forensic Science: absence of
evidence is not evidence of absence.

If a person claims to have checked e-mail on a given day from a specific location and there is no
evidence to support this assertion, that does not mean that the person is lying. No amount of research
into the reliability of the logging process will change the fact that an absence of evidence is not evidence
of absence. It is crucial to base all assertions on solid supporting evidence, not on an absence of
evidence. To demonstrate that someone is lying about an alibi, it is necessary to find evidence that
clearly demonstrates the lie.

An interesting aspect of investigating an alibi is that no amount of supporting evidence can prove
conclusively that an individual was in a specific place at a specific time. With enough knowledge and
resources, any amount of physical and digital evidence can be falsified to fabricate an alibi. Therefore, a
large amount of supporting evidence indicates that the alibi is probably true, but not definitely true. For
this reason, it rarely makes sense for a defense attorney to spend time and resources searching for
digital evidence that supports a client's alibi. No amount of evidence will prove that the alibi is true and
the more the alibi is examined, the more likely it is that an inconsistency will be found that could
weaken the attorney's ability to defend the client.

22.2 TIME AS ALIBI

Suppose that, on March 19, 1999, an individual broke into the Museum of Fine Arts in Boston and stole
a precious object. Security cameras show a masked burglar entering the museum at 2000 hours and
leaving at 2030 hours. The prime suspect claims to have been at home in New York, hundreds of miles
away from Boston, when the crime was committed. According to the suspect, the only noteworthy thing
he did that evening was to send an e-mail to a friend. Sure enough, the dates and times in the header do
not match, indicating that the e-mail message was forged on the afternoon of March 20. The suspect's
alibi is refuted. The investigators obtain the related log entries from the two mail servers that handled
the message (mail.newyork.net and mail.miami.net) as further proof that the message was sent on
March 20 rather than on the night of the crime. Additionally, the investigators search the suspect's
e-mail and discover messages that he sent to himself earlier in the week, testing and refining his forging
skills. Finally, to demonstrate how the suspect sent the forged e-mail, the investigators perform the
following e-mail forgery steps, inserting the false date I am sitting innocently at home with nothing to do
and I thought I would drop a line to say hello.

After being presented with this evidence, the suspect admits to stealing the precious object and selling it
on the black market. The suspect identifies the buyer and the object is recovered.
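The header check in this scenario can be sketched as follows. This is an added example, not material from the original text: it compares the sender-written Date header with the timestamps each mail server stamps into its Received header. The message is constructed; only the two server names come from the scenario, and the addresses, IDs, IPs, timestamps and the 10-minute tolerance are assumptions.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: server names are from the scenario; addresses, IDs,
# IPs (documentation range) and timestamps are invented for illustration.
SAMPLE = """\
Received: from mail.newyork.net (mail.newyork.net [192.0.2.10])
\tby mail.miami.net with ESMTP id EXAMPLE2
\tfor <friend@miami.net>; Sat, 20 Mar 1999 15:12:09 -0500
Received: from home-pc (dialup.newyork.net [192.0.2.77])
\tby mail.newyork.net with SMTP id EXAMPLE1;
\tSat, 20 Mar 1999 15:12:03 -0500
Date: Fri, 19 Mar 1999 20:15:00 -0500
From: suspect@newyork.net
To: friend@miami.net
Subject: hello

I am sitting innocently at home with nothing to do.
"""

def hop_times(msg):
    """Return (receiving server, timestamp) per Received header, oldest first.
    Each relay prepends its own Received line, so the last one is the oldest."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = value.rpartition(";")
        words = route.split()
        server = words[words.index("by") + 1] if "by" in words else "unknown"
        hops.append((server, parsedate_to_datetime(stamp.strip())))
    return hops

def check_times(raw, tolerance=timedelta(minutes=10)):
    """Compare the sender-controlled Date header with server-added hop times."""
    msg = message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    hops = hop_times(msg)
    findings = []
    for server, seen in hops:
        if abs(seen - claimed) > tolerance:
            findings.append(f"{server}: received {seen.isoformat()}, "
                            f"differs from Date header by {seen - claimed}")
    # Later hops should not be stamped earlier than the hops before them.
    for (first, t1), (second, t2) in zip(hops, hops[1:]):
        if t2 + tolerance < t1:
            findings.append(f"{second} is stamped earlier than {first}")
    return claimed, hops, findings

if __name__ == "__main__":
    print("\n".join(check_times(SAMPLE)[2]))
```

Received lines below the first trusted relay can themselves be written by the sender, so header findings should be corroborated with the mail servers' own logs, as the investigators do in the scenario.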

22.3 LOCATION AS ALIBI

Suppose that the same precious object was stolen again when the burglar from the previous scenario
was released from prison a few months later. This time, however, the burglar claims to have been in
California, thousands of miles away, starting a new life. The burglar's parole officer does not think that
the suspect left California but cannot be certain. The only evidence that supports the suspect's alibi is an
e-mail message to his friend in Miami.

Though the suspect's friend is irritated at being involved again, she gives the investigators the following
e-mail:

I have moved to California to start afresh. You can send e-mail to me at this address.

The investigators examine the e-mail header, determine that it was sent while the burglar was in the
museum, and find no indication that the e-mail was forged. The suspect claims that someone is trying to
frame him and assures the investigators that he has no knowledge of the crime. The following month,
when the Museum of Fine Arts receives its telephone bill, an administrator finds an unusual telephone
call to California on the night of the burglary. The investigators are notified and they determine that the
number belongs to an ISP in California (california.net). Unfortunately, the ISP's dialup logs were deleted
several weeks earlier and there is not enough evidence to link the suspect to the telephone call. The
investigators search the suspect's computer but do not find any incriminating evidence.

Investigators are stumped until it occurs to them to investigate the suspect's friend in Miami more
thoroughly. By examining the friend's credit card records, the investigators determine that she bought a
plane ticket to Boston on the day of the burglary. Also, the investigators find that her laptop is
configured to connect to california.net and her telephone records show that she made several calls from
Miami to the ISP while planning the robbery. Finally, investigators search the slack space on her hard
drive and find remnants of the e-mail message that she sent from the Museum of Fine Arts during the
robbery. When presented with all of this digital evidence, the woman admits to stealing the precious
object and implicating the original suspect. This time a different buyer is identified and the object is
recovered once again.

As noted in previous chapters, many sources of digital evidence can reveal the location of an individual,
including their mobile telephone.
