Casey Anthony Murder Trial: The Computer Evidence (Part 3)
In part 1 and part 2 of this series, I discussed some of the computer evidence introduced into the highly publicized trial where mother Casey Anthony has been accused of first degree murder for the death of her toddler, Caylee Anthony. In my previous articles I summarized the testimony of the three computer forensic experts that were used by the prosecution: Detective Osborne, Detective Sergeant Stenger, and Mr. John Bradley. I left off on the suggestion that the prosecution’s computer forensic expert witnesses were potentially technically strong, but the presentation required to explain such concepts to a jury of laypersons may have been lacking. I would like to discuss this concept at greater length in this article. I hope to show you some simple methods I have personally used during Federal criminal trials that I believe the prosecution’s witnesses could have used to make their point more effectively and been more persuasive.
In my last article, I discussed how Mr. John Bradley testified about the internet activity history for a computer system Casey Anthony purportedly used. Bradley was given a 3.2MB file by Detective Sergeant Stenger from the Anthony computer system that reportedly contained Firefox (version 2) internet activity. Bradley was provided this file because he developed the tool named Cacheback, one tool of many a computer forensic examiner can use to reconstruct internet activity, and it crashed when Stenger used it to decode the internet history in this case. Cacheback is able to reconstruct the activity from web browser internet history files and outputs a report of the contents in a human readable format.
Bradley testified that he was able to fix the bug in his tool that caused it to originally crash on this file for Stenger. Then, almost immediately, Bradley started discussing the websites visited and when they were visited, almost verbatim from the Cacheback report. Bradley did not describe what a URL was, how the data looks in a web browser to the user, how the data was stored, why the data was stored, or anything else the jury may have found useful to digest his testimony. In fact, Bradley did not even define what a URL was until he was deep into his testimony even though he had been using the term liberally throughout.
I feel that it would be difficult for a layperson to understand Bradley’s testimony without the basic understanding of what he was talking about, and moreover it was difficult for even a seasoned computer forensic examiner to understand the testimony because Bradley was basically reading the output of Cacheback out loud, which was designed for a computer forensic examiner to read. For an example, go to minute 20 in the following video from Mr. Bradley’s testimony on 6/8/2011 and watch the discussion:
http://www.myfoxorlando.com/dpp/news/060811-john-bradley-testifies
Bradley begins by discussing the header of the Cacheback report, because the report from Cacheback is a table. Bradley gives an explanation of every column in the table. An example of how Bradley explained a column was how the “URL ID” is a “primary key database value that corresponds to the actual file that now houses the decoded results”. He also explains that there is a column in the table for the “URL, Universal Resource Locator, or web address which relates to the record entry”.
My question is this: how is a layman supposed to conceptualize these aspects of a Cacheback report, which is primarily designed for a computer forensic examiner? How is this unexciting explanation beneficial for them to understand his opinion? In my opinion, much of this was unnecessary; it was dry, and it was difficult to understand unless you already had an understanding of these concepts in the first place. I would argue that anyone trying to learn a subject, such as the jury in this case, does not want to work this hard to understand it. I would also argue that it could be laid out more effectively for the jury without using jargon such as “primary key database value”, “houses the decoded results”, “Universal Resource Locator”, or “web address which relates to the record entry”. The jury presumably does not consist of computer forensic examiners and in my opinion should not be spoken to like they are. If you do not choose to watch the video of Bradley’s testimony, trust me when I tell you that most of his testimony sounds this complicated when in fact it does not need to be. It is a relatively simple computer forensic concept he is attempting to explain.
If you continue watching the video, Bradley carries on with this complicated sounding testimony as he discusses a large number of rows in his Cacheback report. At approximately minute 24:50 of the video presented above, Bradley begins to dissect a Google search URL in lengthy testimony without the use of anything other than the computer forensic examiner’s Cacheback report and the vocabulary he can conjure up as needed. He also discusses items in the long Google search URL that are unrelated to what the jury needs to know, such as in what language the Google search was performed. Instead, the jury needed to know three simple items from the data: what website did the user go to (or what keywords were searched at Google), when did it happen, and how many times did the user do it. Bradley’s testimony was not that simple.
Instead, for a moment, imagine what Bradley’s testimony could have been with the aid of some simple pictures and concentrating on just what the jury needs to know. First, I propose explaining to the jury what web browsing is (we can’t assume everyone on the jury is intimately familiar with the Firefox web browser and Google). We do that by discussing what a web browser is, what Firefox is, discussing Google, how you can use it to search for relevant web pages, and how we can use it to search for the specific phrases such as “Neck Breaking” that would be relevant later in his testimony. Bradley attempted to explain how Google works at approximately minute 23:30 in the above video, but his lengthy explanation is limited to the words he can conjure up while on the stand and may have gone over the jury’s heads. Instead, we complement our explanation by using the following PowerPoint slideshow and by showing what a simple search for “Neck Breaking” actually looks like at Google. (Note, I agree the jury cannot be shown news from the trial, but when I made this example this trial was the top news on Google that day. A prepared set of slides for testimony would not include this.)
Next, we highlight the URL for the jury in a bold red box:
After noting the big red box highlighting the URL we explain what a URL is, and we put it into layman’s terms for the jury: “This is the website you type into your web browser. However, after you search for ‘Neck Breaking’ at Google, the URL is much longer than just ‘www.google.com’ and information about your search is encoded in it. Let’s take a look at the whole URL that is in your web browser…”
At this point we show that this is the website the user visited. We discuss how Firefox stored this information in an internet history file, such as the 3.2MB file Mr. Bradley examined, along with the time it was visited. We also tell the jury that this activity increments a counter showing how many times this site was visited. We then explain to the jury that you can easily tell what keywords were searched at Google because they are encoded into the URL. In fact, we tell the jury that we will highlight the Google query in red for them in the next slide:
Just to make it very clear for the jury, we expand the keywords that were searched at Google in the next slide:
At this point we will tell the jury that the actual keywords the user searched at Google are highlighted in the big red letters and that the spaces are represented in the URL by the plus symbol.
Didn’t that explain a Google search from a computer forensic standpoint much more concisely than just using your words on the stand? Don’t you think the jury might be a little closer to being empowered to look at Mr. Bradley’s Cacheback reports and be able to make the same determination as to what keywords were entered into a Google search?
From this point forward, Mr. Bradley should have put away the Cacheback report, which again, is designed for computer forensic examiners, and pulled out a table consisting of the following three columns:
- Website Visited
- Date
- Number of Visits
When Mr. Bradley spoke of Google searches from this point forward, assuming he used what I proposed above, he should not display the full URL unless it was absolutely necessary. Instead, he should place “Searched for ‘Neck Breaking’ at Google.com” in the “Website Visited” column. He could have used a similar method for other websites. His testimony potentially would have become much more understandable, interesting, and might have helped highlight the importance of computer evidence in this case. As I discussed in my previous articles, this was the only evidence I have seen throughout the trial that could clearly show premeditation, a requirement for a first degree murder charge.
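As an added illustration (not part of the original article and not Cacheback's code), the following Python sketch turns browser-history records into the three-column table proposed above, decoding the search keywords from a Google URL where the plus symbol stands for a space. The record layout (URL, last-visit Unix time, visit count), the function names and every sample record are assumptions constructed for the example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample records: (URL, last-visit Unix time, visit count).
# Illustrative values only; none of this is data from the case.
SAMPLE_RECORDS = [
    ("http://www.google.com/search?hl=en&q=neck+breaking&btnG=Search", 1300000000, 1),
    ("http://www.google.com/search?q=caf%C3%A9+hours&hl=en", 1300000600, 3),
    ("http://www.example.com/news/index.html", 1300001200, 2),
    ("http://www.google.com/search?hl=en", 1300001800, 1),
]


def describe_visit(url):
    """Return the plain-language 'Website Visited' text for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    site = host[4:] if host.startswith("www.") else host
    if site.startswith("google.") and parts.path == "/search":
        # parse_qs turns '+' into a space and decodes %XX escapes.
        terms = parse_qs(parts.query).get("q", [])
        if terms and terms[0].strip():
            return f"Searched for '{terms[0].strip()}' at {site.capitalize()}"
        # Edge case: a search URL with no keywords must not be reported as a search.
        return f"Visited {site.capitalize()} search page (no keywords recorded)"
    return f"Visited {host}{parts.path}"


def summarize(records):
    """Build (Website Visited, Date, Number of Visits) rows, oldest first."""
    rows = []
    for url, epoch, count in sorted(records, key=lambda r: r[1]):
        when = datetime.fromtimestamp(epoch, tz=timezone.utc)
        rows.append((describe_visit(url), when.strftime("%Y-%m-%d %H:%M UTC"), count))
    return rows


if __name__ == "__main__":
    print(f"{'Website Visited':<55} {'Date':<22} Number of Visits")
    for what, when, count in summarize(SAMPLE_RECORDS):
        print(f"{what:<55} {when:<22} {count}")
```

The full URL stays in the examiner's working notes so that each simplified row can be traced back to its source record if challenged on cross-examination.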
I do not blame Mr. Bradley for the delivery of his testimony. What he testified to seemed technically strong, as I do not have the evidence in front of me to analyze in order to say otherwise. I also do not blame the prosecutors. They may have had only limited experience trying cases with computer evidence. However, I believe between the two of them they could have tested this testimony on non-computer literate people outside of their prosecution team. This would have allowed them to quickly detect that a relatively common and easy to understand computer forensic concept was quickly becoming unintelligible due to the presentation style.
I will leave you with an example from a different expert witness that impressed me. If you watch the testimony from Dr. Garavaglia (a.k.a. “Dr. G”) during her cross examination, you will see that she constantly pulls the defense attorney “out of the weeds” and brings the jury back to the big issues that helped her form her opinion. At approximately minute 25:30 of the video below, you will see Dr. Garavaglia give an impassioned answer that nearly anyone, even those of us without medical degrees, can digest and agree with her on.
http://www.myfoxorlando.com/dpp/news/061011-dr-jan-garavaglia-testifies-part2
At approximately minute 29, Dr. Garavaglia says “[the parent] has a legal, moral, and ethical obligation to care for a child, not reporting that child missing, the fact that it was tossed into a field to rot, in bags, is a clear indication that the body was trying to be hidden… and the fact that there was duct tape anywhere to that child’s face was, to me, a clear indication of a homicide”. These will most likely be the key phrases the jury takes back to the deliberation room at the end of this trial. The prosecution may have missed the boat in having the computer evidence make the same impact.
Read the fourth part of this series here: Casey Anthony Murder Trial: The Computer Evidence (Part 4)









