Problem
The End of the Investigation and The Case Against Matthew Weaver
Special Agents from the FBI also extracted data from the hard drive of Weaver's computer. Despite the fact that Weaver had deleted multiple files, the investigators were able to recover two files of great interest:
First, a PowerPoint presentation dated to January which he gave to fellow members of his fraternity, Tau Kappa Epsilon. He proposed that he run as president and his fraternity brothers run as vice presidents and other officials-with each titleholder receiving an annual stipend of $1,000 to $8,000. If they won, Weaver and his brothers would control the student-government budget.
Second, a spreadsheet (the one visible in the video footage) in which he had recorded the usernames and passwords of 740 students. (Students have to use the username and password to access the college computer systems and internet).
How did detectives recover deleted files? Think of a file system as a book with an index. When you delete a file all you are in fact doing is removing the index entry in the book for that page or chapter, the page or chapter still stays there. When your computer writes more data to the disk it may, or may not, overwrite the previously 'deleted' file. If it is overwritten, then the file is gone, if not the file still remains on the hard disk. Just turning your computer on, or browsing the Internet will cause new information to write to your hard drive. This means that the more time passes from the time the file was deleted, and the more the computer is used after the file was deleted, the higher the chances of the file being overwritten.
As the lead digital forensic scientist on this case, you are called into the trial to provide expert testimony. Summarize what your testimony would likely include. Make sure to answer the following questions:
i. How does the digital evidence uncovered from the deleted files help the case against Matthew Weaver?
ii. Based on the previous scenes in this case, explain how the IP address evidence and the internet history file support the case against Matthew Weaver.
iii. Matthew Weaver claimed that his privacy was violated when the computer in the computer lab and his own computer were used to provide evidence of his internet use and communications. His lawyer protested that the Fourth Amendment states an individual has a reasonable right to privacy of electronic information stored on devices under that individual's control. Using the procedures of digital forensic investigation you learned in this lesson, explain to the jury how the computer forensic investigation would have proceeded and how computer examiners (technicians) ensure that only information covered by a search warrant is extracted for use. Use the terms digital evidence, computer forensic science, search lead list, and flash memory in your answer.