The George Zimmerman trial was rich in spectacle, but amidst the dialog about race and guns, there was a digital evidence drama that got lost.
Florida State Attorney Angela Corey fired her IT director after he testified during a pre-trial hearing that her discovery report omitted evidence he had recovered from Trayvon Martin’s cell phone. Ben Kruidbos will shortly file a whistleblower suit, according to his attorney.
Kruidbos says he recovered a large volume of digital evidence the police missed when they examined Martin’s phone. He included the evidence in his report, but was surprised when he discovered the final report omitted photos and text messages that might have been meaningful.
Digital forensics is a new and very specialized practice. Law enforcement does not always have the training or the tools to find all of the evidence. Ironically, neither do IT personnel, who are often called upon to do it anyway, because they are viewed generically as “the computer guys” – and non-technical managers wrongly believe that the computer guys know how to do every task in the digital realm.
Kruidbos appears to have been rather unique in his field, finding “thousands” of additional photos and text messages.
Only the local press had the institutional knowledge to give political context to the story, which is the story of an agency enduring IT chaos. Ben Kruidbos delivered the hidden data from Martin’s phone, but there were extraneous political and personnel issues in the office that clouded his performance.
Kruidbos seemed also to have a unique sensitivity to discovery protocol. Habeas Hard Drive finds that IT personnel – even those employed in law firms – aren’t always attuned to legal imperatives, but operate instead on technical imperatives. (Understandably, since that is their job.)
None of this is to criticize IT professionals. Habeas Hard Drive has great respect for skilled IT people, who are often valuable partners in the work we do. But in most cases, examination of digital devices should be turned over to a digital forensics professional, who is certified in digital data recovery, and trained to develop an evidence strategy with the attorney, and then extract the pieces most likely to become relevant.
In a politically-charged environment, some distance from the key players may also be prudent.
Sidenote: The Jacksonville paper includes the detail that Kruidbos, as IT director, had been given reduced access to the computer network in the Florida Attorney’s Office after investigation of a security breach earlier this year. For the record, an IT director without full access to the computers is not an IT director. This preposterous arrangement suggests incompetent management – or some kind of HR intervention that prevented either immediate termination for Kruidbos after the investigation, or full clearance if he was not implicated in the breach. Those are the only two logical options for the employee who holds the keys to the digital kingdom.
This might also shed light on the reason Kruidbos hired an attorney when he realized all the evidence was not turned over to Zimmerman’s defense counsel. He says he feared personal legal consequences, which may indeed have been a concern if he was already marginalized within the organization.
Finally, we note that Judge Debra Nelson ruled the cell phone evidence inadmissible when defense finally received it, because there was no assurance that Trayvon Martin had taken the photos or written the texts on his own phone. Should all evidence on handheld devices be called into question unless there is an eyewitness to its production? A topic for another time.
By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a digital forensics and data security analyst. He is a contributor to HabeasHardDrive.com, The SANS Computer Forensics Blog, and CyberJungle Radio. He holds US patents in email security and authentication. He is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigation Association (HTCIA). Follow Ira’s digital forensics and data security tweets: @ira_victor