In early December 2008, Clifford Lambert, a retired Los Angeles art dealer, received a call from a New York estate lawyer with news that surely made his 74-year-old heart leap. Lambert was due to inherit some valuable artwork, the man said, from the estate of May Department Stores Co. heiress Florene May Schoenborn, who had died—curiously—in August 1995.
Lambert arranged a meeting to discuss the purported details. Days later, three men arrived at Lambert’s home and stabbed him to death in the kitchen of his posh, 4,300-square-foot Palm Springs, Calif., home. They buried his body in the nearby desert.
Six people were ultimately convicted in Lambert’s murder, which was financially motivated. (The man on the phone, as you might expect, was no lawyer.) Much of the evidence against them was found inside their mobile phones. That’s where Jonathan Zdziarski, a digital forensics researcher better known as the hacker “NerveGas,” came into the picture.
Hired by prosecutors, Zdziarski’s job included analyzing the phones of the defendants for proof that they participated in the plan to rob and murder Lambert—even as several of them vehemently denied it.
The job wasn’t easy. For instance, 30-year-old Daniel Carlos Garcia was one of the last two defendants to be tried. “Garcia decided to represent himself, and he made sure he got Starbucks, even in prison in the middle of the trial,” Zdziarski recalls. “He made a ridiculous argument accusing the police of inserting texts on his phone. ‘The cops framed me’ was his story, and it was a whole dog-and-pony show.”
The case’s complexity and Hollywood antics have inspired at least one book. “The stuff I had to deal with in those cases was crazy,” Zdziarski says. Still, he was able to probe the digital evidence in the devices owned by Garcia and the other defendants to determine that there was no tampering. Instead, he uncovered a 21st century smoking gun: orders to commit murder.
Garcia was convicted on Sept. 7, 2012.
‘The whole world opened up’
Forensic analysis has long been a central part of criminal investigations. (Even Archimedes practiced it in the third century B.C.) But it’s only recently that computers and digital devices have come to be a common component of the practice. The Florida Computer Crimes Act of 1978, for instance, included legislation against the unauthorized modification or deletion of computer data; the Comprehensive Crime Control Act of 1984 included some provisions for the inclusion of computer activity in modern crimes; the Computer Fraud and Abuse Act in 1986 expanded that considerably.
Despite the legislation, it wasn’t until 2007, when a gunman killed or wounded dozens of people on the campus of the Virginia Polytechnic Institute, that digital forensics became a top consideration, says Joe Caruso, founder and chief executive of Global Digital Forensics.
“This was the really big, eye-opening event when people thought about digital forensics,” Caruso says. “This kid killed a lot of people. Everyone was talking about his state of mind and his thinking. Then they grabbed his computer and a whole world opened up. A whole psychological profile could be built from his personal computer.”
Afterward, law enforcement officials began to more seriously consider the value of the practice, Caruso says. “When they used to go into a murder scene, they tagged everything, took the computer and fingerprinted it, and that was it,” he says. “After Virginia Tech, the computers got analyzed.”
Today, digital forensics isn’t just used to zero in on direct evidence of a crime. It’s also used to determine who did what and why, confirm alibis or statements, and authenticate documents. According to the market research firm IBISWorld, the U.S. digital forensics industry is expected to grow at an average annual rate of 6.7% over the next five years, from $1.2 billion in revenues today to $1.7 billion by 2019.
The practice has become “an integral part of many criminal cases,” says Gordon Shyy, a spokesman for the San Francisco Police Department. Though Shyy declined to explain in detail the particular methods San Francisco police use for fear of compromising the department’s investigations, he did say that the prevalence of smartphones today has made forensics increasingly critical.
“There may be information regarding criminal activity conducted by the suspect,” he says. “All of this is helpful.”
The devil’s in the details
There are two main components to digital forensics: data preservation and data analysis. Data preservation is the process of collecting and preserving digital evidence from media such as hard drives and mobile devices, and “the most robust way to preserve evidence is to create a forensic image,” says James Aquilina, executive managing director and head of the digital forensics practice at Stroz Friedberg.
It’s a task that commercial software can accomplish. “The software creates two bit-by-bit copies, then it compares them using an algorithm to make sure the hash values match,” Aquilina explains.
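The copy-and-compare step described above, as an added example that is not from the article or from any commercial tool: it images constructed sample data twice, checks that the hashes match, then alters one byte in a copy to show the mismatch and where it sits. SHA-256, the 4,096-byte block size and all file names are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 4096  # assumed block size for piecewise hashing


def hash_file(path):
    """Read a file from disk; return (whole-file SHA-256, list of per-block SHA-256)."""
    whole, blocks = hashlib.sha256(), []
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            whole.update(block)
            blocks.append(hashlib.sha256(block).hexdigest())
    return whole.hexdigest(), blocks


def first_mismatch(blocks_a, blocks_b):
    """Byte offset of the first differing block, or None if the lists are identical."""
    for i, (a, b) in enumerate(zip(blocks_a, blocks_b)):
        if a != b:
            return i * CHUNK
    if len(blocks_a) != len(blocks_b):
        return min(len(blocks_a), len(blocks_b)) * CHUNK
    return None


def demo():
    """Image constructed 'media' twice, verify, then alter one copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src, img1, img2 = (os.path.join(tmp, n) for n in ("media.bin", "a.dd", "b.dd"))
        with open(src, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 100))  # constructed sample data
        shutil.copyfile(src, img1)
        shutil.copyfile(src, img2)
        src_hash, src_blocks = hash_file(src)
        h1, _ = hash_file(img1)
        h2, _ = hash_file(img2)
        verified = src_hash == h1 == h2
        with open(img2, "r+b") as fh:  # simulate alteration: flip one byte
            fh.seek(CHUNK + 5)
            byte = fh.read(1)
            fh.seek(CHUNK + 5)
            fh.write(bytes([byte[0] ^ 0xFF]))
        h2_after, blocks_after = hash_file(img2)
        return verified, h2_after == src_hash, first_mismatch(src_blocks, blocks_after)


if __name__ == "__main__":
    print(demo())
```

The per-block hashes are what let an examiner say which region of an image diverged, not only that it did.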
The second component, data analysis, focuses on answering a question. “Typically, the question relates to being able to find and document one action in relation to other activities,” he notes. This could include data created by the user, generated by the computer’s software, or received over the Internet. “We look at all this to determine what happened, or what happened vis-à-vis something else,” Aquilina says.
A frequent concern in the cases Stroz Friedberg handles is spoliation, or the alteration of digital data. “We’re often asked to basically piece together whether and the extent to which data was destroyed and who did it,” he says.
E-forgery is another. For example, Paul Ceglia brought a lawsuit against Facebook and its CEO Mark Zuckerberg in 2010 claiming partial ownership of the company, but “forensics revealed that the contract he claimed existed was actually forged,” Aquilina says.
File system metadata—that is, data that holds information about other data—is often a key piece of evidence in these kinds of cases. Common applications such as Microsoft Word embed metadata in the documents they create. One type is what you see when you click on the document’s “Properties,” for example. File system metadata is far less conspicuous and less well-known, and is equivalent in many ways to a hidden trail of digital “footprints” because it is created by the file system within the computer’s operating system each time a file is created, modified or accessed.
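A sketch of how those file-system footprints become a timeline, added here as an example and not taken from the article or any forensic product: it reads each file's timestamps from the operating system and merges them chronologically. The file names and timestamp values are constructed, and the reading of `st_ctime` as inode-change time assumes a Linux or other Unix file system.

```python
import os
import tempfile
from datetime import datetime, timezone


def file_events(path):
    """Turn one file's stat record into (timestamp, event, name) tuples."""
    st = os.stat(path)
    name = os.path.basename(path)
    return [
        (st.st_mtime, "modified", name),
        (st.st_atime, "accessed", name),
        # On Linux st_ctime is the inode-change time (not creation time);
        # os.utime cannot set it, so it records when metadata last changed.
        (st.st_ctime, "metadata-changed", name),
    ]


def timeline(paths):
    """Merge every file's events into one chronological list."""
    events = sorted(e for p in paths for e in file_events(p))
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), ev, name)
            for ts, ev, name in events]


def demo():
    """Build a timeline over two constructed files with constructed timestamps."""
    with tempfile.TemporaryDirectory() as tmp:
        stamps = {  # name: (atime, mtime) in epoch seconds, constructed values
            "contract.doc": (1_000_000_600, 1_000_000_000),
            "photo.raw": (1_000_000_900, 1_000_000_300),
        }
        paths = []
        for name, times in stamps.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
            os.utime(path, times)  # set accessed/modified times explicitly
            paths.append(path)
        return timeline(paths)


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

In the output the modified and accessed times carry the 2001 values that were set, while the metadata-changed entries show the moment the timestamps were actually written, which is the kind of inconsistency an examiner looks for.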
“We had a case where unretouched and unprocessed raw images of a famous celebrity taken by a famous photographer were leaked onto the Internet,” Aquilina recounts. “We were hired to find out who leaked the photos. We pulled them down and started analyzing the metadata.” Included were details about the camera used to take the photos, the date on which the photos were taken, the devices on which the photos were stored, and which software accessed the files along the way. “The fields ranged from A to ZZ in the spreadsheet—that’s how much data was stored,” Aquilina says.
Armed with all that information, Stroz Friedberg determined that the leaker of the photos was a temporary worker employed by the photographer.
‘Every client has some kind of digital fingerprint’
Caruso has similar tales. His company is often hired by corporations to go through the computers, mobile phones, and other devices of employees or former employees looking for information they may have transferred outside the company.
“It’s becoming more and more a standard practice for companies to create backups and forensic images, depending on the level of access the employee had,” he says.
What turns up can be surprising. “We had a case of a teacher that the school board suspected and had complaints about,” Caruso recalls. “Students had seen him looking up porn in his classroom. We went in, gathered up his Internet history, and found that he was uploading images of himself naked to homosexual dating sites.”
When the teacher alleged that the board was simply prejudiced against his sexual orientation and that his activities hadn’t had any impact on the school’s children, however, “we started to look at the metadata in the pictures, which were taken with an Apple iPhone,” Caruso says. “In all of them, the geolocation data said they were taken at the school itself. The school then had enough evidence to go to the union and say, ‘We’re going to terminate this guy.’”
We are all being tracked by our technology all the time, Caruso adds, even with so-called ephemeral technologies like Snapchat or services that seem anonymous like Whisper and Secret. “Almost every client today has some kind of digital fingerprint,” he says. “We take the artifacts and put them together into a scenario.”
This summer, the U.S. Supreme Court ruled that police must have a warrant to search the mobile electronic devices of criminal suspects. Meanwhile, growing adoption of cloud computing and software as a service, for which most data is stored on a centralized server owned by another company and often in another location, has added a new wrinkle for digital forensics investigators. (A recent draft report from the National Institute of Standards and Technology identifies no fewer than 65 related challenges.) That can make things “a lot more difficult,” Aquilina admits. “But here’s the good news: Often it’s just a logistic issue, just about getting access, and a lot of times you can.”
Computer forensics used to be something of a “black art,” Caruso says. Not anymore. “Today, there are programs in colleges,” he says. “Now everybody is all over forensic analysis. I think it’s a good thing.”