Defence critical of digital evidence handling in Manchester fraud trial
Sunday, October 06, 2019
BY JONATHAN MORRISON
PORUS, Manchester — Attorneys representing defendants in the Manchester Municipal Corporation multimillion-dollar fraud trial are critical of an expert witness's gathering, handling and custody of digital evidence before the court.
The witness, Andrew Anderson, a former police constable who was a digital forensic examiner with the Major Organised Crime and Anti-Corruption Agency (MOCA), faced day-long cross-examination from four defence lawyers on Wednesday in the Porus division of the Manchester Parish Court before Judge Ann Marie Grainger.
Two cellphones and a modified SIM card are among the exhibits before the court and were the focus of Wednesday's proceedings. According to the witness in previous testimony, the items were seized during police operations at the homes of two of the accused — Sanja Elliott and David Harris, both former senior employees of the Municipal Corporation. The witness had said that an analysis of the devices revealed a conversation between Elliott and Harris which he extracted and transferred to compact discs (CDs).
The others on trial in the alleged conspiracy to defraud the corporation of amounts of up to $400 million are Elliott's wife, Tasha Gay Goulbourne-Elliott; his parents Edwardo and Myrtle Elliott; an employee of Sanja Elliott, Dwayne Sibblies; Kendale Roberts, a former works overseer of the corporation; and Radcliffe McLean, a former bank employee.
In the defence's cross-examination of the expert witness, a list of concerns about his role in the investigation was put to him, which included the integrity of his methods in procuring the exhibit phones, the extracting of a conversation, and the custody and transportation of the exhibits.
In response to defence counsel's suggestions of breaches of integrity, Anderson said the phone he took from accused David Harris (whom he pointed out in court) was duly recorded in his (Harris's) presence, on an attribution form which the accused signed.
He said the absence of abstraction information in respect to Harris's phone “may have been an oversight”. He told the court he was not aware of any Jamaica Constabulary Force (JCF) regulation requiring that all the information extracted (from an electronic device) be disclosed (in evidence). He stated that although all the data was extracted from the phone in question, only the conversation was required in the investigation.
The witness said he had no knowledge of the software he used to extract the conversation being hacked twice in recent years, and denied a suggestion that the software itself was a hacking tool.
Anderson admitted that he “may have taken” a mobile phone from another member of the Harris household, but said that the phone was not examined in the investigation. In addition, he was not aware that the phone was still with the JCF, and to verify whether he had returned the phone to his superiors, he would need to consult the attribution form that recorded such information. The witness, however, agreed that as a certified forensic examiner it was his responsibility to ensure the safe custody of items seized.
Anderson said that when he served the JCF he was not aware of police force orders that had a “chain of command” in dealing with exhibits and denied that the chain of custody of the exhibits was breached. He said further that he was not aware of procedures set out by the Forensics and Cybercrime Unit to handle (electronic) devices and that exhibit devices must be stored with the unit. He told the court that no particular person was in charge of the exhibit log, adding “we all accounted”. He further stated that there “was no emphasis on logging”.
Anderson said the bag in which he transported the exhibits (to court) was not his, but the property of MOCA.
In the area of technical information related to the mobile phone exhibits, Anderson, in his response to defence counsel's cross-examination, told the court that he was not aware of any software to alter WhatsApp conversations and text messages or to modify the binary data (of computerised devices), but that “there may be several available”.
In other responses, Anderson said he was not of the view that the social media platform WhatsApp could communicate with Hangout, a similar digital communication platform. He said he could not respond to the defence counsel's suggestion that training in Cellebrite technology — the software used in the extraction of the information — “does not make you an expert”.
Anderson disagreed with the defence that his method of accessing the information on the phone — by the use of a keyword — rendered the message extracted “disjointed and incomplete”. He agreed that there were anti-forensic techniques, but could not say whether these techniques could be used in the “manipulation of forensic tools such as Cellebrite”. He told the defence that it was a “difficult question”.
The prosecution, in its re-examination of the witness, sought to clarify some of his responses to the defence. In answer to questions from Crown Counsel Channa Ormbsy, Anderson told the court that he was not aware of any “progressive degradation” of the server (computer programme) of MOCA as suggested by the defence, and in fact the facility had more than one server.
On another issue about which the Crown required clarification, Anderson told the court that accused David Harris may be receiving bills for his phone in police custody, as he may not have closed the account with the phone company.
The trial continues in the Parish Court in Mandeville tomorrow.