In the last installment, we explored how a shooting investigation would look using common InfoSec paradigms. Before we jump into how law enforcement would approach that same case, let’s examine how facts evolve from simply being data to being evidence that supports an investigative strategy and proves a case beyond a reasonable doubt.
First Detective Lesson
On the way to my first crime scene as a new homicide detective I asked my senior partner what it was I needed to focus on and what I needed to document. He simply said “everything”. At the time I thought that was a good answer; I would be diligent and document everything I saw. Forty-eight hours later it was the dumbest answer I had ever heard, but he was right.
Focusing on the Right Facts
Facts are funny things, particularly in the midst of a complex criminal investigation. Not all facts or data observed have a bearing on the case at hand. Some cases have too few facts; these become “cold cases.” Conversely, with too much data you can build an investigative strategy on false or irrelevant facts. You might have a great case with great evidence, yet be missing a single piece so important that without it you can’t “prove” the case. Just because it’s a fact doesn’t mean it’s a useful fact. Just because it’s related doesn’t mean it’s pertinent. At some point you will have to narrow your scope and create an investigative strategy that is supported by the emerging fact pattern, and that pattern must contain only facts of evidentiary value. This requires using the right facts, not any and all facts just because they exist.
In a long and complicated case, losing situational awareness of which facts are simply data and which facts are of evidentiary value will result in documenting and presenting conflicting evidence in court. It’s okay early on in a case to develop an incorrect investigative strategy, but once you realize it is incorrect, every effort must then be made to disprove what you were once attempting to prove.
It helps to define what a fact may or may not be. Facts should be viewed as merely being data. Every case has some data to sort through, some relevant and some not. By relying on previously established facts, and by accepting some investigative risk in the form of working assumptions that support your investigative strategy, you can narrow down which facts you should focus on. Early on in an investigation you don’t know which facts will prove useful, hence the need to document “everything”. The goal is to work through the investigative process and produce a fact pattern that contains only facts of evidentiary value. The assumptions you used along the way will have either been validated as facts or proven false.
Before a fact becomes evidence it must pass through the stage of being a lead or a clue. This is where we first start to consider whether a fact may be of evidentiary value. The life span of a lead is determined by the amount of investigative effort required to prove that it is, or is not, relevant to the case and of evidentiary value. A fact may be true but have no bearing on your case. For example, the sidewalk on which the crime occurred was made of cement. This may be factual, but it does nothing to prove the suspect shot the victim. Nor do you need to prove every fact: if the crime occurred in daylight, there is no need to prove the sun came up that day. Sometimes you will need to prove a fact is false. It is not uncommon for a homicide detective to put an inordinate amount of time into disproving a fact. For example, facts that present themselves as “common sense” don’t always align with the truth. It must be clear to a jury that although this particular “fact” makes sense, it does not illustrate the truth. In the end, leads that are proven to be relevant and factually supportive of your investigative strategy become evidence.
Evidence Evolves to Incidents
As you gather more and more evidence, typically a pattern will develop: if A is true, then B is true, which means C is connected to D, and D proves that X committed the crime. Evidence can be elusive and arbitrary, but usually evidentiary facts will group themselves into a series of incidents. For example, there was an incident in the bar prior to the incident in the parking lot, which led to an incident involving cars in the intersection, which led to the final incident at the gas station in which the victim was stabbed. Grouping these facts into their respective incidents allows you to work multiple aspects of a case at once, which facilitates closing a case quickly. For example, if a witness from the car in the intersection incident contacts you and wants to provide facts of evidentiary value, do you ask them to call back later because you are currently only focusing on the parking lot incident? Of course not. By grouping your evidence you can more effectively multitask, spread your investigative effort more broadly and maintain situational awareness of all aspects of the case. This will facilitate getting bad guys off the streets in a timely manner, but more importantly it will allow you to quickly identify whether your suspect is on a crime spree.
Incidents to Crime Sprees
The sooner you develop the evidence you need to identify your bad guy or threat, the sooner you can stop him. This holds true for both criminal investigations and InfoSec. Case resolution is always important, but becomes even more important when your bad guy is actively committing additional crimes. For a homicide detective, speedy case resolution can literally save lives when the suspect is a serial killer. For InfoSec, time is clearly of the essence as well.
The key difference between a series of incidents and a crime spree is that each incident within a crime spree is itself a crime. It could be the same crime over and over again (serial murder) or a case in which the suspect commits a bank robbery, steals a getaway car, kidnaps a hostage, and ultimately commits a murder. Link analysis and link charts are great tools for maintaining situational awareness in such cases. Understanding and labeling your facts correctly and maintaining situational awareness of your developing fact pattern will provide clarity and effective resolution in almost any environment, including information security. In the next installment, we’ll look at how law enforcement handles evidence.
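The fact-to-evidence lifecycle and the link chart described above can be made concrete in a few dozen lines. The following is an added example, not code from the original post: it labels each observation as a fact, lead, evidence or disproven lead, keeps only validated evidence in the fact pattern, groups that evidence into incidents by scene, and then draws edges between incidents that share an entity (a suspect, a vehicle, a weapon). Connected components of that graph are candidate sprees. The scenes and entities are constructed to follow the post's bar, parking lot, intersection and gas station chain, with an unrelated burglary added to show what stays unlinked; the same code works unchanged for security alerts keyed by host, account or IP address.

```python
"""Fact -> lead -> evidence -> incident -> spree, as a link chart.

Added example, not code from the original post. The facts below are
constructed to follow the post's bar -> parking lot -> intersection ->
gas station chain, plus an unrelated burglary the same night.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    FACT = "fact"            # observed data, not yet assessed
    LEAD = "lead"            # may be of evidentiary value; being worked
    EVIDENCE = "evidence"    # validated: true and bears on the case
    DISPROVEN = "disproven"  # worked and found false or irrelevant


@dataclass
class Fact:
    id: str
    scene: str           # the incident this observation belongs to
    entities: frozenset  # people or objects the observation ties together
    status: Status = Status.FACT


def work_lead(fact, relevant):
    """Resolve a lead: promote it to evidence or record it as disproven."""
    if fact.status is not Status.LEAD:
        raise ValueError(f"{fact.id} is not an open lead")
    fact.status = Status.EVIDENCE if relevant else Status.DISPROVEN
    return fact


def group_incidents(facts):
    """Group validated evidence by scene. Raw facts, open leads and
    disproven leads are deliberately kept out of the fact pattern."""
    incidents = defaultdict(list)
    for f in facts:
        if f.status is Status.EVIDENCE:
            incidents[f.scene].append(f)
    return dict(incidents)


def link_incidents(incidents):
    """Build the link chart: an edge joins two incidents whenever evidence
    in each names the same entity. Connected components (union-find) are
    candidate sprees. Returns (components, edges), edges as (a, b, entity)."""
    parent = {scene: scene for scene in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # entity -> first incident with evidence naming it
    edges = set()
    for scene in sorted(incidents):
        for f in incidents[scene]:
            for entity in f.entities:
                origin = first_seen.setdefault(entity, scene)
                if origin != scene:
                    edges.add((origin, scene, entity))
                    parent[find(scene)] = find(origin)
    groups = defaultdict(set)
    for scene in incidents:
        groups[find(scene)].add(scene)
    return sorted(sorted(g) for g in groups.values()), sorted(edges)


def build_case():
    """Constructed fact pattern; every name here is illustrative."""
    facts = [
        Fact("F1", "bar", frozenset({"suspect", "victim"}), Status.LEAD),
        Fact("F2", "parking lot", frozenset({"suspect", "grey sedan"}), Status.LEAD),
        Fact("F3", "intersection", frozenset({"grey sedan", "witness car"}), Status.LEAD),
        Fact("F4", "gas station", frozenset({"suspect", "victim", "knife"}), Status.LEAD),
        # true but irrelevant: never becomes a lead, never enters the chart
        Fact("F5", "gas station", frozenset({"cement sidewalk"})),
        # "common sense" lead: a grey sedan at a burglary the same night
        Fact("F6", "burglary", frozenset({"grey sedan", "burglar"}), Status.LEAD),
        Fact("F7", "burglary", frozenset({"burglar", "crowbar"}), Status.LEAD),
    ]
    # Working the leads: F6 is disproven (different plate), the rest hold up.
    resolved = {"F1": True, "F2": True, "F3": True, "F4": True, "F6": False, "F7": True}
    for f in facts:
        if f.id in resolved:
            work_lead(f, resolved[f.id])
    return facts


def analyse(facts):
    """Group evidence into incidents and link the incidents."""
    return link_incidents(group_incidents(facts))


if __name__ == "__main__":
    components, edges = analyse(build_case())
    for comp in components:
        label = "spree" if len(comp) > 1 else "isolated incident"
        print(f"{label}: {', '.join(comp)}")
    for a, b, entity in edges:
        print(f"  {a} --[{entity}]-- {b}")
```

Run as a script, it prints one four-incident spree (bar, parking lot, intersection, gas station) joined by the suspect, the victim and the grey sedan, and the burglary as an isolated incident. Flip the disproven lead F6 back to evidence and the burglary is pulled into the spree through the sedan, which is exactly the conflicting fact pattern the post warns about when a “common sense” lead is never worked.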
This is part 3 of a 5-post series.