That one artifact: Metadata’s role in a complex child exploitation case
In this series, Chad Gish, CID/SISU Detective with the Metropolitan Nashville Police Department, delves into some noteworthy cases from his 26-year career, focusing on investigations that were either completely solved or significantly aided by a critical piece of evidence, what he calls “that one artifact.”
In some cases, physical evidence can be so limited that solving the case becomes nearly impossible. Without eyewitnesses, videos, fingerprints, or DNA, digital evidence can be pivotal in solving crimes and achieving justice.
This case study is the latest installment in my “That One Artifact” series. Previous articles have explored how evidence can be concealed in Apple Notes, how a single Bluetooth connection can crack an otherwise unsolvable homicide, or how overlooking a cloud account might have allowed a child predator to escape justice.
In this installment, we examine how even a small piece of metadata from a single device can significantly advance a case that initially seems unsolvable.
Finding a flash drive in a coffee shop
A flash drive was discovered under a table at a local coffee shop. An employee of the coffee shop, intending to return the drive to its owner, connected it to their laptop to search for identifying information. To their shock, they found horrific photos and videos of young children being sexually abused. The police were contacted immediately, and the drive was seized for investigation. However, with no witnesses, physical evidence, surveillance footage, or information on when the drive had been left behind, there were no leads. A search warrant was obtained, and the drive was submitted to our digital forensic lab for analysis.
During analysis, I found that the images and videos were likely from the internet or dark web sites. Unfortunately, there was no personal information linking the content to any individual. The videos were among the most disturbing I have encountered, indicating that the owner of the drive may have escalated their activities to directly harming children. Despite an exhaustive review of every file, including deleted media recovered from unallocated space, I was unable to establish a direct connection between the content and any specific person or place. There was no useful metadata or EXIF data, and no personal photos or files; nothing that could provide additional context or clues.
Forensic examinations are often a marathon, not a sprint
Following a detailed checklist of analysis techniques is essential to ensure that no data is overlooked. In digital forensics, the discovery of ‘that one artifact’ can be pivotal, often serving as the catalyst for uncovering additional evidence. This chain reaction can be crucial in disproving a suspect’s statements or revealing significant details, just as it did in this case.
This investigation took place before Magnet Forensics introduced its artifact-first approach, which revolutionized the field of forensics. At the time, recovering deleted files involved writing custom scripts to target specific file types. While understanding manual file recovery is crucial, today’s large data sets and limited number of examiners make manual data recovery increasingly challenging.
Perpetrators involved in crimes against children often keep their illicit materials separate from their personal data. However, they often become complacent over time and inadvertently mix their illegal activities with their personal information.
Finding metadata in a Word document
Knowing that the coffee shop was located near several universities and was frequented by college students, my next step was to recover any deleted Word documents or PDF reports. No allocated documents were present, but I hoped to uncover deleted files that might contain valuable metadata, such as a college essay, that could provide personal information and potentially lead to a breakthrough in the investigation.
The example above is from a Word document and shows various metadata tags. Depending on your software version, select “Info” or “Properties” to view these tags in Word. Although the tags are not immediately visible when you open the document, they are embedded within the file and can be recovered during a forensic examination.
I eventually recovered a Word document, a science paper, from unallocated space whose metadata contained personal information: a person’s name was listed in the “Author” field, and the name of a nearby university in the “Company” field.
A “Created” timestamp also showed that the document had been created two days before the drive was found under the table. This alignment of dates significantly strengthened the case for treating the individual named in the metadata as a potential suspect. Further investigation confirmed that this person was a student at the identified university and a frequent visitor to the coffee shop, often sitting where the drive was discovered.
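As an added illustration (not code from the original article or from Magnet Forensics), the Python below reads the same three properties out of a .docx. A .docx is a ZIP container: Word stores the Author and Created values in docProps/core.xml and the Company value in docProps/app.xml. A document carved from unallocated space often loses its tail, which is where the ZIP central directory lives, so the standard library's zipfile module rejects it; the example therefore walks the local file headers at the front of each entry instead. The document it builds, with its author name, company and timestamps, is constructed for the example and has nothing to do with the case.

```python
import io
import struct
import zipfile
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces of the two OOXML property parts Word writes into every .docx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")


def walk_local_headers(blob):
    """Yield (entry name, inflated bytes) by walking ZIP local file headers.

    The central directory sits at the end of a ZIP, so a carve that lost its tail is
    rejected by zipfile; the local header in front of each entry is enough here.
    """
    pos = 0
    while True:
        pos = blob.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(blob):
            return
        (_sig, _ver, _flags, method, _mtime, _mdate, _crc, _csize, usize,
         name_len, extra_len) = struct.unpack_from("<4sHHHHHIIIHH", blob, pos)
        name = blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        start = pos + 30 + name_len + extra_len
        if method == 8:  # deflate: inflate to end of stream, trust no stored size
            inflater = zlib.decompressobj(-15)
            payload = inflater.decompress(blob[start:])
            consumed = len(blob) - start - len(inflater.unused_data)
        elif method == 0:  # stored
            payload, consumed = blob[start:start + usize], usize
        else:
            payload, consumed = None, 0
        yield name, payload
        pos = start + max(consumed, 1)


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def parse_w3cdtf(value):
    """dcterms timestamps are W3CDTF strings such as 2013-11-04T21:17:00Z."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_docx_metadata(blob):
    """Return the Author / Company / Created properties embedded in a .docx."""
    props = {}
    for name, payload in walk_local_headers(blob):
        if name not in PROPERTY_PARTS or payload is None:
            continue
        try:
            root = ET.fromstring(payload)
        except ET.ParseError:  # part partially overwritten in unallocated space
            continue
        if name == "docProps/core.xml":
            props["author"] = _text(root, "dc:creator")
            props["last_modified_by"] = _text(root, "cp:lastModifiedBy")
            props["created"] = parse_w3cdtf(_text(root, "dcterms:created"))
            props["modified"] = parse_w3cdtf(_text(root, "dcterms:modified"))
        else:
            props["company"] = _text(root, "ep:Company")
            props["application"] = _text(root, "ep:Application")
    return props


def stdlib_can_open(blob):
    """True when zipfile accepts the container, i.e. its central directory is intact."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)):
            return True
    except zipfile.BadZipFile:
        return False


def build_sample_docx(author, company, created, modified):
    """Constructed stand-in for the carved file: a minimal .docx with real property parts."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{author}</cp:lastModifiedBy>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           f'<Company>{company}</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed sample values; nothing here comes from the case.
SAMPLE_DOCX = build_sample_docx("Jane Q. Student", "Example State University",
                                "2013-11-04T21:17:00Z", "2013-11-05T02:48:00Z")
# A carve that lost its last 120 bytes: the central directory is gone.
TRUNCATED_DOCX = SAMPLE_DOCX[:-120]

if __name__ == "__main__":
    print("zipfile accepts truncated carve:", stdlib_can_open(TRUNCATED_DOCX))
    for key, value in extract_docx_metadata(TRUNCATED_DOCX).items():
        print(f"{key:>17}: {value}")
```

Running it shows zipfile refusing the truncated carve while the header walk still returns the author, company and creation time. The Created value is whatever the authoring machine's clock said, so it should be checked against other sources (as the coffee shop receipt and the LNK timestamps were in this case) rather than taken on its own.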
Interviewing the suspect
Search warrants were executed at the suspect’s apartment on the university campus. During the interview, he denied ever possessing the flash drive, leaving it at the coffee shop, or accessing, producing, or downloading such disturbing media. No confession was obtained, but asking the right questions so that the suspect or person of interest commits firmly to their statements is crucial. Locking a suspect into a statement or timeline matters because digital forensics can then corroborate or contradict their claims, which helps both the investigators and the prosecution.
During the search, the suspect’s laptop was recovered, showing internet activity relating to the sexual exploitation of children. While this internet activity was significant, it remained circumstantial without additional hard evidence to corroborate the suspect’s involvement.
Linking the flash drive
The next step was to analyze whether the flash drive could be directly linked to the suspect.
There are numerous artifacts that can help establish the connection between a removable device, the system it was plugged into, and the user activity that took place between the two. My first focus was the Windows Registry, particularly the “USBSTOR” key in the SYSTEM hive, which records details about USB mass-storage devices that have been connected to the system. This key includes the device’s make, model, and serial number, and the date and time it was last connected.
I confirmed that the flash drive had indeed been connected to the suspect’s laptop and was last connected the day before the employee discovered the drive. This evidence strengthened the case, providing a concrete link between the suspect and the flash drive.
This is an example of USBSTOR entries as presented in Axiom. For further reading on the significance of the artifacts associated with USB connections, Magnet Forensics has published an informative article: https://www.magnetforensics.com/blog/artifact-profile-usb-devices/
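As an added example (not code from the article or from Magnet Forensics), the Python below parses USBSTOR device-instance key paths into make, model, revision and serial, and checks whether the serial read from a seized drive appears among them. The key paths are constructed for the example. Two caveats a practitioner should keep in mind: the instance key is only a device serial when the device reported one, and an ID whose second character is “&” was generated by Windows and identifies a port position rather than the device; and the serial here is the USB device serial, which is a different number from the volume serial that LNK files record. For timestamps, the USBSTOR key and its instance subkey carry last-write times, and on Windows 8 and later the instance key's Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkeys 0064 (install), 0066 (last arrival) and 0067 (last removal) hold explicit FILETIME values.

```python
import re

# Device-class key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, for example
# Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP (spaces are stored as underscores).
DEVICE_KEY_RE = re.compile(
    r"^(?P<device_class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$",
    re.IGNORECASE)


def parse_usbstor_instance(key_path):
    """Split one USBSTOR device-instance key path into vendor, product, revision and serial."""
    parts = [p for p in key_path.replace("/", "\\").split("\\") if p]
    try:
        i = next(n for n, p in enumerate(parts) if p.upper() == "USBSTOR")
    except StopIteration:
        raise ValueError("not a USBSTOR key path") from None
    if len(parts) < i + 3:
        raise ValueError("path stops before the device-instance key")
    device_key, instance_key = parts[i + 1], parts[i + 2]
    m = DEVICE_KEY_RE.match(device_key)
    if m is None:
        raise ValueError(f"unrecognised USBSTOR device key: {device_key}")
    info = m.groupdict()
    # Plug and Play rule: an '&' as the second character marks an instance ID that
    # Windows generated because the device reported no unique serial number. Such an
    # ID describes where the device was plugged in, not which device it was.
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    info["instance_id"] = instance_key
    info["windows_generated_id"] = generated
    info["serial"] = None if generated else instance_key.rsplit("&", 1)[0]
    return info


def match_seized_device(key_paths, seized_serial):
    """Return the USBSTOR entry whose serial equals the one read from the seized drive."""
    wanted = seized_serial.strip().upper()
    for path in key_paths:
        entry = parse_usbstor_instance(path)
        if entry["serial"] and entry["serial"].upper() == wanted:
            return entry
    return None


# Constructed key paths standing in for a suspect machine's SYSTEM hive; not from the case.
SAMPLE_USBSTOR_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B2A5DBEA1A9D8081B&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230317118233&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2c9a1b4e&0",
]

if __name__ == "__main__":
    for path in SAMPLE_USBSTOR_KEYS:
        e = parse_usbstor_instance(path)
        print(f'{e["vendor"]:<9} {e["product"]:<18} serial={e["serial"]} generated={e["windows_generated_id"]}')
    seized = match_seized_device(SAMPLE_USBSTOR_KEYS, "4c530001230317118233")
    print("seized drive present on this machine:", seized is not None)
```

The serial to search for is read from the seized drive itself (its USB device descriptor, via the lab's write-blocked connection), never typed from memory; the generic entry in the sample shows why a device without a unique serial cannot be tied to a machine by USBSTOR alone.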
The importance of a solid checklist
At this point, the importance of having a solid checklist becomes clear. By examining the Windows Registry and other system locations, I was able to leverage various artifacts to connect the material on the flash drive to the suspect. The Registry’s MRU (Most Recently Used) lists, such as the RecentDocs and OpenSavePidlMRU keys in the user’s NTUSER.DAT hive, track the files and folders the user most recently opened or saved. Several suspect files and folders had been accessed and were listed in the MRU keys.
This is an example of the MRU entries as presented in Axiom. For further reading on the significance of MRU artifacts, Magnet Forensics has published an informative article: https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/
The Registry Shellbags keys were examined and provided a wealth of evidence confirming recent interactions with the connected flash drive. Shellbags are Registry keys (the BagMRU and Bags keys under the Shell path in the user’s NTUSER.DAT and UsrClass.dat hives) that store information about folders and their view settings within Windows Explorer. As part of the Windows Shell, which manages the graphical user interface, Windows writes an entry when a folder is opened in Explorer and updates it when the folder’s view settings change, such as switching from “Details” view to “List” view, so these keys offer valuable insight into folder access.
In this case, the Shellbags entries predominantly recorded switches to the “Icon” view. This suggests that the suspect had switched to “Icon” (thumbnail) view to browse photos and images without opening each file individually. Shellbags also revealed a number of deleted folders on the flash drive: even after a folder has been deleted, the information about it can still be present in Shellbags.
This is an example of the Shellbags entries as presented in Axiom. For further reading on the significance of Shellbags artifacts, Magnet Forensics has published an informative article: https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/
The source of the most important artifacts
However, the most significant artifacts, and one of my favorites for demonstrating user interaction with files and folders, were recovered from LNK files. LNK files are crucial in digital forensics, providing valuable insights into user activity by linking to applications or files recently accessed. They are instrumental in tracing the suspect’s actions, offering clues about the specific files or folders they interacted with.
LNK files record details about their target, such as its path, size, and timestamps, and when the target lived on an external drive, the serial number and label of that volume. Just as the USBSTOR Registry key shows a connection between a USB device and a computer, this lets an LNK file tie a file the user opened to a specific volume. This additional information provides even more context about the suspect’s external devices and enriches the overall understanding of their usage.
LNK files revealed that the suspect had hundreds of interactions with the illicit material on the flash drive, most of them the day before the drive was turned over to the police. They also revealed that he accessed ordinary files alongside the suspect files, indicating that he was working on college papers while browsing his disturbing collection of CSAM, often at the same time. This puts the suspect behind the keyboard. Additionally, after a couple of weeks, our search warrant for his bank records yielded another significant piece of evidence: his credit card had been used at the coffee shop during the same period in which many of the suspect files were accessed.
This is an example of the LNK file entries as presented in Axiom. For further reading on the significance of LNK file artifacts, Magnet Forensics has published an informative article: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
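As an added example (not code from the article, from Magnet Forensics, or from Axiom), the Python below parses the two parts of a .lnk file that matter most for this kind of linkage: the ShellLinkHeader, which carries the target's creation, access and write times and its size, and the LinkInfo structure, which carries the local path plus a VolumeID with the volume's drive type, serial number and label (layout per MS-SHLLINK). It builds a minimal .lnk of its own to parse, so the path, label, serial and timestamp are constructed and not taken from the case.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from MS-SHLLINK: link CLSID, LinkFlags bits and LinkInfoFlags bits.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _cstring(buf, offset):
    return buf[offset:buf.index(b"\x00", offset)].decode("cp1252", "replace")


def is_shell_link(data):
    """A .lnk starts with HeaderSize 0x4C followed by the shell link CLSID."""
    return len(data) >= 0x4C and data[:20] == struct.pack("<I16s", 0x4C, SHELL_LINK_CLSID)


def parse_lnk(data):
    """Parse the ShellLinkHeader and LinkInfo (local path + VolumeID) of a .lnk."""
    if not is_shell_link(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    ctime, atime, wtime, size = struct.unpack_from("<QQQI", data, 28)
    link = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime),
            "target_size": size, "local_path": None,
            "drive_type": None, "volume_serial": None, "volume_label": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, vol_off, base_off, _net, _suffix = \
            struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, pos + vol_off)
            link["drive_type"] = DRIVE_TYPES.get(drive_type, f"type {drive_type}")
            link["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            link["volume_label"] = _cstring(data, pos + vol_off + label_off)
            link["local_path"] = _cstring(data, pos + base_off)
        pos += info_size
    return link


def build_lnk(local_path, volume_label, volume_serial, drive_type, target_written, target_size):
    """Build a minimal .lnk (header + LinkInfo with a VolumeID) to feed the parser."""
    ft = datetime_to_filetime(target_written)
    header = (struct.pack("<I16sII", 0x4C, SHELL_LINK_CLSID, HAS_LINK_INFO, 0x20)
              + struct.pack("<QQQ", ft, ft, ft)
              + struct.pack("<IIIHHII", target_size, 0, 1, 0, 0, 0, 0))
    label = volume_label.encode("cp1252") + b"\x00"
    path = local_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label), drive_type, volume_serial, 16) + label
    vol_off = 28                        # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path)   # empty CommonPathSuffix follows the path
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    return header + link_info


# Constructed sample of what Explorer writes under %AppData%\Microsoft\Windows\Recent
# when a document on a removable volume is opened. None of these values are from the case.
SAMPLE_LNK = build_lnk(r"E:\papers\bio101_lab_report.docx", "KINGSTON", 0x1A2B3C4D, 2,
                       datetime(2013, 11, 5, 2, 48, tzinfo=timezone.utc), 48213)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:>16}: {value}")
```

Two points of interpretation: the timestamps inside the link describe the target file at the time the link was written, while the creation and modification times of the .lnk file itself on the suspect's disk give the first and most recent time that target was opened; and the volume serial in the link is the filesystem's serial, assigned when the flash drive was formatted, so it is matched against the serial of the seized drive's volume, not against the USB device serial in USBSTOR. A full parser would also read the optional extra data blocks after the string data, such as the TrackerDataBlock with the originating machine's NetBIOS name and MAC address.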
Persistence and a methodical approach are invaluable in digital forensics. It all began with “That One Artifact”: the critical metadata from the deleted document that led to identifying the suspect.
A detailed examination of USBSTOR, MRU, Shellbags, and LNK file artifacts then established a clear and undeniable link between the flash drive and the suspect’s laptop. Combined with his coffee shop receipt, these artifacts provided irrefutable evidence of his interaction with the illegal material. The suspect, a premed student with aspirations to work in pediatrics, was arrested, pled guilty, and received a long prison sentence.