Boise resident Josiah Colt was the sort of Facebook user who would post paranoid conspiracy theories. He claimed the 2020 election was stolen. He posted a link speculating that "concentration camps" were being prepared for those who wouldn't take their COVID vaccine.
And yet, for all that belief in the government's far-reaching power, Colt entered the U.S. Capitol with other rioters on Jan. 6, rappelled down the balcony of the Senate chambers, sat in the vice president's Senate seat, took out his phone and broadcast himself on Facebook bragging about what he'd just done.
"I just got in the Capitol building!" Colt panted on the video, wearing a Trump bandana around his neck. "I was the first one. I hopped down into the chamber."
Colt, as you might expect, was later arrested. Like many observers, Spokane digital forensics expert Josiah Roloff was astonished about how reckless the rioters were with their identities.
"I found it surprising that that many people were in the middle of the Capitol, potentially going to face some sort of investigation from law enforcement," he says, "and still they all brought their cellphones with them, and they videotaped, and they took pictures."
But even if they had kept their phone in their pocket the whole time, it could have incriminated them.
"Just having your phone is enough," Roloff says. "Every single person who brought their phone into that area is going to be known by law enforcement if law enforcement chooses."
Roloff would know. He says the defense teams in about a half-dozen Capitol riot cases have retained Roloff Digital Forensics for his expertise, and many more have reached out.
"Some of the cases that we've been contacted about are not even the people who physically traveled to the Capitol, but the people who communicated about it online with them," Roloff says.
It wasn't just the Capitol riot. Attorneys representing clients being prosecuted for their actions at Black Lives Matter protests turned to him as well.
"With some of these protests, people wearing masks and joining large groups made people feel anonymous," Roloff says. "But if they brought a mobile device tied to their identity, they're not."
For 18 years as a digital forensics investigator, Roloff has been hired by prosecutors, defense attorneys and private investigators to legally hack into computerized devices, analyze what he finds and occasionally testify in court. But as the devices have become more powerful and more omnipresent — and all the data less decentralized — the sheer quantity of information on any given person has become more and more overwhelming.
"I think that the Capitol riot is going to be maybe a little bit of a wake-up call to the public about just how much information is out there just by simply having your phone in your pocket," Roloff says.
It's not just something for accused criminals to worry about — it's a concern for journalists who receive leaks of confidential information or for protesters in Hong Kong being tracked by a tyrannical government.
All the data sources, when put together, Roloff says, "can show where the person lives, where the person works, where they go to church, who their friends are, what coffee shop they stop at every other day. ... That's probably one of the scariest things."
It may seem odd for a digital forensics company to remain located on the sixth-floor of a downtown Spokane office building rather in a tech hub like Seattle, San Francisco or Portland.
Credit Fairchild Air Force Base, Roloff says. A major chunk of their business comes from the Department of Defense, and being close to such a facility is key. In July, he'll be traveling to an air base outside London, where he's partnering with the DOD as it prosecutes an airman on multiple allegations of sexual assault.
But when he first got into this business in 2003 — before Mark Zuckerberg launched Facebook or Steve Jobs introduced the world to the iPhone — digital forensics was relatively simple: It was about digging into a computer's hard drive. A computer may have had a login password, but it didn't matter.
"From a digital forensics perspective, it does nothing to stop us from getting access to that data," Roloff says.
He could bypass the login screen entirely and just comb through the raw data. Not only that, but he'd find the spot where the password was located, translate it from computer code, and try the password in other places like the user's email account.
The door may be locked from the outside, in other words, but he can metaphorically break in through a window, snag the key ring from a bowl in the kitchen and then try to use it to unlock the car in the driveway.
These days, smart users will encrypt their data, making it a lot trickier to crack without a password. But Roloff only has to get lucky once.
"Say we get 10 devices, nine of them are encrypted or strongly protected," Roloff says. "But someone forgets about their old device they're not using anymore and then we take that, we dump the data, and then we decrypt all the different passwords that the person's been using."
And these days, they don't even necessarily need the computer.
"We're getting data from so many sources. Third parties are capturing it and storing it in the clouds," Roloff says. "The sheer volume of all the places you can go to see what someone has done, said, thought — that has changed also."
On one one of his three computer screens in his office, he pulls up a map of cellphone towers and big red blotches representing the cellphone tower's combined reach.
Whenever someone makes a phone call, you can use the data about which cell towers that call pings — and from which direction — to get a general idea of a person's location at the time of the call. That's been around for a while.
"The data a decade ago was way more sparse, less accurate, less known and less understood," Roloff says.
But today's smartphones can give you so much more detail. Phones pinpoint your location data through GPS. They log every Wi-Fi network in your vicinity, even if you have your phone's Wi-Fi turned off. Your phone itself may not keep that data very long. But the apps on your phone — like Facebook, Yelp, even weather apps — harvest that data constantly to serve you ads.
"I work a lot of cases where we get this information from Google, Facebook, and this is not information they get rid of because they monetize this information," Roloff says.
Take all that data and overlay it together, and entire patterns of movements and habits emerge.
"It's an amazing story that it can tell you," he says.
And it doesn't matter if your phone is encrypted or not. As long as you've got your location turned on in any app, you're bleeding out data that can be subpoenaed.
Maybe you're smart enough to leave your phone at home or turn it off when you go to commit a crime, attend a protest or meet with a confidential source. But that itself can be a damning bit of evidence. You want to tell me you carry your phone with you for 364 days a year, but the one day the investigator is scrutinizing, you just happened to leave it at home?
"It's the one time it's left behind and not following its pattern," Roloff says. "That can be very glaring."
"The sheer volume of all the places you can go to see what someone has done, said, thought — that has changed also."
tweet this
If digital data is that incriminating, it may seem like Roloff would be of limited use to a defense team. Yet, Roloff just got back from Portland, where he's working with the defense teams of three homicide cases.
He says he helps those teams understand what kind of digital evidence has been collected, what might be still out there, and what might be deceptively incomplete. And then he analyzes it.
Defense attorneys want to know "what pitfalls might be out there" for their case, he says, and "what landmines not to step on."
Sometimes, he ends up investigating the bad behavior of the government. Take the case of Eddie Gallagher, the Navy Seal who was on trial in 2019 for war crimes he'd allegedly committed in Iraq.
Someone was leaking information to the media in violation of a gag order. So government prosecutors sent out confidential emails, Roloff says, containing a web image hosted on a site that they controlled. And so as soon as anyone — whether they be on the defense team or a member of the media — loaded that image, it would tip off the prosecutors to a bunch of details about who had opened the email: their browser, their operating system and their I.P. address, the unique identifying address of a computer's internet connection.
After Roloff testified about what the government had done, Gallagher was temporarily released from custody. (Gallagher would later be convicted, but was ultimately pardoned by President Donald Trump.)
"It's a wild world that we're in," Roloff says. "And it's the wild, wild west for digital evidence."
And the west just keeps getting wilder. In recent years, he's tapped into a whole new form of data collection: the Amazon Echo. Since the Echo is always listening in for your commands, it's always recording.
"You have lots of audio recordings that have never had anything to do with a valid command," Roloff says. "It still has that recording, in kind of an unstructured area of memory for a period of time."
And the more things become digital, the more they become connected to every area of our lives.
"We're gonna at some point be collecting data from people's fridges," he says. ♦
