Criminal Defense Investigation: Theory, Practice, and Methods

Do you want a physical copy of this book? You can purchase a copy through Amazon.

Recommended citation:

Pennington, Jeremy. Criminal Defense Investigation: Theory, Practice, and Methods. Ironton: Pennington & Associates Ltd., 2016


Model Construction

A map is needed to navigate an effective criminal defense investigation; this is referred to as a “model.” A criminal defense investigator is faced with an overwhelming amount of information during complex investigations. In many cases, handling these types of investigations is similar to wandering in the fog. You do not find anything unless you trip over it. Unfortunately, this is the approach of many investigators. Their idea of an investigation is to start turning over every rock until they find something of interest, which the investigation then focuses on. This approach is based on tradition and not logical reasoning. In many cases, the traditional approach is highly effective in promoting a single hypotheses. In most cases, this is how the defendant ends up paraded in front of the gallows. The criminal defense investigator must surpass the traditional approach to adequately support the responsible criminal defense attorney.

The information encountered during a criminal defense investigation is similar to a box full of papers with no logical arrangement to ease the discover of the information needed. Often, this is literally the case during a criminal defense investigation. The criminal defense investigator is provided a box full of papers, known as the discovery file. Approaching this file can be akin to utilizing a dictionary out of alphabetical order and being unaware of the meaning of any word in the English language. Many questions immediately arise when considering this box of papers. What is important? How is each document connected? What does each document represent regarding the alleged crime? Typically, sorting and interpreting information contained in the box is based on the experience and intuition of the investigator. Simply stated, this leaves a considerable amount of possibilities to chance.

This book proposes an alternative to the traditional approach of processing information by investigators: the use of a “model” for processing information and knowledge creation or extraction. A model is a representation of an idea, real world conditions, or a system in the world. In many cases, a model describes how a system in the real world will behave. In general, models are used by investigators to interact with, instead of addressing the real system or real world conditions. A model is of special importance to the criminal defense investigator from the standpoint of collections and analysis. A model can be generated in a wide array formats. A model can be generated as a physical model, a tangible representation, a conceptual model, or a mental theoretical concept. A criminal defense investigator will find utility in all types of models depending on the issues faced in each respective case. The subtype of these models can vary widely and are beyond the scope of this book. Generally, considering collection and analysis issues, a conceptual model that is descriptive with components having deterministic, stochastic, and dynamic qualities is extremely beneficial to the criminal defense investigator.

A descriptive model simply describes an idea or concept. For a criminal defense investigator, a descriptive model would describe an alleged crime, a peer-to-peer network, or an investigative methodology. The model can have deterministic or stochastic properties. In some cases, the model may exhibit both properties. Deterministic properties are known relationships within the model. Stochastic properties are attributes of uncertainty. These two types of properties are common in any model utilized by a criminal defense investigator. For example, an alleged crime will always entail an initial known relationship established by the State. The alleged crime will also include relationships or variables that are unknown or denied by the State. On the other hand, all criminal defense investigations are dynamic in nature. Information always undergoes change over the lifetime of the investigation. This is due to the dynamics at play during an investigation, which vary widely from denial and deception to changes in investigative tasks. As a result, any model utilized by a criminal defense investigator will be dynamic in nature. The investigator will add and subtract information from the model over the lifespan of the investigation. A single change in the model will effect the whole model.

The criminal defense investigator utilizes a model in two different respects. First, a model is used to guide the investigator through information collection. In any investigation, the challenge is always determining what information is important enough to allocate investigative resources too. A model can be utilized as an explicate guide in initial collection operations. Second, after the criminal defense investigator has built the model, knowledge extraction can occur. For example, a peer-to-peer network model can be utilized to identify supporting and possible hostile relationships. Without the model, this knowledge would be elusive, but with the model this knowledge can be extracted. Thus, a model assists an investigator during collection operations and during knowledge extraction.

A Model for Criminal Defense

A map is needed to navigate an effective criminal defense investigation; this is referred to as a “model.” A criminal defense investigator is faced with an overwhelming amount of information during complex investigations. In many cases, handling these types of investigations is similar to wandering in the fog. You do not find anything unless you trip over it. Unfortunately, this is the approach of many investigators. Their idea of an investigation is to start turning over every rock until they find something of interest, which the investigation then focuses on. This approach is based on tradition and not logical reasoning. In many cases, the traditional approach is highly effective in promoting a single hypotheses. In most cases, this is how the defendant ends up paraded in front of the gallows. The criminal defense investigator must surpass the traditional approach to adequately support the responsible criminal defense attorney.

The information encountered during a criminal defense investigation is similar to a box full of papers with no logical arrangement to ease the discover of the information needed. Often, this is literally the case during a criminal defense investigation. The criminal defense investigator is provided a box full of papers, known as the discovery file. Approaching this file can be akin to utilizing a dictionary out of alphabetical order and being unaware of the meaning of any word in the English language. Many questions immediately arise when considering this box of papers. What is important? How is each document connected? What does each document represent regarding the alleged crime? Typically, sorting and interpreting information contained in the box is based on the experience and intuition of the investigator. Simply stated, this leaves a considerable amount of possibilities to chance.

This book proposes an alternative to the traditional approach of processing information by investigators: the use of a “model” for processing information and knowledge creation or extraction. A model is a representation of an idea, real world conditions, or a system in the world. In many cases, a model describes how a system in the real world will behave. In general, models are used by investigators to interact with, instead of addressing the real system or real world conditions. A model is of special importance to the criminal defense investigator from the standpoint of collections and analysis. A model can be generated in a wide array formats. A model can be generated as a physical model, a tangible representation, a conceptual model, or a mental theoretical concept. A criminal defense investigator will find utility in all types of models depending on the issues faced in each respective case. The subtype of these models can vary widely and are beyond the scope of this book. Generally, considering collection and analysis issues, a conceptual model that is descriptive with components having deterministic, stochastic, and dynamic qualities is extremely beneficial to the criminal defense investigator.

A descriptive model simply describes an idea or concept. For a criminal defense investigator, a descriptive model would describe an alleged crime, a peer-to-peer network, or an investigative methodology. The model can have deterministic or stochastic properties. In some cases, the model may exhibit both properties. Deterministic properties are known relationships within the model. Stochastic properties are attributes of uncertainty. These two types of properties are common in any model utilized by a criminal defense investigator. For example, an alleged crime will always entail an initial known relationship established by the State. The alleged crime will also include relationships or variables that are unknown or denied by the State. On the other hand, all criminal defense investigations are dynamic in nature. Information always undergoes change over the lifetime of the investigation. This is due to the dynamics at play during an investigation, which vary widely from denial and deception to changes in investigative tasks. As a result, any model utilized by a criminal defense investigator will be dynamic in nature. The investigator will add and subtract information from the model over the lifespan of the investigation. A single change in the model will effect the whole model.

The criminal defense investigator utilizes a model in two different respects. First, a model is used to guide the investigator through information collection. In any investigation, the challenge is always determining what information is important enough to allocate investigative resources too. A model can be utilized as an explicate guide in initial collection operations. Second, after the criminal defense investigator has built the model, knowledge extraction can occur. For example, a peer-to-peer network model can be utilized to identify supporting and possible hostile relationships. Without the model, this knowledge would be elusive, but with the model this knowledge can be extracted. Thus, a model assists an investigator during collection operations and during knowledge extraction.

A Model for Criminal Defense
The General Criminal Defense Investigative Model (GCDIM) is applicable to all forms of alleged criminal activity. This model assists the criminal defense investigator to search for and assess information. In general, this model initially acts as a blank template at the onset of a defense investigation. As the defense investigation progress, an actionable model is developed and utilized to extract knowledge.

At the foundation of GCDIM is the Criminal Activity Equation, which is as follows:

Criminal Activity = Intent + Opportunity + Ability

This Criminal Activity Equation demonstrates specifically what variables must exist for an individual to commit a crime. However, the equation does not prove an individual is guilty because they possessed the intent, opportunity, and ability to commit the crime. However, all these variables must be in place for an individual to have committed an alleged crime. In simple terms, if these variables are not in place than the individual is innocent. On the other hand, if these variables are in place, the individual may be guilty. Generally, the alleged presence of these variables is the arena where criminal defense investigations take place.

Intent is a core element of most criminal statutes. This variable is by far the most difficult one to document and measure with a high degree of certainty. In many cases, an individual’s intent is measured through physical actions. For example, premeditated murder in most jurisdictions is evident by the accused bring or retrieving the murder weapon throughout the alleged crime. On the other hand, the accused’s internal thoughts are measured through statements made to witnesses, in personal writings, and in public outbursts. Thus, intent is a variable that simply refers to what the person intended to accomplish.

One of the most common robust defenses counters is the alibi. This eliminates the opportunity variable. If the accused individual was not in the location of the crime, how did they commit the crime? Simply put, they could not have. However, most criminal defense investigation are by no means this simple. The matter of opportunity can reach levels of complexity far exceeding any Hollywood script. Determining opportunity is a complex process of assessing temporal and geospatial information. Nevertheless, opportunity is simply whether the individual was at the alleged crime scene at the specific time that the crime was committed.

The ability variable is complex and often overlooked during complex criminal cases. The accused’s physical ability is directly measured through this variable. For example, could the accused have hid the three-hundred-pound victim’s body in an attic? This is a simple scenario but illustrates how this variable directly impacts findings of innocence or guilt. However, “ability” is not limited to the accused’s physical ability, it also takes into account access to physical items, geospatial limitations, and specialized knowledge. Thus, the variable of ability simply refers to whether the accused had the means to commit the alleged crime.

The Criminal Activity Equation is useful as a high-level theoretical lens for assessing criminal activity. However, in practice, it holds limited utility in the area of structured analysis. In general, the primary drawback to the equation is its overly simplistic nature. For example, when considering the Criminal Activity Equation, what specifically should the criminal defense investigator focus on during an investigation? Moreover, what are the primary collection needs for use in analysis? After assessing these questions, the equation’s clear lack of utility emerges. Thus, a detailed model is need to provide actionable utility to the Criminal Activity Equation.

The author developed GCDIM to add actionable utility to the Criminal Activity Equation. Actionable Utility is not easily achieved. No “off-the-shelf” models exist and any models purporting simplistic solutions would fail. In general, one persistent issue arises with criminal acts. Every criminal act, and every human act in general, is a completely unique event in time. In theory, a specific criminal act will only occur once in human history. This is why attempts to utilize statistical studies of criminal acts have failed to provide any real actionable utility. In criminal investigations, the generalization of criminal behavior has no real actionable use to criminal investigators or criminal defense investigators.

The lack of an effective “off-the-shelf” model does not preclude the utility of more complex, adaptable models. Because every criminal act is a completely unique event in time, a model needs to be rebuilt and rebuilt with each alleged criminal act. This need to “rebuild” the model on the fly is critical and is fulfilled by using a multipurpose model that is presented as a template, i.e., the model has no data. This form of model presents two advantages. First, the model’s empty data structure allows the criminal defense investigator to collect the necessary information to meet the model’s data needs. Second, when the criminal defense investigator utilizes the model, the resulting data extraction is based upon information specific to the alleged crime rather than a simplistic generalization. Thus, the model has actionable utility.

GCDIM is based on the Criminal Activity Equation and further expanded with temporal, geospatial, topical, and network data. For clarity, a tree structure is utilized to illustrate GCDIM.
The simplest of forms can be illustrated as follows:

Criminal Act

Intent or Opportunity or Ability

  • Temporal
  • Geospatial
  • Topical
  • Network

This simple model illustrates how information is utilized across the model. With each indentation, a subcategory of the tree is established, which equals a more granular level of detail. However, this simple mode is not very useful as a template. What is needs is a model of explicit information demands. For example, the following underdeveloped model illustrates this approach of explicit information demands:

Alleged Criminal Act

Opportunity

Temporal

  • What date and time did the criminal act start?
  • What date and time did the criminal act end?
Geospatial

  • Where did the criminal act originate?
  • Is the criminal act limited to one location?
  • Where did the criminal act terminate?
Topical

  • What was the social setting of the criminal act?

Based upon the above example, a model can demand information, which the criminal defense investigator responds to by systematically collecting information to answer each listed question. This example illustrates how actionable utility is generated using a model.

General Criminal Defense Investigative Model

GCDIM is used through the same methodology of responding to a model’s information demands. But, how is this model used to exploit information? In general, once the model has been populated to the degree of reflecting real world conditions, which at times will be limited, the information contained in the model is processed through structured analysis. Information exploitation, previously termed “knowledge extraction,” is discussed in depth in later chapters.

The model is not intended to be all-encompassing but rather as a template for real world use by a criminal defense investigator. This model is meant to be used from the onset of an investigation until its completion. In many cases, the model will be expanded throughout the investigation’s lifecycle. This process of expanding the model is discussed in detail within the discussion on diagnostic analysis presented in later chapters.

The abstract context of a criminal defense investigation requires a model that is scalable based upon the needs of the investigation. The need for scalability is directly tied to the unforeseeable number of witnesses, physical evidence, and many other forms of information that vary from case to case. This scalability is resolved by utilizing a model comprised of components that can be duplicated on an endless scale. Moreover, the components can be organized to represent the underlining network between real-life individuals, locations, and physical evidence. Using these components, a scalable and networked model is possible. The GCDIM is made up of seven distinct yet interdependent components. These components are depicted in Figure 10.1.

The date/time component (DTC) represents all dates and times documented within the GCDIM and includes temporal data. Moving to the bottom of the model’s visual representation, the location component (LC) holds geospatial data. Climbing further up the model, the physical evidence component (PEC), witness component (WC), natural event component (NEC), record component (RC), and analysis component (AC) represent topical data. All of these components combined represent network data. The visual representation is organized to show the interdependency between the components. Essentially, it depicts the components as stacked blocks with the exception of the DTC, which is set vertically, representing the strong date/time aspect that relates to all components. All other components are stacked based upon their theoretical network relationship.

The GCDIM could be made more complex by including an abundance of further components. For clarity and scalability, it has been reduced to its core components. For example, a component representing individual physical actions could be used; however, this has been incorporated in the WC component. Why? Because physical actions can only be made by an individual. Having a separate component would only add unwanted complexity to the model.

For clarity, the GCDIM components are explained in the following descriptions:

Date / Time Component (DTC)
The DTC is an extremely important component. The cause and effect of time on any alleged crime are always intensely examined. The DTC is meant to document all known temporal data. The temporal data will be derived from all forms of information, from witness interviews to telephone records. The key is that the temporal data must have a degree of certainty. If an accurate time is not available, generalized times should be utilized. Typically, one- or two-hour blocks of time should be used. However, all reasonable efforts should be made to reduce these timeframes to a level that has actionable utility. In some cases, however, this may not be possible.

Location Component (LC)
The LC is probably the second most important component of the GCDIM. Generally, geospatial data is viewed in a general sense, for example, the address of a residence. To a limited degree, this is completely adequate. However, when geospatial data is involved, the level of accuracy should be carefully considered and at the forefront of the criminal defense investigator’s mind. The difference between where an alleged crime occurred and the location of physical evidence in the alleged crime scene illustrates this need. In some cases, a mere six inches can spell the difference between the evidence proving guilt or innocence. As a general rule, a criminal defense investigator should ensure the highest level of accuracy in geospatial data, when possible. The key is not necessarily where a location is represented by geospatial data but the location in relation to another location point. Thus, the LC is not a physical place but a construct used to determine where a location is in relation to its surrounding environment.

Physical Evidence Component (PEC)
The PEC represents a wide array of information, from trace evidence to large physical items. Essentially, if something exists in the physical world, it is documented through the PEC. For the novice investigator, this is concept can seem abstract. For example, is a dent in a car door physical evidence? Which is the evidence: the car door or the dent? The car door itself is the physical evidence, which by description has a dent. This is an important distinction. Physical evidence is descriptive in nature. In simple terms, the physical item is not important, but its physical condition is important and can only be communicated through a clear description. This is why photographs are so powerful in communicating physical evidence. Thus, the PEC is meant to describe the physical world.

Witness Component (WC)
The WC represents all witnesses involved in the alleged crime. Witnesses include all defendants, alleged victims, law enforcement officers, other first responders, and any other individuals who can provide some level of testimony regarding the alleged crime. The possibilities can vary from eyewitnesses to the medical examiner.

Natural Event Component (NEC)
The NEC is a component that is overlooked during many criminal defense investigations. It will typically not have an impact on an alleged event, but when it does come into play, considerable actionable utility can be gained. The NEC includes any form of weather conditions, the level of light, natural events causing a social impact, space weather or other forms of natural events. Natural events causing a social impact refers to floods, earthquakes, tornados, and hurricanes. Space weather is an under-considered variable, but it does cause an impact on the Earth’s surface, specifically, radio communication and other electrical disturbances.

Record Component (RC)
The RC covers a vast amount of possible information. Typically in the area of criminal defense investigation, records are collected from automated systems such as security cameras and telephone records. With limited verification, automated records hold a considerable amount of credibility. On the other hand, the RC also includes records generated by law enforcement personnel, government employees, private companies, and private individuals. These records require robust verification and may be deemed to hold no credibility at times.

Analysis Component (AC)

The AC component may not be present in all criminal defense investigations. The AC deals directly with evidence interpretation by the criminal defense investigator, private entities, and governmental organizations. This includes a wide array of information, from lab reporting to formal analytical products produced by a criminal intelligence analyst or a criminal defense investigator.

General Criminal Defense Investigative Model

GCDIM is a networked model. Each component is connected to other components dependent on the interdependency (network) of the information that defines an alleged crime. This networked aspect of GCDIM is another layer of information from which knowledge can be extracted. The components of the GCDIM are enumerated below. Each facet of information that could represent a connection to another component is represented by the symbol “—>” pointing to the specific component.

General Criminal Defense Investigative Model

At first glance, utilizing the GCDIM can seem overwhelming. However, the model is not meant to be utilized in the form presented above. The application of GCDIM will vary from one criminal defense investigator to the next. The model can be built into a paperwork system or a database. Ideally, the model should be represented in two forms. First, it should be represented in the narrative reporting generated by the criminal defense investigator, which is used by the criminal defense investigator and the criminal defense attorney. Second, the model should be represented in a network chart. Although, all facets of information cannot be illustrated in this chart, the network itself should be represented in a simple visual depiction. No matter the how GCDIM is applied, the documentation generated through the use of GCDIM should be usable and complete in a manner that meets the criminal defense investigator’s personal work preferences. The information contained within GCDIM is meant to be utilized in structured analytical techniques. Thus, the ability to retrieve information from GCDIM is critical.