Electronic Evidence in Family Law: Perry Mason Goes Digital
ABA Annual Meeting, Boston, MA. August 8, 2014
Presented by Sharon D. Nelson, Esq. and John W. Simek
President and Vice President, Sensei Enterprises, Inc.
703-359-0700
[email protected]
[email protected]

Posts from the blog Ride the Lightning by Sharon Nelson

May 01, 2014
How Do You Cover Your Electronic Trail When Having an Affair? Part II

This is the last in my series of posts answering questions we were asked by family lawyers in a recent Las Vegas conference. I am still shocked that so many lawyers are being asked by clients to help them conceal affairs and wonder about the ethical implications of giving such advice in those states where adultery is illegal. I suggest any lawyer giving that sort of advice consult their state's Bar Counsel, Ethics Hotline, etc. Here are some thoughts about what we were asked (and hat tip to my forensics staff again for their research):

Hal Pomeranz, a digital forensics investigator who is a SANS instructor, suggested using a bootable CD so nothing is written to the hard drive. He also mentions using a pre-paid disposable phone and using pre-paid gift cards bought with cash for purchases.

One person asked us about the app TextMe. We have found artifacts from that app - and here is an in-the-weeds article about getting information from that app. This app is more about "free texting" than privacy, though it has some privacy features.

We have not run into Ashley Madison yet in our cases, but it is a site for "married dating" (sad reflection on our society). You have to be married - I guess so that you both have skin in the game. It has a "Panic" button which will immediately take you to a family friendly site - presumably if you are stupid enough to be using it when your spouse (or boss) is around. It also offers anonymous billing. It has a Blackbook app for private communications - more about that may be found in a ZDNet post which refers to it as the "worst pitch of the month."
Not exactly the right target market for this sort of thing, though I did smile because, after all, it did result in a story and lots of publicity. Some 18 million people use Ashley Madison (so the site claims) which makes it surprising that we haven't seen it yet in our lab. Here is an FAQ from the site which made me laugh:

"Does Ashley Madison encourage infidelity? No, Ashley Madison does not encourage anyone to stray. In fact, if you are having difficulty with your relationship, you should seek counseling. However, if you still feel that you will seek a person other than your partner to fill your unmet needs, then we truly believe that our service is the best place to start."

Yes, a site built for straying certainly does not encourage anyone to stray. Good grief. OK, I have now done my best to answer all the questions we were asked and feel like I've been swimming in a sewer. I am delighted to say that this happily married woman had never seen these sites. I am delighted that this brow-scorching research is now over!

April 29, 2014
How Private is Private Browsing?

I am sure the guys in my forensics lab are hoping not to receive any more email "homework" from their boss. They have been very patient as I attempt to answer questions from CLE audiences. One recent question was about how effective private browsing is, so I asked my forensics technologists to do some testing. Their testing included IE, Chrome and Firefox using a unique list of search terms to run in each browser with private browsing enabled. They ran our usual browser history tools across the drive. In the test environment, there was limited recovery of artifacts. However, as they pointed out to me, previous experience has shown us this is not always the case and they do sometimes recover web history from private browsing sessions.
In short, while features like “InPrivate Browsing” (IE), “Incognito Mode” (Chrome) and “Private Browsing” (Firefox) usually leave much less behind than a standard configuration, artifacts are often still recoverable in locations like the pagefile. So it is obviously better to use private browsing than not if you want to protect your privacy, but don't think it is a silver bullet. If you want to learn more, here is one good article describing Firefox's Private Browser and what can be recovered. It also links to articles with similar information about the other two browsers.

April 28, 2014
How Do You Have an Affair and Cover Your Electronic Tracks?

We lectured last Friday at the 2014 AICPA/AAML National Divorce Conference in Las Vegas. Great conference and a great time, including great seats with friends at Elton John's Million Dollar Piano concert. The session had an overflow crowd and boy, were they engaged. But they surprised us.

We have given the presentation "Perry Mason Goes Digital: Electronic Evidence in Family Law" many times. Typically, we get a lot of questions about how lawyers can get access to electronic evidence. But this audience asked a lot of questions - no other audience has ever done this - about how to keep your electronic trail hidden when having an affair. Apparently, this is what clients are now asking their lawyers. Who knew?

They wanted to know about SnapChat (bad idea) and asked about TextMe and Ashley Madison, whose tagline is "Life is Short. Have an Affair." They were quite clear that clients expected advice on keeping these affairs private.

So we are curious - do readers have thoughts about some of the products designed to hide extramarital affairs? Every product we have ever seen leaves a digital trail - one way or another. But we're always learning - so weigh in if you have information to share.
As I promised the audience, having debunked the notion that SnapChat is safe (that one we've dealt with), we will check out other common software used to conceal the electronic tracks of lovers. This is the sort of research that scorches the eyebrows, but having promised the audience, we will soldier on.

A new phone that you will certainly see used in family law as time goes on.

March 05, 2014
Are You Getting a Blackphone to Protect Your Privacy?

There was an interesting article in The Telegraph yesterday. Many of you have undoubtedly been following the development of the Blackphone. The Blackphone, which launched at Mobile World Congress 2014, is the result of a joint venture between Silent Circle and Geeksphone. It claims to be the world's first smartphone which places privacy and control in the hands of its users.

Blackphone's operating system, PrivatOS, is built on Android and features several pre-installed privacy tools, including the Silent Circle suite of apps, anonymous search, private browsing, VPN from Disconnect, and secure cloud file storage from SpiderOak. It also comes with a remote-wipe and device recovery tool.

While there have been high expectations for the Blackphone, Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience team said, “By owning a ‘black phone’ a user could become a target as it acts as a red flag to criminals, highlighting that there’s something to hide. As the devices attract and house high value data, attackers will be inclined to break in.” I'm not sure that would deter me from buying one, but it might be a valid point.

The Blackphone, which costs $629, is powered by a 2GHz quad-core processor and features a 4.7-inch HD screen, 2GB of RAM, 16GB of storage, an 8-Megapixel primary camera with flash and a 1.3-Megapixel front camera. It is scheduled to ship to the first customers in June 2014 but may be ordered now at the Silent Circle website.
Caveat: The Blackphone is a GSM (Global System for Mobile) phone only, so you have to have a carrier that supports GSM. T-Mobile and AT&T do support GSM.

E-mail: [email protected]
Phone: 703-359-0700
http://www.senseient.com
http://twitter.com/sharonnelsonesq

January 28, 2014
Want to Watch Yourself Have Sex? There's an App for That.

A new source of electronic evidence in family law.

I see a new source of evidence in family law cases coming at us - courtesy of a new app called "Sex with Google Glass." As reported by The Huffington Post, the app allows you to watch and record yourself having sex and “see what your partner can see." Just say, “OK Glass, it’s time,” and Glass will stream to you and your partner what you each can see. When you are ready to stop recording (I couldn't make this up) you say, "OK Glass, pull out."

The app can be synced up to a smart lamp or home device to control lighting, music and even lessons from the Kama Sutra -- you just say "OK Glass, give me ideas." There goes the death of imagination . . .

You can record your sex too - the app (its creators say) will automatically delete your footage after five hours. This made me chortle. I know we will end up seeing these recordings in our lab. Just like Snapchat, there will emerge ways to preserve the recording.

The same developers intend to launch a free iPhone version called "Glance" in February - ahead of the Google Glass release later this year. Now we KNOW that we will see recordings from that app. Want to keep up with all this and be the first on your block to have these apps? You can sign up here. I'll let you know when the first recording from one of these apps hits our forensic lab.

October 16, 2013
Snapchat - Your Recipient Can Save Your Incriminating Photos Forever

Interesting how often young men stammer when I ask them about their use of Snapchat.
Apparently, the idea of sending (in particular) inappropriate photos that disappear after a few seconds has great charm. Who knew?

For my young friends, male and female, be aware that there are apps which allow you to log into your Snapchat profile and open photos without a timer. So long as you open the photos in the app first, you may keep them as long as you want. Do I hear a sharp anxious intake of breath? I should, for there are other back doors into Snapchat as well. And, if you are not apprehensive enough, consider that Snapchat says it has given law enforcement about a dozen unopened Snaps when served with law enforcement search warrants since May of 2013. And Snapchat Stories are subject to the same treatment.

My recommendation: If you don't want to be forced to "own" inappropriate photos you've sent, don't send them. Parents of teenagers/young adults who may be using Snapchat might want to pass this information along.

Rest assured that there are still plenty of “black apps” like this one.

August 29, 2013
Boyfriend Tracker App Removed from Google Play Store

Another story for our electronic evidence in family law presentations! I heard about this story on NBC's Today Show - and then it was everywhere. We do seem to have an insatiable appetite for the salacious.

The particular app in question, "Rastreador de Namorados" (Portuguese for Boyfriend Tracker), was removed from Google Play last week, amid concerns that it could be used for extortion or stalking. The app requires access to the phone to install it, but once installed, it would allow a woman to track her boyfriend's location, forward duplicates of text messages, and even force his phone to silently call hers, so she can listen in on conversations. This nasty app was downloaded 50,000 times since it launched about two months ago.
Apparently, there are a lot of jealous girlfriends in Brazil, where it debuted and spread like wildfire. Needless to say, using this app is illegal in the U.S. Though supposedly it was vetted by a lawyer and found to be in compliance with Brazilian law, there are arguments about that. There are similar apps, the use of which would all be illegal in this country.

One interesting exception to the use of illegal apps is "Spy Your Love," which allows partners to monitor each other's mobile activity, including phone calls, texts and Facebook messages. However, in that case the monitoring is mutual and consensual, whereas Boyfriend Tracker is covert. Just try getting a cheating boyfriend/spouse to install Spy Your Love. Hah! Only if they had a second phone . . .

August 27, 2013
Social Media Postings Suggest Higher Income in Child Support Case

If you're trying to hide your income, don't put evidence of your professional success and lavish life style on social media - or your website. That's a lesson that defendant Jason Duff learned the hard way.

A Gibbons law firm E-Discovery News Alert highlights a recent New Jersey Appellate Division opinion, Fitzgerald v. Duff. The proceedings involved Duff’s attempt to modify a previously-entered child support order by submitting his 2011 income tax return, which reported a taxable income of $21,000 from a cash tattoo business. The child’s legal custodian filed a certification opposing modification of the support order, suggesting that much of the defendant’s income was unreported and that a much higher child support obligation was warranted. The custodian submitted copies of defendant’s web site, Facebook photographs, and various social media comments demonstrating his financial success. The website indicated multiple locations of the tattoo parlor and plans for its imminent expansion.
It featured three staff tattoo artists and advertised that defendant provided tattoo services for professional football players. Facebook photographs showed the defendant throwing $100 bills, his speed boat, a 2011 Chevrolet Camaro, his elaborate tropical wedding, and accompanying diamond engagement ring and wedding bands. Comments from the father’s Myspace page included statements that in four hours he earns $250, his schedule had “been packed so [he could] pay for this wedding,” and that he purchased television advertising spots.

Based on this evidence, the Trial Court “imputed” to the father an annual income of at least $100,000 and modified upward his child support obligations from $67 to $264 per week. In his motion for reconsideration, the father argued the Court lacked any competent admissible evidence to establish a $100,000 income. The father also proffered additional tax returns to support his contentions, certified that he sold his boat for $1,700, claimed the Camaro was financed, and alleged his family paid for his honeymoon. The trial judge rejected the motion, stating he was “just not convinced that the defendant’s lifestyle and finances are what he purports them to be.”

On appeal, the Fitzgerald court concluded the trial judge’s decision lacked the fundamental fact-finding required by Rule 1:7-4 and remanded the case for the trial judge to clearly identify what evidence was accepted and rejected, and why. Importantly, the Fitzgerald Appellate Court also noted many inconsistencies with the father’s contentions, and suggested heavy reliance on the electronic and social media evidence might be warranted.

Mr. Duff will get another whack at proving his income, but my guess is that the trial judge is pretty well convinced that the defendant is hiding money (maybe from the IRS as well) and will require clear and convincing evidence to back up his assertions.
One of our most popular presentations is "Perry Mason Goes Digital: Electronic Evidence in Family Law." I am always delighted to see cases like this one make the news - there are so many that refreshing our seminar content with recent news is a veritable breeze.

August 15, 2013
Is Your Pet's Name Your Password? Shame, Shame.

Talk to your clients about strong passwords!

As a recent post from Naked Security noted, if you want to hack into someone's account, try "Bella" as a password. Why? It's the most popular name for cats and dogs in the U.S. and pet names are the most common passwords. If you're thinking, "stupid, stupid, stupid," you're right, but a recent survey by Google Apps had even more depressing news:

- 67% of us only change passwords when we have to. (sigh, guilty as charged on that one - and thank you John for making sure I am forced to change passwords)
- 21%, or one in 5, people admit to having clicked on spam links over the past year.
- 3% of those surveyed write down passwords on a Post-It note that they then glued around their desks.
- 48% share passwords with others like so many germ-saturated hankies.
- Only 41% of respondents updated their antivirus software this year.
- 19% have walked off and left their computer without logging out of a service.
- 15% of Brits admitted to peeking into their partner's emails, thanks, one assumes, to their partners having sashayed away without logging out.

Oh, and if you want to hack into the account of a Brit, try "Charlie" - the most popular pet name across the pond.

June 13, 2013
Delinquent in Child Support? Don't Flash Cash on Facebook!

Seriously? You can't pay $150 a month in child support for your three-year-old child (for three years!), but you can flash cash in a Facebook photo?
Christopher Robinson may be rethinking his Facebook posts which showed him flush with cash. They helped the Milwaukee County District Attorney's office charge him with failure to pay child support. As you might imagine, the images were sufficient to allow the district attorney's office to obtain a search warrant to investigate further, resulting in access to Robinson's Facebook profile.

Robinson, quite the model of parental concern, was served with an arrest warrant in February and failed to appear in court. If found guilty on all three counts, he could serve up to nearly 11 years in prison. "Think before you post" should have special meaning to some people.

From the Dixie Pig blog by Scott Surovell (used with his kind permission)

Sunday, March 2, 2014
"Revenge Porn:" A Crime or a Civil Action?

Last month, we sent legislation to the Governor about "revenge porn." Much of the media has focused on legislatures making it a crime, but has not provided much analysis about this issue. There's no question that ex-boyfriends or ex-girlfriends posting naked pictures of each other on the internet is stupid behavior. However, whether the Commonwealth of Virginia should invest taxpayer resources in putting people in jail and then housing them for a period of time for that behavior is a much more complicated issue.

First, here's what the "revenge porn" statute says:

§ 18.2-386.2. Unlawful dissemination or sale of images of another; penalty.

A. Any person who, with the intent to coerce, harass, or intimidate, maliciously disseminates or sells any videographic or still image created by any means whatsoever that depicts another person who is totally nude, or in a state of undress so as to expose the genitals, pubic area, buttocks, or female breast, where such person knows or has reason to know that he is not licensed or authorized to disseminate or sell such videographic or still image is guilty of a Class 1 misdemeanor....
It is important to remember that the courts review criminal statutes that deprive liberty and carry major life consequences totally differently from civil statutes. Criminal statutes must be very precise and carefully drawn. In the civil world, almost anything is game because the only thing at issue is money.

The first big problem with this statute is that revenge porn situations frequently involve websites in other states. There are several websites promoting this material who are the targets of this legislation. Just Google "revenge porn" to get an idea. This statute makes revenge porn a misdemeanor. In the seventeen years I've been licensed to practice law, I have never seen a Commonwealth's Attorney jump through the legal hoops necessary to extradite an accused person for a misdemeanor. Because state prosecutions are limited in jurisdiction and procedural tools, interstate crimes are normally the responsibility of the federal government, not state government. A state-based misdemeanor charge for this kind of behavior is not practical - it won't work unless both parties and all of the conduct occurred within the Commonwealth.

Proving a case like this is challenging. Rules of evidence do not allow the government to simply put on evidence that something exists on a website somewhere in the world. The U.S. Supreme Court has repeatedly affirmed that a criminal defendant has a right to confront their accuser and subpoena witnesses in their defense. Websites are not automatically admitted into evidence, nor does the existence of a website prove beyond a reasonable doubt who either supplied or placed the picture.

The U.S. Court of Appeals for the Fourth Circuit and the Supreme Court of Virginia have often looked skeptically upon criminal statutes that criminalize speech intended to "coerce, harass or intimidate" because they run into First Amendment issues.
Civil causes of action regarding this kind of behavior receive less scrutiny, but criminal statutes must be drafted with sufficient precision to put people on notice of what is illegal. For example, someone posting a picture of a "plumber's butt" could be prosecuted under this statute depending upon the person's intent. Picasso's Les Demoiselles d'Avignon pictured above could be argued to be revenge porn if his ex-girlfriend revokes her consent to be displayed in a picture. I'm not sure whether making fun of something or displaying artwork that the subject later finds to be unflattering is for purposes of "coercion, intimidation or harassment."

Freedom of the Press is also enshrined in both the Virginia Declaration of Rights and the U.S. Bill of Rights. In theory, this statute could criminalize a newspaper publishing a picture of a celebrity in a "cheeky" bathing suit. That probably would not pass constitutional muster.

The better way to approach this problem is to create a civil cause of action. Harassment, coercion and intimidation are concepts that are readily approved in the civil sphere. It is also much easier to sue people across state lines and judgments are easily enforced in other states. Taking a huge judgment against some of these revenge porn kingpins will be more likely to change their behavior rather than a misdemeanor conviction.

Lastly, there has been a propensity to over-criminalize conduct in recent decades and I always look upon new crimes skeptically. In his last two years, U.S. Senator Jim Webb introduced legislation to create a commission focused on reducing the number of crimes on the books and looking at rationalizing sentences. Criminalizing conduct is expensive and often counter-productive.
From my point of view, prosecutors' core responsibilities ought to focus on violent crime and large scale financial crimes that inflict far more harm on our society than much of the conduct that is the subject of new criminal statutes that gain much press. Most "revenge porn" is bad behavior, but enabling our criminal justice system to go after it is not the best deterrent.

Recent Developments: Family Law and Electronic Evidence
by Sharon D. Nelson, Esq. and John W. Simek
© 2014 Sensei Enterprises, Inc.

Because family law comprises about 25% of our cases, we stay pretty current on developments involving electronic evidence and family law. Here are some of the latest developments.

Smartphones

Boy oh boy are we seeing a lot of smartphones. This is the preferred method for communications between lovers. The phone is usually closely guarded and PIN protected. Texting is the preferred mode of communication. In general, the iPhones are rich with data, the BlackBerry is all but devoid of data (don’t waste your money – you need the computer the device was synced to). All the other smartphones are somewhere in the middle.

Another thing we’ve seen multiple times in the past year is one spouse “stealing” the phone of the other in order to get it to us for imaging and analysis. This happens in spite of the fact that we make clients sign statements that the phone is theirs, that they have the right to the data, etc. The police seem less than interested in these cases, feeling that it is “just a domestic matter.” We usually end up halting all work until the attorneys in the case reach an agreement (or go to court) and we are given instructions on how to proceed.

Never let your client receive a smartphone as a gift. Increasingly, we are seeing spyware pre-loaded on the gift. Now, that’s a gift that keeps on giving – to the giver of the gift.
In one case, a suspicious husband gave his wife a new iPhone with the iOS 5 operating system – the phone contained an application called “Find My Friends” designed to help folks track and meet friends. The app led him straight to his wife at her lover’s house and gave him powerful evidence in his divorce case. He was quick to post his appreciation to Apple on a social media site.

Social Media

So many cases, so little space to write about them all. A Pennsylvania man was found guilty of threatening his estranged wife, law enforcement, the FBI and a kindergarten class because of Facebook postings. He had the temerity to claim his posts were artistic in nature (sort of like rap, he said) and his lawyer said they were protected by the First Amendment and phrased in a rhyme setting. A post to his wife said “Fold up your PFA (protection order) and put it in your pocket. Is it thick enough to stop a bullet?” We have some difficulty discerning artistic merit in that or a First Amendment issue. In addition to many other charming posts, he threatened to go on a rampage at a local kindergarten classroom.

In another Ripley's Believe It or Not case, Indiana resident David Voelkert was charged with intercepting oral communications of his ex-wife. He made his confession on Facebook to a “17 year old girl” also stating that now he could “find someone to take care of her and now it will be easier because I know where she is at all times.” He told her he had a GPS tracking device in her car. Unfortunately for the wife, David was on to the fact that the 17-year-old girl he was flirting with and confessing to was a phony account manipulated by his wife – and he knew it. Right after the fake teen made initial contact, David signed a notarized affidavit saying that he thought from the time of the friend request that it was not a real person but his ex-wife or someone she knew.
He stated his intent to “play the game” to get evidence of what his ex-wife was doing and said he had no intent to harm anyone. When the affidavit surfaced, the charges were dismissed.

In November of 2011, a Connecticut judge ordered a feuding couple to turn their Facebook passwords over to each other’s divorce lawyers. The order was issued after the husband alleged that there was critical evidence on his wife’s Facebook page that she was planning to delete. This was, to put it mildly, a highly unusual step that we’ve never seen before – and it violates Facebook’s terms of service.

In Kentucky, an appellate court affirmed a lower court’s decision to award primary custody to the father, based in part on Facebook photos showing the mother partying and drinking against the advice of her mental health providers. Though she admitted the photos were authentic, she said she had never authorized the postings, which were done by others but “tagged” her by name.

At least a dozen other reported cases involved Facebook, which is obviously the big kahuna in divorce and custody battles. As to Facebook in general . . . . Facebook has once again mucked with privacy settings and even had to sign an agreement with the FTC agreeing to a 20 year monitoring of its privacy practices.

The lesson here for family lawyers is that clients should be advised to post cautiously on social media and to periodically go through their privacy settings. They should also not accept a friend request from someone they do not know. They should think of every single post as potential evidence in a future matter. They should not drink or do drugs and post. They should not post when they are angry. If in doubt, don’t post.

The year also brought the removal of a child custody evaluator in California after one of his clients found lewd photos on Facebook and elsewhere – one showed him mooning the camera and another involved a sexual act.
He also apparently promoted illegal drug use, unprotected sex and male prostitution. Perhaps not the best person to evaluate who should have custody.

GPS Trackers

These are still in use and several court cases have now dealt with them. A new case was decided largely on the basis of the fact that the driver was on public roads with a diminished expectation of privacy. In a Minnesota case, a husband was charged with using a GPS tracker to keep tabs on his wife. A mechanic had found the device magnetically attached to the underside of the car. Because both parties owned the car, the court found that the use of the tracker was permissible. This is, in our opinion, precisely what a Virginia court would find.

Can You Commit Adultery With a Robot?

This question might raise eyebrows, but believe us, that question will one day require an answer and perhaps sooner rather than later. You can’t make this up, so just read on.

At last year’s Adult Entertainment Expo, an anatomically correct, customizable, touch-responsive, personality changing sexbot named Roxxxy was unveiled for the asking price of $7000. There were some snarky responses from folks who didn’t believe that anyone would pay that kind of money for a glorified sex toy. They were wrong. Roxxxy was made by TrueCompanion, whose founder now has 4,000 pre-orders.

Artificial intelligence expert David Levy, the author of Love and Sex With Robots (who knew there was such a book?), says unequivocally that human-robot sex, love and marriage is inevitable. Robots can, of course, be programmed to be faithful which might be a welcome change from human partners. To the enormous amusement of author Nelson, Levy also states that male robots may be more emotionally available than the “typical American human male,” a creature who apparently sets a low bar for emotional availability.

Blogger and attorney Sonya Ziaja raises a number of interesting questions.
If husband falls in love and takes off with Roxxxy, can wife sue for alienation of affection? Sue who? Probably not Roxxxy. Roxxxy’s inventor? The manufacturer? Is it grounds for divorce? Can it be adultery? Can it be abusive? Should a wife have to hear, “Enjoy your book dear – I am going to shag Roxxxy for a bit and then I’ll be back?”

If all of this sounds like sci-fi, hang around for a couple of decades and we predict, along with Mr. Levy, that family laws will have to change to keep up with human-robot relationships.

The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA. 703-359-0700 (phone) www.senseient.com

Protecting Your Client From Spying, Hacking and Invasion of Privacy

About 25% of Sensei’s computer forensics cases involve family law, which means we’ve seen hundreds of cases over the years, many of them involving spyware, hacking, e-mail spoofing, etc. Your client has three basic enemies:

1. Himself or herself, for unsafe computing habits
2. The spouse, lover or other party (hackers, etc.) who wants information
3. The IT person who is supposed to protect the home or business computers and the social media providers and smartphone manufacturers who often fail to provide adequate security

The law is your client’s natural friend. State and federal wiretap laws prevent the use of spyware (and exclude it as evidence). State law prohibits cyberharassment, cyberbullying and unauthorized access to a computer, including access which may exceed authorization (e.g., you may have physical access to a marital computer, but not the right to view your spouse’s e-mail). As we are forever explaining, it does not matter who owns the computer – it is the right of privacy which is protected (the workplace being a notable exception). But the legal protections afforded by the law do not have many champions.
We constantly hear that a client has attempted to go to the police or to the Commonwealth Attorney, only to find that law enforcement personnel and prosecutors are not terribly interested in what they see as domestic squabbles. Truth be told, there is often a secondary reason – they are not very familiar with electronic evidence and The Computer Crimes Act. They don’t know how to prove (read: win) these cases so are loath to undertake them. However, we have seen violations of the law, especially of the wiretap acts, be useful. Though you cannot threaten the other side, a report from a computer forensic technologist documenting the use of spyware and (often) the e-mail address to which reports were delivered is understood to be a threat without further need to underscore the threat. Those cases usually settle quickly.

The written materials consist of a number of articles we’ve written recently addressing computer security. Our PowerPoint will extract the key elements from these articles and, where appropriate, make them specific to family law cases. We are always happy to share a PDF of our PowerPoints so please feel free to request a copy after the CLE by writing me at [email protected].

We have included below some of the Virginia statutes most commonly applicable to these cases.

§ 18.2-152.2. Definitions; computer crimes.

For purposes of this article:

"Commercial electronic mail" means electronic mail, the primary purpose of which is the advertisement or promotion of a commercial product or service.

"Computer" means a device that accepts information in digital or similar form and manipulates it for a result based on a sequence of instructions. Such term does not include simple calculators, automated typewriters, facsimile machines, or any other specialized computing devices that are preprogrammed to perform a narrow range of functions with minimal end-user or operator intervention and are dedicated to a specific task.
"Computer data" means any representation of information, knowledge, facts, concepts, or instructions which is being prepared or has been prepared and is intended to be processed, is being processed, or has been processed in a computer or computer network. "Computer data" may be in any form, whether readable only by a computer or only by a human or by either, including, but not limited to, computer printouts, magnetic storage media, punched cards, or stored internally in the memory of the computer. "Computer network" means two or more computers connected by a network. "Computer operation" means arithmetic, logical, monitoring, storage or retrieval functions and any combination thereof, and includes, but is not limited to, communication with, storage of data to, or retrieval of data from any device or human hand manipulation of electronic or magnetic impulses. A "computer operation" for a particular computer may also be any function for which that computer was generally designed. "Computer program" means an ordered set of data representing coded instructions or statements that, when executed by a computer, causes the computer to perform one or more computer operations. "Computer services" means computer time or services, including data processing services, Internet services, electronic mail services, electronic message services, or information or data stored in connection therewith. "Computer software" means a set of computer programs, procedures and associated documentation concerned with computer data or with the operation of a computer, computer program, or computer network. "Electronic mail service provider" (EMSP) means any person who (i) is an intermediary in sending or receiving electronic mail and (ii) provides to end-users of electronic mail services the ability to send or receive electronic mail. 
"Financial instrument" includes, but is not limited to, any check, draft, warrant, money order, note, certificate of deposit, letter of credit, bill of exchange, credit or debit card, transaction authorization mechanism, marketable security, or any computerized representation thereof. "Network" means any combination of digital transmission facilities and packet switches, routers, and similar equipment interconnected to enable the exchange of computer data. "Owner" means an owner or lessee of a computer or a computer network or an owner, lessee, or licensee of computer data, computer programs or computer software. "Person" shall include any individual, partnership, association, corporation or joint venture. "Property" shall include: 1. Real property; 2. Computers and computer networks; 3. Financial instruments, computer data, computer programs, computer software and all other personal property regardless of whether they are: a. Tangible or intangible; b. In a format readable by humans or by a computer; c. In transit between computers or within a computer network or between any devices which comprise a computer; or d. Located on any paper or in any device on which it is stored by a computer or by a human; and 4. Computer services. "Spam" means unsolicited commercial electronic mail. Spam shall not include commercial electronic mail transmitted to a recipient with whom the sender has an existing business or personal relationship. A person "uses" a computer or computer network when he attempts to cause or causes a computer or computer network to perform or to stop performing computer operations. A person is "without authority" when he knows or reasonably should know that he has no right, agreement, or permission or acts in a manner knowingly exceeding such right, agreement, or permission. (1984, c. 751; 1999, cc. 886, 904, 905; 2000, c. 627; 2003, cc. 987, 1016; 2005, cc. 761, 812, 827; 2009, cc. 321, 376; 2010, c. 489.) § 18.2-152.4. Computer trespass; penalty. A. 
It shall be unlawful for any person, with malicious intent, to: 1. Temporarily or permanently remove, halt, or otherwise disable any computer data, computer programs or computer software from a computer or computer network; 2. Cause a computer to malfunction, regardless of how long the malfunction persists; 3. Alter, disable, or erase any computer data, computer programs or computer software; 4. Effect the creation or alteration of a financial instrument or of an electronic transfer of funds; 5. Use a computer or computer network to cause physical injury to the property of another; 6. Use a computer or computer network to make or cause to be made an unauthorized copy, in any form, including, but not limited to, any printed or electronic form of computer data, computer programs or computer software residing in, communicated by, or produced by a computer or computer network; 7. [Repealed.] 8. Install or cause to be installed, or collect information through, computer software that records all or a majority of the keystrokes made on the computer of another without the computer owner's authorization; or 9. Install or cause to be installed on the computer of another, computer software for the purpose of (i) taking control of that computer so that it can cause damage to another computer or (ii) disabling or disrupting the ability of the computer to share or transmit instructions or data to other computers or to any related computer equipment or devices, including but not limited to printers, scanners, or fax machines. B. Any person who violates this section is guilty of computer trespass, which shall be a Class 1 misdemeanor. If there is damage to the property of another valued at $1,000 or more caused by such person's act in violation of this section, the offense shall be a Class 6 felony. If a person installs or causes to be installed computer software in violation of this section on more than five computers of another, the offense shall be a Class 6 felony. 
If a person violates subdivision A 8, the offense shall be a Class 6 felony.

C. Nothing in this section shall be construed to interfere with or prohibit terms or conditions in a contract or license related to computers, computer data, computer networks, computer operations, computer programs, computer services, or computer software or to create any liability by reason of terms or conditions adopted by, or technical measures implemented by, a Virginia-based electronic mail service provider to prevent the transmission of unsolicited electronic mail in violation of this article. Nothing in this section shall be construed to prohibit the monitoring of computer usage of, the otherwise lawful copying of data of, or the denial of computer or Internet access to a minor by a parent or legal guardian of the minor.

(1984, c. 751; 1985, c. 322; 1990, c. 663; 1998, c. 892; 1999, cc. 886, 904, 905; 2002, c. 195; 2003, cc. 987, 1016; 2005, cc. 761, 812, 827; 2007, c. 483.)

§ 18.2-152.5. Computer invasion of privacy; penalties.

A. A person is guilty of the crime of computer invasion of privacy when he uses a computer or computer network and intentionally examines without authority any employment, salary, credit or any other financial or identifying information, as defined in clauses (iii) through (xiii) of subsection C of § 18.2-186.3, relating to any other person. "Examination" under this section requires the offender to review the information relating to any other person after the time at which the offender knows or should know that he is without authority to view the information displayed.

B. The crime of computer invasion of privacy shall be punishable as a Class 1 misdemeanor.

C. Any person who violates this section after having been previously convicted of a violation of this section or any substantially similar laws of any other state or of the United States is guilty of a Class 6 felony.

D. Any person who violates this section and sells or distributes such information to another is guilty of a Class 6 felony.

E. Any person who violates this section and uses such information in the commission of another crime is guilty of a Class 6 felony.

F. This section shall not apply to any person collecting information that is reasonably needed to (i) protect the security of a computer, computer service, or computer business, or to facilitate diagnostics or repair in connection with such computer, computer service, or computer business or (ii) determine whether the computer user is licensed or authorized to use specific computer software or a specific computer service.

(1984, c. 751; 1985, c. 398; 2001, c. 358; 2005, cc. 747, 761, 827, 837.)

§ 18.2-152.7:1. Harassment by computer; penalty.

If any person, with the intent to coerce, intimidate, or harass any person, shall use a computer or computer network to communicate obscene, vulgar, profane, lewd, lascivious, or indecent language, or make any suggestion or proposal of an obscene nature, or threaten any illegal or immoral act, he shall be guilty of a Class 1 misdemeanor.

(2000, c. 849.)

§ 18.2-152.12. Civil relief; damages.

A. Any person whose property or person is injured by reason of a violation of any provision of this article or by any act of computer trespass set forth in subdivisions A 1 through A 8 of § 18.2-152.4 regardless of whether such act is committed with malicious intent may sue therefor and recover for any damages sustained and the costs of suit. Without limiting the generality of the term, "damages" shall include loss of profits.

B. If the injury under this article arises from the transmission of spam in contravention of the authority granted by or in violation of the policies set by the electronic mail service provider where the defendant has knowledge of the authority or policies of the EMSP or where the authority or policies of the EMSP are available on the electronic mail service provider's website, the injured person, other than an electronic mail service provider, may also recover attorneys' fees and costs, and may elect, in lieu of actual damages, to recover the lesser of $10 for each and every spam message transmitted in violation of this article, or $25,000 per day. The injured person shall not have a cause of action against the electronic mail service provider that merely transmits the spam over its computer network. Transmission of electronic mail from an organization to its members shall not be deemed to be spam.

C. If the injury under this article arises from the transmission of spam in contravention of the authority granted by or in violation of the policies set by the electronic mail service provider where the defendant has knowledge of the authority or policies of the EMSP or where the authority or policies of the EMSP are available on the electronic mail service provider's website, an injured electronic mail service provider may also recover attorneys' fees and costs, and may elect, in lieu of actual damages, to recover $1 for each and every intended recipient of a spam message where the intended recipient is an end user of the EMSP or $25,000 for each day an attempt is made to transmit a spam message to an end user of the EMSP.
In calculating the statutory damages under this provision, the court may adjust the amount awarded as necessary, but in doing so shall take into account the number of complaints to the EMSP generated by the defendant's messages, the defendant's degree of culpability, the defendant's prior history of such conduct, and the extent of economic gain resulting from the conduct. Transmission of electronic mail from an organization to its members shall not be deemed to be spam.

D. At the request of any party to an action brought pursuant to this section, the court may, in its discretion, conduct all legal proceedings in such a way as to protect the secrecy and security of the computer, computer network, computer data, computer program and computer software involved in order to prevent possible recurrence of the same or a similar act by another person and to protect any trade secrets of any party and in such a way as to protect the privacy of nonparties who complain about violations of this section.

E. The provisions of this article shall not be construed to limit any person's right to pursue any additional civil remedy otherwise allowed by law.

F. A civil action under this section must be commenced before expiration of the time period prescribed in § 8.01-40.1. In actions alleging injury arising from the transmission of spam, personal jurisdiction may be exercised pursuant to § 8.01-328.1.

(1984, c. 751; 1985, c. 92; 1999, cc. 886, 904, 905; 2003, cc. 987, 1016; 2005, cc. 746, 761, 827; 2010, cc. 489, 529.)

§ 19.2-62. Interception, disclosure, etc., of wire, electronic or oral communications unlawful; penalties; exceptions.

A. Except as otherwise specifically provided in this chapter any person who:
1. Intentionally intercepts, endeavors to intercept or procures any other person to intercept or endeavor to intercept, any wire, electronic or oral communication;
2. Intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical or other device to intercept any oral communication;
3. Intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, electronic or oral communication knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication; or
4. Intentionally uses, or endeavors to use, the contents of any wire, electronic or oral communication, knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication;
shall be guilty of a Class 6 felony.

B. 1. It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee or agent of a provider of wire or electronic communications service, whose facilities are used in the transmission of a wire communication, to intercept, disclose or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service. However, a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks. It shall not be a criminal offense under this chapter for providers of wire or electronic communications service, their officers, employees and agents, landlords, custodians, or other persons pursuant to a court order under this chapter, to provide information facilities or technical assistance to an investigative or law-enforcement officer, who, pursuant to this chapter, is authorized to intercept a wire, electronic or oral communication.

2.
It shall not be a criminal offense under this chapter for a person to intercept a wire, electronic or oral communication, where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception.

3. It shall not be a criminal offense under this chapter for any person:
(a) To intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;
(b) To intercept any radio communication which is transmitted (i) by any station for the use of the general public, or that relates to ships, aircraft, vehicles, or persons in distress, (ii) by any governmental, law-enforcement, civil defense, private land mobile, or public safety communications system, including police and fire, readily accessible to the general public, (iii) by a station operating on an authorized frequency within the bands allocated to the amateur, citizens band, or general mobile radio services; or (iv) by any marine or aeronautical communications system;
(c) To intercept any wire or electronic communication the transmission of which is causing harmful interference to any lawfully operating station or consumer electronic equipment, to the extent necessary to identify the source of such interference;
(d) Using the same frequency to intercept any radio communication made through a system that utilizes frequencies monitored by individuals engaged in the provision or the use of such system, if such communication is not scrambled or encrypted;
(e) To use a pen register or a trap and trace device pursuant to §§ 19.2-70.1 and 19.2-70.2; or
(f) Who is a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service.

C. A person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication, other than one to such person or entity or an agent thereof, while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of the addressee or intended recipient. However, a person or entity providing electronic communication service to the public may divulge the contents of any such communication:
1. As authorized in subdivision B 1 of this section or § 19.2-67;
2. With the lawful consent of the originator or any addressee or intended recipient of such communication;
3. To a person employed or authorized, or whose facilities are used, to forward such communication to its destination; or
4. Which were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, to a law-enforcement agency.

Conduct otherwise an offense under this subsection that consists of or relates to the interception of a satellite transmission that is not encrypted or scrambled and that is transmitted (i) to a broadcasting station for purposes of retransmission to the general public, or (ii) as an audio subcarrier intended for redistribution to facilities open to the public, but not including data transmissions or telephone calls, is not an offense under this section unless the conduct is for the purposes of direct or indirect commercial advantage or private financial gain.
Further, private viewing of a satellite video communication that is not scrambled or encrypted and interception of a radio communication that is transmitted on frequencies allocated under subpart D of Part 74 of the Rules of the Federal Communications Commission that is not scrambled or encrypted when the viewing or interception is not done for a tortious or illegal purpose or for purposes of direct or indirect commercial advantage or private commercial gain, shall not be offenses under this chapter. Violation of this subsection shall be punishable as a Class 1 misdemeanor.

(Code 1950, § 19.1-89.2; 1973, c. 442; 1975, c. 495; 1988, c. 889; 2004, c. 149.)

From the standpoint of federal law, the statutes most commonly applicable are the Federal Wiretapping Act, the Electronic Communications Privacy Act and the Stored Communications Act.

Top Security Tips for your Practice and Your Family Law Clients
By Sharon D. Nelson & John W. Simek
© 2014 Sensei Enterprises, Inc.

Securing and controlling access to confidential client data may keep you up at night. Attorneys have a duty to protect this sensitive data and rarely do a complete and thorough job of it. We’ll give you some of our favorite security tips that you can implement in your practice. You may be doing some of these already, but we’re sure several will be new to you.

Integrated Protection

Solos and small firms may want to consider a single integrated product to deal with spam, viruses and malware. Norton’s security suite is a top seller for the single computer market. We would recommend avoiding the Symantec Norton Internet Security 2012 software at this time. Symantec has addressed their historical performance issues in the latest product. Even at that, we think there are better, more effective and less expensive solutions. We recommend using Kaspersky Internet Security 2013, which contains firewall, anti-virus, anti-spyware, rootkit detection, anti-spam and much more.
Kaspersky is available directly from the web site, www.kaspersky.com, and costs $79.95 for one year of protection on up to three computers. This is an excellent choice for the small-office environment.

Integrated Protection for Larger Environments

Trend Micro Worry-Free Business Security is a highly regarded product that is available in three editions: Standard, Advanced and Hosted. We don’t recommend the Hosted solution as the entire configuration is set up and maintained by Trend Micro. All of the editions include anti-virus and anti-spyware capabilities. The software will protect both your servers and computers from malicious threats, and will automatically change settings on laptops to set for protection of employees when they are out of the office. The software will monitor active processes and applications to prevent unauthorized and harmful changes to your computer. Unlike the Standard Edition, the Advanced Edition includes anti-spam filtering for Microsoft Exchange Servers as well as InterScan Messaging Hosted Security. Cost for the product starts at around $40 per license for the Standard Edition and $60 per license for the Advanced Edition, which includes technical support and upgrades for a year. This software product is offered in both 1- and 2-year subscriptions and licenses can be purchased directly from Trend Micro’s web site (www.trendmicro.com).

Anti-Spam Protection

We have come to use and love a great product for anti-spam protection. Postini is a lower-cost alternative service for e-mail anti-spam and anti-virus than almost any other implementation. Note that your e-mail flow will be re-routed so that it goes through the Postini servers before being delivered to your mail server or e-mail client. You can purchase the Postini service directly or go through a reseller. When you purchase directly, the costs are lower, but you have to configure and set up the installation yourself and you do not receive any support.
Purchasing through a reseller costs slightly more money, but you obtain 24/7 support and assistance with the complete operation. Postini provides a web-based interface to manage the quarantine, where spam messages are held. Users receive a quarantine message once a day, in which they are provided with a summary of the e-mail messages quarantined throughout the day. From this message, a user can choose to release a quarantined message with just a simple click of the mouse. That’s all you need to do to release a captured “false-positive.” As an option, Postini has a “mail bag” feature available for an additional charge. The feature spools your e-mail in the event you lose your Internet connection or your mail server goes down. Once your connection or server comes back up, Postini will feed you all of the e-mail that it was holding during the outage. This means that you won’t lose any e-mail, even if your server goes down for a period of time.

Encryption

If you use a laptop, the data needs to be protected while in transit. Secure mobile computing must contain some method of encryption to protect the valuable personal and client data. We prefer whole disk encryption. This means that everything on the hard drive is encrypted. We don’t have to remember to put files into special folders or on the encrypted virtual drive. All too often, humans are in a big hurry and may not save the data in the special protected encrypted areas. Many of the newer laptops have built-in whole disk encryption. To state the obvious, make sure you enable the encryption or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe at power on. Failure at that point leaves the computer hard drive fully encrypted. A very comforting thought if laptop thieves, who constitute a large club these days, make off with your laptop.
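"Make sure you enable the encryption" is a point you can verify rather than take on faith, and the same advice is repeated in the Hit the Road Jack article later in these materials, so one check serves both. The script below is an added example, not code from the original materials or from any vendor: on a Linux laptop it reads the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` and, for each mount point, walks the parent-device chain (the PKNAME column) looking for a dm-crypt layer (TYPE="crypt"), which is how an unlocked LUKS container appears. Anything that reaches the physical disk without passing through such a layer is stored in the clear. The two lsblk outputs embedded in it are constructed samples; on Windows the equivalent answer comes from BitLocker's `manage-bde -status`.

```python
"""Whole-disk-encryption check based on lsblk --pairs output.

Added example (not from the original CLE materials).  lsblk's -P format
prints one device per line as KEY="value" pairs; PKNAME names the parent
device, so following it from a mounted filesystem leads back to the disk.
"""
import re
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: root and swap are LVM volumes inside a LUKS container.
ENCRYPTED_LAPTOP = """\
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
"""

# Constructed sample: a plain install with nothing encrypted.
UNENCRYPTED_LAPTOP = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
"""


def parse_lsblk_pairs(text):
    """Map device NAME -> {column: value} from lsblk --pairs output."""
    devices = {}
    for line in text.splitlines():
        row = dict(PAIR_RE.findall(line))
        if "NAME" in row:
            devices[row["NAME"]] = row
    return devices


def is_encrypted(devices, mountpoint="/"):
    """True if a dm-crypt layer sits anywhere between the filesystem mounted at
    `mountpoint` and the physical disk; False if the chain reaches the disk in
    the clear."""
    node = next((d for d in devices.values() if d.get("MOUNTPOINT") == mountpoint), None)
    if node is None:
        raise ValueError(f"nothing is mounted at {mountpoint}")
    seen = set()  # guards against a malformed parent loop
    while node is not None and node["NAME"] not in seen:
        seen.add(node["NAME"])
        if node.get("TYPE") == "crypt":
            return True
        node = devices.get(node.get("PKNAME", ""))
    return False


def unencrypted_mounts(devices):
    """Every mount point (swap included) that is NOT protected by dm-crypt.
    The EFI partition is expected here; swap or /home showing up is not."""
    return sorted(
        d["MOUNTPOINT"] for d in devices.values()
        if d.get("MOUNTPOINT") and not is_encrypted(devices, d["MOUNTPOINT"])
    )


def check_live_system():
    """Run lsblk on the current Linux machine (util-linux) and report."""
    out = subprocess.run(["lsblk", "-P", "-o", LSBLK_COLUMNS],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(parse_lsblk_pairs(out))


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP),
                          ("unencrypted", UNENCRYPTED_LAPTOP)):
        devs = parse_lsblk_pairs(sample)
        print(f"{label}: root encrypted={is_encrypted(devs)}, "
              f"clear-text mounts={unencrypted_mounts(devs)}")
```

The chain walk matters because "encrypted" laptops are often LVM-on-LUKS: the root filesystem's own device is an LVM volume, and only its grandparent is the crypt mapping, so a check that looks at the mounted device alone would report a false negative.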
If you think we are being too cautious, PCWorld.com reported that more than ten thousand laptops were lost or stolen at US airports per week, totaling almost 640,000 lost or stolen laptops each year. We mean it when we say, “be careful out there.”

Smartphone Security

As a minimum, everybody should have a PIN code programmed into their phone to prevent unauthorized access, along with a fairly short timeout period. It doesn’t do much good to have an unlocking PIN and then have 30 minutes pass before the phone relocks. We know it’s a pain to constantly punch in the unlock code, but that will keep your data from being accessed by prying eyes. Better yet, it will stop someone from installing spyware on your phone that can effectively trap all of your communications (voice calls, e-mail, text messages, etc.). Alas, there is just one problem. The PIN is easily bypassed on all iPhones. Just Google “crack pin on iphone” and you’ll see just how easy it is. Besides PIN protecting your phone, make sure you encrypt any memory cards or just don’t store any sensitive data on them. We’re talking about the SD, micro SD, etc. cards that you can insert into the smartphone to increase storage capacity. There are programs available for some models that allow you to encrypt the card contents. The point is that you don’t want any confidential information to be accessible on the card if you lose your phone. The PIN will protect the phone access, but the “bad guy” will pop out the memory card and read it from their computer if it is not encrypted.

Wireless Network Security

Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using Wired Equivalent Privacy (WEP) 128-bit or WPA encryption, make sure that all communications are secure.
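Which of those options still holds up is the subject of this section, and the answer can be checked against the access point's own configuration. As an added example, not code from the original materials or from any vendor, the script below audits a configuration in hostapd.conf key=value format against this section's guidance: it flags WEP keys, WPA with TKIP and open (unencrypted) networks, and passes only WPA2 with AES (CCMP). The three configurations are constructed; the key names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wep_key0`, `wep_default_key`) are hostapd's standard ones, where `wpa` is a bit field (1 = WPA, 2 = WPA2, 3 = both) and `rsn_pairwise` falls back to `wpa_pairwise` when unset.

```python
"""Audit a hostapd-style access point configuration for weak wireless settings.

Added example (not from the original CLE materials).  Findings are returned
as a list of strings; an empty list means WPA2 with CCMP only.
"""

# Constructed: WEP only, the setting regulators found insufficient.
WEP_CONFIG = """\
interface=wlan0
ssid=LawFirmWiFi
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
"""

# Constructed: WPA (version 1) with TKIP, the combination reported cracked.
TKIP_CONFIG = """\
interface=wlan0
ssid=LawFirmWiFi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme
"""

# Constructed: the guidance applied, WPA2 only with AES (CCMP) only.
HARDENED_CONFIG = """\
interface=wlan0
ssid=LawFirmWiFi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<long random passphrase, never the vendor default>
"""


def parse_hostapd(text):
    """key -> value from hostapd.conf text, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return findings for WEP, TKIP and open-network configurations."""
    conf = parse_hostapd(text)
    findings = []

    # Any WEP key material at all: WEP can be recovered from captured traffic.
    has_wep = any(k == "wep_default_key" or k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append("WEP keys configured: WEP can be cracked from captured traffic; remove them")

    try:
        wpa = int(conf.get("wpa", "0"))  # bit field: 1 = WPA, 2 = WPA2
    except ValueError:
        wpa = 0
    if wpa == 0:
        if not has_wep:
            findings.append("no WPA/WPA2 enabled: the network is open")
        return findings

    wpa_ciphers = conf.get("wpa_pairwise", "").upper().split()
    # hostapd uses wpa_pairwise for WPA2 when rsn_pairwise is not set.
    rsn_ciphers = conf.get("rsn_pairwise", "").upper().split() or wpa_ciphers
    if wpa & 1 and "TKIP" in wpa_ciphers:
        findings.append("WPA with TKIP enabled: TKIP is broken; use AES (CCMP) or WPA2 only")
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append("WPA2 permits TKIP: restrict rsn_pairwise to CCMP")
    enabled = (wpa_ciphers if wpa & 1 else []) + (rsn_ciphers if wpa & 2 else [])
    if "CCMP" not in enabled:
        findings.append("AES (CCMP) not enabled: set the pairwise cipher to CCMP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEP", WEP_CONFIG), ("WPA/TKIP", TKIP_CONFIG),
                       ("WPA2/CCMP", HARDENED_CONFIG)):
        print(label, "->", audit_hostapd(cfg) or ["ok"])
```

Run against a real `/etc/hostapd/hostapd.conf` the same function tells you whether the device is still offering TKIP alongside CCMP (a mixed-mode setting that many consumer routers ship as the default), which is the case the audit's `wpa=3` handling is there for.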
WEP is a weaker layer and can be cracked if sufficient data is captured, though the reality is that hackers will go for unsecured networks before going after any secured one. Frankly, the Federal Trade Commission and the Canadian Privacy Commissioner have both found WEP insufficient to secure credit card information, so we suggest it not be used at all. Recently, WPA using the TKIP (Temporal Key Integrity Protocol) algorithm was cracked by a group of Japanese scientists in about a minute. This means that you should be encrypting using WPA with the AES (Advanced Encryption Standard) or WPA2 only.

Change the Defaults

It doesn’t matter if you are configuring a wireless router or installing a server operating system. In all cases, make sure you change any default values. The default user ID and passwords are well known for any software or hardware installation. There’s even a default network name when you create a Windows network environment. Apple isn’t immune either, since there are default values for their products as well. The point is that all default values, especially logon values, should be changed to prevent unauthorized access.

All of these security tips can be easily implemented. Sleep will come more easily when you know that your law firm data is secure. As Nike would say, just do it.

The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology and digital forensics firm based in Fairfax, VA. 703-359-0700 (phone) www.senseient.com

Hit the Road Jack: Secure Mobile Computing
By Sharon D. Nelson, Esq. and John W. Simek
© 2013 Sensei Enterprises, Inc.

It’s been several years since we’ve dealt with remote access solutions. Wow, have things changed fast. Technology advances in this area have come at warp speed. Gone are the days when you carried around a fifty foot phone cord and kept looking for an analog phone jack that could be used with the modem in your laptop.
Being über geeks, we then carried along a splitter, coupler and additional phone cords so that we could work comfortably on the bed or desk while we traveled around the nation. No more. It’s even difficult to purchase a modern day laptop with a modem. Wireless is the word these days. More and more hotels, motels, conference centers, coffee shops, book stores, cafes etc. are offering wireless access solutions.

Software

Before we jump into the boring details, let’s cover some solutions that should be on your laptop no matter what other technology you use for remote connectivity. It goes without saying that you should have some sort of anti-virus solution installed on your laptop. It should be configured for automatic updates and perform a periodic full scan (we do weekly scans) to catch anything that may have “landed” before the signatures were updated. It would be just your luck to catch a virus on day one and be the first kid on the block to suffer the effects. In addition, you should have anti-spyware software installed. Many of the anti-virus vendors also have anti-spyware capability. Normally the Internet Suite products will contain both as well as other security features like firewalls, spam control and anti-phishing. The products are also getting a lot “smarter” and aren’t totally dependent on signature files. They actually look at heuristics and will block activity that “acts” like a virus, malware, Trojan, etc.

Encryption

Secure mobile computing must contain some method of encryption to protect the valuable personal and client data. We prefer whole disk encryption. This means that everything on the hard drive is encrypted. We don’t have to remember to put files into special folders or on the encrypted virtual drive. All too often, humans are in a big hurry and may not save the data in the special protected encrypted areas. Many of the newer laptops have built-in whole disk encryption.
To state the obvious, make sure you enable the encryption or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe to power on. Failure at that point leaves the computer hard drive fully encrypted. A very comforting thought if laptop thieves, who constitute a large club these days, make off with your laptop.

Wireless

What’s next? We won’t cover modem access in the traditional sense since dial-up isn’t desirable or effective these days. Wireless is the rage of all the road warriors. There are two basic types of wireless access you’ll encounter. The first type is generically termed a “wireless hot spot” and is what you find at your local Starbucks, Barnes and Noble, hotel or at the airport. You may or may not have to pay for these wireless connection services. Many businesses are offering free wireless as a way to attract customers. Most of these “hot spots” are unsecured. This means that it is possible for your confidential data to be viewed by the customer at the next table or the one sitting on the park bench outside the café. Does this mean you shouldn’t use any of these wireless clouds? If you have a choice, we would say these clouds are best avoided by those who are technology-averse and don’t understand how to operate securely in an unsecured cloud. Read on, and determine whether you can safely be trusted to do what follows.

Here are the precautions you should take. See if there is an option to have a secure connection to the cloud. This would be indicated if you use https:// as part of the URL. Typically, the connections are unsecured and do not provide an encrypted session like the https:// connections do. Be especially careful if you have to pay for the wireless connection. Be wary when you are at the screens that have you input your credit card and billing information. DO NOT enter any of this sensitive information without a https:// connection.
Once you’ve established a connection to the wireless cloud, be sure to use your VPN (Virtual Private Network) or other secure (https://) access to protect your transmissions. Some hotels may give you a wireless cloud that is already secured. Typically, these wireless implementations use WPA (Wi-Fi Protected Access) to secure the data. The cloud will be visible to your computer, but you will be required to provide a password before your computer connects. Once connected, your data is encrypted over the air. Understand what that does and does not buy you: a WPA password that the front desk hands to every guest is a shared key, so another guest who has it is in a far better position to decrypt your session than a stranger on an open hot spot, and the encryption ends at the hotel’s access point in any case. Treat a shared-password network as better than an open one, not as a substitute for your VPN or https://.

AirCard
Another wireless connection method is commonly called an AirCard. These are cards used to connect to the high speed wireless networks of the cellular phone providers. The major technologies in use today are EV-DO and 3G/4G. Don’t be swayed by the vendor claims for speed and availability; make sure that you will be able to get service in the areas you travel to most. Reliability is another consideration, as is whether you already have a cellular plan. The AirCard itself is a hardware device that you connect to your laptop. They come in USB or PC Card formats, and since they are external devices, they can be used on any laptop. Some newer laptops have the circuitry built in, so no additional hardware is required. The built-in capability means you have nothing to lose, but it is “married” to the laptop and can’t be transferred between machines. The external devices can cost several hundred dollars, but most providers offer significant discounts. As an example, Sprint currently offers a USB antenna for no cost after discounts and rebates. The service itself can be monthly or daily. The monthly plans measure the amount of data you transfer over the connection and charge you for any overage. Typically, the data plans limit your usage to 5GB a month and run about $60 per month. Verizon offers a day pass, where you can get 24 hours of high speed connectivity for $15 a day.
Obviously, you will want to purchase a monthly plan if you travel a lot or will use the service for more than four days a month. The AirCard is the preferred wireless connection because the link is secured from the very beginning: the card and the cellular carrier encrypt the session between your laptop and the carrier’s network, so the person at the next table can’t read it the way they can on an open hot spot. That protection ends at the carrier, however. Beyond it, your traffic crosses the Internet in whatever form you sent it, so an https:// session or your VPN is still the right answer for anything confidential.

Remote Access
We’ve dealt with some of the more common methods to provide secure communications. Now that you have the secure connection, what’s next? E-mail access is pretty simple from most laptops, but what about working on client files? Larger firms will have an environment where you connect to virtual computers. We have a Microsoft Terminal Server environment, where multiple users connect to virtual machines. You connect and log in just as you would while you’re in the office, and you then have access to all your data just as if you were sitting in your desk chair. Citrix is another technology that provides the same function. Smaller firms typically use something like GoToMyPC or LogMeIn. These products take control of a remote machine and pass keystrokes, mouse movements and screen updates across the connection. This does require that the remote machine be powered on before you connect. Be sure that you have a screen saver password set on that computer so nobody can sit at the keyboard in the office and use it. Cleaning crews are known to do this! These remote control solutions are very cost effective, and all communications travel over an encrypted connection.

Public Computer Usage
A word of warning here. Be very careful about using a public computer such as those in a library or the business center of a hotel. Even if you are only accessing your web-based e-mail account, the data is temporarily written to the local hard disk.
There is also the risk that keystroke logging software is installed on the computer, capturing everything you do on the machine. Does that mean all public computers are off limits? Not at all. We are big fans of the IronKey hardware-encrypted USB flash drive. Besides the drive encryption and secure management of passwords, the IronKey has portable applications intended for use with public computers. As an example, there is a specially modified version of the Firefox browser that doesn’t write any data to the host computer. All data stays on the IronKey, which keeps it secure and keeps it with you when you leave. Keep in mind what this does not solve: a keystroke logger already on the public machine still sees what you type into the portable browser, so the IronKey protects what you carry, not the keys you press. Of course, this also means that the computer has to accept the insertion of USB devices. Some business center machines are locked down and do not allow USB devices, because they are a security risk to the business: USB devices can be used to introduce malware to the machine or network.

Final Words
The options for secure remote access have certainly changed quickly over the years. Talk to us in four years and we’re sure the world will have changed again. For now, make sure that you are aware of all the issues in securely transferring your data and that you are not relying on “antique” knowledge. You must assume that there is absolutely no protection of the communication stream between your laptop and your remote device. We’ve seen hotel networks that didn’t have a firewall, so all traffic was allowed to flow through. We immediately saw probing attacks on our computers, which were stopped by the firewalls on the laptops. It’s the Wild, Wild West out there and you’re the only marshal in town. Good luck, Wyatt. The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology and digital forensics firm based in Fairfax, VA. 703-359-0700 (phone) www.senseient.com

Digital Forensics Best Practices
Sharon D. Nelson
John W. Simek
© 2014 Sensei Enterprises, Inc.
Are there really such things as best practices for computer forensics? Opinions vary, but there are generally accepted practices in the profession that provide terrific guidance. We’ve attempted to assemble procedures from varying practitioners considered to be the best in the industry.

8-1 WHAT IS COMPUTER FORENSICS?
Let’s start at the beginning. What is computer forensics? According to US-CERT (United States Computer Emergency Readiness Team), “We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”[1] Computer forensics is also called digital forensics, a term that is becoming more popular. Think CSI with computers and other electronic media. Computer forensics is the acquisition, authentication, analysis, and presentation of electronic evidence. It is deeply rooted in the scientific process and the generally accepted practices of the computer forensic community. From a legal perspective, it is critical that the computer forensic process and presented evidence be repeatable using various tools and that the outcome be accepted as reliable (Daubert opinion[2] and F.R.E. 702). Digital forensics encompasses more than just computers. With the growth in the usage of mobile devices (smartphones, tablets, etc.), digital forensics is really the more appropriate term. Make no mistake about it, if Sherlock Holmes were alive today, he’d be doing computer forensics.

8-2 CHAIN OF CUSTODY
Of utmost importance in the handling of any evidence is preserving the chain of custody. Hopefully, “chain of custody” is not a foreign term to you. If it is, we’ll explain what chain of custody is and why it is so important.
Chain of custody pertains to the integrity and handling of evidence as it relates to legal matters.[3] This means that the chain of custody documents the seizure, custody, control, transfer, analysis and disposition of evidence. The evidence may be in paper or electronic form and is subject to the same tracking and documentation irrespective of form. The primary purpose of this documentation is to verify that the evidence was not tampered with and that only authorized persons had access to it. Depending on the circumstances, each individual who had access to the evidence may have to testify as to what occurred while the evidence was in their control. The documentation should be recorded chronologically so as to withstand any legal challenge to the authenticity of the evidence. It should show the date and time of each evidence transfer, the identity of the evidence handlers, and the duration of custody (this can be logged explicitly or calculated from the “evidence return” time). Sometimes the documentation will also indicate the purpose of the transfer; examples include “analysis review” or “copy made for opposing party.”

Notes:
[1] Computer forensics, US-CERT, 2008, http://www.us-cert.gov/reading_room/forensics.pdf (accessed July 14, 2013).
[2] Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579 (1993).

8-3 EVIDENCE SEIZURE
A few words need to be said concerning the seizure of electronic evidence. For the most part, you will not be involved in actually performing a first-response seizure, but the following points will help maintain the integrity of the electronic evidence and maximize retrievable data while minimizing data destruction. If the evidence is a computer and it is not turned on, do NOT power it up. Document the entire installation and use digital photographs if required.
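The continuity the custody log is meant to prove (every release matched by a logged receipt, entries in time order, custody time derivable from the next transfer or “evidence return” time) can be checked mechanically. The Python below is an added example written for this chapter, not code from the authors or from any evidence-management product. The evidence number, custodian names, timestamps and the deliberately defective fifth entry are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    """One line of a chain-of-custody form."""
    evidence_id: str
    released_by: str
    received_by: str
    at: datetime
    purpose: str


# Constructed sample log for one evidence item (not a real case). The entries
# are in the order they were written on the form.
SAMPLE_LOG = [
    Transfer("1001-A", "seizure scene", "J. Simek", datetime(2013, 7, 8, 9, 15), "seizure"),
    Transfer("1001-A", "J. Simek", "evidence vault", datetime(2013, 7, 8, 13, 40), "storage"),
    Transfer("1001-A", "evidence vault", "examiner 1", datetime(2013, 7, 9, 8, 5), "analysis review"),
    Transfer("1001-A", "examiner 1", "evidence vault", datetime(2013, 7, 11, 17, 30), "evidence return"),
    # Defective entry: released by someone the log never shows receiving the item.
    Transfer("1001-A", "examiner 2", "evidence vault", datetime(2013, 7, 12, 10, 0),
             "copy made for opposing party"),
]


def check_chain(log):
    """Return the problems a challenge to the log would raise: a release by
    someone other than the last logged holder, or an entry recorded out of
    time order. An empty list means the chain is unbroken."""
    problems = []
    holder = None
    last_time = None
    for i, t in enumerate(log):
        if holder is not None and t.released_by != holder:
            problems.append(
                f"entry {i} ({t.evidence_id}): released by {t.released_by!r} "
                f"but the last logged holder was {holder!r}"
            )
        if last_time is not None and t.at < last_time:
            problems.append(
                f"entry {i} ({t.evidence_id}): {t.at} is earlier than the previous entry {last_time}"
            )
        holder = t.received_by
        last_time = t.at
    return problems


def custody_durations(log, now):
    """How long each custodian held the item, computed from the time of the
    next transfer (the 'calculated from the evidence return time' approach).
    The current holder's custody runs until `now`."""
    durations = {}
    for i, t in enumerate(log):
        end = log[i + 1].at if i + 1 < len(log) else now
        durations[t.received_by] = durations.get(t.received_by, timedelta()) + (end - t.at)
    return durations


if __name__ == "__main__":
    for problem in check_chain(SAMPLE_LOG):
        print("PROBLEM:", problem)
    for who, held in custody_durations(SAMPLE_LOG, datetime(2013, 7, 12, 12, 0)).items():
        print(f"{who}: {held}")
```

Run against the sample, `check_chain` flags only the fifth entry; drop that entry and the chain is clean, and `custody_durations` shows examiner 1 holding the item for two days, nine hours and twenty-five minutes, which is the figure the form would otherwise have to record by hand.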
If the device to be seized is a running server, do an orderly shutdown using the appropriate commands for the operating system. Once the server is shut down, pull the power plug and do not power it up again. If the server contains a redundant array of independent disks (RAID),[4] document the RAID configuration prior to shutting the server down. This information will be useful if the RAID array has to be virtually “reassembled” during a forensic examination. Besides computers, consider other electronic devices and media that may contain electronic information. These can include such items as PDAs, flash memory drives, external USB hard disks, smartphones, iPods,[5] game consoles, CD-ROMs, DVDs, tablets and other storage devices. No matter what type of electronic device is seized, make sure that the power adapters and communications cables are also seized. The power adapters may be needed to keep the device charged so as not to lose any data stored in volatile memory. The communications cables are important, especially if the device uses a proprietary connection.

Notes:
[3] Chain of custody, Wikipedia, July 11, 2013, http://en.wikipedia.org/wiki/Chain_of_custody (accessed July 14, 2013).
[4] RAID, SearchStorage.com Definitions, June 2007, http://searchstorage.techtarget.com/definition/RAID (accessed July 14, 2013).
[5] iPod is a device sold by Apple Computer, Inc. that stores music, video, and sound files for portable playback. The use of the term ‘iPod’ refers to any portable device similar in nature to the actual iPod itself.

8-4 EVIDENCE DOCUMENTATION
Practice Tip: How do people foul up in digital forensics? Frequently, they are not careful about maintaining chain of custody or documenting evidence.
Once you receive the evidence, it needs to be documented. There are several steps to the documentation, depending on what form the evidence is in.
1. In all cases, digital photographs should be taken of all pieces of evidence to document the original condition and configuration (in the case of computers, smartphones, etc.). Be sure to photograph from multiple angles and even the inside of devices that need to be disassembled.
2. Assign an evidence number to each piece of equipment or media. These numbers should be sequential (to help identify whether there are any gaps or missing evidence) and be assigned to each unique item. If there are multiple hard disks in a machine (for example, a RAID array in a server), each drive should have its own unique evidence number. It is not uncommon to add a suffix to the evidence number to denote devices that make up a common system. As an example, 1001-A, 1001-B, and 1001-C may denote the three hard drives in a server.
3. Document each piece of evidence by describing it and noting any unique configuration or items making up the evidence. As an example, when documenting a computer, be sure to list the form factor (for example, server, desktop, laptop, tower computer, etc.), the manufacturer, model number, serial number, and included interfaces and devices. These interfaces and devices would include such things as USB,[6] FireWire,[7] serial communications interface,[8] CD-ROM, DVD, CD-RW[9] (compact disc, rewritable), floppy disk, NIC[10] (network interface card), wireless NIC,[11] integrated sound, modem,[12] video card, and any other unit or peripheral interface.
4. Document each hard disk that is included in the computer. Documentation should include the manufacturer, model number, serial number, disk capacity, and interface[13] (for example, SCSI,[14] IDE,[15] Serial ATA,[16] etc.). Don’t forget to take a digital picture of the disk, too, and make sure to capture how the disk is pinned or strapped (the jumper settings).
5. Tag loose media with unique identifiers. As an example, you may have a stack of unlabeled floppy disks as part of your electronic data media. Since they don’t have labels, you have to find a way to uniquely identify each disk so that you can go back to the proper piece of media if relevant information is found during the analysis. One way is to place your own label (sticky paper type) on each disk with the evidence number clearly identified. This same process can also be done for CDs that are not labeled. In either case, make sure that the documentation and chain of custody form state that the evidence was received in an unlabeled state.
6. If any storage device is encrypted, get the decryption passphrase. Encryption is becoming more and more common, especially where sensitive information such as medical records is handled. You will need to decrypt the data in order to accomplish any forensic analysis, so knowing what program was used and the passphrase are very important. Note also that if an encrypted computer is found running and unlocked, shutting it down leaves you with nothing but ciphertext; that is one situation in which the live acquisition methods discussed in 8-5.1 may be preferable to pulling the plug.

Notes:
[6] USB, SearchSMB.com, February 2012, http://searchcio-midmarket.techtarget.com/definition/USB (accessed July 14, 2013).
[7] FireWire, SearchNetworking.com, April 2007, http://searchnetworking.techtarget.com/definition/FireWire (accessed July 14, 2013).
[8] Serial communications interface, Whatis.com, March 2011, http://whatis.techtarget.com/definition/0,,sid9_gci962055,00.html (accessed July 14, 2013).
[9] CD-RW, SearchStorage.com, September 2005, http://searchstorage.techtarget.com/definition/CD-RW (accessed July 14, 2013).
[10] NIC, SearchNetworking.com, August 2006, http://searchnetworking.techtarget.com/definition/networkinterface-card (accessed July 14, 2013).
[11] Wireless NIC, Wikipedia, July 14, 2013, http://en.wikipedia.org/wiki/Wireless_network_interface_card (accessed July 14, 2013).
[12] Modem, SearchMobileComputing.com, November 2006, http://searchmobilecomputing.techtarget.com/definition/modem (accessed July 14, 2013).
[13] Hard disk interface, pcguide.com, April 17, 2001, http://www.pcguide.com/ref/hdd/if/index.htm (accessed July 14, 2013).
[14] SCSI, SearchStorage.com, September 2005, http://searchstorage.techtarget.com/definition/SCSI (accessed July 14, 2013).
[15] IDE, SearchStorage.com, September 2005, http://searchstorage.techtarget.com/definition/IDE (accessed July 14, 2013).
[16] Serial ATA, SearchStorage.com, August 2005, http://searchstorage.techtarget.com/definition/Serial-ATA (accessed July 14, 2013).

8-5 FORENSIC ACQUISITION
Now that the electronic evidence has been “seized,” what are the next steps? A forensic image needs to be created. The forensic image is a bit-by-bit, verified duplicate of the original evidence. The following sections identify some concerns and considerations in obtaining and processing the forensic image.

8-5.1 On-site Acquisition
Obtaining a forensic image of a hard disk on-site can be one of the slowest and most expensive of the options. The equipment transported to the field may be less powerful than that found in the forensic examiner’s lab, owing to the portability requirements. As an example, most laptops are less powerful than a desktop computer, even though there are some pretty powerful laptops these days. Portable computers also tend to have less random access memory (RAM)[17] available, which also affects performance. Recently, hardware imagers (for example, HardCopy III) specifically designed for creating forensic images have been taking over the on-site role. These devices are very fast (faster than laptops or desktops) and have additional features such as logging and automatic verification. They are dedicated devices designed solely for the creation of forensic images and perform no other function. They cost several thousand dollars, but are a great alternative to using a laptop or desktop for acquisitions. Another cost impact is that the examiner has to be on-site with the equipment during the entire time that the image is being generated. This may be a very time-consuming process, depending on the amount of data being imaged and the process used.
Since the examiner is “babysitting” the process, the clock continues to run at the examiner’s hourly rate. On-site acquisitions can be risky if the computers to be acquired are not well documented or if the components are not well known. A good forensic examiner will have a lot of adapters, software, and methods with which to make a forensic image, but it is impossible to travel with every piece of equipment and every software method. Make sure that the examiner is fully aware of the computer configurations and included peripherals. Consider allowing the examiner to make a “dry run” visit if you are unsure of the components in the computer(s) to be imaged. This pre-visit can conserve valuable time and ensure that a successful forensic image is possible before taking the computers off-line and out of business. Continuation of the business operation is a prime concern when obtaining forensic images. Under normal circumstances, the computer that is to be imaged is taken “off-line” during the process. This can be particularly disruptive where servers are concerned, especially if there is only one server providing a specific function, such as e-mail. Powering off the server and shipping it to a location for imaging probably isn’t practical, hence the requirement for an on-site acquisition. Since we want to minimize business impact, speed of the acquisition is another major concern. There are several things that can be done to make acquisitions go as fast as possible. Doing as many simultaneous acquisitions as possible will reduce the overall downtime of the computers. When creating a forensic image, it is possible to compress the data so that the target storage is smaller than the original; however, compression adds to the acquisition time.

Notes:
[17] RAM, SearchMobileComputing.com, September 2005, http://searchmobilecomputing.techtarget.com/definition/RAM (accessed July 19, 2013).
On-site acquisitions should be done with no compression, thereby acquiring the data as fast as possible. The images can always be compressed later in a controlled lab environment, where time is not a major concern, although with the low cost of hard drive storage, compression is less of an issue these days. Remember that the forensic acquisition will take whatever time it takes. This is a matter of physics and you cannot rush or accelerate the process beyond what physics allows. Once started, it must be allowed to go to completion.
Practice Tip: Speed of acquisition is important, but don’t ever choose speed over being careful.
The discussion of on-site forensic acquisitions has revolved around shutting down computers and removing them from service. This is the normal way of achieving an on-site forensic image. However, there are now software methods that allow a forensic image to be obtained from a live, running system. In one method, a piece of software called a servlet[18] or agent[19] is installed on the machine to be acquired. This servlet or agent acts as a “hook” into the system, allowing a forensic image to be taken of a “live” system. This type of forensic acquisition is a much more complicated and costly method. Additional hardware and software are required to accomplish the acquisition, and licensing costs begin in the hundreds of thousands of dollars. A recent technological development by one vendor allows the “live” acquisition to take place in a more cost effective and less intrusive manner. A server is installed at the client site to act as the repository for the forensic images. The data from the imaged machine is cached so that the machine does not come to a grinding halt due to the processor overhead. This allows for a more covert acquisition, where the user doesn’t even know that a forensic image is being created. It is anticipated that the cost for this solution will begin in the tens of thousands of dollars.
Another method involves gathering data from custodians in a “near” forensic manner. Software or hardware devices are installed or attached to the computer and then the drive(s) or specific folders are acquired. These acquisitions are performed against a running computer system. One method is to attach an external USB hard disk that has FTK Imager Lite on it. FTK Imager Lite is then launched and the resulting forensic image is created on the external hard disk. Since it is running against a working system, the image will not be an exact duplicate at a single point in time: the operating system keeps writing to the disk while the copy is in progress. As long as nobody is actually using the computer, the majority of the data will be forensically preserved. Another interesting device is from HSSK Forensics.[20] It is an encrypted external USB device that automatically launches a user interface when inserted into the computer. The software gathers information from the user and then automatically executes a “dd” bit-stream copy of the hard drive. This alternative allows the user to create the near-forensic image without any technical knowledge. Finally, several vendors now provide the ability to create logical evidence files in a forensic manner. This is more a method of preserving the logical files and does not truly capture the unallocated space. The files’ dates, times, attributes, etc. are preserved. While logical evidence files can be acquired from a running system, they will not correctly preserve any active database such as the one used by Exchange. The Exchange database must be dismounted in order to properly preserve it using this method; otherwise the database will be corrupted when you try to work with the logical evidence file.

Notes:
[18] Servlet, SearchWebService.com, April 2005, http://searchsoa.techtarget.com/definition/servlet (accessed July 19, 2013).
[19] Agent, Whatis.com, March 2011, http://whatis.techtarget.com/definition/0,,sid9_gci211538,00.html (accessed July 19, 2013).
[20] Remlox, HSSK Forensics, 2009, http://remlox.com (accessed July 19, 2013).

8-5.2 Off-site Acquisition
This type of acquisition is done in the examiner’s lab. The forensic lab contains equipment that is much more powerful and flexible than the mobile field equipment. Also, multiple drive adapters are normally available to handle the various types of hard disk interfaces. As an example, a single computer may have IDE, SCSI, and SATA[21] hard drives. This would require a different adapter to deal with the SATA drive and a different process to acquire the SCSI drive, all of which is easily accomplished in a lab environment. The other advantage of off-site acquisitions is the reduction in cost. There is no need to “babysit” the acquisition process once it is started in a lab environment. The lab can be secured and the acquisition left to run to completion. Normally, this means a much lower cost, since the examiner can go off and work on another case while your evidence is being acquired. As a result, many computer forensic companies charge a flat fee for each hard drive acquisition and not a time-based fee as they would for on-site work. However, there are companies that charge for computer run time even if a human being is not present during the acquisition. Make sure you understand what you are paying for.

8-5.3 Image Copies
On occasion, you may be able to save even more money by getting a copy of the forensic image from the other party. This saves time and money, especially since the forensic image can be validated and a proper chain of custody maintained. So, what do you ask for if requesting a copy of a forensic image? There are several formats that are typically requested. One image format is the EnCase[22] evidence file format, sometimes also called an .E01 file because of the file extension.
EnCase is a computer forensic software application developed by Guidance Software (http://www.guidancesoftware.com). The EnCase file format is proprietary and is commonly used by commercial and law enforcement entities. There are third-party products that will generate EnCase evidence files, but their usage is not recommended. The third parties have reverse-engineered the EnCase file format and have not directly licensed its usage. In our opinion, the generation of EnCase files by a non–Guidance Software product just invites a court challenge to the authenticity and accuracy of the data. Another very common evidence file format is a bit-stream format. This is a non-compressed, complete bit-by-bit image of the original evidence. The files are also known as “dd” images because the Unix “dd”[23] command (commonly expanded as “data dump”) is used to create them. These days, Linux is a very common operating system used to generate a dd image. The dd image is also known as a raw image, and the hardware-based forensic imagers typically output a raw image file. An open source product used to create a variant of the dd files is called “dcfldd” and is available at http://dcfldd.sourceforge.net. “Dcfldd” is an enhanced GNU dd with features useful for security and forensics.[24] Some of the useful features include on-the-fly hashing, a progress bar of data acquired, verification of the data, and the ability to split the bit-stream file into smaller chunks. The ability to split the data file into multiple smaller files means that they can be copied to alternate media such as CDs or DVDs. The military investigation units (for example, the Office of Special Investigations (OSI)) tend to use dcfldd as their standard imaging software. So what does all of this mean? It means that if someone has already created a forensic image, you don’t have to go through the work all over again and can merely get a copy of the evidence files. It is not uncommon for an examiner to copy EnCase evidence files to a hard disk and give them to the other side, or for the FBI to copy dd images to a hard disk to give to the defense expert. This saves a tremendous amount of money, since forensic images do not need to be reacquired. When receiving copies of evidence files, make sure you also obtain the hash values for the original drives or other acquired media so that you can validate the evidence.

Notes:
[21] Serial ATA, SearchStorage.com, August 2005, http://searchstorage.techtarget.com/definition/Serial-ATA (accessed July 19, 2013).
[22] EnCase, GuidanceSoftware.com, 2006, http://www.guidancesoftware.com/computer-forensics-ediscoverysoftware-digital-evidence.htm (accessed July 19, 2013).
[23] dd, Wikipedia, July 14, 2013, http://en.wikipedia.org/wiki/Dd_%28Unix%29 (accessed July 19, 2013).
[24] dcfldd, Forensicswiki, June 19, 2011, http://www.forensicswiki.org/wiki/Dcfldd (accessed July 19, 2013).

8-5.4 Hash Sets
How do you definitively identify data or specific information contained in your electronic evidence? One method is to use a process called hashing.[25] Hashing is the transformation of a string of characters into a shorter, fixed-length value. These values facilitate a much faster search than interrogating the original, longer data. The shortened hash value can be viewed as an index to the original data. You can create a hash set (or a single hash value) for any desired data. As an example, a hash set could include the values for all the operating system files included in a specific version of Windows. Obviously, you want to hash only the files that do not change and not those that are modified as a result of usage. Once you have identified the non-changing Windows system files, a hash set can be created to compare against future electronic evidence files. Normally, you are not concerned with operating system files. User data files are of much more import during an analysis.
Therefore, if you can identify the operating system files and filter them out, the amount of data to analyze is reduced. This speeds up any additional searching and analysis. A good source for operating system file hash sets and hash sets for specific software applications is the National Software Reference Library[26] (NSRL) project. The NSRL is designed to collect software from various sources and incorporate it into a reference data set (RDS). Currently, the NSRL hash files are delivered on four CDs and provide over 32 million unique SHA-1 values for over 109 million files.[27] The files are in a compressed form and will expand to several gigabytes in size. Another purpose for creating a hash set is to specifically identify user data. As an example, you could hash the files that represent specific company data. This database of hash values could then be compared against the opponent’s computer systems to determine whether your company data exists on their machines.
Practice Tip: Think of “hashing” as a digital fingerprinting process. This is how evidence is authenticated.
Finally, the hashing process is also used to authenticate and validate a forensically acquired image. Typically, a value called an MD5[28] (message digest 5) hash is calculated for the original evidence and compared to the value calculated for the forensic image that is acquired. MD5 is an algorithm that produces a 128-bit value for the specific data being hashed. In the case of forensic images, the MD5 is calculated over every sector of the original hard disk, in order. Once the forensic image is created, another MD5 is calculated over every sector of the imaged evidence. Both MD5 values should be identical, which indicates a forensically sound image. One caveat: MD5 remains in wide use for this purpose, but collisions (two different inputs with the same MD5 value) can be deliberately constructed for it, so current imaging tools record a SHA-1 or SHA-256 value alongside the MD5, and you should ask for both.

Notes:
[25] Hashing, SearchSQLServer.com, September 2005, http://searchsqlserver.techtarget.com/definition/hashing (accessed July 19, 2013).
[26] NSRL, National Software Reference Library, July 19, 2013, http://www.nsrl.nist.gov (accessed July 19, 2013).
[27] Id.
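What the acquisition and verification just described look like in working form, as an added example written for this chapter (it is not the authors’ code and it is not dcfldd itself): a bit-stream copy that hashes every byte as it passes through, optionally splits the output into fixed-size pieces the way dcfldd can, and a verification pass that re-reads the pieces and compares the result with the acquisition record. The “evidence” is a constructed file of pseudo-random bytes; a real acquisition would read the evidence drive through a write blocker instead.

```python
import hashlib
import os
import random
import tempfile

BLOCK = 65536  # bytes read and written per step, the analogue of dd's bs=


def acquire_image(src_path, out_prefix, split_size=None, block=BLOCK):
    """Bit-stream copy of src_path into one or more pieces named
    <out_prefix>.000, .001, ..., hashing every byte as it passes through.
    Returns the acquisition record: byte count, MD5, SHA-256 and piece paths."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    pieces, total = [], 0
    out, in_piece = None, 0

    def next_piece():
        nonlocal out, in_piece
        if out is not None:
            out.close()
        pieces.append(f"{out_prefix}.{len(pieces):03d}")
        out = open(pieces[-1], "wb")
        in_piece = 0

    next_piece()
    with open(src_path, "rb") as src:
        for chunk in iter(lambda: src.read(block), b""):
            md5.update(chunk)
            sha256.update(chunk)
            total += len(chunk)
            view = memoryview(chunk)
            while len(view):
                if split_size is not None and in_piece == split_size:
                    next_piece()  # current piece is full, start the next one
                room = len(view) if split_size is None else min(len(view), split_size - in_piece)
                out.write(view[:room])
                in_piece += room
                view = view[room:]
    out.close()
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "pieces": pieces}


def verify_image(pieces, record, block=BLOCK):
    """Re-read the pieces in order, rehash the stream and compare it with the
    acquisition record. A changed byte, a missing piece or pieces out of order
    all show up as a mismatch."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    for path in pieces:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(block), b""):
                md5.update(chunk)
                sha256.update(chunk)
                total += len(chunk)
    return {
        "bytes_match": total == record["bytes"],
        "md5_match": md5.hexdigest() == record["md5"],
        "sha256_match": sha256.hexdigest() == record["sha256"],
    }


def hash_source(path, block=BLOCK):
    """Independent MD5 of the original, the value you would compute on the
    evidence drive itself (behind a write blocker) to compare with the image."""
    md5 = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            md5.update(chunk)
    return md5.hexdigest()


def demo(size=1_048_589, split_size=300_000):
    """Image a constructed 'evidence' file, verify it, then flip one byte in the
    last piece and verify again. Returns (record, source_md5, clean, tampered)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")
    with open(src, "wb") as f:  # pseudo-random bytes with a fixed seed (constructed)
        f.write(random.Random(42).getrandbits(size * 8).to_bytes(size, "little"))
    record = acquire_image(src, os.path.join(tmp, "evidence.raw"), split_size)
    clean = verify_image(record["pieces"], record)
    with open(record["pieces"][-1], "r+b") as f:  # simulate post-acquisition damage
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0x01]))
    tampered = verify_image(record["pieces"], record)
    return record, hash_source(src), clean, tampered


if __name__ == "__main__":
    record, source_md5, clean, tampered = demo()
    print(f"{record['bytes']} bytes in {len(record['pieces'])} pieces, MD5 {record['md5']}")
    print("source MD5 matches image:", source_md5 == record["md5"])
    print("clean verification:", clean)
    print("after one-byte change:", tampered)
```

The hashes are computed over the byte stream in order, so splitting the output into pieces does not change them; the piece boundaries are a storage convenience, which is why the verification re-reads the pieces in sequence rather than hashing each one separately. The one-byte change leaves the byte count intact and is caught only by the hashes, which is the whole point of recording them.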
The MD5 value is also called the “digital fingerprint” for the data being hashed. As previously mentioned, you want to obtain the hash value for the original evidence if you are receiving copies of evidence. This is so you can validate that the copy is a true and accurate representation of the originating evidence.

8-5.5 Child Pornography
It is very unfortunate that we have to be concerned with the existence of child pornography when considering electronic evidence. Technically, the mere possession of one image of child pornography is a violation of federal law and a criminal offense. After acquiring any electronic evidence, the attorney may request that the evidence be scanned for the existence of child pornography. There are two ways to scan the evidence for child pornography. One is to use a database of known hash values for child pornography. There are several sources for the hash sets, but there is limited access to them for the private sector. The major source for hash set information regarding child pornography is the National Center for Missing and Exploited Children (NCMEC),[29] which is restricted to law enforcement only. The electronic evidence is compared to any of the child pornography hash sets, and the MD5 hashes are reviewed to see if there are any positive hits. A hit is where the MD5 hash of a file matches a known value for child pornography. A positive match of an MD5 value means that the file is known or suspected child pornography and must be reported to the authorities. The second method is to visually scan each image and video file. This is a very time-consuming process. Several of the computer forensic analysis software applications provide the ability to place the files into a thumbnail view so that multiple image files are presented in a gallery fashion. This allows for viewing multiple files at one time. It is still time-consuming because a single hard drive can contain tens of thousands of image files.
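Both uses of hash sets described above, known-file elimination against the NSRL reference data set in 8-5.4 and matching against a set of hashes that identify files of interest (company data, or the law-enforcement-supplied sets of 8-5.5), come down to one walk over the evidence with a lookup per file. The Python below is an added example written for this chapter, not code from the authors or from any forensic product. Everything in it is constructed: the file tree is four stand-in files, the “NSRL” excerpt follows the column layout of the legacy NSRLFile.txt RDS export (that layout is an assumption here, not taken from the chapter), and the “known-bad” set contains only the hash of a harmless constructed file standing in for a set the private sector cannot obtain.

```python
import csv
import hashlib
import io
import os
import tempfile


def hash_stream(fobj, block=65536):
    """MD5 and SHA-1 of a readable binary stream, upper-case hex, read in blocks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fobj.read(block), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def load_nsrl_sha1(csv_text):
    """SHA-1 column of an NSRL RDS export. Assumed layout (legacy NSRLFile.txt):
    quoted CSV with a header row and SHA-1 as the first column."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(csv_text))}


def triage(root, known_good_sha1, known_bad_md5, company_md5):
    """Walk a mounted, read-only evidence tree and put each file in one bucket.
    Known-bad is tested first: such a file is reported, never opened for review."""
    buckets = {"alert": [], "known_good": [], "company_data": [], "review": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            md5, sha1 = hash_file(os.path.join(dirpath, name))
            if md5 in known_bad_md5:
                buckets["alert"].append(name)
            elif sha1 in known_good_sha1:
                buckets["known_good"].append(name)  # OS/application file, drop from review
            elif md5 in company_md5:
                buckets["company_data"].append(name)
            else:
                buckets["review"].append(name)  # user data nobody has a hash for
    return buckets


# Constructed evidence tree: paths and contents are stand-ins, not real files.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"MZ constructed stand-in for an operating system file",
    "Users/jsmith/Documents/merger_memo.docx": b"PK constructed company document",
    "Users/jsmith/Pictures/IMG_0001.jpg": b"\xff\xd8 constructed picture bytes",
    "Users/jsmith/Downloads/unknown.bin": b"constructed file that appears in no hash set",
}


def sample_nsrl_csv():
    """One-row RDS excerpt covering the constructed OS file (layout assumed)."""
    data = SAMPLE_FILES["Windows/System32/kernel32.dll"]
    md5, sha1 = hash_bytes(data)
    return (
        '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
        f'"{sha1}","{md5}","00000000","kernel32.dll","{len(data)}","1","189",""\n'
    )


def demo():
    root = tempfile.mkdtemp()
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known_good = load_nsrl_sha1(sample_nsrl_csv())
    company = {hash_bytes(SAMPLE_FILES["Users/jsmith/Documents/merger_memo.docx"])[0]}
    # Stands in for a law-enforcement hash set; it holds only a harmless constructed hash.
    known_bad = {hash_bytes(SAMPLE_FILES["Users/jsmith/Pictures/IMG_0001.jpg"])[0]}
    return triage(root, known_good, known_bad, company)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

The NSRL is keyed on SHA-1 and the sets in the chapter’s examples on MD5, so the walk computes both in a single read of each file rather than reading twice. The order of the tests is a policy decision: a known-bad hit is reported before anything else is considered, and only what survives every lookup goes to the examiner’s visual review.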
The video files (for example, MOV, AVI, MPEG, etc.) must also be reviewed individually because they could also contain child pornography. To help identify files that may represent images of people, at least one forensic software application has the ability to detect skin tones. This helps speed the review process by skipping images of buildings, vegetation, etc. that don't contain people. The software is rather effective in identifying images of people via skin tone and continues to improve with each version upgrade.

8-5.6 Virus/Spyware Scan

Another preliminary step in the forensic acquisition process is to scan the evidence for the presence of viruses, worms, Trojans, spyware, keystroke loggers, etc. This scan helps identify whether the subject's computer may have been controlled by an external entity or whether some of the computer activity was not user-generated. If you are working with the original evidence, the simplest way to accomplish the scan is to leave it connected to the write blocking device and launch a scan against the evidence. Normally, two types of scans, with appropriate software for each, are used to accomplish this. Configure your antivirus software to do a log-only scan (no cleaning, quarantining or deleting) and select the evidence drive as the target. Once the scan is completed, save the log file to document any viruses, worms, Trojans, etc. that exist. A separate scan is accomplished using anti-spyware software. Configure the software to do a log-only scan and save the log file after the scan completes. Recent versions of antivirus software also scan for spyware, so a separate scan may not be required. Two points to remember: the write blocker is what guarantees the scanner changes nothing, so never run it against an unprotected original, and a clean scan does not prove the absence of malware; it only records that the signatures in use on that date found nothing.

28 MD5, SearchSecurity.com, September 2005, http://searchsecurity.techtarget.com/definition/MD5 (accessed July 19, 2013).
29 NCMEC, Wikipedia, July 17, 2013, http://en.wikipedia.org/wiki/NCMEC (accessed July 19, 2013).
If you do not have the original evidence drive, then you will need to perform the scans using a different method. Some forensic software applications allow you to mount the evidence in a read-only mode and present the data to your analysis machine as if it were another disk drive. In this way, you merely select the appropriate disk drive as the target for the scans. Another option is to load the evidence into a virtual environment using a product such as VMware Workstation.30 This allows you to boot the subject's system inside a virtual machine on your analysis computer and observe it exactly as the subject would. Boot a working copy of the image rather than the verified image itself, or configure the virtual disk as non-persistent, because booting an operating system writes to its disk and the booted copy will no longer hash-match the acquisition. Not all operating systems are supported in virtual machines, so this may not be an option for some pieces of evidence.

8-5.7 Write Blockers

As previously mentioned, the use of a write blocker is critical to maintaining the integrity of the evidence. A fundamental requirement of computer forensics is that original data is not modified in any way from its original condition. Write blockers maintain this integrity. There are several ways to write block the original evidence. One of the simplest is a hardware device specifically designed to prevent writing to the original evidence. Simply connecting an evidence drive to a Windows-based computer will modify the original contents. It may be something as minor as creating a temporary file on the drive (Windows, for example, may create a System Volume Information folder on a newly attached NTFS volume) or as sweeping as an on-access antivirus scan of the entire contents that changes every file's last-access time.

There are several vendors of hardware write blockers. Guidance Software has acquired the assets of Tableau LLC. Tableau31 manufactures forensic bridges, which provide read-only and read/write capability for a number of drive interfaces. They are very popular and have native SATA and IDE interfaces. They are very flexible and can connect to your computer via eSATA,32 FireWire 800, FireWire 400, or a USB connection.
Wiebetech33 also produces several hardware write-blocking systems that are used in the industry. Their field kits are extremely popular because they contain all sorts of adapters to deal with the various drive interfaces that may be encountered in the field.

Write blocking can also be achieved through software. Guidance Software has an EnCase add-on module for write blocking via software. The FastBloc Software Edition34 protects the original evidence when it is connected through specifically supported interface cards. There is an additional charge for this module and it requires an EnCase license too. Another software write blocker, SAFE Block from ForensicSoft, Inc.,35 is available and does not require any additional licenses or products. You can also write block USB mass-storage devices on a Windows system by manipulating the registry: setting the WriteProtect value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies to 1 (creating the key if it is absent) turns writes off, and setting it back to 0 turns them on, giving the examiner a no-cost way to write block USB evidence. The setting applies only to devices the system recognizes as USB mass storage and does nothing for SATA or IDE drives connected directly, so it is a convenience for thumb drives and USB enclosures rather than a general solution.

Finally, a large number of forensic examiners achieve write blocking through Linux. The evidence is mounted manually in read-only mode, and the dd command is then used to generate the forensic image. Two cautions apply. A read-only mount is not enough on its own for journaling filesystems such as ext3 and ext4, because the kernel may replay the journal (writing to the disk) during an ro mount unless the noload option is given; the safer habit is to mark the block device read-only first (blockdev --setro /dev/sdX) and to image the raw device without mounting it at all. Also make sure the distribution is not configured to auto-mount newly detected drives, since an automatic read/write mount defeats the purpose before you have typed a single command.

30 VMware Workstation, Wikipedia, July 19, 2013, http://en.wikipedia.org/wiki/Vmware (accessed July 19, 2013).
31 Classic Enhanced Bridge Family, tableau.com, 2013, http://www.tableau.com/in_dex.php?pageid=products&category=forensic_bridges (accessed July 20, 2013).
32 External SATA, Wikipedia, July 20, 2013, http://en.wikipedia.org/wiki/Serial_ATA (accessed July 20, 2013).
33 Wiebetech, wiebetech.com, 2013, http://www.wiebetech.com (accessed July 20, 2013).
34 FastBloc Software Edition, guidancesoftware.com, 2013, http://www.guidancesoftware.com/computerforensics-software-fastbloc.htm (accessed July 20, 2013).
35 ForensicSoft, Inc., ForensicSoft.com, 2010, http://www.forensicsoft.com (accessed July 20, 2013).
Linux is becoming very popular for imaging, as it is a low or no-cost solution; however, the command line operation for forensic acquisitions makes its usage more complicated and better suited for the technically capable. In addition to dd, there is an open-source program called dcfldd, available at http://dcfldd.sourceforge.net/, that hashes the data as it is imaged; it was discussed in section 8-5.3, Image Copies, of this chapter.

No matter which type of write blocking you choose (hardware, software, Linux, etc.), you should periodically test and verify the effectiveness of the write-blocking method. As an example, perhaps a new version of the software write-blocking module has a bug when trying to protect a disk connected to a specific vendor's interface card and actually allows writing to the drive. So how would you test your write-blocking methods? The easiest way is to use the hashing methodology previously mentioned. Connect your test drive to the write blocker and hash the drive to generate a hash value. Attempt to modify the drive contents while connected to the write blocker: create a file, change one, delete one, and try a raw write to the disk outside the file system as well, since a blocker that stops the one but not the other is not a blocker. Shut down the entire system and power it back up again so that nothing is left in a cache. Re-hash the exact same number of sectors on the test drive as you did originally. The hash values must match, which indicates that the write-blocking mechanism is working properly. Don't simply rely on the manufacturer's statement that the device is properly protecting the evidence. No technology is 100 percent accurate 100 percent of the time. Periodic testing will increase your confidence and ensure that you are not modifying the original evidence in any way.

8-6 FORENSIC SOFTWARE

There are several manufacturers of forensic analysis software. It would be impossible to list every piece of software available. We will identify the more popular packages that you may come across or hear about as you deal with electronic evidence.
As previously mentioned, EnCase is the most popular and widely used of the computer forensic software applications. It is commonly used by law enforcement and private sector examiners alike. EnCase is a complicated software package and requires training and experience to harness its power as a forensic tool. EnCase is a Windows-based software package, as are many of the other vendors' products. There are add-on modules for EnCase that allow enhanced functions such as the Virtual File System (VFS), Physical Disk Emulator, EnCase Decryption Suite, FastBloc Software Edition (SE), and Smartphone Examiner.

A competitor to EnCase is Forensic Toolkit (FTK) by Access Data. There are two major features of FTK that are touted by computer forensic examiners. The first is cost. FTK is much less expensive than EnCase. The second popular feature is speed. FTK uses a pre-processing step that indexes the electronic evidence into various groupings. This indexing helps speed the searching of the data during the analysis phase. FTK has been known for its e-mail handling capability in the past; however, other vendors are improving their ability, and individual tools for specific e-mail stores are typically used instead of relying on the ability of the forensic software package. In response to the speed of searches in FTK, Guidance Software has provided an indexing process since version 6 of EnCase.

X-Ways Forensic36 by X-Ways Software Technology AG is even less expensive than FTK. X-Ways is quickly becoming the forensic tool of choice. Like FTK and EnCase, X-Ways Forensic is a Windows-based product. Its presentation and interface are similar to other forensic applications. X-Ways handles some forms of e-mail much better than FTK. The major advantage is the ability to preserve the linkage of an e-mail message to the body contents. It does require some time to pre-process in order to maintain this relationship, but it is well worth it in the long run.
Practice Tip: Every good expert comes with a "toolkit": lots of hardware, lots of software. This is why computer forensics is not cheap. Good experts have a diverse arsenal of weapons to handle whatever they encounter.

The use of EnCase is beginning to fall out of favor within the computer forensics community. Guidance Software appears to be targeting very large organizations and companies for its products, abandoning the loyal EnCase users of the early days. It is also moving into the eDiscovery field by providing review tools to handle the electronic evidence throughout the entire litigation process. Access Data has had trouble ever since the introduction of FTK 2.x, and examiners are still steering away from that product line as well. The hardware requirements alone make an FTK 2.x installation very impractical for most examiners. In response, Access Data introduced version 3 of FTK with completely rewritten functions. Today, FTK is at version 5 and it seems the headaches of old are a thing of the past. The hardware requirements for FTK are still pretty steep when compared to other vendors. We're not sure whether cost and the hardware requirements are keeping examiners from utilizing FTK, but we rarely see it being used by any examiners. In our experience, those with FTK 1.x licenses are not upgrading to the latest version, nor are they investing in further EnCase versions. Instead, we are seeing a migration among computer forensic examiners to the X-Ways product line as a primary analysis tool. Many forensic examiners are keeping just one license of EnCase and FTK to be used for validation purposes and are using X-Ways for the majority of examinations.

No single piece of software or hardware will address all of the situations encountered with electronic evidence. Many different tools are needed to effectively analyze the electronic evidence of today.
As an example, a specialized tool may be needed to analyze the data on a multisession CD.37 CD/DVD Inspector38 is an example of a special tool for analyzing optical media. The increased use of cellular phones is also requiring special software to deal with text messages, call logs, and phone book entries on a cell phone. One popular package for analyzing cell phones is Device Seizure39 by Paraben Forensics. Another challenge with cell phones is the large number of power supplies and data interconnection cables required to interface the phone to the analysis computer. Prior to expending any significant time and expense on cell phone forensics, make sure that the target cell phone is supported by the analysis software, that a power source is available, and that a data cable is available for the phone.

Arguably the leading tool for cell phone (mobile device) forensics is the Universal Forensic Extraction Device (UFED)40 Touch by Cellebrite. Cellebrite has the advantage of working with a large number of different cell phone manufacturers and models since they construct the data transfer devices that the cellular carrier technicians use to move your address books, etc. when you upgrade your phone. This means they have "inside" knowledge about how a specific phone stores its data and how to communicate with the device. There are two versions of the UFED Touch.

36 X-Ways Forensic, x-ways.net, 2006, http://www.x-ways.net/forensics/index-m.html (accessed June 16, 2011).
37 Multisession CD, SearchStorage.com, September 2005, http://searchstorage.techtarget.com/definition/multisession-CD (accessed July 20, 2013).
38 CD/DVD Inspector, infinadyne.com, http://www.infinadyne.com/cddvd_inspector.html (accessed July 20, 2013).
39 Device Seizure, paraben-forensics.com, 2012, http://www.paraben.com/device-seizure.html (accessed July 20, 2013).
40 UFED, cellebrite.com, 2013, http://www.cellebrite.com/mobile-forensic-products.html (accessed July 20, 2013).
One is used for analyzing and extracting logical information (what the phone's own interface will hand over: contacts, call logs, messages) and the other is used to extract the physical memory contents, thereby recovering hidden and deleted data. The UFED Touch Logical starts at around $4,000 and the UFED Touch Ultimate will set you back around $8,000. Annual maintenance and licensing costs are also required, which makes the Cellebrite device pretty expensive. However, it is one of the best tools for analyzing mobile devices (notepads, tablets, cell phones, etc.) on the market and well worth the thousands of dollars each year.

In order to deal with electronic evidence from mobile devices, some examiners are purchasing the add-on modules for their base forensic software. EnCase and FTK both have modules that can be used to analyze some mobile devices. In our experience, neither one is very good and they are limited in the devices that they support. This is another reason why investing thousands of dollars in a Cellebrite UFED Touch may be the better decision.

Besides the core analytical software used to investigate the electronic evidence, other software may be needed to deal with specific aspects of the data. Software may be needed to view specific image file formats if they are not supported in the forensic software package. As an example, the forensic software may not be able to view the image format used with AOL's software; therefore, the images will have to be viewed outside of the forensic software using an application that can view AOL images. Perhaps the relevant e-mail messages are accessed using the Lotus Notes application, which is not supported by the forensic analysis software. Again, a separate software package would be needed to analyze the Notes information outside of the forensic software application. This is not an unusual situation because no single software tool can handle all of the formats of electronic evidence you will encounter.
An extremely powerful addition to our lab is software from Nuix.41 We use Nuix primarily as an e-mail analysis tool, but it also has great filtering and searching capability. It is excellent in dealing with Exchange data files, PST files, OST (offline PST) files, and Lotus Notes databases.

Speaking of Nuix, we believe that every lawyer should have a copy of Proof Finder,42 another product from Nuix. The cost is only $100 per year and all revenue goes to charity. There is a limit of 15GB of data per case, but that should be more than sufficient for the majority of cases. You get all the power of Nuix at a very low cost and charity benefits too. How can you go wrong?

8-7 DIGITAL FORENSIC CONSULTANTS

What do you look for when selecting a digital forensic consultant or firm? Probably the most effective method is through referrals. What better way to learn about a company and its personnel than through someone who has already used their services? You should also review the CVs of the experts. They should have technical certifications such as Certified Novell Engineer (CNE), Microsoft Certified Systems Engineer (MCSE), Cisco Certified Network Associate (CCNA), and the like; these establish that the examiner understands the systems the evidence came from, not that they know how to examine it. In addition to the technical certifications, look for digital forensic-specific certifications. The EnCase Certified Examiner (EnCE) and the Certified Computer Examiner (CCE) are the two most prevalent and respected certifications.

Practice Tip: Turn on the hot white lights and grill your potential expert!

Besides actual credentials, see if the person has ever testified and/or been qualified as an expert in digital forensics. You probably won't feel very comfortable with a "rookie" technologist who has never qualified.

41 NUIX, nuix.com, 2013, http://www.nuix.com/ (accessed July 20, 2013).
42 Proof Finder, nuix.com, 2013, http://www.nuix.com/prooffinder (accessed July 23, 2013).
If the forensic technologist is going to testify or be deposed, can they take complex electronic evidence concepts and present them in plain English? The inability to present simple and clear analogies to a jury or judge is a huge anchor that can sink your case in a heartbeat. Have they been published? Do they speak on digital forensics? If so, their testimony is likely to be seen as more credible by a judge or jury. Make sure you speak with the expert yourself and ask a few questions to get a sense of whether you can work comfortably with this person. Don't hesitate to "grill" them a little (a true expert won't mind in the least) and you'll know whether they will be comfortable making on-the-fly responses from the witness stand.

8-8 EVIDENCE SAMPLING

Practice Tip: Repeat after us: "Sampling saves money!"

So how do you contain costs and maximize your chances of relevant evidence "harvesting"? All too often, forensic companies are advising clients to acquire all of the electronic information available. This can be an extremely costly endeavor. It would be far more cost effective to acquire only the computers and/or media that contain relevant information, but how do you know which computers to acquire? A technique called sampling can be used to determine where the relevant information may reside. Select several computers belonging to some of the key players in the case and forensically acquire them. Analyze the "subset" to determine if there is enough data to support your claims. Choosing to first analyze a smaller amount of data is less expensive and can quickly determine if relevant data may exist in electronic form. Perhaps a real-world example can better explain sampling and the resulting effect.

Case Scenario:43 The defendant is accused of continued use of plaintiff's proprietary database application following a fallout in the contract negotiations. The defendant claims to have deleted or returned all of the data associated with the database application.
The plaintiff contends otherwise. The plaintiff desires to perform a forensic acquisition of all of the defendant's computers in order to determine the existence of the proprietary data. The defendant contends that performing the acquisitions is overly burdensome and would significantly impact its business operation, effectively shutting it down for several days. The judge allows a sampling of the main server only, for up to six hours over an agreed-upon weekend. Prior to actually visiting the defendant's site for the sampling effort, a hash set of the plaintiff's database application was created. The hash set contains a digital value for each file comprising the database application, effectively presenting a "digital fingerprint" for each piece of digital data contained in the plaintiff's application. While on-site at the defendant's place of business, the hash values for files on the server were compared to the hash set representing the plaintiff's proprietary database application. There were over 900 positive hits, which shows that files from the plaintiff's database application were still present on the defendant's server.

The above-referenced case is illustrative of a practical sampling technique. This process saved a significant amount of money because only one computer (a server) was sampled instead of every one of the defendant's computers. This is similar to the sampling that occurred in Zubulake v. UBS Warburg, where Judge Scheindlin ordered the restoration of a small number of backup tapes to determine if any relevant e-mails would be found on the tapes.

43 Gerner v. Applied Industrial Materials Corp., No. FST-CV-02-0192069-S (Conn. Super. October 17, 2002).

8-9 SEARCHING THE EVIDENCE

At the heart of evidence analysis is the function of searching. Searching can mean trying to find data that exists in a number of different forms.
The desired data is typically found in the form of documents (word processing, spreadsheets, etc.), financial information, images (pictures, movies, etc.), messages (e-mail, instant messages (IM), chat rooms, etc.), and artifacts of electronic data. The search methods vary depending on the data being searched.

Keyword searches are the most common form of search criteria. The term keyword is used generically to identify words or phrases. In the simplest form, a single word is used to search against the evidence. The data is then scanned for the existence of the word selected in the search. A simple search is a substring search: it finds the keyword wherever those characters occur, including inside longer words. As an example, searching for the word Frank will return the word and everything that contains it, so "frankly" and "Frankfurt" would also be identified as search hits. Remember that a hit is a positive result where the search term exists.

Practice Tip: Searching smart saves a TON of money.

It is imperative to sensibly reduce the volume of data to be reviewed. Selecting common terms for search words will return thousands and thousands of hits, making it almost impossible to review the search results in an efficient manner. Therefore, it is important to select appropriate search terms and/or use different searching methods to maximize the amount of relevant data that may be returned. A first step is to select very narrow search terms or phrases so that a lot of "noise" data is not returned. The problem with simple searches is that all variants of the selected term are returned, as was previously described. A second problem is that an EXACT match is required to return a search hit. So why is this a problem? Not everyone types or enters data correctly on every occasion. If you are searching for the keyword "shipper," you won't find a document or e-mail message if someone typed it as shopper (the i and the o sit side by side on a QWERTY44 keyboard). The key document to crack open your case may have just been missed.
If you use simple search methods (exact matches), what can you do to return more pertinent results? Avoiding common terms has already been discussed. Making the keyword case sensitive may help reduce the "noise" hits too. Another "trick" is to search for the keyword as a whole word, so that the search does not accept the various longer forms of the word. Some search engines are capable of "fuzzy" searches. Fuzzy searching45 promises to find results for misspelled and similar words. Fuzzy search engines work on similarity, but we're still beholden to the specific logic that the computer programmer built into the engine. This "fuzzy" logic may not be what you intended or desired, but you have no choice but to accept the results. Some of the more sophisticated search methods contain "artificial intelligence" and claim to "learn" from the user's actions. In these cases, a very large amount of data is needed to get anything close to acceptable results. The user enters a keyword and views the results. If the user "discards" all of the results, then the search engine "knows" to try something else on the next round. If the user selects some of the results as relevant, the search engine factors in the characteristics of the selected results for the next round of searching. Like the fuzzy search logic, the "artificial intelligence" engine results are the output of the computer program logic and how it handles the user inputs.

Rather than merely searching for specific words, the use of phrases can significantly reduce the number of false positives returned. In addition, the use of Boolean46 searches helps refine the search results. A Boolean search is one where you use multiple keywords and conditionals.

44 QWERTY, Wikipedia, July 16, 2013, http://en.wikipedia.org/wiki/QWERTY (accessed July 20, 2013).
45 Fuzzy string searching, Wikipedia, July 7, 2013, http://en.wikipedia.org/wiki/Fuzzy_string_searching (accessed July 20, 2013).
As an example, you may define a Boolean search for "General Electric AND 747" hoping to get documents relating to the jet engines manufactured by GE that are used on a Boeing 747 aircraft. Boolean searches can be as simple or as complex as you want. Many search engines allow for Boolean operators such as AND, OR, NOT, or W/7 (within 7 words). Make sure you are familiar with the search string operators for your particular application and/or search engine. How does the software handle wildcard values? Are hyphens indexed or ignored?

When doing the searches, it is important to understand the form of the data and how it is stored on the computer media. Not all data is stored in clear text, so you may have to create your keyword searches using hexadecimal values or some other form. One very common form of writing text to disk is Unicode.47 Unicode provides a method to uniquely represent every character no matter what the platform, program, or language. As an example, the capital letter L is assigned the code point U+004C in the Basic Latin block. This is true across operating systems (for example, Windows NT, Windows 2000, Sun Solaris, Mac OS 9.2, Mac OS X 10.1, etc.) and programming languages, which is the point of the Unicode standard. What differs is how the code point is written to disk: Windows applications commonly store text as UTF-16 little-endian, where the letter L appears as the byte pair 4C 00, whereas ASCII and UTF-8 store it as the single byte 4C. A keyword search must therefore be expressed in the same encoding as the data, which in practice means searching for both forms, or the UTF-16 copies of a document will be missed. The good news is that you don't have to know the Unicode table or even look it up. The search engine will provide a selection for Unicode and do the hexadecimal conversion for you.

Perhaps your search involves a foreign language in addition to English. Again, you need to structure your keywords according to the foreign language spelling for the words you desire. This can lengthen the review process, especially if you have to search for the same keyword in multiple languages. Fortunately, most cases do not involve foreign languages, so the keywords should be fairly straightforward.
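The searching points made above, as an added Python example (not from the chapter or from any search product): a plain substring search against raw bytes, the whole-word and case-sensitivity refinements, the same keyword compiled for both UTF-8 and UTF-16LE so that Windows-stored text is not missed, a fuzzy match that turns up "shopper" for "shipper", and a W/n proximity test. The two documents and the null filler around them are constructed, and difflib's similarity ratio stands in for whatever rule a commercial engine applies.

```python
"""Keyword search over raw evidence bytes.

Added example (not from the chapter).  The two 'documents' and the filler
around them are constructed; the same functions would be applied to an image
file or an unallocated-space extract read in windows.
"""
import difflib
import re

# Text lands on disk in more than one encoding.  Windows commonly uses UTF-16
# little-endian, where "L" is the byte pair 4C 00 rather than the single byte
# 4C of ASCII/UTF-8, so each keyword is compiled once per encoding.
ENCODINGS = ("utf-8", "utf-16-le")


def find_raw(data, term, whole_word=False, ignore_case=True, encodings=ENCODINGS):
    """Return (encoding, byte offset, matched text) for every occurrence.

    A plain search is a substring search: "frank" also hits "Frankly" and
    "Frankfurt".  whole_word=True rejects a hit when a letter (in the same
    encoding) sits immediately before or after it.
    """
    hits = []
    for enc in encodings:
        pattern = re.escape(term.encode(enc))
        if whole_word:
            letter = b"[A-Za-z]" + (b"\x00" if enc == "utf-16-le" else b"")
            pattern = b"(?<!" + letter + b")" + pattern + b"(?!" + letter + b")"
        flags = re.IGNORECASE if ignore_case else 0
        for m in re.finditer(pattern, data, flags):
            hits.append((enc, m.start(), m.group().decode(enc)))
    return sorted(hits, key=lambda h: h[1])


def fuzzy_hits(text, term, cutoff=0.8):
    """Near matches for a keyword in decoded text, e.g. 'shopper' for 'shipper'.

    difflib's ratio is the similarity rule here; a different engine applies a
    different rule, which is the chapter's point: you inherit the programmer's
    notion of 'similar'.
    """
    tokens = sorted({t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)})
    return difflib.get_close_matches(term.lower(), tokens, n=10, cutoff=cutoff)


def within(text, phrase_a, phrase_b, n):
    """Boolean proximity (phrase_a W/n phrase_b) over decoded text."""
    tokens = [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]

    def positions(phrase):
        words = phrase.lower().split()
        return [i for i in range(len(tokens) - len(words) + 1)
                if tokens[i:i + len(words)] == words]

    return any(abs(i - j) <= n
               for i in positions(phrase_a) for j in positions(phrase_b))


# Constructed sample: one ASCII document, one UTF-16LE document, null filler.
DOC_ASCII = b"Frankly, Frank shipped the crate to Frankfurt; the shopper signed for it."
DOC_UTF16 = "Invoice from General Electric for one 747 engine.".encode("utf-16-le")
IMAGE = bytes(32) + DOC_ASCII + bytes(32) + DOC_UTF16 + bytes(32)


if __name__ == "__main__":
    print(find_raw(IMAGE, "frank"))                    # three substring hits
    print(find_raw(IMAGE, "frank", whole_word=True))   # only the bare name
    print(find_raw(IMAGE, "shipper"), fuzzy_hits(DOC_ASCII.decode(), "shipper"))
    print(find_raw(IMAGE, "747"))                      # found only in the UTF-16 copy
    print(within(DOC_UTF16.decode("utf-16-le"), "General Electric", "747", 7))
```

An ASCII-only search for "747" returns nothing here even though the invoice plainly contains it; the UTF-16 pattern is what finds it, which is exactly the miss the Unicode paragraph warns about.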
As previously mentioned, you need to know how the target data is stored on the computer. We have already discussed Unicode, which is the most common form of storage for clear text data. What about searching pictures? Obviously, you cannot do a keyword search for the content of an image. Fortunately, a large number of the common image file formats contain a predefined header at the start of the file. This means that every file of that type starts with the same hexadecimal values. As an example, a JPEG file begins with the marker bytes FF D8 FF, and a JFIF-style JPEG has the letters JFIF in byte positions 6 through 9 (counting from zero). This makes it easy to search for JPEG files because their header is uniquely defined. Note, though, that JPEGs written by cameras usually carry Exif in those same positions instead of JFIF, so a search for the JFIF string alone misses them; searching for the marker bytes is the safer choice. Not all file types have unique header information, and for those, determining the file type is nearly impossible. Also, when searching through electronic evidence, especially unallocated space48 (disk area available for reuse that still contains data from previous usage), for files with known header information, there is rarely a clearly defined footer so that you can determine where the file ends. What this means in the practical sense is that you normally only get portions of files when carving through unallocated space.

Perhaps the data is stored in a compressed format. Searching this type of data requires knowing the compression algorithm, because there is no direct relationship between the stored hexadecimal characters and the clear text you are looking for: a keyword search against the raw bytes of a ZIP or DOCX file will not hit.

46 Boolean, searchSMB.com, April 2005, http://searchcio-midmarket.techtarget.com/definition/Boolean (accessed July 20, 2013).
47 Unicode, Inc., Unicode Home Page, 2013, http://www.unicode.org/ (accessed July 20, 2013).
48 Unallocated space, National Institute of Justice, 2013, http://www.nij.gov/topics/forensics/evidence/digital/digital-glossary.htm (accessed July 20, 2013).
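Carving by header and footer, as an added Python example (not from the chapter or from any forensic tool). It searches constructed "unallocated space" for the JPEG marker bytes, reads the JFIF or Exif identifier at offsets 6 through 9, and cuts each hit at the next end-of-image marker when one exists or emits a flagged partial when it does not. The signatures table and the sample bytes are assumptions made for this example.

```python
"""Header/footer carving from unallocated space.

Added example (not from the chapter).  The 'unallocated space' below is
constructed: a minimal JFIF JPEG with its end-of-image marker, and a
truncated Exif JPEG without one.
"""

# (header, footer) per type.  A JPEG starts with the SOI marker FF D8 and an
# application segment marker FF Ex; "JFIF" or "Exif" then sits at offsets
# 6..9.  Searching only for "JFIF" misses camera (Exif) files, so the marker
# bytes are the header and the identifier is read afterwards.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(data, kind="jpeg", max_size=1 << 20):
    """Find every header and cut to the next footer if one exists.

    Unallocated space rarely holds a clean footer (the tail was overwritten
    or was never contiguous), so a header with no footer within max_size is
    carved as a partial of up to max_size bytes and flagged.  An FF D9 inside
    an embedded EXIF thumbnail ends a JPEG carve early; a carved file still
    has to be opened to confirm that it renders.
    """
    header, footer = SIGNATURES[kind]
    carved, pos = [], 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        end = data.find(footer, start + len(header))
        complete = end != -1 and (end + len(footer) - start) <= max_size
        length = end + len(footer) - start if complete else min(max_size, len(data) - start)
        carved.append({
            "offset": start,
            "length": length,
            "complete": complete,
            "ident": data[start + 6:start + 10] if kind == "jpeg" else None,
            "bytes": data[start:start + length],
        })
        pos = start + len(header)
    return carved


# Constructed sample: 512 zero bytes, a minimal JFIF JPEG (SOI, APP0 with
# "JFIF", a zeroed quantization table, EOI), zero filler, then an Exif JPEG
# whose tail is missing, then more filler.
JFIF_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xdb\x00\x43\x00" + bytes(64)
              + b"\xff\xd9")
EXIF_TRUNCATED = (b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
                  + b"\x12" * 40)
UNALLOCATED = bytes(512) + JFIF_IMAGE + bytes(300) + EXIF_TRUNCATED + bytes(200)


if __name__ == "__main__":
    for c in carve(UNALLOCATED):
        state = "complete" if c["complete"] else "partial"
        print(c["offset"], c["length"], c["ident"], state)
```

The second hit is reported with its Exif identifier and flagged partial, which is the normal outcome in unallocated space; a carving tool that silently wrote both out as .jpg files would leave you to discover the truncation when the viewer fails.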
Normally, you would use the native application and view the files in their native environment, or export the data to a different format (for example, a text file) so that it can be searched more easily. There are exceptions to this conversion requirement. Some searching software is programmed to "understand" or decode the file contents of the more popular applications (for example, Word, Excel, Outlook, PST, PDF, etc.). This is extremely valuable when reviewing the electronic evidence. In addition, many of the products can search compressed and compound files (for example, ZIP). If you are using an electronic evidence management software package such as Summation or Concordance, make sure you know which file formats are supported. You may need to have your forensic technologist convert the data prior to your review. Probably one of the most common conversions is to take the Exchange mail server data (.EDB files) and convert it to .PST49 files. A .PST file is a personal folder file and is easily viewed using Outlook.

Encryption is a killer for digital forensics, and its impact on searching is equally deadly. You cannot search encrypted data in its native form. This means that all of those encrypted e-mail messages will not "bubble up" with even the narrowest of keywords. The e-mail messages must be decrypted prior to running the search. This is another step in the evidence processing and will increase the cost of analysis and review. Pretty Good Privacy (PGP) is a very popular encryption application and is used for encrypting e-mail messages among other things. Without the recipient's private key and passphrase there is no way to read the messages at all, and even with them, bulk decryption means writing specialized software or a scripting routine. Needless to say, perhaps dealing with the unencrypted messages first will reveal the information needed for the case without having to go through the time and expense of decrypting messages. There is still hope.
Developers of forensic analysis software now have built-in support for various encryption schemes within their products. This means that you merely configure the appropriate passphrase or decryption keys and the analysis software will decrypt the data on the fly. The key or passphrase still has to come from somewhere (the custodian, a court order, a key escrow, or a password recovery attempt); the software only removes the scripting step.

Searching a database is also not a straightforward process. Even if the data is stored in clear text, what is the relationship of one field to the other data in the database record? Products such as the popular dtSearch50 have APIs51 or other methods to facilitate the searching of databases. Effectively, the search engine reads the data from each record of the database and adds the relevant data to its index. Again, make sure you know which database formats and versions are supported by the search engine or by the searching ability within your electronic document review application. Custom queries may have to be run against the database to extract the desired information in a report format. Searching through databases is specific to the database structure and type. It is best to see if relevant information is available in other places that are more easily accessible before trying to search and extract data from databases.

Finally, there is another search methodology known as concept searching. This type of search returns documents based upon what they represent rather than the raw keywords themselves. As an example, a concept search for "GPS" should return results related to "Global Positioning System," "Satellite Navigation," and "NAVSTAR." Like the other innovative searching techniques, concept searching is dependent on the computer programmer(s) and the logic placed in the search engine. As a result, there is a tendency to miss relevant data. One very valuable use of concept searching is to help determine what "raw" keywords can be used for traditional searches. This makes conceptual searching a supplementary search methodology and not a data filtering technique. Depending on a concept search to filter data is a dangerous approach. As the technology improves, search results will improve, but keep concept searching outside your core evidence review.

It is important to note that no one search method is correct or totally accurate. A study by the Text REtrieval Conference (TREC) indicates that you will only return approximately 20 percent of the relevant data using a single search methodology. This means that it will be an iterative process to narrow in on the relevant data for a case. As always, you need to make sure that your search methodology is transparent, defensible, and tested. Each case is different and testing the results will help validate that the relevant data is being returned.

The latest marketing hype from the e-discovery vendors is the use of computer assisted search technology. You have probably heard the term "predictive coding" and wondered what it means. One company even tried to patent the predictive coding term. There are many words used by the vendors, but at the end of the day, it means computers being used to narrow in on relevant data. Think of it as teaching the computer to recognize relevant data through an iterative process. The technology can be extremely effective, but it is also extremely expensive and not suitable for most cases because of cost. Hopefully, the cost to obtain computer assisted review will come down in the future and be more affordable for the masses.

49 .pst, Wikipedia, July 18, 2013, http://en.wikipedia.org/wiki/.pst (accessed July 20, 2013).
50 How to index database files with the dtSearch Engine, dtSearch.com, April 3, 2009, http://support.dtsearch.com/faq/dts0111.htm (accessed July 20, 2013).
51 Application program interface, SearchExchange.com, March 2010, http://searchexchange.techtarget.com/definition/application-program-interface (accessed July 20, 2013).
8-10 DUPLICATES

A large amount of the information will be duplicated when dealing with electronic evidence. The human tendency is to keep multiple copies of the same information because it is so easy to store electronically, and the multiple instances of the same information add significantly to review time and cost. A major decision is going to be whether duplicates are undesirable or whether they may indicate something significant to your case. Most electronic data discovery companies insist that duplicates are bad and are proud of their various methods for dealing with the duplicate data. But what exactly is a duplicate, and how do you deal with them?

Exact duplicates are the easiest to discover and deal with. Remember the hashing algorithms discussed in a prior section? Exact duplicates can be discovered by comparing the hash values of the files. Matching hash values mean that the data is identical even if the file names differ. Would you consider this to be a duplicate? Perhaps the same file (as determined by hash value) is in two different locations on a server. You may consider the data duplicative, since you are only interested in the contents of the file and not its location. However, what if it is important to know where the file was stored on the server? The location could indicate access by someone not normally authorized to use the data. In that case you would not want to discard the second copy as a duplicate; at a minimum, record every path at which a hash value was found before culling anything.

Sometimes we need to classify data as duplicative when it is actually a "near" duplicate. Hash values will not help when trying to cull out "near" duplicates, because hashes are exact by design: a single changed character produces an entirely different hash value. The concept of "near" duplicates is really concerned with the data contents and not the formatting or metadata associated with the file. This process is normally applied to e-mail messages. As an example, an e-mail message from one person to three other people could exist in four different places.
The first would be in the Sent Items of the originator, and then perhaps in the Inbox of each of the intended recipients. Technically, each message is different, since the e-mail header[52] information (routing, recipient, message ID, etc.) differs for each recipient's copy. However, you may consider the three recipient copies to be duplicates of the originating message, since the body contents are identical. From the originating message you can determine the recipient e-mail addresses and the contents of the message; therefore, you don't need to process the other three messages (bearing in mind that their headers are the evidence of delivery, which matters if receipt is in dispute).

One of the steps in reviewing electronic evidence is to address the handling of duplicate and unneeded information. This preprocessing of the data can be done through hashing or through vendor-specific software packages. Nuix is one product that is very good at identifying duplicates and near duplicates. No matter which product you use, make sure that you understand what constitutes a duplicate and how the software may be adjusted to include or exclude certain types of information. As with any software processing, you are beholden to the program logic, so make sure you or someone on your team understands how the product works and is prepared to explain to the court why certain data may have been missed or included.

8-11 FORMAT OF PRODUCTION

We are still having the great debate over the format of production. Should you produce the electronically stored information (ESI) in native form or convert it to some other format? Generally, most experts advise producing the data in native format.

Practice Tip: Discuss the format of production early so you can plan ahead! Don't forget that you are not restricted to one format; a mixed production request is just fine.

So what are the choices of format, and why choose one over another? For years, electronic data discovery companies produced electronic evidence in TIFF[53] format.
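Before going on with the format of production, here is the duplicate logic of 8-10 above in working form. This is an added Python example, not the authors' code and not any vendor's product: exact duplicates are grouped by the SHA-256 of each file's bytes, and e-mail near-duplicates are grouped by a hash over the From header, Subject and body only, so the originator's Sent Items copy and the three recipient copies (which differ in Received, Delivered-To, Message-ID and mailbox location) land in one group. Keeping From and Subject in the key is this example's own choice, so that two unrelated one-line replies with the same body are not merged. The file paths and messages are constructed sample data.

```python
"""Exact and near-duplicate grouping for a small evidence set (added example).

Exact duplicates: SHA-256 of the raw bytes.  E-mail near-duplicates: SHA-256 of
normalised (From, Subject, body), ignoring every other header.  Groups keep
every path, so location information is never thrown away by the culling step.
"""
import hashlib
import re
from collections import defaultdict
from email import message_from_string


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; identical bytes always give identical digests."""
    return hashlib.sha256(data).hexdigest()


def exact_duplicate_groups(files: dict) -> dict:
    """Map digest -> sorted paths, for digests seen at two or more paths.

    The file name plays no part: the same bytes under different names are one
    group, and every location where those bytes occur is listed.
    """
    groups = defaultdict(list)
    for path, data in files.items():
        groups[sha256_hex(data)].append(path)
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


_WS = re.compile(r"\s+")


def _normalise(text: str) -> str:
    """Collapse whitespace and case so formatting-only differences vanish."""
    return _WS.sub(" ", text).strip().lower()


def _plain_body(msg) -> str:
    """Body text; for multipart mail, the concatenated text/plain parts."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")


def email_near_dup_key(raw_message: str) -> str:
    """SHA-256 over normalised (From, Subject, body) of an RFC 822 message.

    Received, Message-ID, To/Cc, Delivered-To and all other headers are
    ignored; that is what makes the four copies of one message match.
    """
    msg = message_from_string(raw_message)
    key = "\n".join([_normalise(msg.get("From", "")),
                     _normalise(msg.get("Subject", "")),
                     _normalise(_plain_body(msg))])
    return sha256_hex(key.encode("utf-8"))


def near_duplicate_groups(mailboxes: dict) -> dict:
    """Map near-dup key -> sorted paths for messages seen two or more times."""
    groups = defaultdict(list)
    for path, raw in mailboxes.items():
        groups[email_near_dup_key(raw)].append(path)
    return {k: sorted(p) for k, p in groups.items() if len(p) > 1}


# Constructed sample data (not real evidence).  Two spreadsheets share bytes
# under different names; one message from Joe sits in his Sent Items and in
# three recipient Inboxes with different headers; Kim's reply must not merge.
SAMPLE_FILES = {
    r"\\fileserver\hr\review_2013.xlsx": b"PK\x03\x04 fake spreadsheet bytes v3",
    r"\\fileserver\public\copy of review.xlsx": b"PK\x03\x04 fake spreadsheet bytes v3",
    r"\\fileserver\hr\review_2013_draft.xlsx": b"PK\x03\x04 fake spreadsheet bytes v2",
}
_BODY = "Dear all,\n\nThe revised custody schedule is attached.\n\nJoe\n"
_COMMON = ["From: Joe Smith <joe@example.com>",
           "To: mary@example.com, sam@example.com, kim@example.com",
           "Subject: Custody schedule", "Message-ID: <a1b2c3@example.com>"]


def _message(headers, body=_BODY):
    return "\n".join(headers) + "\n\n" + body


def _recipient_copy(mx, when, who):
    return _message([f"Received: from {mx}; {when}"] + _COMMON + [f"Delivered-To: {who}"])


SAMPLE_MAIL = {
    "joe/Sent Items/0001.eml": _message(_COMMON),
    "mary/Inbox/0077.eml": _recipient_copy("mx1.example.com", "Mon, 1 Jul 2013 09:00:01 -0400", "mary@example.com"),
    "sam/Inbox/0102.eml": _recipient_copy("mx2.example.com", "Mon, 1 Jul 2013 09:00:03 -0400", "sam@example.com"),
    "kim/Inbox/0009.eml": _recipient_copy("mx2.example.com", "Mon, 1 Jul 2013 09:00:04 -0400", "kim@example.com"),
    "kim/Sent Items/0010.eml": _message(
        ["From: Kim Lee <kim@example.com>", "To: joe@example.com",
         "Subject: Re: Custody schedule", "Message-ID: <d4e5f6@example.com>"],
        body="Received, thanks.\n"),
}

if __name__ == "__main__":
    for digest, paths in exact_duplicate_groups(SAMPLE_FILES).items():
        print("exact", digest[:12], paths)
    for key, paths in near_duplicate_groups(SAMPLE_MAIL).items():
        print("near ", key[:12], paths)
```

Run as a script, it prints one exact group (the two identical spreadsheets, both paths) and one near-duplicate group (Joe's sent copy plus the three inbox copies); the draft spreadsheet and Kim's reply stand alone. Whatever tool you actually use, the question to put to it is the same one this code makes explicit: which headers and which formatting differences does its key ignore, and does it keep or drop the paths of the copies it culls.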
TIFF can be considered analogous to a digital photocopy. It is an electronic picture of the file contents. As an example, a six-page Word document converted to TIFF would have six images (pictures) contained in the file. The advantage of TIFF is that you don't need any special software to view the contents. TIFF also makes it very easy to Bates stamp, because each "page" is a single image. So why not produce all of the electronic data in TIFF format? The primary reason is that a TIFF file is not searchable. Pictures carry no text to search on; you would have to perform OCR[54] on the TIFF image to convert any text in the picture into something searchable. Another advantage of TIFF, from the producing party's point of view, is that it strips all of the metadata from the electronic file. You may elect to produce in TIFF precisely so that the metadata isn't given to the other side. Another consideration is cost. EDD companies typically charge on a per-page basis for TIFF conversions, and this can become quite costly for your case.

An alternative to TIFF production is to convert the files to PDF[55] format. The pages of a PDF document can be Bates stamped relatively easily, with the added bonus of searchability if the files are converted properly. PDF can also render the pages of a document as images (pictures), which is very similar to TIFF. Note, though, that a PDF converted from a native file may carry the author and creation details over into its own document properties, so scrub those if withholding metadata is the reason for converting.

[52] Header, whatis.com, May 2005, http://whatis.techtarget.com/definition/0,,sid9_gci213480,00.html (accessed July 23, 2013).
[53] TIFF, SearchSMB.com, September 2005, http://searchcio-midmarket.techtarget.com/definition/TIFF (accessed July 23, 2013).
[54] OCR, SearchSMB.com, September 2005, http://searchcio-midmarket.techtarget.com/definition/OCR (accessed July 23, 2013).
[55] PDF, whatis.com, May 2010, http://whatis.techtarget.com/definition/0,,sid9_gci214288,00.html (accessed July 23, 2013).
The default mode for many EDD vendors is to produce data in TIFF form with metadata load files and OCR text files, even in response to a request for native production. The load files are special files used by the review platforms that contain references to the actual files; the OCR text files provide a method for searching the TIFFs. Think of the OCR text file as a plain text version of the original document. The metadata load files restrict the amount and type of metadata handed over in production. As you may imagine from all of this processing, the cost can be very high. This is another reason why clients increasingly want native file production, and why vendors push back: they see a significant reduction in their revenue stream.

When dealing with computer forensics as part of the production phase, there needs to be an agreement on how to deal with any discoverable information that may reside in unallocated space. Remember that unallocated space is the "Wild Wild West" of disk storage and is totally unstructured. The data is not normally clear text; it consists of runs of readable characters mixed with non-printable bytes, and it carries no file names or dates. Normally, something potentially responsive from unallocated space is produced by "carving" (extracting) a predefined number of bytes on either side of the keyword "hit." As an example, if the hit were "pediatrician," then perhaps the 80 bytes before and the 80 bytes after "pediatrician" would be extracted as possibly relevant data, together with the offset at which it was found so the other side's examiner can locate the same bytes.

8-12 FORENSIC REPORTS

Practice Tip: It may be that you don't need a forensic report. Call your expert. Perhaps a letter opinion or an affidavit is sufficient. It takes many long and expensive hours to put together a true forensic report.

At some point during the handling of electronic evidence you will have the opportunity to see a computer forensic report.
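The carving approach described above under format of production (a fixed number of bytes on either side of a hit in unallocated space), as an added Python example that is not the authors' code and not the output of any forensic tool. It scans a byte buffer standing in for unallocated space, reports each hit with its byte offset and sector number (512-byte sectors are an assumption), and carves 80 bytes before and after the hit, clamped at the buffer edges. It goes one step beyond the text by also matching the keyword in UTF-16LE, the encoding Windows uses for much of its own data, which an ASCII-only search silently misses. It deliberately attaches no dates to a hit, since unallocated data has no file system timestamps. The buffer is constructed sample data.

```python
"""Keyword hits in unallocated space with fixed context carved either side.

Added example.  Hits are found in ASCII and in UTF-16LE, reported by offset
and sector, and carved with CONTEXT bytes each side.  Nothing here invents a
timestamp: unallocated data has none.
"""
import string

SECTOR_SIZE = 512   # assumption: classic 512-byte sectors
CONTEXT = 80        # bytes carved each side of a hit (even, keeps UTF-16 alignment)


def patterns_for(keyword: str) -> dict:
    """Byte patterns to search: the lower-cased keyword in ASCII and UTF-16LE."""
    kw = keyword.lower()
    return {"ascii": kw.encode("ascii"), "utf-16le": kw.encode("utf-16-le")}


def find_hits(buf: bytes, keyword: str, context: int = CONTEXT) -> list:
    """Return one dict per hit (offset, sector, encoding, carved bytes), by offset.

    bytes.lower() only touches ASCII letters and never changes length, so an
    offset into the folded copy is an offset into the original, and the 0x00
    high bytes of UTF-16LE text are left untouched.
    """
    hay = buf.lower()
    hits = []
    for enc, pat in patterns_for(keyword).items():
        start = 0
        while (pos := hay.find(pat, start)) != -1:
            lo = max(0, pos - context)
            hi = min(len(buf), pos + len(pat) + context)
            if enc == "utf-16le" and (pos - lo) % 2:
                lo += 1                       # keep 16-bit code units aligned
            hits.append({"offset": pos, "sector": pos // SECTOR_SIZE,
                         "encoding": enc, "carved": buf[lo:hi],
                         "carved_range": (lo, hi)})
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])


_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def render(hit: dict) -> str:
    """Reviewer-readable text for a carved chunk; non-printables become '.'."""
    data = hit["carved"]
    if hit["encoding"] == "utf-16le":
        text = data.decode("utf-16-le", errors="replace")
        return "".join(c if c.isprintable() else "." for c in text)
    return "".join(chr(b) if b in _PRINTABLE else "." for b in data)


def build_sample() -> bytes:
    """Constructed stand-in for unallocated space (not real disk data)."""
    noise = bytes(range(256)) * 4          # 1024 bytes of binary filler
    ascii_chunk = (b"...appointment with the pediatrician on Thursday at 4pm; "
                   b"bring insurance card...")
    utf16_chunk = "Contact: Pediatrician Dr. Smith, Suite 200".encode("utf-16-le")
    return noise + ascii_chunk + noise + utf16_chunk + noise[:300]


if __name__ == "__main__":
    for hit in find_hits(build_sample(), "pediatrician"):
        print(f"offset {hit['offset']} sector {hit['sector']} "
              f"({hit['encoding']}): {render(hit)}")
```

Run as a script it prints two hits: the ASCII one in sector 2 and the UTF-16LE one in sector 4, each with its carved context. The second hit is the point of the exercise: a search tool configured for ASCII only would have reported one hit and the report would have been wrong without anyone noticing.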
When you are involved in criminal defense work, the forensic report will be generated by law enforcement. The quality and contents of these reports vary widely and do not depend on the source: there are good and bad computer forensic reports from the private sector and from law enforcement alike. There are times when you will not want the results of the computer forensic examination committed to paper. After all, the contents of the report may be discoverable and not protected by any attorney/client or work-product privilege.

Assuming that a formal report is requested or required, certain elements should be present in the report.

1. Evidence Documentation—A section of the report should identify the evidence being analyzed. The manufacturer, model number, and serial number should be listed. The hash value of the original and of the forensically duplicated evidence should be shown. MD5 is still the most common, but record a SHA-256 as well: MD5 collisions are practical today, and a second, independent hash forecloses that line of attack on the image. Although not necessary, it is helpful to have a listing of the files and folder structure prior to any attempt to recover deleted information.

2. Scan Results—The results of the virus and spyware scans are to be documented. This information may show the existence of keystroke loggers or a Trojan horse, which could affect whether the user had knowledge of certain events occurring on the computer.

3. Date and Time Validation—The date and time setting of the computer at the time of forensic acquisition is to be documented, together with the trusted reference clock it was checked against. It is amazing how many forensic reports are missing this very critical piece of information. The computer clock setting is important because it establishes the baseline for all computer activity. If the computer clock was not accurate, the examiner will draw incorrect conclusions about when events occurred unless every timestamp is corrected by the measured offset. Don't forget the time zone setting, as well: the analysis may have to account for time variations due to the configured time zone.

4. Analysis Results—This is the meat of the report.
This section will have statements of fact supported by the electronic evidence. As an example, there may be a statement that a particular software application was installed on the computer at a particular time, supported by Windows registry entries, file creation dates, and a log file. When specific files or data are referenced in the report, the relevant metadata should be shown along with the starting physical sector where the information can be found. The physical sector lets any other examiner find the same information, because computer forensics is a repeatable science. For NTFS formatted drives the relevant metadata is typically the four file system timestamps: created, last modified (written), last accessed, and MFT entry modified. Treat the last-accessed date with care, since Windows Vista and later do not update it by default. It makes no sense to present any dates for data coming from unallocated sectors. No date attributes exist for information in unallocated sectors, but many a rookie examiner will try to tag dates because that is what they do for all the files identified in the report.

5. Summary/Conclusion—A summary or conclusion paragraph should identify the primary findings of the report. The really bad computer forensic reports are nothing more than a regurgitation of the evidence: a listing of files with their attributes and no conclusion as to the significance of the files.

Reports may be on paper or optical media. Lawyers love paper and are always asking to have their electronic evidence printed. Unfortunately, all but the simplest computer forensic reports do not lend themselves well to paper. Generally, the report will be provided on CD as a word processing document or in HTML[56] to be accessed with a Web browser. The nice feature of getting the report on CD is that you have access to the actual file being referenced in the report; typically, the report will have hyperlinks to the actual file.
This means the native file is available for viewing with whatever software the reviewer desires. When dealing with child pornography cases, images, movies, etc. will not be included in the report, because that could constitute redistribution. The file names will be listed, but no image representation can be committed to paper or optical media. As a result of the Adam Walsh Act,[57] you cannot possess child pornography, even with a court order. Federal law always trumps the state. Cases involving child pornography must be examined at a government facility. As a result, the examinations are very costly and less detailed, due to the time constraints of on-site examinations.

8-13 CONCLUSION

The world of computer forensics moves at a breakneck pace. Go on a cruise for a week and you feel like you are suddenly "behind" because so much has transpired. This is a field in which it is critical that you find an expert who is constantly reading about new cases and new developments, and always seeking further education and certifications. The truth is that lawyers are, for the most part, never going to understand computer forensics. The hope is that they understand this 10,000-foot overview well enough to manage the computer forensics part of their cases and engage a competent expert to help them. Let the expert go "in the weeds," translating where necessary, so you can do your job as a lawyer.

[56] Hypertext Markup Language, SearchWebServices.com, September 2005, http://searchsoa.techtarget.com/definition/HTML (accessed July 23, 2013).
[57] "Title I of the Adam Walsh Act, also known as the Sex Offender Registration and Notification Act (SORNA), has been codified in large part at 42 U.S.C. 16911 et seq." The National Center for Prosecution of Child Abuse Update, Volume 20, Numbers 9 & 10, 2007.
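Items 3 and 4 of the report elements in 8-12 above (the documented clock and time zone, and the timestamps cited for files), as an added Python example that is not the authors' guidance and not any tool's output. NTFS stores its timestamps as FILETIME values, 100-nanosecond ticks since 1601-01-01 UTC, independent of the machine's configured zone; the report records how far the system clock was from a trusted reference at acquisition and which zone was set. This code applies both so a stored value can be stated as the corrected UTC instant and as corrected local time. The ClockRecord class and its field names are this example's own, the seven-minutes-fast clock and the fixed UTC-4 zone are constructed sample values, and daylight-saving rules are not modelled (a full zone database would be needed for that).

```python
"""Correcting NTFS timestamps for a documented clock error and time zone.

Added example.  FILETIME -> UTC -> minus the measured clock error -> local
time in the configured zone, with the raw value kept so another examiner
can reproduce every step.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_MICROSECOND = 10          # FILETIME ticks are 100 ns


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME ticks -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // _TICKS_PER_MICROSECOND)


def utc_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks; integer division keeps it exact."""
    micros = (dt.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * _TICKS_PER_MICROSECOND


class ClockRecord:
    """What the report documents about the machine at acquisition (field
    names are this example's own).

    clock_ahead_by: system clock minus reference clock, negative if the
    machine ran slow.  tz: the configured time zone.
    """

    def __init__(self, clock_ahead_by: timedelta, tz: timezone):
        self.clock_ahead_by = clock_ahead_by
        self.tz = tz


def corrected_utc(filetime: int, record: ClockRecord) -> datetime:
    """The instant the event really happened: stored time minus clock error."""
    return filetime_to_utc(filetime) - record.clock_ahead_by


def corrected_local(filetime: int, record: ClockRecord) -> datetime:
    """Corrected instant expressed in the machine's configured zone."""
    return corrected_utc(filetime, record).astimezone(record.tz)


def report_line(label: str, filetime: int, record: ClockRecord) -> str:
    """One line for the analysis section: raw value, as stored, as corrected."""
    stored = filetime_to_utc(filetime)
    local = corrected_local(filetime, record)
    return (f"{label}: FILETIME {filetime} = {stored:%Y-%m-%d %H:%M:%S} UTC as stored; "
            f"corrected {local:%Y-%m-%d %H:%M:%S %z} "
            f"(clock was {record.clock_ahead_by} ahead of reference)")


# Constructed sample: the examiner found the clock 7 minutes fast and the
# zone set to UTC-4 (US Eastern in July; DST rules are not modelled here).
SAMPLE_RECORD = ClockRecord(timedelta(minutes=7), timezone(timedelta(hours=-4), "EDT"))
# A creation timestamp as it sits in the MFT: 2013-07-15 14:00:00 UTC.
SAMPLE_CREATED = utc_to_filetime(datetime(2013, 7, 15, 14, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(report_line("Created", SAMPLE_CREATED, SAMPLE_RECORD))
```

Run as a script it prints the stored value (14:00:00 UTC), the corrected local time (09:53:00 -0400) and the clock error that links them. The two things a rookie report gets wrong are exactly the two inputs to ClockRecord: if the offset is not measured and the zone not recorded at acquisition, no later arithmetic can recover them.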
Checklist for Electronic Media Device Evaluations

Although the exact methodology for the evaluation and analysis of electronic media devices is obviously sophisticated, this general checklist conveys the major components in the identification, isolation, evaluation, and preservation of electronic evidence in a standardized way that will be admissible in court.

1. Record each media device with a unique identifying number.
2. Digitally photograph all devices.
3. Write-protect each media device (a hardware write blocker is the norm).
4. Forensically duplicate each media device to create a true bit-for-bit image (note that this does NOT mean copying or Ghosting).
5. Mathematically verify and validate that the image is identical to the original by using hashing algorithms (MD5, SHA-1, SHA-256), and record the values.
6. Scan media devices for viruses and spyware; document the results.
7. Produce the directory structure for each media device.
8. Analyze the electronic media and extract relevant information.
9. Secure each media device.

Electronic Evidence Best Practices
By Sharon D. Nelson and John W. Simek
© 2011 Sensei Enterprises, Inc.

By rights, anything entitled "Electronic Evidence Best Practices" should be the length of an epic novel. This is not a short subject, and trying to address it concisely means, necessarily, that the subject is being given short shrift. Nonetheless, the effort is worthwhile because so many lawyers continue to flounder whenever they encounter electronic evidence. Bearing in mind that we are only hitting "the top of the waves," the guidance that follows may be of assistance in formulating your plans when electronic evidence is in issue.

Look at all data (your law firm data AND client data) as possible evidence.

Deal with litigation before it happens. What does this mean? Develop a document retention policy, assembling a team of inside and outside counsel, management, subject matter specialists (SOX, HIPAA), and IT folks to craft it. If you don't need data, get rid of it. It's just more chaff hiding the wheat you may one day need.
For the data you keep, make sure it is retained in such a manner that you can easily find and produce it if necessary. Ensure that you are in compliance with the law, federal and state regulations, your own policies and by-laws, and industry standards. Enforce the policy, because it is useless if you do not. Review the policy at least annually, because technology morphs rapidly, laws and regulations are born more quickly than bacteria in a petri dish, and businesses themselves evolve and present new requirements. One of the very best resources for understanding records management is ARMA International, www.arma.org.

STOP! STOP! STOP! When a litigation hold occurs, preserve the evidence. For some reason, this rule is honored in the breach. Do not have a panic response to a litigation hold, because you will very surely "put your foot in it." When does a litigation hold take effect? A rough guideline is that a litigation hold takes place when a lawsuit or regulatory action has commenced or when you know or reasonably should have known that such action was likely. Is that a little dicey to implement? Absolutely. When some nutcase says "I'll sue you!," you are probably not in a litigation hold. But when, as an example, someone has written several letters and/or retained counsel and expressed a credible grievance, it is certainly time to make sure that you are abiding by the rules of litigation holds as articulated in Zubulake v. UBS Warburg and its brethren.

Now that you know there is evidence to preserve, what do you do? Have a Litigation Hold Response Team in place. Pre-identifying the people will make things happen faster. Your team should include inside and outside counsel, management, IT folks, and those who have specific knowledge of the facts at issue. If there are workstations that should be unplugged and taken out of commission, do so (or clone the drive onto a new one with a tool such as Norton Ghost so the business can keep working on the clone, and lock up the originals; the clone is for continuity, not for evidence).
It is now time to cease defragging, disk optimization, deleting data, adding new programs, or doing anything that might overwrite relevant information. Do not "stomp on the evidence." If you or your client's IT staff take a look at the evidence to see "how much trouble we're in," you will be altering it: last-access dates where the system still records them, and the log, registry and cache entries that record your own activity, at the very least. Relevant evidence should be preserved, not explored, at this point. Consider carefully where all the evidence is, and don't forget the iPads, BlackBerrys, cell phones, voice mail, USB drives, etc.

Become familiar (and yes, this is now an attorney duty) with the backup system. Take your bottle of Advil with you, but sit down and talk to the IT staff until you understand the backup process. Case law now mandates that attorneys understand their client's backup system so they will understand what data is where and what steps must be taken to preserve evidence. Do you need to take backup media out of rotation to preserve it? If you have third-party backup, the provider needs to be notified of the duty to preserve. Look at your document retention policy and alter it as needed for the duration of the litigation hold.

Write a memo to all those potentially involved, paying particular attention to the key players, spelling out the duties imposed by the litigation hold and the fearsome potential consequences of spoliation, including huge fines, the inability to use some testimony, the requirement that you pay for any remedial action, and, worst of all, the potential imposition of the dreaded adverse inference instruction. If you are instituting the litigation, make sure you write a clear preservation of evidence letter, identifying the issues and the people involved, and brandishing the sword of spoliation as a consequence of failing to comply. Do it again down the road. Case law now makes it clear that a single memo issued at the outset is insufficient.
Lawyers, though not precisely expected to "babysit" their clients, are expected to monitor the litigation hold and to issue periodic reminders to make sure, insofar as they can, that it is complied with.

Gather the evidence with painstaking care. When you are responsible for finding the appropriate evidence in a case, you have a difficult duty. Most lawyers are not technologists, but the 21st century now requires that lawyers have at least a fundamental understanding of where electronic evidence may be, so that they can properly collect evidence in a case. Here are some tips:

Get help. Someone who understands information technology will be invaluable. You may want to use someone from your own firm, if you have an IT department, and you will surely want to use someone from your client's IT department.

Evidence tends not to be in a single place. Your client may have a headquarters, but do they have branch offices? Is backup or storage of data outsourced to third parties? Who hosts their website? Do employees have laptops? Cell phones? Tablets? Flash drives? Do they work at home on their own computers? Don't forget digital media cards, digital cameras, voice mail, etc.

If you are crafting discovery, make sure all of the sources listed above are identified, as well as the names of the principals involved. The more precisely you identify the nature of the action and the people likely to be involved, the more definitively you have placed the other side on notice about what must be preserved and produced.

At all times during the gathering of evidence and the computer forensics process, make sure a proper chain of custody is maintained. A standardized form should be utilized. And yes, you can FedEx computers, cell phones, media, etc. and maintain chain of custody using your form and the FedEx tracking numbers, provided the package is sealed and the seal is recorded at both ends.
If the other side is claiming that production is too expensive or unduly burdensome, you always have the option of looking like the "good guy" by agreeing to forensic "sampling" of the evidence. As an example, if you claim the defendant has in its possession information belonging to your client, it is child's play for a forensic technologist to go in and find files, databases and potentially proprietary information as identified by your client. After that, the court is likely to be very impatient with the defendant's counsel bleating about expense or burdens when relevant evidence (and pilfered data) is clearly extant.

The analysis of the evidence isn't just for your forensic technologist; you need to get involved too! Make sure you are getting a true forensic image, especially if you are potentially going to be in court. A genuine bit-by-bit image is not a copy or a Ghost image (made with Symantec's Ghost product); it is made through a write blocker using specialized forensic software such as EnCase, FTK Imager or the dd utility on Linux, and its hash is verified against the original drive and recorded.

Be sure you understand the cost for the forensic services so neither you nor your client will suffer sticker shock down the road. Many forensic technologists will flat-fee the imaging of anything that can be acquired in their labs, because they can begin the acquisition and walk away to work on another case. However, if the forensic imaging is done on-site, the technologist must "baby-sit" the acquisition. If the acquisition involves servers, this frequently must be done on a weekend to avoid business disruption. Expect to pay time and a half for this service. Once everything has been acquired, analysis is usually performed at an hourly rate. Here, trust is required. Make sure you have good references for your forensic technologist. There are those who will tell you their hourly rate is $200 but will start their clock when they arrive at 8 a.m. and turn it off at 6 p.m.
when they leave without any regard for the time spent at lunch, chatting with their spouse, checking e-mail etc. They will also charge for the time a search is running, even though the process is automated and they can work on another case. Reputable technologists will only bill you for time spent working on your case. They may charge $350 an hour as opposed to $200 – and yet you will end up with a smaller total bill because the billing is honest. As with everything else in life, caveat emptor. Understand that your technologist isn’t going to be able to give you a very precise projection of analysis time (except in rare cases, such as where only a single piece of e-mail is sought) at the beginning of the project. Give them a day or two of analysis to see the “size of the elephant” and then they will be able to give you some sort of reasonable estimate as to the time that the project may require in all but the largest cases. Once search terms have been run, they will know if they have 10 hits or 10,000 and likewise will know how much data they will need to review and potentially extract for you. To give you some idea of general costs, we generally tell folks that analysis in small cases (e.g. divorce, criminal, small civil matters) will typically run $4000-$8000. If, after wading into the evidence, we find that more work is involved, we alert the client before spending more monies. Often the client will wish to review the evidence procured thus far before determining whether more funds should be allocated to the effort. The #1 complaint about computer forensics and electronic evidence companies is that costs spiral out of control. Search terms should be developed with the assistance of your technologist and, if the firm has a lawyer on board (which is very handy for litigation support), with that lawyer. This too will keep costs down because they will look at your proposed list of keywords and tell you which ones may not make sense. 
For instance, searching for common names such as Joe or Mary is likely to result in a boatload of irrelevant information. Likewise, if you search on the word "system" on a computer hard drive, you will be swamped with hits that are meaningless to your case. And for pity's sake, don't search for the custodian's e-mail address within their own mailbox. It is prudent to give your technologist a statement of the facts in the case or a copy of (at least) the initial pleadings. When technologists understand what is relevant, they are going to do a far better job for you. Once again, if there is a lawyer at the firm, he or she will help devise strategies for effectively searching the evidence and therefore cutting costs.

How are you going to manage and review the data? In small cases, lawyers can and do review the evidence themselves. It is simple enough if there is a limited amount of data. Your technologist will extract the relevant evidence from the proprietary (and very expensive!) computer forensics software, which you cannot read without the software, and put it in a form that you can read. Where the data is large or complex, you will need to determine whether you have the in-house resources to manage it, perhaps using software such as Summation or Concordance. If you have a fleet of paralegals to input everything, you may be just fine following this course. If you have a big case with terabytes of data and you lack internal resources, you will need to hire an electronic evidence company. Mind you, many companies, but not all, do both computer forensics and electronic evidence management. Here is the basic dividing line between the two fields: computer forensics has to do with the preservation, acquisition, extraction and presentation of evidentiary findings for the court via a forensics report and/or expert witness testimony, while electronic evidence companies generally manage the evidence after it is extracted.
Costs here vary widely, and once again, referrals are your best bet to avoid runaway costs. Are you collaborating with colleagues from different offices on the case? If you are, you may also need a data hosting company, which can securely place the evidence on the Internet for review by authorized parties from any location.

If you are the party required to produce data, you will need to make sure you understand what format it is to be produced in. The Federal Rules of Civil Procedure (as amended in December 2006, Rule 34(b)) provide that, absent a request or agreement specifying a form, ESI is produced in the form in which it is ordinarily maintained or in a reasonably usable form, which in practice means native or near-native. Producing in native format keeps the metadata intact, but can be problematic if the recipient doesn't have the software with which to read the data, as often happens with proprietary programs. Production in TIFF format (essentially taking a picture of the evidence), which happens often, means the metadata (who authored the document, when it was created or last accessed, etc.) that accompanied the document, spreadsheet, etc. is lost to you.

Make sure you are protecting privileged information when you produce documents. While the Federal Rules allow you to "call back" privileged information that was inadvertently produced, the horse has by then left the barn. Far better to carefully review the evidence prior to production to screen for privileged documents and communications. If you are dealing with massive amounts of data, consider whether you want to do a "rolling production" so you can demonstrate that you are attempting to cooperate fully and quickly with any discovery requests. The process of data production in large cases can be incredibly time-consuming, and judges are usually happy to work with a rolling production schedule, so long as timetables are met!
If the discovery request is unduly burdensome or expensive, perhaps because the deleted data requested exists only on backup tapes or legacy systems, raise that issue early and be cognizant of the principles of cost-shifting as articulated by Zubulake v. UBS Warburg. Is there a real gospel for best practices in electronic evidence? Not yet, but many groups are attempting to devise them. The Sedona Conference has done the best job so far and many legal entities, including the American Bar Association, are following in its wake. For more information about the work of The Sedona Conference and its publications, visit http://www.thesedonaconference.org/ In the meantime, following some of the bullet points above will give you at least a rudimentary map for proceeding through the e-evidence maze. If you should get lost now and again in the maze, don’t worry – you have lots of company. Sharon D. Nelson, Esq. and John W. Simek are the President and Vice President of Sensei Enterprises, Inc., a digital forensics, information security and legal technology firm based in Fairfax, Va. (703) 359-0700 (phone); (703) 357-8434 (fax); [email protected]; www.senseient.com.