Examining Forensics: Making and questioning various e-discovery requests

No one, even if they have nothing to hide, fancies the idea of relinquishing their data to a total stranger, only to wait for that data to be forwarded on to another stranger, then to a court, finally ending up as part of the official record.

Let’s look at pre-discovery, where you are formulating what types of files and data you are asking for, the format that you would like your deliverables in, as well as any dates or keywords relative to the case.

The overwhelming problems in the discovery system are twofold. On one hand, a large number of judges self-admittedly do not understand the potential of the incredibly large and varying amount of devices, as well as their storage capabilities. On the other hand, the requests which are made tend to be so broad and burdensome that it complicates an already difficult situation.

Recently, I was engaged on a case where the prosecution was on a fishing expedition. A blanket discovery request was made for “any and all data” with a “to include” list that would humble even Encyclopedia Britannica. At issue here was the prosecution asking for everything when in reality they only needed to ask for text messages to prove their point. Their argument quickly escalated into the ridiculous when they mentioned that they did not know what was on the phone, therefore, they “didn’t know what they didn’t know” and that is why they needed everything.

More to the point, this phone was in their possession and they already made a cursory search. Why would they not know what software/apps were installed on the phone? During the initial search, were there no notes taken? Did the forensic or triage software automatically generate a report that provided the information of which apps were installed?

And a related question is what is the duty of a police department or detective to ensure no data is altered or deleted while a phone or computer is in their possession?

Over the years, it is quite common to ask for a COC, or chain of custody form, for the tracking of a specific piece of evidence. How do you, as counsel, know that the arresting officer did not rummage through the defendant’s phone to obtain information of a future arrest police would make, or a seizure of a key piece of evidence that was not initially known to them?

This carries into a much larger question. Is a dump of an entire phone/computer hard drive too invasive? Can specific items be imaged, where others are left undisturbed? The answer in most cases is a resounding yes! There are situations that come up where officers and agencies will claim this is just not possible. The assertion is that the police, or in a civil case, an opposing expert, need to image the entire phone/hard drive because that is what their forensic software or hardware is capable of.

In many instances, this is true; police or the defendant/plaintiff may only be able to image the item as a whole instead of just the text messages. However, most forensic software has the ability to output only certain kinds of data from an image — selective data if you will. Take for instance Police Department A. They want to make an image of a suspect’s phone, but they are only allowed to view the videos residing on the phone per a search warrant. In the final stages of the forensic software, you can change the settings to only export videos and nothing else. Does the rest of the data in the phone or hard drive remain? Yes, but no other personal data has been compromised and the integrity of the initial image of the phone/hard drive remains intact.

As a person who works with counsel on such issues, I tend to ask why you, the attorney, are requesting this information. If you are looking for text messages on one of the newer phone models, you would be remiss in only asking for messages from the phone’s proprietary messaging app. For instance, the iPhone has the normal messaging tab on the home page as well as other third-party apps that integrate into the text messaging platform. A general request for “all text (SMS) or multimedia (MMS) messages that reside on the phone” could put you in a weak position, especially if you are left to argue before a judge or opposing counsel on what constitutes a text message or if a certain app/program should be included in that classification. A conversation with your client, in addition to a look at a possible backup file for the device or drive in question, could alleviate numerous issues.

From a defense point of view, more data can equal mitigation or even an outright alibi. From a prosecution point of view, it could equal additional charges, new witnesses and stronger evidence.

Let me leave you with this last piece of information. When you get a report from the opposing side, ask, “Were the results I have been given completely necessary? Were there bounds that were overstepped? Am I in a defensible point to exclude any of the data obtained from these searches?”•

__________

Darren R. Miller ([email protected]) is a computer forensic examiner at Strategic Forensic Partners LLC in Fishers. He handles computer-based investigations as well as cellphone examinations. Miller has 16 years of experience and has testified as an expert in state and federal courts and works on both criminal and civil cases. The opinions expressed are those of the author.