It is vital for lawyers to understand what digital evidence is, how forensic neutrals work, and what to look for when reviewing a forensics report
As technology rapidly advances, it is becoming more and more difficult to find the hidden truths contained in digital footprints. While this is often not a problem for most people, attorneys in recent years have begun to run into substantial problems in dealing with the complexities of modern digital evidence, namely an inability to know what to look for, and how to get it. These difficulties have led to the rise of forensic experts and other impartial “neutrals” that can assist lawyers in dealing with the intricacies of digital evidence.
In this blog post, I will examine what digital evidence is, how forensic neutrals work, and conclude with a few key points for the reader to consider when reviewing a forensic report.
Digital evidence refers to any type of evidence that is found on a computer, audio file, video recording, or digital image. Importantly, this includes data that may be hidden, erased, or otherwise altered, and requires forensic analysis in order to determine its content. This is a rather expansive definition, but it is the correct definition because there are at least traces of digital evidence wherever one may look. As a result, a natural question arises as to where one should look for useful evidence. There are, of course, the usual suspects: computers, phones, email accounts, local storage and cloud storage solutions, but these alone are no longer sufficient. With the rise of the Internet of Things, computers can be found almost anywhere, including, for example, a car’s black box, a fitness monitor that can track anything from the wearer’s GPS location to their heart rate, and even refrigerators that can actively monitor their own contents.
As a result of this superfluous quantity of data, it is important to seek the aid of a forensic neutral early in a case, as they can effectively cut through the surplus data, and help the parties find the most probative, and potentially dispositive, data.
As discussed briefly above, the rise of cloud computing and storage has led to new issues associated with collecting and analyzing digital evidence that is not controlled locally. While the cloud is undoubtedly a tool of great convenience, it can make the collection and analysis of data an incredibly difficult — even near impossible — task. Moreover, even if a forensic technician is physically and technologically able to collect and analyze the data, there may be other issues, such as extra-territorial disputes that force US laws into conflict with a myriad of foreign laws regarding data protection and privacy. In cases such as these, a forensic neutral can be instrumental in expeditiously resolving these cloud-centric disputes.
The rise of cloud computing and storage has led to new issues associated with collecting and analyzing digital evidence that is not controlled locally.
The next issue to tackle is how, once appointed, a forensic neutral performs his work. Any forensic neutral must begin his process by carefully documenting all sources of data that the parties may provide (usually called “repositories”), and creating a detailed chain of custody. The laws of evidence rightfully require these strict measures, which mean that before beginning his analysis, a forensic neutral must ensure that everything is properly documented and accounted for. The forensic neutral must then create an identical copy of whatever repository he will analyze to ensure the original data is not lost or modified. There are a variety of tools that can be employed to create a duplicate, but once an exact copy is created, verified and validated, the forensic neutral finally may begin his analysis.
After the analysis is complete, a forensic neutral will compile a report that outlines both his process and his findings. One of the key elements of any good forensic report is that another neutral, given the same repositories, should be able to follow the report, step-by-step, and achieve the same results. It is important to note that a proper forensic report is not a legal document — it is a technical and scientific document. It does not contain arguments; it contains facts, namely the immutable truths found within the 1s and 0s of digital evidence.
Let’s look at a sample way a forensic report may be organized:
While this hypothetical table of contents is by no means the only way to prepare a forensic report, if a lawyer sees a report that substantially differs in form and content, it should raise a red flag and be investigated further. Some other key considerations for reviewing a forensic report are the quality of data contained in the report, and any qualifications on the findings of the report.
With respect to the quantity and quality of data contained in a forensic report, one should look to see whether the information included is superfluous or necessary. If a neutral wants to “beef up” a report with a substantial quantity of unnecessary information, it is not a hard task to do, but it often means that there was likely little useful content contained in the report. With respect to qualifications on the neutral’s findings, a good report will contain the following qualifications:
- limitations of the particular tool(s) used;
- applicability of the current technology and industry-standard best practices;
- methodology or techniques such as search criteria or formulae; and
- the scope of the investigation.
No report will ever be perfect, but a good report will identify the areas that might be a potential concern, highlighting the issues, and their implications for counsel and the court.
In sum, as data becomes more complex and more difficult to collect and analyze, courts and attorneys will increasingly turn to forensic neutrals to help find the truths contained within the parties’ digital footprints.
In upcoming blog posts, I will discuss how neutrals can assist on issues of electronic discovery and computer forensics to save clients time and money.
The thoughts expressed herein are solely those of the author, and not those of JAMS, Law & Forensics, the Journal of Law and Cyber Warfare, or Cardozo Law School. The author would like to thank Masha Simonova and Benjamin Dynkin as contributors.