Handling data with legal privilege

Senior Member

Handling data with legal privilege

Posted: Jun 11, 18 14:28

I would appreciate some insight from the community on how to handle digital data from computers and mobile devices when legal privilege is raised after a seizure.

I am working on a "best practices" guide for my organization since we are seeing more and more instances where legal privilege is raised after data is seized.

From experience, there are usually 2 ways that we deal with (potentially) privileged data after a seizure:

1- The seized party provides us with a list of keywords to exclude and we perform the search and exclude ourselves.

2- We provide the seized party with a filtered dataset where each email/document is identified with a unique identifier ("DocumentID"). The seized party reviews the dataset and provides us with a list / privilege log of the documents that they believe to be subjected to client/attorney privilege. We then exclude the listed documents and provide the non-privileged data to the case investigators.

However, those processes bring their share of challenges whether we are dealing with mobile devices or computers / storage devices:

-- The "heat" is on the digital forensics team to perform the search and exclude without reading the content of the document.
-- Special characters
-- Spelling errors
-- Documents unable to OCR

Filtered Dataset:
-- Parent/children relationship (if a child is tagged as privileged, should the parent also be considered as privileged?)

Mobile devices:
-- Cellebrite UFED is not very practical when dealing with privileged data. We saw that even though you might exclude some data from the report (in UFDR format), there still might be traces of that data kept in the file system or the databases.
-- In Cellebrite there is no way to have a unique "DocumentID" for each item exported in the UFDR. There is a "#" column, but it may vary from one report to the other depending on the number of items exported or the way the data is sorted in UFED PA.
-- In Cellebrite, there is no way to separate an attachment from its message.
-- There is always the option to output the report in a different format than UFDR (Excel, PDF, etc), but then it becomes a pain to search through the data.

One of the solutions that we are looking into for mobile devices is to export a dataset from UFED PA into UFDR format, then input that UFDR into Nuix. From Nuix, we are able to produce an eDiscovery load file that we can send to the seized party and they can perform their review from their eDiscovery platform or manually by looking at the metadata fields in the load file and looking at the documents themselves. One advantage of that process is that there is a unique "DocumentID" for each item exported. Also, it's the same review method as for the computer items. The defense does not have to use UFED for mobile devices and another technique for computer items.

All in all, I would appreciate if you guys could share your experience with dealing with privileged items. What worked? What did not work?
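As an added example (not code from this post, nor from Nuix or Cellebrite), here is a Python sketch of the two approaches described above applied to a load file: a keyword list supplied by the seized party (approach 1) and a privilege log of DocumentIDs (approach 2), with an audit trail so that no examiner has to read the content to document the decision. It assumes a pipe-delimited load file with hypothetical DocumentID, ParentID, FileName and ExtractedText columns, normalises accents and case before keyword matching (the special-character and OCR problems mentioned in the post), and treats the parent/child question as a policy switch, `withhold_family`, rather than answering it. All rows, keywords and IDs are constructed.

```python
import csv
import io
import unicodedata
from collections import defaultdict

# Constructed sample load file, pipe-delimited. The field names and every row
# are hypothetical; a real Nuix load file uses the producer's own schema.
SAMPLE_LOAD_FILE = """DocumentID|ParentID|FileName|ExtractedText
DOC0001||memo.msg|Quarterly numbers attached
DOC0002|DOC0001|figures.xlsx|Revenue 2017
DOC0003||advice.msg|Privileged & Confidential - advice from counsel
DOC0004|DOC0003|draft.docx|Draft contract
DOC0005||lunch.msg|Lunch on Friday?
DOC0006||note.txt|AVIS PRIVILEGIE - ne pas divulguer
"""

# Constructed inputs from the seized party: a privilege log of DocumentIDs
# (approach 2 in the post) and a keyword list (approach 1). Both hypothetical.
PRIVILEGE_LOG = {"DOC0002"}
KEYWORDS = ["privileged", "privilégié"]


def normalise(text):
    """Case-fold and strip accents, so an OCR'd 'PRIVILEGIE' still matches
    the keyword 'privilégié'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def load_rows(load_file):
    """Parse the pipe-delimited load file into a list of dicts."""
    return list(csv.DictReader(io.StringIO(load_file), delimiter="|"))


def family_of(doc_id, rows_by_id, children):
    """All DocumentIDs in the same parent/attachment family as doc_id."""
    top = doc_id
    while rows_by_id[top]["ParentID"]:          # climb to the top-level parent
        top = rows_by_id[top]["ParentID"]
    family, stack = {top}, [top]
    while stack:                                # then collect every descendant
        for child in children[stack.pop()]:
            if child not in family:
                family.add(child)
                stack.append(child)
    return family


def apply_privilege_filter(rows, privilege_log, keywords, withhold_family=True):
    """Split rows into (released, withheld, audit).

    withheld maps DocumentID -> reason; audit is one (DocumentID, decision,
    reason) tuple per row, so the decision can be documented without any
    examiner reading the content. withhold_family=True is a policy choice
    (the parent/child question in the post), not a legal conclusion.
    """
    rows_by_id = {r["DocumentID"]: r for r in rows}
    children = defaultdict(list)
    for r in rows:
        if r["ParentID"]:
            children[r["ParentID"]].append(r["DocumentID"])
    norm_keywords = {normalise(k): k for k in keywords}

    withheld = {}
    for r in rows:
        reasons = []
        if r["DocumentID"] in privilege_log:
            reasons.append("privilege log")
        text = normalise(r["ExtractedText"])
        hits = [orig for norm, orig in norm_keywords.items() if norm in text]
        if hits:
            reasons.append("keyword: " + ", ".join(hits))
        if reasons:
            withheld[r["DocumentID"]] = "; ".join(reasons)

    if withhold_family:  # a privileged attachment withholds its parent and siblings
        for doc_id in list(withheld):
            for member in family_of(doc_id, rows_by_id, children):
                withheld.setdefault(member, f"family of {doc_id}")

    audit = [(r["DocumentID"],
              "WITHHELD" if r["DocumentID"] in withheld else "RELEASED",
              withheld.get(r["DocumentID"], "")) for r in rows]
    released = [r for r in rows if r["DocumentID"] not in withheld]
    return released, withheld, audit


if __name__ == "__main__":
    rows = load_rows(SAMPLE_LOAD_FILE)
    released, withheld, audit = apply_privilege_filter(rows, PRIVILEGE_LOG, KEYWORDS)
    for entry in audit:
        print("\t".join(entry))
    print(f"{len(released)} released, {len(withheld)} withheld")
```

On the constructed sample, DOC0002 is withheld from the privilege log, DOC0003 and DOC0006 by keyword (the accented keyword matches the unaccented OCR text), and with `withhold_family=True` their parents and attachments DOC0001 and DOC0004 are withheld as well, leaving only DOC0005 for the investigators; the audit list is what goes in the case notes.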


Senior Member

Re: Handling data with legal privilege

Posted: Jun 11, 18 15:29

Well, not privileged, but in an earlier case I did process data during an investigation which I wasn't allowed to read, except for the front page.

The required end result was a list of document IDs and another document field, so I wrote a piece of code that extracted the information from a bunch of DocX files. Sure, this was a very specific case and specifically not LEO, but you probably get the point about the advantages of being a programmer.

Basically if you can get the raw text from the device you could probably write a piece of code to strip out any attachments from a file and ignore the fact that Cellebrite can't cope with this. I encourage more forensics people to learn a bit of programming for those times when your tools run into a wall - string matching text with RegExp in Python can be picked up over a few days, same goes for outputting data in a useful format which isn't a pain to search through.

When an investigation stops, "I'm only as good as my tools" is a bad excuse.  
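As an added illustration of the kind of script the reply above describes (this is not the poster's code, and the field labels, file names and paragraphs are all constructed), here is a Python example that opens .docx files as the zip archives they are, pulls paragraph text straight out of `word/document.xml` with the standard library, and returns only labelled front-page fields matched by a regular expression, so the body of each document is never surfaced to the person running it.

```python
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import escape

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Only these labelled lines are ever returned; everything else in the file
# is discarded. The labels are hypothetical for this example.
FIELD_RE = re.compile(r"^\s*(Document ID|Matter)\s*:\s*(.+?)\s*$", re.IGNORECASE)


def write_sample_docx(path, paragraphs):
    """Write a minimal .docx (a zip holding word/document.xml). This is a
    constructed test input, not a real exhibit."""
    runs = "".join(
        f'<w:p><w:r><w:t xml:space="preserve">{escape(p)}</w:t></w:r></w:p>'
        for p in paragraphs)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body>{runs}</w:body></w:document>")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)


def paragraphs_of(path):
    """Paragraph texts of a .docx, in document order, read from the raw XML."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return ["".join(t.text or "" for t in p.iter(f"{W_NS}t"))
            for p in root.iter(f"{W_NS}p")]


def extract_front_fields(path, max_paragraphs=10):
    """Return {label: value} for labelled lines among the first paragraphs.
    Body text beyond the front matter is never examined or returned."""
    fields = {}
    for para in paragraphs_of(path)[:max_paragraphs]:
        m = FIELD_RE.match(para)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def index_folder(folder):
    """Map each .docx file name in folder to its extracted front-page fields."""
    return {p.name: extract_front_fields(p)
            for p in sorted(Path(folder).glob("*.docx"))}


def build_demo_index():
    """Create two constructed sample files in a temp folder and index them."""
    folder = Path(tempfile.mkdtemp())
    write_sample_docx(folder / "a.docx",
                      ["Document ID: ABC-001", "Matter: 2018/42",
                       "Body paragraph the examiner must not read"])
    write_sample_docx(folder / "b.docx",
                      ["Cover page", "document id : XYZ-9", "Another body paragraph"])
    return index_folder(folder)


if __name__ == "__main__":
    for name, fields in build_demo_index().items():
        print(name, fields)
```

Running it on a folder of exports gives a file-name to field-value table that can be written out as CSV and searched, which is the "useful format" the reply is after; the `max_paragraphs` cap is the only thing limiting the script to the front page, so it should be set from what the front page actually looks like in the case at hand.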


Re: Handling data with legal privilege

Posted: Jun 11, 18 15:51

Having had a few dealings with these sort of cases, the stated case of R (McKenzie) v Director of Serious Fraud Office 2016 may help steer you in the right direction (which it sounds like you are heading anyway).

"The scope of the duty upon a seizing authority was instead “to devise and operate a system to isolate potential LPP material from bulk material lawfully in its possession, which can reasonably be expected to ensure that such material will not be read by members of the investigative team before it has been reviewed by an independent lawyer to establish whether privilege exists”."

Seems to be the main conclusion.

From my experience it can be quite difficult to be generic about how the data is filtered, whether by keywords or dates. It becomes even more difficult when the legal advisor is also suspected of criminality. The main lessons are to stop and think before revealing anything and to keep good notes about how you applied your processes.

Senior Member

Re: Handling data with legal privilege

Posted: Jun 11, 18 20:46

This makes no sense from what I consider forensics, since you put user interaction (filtering) of the original data in front of the integrity of the analyzed data!

Never permit some user interaction to give the possibility for missing evidence! Evidence can't be trusted without 100% documentation of its sources, even if those sources might create other trouble.

Put everything on the table, in an unassailable way, that is the forensic experts role!

Let the judges decide on everything, including considering an evidence or not, that is their role!
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
