This quarter’s edition of our legal update starts with a look at improving digital forensics experts’ credibility, as well as the reliability of the evidence they find — all while dealing with rapidly advancing technology. Two recent academic papers, plus a blog post on reporting by a respected attorney in the community, delve into these issues.
We also discuss the meaning of “unauthorized access” under a recent United States Supreme Court decision and a pending appeals case, along with recent revelations about security vulnerabilities in one of digital forensics’ best known tools.
Finally, this edition includes new details on a third state consumer privacy law and additional perspectives on cross-border cloud data collection.
Improving digital forensics method validation
The volatility of digital technology — rapid and far-reaching change that’s implemented in consumer products almost as quickly as it’s developed — makes digital evidence collection increasingly difficult to validate per the Daubert test for admissibility.*
That’s the focal point behind a new academic paper, “Reliability validation for file system interpretation,” authored by a group of researchers in the European Union. Rune Nordvik, Radina Stoykova, Katrin Franke, Stefan Axelsson, and Fergus Toolan proposed a new framework for formal reliability testing, designed to fill a gap in practical, day-to-day digital forensics practice.
Their framework defines processes and documentation at three levels (technology, methodology, and application) for three core criteria: the method and tool used, the test setup, and the examiner’s work. Applying these processes and documentation at each of the three levels, they argued, makes it possible to identify where different types of error occur, as well as any gaps in expert skills.
In turn, that could help mitigate some if not many of the shortcomings outlined in the 2018 paper “Improving Judge & Jury Evaluation of Scientific Evidence” (Hans & Saks). While it would still require attorneys to at least have some understanding of digital forensic methods, the framework helps to close a gap that the Daubert standard left with regard to digital evidence.
Stoykova additionally contributed her legal expertise to a different paper, “A new model for forensic data extraction from encrypted mobile devices,” which proposes replacing the existing data-type-based model of mobile forensics (logical, physical, etc.). The new model focuses on acquisition methodology and comprises:
- User secret-based acquisition
- Reverse engineering-based acquisition
- Vulnerability exploitation-based acquisition
The new model is designed to accommodate new acquisition methods as they emerge, and the reliability validation framework described above could conceivably be applied to each of these categories.
*Note: The five criteria listed in the Supreme Court decision, Daubert v. Merrell Dow Pharmaceuticals Inc., 509 U.S. 579 (1993), constitute the widely recognized standard for admissibility of scientific evidence. However, according to Westlaw, Federal Rule of Evidence 702 has been amended multiple times since Daubert, allowing courts to consider factors not present in Daubert. In addition, many U.S. states still follow the older, broader Frye standard and/or equivalent state standards.
Tips for writing expert reports
The output of a digital forensic examination is, of course, a written report. Attorney and digital forensic examiner Craig Ball’s “Ten Tips for Better ESI Expert Reports” is a good complement to the research described above, and a follow-up to our September 2020 coverage of expert witness testimony.
We’ve listed the tips here for readers who are either just getting started, or want to be able to pass constructive advice along to people they’re mentoring.
Be sure, though, to read Ball’s commentary on each. As Sharon Nelson, attorney and president of Sensei Enterprises, wrote in response: “Writing an ESI expert report is not a piece of cake. It takes time and skill to craft a first-rate expert report. A great place to start is to read Craig’s post in its entirety.”
Here’s the list:
- Answer the questions you were engaged to resolve.
- Don’t overreach your expertise.
- Define jargon, and share supporting data in useful, accessible ways.
- Distinguish factual findings from opinions.
- Include language addressing the applicable evidentiary standard.
- Eschew advocacy; let your expertise advocate for you.
- Challenge yourself and be fair.
- Proofread. Edit. Proofread again. Sleep on it. Edit again. (Note: Nelson blogged, “We literally have every expert report peer-reviewed by three reviewers before it goes, figuratively, out the door.”)
- Avoid assuming the fact finder’s role in terms of ultimate issues.**
- Listen to your inner voice.
**Editorial note: See U.S. Federal Rule of Evidence 704, which governs expert opinion on an ultimate issue, for the rule behind Ball’s cautionary statement.
U.S. Supreme Court defines “unauthorized access”
Early June saw a major decision from the nine justices on the U.S. Supreme Court: a clarification of the federal Computer Fraud and Abuse Act (CFAA). “[Van Buren v. U.S.] settles that the CFAA is fundamentally a trespass statute,” wrote renowned legal scholar and law professor Orin Kerr. “The basic wrong is bypassing a closed gate, going where you’re not supposed to go.”
It isn’t a perfect decision, Kerr continued, as it didn’t define everything. Instead, it “leaves to lower courts the largely interstitial work of figuring out the hard line-drawing of what exactly counts as enough of a closed gate to trigger liability.”
Threats from both insiders, like Van Buren himself, and outside “hackers” were addressed in a blog post for Lawfare, which argued that “modern technological controls” such as audit and access capabilities could help companies protect both the data they hold and civil liberties. Those same audit and access controls are also what digital forensics examiners rely on when called to investigate breaches.
Van Buren is also important for “white hat” security researchers, whose penetration testing activities “often involves accessing computer systems in ways that violate terms of service or other policies,” according to authors with Cooley LLP, an international law firm specializing in corporate and regulatory litigation.
“Many white-hat researchers have thus been deterred by the threat of criminal prosecution under the CFAA for exceeding authorized access,” the authors continued. Quoting from Justice Amy Coney Barrett’s opinion, they wrote: “…the criminal prohibitions are limited to someone who ‘accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.’”
The authors additionally discussed LinkedIn Corp. v. hiQ Labs, Inc., a case that addresses CFAA’s other prong: “without authorization,” rather than “exceeds authorization,” when it comes to the scraping of public data. That case remains pending before the 9th U.S. Circuit Court of Appeals.
The implications of both cases, and of the reliability issues discussed earlier, are especially pertinent for security researchers in light of revelations about Cellebrite’s internal code. As Gizmodo reported, Signal founder Moxie Marlinspike claimed: “…corrupted apps on a targeted phone could basically overwrite any data extracted by Cellebrite’s tools—essentially making it possible for an outside party to manipulate data on confiscated devices.”
That article went on to clarify that the legal implications for this weren’t clear, given:
- People convicted of crimes based on Cellebrite results would need to demonstrate that, at the time the extraction was performed, a third party knew of and exploited the same vulnerability.
- Not knowing whether the vulnerability is actively being exploited — especially given recent Cellebrite patches to its software — also puts challenges on shaky ground, since even reasonable doubt needs some basis for a claim.
The upshot: law enforcement and prosecutors should be prepared for challenges from defendants, especially where judges are asked to evaluate admissibility.
Revisiting third-party data holders
In December, we outlined a then-forthcoming law review article about legal considerations for obtaining electronically stored data. Published in the Mitchell Hamline Law Review, “Not an Ocean Away, Only a Moment Away: A Prosecutor’s Primer for Obtaining Remotely Stored Data” discusses “practices for obtaining domestically stored data, obtaining internationally stored data via the CLOUD Act agreement or mutual legal assistance treaty (MLAT), obtaining internationally stored data in the absence of the CLOUD Act agreements or MLATs, and obtaining data stored in extraterrestrial locations.”
These issues were additionally discussed from a European Union (E.U.) perspective during a FORMOBILE webinar, “Extracting data from mobile phones (and the cloud).” Five legal and industry experts joined a panel to discuss:
- Balancing “the fundamental right to privacy and the need to obtain unique [electronic] evidence in complex criminal cases.”
- Legal grounds for investigative access to cloud and mobile device evidence.
- “Tools and technical competency” in mobile device and cloud e-evidence.
- Requesting, collecting, and processing e-evidence in international / multijurisdictional investigations, and the right to an effective defense.
- The European Court of Human Rights’ perspective on the collection and use of e-evidence in criminal proceedings.
The European Public Prosecutor’s Office commences operations
Also of note in the E.U.: as of June 1, the European Public Prosecutor’s Office (E.P.P.O.) — a “supranational, independent” institution that’s been 25 years in the making — began the work for which it’s been preparing.
Developed over the period since the E.U. came into being in 1993, the E.P.P.O. focuses on crimes against the E.U. budget. Fraud, money laundering, corruption, misappropriation of funds, and cross-border value added tax (V.A.T.) fraud are all part of this mandate.
The Wall Street Journal reported that since the office’s announcement, 300 cases had already been referred there. Chief Prosecutor Laura Codruta Kövesi wants to hire 50 more investigators as a result.
U.S. states continue to legislate privacy
A third state seeks to join California and Virginia in enacting state legislation modeled after the E.U.’s General Data Protection Regulation (GDPR). The Colorado Privacy Act (“ColoPA”) creates personal data privacy rights for state residents.
Businesses have to adhere when they either “control or process personal data of more than 100,000 consumers per calendar year; or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.”
As with the other state laws, Colorado consumers “have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data.” The law also requires data “controllers” to conduct data protection assessments for processing activities that present a heightened risk to consumers, including the processing of sensitive data.
In a notable development following our coverage of third-party providers, the U.S. states of Maryland and Montana both passed new laws limiting the use of “forensic genetic genealogy searching” (FGGS), that is, the practice of law enforcement obtaining consumer DNA data from sites like Ancestry.com, 23andme, and others.
- Maryland’s new law “requires judicial authorization for FGGS and places strict limits on when and under what conditions law enforcement officers may conduct FGGS,” for example, serious violent rather than property crimes, which XXX had reported comprised a majority of requests.
- Additionally, investigators have to show that they’ve pursued other leads, such as “existing, state-run criminal DNA databases like CODIS” and that their searches have proven fruitless.
- “FGGS may only be used with consumer databases that have provided explicit notice to users about law enforcement searches and sought consent from those users.”
- “[C]riminal defendants may use the technique as well to support their defense (but places similar restrictions on use).”
- Montana’s new law, meanwhile, requires a search warrant for law enforcement to use “familial DNA or partial match search techniques on either consumer DNA databases or the state’s criminal DNA identification index,” and a warrant to search consumer DNA databases more generally.
Have a piece of legal analysis or other relevant material you’d like us to publish, or mention in our next quarterly legal update? Please email [email protected]!