Forensic Focus Legal Update September 2020: Evidence, Experts, And Due Diligence

The COVID-19 pandemic slowed many of the gears in justice systems the world over, as courts postponed jury trials, experimented with virtual juries and hearings, and weighed prison conditions against public safety.

But not even the passing of venerable United States Supreme Court Justice Ruth Bader Ginsburg could stop the gears entirely, as our roundup this quarter shows. Read on to learn more about:

  • Introducing and explaining digital evidence, including finding and qualifying a digital forensics expert
  • Shades of gray behind geofences and borders
  • The key questions to the ongoing encryption debate in the U.S.
  • Digital forensics and due diligence in civil law, including what privacy laws could mean for examiners and what’s in a “perfect” preservation letter

(Note: while our legal experts are largely U.S.-based, we encourage attorneys from all around the globe to submit items for inclusion in this quarterly update. Please email christa@forensicfocus.com if you’d like to submit something for inclusion!)

Introducing — and explaining — digital evidence

In the U.S. legal system, the “completeness doctrine” allows an adverse party to introduce explanatory evidence if it’s needed to qualify, explain, or contextualize an original piece of introduced evidence. But how complete is “complete” when it comes to digital evidence?

Insights from attorneys J.D. Ronan, Robert J. Peters, Matthew Osteen, and Alicia Loy along with forensics experts Brandon Epstein and Joseph Pochron shaped this article, which seeks to offer some guidance on the balance between “too much” and “not enough” digital evidence needed to prove cases. Relevance, authentication, timelines, the weight of evidence, and practical realities are all discussed.



Authentication and admissibility are covered also in attorney Gary Weingarden’s Medium series, “Clarifying Legal Ideas from Technology Certifications”. Seeking to correct for certifying groups’ “‘unique’ understanding” of law, Weingarden’s series focuses on evidence introduced at trial:

  • Part 1 describes the Best Evidence rule as defined under U.S. Federal Rules of Evidence 1001, 1002, 1003, 1006, and 1008.
  • Part 2 talks more extensively about authentication and chain of custody, including the burden of proof that needs to be met.

Forthcoming articles in Weingarden’s series, he says, will include discussions around hearsay and the confrontation clause.

Actually obtaining complete enough digital evidence comes down to a forensic examiner’s expertise. Two complementary articles describe the process of finding and qualifying an expert, from broad considerations to putting them on the stand. Both attorneys and examiners can use their advice to prepare well in advance of a hearing or trial:

  • “All the pieces matter: Finding the best digital forensic expert,” written by video forensics expert Brandon Epstein together with attorneys Joseph D. Remy and Robert J. Peters, is an in-depth “baseline of knowledge for attorneys to evaluate potential digital forensic experts and use their judgement to make an informed decision.” It covers where to find an expert, how to evaluate them on paper and beyond what they provide, and evaluating an opposing expert.
  • In “Qualifying A Digital Forensic Expert In Court (Voir Dire),” Patrick Siewert, principal consultant of Pro Digital Forensic Consulting, highlighted specific questions that attorneys can ask — and forensics examiners should expect — to qualify expert witnesses. Wrote Siewert: “Credibility is the most important asset an expert can bring to the case and the weight of the expert’s credibility is the ultimate determiner of their expertise.”

Shades of gray behind geofences and borders

Actually acquiring complete enough digital evidence starts with a legal search. Part 2 of our December legal update highlighted a geofencing case currently before a federal judge in the U.S. Eastern District of Virginia.

At issue in that case, US v. Chatrie, is “a trove of private location information belonging to 19 unknown Google users who happened to be near a local bank on a Monday evening.” The concern, according to an October 2019 motion to suppress evidence, is whether the data “show that someone is inside a constitutionally protected space, such as a home, church, or hotel—all of which are in the immediate vicinity of the bank that was robbed in Richmond.”

More recently, reported Ars Technica, a federal magistrate judge in Illinois rejected a third search warrant request by federal law enforcement officials. At issue is whether geofence warrants are, by nature, overbroad: “…to justify this kind of a geofence search, the government needs to show that everyone in the geofenced area is likely to be involved in a crime—not merely that one or a few people are,” the article read.

Geofence warrants aren’t the only gray area when it comes to search and seizure of digital evidence. Increasingly, and contrary to years of doctrine, so are borders.

In late 2019, a federal court ruled that the suspicionless search of travelers’ electronic devices without a warrant is unconstitutional. The American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have wanted to take the standard even further. Also in Part 2 of our December legal update, Robert Peters, senior attorney at the Zero Abuse Project, wrote that the ACLU and EFF advocated “…for the court to impose a probable cause (rather than a reasonable suspicion) standard for border searches of mobile devices.”

In that case, United States v. Wanjiku, 919 F.3d 472 (2019), wrote Peters, “… the Seventh Circuit discussed the specific forensic tools deployed and their non-invasive functionality in its analysis.” However, that was before a July 30, 2020 Department of Homeland Security Border Patrol Privacy Impact Assessment gave a detailed look at its digital forensics program.

The issue isn’t the searches themselves. As Peters wrote, “…the Seventh Circuit conceded that the US Supreme Court has ‘recently granted heightened protection to cell phone data,’ but held that Riley and Carpenter do not apply to border searches where governmental interests ‘are at their zenith.’”

Rather, as CNet reported in August this year, the Border Patrol’s policy is to retain electronic data for 75 years. That data is extracted and saved on the DHS’ local digital forensics network, and transferred to PenLink PLX, a comprehensive data collection and analysis platform that purports to help investigators map records, identify trends, and develop leads in investigations.

That’s in addition to the National Vetting Center, which as of last year provided border agents with access to intelligence databases, including social media data. Legislative measures like the Protecting Data at the Border Act, introduced in May 2019, are unlikely to be enacted.

Lurking in the background of both geofence warrants and border searches is mobile device encryption, by now default on new iOS and Android devices. At the National Cybercrime Conference in July, Gary Kessler, a professor of cybersecurity at Embry-Riddle Aeronautical University and president of Gary Kessler Associates, spoke about “Cryptography, Passwords, Privacy, and the Fifth Amendment.”

In a paper published in the Journal of Digital Forensics, Security, and Law, Kessler and coauthor Ann Phillips posed a number of questions with no easy answers. Among them:

  1. Is the need for an individual’s personal privacy superior to the State’s need to investigate crimes?
  2. Did the authors of the Constitution envision a container that could never be opened and, therefore, never be searched?
  3. Is compelling a user to provide a password a violation of Fifth Amendment protections?
  4. Should crypto products have backdoors for just these reasons?
  5. Who determines who the Good Guys are that get access to the backdoor features?
  6. How would use of the backdoor be controlled, [and] how would access to the backdoor ever be rescinded?
  7. Were any of us – as citizens and consumers – ever asked what we wanted, in terms of strong encryption? [Additionally,] who gave Apple, Google, et al. the right to have unilaterally made the decision about use of strong cryptography without an informed debate?
  8. Do we alter the government’s duty to provide security with the implementation of processes that could block tools used to reach that objective?
  9. Is the subjective expectation of privacy when using encryption so absolute that it meets the “objectively reasonable” test? In particular, does society agree?
  10. How do we resolve conflicts between the protections of two amendments?

Property subject to search and seizure could be intangible, too. On LinkedIn, Keith Lyon, deputy attorney general at the California Department of Justice eCrimes Unit, wrote about “The nature of property” — specifically, forms of intangible property, or “property that is a ‘right’ rather than a physical object,” including ideas, house keys, ATM PINs, phone numbers, and internet domain names. “Each meets the three-part Kremen test of definability, exclusivity, and legitimacy,” Lyon explained, and each is subject to the court’s jurisdiction.

Digital forensics in civil law

On the civil litigation side of the law, the burden of proof may be less — but due diligence remains critical. That’s the foundation of an article by Joseph Pochron, senior manager of forensic and integrity services at EY. “Show Your Work: The impact of privacy regulation on technology practitioners and why they should apply a tried and true forensic approach” describes the impact of the California Consumer Privacy Act (CCPA) on digital forensics.

“…the need to show your work for a variety of purposes including assurance that the bad actors are no longer on the inside, critical systems are not altered, or whether sensitive data was exfiltrated,” Pochron wrote.

“In other words, you’re going to need to show your work of ‘reasonable security’ under CCPA; otherwise you’re elevating your exposure if and when a breach occurs,” he explained. Information governance, vendor management, incident response planning and processes, and organizational training all fall within the realm of “showing your work” both pre-breach and during incident response and/or e-discovery.

Foundational to due diligence is a solid preservation letter, both in criminal and civil legal proceedings. Yet, as attorney and computer forensics expert Craig Ball wrote recently: “Both [a preservation letter and a legal hold notice] … are best when clear, specific and instructive. Both must go out when you know less than you’d like about sources of potentially responsive information. Finally, both tend to receive minimal thought before dissemination, resulting in easily ignored, boilerplate forms crowding out artfully-targeted requests.”

It was a preface to Ball’s newly updated Perfect Preservation Letter, which, while it contains an exemplar, mostly focuses on what needs to be included, and why, for civil litigation. In his words, it “clearly identifies the materials requiring protection, educates your opponent about preservation options and lays out the consequences of failing to preserve the evidence.”

Moreover, he wrote: “You must custom craft [a preservation letter] from a judicious mix of clear, technically astute terminology and fact-specific direction. It compels broad retention while asking for no more than the essentials. It rings with reasonableness. Its demands are proportionate to the needs of the case, and it keeps the focus of e-discovery where it belongs: on relevance.”

We echo Ball’s caveat: “To be useful, the letter must be a living document, changing to reflect new sources… and improved ways to preserve and acquire evidence…. There’s plenty of room for improvement, so dig in, make it better, make it your own.”

More digital evidence case law

The Massachusetts Attorney General’s Office, hosts of the National Cybercrime Conference, have updated the “Electronic Evidence in Criminal Investigations and Actions: Representative Court Decisions and Supplementary Materials.”

Edited by Ronald J. Hedges, a Senior Counsel with Dentons US LLP and a former U.S. Magistrate Judge in the District of New Jersey, the update offers a comprehensive (though not exhaustive) list of U.S. Supreme Court, federal, and state decisions; federal, state, and non-U.S. statutes and regulations; and relevant articles from legal trade media, mainstream media, and law review journals.

Previous supplements going back to 2016 can be found at the Massachusetts AGO’s website.

Have a piece of legal analysis or other relevant material you’d like us to publish, or mention in our next quarterly legal update? Please email christa@forensicfocus.com!

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
