Is your client an attorney? Be aware of possible constraints on your investigation. (Part 1 of a multi-part series)

Significant legal and ethical challenges confront digital forensics investigators, for which some may not be well prepared. Just as many lawyers may be confounded by technology in dealing with digital forensics matters, many digital forensics experts lack formal legal training, and are uninformed about their special obligations in the employ of a lawyer. These obligations include zealously guarding the attorney-client privilege, applying the work product doctrine, developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their work in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party.

In certain situations, such as where digital forensics examiners serve as special masters (see Fed.R.Civ.P. 53) or third-party neutrals (see Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.

The use of a third-party neutral has significant advantages. See, e.g., Craig Ball, Neutral Examiners, Forensic Focus,  First, as an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches).  Second, a third-party neutral is ostensibly impartial, which impartiality presumptively aids in the fact-finding process and administration of justice. Third, the third-party neutral is aptly situated to resolve discovery disputes, including issues of confidentiality, relevance, and privilege, and, if necessary, obtain court intervention or in camera review to resolve such disputes.

But if the examiner is not appointed by the court, but rather is retained by a party to an adversarial proceeding, he or she is nevertheless obliged to ferret out the truth.  See, e.g., Ferron v. Search Cactus, L.L.C., No. 2:06-CV-327, 2008 WL 1902499, at *4 (S.D. Ohio Apr. 28, 2008) (court deemed both plaintiff’s and defendant’s computer experts as officers of the court in order to protect the confidentiality of certain ESI found on plaintiff’s computer that was unrelated to the suit).

1. Work Product Doctrine

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

The work product doctrine enhances a lawyer’s ability to render competent counsel, as the United States Supreme Court observed in Hickman v. Taylor:

[I]t is essential that a lawyer work with a certain degree of privacy, free from unnecessary intrusion by opposing parties and their counsel. Proper preparation of a client’s case demands that he assemble information, sift what he considers to be the relevant from the irrelevant facts, prepare his legal theories and plan his strategy without undue and needless interference.

329 U.S. 495, 510–11 (1947).  It is therefore imperative that both attorneys and examiners understand the doctrine and how it applies to digital forensics examinations. Enjoying the privilege of work product immunity is one of several reasons the expert should be directly retained by the attorney (rather than the attorney’s client).

Some lawyers conflate the work product doctrine with the attorney-client privilege (discussed below). Although the work product doctrine is broader than the attorney-client privilege, it is not a privilege, but rather a limited immunity from production, and can be overcome in certain situations. See Fed. R. Civ. P. 26(b)(3)(A). The doctrine applies in both civil and criminal cases, and protects not only documents and tangible things prepared by attorneys, but also those prepared by an attorney’s consultants, sureties, indemnitors, insurers, or agents.” Id.  In the context of such examinations, the work product doctrine also covers the “mental impressions, conclusions, opinions, or legal theories of a party’s attorney or other representative concerning the litigation.” Fed. R. Civ. P. 26 (b)(3)(B).

The prudent digital forensics expert should, therefore, take affirmative steps to keep confidential the software and hardware used during the examination, as well as his or her theories, algorithms, cryptology, notes, tools, processes, methods, search queries, resource materials, mental impressions, and techniques. And, because the doctrine may be overcome in limited circumstances, attorneys should give careful consideration to whether they instruct their experts to memorialize preliminary findings in writing.  For example, in the popular textbook, Guide to Computer Forensics and Investigations, (Bill Nelson, et al., 4th ed. 2010), the authors explain:

[The forensic tool] also produces a case log file, where you can maintain a detailed record of all activities during your examination, such as keyword searches and data extractions . . . . At times, however, you might not want the log feature turned on. If you’re following a hunch, for example, but aren’t sure the evidence you recover is applicable to the investigation, you might not want opposing counsel to see a record of this information because he or she could use it to question your methods and perhaps discredit your testimony. Look through the evidence first before enabling the log feature to record searches. This approach isn’t meant to conceal evidence; it’s a precaution to ensure that your testimony can be used in court”).

But see Univ. of Pittsburgh v. Townsend, No. 3:04-CV-291, 2007 U.S. Dist. LEXIS 24620 (E.D. Tenn. Mar. 30, 2007) (holding that it was improper for the counsel to have instructed or otherwise suggested to the experts that all e-mails be destroyed, as they became the subject of multiple discovery requests).

In 2010, Fed. R. Civ. P. Rule 26 was amended to give experts’ draft reports the protection of the work product doctrine, exempting them from mandatory disclosure. Fed. R. Civ. P. 26(b)(4)(B). The rule expressly provides that the doctrine applies to “protect drafts of any report or disclosure required under Rule 26(a)[(2)], regardless of the form in which the draft is recorded.” The amended rule also applies work product protection to communications between experts and the counsel who retain them, with three exceptions: (1) communications pertaining to the expert’s compensation; (2) facts or data that the attorney provided and the expert considered in forming opinions; and (3) assumptions that the attorney provided and that the expert relied on. Fed. R. Civ. P. 26(b)(4)(C).  Critics contend the amendment affords attorneys too much latitude in drafting experts’ reports or influencing their opinions. See, e.g., Robert Ambrogi, Changes to Rule 26 Bring Praise — Albeit Faint, Bullseye Legal Blog (June 1, 2011).  The counter argument is that “[t]he risk of an attorney influencing an expert witness does not go unchecked in the adversarial system, for the reasonableness of an expert opinion can be judged against the knowledge of the expert’s field and is always subject to the scrutiny of other experts.” Haworth, Inc. v. Herman Miller, Inc., 162 F.R.D. 289, 295–96 (W.D. Mich. 1995).

One area of particular concern relating to the work product doctrine and digital forensics investigations is the applicability of the 2006 Adam Walsh Act and similar state statutes. Under 18 U.S.C. § 3509 (m), added by Section 504 of Title V of the Adam Walsh Act, “any property or material that constitutes child pornography . . . shall remain in the care, custody or control of either the government or the court.” Title V of the Act contains congressional findings that: “[e]very instance of viewing images of child pornography represents a renewed violation of the privacy of the victims and a repetition of their abuse;” that “[c]hild pornography constitutes prima facie contraband, and as such should not be distributed to, or copied by, child pornography defendants or their attorneys;” and that “[i]t is imperative to prohibit the reproduction of child pornography in criminal cases so as to avoid repeated violation and abuse of victims, so long as the government makes reasonable accommodations for the inspection, viewing, and examination of such material for the purposes of mounting a criminal defense.” Adam Walsh Child Protection and Safety Act of 2006, Pub. L. 109-248, §§. 501(2)(D)–(F), 120 Stat. 587, 624 (2006).

“Ample opportunity” and “reasonable access” under the Act requires: (1) “the government [to] supply reasonably up-to-date tools (hardware and software) and facilities [in order to] construct a reasonable, available forensic defense,” (2) “[ability of] a defense expert to utilize his or her hardware or software,” and (3) “that the analysis be performed in a situation where attorney-client privilege and work product will not be easily, accidentally exposed to the government, and in a facility which is open to the defense at its request during normal working hours, and to the extent feasible, during non-working hours.” United States v. Flinn, 521 F. Supp. 2d 1097, 1101 (E.D. Cal. 2007). In State v. Boyd, the Supreme Court of Washington held that preparation for trial would “likely require revisiting the evidence many times before and during trial” and, therefore, where the evidence consists of a computer hard drive, “adequate representation requires providing a ‘mirror image’ of that hard drive; enabling the defense attorney to consult with computer experts who can tell how the evidence made its way onto the computer,” and that anything less could place an undue burden on defense counsel or a defense expert, interfering with a defendant’s constitutional rights. 160 Wash.2d 424, 433–37, 158 P.3d 54 (2007).

In my experience, most government agencies endeavor to provide reasonable access, but others, perhaps well-meaning, have sought to dictate what equipment the defense expert may use (including the number of computers, and a restriction of both optical read/write drives and solid state drives), or have proposed the examiner work in a small room alongside state staff, or have required the examiner to use state equipment to conduct Internet research during the examination, or have proposed limiting the examiner to a black-and-white printout of the forensic report or to an electronic copy on a read/write optical device supplied by the state, and insisting that the work product be inspected by a state employee prior to removal from the facility. These limitations not only violate the work product doctrine, but also implicate a defendant’s right to effective counsel and due process, and are likely to result in relinquishment of the media containing the contraband to the defense expert under the Act’s so-called “safety valve.” 18 U.S.C. § 3509(m)(2)(B).  This has already happened in several cases. See, e.g., State v. Allen, No. E2007-01018-CCA-R3-CD, 2009 Tenn. Crim. App. Lexis 114 (Tenn. Crim. App. Feb. 12, 2009); United States v. Knellinger, 471 F. Supp. 2d 640, 650 (E.D. Va. 2007); State v. Johnson, No. 1 CA-CR 09-0300, 2010 WL 1424369 (Ariz. Ct. App. Apr. 8, 2010).

2. Attorney-Client Privilege and Confidentiality

The attorney-client privilege is one of the most hallowed tenets of American common law. The primary function of the privilege “is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.” Upjohn Co. v. United States, 449 U.S. 383, 389 (1981). Without the privilege, which withholds otherwise relevant evidence, “the client would be reluctant to confide in his lawyer and it would be difficult to obtain fully informed legal advice.” Fisher v. United States, 425 U.S. 391, 403 (1976). In general, communications are protected under the attorney-client privilege if (1) a person is seeking legal advice from a lawyer acting in his legal capacity, (2) the communication is made for the purpose of obtaining legal advice, (3) the communication is made in confidence, and (4) the communication is made by the client. Restatement (Third) of the Law Governing Lawyers § 68 (2000).

So, you might ask, how might this apply to digital forensics examinations?

I respectfully propose that the following statement by the Colorado supreme court is incorrect:

[A]s both a legal and practical matter, the defense expert’s relationship with the defendant and counsel has been protected from intrusions by the state. The law has recognized several doctrines that afford a degree of confidentiality to the expert-defense relationship. Thus, statements made to the expert by the defendant and counsel may be protected by the attorney-client privilege.

Hutchinson v. People, 742 P.2d 875, 881 (Colo. 1987) (underline emphasis added).

Specifically, statements made to the expert by the defendant and counsel are probably not protected by the attorney client privilege. First, only the client’s statements enjoy the privilege (or the attorney’s statements to the client that contain the substance of the client’s statements, such as an answer by the attorney giving some indication of the client’s question).  See. e.g., Kennedy v. Yamaha Motor Corp., 2010 Phila. Ct. Com. Pl. Lexis 24 at *4 (Pa. C.P., Feb. 2, 2010). (“Attorney-client privilege is perhaps a misnomer, since only the client’s statements enjoy a privilege.  Communications of the attorney, on the other hand, are not privileged, except to the narrow extent to which they reveal communications made by the client”).

Courts may, indeed, construe a client’s direct communications to the digital forensics expert as privileged, if the expert is regarded an agent of the attorney. Fin. Techs. Int’l, Inc. v. Smith, 49 Fed. R. Serv. 3d 961, 967 (S.D.N.Y. 2000).  And it is true that an expert is not considered a third-party whose presence destroys the privilege if the expert’s presence is deemed necessary to secure and facilitate communication between the client and the attorney (not unlike an interpreter). See United States v. Kovel, 296 F.2d 918, 921–922 (2d Cir. 1961); In re Grand Jury Proceedings, 220 F.3d 568, 571 (7th Cir. 2000); United States v. Cote, 456 F.2d 142, 143 (8th Cir. 1972).  But I do not believe that communications between an attorney and an expert are automatically afforded attorney-client privilege, because these are not communications made in confidence to an attorney while seeking legal advice. See Matthew P. Matiasevich, I (Might) Get By With a Little Help from my Expert (May, 2010), 21st Annual Spring Symposia of the ABA Section of Real Property, Trust, and Estate Law (“The attorney-client privilege rarely applies to experts for the simple reason that the expert is almost never the client and hence communications are not confidential”).  For this reason, and although it may hinder the expert’s efficacy, the expert should probably avoid asking questions of the attorney like, “So, did your client admit to knowingly downloading those images?”

My opinion notwithstanding, both the expert and the attorney would owe a duty to the client—the holder of the privilege—to maintain confidentiality. The attorney’s obligation is detailed in the Model Rules of Professional Conduct in Rules 1.6 (governing disclosure by a lawyer of information relating to the representation of a client during the lawyer’s representation of the client), 1.18 (the lawyer’s duties regarding information provided to the lawyer by a prospective client), and 1.9 (the lawyer’s duty not to reveal information relating to the lawyer’s prior representation of a former client).

But, the expert, who usually isn’t present at the time of the communication, is also obliged to zealously protect any information the expert discovers that implicates communications made by the client to his or her attorney.  And this obligation is another reason why digital forensics experts working in litigation support roles really need some legal acumen: He or she needs to correctly recognize and, as necessary, segregate attorney-client privileged data. For example, if the expert encounters e-mails between a client and her attorney, which the client subsequently forwarded to a friend, will the expert recognize a privilege? See generally Jonathan Feld & Blake Mills, The Selective-Waiver Doctrine: Is it Still Alive?, 16 Business Crimes Bulletin 4, 4, (Dec. 2008). When in doubt, the expert should consider the communication privileged and consult with the attorney. Note this exhortation reveals that the integrity of the privilege itself could depend upon the integrity of the communication channel between the expert and the attorney.

3. Information Security

Attorney-client privilege aside, a competent digital forensics expert should also have background and training in information security protocols and be able to observe strict confidentiality of all data entrusted to him or her, as my colleagues Sharon Nelson and John Simek eloquently argue:

Not all cases are shrouded in secrecy, but a fair proportion of them are. There are well known figures getting divorced, major companies with proprietary information at issue, public figures in the headlines and people charged with felonies. . . . During the course of a major case where the expert has been identified, the press will undoubtedly come sniffing around the expert probing for information. A good expert knows the standard answer, “I’m sorry, I have no comment” and is as immoveable as the Great Wall of China.

Sharon D. Nelson & John W. Simek, Finding Wyatt Earp: Your Computer Forensics Expert, Sensei Enterprises, Inc. (2005). A recent Associated Press article, Anthony Computer Expert Backs Off Reported Claims, seems to demonstrate the foregoing point well. But, because the Rules of Professional Conduct do not apply to digital forensics examiners, the only enforcement mechanisms are contractual provisions—i.e., a confidentiality clause in the retainer agreement—and loss of reputation and business. The prudent attorney should, therefore, include a confidentiality provision in the engagement agreement, which may give rise to a breach of contract action if damages are sustained. Also, if the expert is retained while a case is active, either or both parties may move the court for a protective order regarding the expert’s handling of confidential data, under which the expert would be subject to the court’s inherent supervisory powers, including sanctions and contempt authority.

4 thoughts on “Is your client an attorney? Be aware of possible constraints on your investigation. (Part 1 of a multi-part series)”

Leave a Comment

Latest Articles