Is your client an attorney? Be aware of possible constraints on your investigation. (Part 2 of a multi-part series)

In my first post several weeks ago, I discussed some of the special obligations that digital forensics investigators may have while in the employ of a lawyer. I elaborated briefly on the duty to zealously guard the attorney-client privilege, to correctly apply the work product doctrine, and to conduct investigations in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party. In this second part of the series, I will explore another important factor for consideration by examiners: the legality of investigative techniques.

Consider, for example, whether an examiner, at the direction of the attorney, may take possession of a computer belonging to a husband, but seized by a wife in preparation for marital dissolution proceedings.  If a court finds that the wife did not have equal dominion over the computer (e.g., if the computer, or some portion thereof, was password-protected by the husband, or belonged to the husband’s employer), the taking of the computer for analysis might constitute a crime. See, e.g., Moore v. Moore, No. 350446/07, 2008 N.Y. Misc. LEXIS 5221, at *1 (N.Y. Sup. Ct. Aug. 4, 2008) (holding that a wife seeking a divorce could use evidence she found on a computer taken from husband’s car just before she petitioned for marital dissolution, because the computer was a family computer (not a work computer as alleged by husband), the taking occurred before the commencement of the dissolution case, and husband’s car was considered the family car).

Many states have statutes criminalizing unauthorized access to computers or protected networks.  Likewise, evidence obtained from a keylogger or spyware deployed by the client or examiner may violate state or federal law (e.g., the Stored Communications Act). See Sean L. Harrington, Why Divorce Lawyers Should Get Up to Speed on CyberCrime Law, Minn. St. B. Ass’n Computer & Tech. L. Sec. (Mar. 24, 2010, 9:40 PM), (collecting cases regarding unauthorized computer access).

Also, certain types of “cyber sleuthing” or penetration testing may be unlawful under various state and federal statutes.  For example, the Computer Fraud and Abuse Act, last amended in 2008, criminalizes anyone who commits, attempts to commit, or conspires to commit an offense under the Act. 18 U.S.C. § 1030 (2006). Offenses include knowingly accessing without authorization a protected computer (for delineated purposes) or intentionally accessing a computer without authorization (for separately delineated purposes).  Various statutory phrases, such as “without authorization” and “access,” have been the continuing subject of appellate review.  See, e.g., State v. Allen, 917 P.2d 848 (Kan. 1996) (affirming trial court’s holding that the State did not prove the defendant committed a crime); see also Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1624–42 (2003) (showing how and why courts have construed unauthorized access statutes in an overly broad manner that threatens to criminalize a surprising range of innocuous conduct involving computers).

Yet another area of legality concerns recently enacted laws in some states requiring digital forensics examiners to be licensed as private investigators.  Texas passed such a law that provides for up to one year imprisonment and a $14,000 fine for persons conducting unlicensed computer investigations. Tex. Occ. Code Ann. § 1702.104 (2011); see also Private Security Bureau Opinion Summaries: Computer Forensics, Tex. Dep’t Pub. Safety, 4–5 (Aug. 21, 2007).  The Opinion clarifies that the Act applies to computer forensics, defined as:

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

[T]he analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons.  We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.

Id., at 4.

And Michigan’s new law makes unlicensed digital forensics work a felony punishable by up to four years imprisonment, damages, and a $5,000 fine. 2008 Mich. Pub. Acts 67.

In 2008, North Carolina’s Private Protective Services Board proposed to amend General Statute Section 74C-3 to include “Digital Forensic Examiner” as among the roles that must be licensed by the state. See Mack Sperling, North Carolina May Require Licensing for Computer Forensic Consultants, but Do We Need It?, N.C. Bus. Litig. Rep. (Sept. 24, 2008). The measure was defeated. S. 584, 2009 Gen. Assemb., Reg. Sess. (N.C. 2009) (amending GS 74C–3(b) to exempt from the definition of private protective services a person engaged in (1) computer or digital forensic services or the acquisition, review, or analysis of digital or computer-based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court, or (2) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network).

Meanwhile, the American Bar Association has discouraged such legislation, concluding, “[c]omputer forensic assignments often require handling data in multiple jurisdictions.  For example, data may need to [be] imaged from hard drives in New York, Texas and Michigan.  Does the person performing that work need to have licenses in all three states?” Gilbert Whittemore, Report to the House of Delegates, 2008 A.B.A. Sec. Sci. & Tech. L. 2 .  The ABA Report opined:

The public and courts will be negatively impacted if e-discovery, forensic investigations, network testing, and other computer services can be performed only by licensed private investigators because not all licensed private investigators are qualified to perform computer forensic services and many qualified computer forensic professionals would be excluded because they are not licensed.

Indeed, very few licensed private investigators are qualified to perform computer forensics services.  Nevertheless, the trend seems to be leading away from state licensing requirements.

Undoubtedly, one of the thorniest legal problems facing unwary examiners is that of child pornography (“contraband”) encountered in digital forensics investigations. See generally Beryl Howell, Digital Contraband: Finding Child Porn in the Workplace, reprinted in White Collar Crimes 2008, ABA-CLE (2008).

Federal law prohibits the knowing production, receipt, shipment, distribution, reproduction, sale, or possession of “any . . . visual depiction involv[ing] the use of a minor engaging in sexually explicit conduct,” or of “any material that contains an image of child pornography . . . .” 18 U.S.C. §§ 2251(a), 2252(a), 2252A (a) (2006). Violations are punishable by a mandatory minimum term of imprisonment for five years and up to twenty years, (18 U.S.C. §§ 1466A(a)(2)(B), 2252(b)(1), 2252A(b)(1) (2006)) except for mere possession, which is punishable for up to ten years. 18 U.S.C. §§ 1466A(b)(2)(B), 2252(b)(2), 2252A(b)(2) (2006).

Congress, in enacting the Adam Walsh Act of 2006, reasoned that child pornography as prima facie contraband should not be distributed to or copied by defendants, their attorneys, or experts. Adam Walsh Child Protection and Safety Act, H.R. 4472, 109th Cong. § 501(2)(E) (2006).  Therefore, an examiner who encounters contraband during an investigation outside of a law enforcement facility must cease work, and contact law enforcement to come to the place of the investigation to seize the contraband.  See Larry Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom (Kindle Edition, 2011) at 3602-3603 (“[I]f a non-law-enforcement examiner is analyzing evidence in any kind of case and finds child pornography, he or she is required to stop the examination and notify law enforcement so the evidence can be turned over to authorities”); Bill Nelson, et al., Guide to Computer Forensics and Investigations 508 (4th ed. 2010) at 176 (“The evidence must be turned over to law enforcement. This material is contraband and must not be stored by any person or organization other than a law enforcement agency”).  An expert or attorney who e-mails or delivers the contraband may be prosecuted for copying or distribution. See, e.g., United States v. Flynn, 709 F. Supp. 2d 737, 739 (D. S.D. 2010) (indicting an attorney, who claimed he was doing research for a potential client by investigating the existence of child pornography on a P2P network, for possession and distribution of child pornography); see also State v. Brady, No. 2005–A–0085, 2007 WL 1113969, *2 (Ohio Ct. App. Apr. 13, 2007) (recounting that notwithstanding a state court protective order, the Federal Bureau of Investigation executed a search warrant on court-appointed defense expert’s residence, seized his computer and media, and the Government threatened an indictment for violation of 18 U.S.C. § 2252A), rev’d on other grounds, 894 N.E.2d 671 (Ohio 2008).

It should be noted that Section 3509(m) of the Adam Walsh Act technically does not apply to state criminal proceedings; it expressly governs the Federal Rules of Criminal Procedure. Allen v. Tennessee, 2009 WL 348555, at *6 (U.S. Jan. 11, 2010); State ex rel. Tuller v. Crawford, 211 S.W.3d 676, 679 (Mo. Ct. App. 2007); Commonwealth v. Ruddock, No. 08–1439, 2009 WL 3400927, at *1 (Mass. Supp. Oct. 16, 2009); State v. Blount, No. 81-CR-09-1180, slip op. at 6 (Minn. Dist. Ct., Apr. 7, 2010).  Accordingly, state courts sometimes order a forensic copy be provided to the defense expert under a protective order, which the court found would adequately serve the purpose of the Adam Walsh Act “to protect children from sexual exploitation and to prevent child abuse and child pornography.” Id. ; see also Ruddock, supra, 2009 WL 3400927, at *3 (issuing protective order to prevent “unnecessary disclosure”).  As I will explain below, the expert who takes custody of such contraband is playing with fire, unless he or she has some standing agreement with the local office of the U.S. Attorney for that district.

Notwithstanding the non-applicability of the Act to state court criminal proceedings, and notwithstanding state court protective orders, the Government has prosecuted defense attorneys and experts for contraband acquired in the performance of their official duties. United States v. Flynn, 709 F. Supp. 2d 737, 743 (D. S.D 2010); State v. Brady, 894 N.E.2d 671, 673 (Ohio 2008).

Arguably, there is a rational basis for why an expert should have access to the evidence in his or her own lab, because of the increased costs and inefficiencies of conducting the analysis at law enforcement facilities. See Sharon Nelson et al., “In Defense of the Defense: The Use of Computer Forensics in Child Pornography Cases,” Sensei Enterprises, Inc. (2009)  (“The beleaguered defense expert is forced, often by economics, to do whatever it is possible to do in one or two eight hour days. Frequently, the expert has to fight to use hi/her own equipment and to work in privacy”); Larry Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom (Kindle Edition, 2011) at 2127-2130 (“If the case involves child pornography images, the examiner must travel to and perform all of the work at a law enforcement agency. This will add to the expense as the examiner must charge for all the time spent at the agency, including computer processing time that might not be charged for if the case were analyzed in the examiner’s lab”).see also Blount, supra, note 149 (crediting expert’s testimony that conducting the examination at law enforcement facilities would approximately double the cost); Knellinger, supra, note 101 471 F.Supp.2d at 647-48 (crediting testimony that conducting examination at law enforcement facilities would exacerbate costs).   A useful analogy when considering whether a defense attorney should take possession of child pornography is that, in a drug possession case, the prosecutor does not keep samples of a controlled substance in the case files, and instead must inspect the evidence under controlled conditions where it is kept at the law enforcement facility.

In conclusion, the maxim that ignorance of the law is no excuse is sound, and another compelling reason why a capable digital forensics expert ideally should have a solid legal background.  Indeed, an unwary examiner may be asked by a well-intentioned, but uninformed or negligent attorney to engage in conduct that is unlawful.  Alternatively, the examiner’s work, unbeknownst to the attorney, may lead him or her into a briar bush frought with peril.  Because the examiner will not have an attorney client relationship with the retaining attorney, and notwithstanding that the attorney is obligated to diligently supervise non-lawyers, the ultimate personal responsibility for the legality of the examiner’s work belongs to the examiner.

2 thoughts on “Is your client an attorney? Be aware of possible constraints on your investigation. (Part 2 of a multi-part series)”

Leave a Comment

Latest Videos

Digital Forensics News Round Up, February 14 2024 #digitalforensics #dfir

Forensic Focus 14th February 2024 7:23 pm

Picture Perfect - Using Screenshots And Screen Recording In Mobile Device Investigations

Forensic Focus 13th February 2024 11:23 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles