Continuing from Part I, which discussed common types of digital evidence and issues they can pose for defense counsel, Part II provides defense attorneys with suggestions to consider in addressing the prosecution’s digital evidence, both in discovery and during trial.
Entire Forensic Image vs. Forensic Software “Report”
The prosecution might provide the defendant with data extracted from a device, such as the defendant’s or a witness’s cell phone. The data provided may be an image of a device, a backup/archive of a device image parsed by forensic software, a “report” generated by forensic software, or some other form of data such as screenshots or spreadsheets created by an examiner. Defense attorneys must understand how any disclosed data was generated, the implications of that form of data, and what is potentially missing from it.
1. Entire Forensic Image (e.g., a cell phone extraction or a hard drive image).
o Comprehensive Data. An entire image of a device's storage captures all or substantially all data from the device, depending on a number of circumstances. This may include deleted files, system files, and metadata. This comprehensive snapshot allows for a thorough examination and can reveal hidden or overlooked information. The government’s digital examiner may have used specialized software to examine and analyze this data, but the software may not be able to examine all data that could be helpful in a case. If the government does not produce a forensic image, the government is likely providing the defendant with less data and less access than is available to the government’s investigators who have the image(s).
o Authenticity and Integrity. An entire image should preserve the original data's integrity, ensuring that it has not been altered. This is critical for establishing the authenticity of the evidence in court. However, data can be changed through the process, and that is important to recognize.
o Forensic Analysis. Defense attorneys can engage experts to review the image. This analysis can uncover exculpatory evidence or identify issues with the prosecution's findings. While the government may provide software along with the data allowing the attorney to access electronic evidence, the “push button” nature of such software can falsely imply that the software is the “easy button” and is reporting on all data on the device. Expert assistance is recommended to confirm the interpretation of data is correct and complete.
2. Backup/Archive of a Parsed Image. Forensic software can generally save a backup or archive of an image. Rather than providing the image generated from a device, a backup or archive is a copy of the data the software ingested and parsed. This is a common form of production of electronic evidence.
o Nearly Comprehensive. This form of production is the closest to the image or extraction obtained by investigators. A backup or archive saves the processing and analysis of the software. This file (or set of files) can then be imported directly into the same software that generated it. While data may be changed from its original form in certain ways, it is intended to be an accurate preservation of data from the device. However, as with any software, always remember “garbage in, garbage out.” Software can make mistakes.
o Authenticity and Integrity. Generally, the government will be able to produce a witness who can testify to the integrity of this data. However, relevant data from a backup or archive should be validated to confirm its integrity, and without an expert, a defense attorney may have a difficult time in proving up such data.
3. Forensic Software Report. Most forensic software can export portions of data extracted from a device, such as particular files (e.g., pictures, videos, text messages, or spreadsheets), in various formats. Such “reports” are generally not the original data in the original structure found on the device. (Also, this is generally not a report in the way attorneys are accustomed to, which is drafted by the expert, contains documentation of work performed, outlines analysis, and sets out the expert’s opinions or conclusions. Rather, it is simply an export of data from the device, although it may contain annotations and may be incorporated into a more comprehensive expert report as envisioned by lawyers).
o Selective Data. A forensic software report typically includes only the data selected by the examiner, generally to focus on what is relevant. This selective extraction can omit crucial information that might be beneficial to the defense, even unintentionally. Even if the prosecutor complies with Brady requirements by producing all known exculpatory evidence, data that the government did not examine, and is therefore unaware of, may be left behind and unknowingly omitted from the software report.
o Potential Bias. The report may reflect the prosecution's interpretation of the data, which may be biased or incomplete. Defense attorneys must critically assess the scope of and methodology in creating the report, as well as the data and context it does not contain. For example, exported text messages may result in a simple listing of one message after another rather than the database from which the text messages were collected, leaving behind evidence of deleted messages or related data that may reside elsewhere on the device, such as other forms of communications between those same devices.
o Limitations. Forensic software reports may not capture the full context or metadata associated with the data produced. This limitation can hinder the defense's ability to fully understand and challenge the evidence. A primary example of this is when a phone that was imaged has an app that the forensic software cannot analyze. The data from that app must be analyzed manually. This data may not be included in the “report,” and even if it is, it has not been parsed by the software.
4. Other Forms of Production. If the government only produces screenshots, spreadsheets generated by a forensic examiner, or other data that cannot be traced directly from forensic software to the device, the defense attorney has blinders on. Meaningful analysis of many aspects of this data will be limited. Think of this as the prosecution providing a screenshot of a picture of the murder weapon rather than actual images or access to the weapon itself.
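The text-message example under "Potential Bias" can be made concrete. The following is an added illustration, not part of the original article: it builds a small SQLite message table (the schema, function names, and messages are constructed for this example and do not represent any real app) and compares a report-style listing with what the underlying database still shows.

```python
import sqlite3

def build_sample_db():
    """Constructed sample data in a hypothetical schema (not any real app's)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " sent_utc TEXT, sender TEXT, body TEXT)"
    )
    rows = [
        ("2023-03-08 20:01", "A", "are you home"),
        ("2023-03-08 20:02", "B", "yes"),
        ("2023-03-08 20:03", "A", "(constructed message 3)"),
        ("2023-03-08 20:09", "B", "ok"),
        ("2023-03-08 20:10", "A", "see you tomorrow"),
        ("2023-03-08 20:15", "B", "(constructed message 6)"),
    ]
    db.executemany(
        "INSERT INTO message (sent_utc, sender, body) VALUES (?, ?, ?)", rows
    )
    # Two messages are removed before the device is imaged.
    db.execute("DELETE FROM message WHERE id IN (3, 6)")
    db.commit()
    return db

def flat_export(db):
    """A report-style listing: surviving messages only, no row ids."""
    query = "SELECT sent_utc, sender, body FROM message ORDER BY id"
    return [f"{sent} {sender}: {body}" for sent, sender, body in db.execute(query)]

def missing_row_ids(db):
    """Row ids the table once allocated that no longer have a row.

    A gap is a lead to examine, not proof of deletion; other events can
    also leave gaps in the sequence.
    """
    present = {row[0] for row in db.execute("SELECT id FROM message")}
    # sqlite_sequence keeps the highest id ever issued for AUTOINCREMENT
    # tables, so a removed final row is still detectable.
    (high_water,) = db.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'message'"
    ).fetchone()
    return [i for i in range(1, high_water + 1) if i not in present]

if __name__ == "__main__":
    db = build_sample_db()
    print("\n".join(flat_export(db)))
    print("row ids with no surviving row:", missing_row_ids(db))
```

The listing reads as a complete four-message conversation, while the database shows that six row ids were issued. Only a production that includes the database itself lets an examiner ask that question.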
Why You Should Try to Avoid a "Go It Alone" Approach With Viewer Software
As mentioned above, the government’s disclosure may contain electronic data extracted from a device, along with a “viewer” that allows the defense attorney to navigate through the data analyzed by the software. Sorting, filtering, searching, and reviewing data seemingly becomes easy. However, this does not mean that a forensic examiner will not add tremendous value to the case.
1. Limited Functionality. Viewer software provided by the prosecution may have limited functionality and might not allow for a comprehensive analysis of the data. Defense attorneys need advanced tools and expertise to thoroughly examine digital evidence.
2. Risk of Overlooking Critical Information. Without proper training and tools, defense attorneys risk overlooking critical information embedded in the digital evidence. Recognizing what is missing and its significance could be difficult. A superficial review using viewer software can miss exculpatory evidence or fail to identify issues with the prosecution's analysis. Furthermore, as mentioned above, a device—such as a phone—may often have apps that the forensic software cannot parse. Data from these apps would need to be examined manually and may require research, testing, or both, in order to understand it. None of that will happen when using a viewer from forensic software.
3. Lack of Expertise. Digital forensics is a highly specialized field that requires technical expertise. Attempting to analyze digital evidence without expert assistance can lead to misinterpretations and missed opportunities to challenge the prosecution's case. Going it alone can mean not validating the tool’s output and can present insurmountable hurdles to admission of evidence without an expert to predicate it. Does the time stamp really mean what it seems to mean? Can the location data be relied upon for the assertion the government makes? For example, does a timestamp in browser activity indicate when the activity occurred, or was the data written to the database at a later time for some reason? Are time zones at play in a timestamp?
4. Admissibility Challenges. Improper handling or analysis of digital evidence can result in challenges to its admissibility in court. Forensic experts ensure that the evidence is analyzed and presented in a manner that complies with legal standards, safeguarding its integrity and admissibility. Experts can also assist in excluding questionable evidence.
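The timestamp questions raised under "Lack of Expertise" can be shown with a short added example, which is not part of the original article. It decodes one stored integer under several widely used timestamp encodings and then expresses the result at a fixed UTC offset; the function names, the sample values, and the UTC-06:00 offset are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# (epoch, ticks per second) for encodings commonly met in device databases.
ENCODINGS = {
    "unix_seconds": (datetime(1970, 1, 1, tzinfo=UTC), 1),
    "unix_milliseconds": (datetime(1970, 1, 1, tzinfo=UTC), 1_000),
    "webkit_microseconds": (datetime(1601, 1, 1, tzinfo=UTC), 1_000_000),
    "cocoa_seconds": (datetime(2001, 1, 1, tzinfo=UTC), 1),
}

def plausible_readings(raw, earliest_year=1990, latest_year=2040):
    """Decode one stored integer under each encoding; keep plausible dates."""
    readings = {}
    for name, (epoch, ticks_per_second) in ENCODINGS.items():
        try:
            moment = epoch + timedelta(microseconds=raw * 1_000_000 // ticks_per_second)
        except OverflowError:
            continue  # value is far outside what this encoding can represent
        if earliest_year <= moment.year <= latest_year:
            readings[name] = moment
    return readings

def in_zone(moment, utc_offset_hours):
    """Express a UTC moment at a fixed offset (no daylight-saving rules)."""
    return moment.astimezone(timezone(timedelta(hours=utc_offset_hours)))

# Constructed sample values, not taken from any case or device.
SAMPLE_AMBIGUOUS = 700024500
SAMPLE_BROWSER = 13350000000000000

if __name__ == "__main__":
    for name, moment in plausible_readings(SAMPLE_AMBIGUOUS).items():
        print(f"{name:20} {moment.isoformat()}")
    for name, moment in plausible_readings(SAMPLE_BROWSER).items():
        print(f"{name:20} {moment.isoformat()}")
    utc_reading = plausible_readings(SAMPLE_AMBIGUOUS)["cocoa_seconds"]
    print("UTC date:       ", utc_reading.date())
    print("UTC-06:00 date: ", in_zone(utc_reading, -6).date())
```

The first sample yields two plausible readings 31 years apart, and its later reading falls on a different calendar date once a time zone is applied. The number alone does not say which reading is right; that depends on how the application that wrote it stores time.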
Strategies for Scrutinizing Digital Evidence
1. Requesting Full Access. Defense attorneys should consider requesting full access to all digital evidence provided in discovery. This includes raw data, forensic images, reports, and maybe more. Full access allows for an independent review and potential identification of overlooked issues or alternative interpretations. Do not rule out obtaining another extraction or image of devices the government examined.
2. Conducting Independent Analysis. Engaging independent forensic experts to analyze the digital evidence can provide a second opinion and uncover potential flaws or biases in the prosecution's analysis. Independent analysis can strengthen the defense's position and provide additional avenues for challenging the evidence.
3. Challenging Admissibility. Defense attorneys should be prepared to challenge the admissibility of digital evidence. This can involve questioning the methods used for data extraction, the qualifications of the prosecution's experts, chain of custody, and the relevance and reliability of the evidence itself.
4. Cross-Examination of Experts. Effective cross-examination of the prosecution's forensic experts is critical. Defense attorneys should be prepared to pose detailed questions that probe the methods, assumptions, and conclusions of these experts. Highlighting any inconsistencies or weaknesses can undermine the prosecution's case. A digital forensic expert can be invaluable here.
Case Studies Highlighting the Importance of Digital Evidence Understanding
1. An export of selected text messages, rather than the entire database they came from, prevented the defense from determining whether messages had been deleted from the device or if communications through other channels had occurred.
2. Producing a PDF “report” containing images from a cell phone leaves behind telling metadata, such as potential location data relating to the pictures, information about the device that took them, and device activity relating to the images.
3. A phone sat in an evidence vault for years while the case was pending, during which time more complete extraction tools became available, yet the only extraction produced from the phone was from years before, at the outset of the case.
Conclusion
For criminal defense attorneys, understanding the data provided in discovery by prosecutors when investigators have extracted data from computer devices is essential, along with knowing what you don’t know. With a thorough understanding of digital evidence, maintaining vigilance in scrutinizing its collection and analysis, and enlisting the help of forensic experts when necessary, defense attorneys can effectively challenge the prosecution's evidence and present a better defense for their clients.