top of page

Approaching Digital Evidence in Discovery: A Guide for Criminal Defense Attorneys (Part I)

Updated: Aug 6, 2024

Electronic data resides in an increasingly frightening number of places. Cell phones are the most obvious because we use them for everything: communications, internet activity, banking, entertainment, and controlling other devices such as alarm systems and  the HVAC at home. But what not so obvious data sources may impact your client’s case? Surveillance systems? The neighbor’s doorbell camera? Your client’s car—particularly if your client connects a phone to it? Speaking of connections, what about devices, such as phones and tablets, that are sync’d? The cell phone is only the beginning, and while it contains obvious data, such as text messages, internet history, and user-generated media, it also contains a wealth of information you probably do not realize exists. Representing your client requires understanding the significance of  the prosecutor’s disclosures after investigators extracted data from computer devices. This may include being able to test and contradict conclusions government digital examiners offer at trial about the data they find. Furthermore, a defense requires knowing how and when to develop digital evidence for your client.

This two-part blog will discuss why it is essential for defense attorneys to grasp the intricacies of digital evidence, common types of data encountered, and strategies for effectively scrutinizing this evidence to build a robust defense. Part I provides information about commonly encountered digital evidence and issues they present at trial. Part II examines some strategies in dealing with digital evidence presented by the prosecution, both in disclosures and at trial.


The Importance of Understanding Digital Evidence


  1. Building a Strong Defense. Digital evidence can include emails, text messages, documents, media, browsing history, and metadata, which can incriminate or exonerate a defendant. Health data can track activity. Any number of apps can create and store location data. A thorough understanding of this evidence allows defense attorneys to challenge its validity, identify inconsistencies, and develop a compelling narrative that supports their client's case.

  2. Ensuring Fairness. The prosecution's evidence must be scrutinized to ensure it was collected, handled, and analyzed properly. Mistakes in data collection or analysis can lead to wrongful convictions. The data is what it is—but is it being interpreted correctly? Are timestamps and location data accurate reflections of events and when they occurred? Can anything be inferred by the absence of data points? Does additional electronic data exist from a device imaged by law enforcement that is inconsistent with the data law enforcement examined? By understanding digital evidence, defense attorneys can protect their clients' rights and better ensure a fair trial.

  3. Technological Proficiency. Defense attorneys must be proficient in understanding and challenging digital evidence to keep pace with the prosecution and the evolving landscape of criminal investigations. At the very least, attorneys must be able to recognize what devices may impact the case and what data those devices may hold. While attorneys need not try to be digital examiners, they need to recognize and evaluate potential evidence sources. Weather apps can collect location data, data generated by apps may remain behind even if the app is deleted. Cars may hold phone data. Alarm systems can augment timelines.  TVs, smart speakers, and other internet devices can contain data that many people would never dream of. If you are not able to evaluate the existence of digital evidence and its significance, can you defend against the evidence when it is presented in court?


Common Types of Digital Evidence


  1. Emails and Messages. Email and messaging data can reveal communications relevant to the case. Defense attorneys should examine the content, timestamps, and metadata of these communications to assess their authenticity and context. Multiple apps that contain communication channels from the same device could each have their own data. Simply because the prosecutor produced text message data does not mean the prosecutor produced all communication data, such as Signal, WhatsApp, etc.

  2. Documents and Files. Digital documents, including text files, spreadsheets, PDFs, etc., can contain critical information, along with data generated by the computer operating system about interaction with those files, even if the files have been deleted. It is essential to analyze the creation, modification, and access history of these files to understand their potential relevance and authenticity.

  3. Browsing History and Internet Activity. Browsing history can provide insights into a defendant's online behavior and interests. Even with “private browsing,” significant data may contain clues as to online activities. Defense attorneys should review this data to challenge its interpretation by the prosecution or to identify potential exculpatory evidence.

  4. Metadata. Metadata provides information about other data, such as the date and time of file creation, modification, and circumstances of file creation. It can be used to establish timelines, verify the authenticity of documents, and identify potential tampering.

  5. Social Media Activity. Social media posts, messages, and interactions can be relevant in criminal cases. Defense attorneys should scrutinize this data for context, authenticity, and any potential exculpatory information, including the social media activity of potential witnesses.

  6. The “unknown unknowns.” Simply interacting with a device can generate data. Picking up a cell phone. Bypassing the phone’s lock screen. Turning a phone from landscape to portrait. Switching from one app to another. Connecting a thumb drive to a computer. Connecting to a Wifi network. Connecting Bluetooth devices. The data that could exist is mind boggling, and it is growing. Much of it can help create or refute timelines.


Key Considerations for Defense Attorneys


  1. Chain of Custody. Ensuring that digital evidence has been handled correctly from the point of collection to presentation in court is vital. Defense attorneys should thoroughly review the chain of custody documentation to identify any potential breaches that could affect the evidence's integrity.

  2. Forensic Integrity. The methods used to extract and analyze digital evidence must be forensically defensible. Defense attorneys should be familiar with these methods and be prepared to challenge any deviations that could compromise evidence obtained from electronic devices. Was the device promptly isolated? What interaction with the device occurred? Was any imaging or extraction properly conducted? Were files hashed, providing a method for determining whether data has changed or whether it indeed came from the device it is being attributed to?

  3. Expert Assistance. Given the technical complexity of digital evidence, defense attorneys should consider enlisting the help of forensic experts  even for guidance. These experts can provide insight into the reliability of the evidence, identify issues regarding analysis, help uncover additional evidence, assist in preparing for cross examinations, and more.

  4. Data Interpretation. Understanding how data is interpreted is crucial. Defense attorneys should evaluate the prosecution's interpretation of the evidence and be prepared to offer alternative explanations that support the client's defense. Maybe the prosecutor’s witness offers one explanation for the data presented, but other explanations may exist. If the prosecution witness used software to find data and present findings, do not assume that the software is infallible or that the examiner’s interpretation is correct.


Continue to Part II, which discusses forms of production by the prosecution, their implications, and strategies for digital evidence.

44 views0 comments

Comments


bottom of page