Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 15. Discovery of Digital Evidence in Criminal Cases

Information in this chapter:

• Sources of digital evidence

• Building the motion

We will show how to analyze initial discovery documents to determine what digital evidence should be available to be discovered as well as the language needed to get everything that is relevant for examination by an expert. We will also show you what to ask in order to get evidence that was collected but not examined or copied due to technical limitations of law enforcement agencies. We will also cover some not-so-obvious items that are helpful to get during the discovery process.

Keywords

Building Criminal Discovery Motions, Specific Motion Language

Introduction

Criminal cases can involve many types of digital evidence. The key is to make sure that you are getting all of the evidence you need to defend your client effectively. To do this, you must first go through the initial discovery provided in the case and then determine what digital evidence might be available, either directly from the law enforcement agency or via subpoenas of third parties. If you can get a qualified expert involved early in the case, they can assist you with determining what digital evidence may be available and of interest in the case and how to ask for it in discovery motions.

The information in this chapter can apply to any criminal case; however, specific attention must be paid to cases involving contraband. For example, federal child pornography contraband cases are governed by the Adam Walsh Child Protection and Safety Act of 2006. Discovery in cases involving contraband is covered in Chapter 21.

15.1. Sources of digital evidence

Every criminal case is unique; however, the method for determining what evidence to look for via discovery can be well defined. During the initial fact-finding process of reading initial discovery provided by the prosecution, pay particular attention to items collected as well as clues to items that may be available from third parties:

• Search Warrant Returns

• Search warrant returns provide a listing of all evidence collected by law enforcement when they execute the warrants. It is important to pay special attention to the items in the inventory to see if they might yield digital evidence. While it may appear obvious that you want to ensure that you get computers and cell phones, other devices, such as cameras, GPS units, and storage devices, can also contain critical evidence.

• Paper Discovery

• It can be easy to miss potential digital evidence when working through paper discovery if you are not aware of some of the evidence that can be gathered based on clues provided by witness statements, investigative reports, and documents gathered from third parties.

• Evidence in the paper discovery can include cell phone call records, GPS records from third-party monitoring services, web pages from social media sites, printouts of e-mails and file listings, and specific computer screenshots.

15.2. Building the motion

When you build your motion for discovery in these cases, it is important to make sure you include items in the motion that may not seem obvious. For instance, many law enforcement agencies collect items that may contain digital evidence, yet they may never examine those items. In many cases, the warrant is written in such a way as to allow the wholesale collection of anything and everything in the realm of electronics, including items like facsimile machines, cameras, video tapes, CD-ROMs, movie cameras, music players, and game consoles.

During the process of discovery review, your expert should also be able to assist you in identifying evidence that was collected improperly from third parties and evidence that was not requested from third parties. Call detail records are collected in many cases today, and in many circumstances they are not requested properly. Discovery of call detail records is covered in detail in Chapter 24.

15.2.1. Discovery motion specifics

• The Inventory. Defense requests a complete inventory of all items taken that may contain any type of digital data, whether or not such items were examined or copied by prosecution’s experts.

• Items the Defense Will Supply to Assist in Getting the Discovery. Defense will provide sanitized hard drives for the forensic copies if requested by the law enforcement agency.

• Specifying the Forensic Copy Format. The preferred format for forensic images is EnCase (E01) Expert Witness Format. However, any forensically sound format is acceptable. (Expert Witness Format is a widely used format that can be opened by the majority of forensic tools available. It is also easily converted into other formats. Finally, it is a self-contained set of files that are not subject to contamination.)

• Specifying Other Formats. Defense requests that any items provided to the prosecution in electronic format including but not limited to call detail records, audio or video recordings, and GPS logs, be provided in the same format to the defense.

• Requesting Supplemental Documents. Defense requests a complete copy of all forensics reports, chain of custody records, and lab notes generated by the prosecution’s experts pertaining to the acquisition, preservation, analysis, and/or reporting by said experts in the course of this investigation.

Defense also requests a copy of the resume or curriculum vitae of any prosecution expert involved in the collection, handling, imaging, or examination of any electronic evidence and or items collected.

• Computers and Related Items. Defense requests a duplicate of any forensic copies made by the prosecution’s experts of any computer hard drive, digital storage media, including but not limited to CD-ROMs, USB flash drives, floppy disks, memory cards, digital camera storage, smart cards, and portable hard drives.

• Cell Phones, GPS Devices, and Other Portable Devices. Defense requests duplicates of any forensic copies made by the prosecution’s experts of any cell phone and/or SIM cards, media cards, GPS devices, media players, game consoles, video recording devices, audio recording devices, or any other electronic devices collected in this case.

• Items Collected and Not Forensically Imaged. In the event the prosecution’s experts did not make a forensic copy of any original media, defense requests that forensically sound copies be made and furnished to the defense for examination by the defense expert.

In the event the prosecution’s experts are unable to make forensic copies of any evidence, the defense requests access to said evidence in order to make forensic copies for examination.

Note

Why They Don’t Examine What They Collect and Why You Should

Many police departments and state law enforcement agencies are lacking in trained personnel and forensic equipment. For this reason, many of the items collected in search warrants are never examined, or in the case of cell phones, are examined informally without using proper forensic tools and procedures. That is why it can be important to make sure that your expert has the training and tools to collect and examine digital evidence from disparate devices. In some cases, this may require that you employ multiple experts depending on the evidence collected by law enforcement. In other cases, one firm may be able to provide experts in all areas of your case.

You can never tell when some odd device may contain evidence critical to your case. Something as innocent sounding as a PlayStation Portable, Xbox, or iPod can contain evidence you may be able to use in litigating your case.

15.1.Example language for a consent order for digital evidence

(This is an example of a consent order from the State of North Carolina.)

UPON MOTION OF THE DEFENDANT, by and through his counsel, _________, and it appearing to the Court:

1. That Defendant has been indicted for the offenses of ______________________;

2. That based upon discovery received to date by the Defendant, (list items here if known) were seized and removed from the alleged crime scene by law enforcement and are presently in the custody of the _______________;

3. That counsel for Defendant has a reasonable belief that there exists information contained within the data files in the aforementioned computers that is necessary to ensure Defendant receives a fair trial and effective assistance of counsel and to adequately prepare a defense in this matter;

4. That the Defendant is entitled under the discovery statutes of Article 48 of the North Carolina General Statutes, as well as Brady v. Maryland, 373 U.S. 83, 83 S. Ct. 1194 10 L. Ed. 2d 215 (1963), and its progeny, to these requested items;

5. That the Assistant District Attorney, counsel for Defendant consent to the entry of this Order as indicated by the signature of each below.

IT IS THEREFORE ORDERED that:

1. The law enforcement agency or agencies provide to the Assistant District Attorney the following:

a. A duplicate of any forensic copies made by the law enforcement personnel or by the prosecution’s experts of any computer hard drive, digital storage media including but not limited to CD-ROMs, USB flash drives, floppy disks, memory cards, digital camera storage, smart cards, and portable hard drives, GPS units, or other devices capable of storing electronic data;

b. Duplicates of any forensic copies made by state law enforcement personnel or by the prosecution’s experts of any cell phone and/or SIM cards, media cards, or other storage used in conjunction with telephony;

c. In the event law enforcement personnel or the prosecution’s experts did not make a forensic copy of any original media, defense requests that forensically sound copies be made and furnished to the defense for examination by the defense expert;

d. In the event that said law enforcement agencies are unable to provide copies of evidence from any of the devices seized, a defense expert shall be given the appropriate opportunity to make forensic copies of any such devices or storage media.

e. A complete inventory of all items taken that may contain any type of digital data, whether or not such items were examined or copies made by law enforcement personnel or the prosecution’s experts, and;

f. A complete copy of all forensics reports, chain of custody records, and lab notes generated by law enforcement personnel or the prosecution’s experts pertaining to the acquisition, preservation, analysis, and or reporting by said personnel or experts in the course of this investigation.

g. A copy of the resume or curriculum vitae of any prosecution expert involved in the seizure, handling, copying, or examination of the items listed in this order.

2. That, upon receipt from the law enforcement agency, the Assistant District Attorney provide to counsel for Defendant copies of the aforementioned items.

Summary

In this chapter we looked at the general language you can use to build discovery motions in the majority of criminal cases. If you follow these guidelines, you should be able to get what you need in the hands of law enforcement. Specific types of motions and subpoenas will be discussed in later chapters that deal with specific evidence types such as cell tower records and video and audio evidence.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 15. Discovery of Digital Evidence in Criminal Cases

Create new playlist

Sign In

Sign Up