Chapter 14. Overview of Digital Evidence Discovery

Information in this chapter:

• Discovery motions in civil and criminal cases

With the ubiquitous nature of digital evidence, it may seem as if finding and recovering digital evidence is a simple task. It is not. There are legal and technical barriers to obtaining digital evidence that must be overcome in every instance involving electronic data. Depending on the type and location of the evidence, if one can even make that determination, there are legal hurdles to cross before you can obtain that evidence, whether it is protected in some way by the Electronic Communications Privacy Act (ECPA), HIPAA, Fourth Amendment protections against unlawful search and seizure, or expectations of privacy in the workplace.

Keywords: Discovery Issues, Discovery Challenges, Civil Discovery, Criminal Discovery

Introduction

Creating effective discovery motions for digital evidence is not a cookie-cutter process. In order to get the information your expert will need to perform a comprehensive examination, the discovery motion will need to be tailored to the type of digital evidence that is of interest in the case. For example, a discovery motion created for data on a computer will not work for all computers; what if that computer is a live production server at a corporate facility that absolutely cannot be taken offline without completely crippling a company? A situation such as this will require forensic processes that are of a higher degree of complexity when capturing that data. Yes, the data can be collected, but a discovery motion designed for a generic computer is not going to provide information that could end up being critical to a case when it comes time to actually examine the data collected from a live production server.
The following chapters in this section will guide you through our process of creating discovery motions for types of digital evidence. The expert you hire should be able to assist you in creating your discovery motions. Your expert should be the one who knows all the intricacies regarding a type of digital evidence, and should also know all the peripheral information related to that evidence needed to examine it properly. If the expert you have hired cannot do this, his competence must immediately come into question. This is not asking a digital forensics expert to be proficient in lawyering; it is asking an expert to bring his expertise to bear by assisting you in creating the discovery motion so that he can perform his job correctly.

14.1. Discovery motions in civil and criminal cases

When you are creating discovery motions for criminal defense cases, the evidence in question is usually in a postmortem state, meaning that it is not in use, it is offline, and it is probably in the custody of law enforcement. Forensic images have probably been made of much of the evidence, and if not, access can be gained to these items so that your expert can do so. Also, the evidence usually has decent chain of custody documentation. With civil cases, it is common for the evidence items to still be in use and online. Sometimes the digital evidence devices cannot be taken offline or powered off for full forensic acquisitions. This is especially true in e-discovery cases. Even when the devices can be taken offline and fully acquired, the window of time to do so can be as limited as overnight or a few hours. Since these items are often still in use, deliberate planning and scheduling must be done in order to forensically collect the evidence of interest. It is also common to see a lack of chain of custody documentation, if any exists at all, in civil cases. Getting your expert access to the evidence is always a critical component when creating discovery motions. Due to the differences between civil and criminal cases, the discovery motions have to be crafted differently to contend with the unique challenges that civil and criminal cases have, especially when it comes to getting access to the evidence.

14.1.1. Common challenges in criminal and civil cases

The following is the 30,000-foot view of the common challenges in civil and criminal cases that need to be addressed when creating discovery motions. The subsequent chapters will cover these challenges in greater detail, but for the moment it will suffice to bring them to your attention.

14.1.1.1. Common challenges in criminal cases

1. The evidence in the case contains contraband images, preventing you from getting a copy of the evidence and requiring that all forensic examination by the defense expert be performed on location at the law enforcement facility and under the supervision of a law enforcement officer.
2. Evidence items, such as cell phones, were returned to their owners by law enforcement before an opposing expert could examine them. It is also common for this to be done without law enforcement creating any kind of copy, forensic or otherwise, of the evidence.
3. Not all elements of the documentation created by the law enforcement examiner, such as reports and bench notes, are requested in the discovery motion.
4. Evidence is not turned over because the law enforcement agency did not have the tools to make a copy of the evidence.
5. The evidence is in a form that is difficult to capture, such as a global positioning system (GPS) device.

14.1.1.2. Common challenges in civil cases

1. The chain of custody for an item of digital evidence is poorly documented or unknown. It is important for your expert to know, if possible, everyone who has handled this digital evidence, and whether they did so in a way that forensically preserved the evidence.
2. Access to the evidence is limited. The limitation may arise because the item cannot be taken offline, as with a live production server, or because the device can only be offline or out of the possession of the custodian for a short period of time, as with a CEO’s laptop.
3. Not all of the documentation created by the opposing expert, or about the opposing expert, has been requested in the discovery motion. This is critical in civil cases, as we have encountered many people claiming to be forensics experts who have no forensic training, experience, or tools. In these situations, there is a high probability that the opposing expert has altered the evidence in some way or even destroyed evidence.
4. There is a tendency in many civil cases to perform self-collection where the producing party collects the evidence using their computer support persons, or the custodians themselves copy documents and such to an external hard drive. This poses many problems, including the alteration of metadata, lack of authentication, and the inability to reproduce the evidence in its original unaltered form for inspection by a third party at a later date.
5. The evidence is in a format that the receiving party cannot use, such as a backup tape, a forensic image format, a database, or a proprietary file structure.
6. The evidence may be in the control of a third party such as a cell phone service provider, an Internet service provider, or a third-party data backup or storage provider.
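
The metadata alteration and lack of authentication described in item 4 (self-collection) can be seen at the file level. The following Python sketch is an added example, not material from the book; the file name, timestamp, and helper names are constructed for illustration. It records a SHA-256 hash, size, and last-modified time for a file, then compares an ordinary copy, a metadata-preserving copy, and a copy edited after collection.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    """Hash file contents in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record(path):
    """Manifest entry: content hash plus metadata a copy can silently change."""
    st = os.stat(path)
    return {"sha256": sha256_file(path), "size": st.st_size,
            "mtime": int(st.st_mtime)}

def compare(original, copy):
    """Return the manifest fields that differ between original and copy."""
    a, b = record(original), record(copy)
    return sorted(k for k in a if a[k] != b[k])

def demo():
    work = tempfile.mkdtemp()
    src = os.path.join(work, "contract_draft.txt")  # constructed sample file
    with open(src, "w") as f:
        f.write("constructed sample document\n")
    # Constructed last-modified time: 2015-01-01 00:00:00 UTC
    os.utime(src, (1420070400, 1420070400))

    naive = os.path.join(work, "naive_copy.txt")
    shutil.copyfile(src, naive)    # content only; mtime becomes "now"
    preserved = os.path.join(work, "preserved_copy.txt")
    shutil.copy2(src, preserved)   # content plus timestamps

    results = {"naive": compare(src, naive),
               "preserved": compare(src, preserved)}
    with open(preserved, "a") as f:  # simulate a later edit to the copy
        f.write("x")
    results["edited"] = compare(src, preserved)
    shutil.rmtree(work)
    return results

if __name__ == "__main__":
    print(demo())
```

A manifest like this only authenticates file contents and one timestamp; it does not capture deleted data, unallocated space, or other file system metadata that a forensic image preserves.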

Summary

In this chapter we learned about some of the common challenges to getting evidence in criminal and civil cases. Such challenges include incomplete discovery motions, self-collection, inaccessible formats, and items lost due to returns to the owners without an examination being performed.