Dec 10, 2015

Capsicum’s Leeza Garber authored an article in The Legal Intelligencer entitled “Evolving Process of Preserving and Using Cellphone Evidence”.

In the last few years, an increasing number of digital forensic companies and computer security providers have investigated phones being sold on eBay and Craigslist in order to prove one significant point: It's hard to actually, completely, and finally delete electronically stored information. People continue to sell used iPhones and Androids that supposedly have been "wiped"—only to have a security firm retrieve data files from the device, including salacious pictures, loan applications, Web browsing history, and text messages. As cellphones have become the new portable workspace, social hangout, and ever-present handheld computer, it is important for attorneys and their clients to recognize that these devices are powerful evidence troves.

It is not surprising that the use of cellphone contents, particularly text messages, as evidence has made interesting forays into local news. Recently, a former middle-school teacher in Coatesville was allowed to quote portions of racist text messages sent between the school officials to support a federal civil rights lawsuit against the school district. In Berks and Montgomery counties, five men charged in a heroin-trafficking operation utilized massive group texts to alert buyers as to what drugs were available and when a transaction could take place.

Consequently, it follows that attorneys and judges are persistently evaluating the uses and consequences of technological stores of evidence—and evolving case law highlights this winding path. A recent Superior Court of New Jersey lawsuit addressed the issue of reviewing cellphone communications. In E.C. v. R.H., No. FV-15-194-16 (Super. Ct. N.J. Aug. 11, 2015), the judge held that the parties needed to obtain tangible copies of all text messages and voicemails in order to ensure that the record would be accurate and complete. Furthermore, a recent New Jersey Department of Corrections administrative action utilized thousands of text messages as evidence to investigate multiple officers (many of whom were later dismissed from their positions).

NuVasive v. Madsen Medical, No. 3:13-cv-02077-BTM-RBB (S.D. Cal. July 22, 2015), is especially helpful in understanding how courts are addressing the preservation of digital data. In NuVasive, the court held that the plaintiff's employees had destroyed evidence that the plaintiff was under a duty to preserve—the employees had deleted cellphone text messages in a variety of manners (wiping, upgrading, etc.). Defense counsel claimed spoliation for the destruction of the text messages—and the court issued a sanction, instructing the jury that NuVasive Inc. had "failed to prevent the destruction of evidence ... after its duty to preserve the evidence arose." Counsel must consider a slew of legal issues when dealing with electronically stored information; these are enumerated in Federal Rule of Civil Procedure 37 (part (e), Failure to Make Disclosures or to Cooperate in Discovery; Sanctions: Failure to Preserve ESI) and relevant case law. Complying with a litigation hold is a serious endeavor, which is why it is so important to preserve early and often to avoid spoliation issues. Spoliation issues continue to plague cases addressing electronically stored information (ESI) evidence, as the preservation and discovery of ESI adapt to new technologies.

Just as the legal profession has explored the ramifications of ESI, technologists continue to investigate and discover the cutting edge. The recovery, investigation and analysis of data in electronic devices and storage media are encompassed by the field of digital forensics—a field that is quickly becoming necessary for attorneys to appreciate. This eternally evolving discipline utilizes a multitude of specially designed tools and techniques to remain abreast of constantly advancing technologies, including cellphones. The digital investigation process can be broken down into two major phases: collection and analysis. For collection of the data, there are two major types of preservation techniques that digital forensics experts use: logical extraction and physical extraction. A logical extraction retrieves all information found on the operating system of the cellphone—including currently existing and active files. A physical extraction takes longer but is more inclusive, collecting the currently existing, active files and all data found within the unallocated space on the cellphone. Unallocated space, in layman's terms, is the unused space within the cellphone's flash storage that is available to be used. However, in the process of waiting to store new, current, and/or active files, it may hold onto deleted data until such time that it must be overwritten with new information. Deep-diving into that unallocated space, as a physical extraction does, allows for the opportunity to potentially retrieve deleted texts, photos and other interesting bits of information.

Once a cellphone is forensically processed, a comprehensive image is made that the investigator can search and analyze. First, however, that image must be authenticated in order for a court to have proof that it is in fact a complete copy of the original media, unchanged by the investigator. A hash algorithm computes a value that represents the uniqueness of a piece or set of data, and that hash value acts as a digital fingerprint to prove (or disprove) that the original and the image match each other. Moving forward, a forensic expert may testify as to the approach and findings of a digital forensics collection—and the hash value works to authenticate the image and allow for a defensible process. That process can be further defended with the use of an expert affidavit, which assists in officially identifying the procedure and findings, alongside the chain of custody and acquisition forms.
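The hash check described above can be sketched as follows. This is an added example, not part of the original article: the SHA-256 choice, the `record` layout standing in for an acquisition-form entry, and the sample bytes are all assumptions constructed for illustration.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read in chunks; real images are too large to load at once

def hash_image(stream, algorithm="sha256"):
    """Return (hex digest, byte count) for an image read from a stream."""
    h = hashlib.new(algorithm)
    size = 0
    while chunk := stream.read(CHUNK):
        h.update(chunk)
        size += len(chunk)
    return h.hexdigest(), size

def verify_image(stream, record):
    """Compare a working copy against the values recorded at acquisition."""
    digest, size = hash_image(stream, record["algorithm"])
    if size != record["size"]:
        return "MISMATCH: size differs"
    if digest != record["digest"]:
        return "MISMATCH: content altered"
    return "VERIFIED"

def demo():
    # Constructed bytes standing in for an acquired cellphone image.
    original = b"SMS:meet at 9pm by the dock\x00" * 5000
    digest, size = hash_image(io.BytesIO(original))
    # Hypothetical acquisition-form entry, filled in at collection time.
    record = {"algorithm": "sha256", "digest": digest, "size": size}

    altered = bytearray(original)
    altered[70000] ^= 0x01            # one flipped bit anywhere in the image
    truncated = original[:-1]         # one missing byte at the end
    return (verify_image(io.BytesIO(bytes(original)), record),
            verify_image(io.BytesIO(bytes(altered)), record),
            verify_image(io.BytesIO(truncated), record))

if __name__ == "__main__":
    print(demo())
```

An exact copy verifies, while a single changed bit or a single missing byte produces a mismatch, which is what lets the recorded hash value stand behind the image in testimony.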

What if your case's key photo or text message was deleted? In the context of digital forensics investigations, "delete" buttons have been (informally) relabeled as "hide" buttons, as data may be retrieved even if the phone, laptop, or other data storage device has been factory reset or wiped, or if texts have been "deleted." While such actions may make the forensic analysis process more difficult, there are certain methods and tools that allow a forensic analyst to access the multiple layers of data on a phone. Data may reside within multiple locations on a cellphone, in an SD card, on cloud storage, in a backup device, on the machine it was last synced to, or potentially in proxy servers between the phone and the Internet. Still, the accessibility of information on a cellphone is significantly dependent upon its operating system and settings. Phones in particular are set up to avoid overwriting data indiscriminately, so if there is spare storage space, the device will utilize that before overwriting or erasing previously used space (like that used to hold deleted messages, photos, etc.). Technically then, deleted text messages may just sit in the phone's memory until they must be overwritten to save new, active data.
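The difference between logical and physical extraction, and why "delete" behaves like "hide" until space is reused, can be shown with a toy storage model. This is an added example, not part of the original article: `ToyPhoneStorage`, its 16-byte blocks and the sample messages are constructed for illustration and do not model any real phone file system.

```python
BLOCK = 16  # bytes per storage block in this toy device

class ToyPhoneStorage:
    """Constructed model: 'delete' releases blocks but does not erase them."""
    def __init__(self, blocks):
        self.raw = bytearray(BLOCK * blocks)  # the physical flash contents
        self.table = {}                       # name -> (block indexes, size)
        self.unused = list(range(blocks))     # never-written blocks, used first
        self.freed = []                       # blocks of deleted files, reused last

    def write(self, name, data):
        needed = -(-len(data) // BLOCK)       # ceiling division
        if needed > len(self.unused) + len(self.freed):
            raise OSError("storage full")
        idxs = []
        for n in range(needed):
            i = self.unused.pop(0) if self.unused else self.freed.pop(0)
            self.raw[i*BLOCK:(i+1)*BLOCK] = data[n*BLOCK:(n+1)*BLOCK].ljust(BLOCK, b"\0")
            idxs.append(i)
        self.table[name] = (idxs, len(data))

    def delete(self, name):
        idxs, _ = self.table.pop(name)        # entry removed from the file table
        self.freed.extend(idxs)               # bytes in self.raw stay as they were

    def logical_extraction(self):
        """Active files only, as the operating system would list them."""
        return {name: b"".join(self.raw[i*BLOCK:(i+1)*BLOCK] for i in idxs)[:size]
                for name, (idxs, size) in self.table.items()}

    def physical_extraction(self):
        """Every byte of the medium, unallocated space included."""
        return bytes(self.raw)

def demo():
    phone = ToyPhoneStorage(blocks=6)
    phone.write("sms_001", b"meet at 9pm by the dock")   # occupies 2 blocks
    phone.write("photo_1", b"JPEGDATAJPEGDATA")          # occupies 1 block
    phone.delete("sms_001")
    logical = phone.logical_extraction()
    before = b"meet at 9pm" in phone.physical_extraction()
    phone.write("video_1", b"V" * (5 * BLOCK))  # fills unused space, then freed blocks
    after = b"meet at 9pm" in phone.physical_extraction()
    return sorted(logical), before, after

if __name__ == "__main__":
    print(demo())
```

After the delete, the logical extraction lists only the photo, yet the physical image still contains the message text; once new data forces the freed blocks to be reused, the text is gone from the physical image as well.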

Once the data is retrieved, analysis of "digital artifacts" (which generally refer to anything of interest related to computer forensics, but specifically can mean certain files or emails, or even a time stamp, file creation date, or note of a file modification) can begin. Certain text applications, like WhatsApp, can provide information related to phone numbers, message contents, message status, time stamps, attachments and geolocation details of a user. Unfortunately, the question of "how long is the data saved?" does not follow with a clear-cut answer—it depends on the make, model and settings of the particular device. However, a skilled forensics expert will be able to advise the client as to potentially available data after basic information is provided about the cellphone.

As technology itself continues to move only slightly slower than the speed of light, the field of digital forensics advances alongside it. One can only imagine how much and what types of data will be available to attorneys as the Internet of Things—the steadily advancing network of objects embedded with network connectivity and software—progresses, and our clients' affinity for tech devices grows. The courtroom is in the process of deciphering how to best handle overwhelming amounts of social media, cellphone, server and computer information, and there are certain technological specificities that courts may not be able to address with generalities. (See PTSI v. Haley, 2013 PA Super 130 (2013), in which the court determined whether ESI destruction was "innocent cleanup" and considered the volume of texts exchanged by cellphone users versus the "limited storage" on cellphones.) Excitingly, attorneys are in a position to utilize a better understanding of ESI and related technology to ramp up evidentiary possibilities. When reviewing all of the sources of ESI relevant to a case, and choosing a digital forensics expert, it is undeniably valuable to understand what data may be available on an electronic device, what related storage sources exist (third-party cloud service, SD cards in the back of a desk drawer, a backup hard drive in the office closet), and what investigative options will best and most efficiently serve your needs.

Leeza Garber is corporate counsel and director of business development for Capsicum Group LLC, a technology consulting company that specializes in digital forensics and investigations, e-discovery, and cybersecurity.

Reprinted with permission from the “December 10, 2015” edition of the “Legal Intelligencer” © 2016 ALM Media Properties, LLC. All rights reserved.

Further duplication without permission is prohibited. ALMReprints.com, 877-257-3382, reprints@alm.com.