Cyber-Investigations For The Defense: Fair Discovery?
Last week Missouri Lawyers Media ran an article on a discovery issue that Prosecutors, Defense Attorneys, and Investigators have been wrestling with for a while now. I was quoted in the article by the reporter who interviewed me for it, and I wanted to take some time to elaborate a little further on my position on this issue. First I’d like to present to you a copy of the article. I snipped the full article, but cropped out the other articles that were mentioned in this Trade Journal. Below is the entire article:
First of all, I should state that I know some of the members of our local Internet Crimes Task Force, and the ones I know are good and honest people. I trust them, and I don’t think they would ever intentionally do anything that might send an innocent person to prison. I should caution anyone reading this that attempting to gain access to the hard drive of the investigating agency’s computer should not be the defense’s first course of action. A Digital Forensics Expert should first read the reports written by the investigating officers to determine whether there is any cause to seek access to the investigating agency’s hard drive; often there is none. I should also state that I am not an attorney, but I think it is fair to say that most of the attorneys mentioned in this article are not Digital Forensics Experts either, and certainly not Merilee Crockett, as evidenced by some of her statements in the article. The first quote from Merilee Crockett that I noticed was this:
A lot of people believe that once something is on a hard drive it is there forever. That’s a myth. There are no layers. It’s either there or it is not.
Well, in essence that is true, but it is also over-simplistic. What is important to remember in these types of cases is that we are dealing with Digital Evidence, and there is nothing simple about Digital Evidence. When someone tries to over-simplify how data on a computer is stored, overwritten, or deleted, a lot of key issues get lost in the translation from complex to simple. First, let me explain data deletion. When a file is “deleted”, as the layman understands it, the file is not actually erased; it is simply no longer linked to the “file tree” on the computer. The file remains on the disk until another file is saved, the space the old file occupied is reallocated to the new file, and the old file is overwritten. So Digital Forensics Experts will often say something like this to a layman as an example:
Nothing is ever deleted from a computer, it is overwritten. Think of the data on a computer as layers of information, and think of computer forensic software as a tool that can lift these layers of data to expose what you thought was once “deleted”.
Now one must understand that this quote is usually made by a Digital Forensics Expert trying to explain data storage and deletion to a layman. It too is an over-simplification of how data is stored, overwritten, and deleted. The difference is that what Merilee Crockett is saying is meant as an excuse for hampering the defense in discovery by limiting what can be key and important information the defense needs, while all the Digital Forensics Expert is trying to do is give a layman an idea of what to expect in a Computer Forensic Examination. Perhaps the most accurate way to explain what happens is through the illustration below, which was provided to me by a well-known and world-renowned Digital Forensics Examiner and close associate of mine, Brian Ingram.
How many computer novices and laymen do you think would completely understand the illustration above? One thing is clear: if a file occupies only a portion of a cluster on a hard drive, there is room in the unoccupied portion of that cluster for data from another file. That unoccupied portion is called “File Slack”, and it is not only possible but likely that remnants of a completely different file occupy the file slack of that same cluster. This is exactly what Digital Forensics Experts are trying to convey to laymen when they explain how data is overwritten using an example involving “layers of data”. And if you look at the example carefully and read closely, you will see that Merilee Crockett did in fact simplify this issue to the point that some key issues about how data is recovered from a hard drive are lost in her “translation” of how data is stored, overwritten, and deleted from a hard drive.
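To make the deletion and file-slack point concrete, here is a toy cluster-based disk simulation (an added example, not code from the post or from Brian Ingram’s illustration): a “deleted” file is only unlinked from the directory, a smaller new file reuses its clusters, and the tail of the old file remains readable in the new file’s slack. The 16-byte cluster size, file names, and file contents are constructed values.

```python
import hashlib

CLUSTER_SIZE = 16  # constructed toy value; real filesystems use e.g. 4096-byte clusters


class ToyDisk:
    """Cluster-addressed 'disk' plus a directory standing in for the file tree."""

    def __init__(self, clusters):
        self.media = bytearray(CLUSTER_SIZE * clusters)  # all-zero media
        self.directory = {}                               # name -> (clusters, size)
        self.free = list(range(clusters))                 # allocatable cluster numbers

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)            # ceiling division
        allocated, self.free = self.free[:needed], self.free[needed:]
        for i, c in enumerate(allocated):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only len(chunk) bytes land on the media; the rest of the cluster keeps
            # whatever was there before, which is how file slack comes to exist.
            self.media[start:start + len(chunk)] = chunk
        self.directory[name] = (allocated, len(data))

    def delete(self, name):
        # "Deleting" only unlinks the directory entry and frees the clusters;
        # not a single byte on the media changes.
        clusters, _ = self.directory.pop(name)
        self.free = clusters + self.free

    def slack(self, name):
        """Bytes between a file's logical end and the end of its last cluster."""
        clusters, size = self.directory[name]
        last = clusters[-1] * CLUSTER_SIZE
        used = size - (len(clusters) - 1) * CLUSTER_SIZE
        return bytes(self.media[last + used:last + CLUSTER_SIZE])

    def image_hash(self):
        """SHA-256 of the whole media, as one would check-sum a bit-for-bit image."""
        return hashlib.sha256(self.media).hexdigest()


def demo():
    disk = ToyDisk(clusters=4)
    disk.write("chat.log", b"deleted chat log line number one")  # 32 bytes, 2 full clusters
    disk.delete("chat.log")                                       # gone from the file tree only
    disk.write("report.txt", b"new case report file")            # 20 bytes, reuses those clusters
    before = disk.image_hash()
    remnant = disk.slack("report.txt")   # 12 bytes of the "deleted" file survive in the slack
    after = disk.image_hash()            # read-only examination leaves the image hash unchanged
    return remnant, before == after
```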
There is a reason I gave the example of how an over-simplified interpretation of an issue such as the one we are addressing here can be harmful. Prosecutors typically want to limit discovery in a criminal case as much as they can; but I should also say that there are a few Prosecutors who believe in “Open Discovery” and full disclosure. There is nothing wrong with that; the defense does the same thing. This is a good example of attorneys doing their jobs. But when a Prosecutor tries to limit evidence that can be exculpatory to the defendant, they move into a more sinister area that results in a denial of justice to the defendant. As any good attorney knows, this at the very least may border on what is known as a “Brady Violation”.
One of the key points the prosecution makes when arguing against the defense examining the hard drive of the Law Enforcement Agency that conducted the forensic examination of a defendant’s hard drive is that the agency’s hard drive will contain sensitive case information from other cases. Merilee Crockett makes the same argument in this article:
The hard drive contains chats from ongoing investigations. It has names of potential suspects never charged with crimes. It has the photos and names of underage personas used by undercover investigators, which a disgruntled defendant could easily post online. Defense attorneys can’t prevent that from happening. They have an ethical obligation to give the client everything they can.
That sounds like a good argument, doesn’t it? I’d say that if I did not know what I know about Digital Forensics, encryption, and how to safely store data, I’d agree that it is a good reason NOT to have to hand over the hard drive from the Law Enforcement Agency’s computer. The problem with this argument is that there are a number of remedies for the concern about exposing sensitive case information to Defense Investigators. A digital image can be transferred to a hard drive and check-summed to show that it is a true bit-for-bit image of the original hard drive from the defendant, and all of the notes and other pertinent information gathered in the course of the investigation of the specific case in question can be transferred to that same hard drive; this consolidates the case information generated by the Law Enforcement investigation onto one hard drive for the Defense Investigator and keeps all of the other non-pertinent sensitive case information protected. Encryption could also be used on the Law Enforcement Agency’s hard drive to limit what is viewed to only the data pertinent to the case at hand. Under the Adam Walsh Child Protection and Safety Act the Defense Investigator has to view the evidence at the Law Enforcement Agency’s facility, so a Law Enforcement Officer can easily sit down and decrypt only the section or sections of the hard drive that need to be examined by the Defense Investigator, thereby protecting all of the non-pertinent sensitive case information on that hard drive. The court can also impose orders limiting what the Defense Investigator can discuss with the Defense Attorney and their client to case-related material.
The Law Enforcement Agency tasked with these types of investigations should also use multiple computers, each with a specific purpose. For example, the computer used to image and analyze the defendant’s hard drive should be a stand-alone computer, not attached to the Internet in any way, with all wireless adapters turned off; this way there is minimal chance of any evidence corruption issues. The computer used to chat with potential offenders should likewise serve that one specific purpose; this way, with the use of encryption, all chat logs for a specific case can be freely examined by the defense. Are some of these methods labor intensive? Sure, but we are discussing a criminal case in which a person could be wrongly accused, sent to prison, put on a sex offender registry for the rest of their life, and have their entire life negatively impacted as a result; isn’t doing everything we can to eliminate that possibility worth a little more work? There are ways around this issue, IF the concern here really is a level playing field for the defense.
There are always questions in these cases when it comes to best practices in the forensic analysis of the defendant’s computer, evidence preservation and storage, and evidence spoliation. Often these issues are insignificant enough, and the chance of them presenting a problem in a case so unlikely, that they don’t warrant any consideration. I am not saying that I don’t trust that Law Enforcement is doing the best they can to make sure that their evidence is correct, but I am saying that it is very easy to make a mistake in cases that involve digital evidence. However, when these questions rise to a level of concern that creates a realistic possibility of impeding a defendant’s right to a fair trial, and the Defense’s expert can clearly articulate the reason for that concern, the court should weigh the defendant’s right to a fair trial against the possibility that the investigating agency may have to expose some of its sensitive data to the Defense team. In my personal opinion, if you are looking at sending a man to prison for ten (10) years, then his right to a fair trial trumps the risk of exposing sensitive data from the investigating agency’s computer.
There are a number of questions that the Defense Investigator should be trying to answer when looking over the discovery material from the prosecution.
(1) Was the computer that was used to conduct the Digital Forensic Examination attached to the Internet?
(2) What digital forensic software was used to conduct the examination?
(3) Did the investigating agency run a virus scanner to see whether the defendant’s hard drive contained a virus, Trojan, or other malware that could have caused content to be downloaded to the defendant’s computer without the defendant’s knowledge? If so, what virus scanner was used, what version, was it updated, and are there any known vulnerabilities associated with it?
(4) Are there any anti-forensic tools on the investigating agency’s computer? If there are, why are they there?
These are only a small sampling of the questions the Defense Investigator should be asking and trying to answer by reading the discovery material. If enough of these questions are answered in a way that gives the Defense Investigator clear concerns that need further examination, then it may be necessary to ask for the hard drive from the investigating agency’s computer. The Defense Investigator should be able to clearly articulate these concerns to the court and explain the impact they may have on the evidence. If the court finds that the Defense Investigator gave a reasonable accounting of his or her concerns, and is convinced that these concerns are realistic, then perhaps it is not such a bad thing that the Defense Investigator is given what he or she needs to explore them further, instead of being forced to trust a detective who may not even know whether he or she made a mistake in how the case evidence was gathered and handled.
I have noted that Merilee Crockett compares handing over the hard drive from the investigating agency’s computer in cases involving digital evidence to handing over a breathalyzer machine. One difference between the two is that with digital evidence the defense usually gets a detailed report from the investigating agency outlining its computer examination in fair detail. With breathalyzer tests there is less detail, and fewer tools and procedures for the Law Enforcement Officer to describe in his or her report, so short of a fishing expedition there usually is not enough information to articulate a need to examine the breathalyzer source code. In People v. Cialino, 831 N.Y.S.2d 680, 681 (Crim. Ct. 2007) the court did not deny access to the breathalyzer source code because it was insignificant to the case; it denied access because the defense could not clearly articulate why the source code was significant to the case. This can be seen in the language the court used: it first called the defendant’s request a “fishing expedition”, then went on to say “it is incumbent on the defendant to show that a software change has altered the reliability and accuracy of the machine”, and found that the defendant had not provided a reasonable basis to believe that changes in the software of the Intoxilyzer 5000 had caused it to become unreliable. So the court left the door open to examination of the source code of the breathalyzer machine in question, but it required a clear articulation of why it would be reasonable for the defense to be permitted to examine that source code.
In cases involving digital evidence gathered by imaging a hard drive, the investigating agency’s digital forensic analysis report will usually give the Defense Investigator more information on the software used, the processes used, and the evidence interpretations made by the Detective. That is enough to form any questions that might be pertinent to the case and to research them, to see whether there is good cause, and NOT just a “fishing expedition”, to ask for the hard drive from the investigating agency’s computer.
In summary, I am not saying that in every case the defense should have access to the investigating agency’s computer hard drive. What I am saying is that the courts should be open to seriously considering any request by the defense to examine the investigating agency’s hard drive if the defense can clearly articulate a need to do so. In my mind the whole issue comes down to a balancing act: once the defense clearly articulates reasonable issues that need to be explored in order to defend the defendant against evidence corruption issues that may negatively impact the defendant’s right to a fair trial, the court should balance that right against the need for Law Enforcement to keep sensitive case information confidential.
Ricky B. Gurley