The Dep’t of Justice (“DoJ”) and Federal Trade Commission (“FTC”) have extended the comments period for the Patent Assertion Entities/Antitrust workshop. In December, a joint workshop was held by the DoJ and FTC to discuss Patent Assertion Entity (PAE) behavior, the effects of such behavior and how antitrust laws apply to such behavior. Following the workshop, the FTC and the DOJ was accepting public comments until March 10, 2013, but that public comment period has been extended to April 5, 2013.

Visit for more information on submitting comments.

Hat tip to Alycia R. Kirkevold, Esq., for this timely information.

The above-captioned hearing was held before the House Committee on the Judiciary, Subcommittee on Crime, Terrorism, Homeland Security, and Investigation on March 13, 2013.

Members in attendance included: Jim Sensenbrenner (R-WI, Chairman), Louie Gohmert (R-TX, Vice Chairman), Howard Coble (R-NC), Randy Forbes (R-VA), Trent Franks (R-AZ), Jason Chaffetz (R-UT), Trey Gowdy (R-SC), Bob Goodlatte (R-VA), Robert Scott (D-VA), Suzan Delbene (D-WA), Judy Chu (D-CA), Cedric Richmond (D-LA), and John Conyers (D-MI). Witenesses included Jenny Durkan (U.S. Attorney, W.D. Wash), John Boles (Deputy Ass’t Director, FBI Cyber Division), Robert Holleyman (President and CEO, BSA, The Software Alliance), and Prof. Orin Kerr, (George Washington University School of Law).

Entirety of the statements and witness testimony is located here.

Read more after the bump.


Continue reading ““Investigating and Prosecuting 21st Century Cyber Threats”” »

The above-captioned hearing was before the House Committee on Homeland Security, held March 13, 2013.

Members in attendance included Michael McCaul (R-Texas) Chairman, Peter T. King (R- New York) , Patrick Meehan (R-Pennsylvania), Steven M. Palazzo (R-Mississippi), Chris Stewart (R-Utah), Keith J. Rothfus (R-Pennsylvania), Susan W. Brooks (R-Indiana), Bennie G. Thompson (D-Mississippi) Ranking Member, Loretta Sanchez (D-California), Sheila Jackson Lee (D-Texas), Yvette D. Clarke (D-New York), Ron Barber (D- Arizona), Donald M. Payne, Jr (D- New Jersey), Beto O’Rourke (D-Texas), Steven A. Horsford (D-Nevada), and Eric Swalwell (D-California).   Witnesses included Hon. Jane Holl Lute (Deputy Secretary, Dep’t of Homeland Security), Anish B. Bhimani (Chairman, Financial Services Information Sharing and Analysis Center), Gary W. Hayes (Chief Information Officer, Centerpoint Energy), and Michelle Richardson (Legislative Counsel,
American Civil Liberties Union).

The opening statements recognized the “U.S. Federal Cybersecurity Operations Team” as including DOJ/FBI, DHS, and DoD; alleged that China, Iran and Russia are “dangerous offenders” in cyber-attacks against the U.S. and against American financial institutions; and —citing the recent Executive Order— that Cybersecurity should be the highest legislative priority in this Congress.

The entirety of the statements and witness testimony can be found here.

The above-captioned was a hearing before the House Committee on Armed Services Subcommittee on Intelligence, Emerging Threats, and Capabilities, held March 13, 2013.  The entirety of the statements can be found here.

Read more after the bump.

Continue reading ““Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force”” »

On February 26, the National Institute of Standards and Technology (NIST) published a request for information (“RFI”) on the “Framework for Reducing Cyber Risks to Critical Infrastructure,” as directed by the February 13 Executive Order on Improving Critical Infrastructure Cybersecurity. Submission deadline is April 8, 2013.

The Social Networking Online Protection Act (SNOPA), “A bill to prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website,”  was reintroduced on February 6th by Representatives Eliot Engel (D-N.Y.), Jan Schakowsky (D-I.L.) and Michael Grimm (R-N.Y.).   The bill would not only ban employers and schools from being able to request or require that employees, job applicants, students, or student applicants provide access to personal password protected digital accounts, but also would protect such persons from being punished for refusing these requests.

Although the bill is welcomed by privacy rights advocates, some contend it may actually protect businesses and schools from legal liability because, without access, constructive custody, or control, it may be more difficult for an employer or school to be held vicariously responsible for digital content authored by an employee or student on a personal account.

The above-captioned Executive Order signed yesterday was developed to manage cybersecurity risks to critical infrastructure, and addresses two key issues: information sharing and development of a cybersecurity framework.
Information Sharing
Under this Executive Order, the Government will expand current information sharing responsibilities. These include the development of non-classified reports on threats and efficient dissemination of classified reports to appropriate individuals.

In addition, the process of issuing security clearances to certain personnel will be expedited, and the Secretary of Homeland Security will increase the programs for private sector subject matter experts into Federal service on a temporary basis. This includes the Defense Industrial Base, which will now be open to additional sectors.  The Secretary of Homeland Security will establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. All policies will be reviewed by the privacy office of DHS.

Cybersecurity Framework

The National Institute of Standards and Technology (NIST) will lead the development of a Cybersecurity Framework to include standards, methodologies, procedures, and processes to address cyber risk. NIST will engage in an open review and comment process.

DHS and Sector Specific Agencies (see prev. post for explanation) will establish a voluntary program to support the adoption of the Cybersecurity Framework. SSAs will report annually to the President how institutions identified at greatest risk (as determined by DHS with input from SSAs), are complying with the Cybersecurity Framework. Institutions identified at greatest risk will be notified confidentially.

DHS will coordinate and establish incentives to promote participation in the Program.  Agencies with responsibility for regulating the security of critical infrastructure will work with DHS, the Office of Management and Budget (OMB) and National Security Staff to review the preliminary Cybersecurity Program and determine if current requirements are sufficient. The regulatory agencies will provide a report as to their ability to regulate in this space. If current regulatory requirements are deemed insufficient, agencies will propose actions to mitigate cyber risk. Independent regulatory agencies are encouraged to participate in the consultative process.

  • 120 days – Attorney General, Secretary of Homeland Security, and Director of National Intelligence will issue instructions releasing unclassified reports of cyber threats.
  • 120 days – Secretary of Homeland Security and Secretary of Defense will establish procedures to expand the Enhanced Cybersecurity Services program.
  • 120 days – DHS, Treasury and Commerce shall make recommendations of a set of incentives to encourage participation in the Program.
  • 120 days – Department of Defense, General Services Administration and Federal Acquisition Regulatory Council report on feasibility of including security standards into acquisition planning and contract administration.
  • 150 days – DHS will identify critical infrastructure at greatest risk.
  • 240 days – NIST to provide a preliminary version of the Cybersecurity Framework
    • 90 days of release of preliminary – Regulatory agencies submit a report to the President whether they have authority to establish requirements based on the Framework.
    • 90 days release of final – If current regulatory requirements are deemed insufficient, regulatory agencies shall propose actions to mitigate cyber risk.

Presidential Policy Directive on Critical Infrastructure Security and Resilience

The Presidential Policy Directive, PPD-21, released on February 12 supersedes the 2003 Homeland Security Presidential Directive (PPD-7). The intent of the Directive is to provide an “all hazards” approach to the risks facing critical infrastructure.

PPD-21 directs and encourages the participation of critical infrastructure owners and operators.

Department of Homeland Security (DHS)
The DHS has primary responsible for maintaining national critical infrastructure centers for situational awareness, coordinating Federal Government response to significant cyber or physical incidents and reporting annually on the status.

DHS will coordinate with sector specific agencies to:

  • Identify and prioritize critical infrastructure
  • Provide analysis, expertise and other technical assistance to critical infrastructure
  • Conduct comprehensive assessments of vulnerabilities
  • Map and sort critical infrastructure.

DHS will support the law enforcement agencies to investigate and prosecute threats.

In addition, DHS will run two national critical infrastructure centers. One will focus on cyber threats and the other will be on physical threats. They will be integrated and will perform analysis and situational awareness.
Sector Specific Agencies (SSAs)

The following are the SSAs:

  • Chemical : Department of Homeland Security
  • Commercial Facilities : Department of Homeland Security
  • Communications : Department of Homeland Security
  • Critical Manufacturing : Department of Homeland Security
  • Dams : Department of Homeland Security
  • Defense Industrial Base : Department of Defense
  • Emergency Services : Department of Homeland Security
  • Energy : Department of Energy
  • Financial Services : Department of the Treasury
  • Food and Agriculture : U.S. Department of Agriculture & Department of Health and Human Services
  • Government Facilities : Department of Homeland Security & General Services Administration
  • Healthcare and Public Health : Department of Health and Human Services
  • Information Technology : Department of Homeland Security
  • Nuclear Reactors, Materials, and Waste : Department of Homeland Security
  • Transportation Systems : Department of Homeland Security and Department of Transportation
  • Water and Wastewater Systems : Environmental Protection Agency

Each SSA has unique responsibilities for its corresponding sector, including:

  • Working with owners and operators to implement the directive
  • Serve as day-to-day interface for the coordination of sector activities
  • Carry out incident management responsibilities
  • Provide support or facilitate technical support for the sector
  • Annually provide sector-specific critical infrastructure information.
    Additional Responsibilities

In addition, several other federal departments are required to support the functions of critical infrastructure, including:

  • Engaging foreign governments (Department of State)
  • Counterterrorism and counterintelligence investigations (Department of Justice, including Federal Bureau of Investigation)
  • Resilience of national monuments (Department of the Interior)
  • Encourage research and development to improve security and technology (Department of Commerce)
  • Provide intelligence assessments (Director of National Intelligence)
  • Ensure audit rights for government contracts (General Services Administration)
  • Oversee protection of nuclear reactors (Nuclear Regulatory Commission)
  • Identify, prioritize and respond to vulnerabilities in communications infrastructure (Federal Communications Commission)
  • Inform the situation awareness (all Federal departments and agencies)

All agencies are directed to review and continue information sharing with an assurance that privacy requirements are met.


  • 120 days – DHS to develop a description of the functional relationships  within DHS and across the Federal Government
  • 150 days – DHS and SSAs evaluate existing public-private partnerships
  • 180 days – DHS and SSAs identify baseline data and system requirements for Federal government
  • 240 days – DHS develop a near-real time situational awareness capability
  • 240 days – DHS update National Infrastructure Protection Plan
  • 730 days (2 years) – DHS with OSTP, SSAs and DoC develop a research and development plan

Incorporating Extrinsic Evidence into the Digital Forensics Investigation

Sean L. Harrington

Your role as a computer forensics professional is to gather evidence from a suspect’s computer and determine whether the suspect committed a crime or violated a company policy.


Do you agree with the foregoing statement? Perhaps it’s a little unfair to ask, because it is taken slightly out of context from the source,[1] but it is fair to say that many, if not most, believe that is the essence of what a digital forensics examiner does (or ought to be doing). Not that I disagree, as it is the quintessential substance of what we do — but I don’t believe it should be the sum. And so, one topic that I have found that receives little attention is the consideration of extrinsic evidence in digital forensics investigations.

Extrinsic evidence in legal parlance is “evidence outside the writings.” For purposes of this comment, it is evidence not found on the hard-drive, mobile device, or media subject to forensic examination.  Examples of extrinsic evidence include police reports, interview and interrogation reports, deposition transcripts, comments and opinions made by police or others close to the investigation, statements made by retaining counsel. [2] Extrinsic evidence can even include information about the parties that is available on the Internet, social media, or news stories (although for reasons I explain below, I do not advocate that an examiner embark in an unauthorized safari for such information).

Extrinsic “evidence” directly relates to the case at hand, and is to be distinguished from external “information,” such case law, facts capable of judicial notice, a learned treatise, or an examiner’s prior experience. Consider, for example, a number of appellate decisions reveal file-naming conventions frequently used by those found with child pornography (“contraband”), as in United States v. Beatty:

[I]t does not necessarily follow as an inevitable corollary . . . that no file name can ever be regarded as a logical indication of the file’s salient features . . . one can also envision circumstances where the file name is so explicit and detailed in its description as to permit at least a reasonable inference as to what the actual file is likely to show. Many, if not most, of the files at issue here had titles that contained highly graphic references to specific sexual acts . . . Several of the files also reference terms such as “child_sex,” “pedofilia,” “illegal pedo sex,” “incest,” or “Lolita.” The unmistakable inference which arises from such highly descriptive file names, is that the content includes material pertaining to the sexual exploitation of children — i.e., evidence of criminal activity, if not outright contraband. Given the number of files in question and the pointed references in their titles to specific sexual acts involving young children — described in the most coarse and vulgar terms, this inference is a strong one.[3]

Just as external information is capable of providing invaluable insights, it is my experience that extrinsic evidence provides context and may even permissibly limit or broaden the scope of an investigation.  And, although this topic hasn’t earned itself a chapter in any of the digital forensics books I’ve read, I found support for the notion in reading between the lines:

[I]dentifying case requirements involves determining the type of case you’re investigating . . . you should outline the case details systematically, including the nature of the case, the type of evidence available, and the location of the evidence.[4]

One of the greatest mistakes that can be made is to look at any digital evidence in isolation without properly considering all of the processes, inputs, and outputs that can impact the interpretation.[5]

Accordingly, I believe examiners should insist upon unfettered access not only to the media, but also to the court filings and related discovery (e.g., arrest reports, opposing party’s expert’s report, etc.).[6]

I have found that gathering and reviewing extrinsic evidence is a concept that roughly approximates of so-called early case assessment (“ECA”) in the e-discovery world.  One e-discovery solutions vendor, StoredIQ, explains “using ECA, legal counsel can assess the merits of a dispute, formulate a legal strategy and make decisions concerning the matter before the costly process of taking the case to trial begins.”  Another familiar vendor, Guidance Software, distinguishes their product on the basis of ECA by claiming that “other products . . . provide analysis and review only after completing collection and processing.”

Below I provide a few examples of how extrinsic evidence helped tailor the scope of an investigation:

Example 1: In a domestic relations case, a concerned attorney contacted me because opposing counsel intended to print out and introduce as evidence certain photographs of pornography from husband’s laptop to support an argument that he was a “pornography addict” and, therefore, not fit to be a custodial parent. Under the particular facts as she described them to me, I recalled several cases where a spouse contemplating or after filing for marital dissolution had accused the other spouse of being a pornography addict, but had actually planted the evidence to frame the other spouse.[7]  I suggested to the attorney that she advise opposing counsel that she would be retaining a digital forensics expert to examine the files to determine their probable source and time of download, and to challenge the authenticity of printed photographs.  Opposing counsel conferred with the client, and the issue was immediately dropped.

Example 2: In one contraband case, where I was retained by defense counsel to conduct an examination at a law enforcement facility under the Adam Walsh Act protocols, I examined the arrest reports and noted that defendant claimed he had reported the finding of contraband (on a Web site) to the Federal Bureau of Investigation.  When I questioned defense counsel, I was told that claim didn’t pan out — namely, that call records from the relevant time turned up no evidence of such a call.  Nevertheless, based on this information, I presumed that the defendant, who lived in a rural part of the state, didn’t search for the FBI’s contact number in a phone book, but rather probably searched for it on the Internet.  Therefore, as my first task, I searched the media for —and found— evidence of an Internet search for the FBI office’s phone number, the date of which search occurred prior to the time frame for the call records that had been subpoenaed. This led to an amended subpoena to include the proper time frame, while I continued with the examination.  Nevertheless, a careful reading of the alleged interview statements [by defendant] strained credulity and, combined with my findings of the search, led me to develop a theory about why the defendant had done the Internet search, and whether he had placed such a call.

In the same case, two of the investigating officers and I engaged in some ongoing “shop talk.”  One of the officers revealed that he had met the adult girlfriend of the defendant, but that she presented as a prepubescent teenager.  Later, as I came across personal, unidentified photographs (of clothed persons), I was able to discern a disproportionately high number of photographs of the described woman.  Later, when I examined the alleged contraband, I was able to discern seeming similarities between the body habitus of a high number of particular photographs that were alleged to be contraband and the defendant’s girlfriend.  The photographs, taken as a whole, helped me to develop a probable profile of the defendant’s lifestyle, and correlative findings helped me to develop a theory regarding the presence of the alleged contraband, which theory I presented to defense counsel.  My exposition of that theory led to a more frank discussion between defense counsel and his client, which in turn led to a more expedient disposition of the case, ultimately saving both taxpayers and the defendant litigation expense.

Example 3: In another contraband case, I read carefully through the transcripts of both pre-Miranda and jailhouse interviews of the defendant. The defendant was located because of personal information found on media [containing the contraband] that was left in a public place. Many of the alleged statements of the defendant were inculpatory, which might have led a reasonable person to conclude his guilt.  Yet, he also offered information, little of which had been revealed to me by defense counsel,[8] claiming that he, in fact, had found the media in a public place. This information led me to search for any indicia that another party was responsible for the contraband, a search that I might not have undertaken but for the reports.

Example 4: In yet another contraband case, one of the arresting officers described the interior of the apartment searched, and his belief that the defendant was some kind of “computer tech.”  I found this corroborated in the record (discovery produced by the prosecution).  This information helped explain why the hard-drives of one computer were seemingly sterile of usual extraneous files (e.g., social media artifacts, temporary Internet files, e-mail, etc.), and that it was reserved solely for peer-to-peer file downloading and online gaming, whereas another machine (a laptop) was apparently reserved for e-mail and casual Internet browsing.  More importantly, this kind of information could tip off an examiner to be more wary of drive wiping utilities or data hiding.

The possible scenarios —corporate fraud, sexual harassment, embezzlement, etc.— where extrinsic evidence can help expand or limit the scope of an investigation are limitless. But inexperience and lack of discernment in considering such evidence is fraught with peril: any expansion of the scope of the investigation will be more costly, and if it is unauthorized, may be perceived a breach of loyalty to the client.  Likewise, allowing such evidence to improperly circumscribe the scope of the investigation, or to start with a conclusion and work one’s way backward, can lead to overlooking relevant and potentially probative evidence.

Furthermore, an examiner should be vigilant against extrinsic evidence suggested by others —particularly affiliated with the opposing party— that may be intended to distract or lead the examiner on a costly, and unproductive safari.  Similarly, I believe examiners should resist any undue influence by the retaining attorney with regard to what can or should be found,[9] although I acknowledge not everyone may share this view.[10]

Finally, I would advise against incorporating extrinsic evidence into the Report and Findings: Although this information may be discoverable or arise during cross-examination (and, for that reason, the examiner should make the retaining attorney aware of extrinsic evidence he or she may have considered),such evidence is usually not a basis for digital forensics findings, but rather, and as explained above, it is a means to help the examiner refine or interpret what was found (or not found) on the media, the subject of the investigation.


The author, Sean L. Harrington, is a law student and digital forensics examiner, information security professional, and e-discovery, trial, and litigation consultant with the Midwest private practice firm of Attorney Client Privilege, LLC (, and an information security risk management team lead for US Bank. Harrington holds the MCSE, CISSP, CHFI, CSOXP, and LexisNexis CaseMap support certifications.

[1] Bill Nelson et al., Guide to Computer Forensics and Investigations, 28 (4th ed., Kindle Edition, 2010).

[2] N.B., The Federal Rules of Civil Procedure exempt work product protection of communications between experts and the counsel in the following three situations: (1) communications pertaining to the expert’s compensation; (2) facts or data that the attorney provided and the expert considered in forming opinions; and (3) assumptions that the attorney provided and that the expert relied on. Fed. R. Civ. P. 26(b)(4)(C).

[3] 2009 U.S. Dist. LEXIS 121473, 2009 WL 5220643 (W.D. Pa. Dec. 31, 2009). See also United States v. Flyer, 633 F.3d 911, 915 (9th Cir. Ariz. 2011) (“r@ygold,” is a term commonly understood to refer to child pornography); United States v. Evans-Martinez, 530 F.3d 1164, 1166 (9th Cir., 2008) (same); United States v. Wilder, 526 F.3d 1, 4 (1st Cir., 2008) (in filenames, “pthc” is an abbreviation for “pre-teen hard core,” and “pedo” is short for “pedophile”)

[4] Nelson, et al., supra note 1 at 32.

[5] Daniel & Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom, 223-224 (Kindle Edition, 2012).

[6] Nelson, et al., supra note 1 at 586 (“Your attorney owes you a fair statement of the case or situation, adequate time to review evidence and prepare your report, and a reasonable opportunity to examine data, conduct testing, and investigate the matter before rendering an opinion. If the attorney wants you to render an opinion quickly and without adequate opportunity to review, be cautious. He might be trying to get you to commit based on inadequate information . . .”).

[7] See, e.g., Tauck v. Tauck, 2007 Conn. Super. LEXIS 2618 (Conn. Super. Ct. Sept. 21, 2007). And see State ex rel. C.H. v. S.P.H., 14 So. 3d 601, 607 (La.App. 2 Cir. 2009) (“More and more allegations of incest and [child] sexual abuse by husbands are being made by their wives during custody disputes. If the allegations are proven, the perpetrator, usually the husband/father, is excluded from contact with his children…. Child psychiatrists are frequently used by both sides to evaluate the child and make a determination about the authenticity of the charges…. A mistake might jeopardize a child’s future or destroy a man’s family life and career.”). (quoting Green, True and False Allegations of Sexual Abuse in Child Custody Disputes, Journal of the American Academy of Child Psychiatry, vol. 25, 449-456, at p. 449 (1986)).


[8] Sometimes, counsel may withhold opinions or information in order to protect the attorney work product privilege (See Note 2, supra), or to allow the examiner to independently arrive at his or her own findings.

[9] Daniel & Daniel, supra note 5, at 2482-2487 (“[T]he digital forensics examiner or expert is not an advocate. While he may not be neutral, he must remain independent  . . . no matter which side the examiner is working for, he must keep an unbiased stance that allows him to stick to the facts in a case and report those facts independently of the desires or goals of the advocates in the case. A digital forensics examiner is ethically bound to report the truth, even when that truth does not match the claims of the parties.”); Nelson et al., supra note 1, at 523 (“Your only agenda should be finding the truth, so don’t think in terms of catching somebody or proving something. It’s not your job to win the case. Don’t become an advocate . . . .”); Sharon D. Nelson & John W. Simek, Electronic Evidence: The Ten Commandments, Sensei Enterprises, Inc. (2003),  (“[G]ood experts are seekers of truth and will report their findings regardless of what those findings may be.”).

[10] See, e.g., Hutchinson v. People, 742 P.2d 875, 882 (Colo. 1987) (“As a practical matter, too, an expert hired by defense counsel is likely to feel a degree of loyalty to the defendant’s cause. We need not ascribe this fact to base motives on the part of the experts; indeed, the nature of the adversary process, the confidentiality surrounding legal representation and professional norms and ethics of particular experts all may foster this attitude of loyalty to the defendant.”); Christa L. Klopfenstein, Discoverability of Opinion Work Product Materials Provided to Testifying Experts, 32 IND. L. REV. 481, 503 (1999) (“Unlike other types of trial witnesses, experts are part of a party’s litigation team who, like the attorney, are employed expressly for the purpose of analyzing the strengths and weaknesses of a party’s case. . . . Experts are not impartial witnesses. Like attorneys, they are paid to advocate a point of view.”).

Rep. Mike Rogers (R-Mich.), the chair of the US House Intelligence Committee intends to reintroduce H.R. 3523, the Cyber Intelligence Sharing and Protection Act (“CISPA”), which would provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities. Although this initiative has apparently not yet been reported in the news, I was given the privilege to comment on and supply proposed language for the legislative drafts based on a request by the Representative’s office to a trade organization I belong to.

Also, Senators John D. (Jay) Rockefeller IV (Chair of the Senate Commerce, Science, and Transportation Committee), Tom Carper (Chair of the Senate Homeland Security and Governmental Affairs Committee), and Dianne Feinstein (Chair of the Senate Select Committee on Intelligence),  have introduced introduced a new Bill styled theCybersecurity and American Cyber Competitiveness Act 2013, “To secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses.” The press release is here, and the Bill is here.

Next Page »