Incorporating Extrinsic Evidence into the Digital Forensics Investigation
Sean L. Harrington†
“Your role as a computer forensics professional is to gather evidence from a suspect’s computer and determine whether the suspect committed a crime or violated a company policy.”
Do you agree with the foregoing statement? Perhaps it’s a little unfair to ask, because it is taken slightly out of context from the source,[1] but it is fair to say that many, if not most, believe that is the essence of what a digital forensics examiner does (or ought to be doing). Not that I disagree, as it is the quintessential substance of what we do — but I don’t believe it should be the sum. And so, one topic that I have found that receives little attention is the consideration of extrinsic evidence in digital forensics investigations.
Extrinsic evidence in legal parlance is “evidence outside the writings.” For purposes of this comment, it is evidence not found on the hard drive, mobile device, or media subject to forensic examination. Examples of extrinsic evidence include police reports, interview and interrogation reports, deposition transcripts, comments and opinions made by police or others close to the investigation, and statements made by retaining counsel.[2] Extrinsic evidence can even include information about the parties that is available on the Internet, social media, or news stories (although for reasons I explain below, I do not advocate that an examiner embark on an unauthorized safari for such information).
Extrinsic “evidence” directly relates to the case at hand, and is to be distinguished from external “information,” such as case law, facts capable of judicial notice, a learned treatise, or an examiner’s prior experience. Consider, for example, that a number of appellate decisions reveal file-naming conventions frequently used by those found with child pornography (“contraband”), as in United States v. Beatty:
[I]t does not necessarily follow as an inevitable corollary . . . that no file name can ever be regarded as a logical indication of the file’s salient features . . . one can also envision circumstances where the file name is so explicit and detailed in its description as to permit at least a reasonable inference as to what the actual file is likely to show. Many, if not most, of the files at issue here had titles that contained highly graphic references to specific sexual acts . . . Several of the files also reference terms such as “child_sex,” “pedofilia,” “illegal pedo sex,” “incest,” or “Lolita.” The unmistakable inference which arises from such highly descriptive file names, is that the content includes material pertaining to the sexual exploitation of children — i.e., evidence of criminal activity, if not outright contraband. Given the number of files in question and the pointed references in their titles to specific sexual acts involving young children — described in the most coarse and vulgar terms, this inference is a strong one.[3]
Just as external information is capable of providing invaluable insights, it is my experience that extrinsic evidence provides context and may even permissibly limit or broaden the scope of an investigation. And, although this topic hasn’t earned itself a chapter in any of the digital forensics books I’ve read, I found support for the notion in reading between the lines:
[I]dentifying case requirements involves determining the type of case you’re investigating . . . you should outline the case details systematically, including the nature of the case, the type of evidence available, and the location of the evidence.[4]
One of the greatest mistakes that can be made is to look at any digital evidence in isolation without properly considering all of the processes, inputs, and outputs that can impact the interpretation.[5]
Accordingly, I believe examiners should insist upon unfettered access not only to the media, but also to the court filings and related discovery (e.g., arrest reports, opposing party’s expert’s report, etc.).[6]
I have found that gathering and reviewing extrinsic evidence is a concept that roughly approximates so-called early case assessment (“ECA”) in the e-discovery world. One e-discovery solutions vendor, StoredIQ, explains that “using ECA, legal counsel can assess the merits of a dispute, formulate a legal strategy and make decisions concerning the matter before the costly process of taking the case to trial begins.” Another familiar vendor, Guidance Software, distinguishes its product on the basis of ECA by claiming that “other products . . . provide analysis and review only after completing collection and processing.”
Below I provide a few examples of how extrinsic evidence helped tailor the scope of an investigation:
Example 1: In a domestic relations case, a concerned attorney contacted me because opposing counsel intended to print out and introduce as evidence certain photographs of pornography from husband’s laptop to support an argument that he was a “pornography addict” and, therefore, not fit to be a custodial parent. Under the particular facts as she described them to me, I recalled several cases where a spouse contemplating or after filing for marital dissolution had accused the other spouse of being a pornography addict, but had actually planted the evidence to frame the other spouse.[7] I suggested to the attorney that she advise opposing counsel that she would be retaining a digital forensics expert to examine the files to determine their probable source and time of download, and to challenge the authenticity of printed photographs. Opposing counsel conferred with the client, and the issue was immediately dropped.
Example 2: In one contraband case, where I was retained by defense counsel to conduct an examination at a law enforcement facility under the Adam Walsh Act protocols, I examined the arrest reports and noted that the defendant claimed he had reported the finding of contraband (on a Web site) to the Federal Bureau of Investigation. When I questioned defense counsel, I was told that the claim didn’t pan out — namely, that call records from the relevant time turned up no evidence of such a call. Nevertheless, based on this information, I presumed that the defendant, who lived in a rural part of the state, didn’t search for the FBI’s contact number in a phone book, but rather probably searched for it on the Internet. Therefore, as my first task, I searched the media for — and found — evidence of an Internet search for the FBI office’s phone number, a search which occurred prior to the time frame for the call records that had been subpoenaed. This led to an amended subpoena to include the proper time frame, while I continued with the examination. Moreover, a careful reading of the alleged interview statements [by the defendant] strained credulity and, combined with my findings of the search, led me to develop a theory about why the defendant had done the Internet search, and whether he had placed such a call.
In the same case, two of the investigating officers and I engaged in some ongoing “shop talk.” One of the officers revealed that he had met the adult girlfriend of the defendant, but that she presented as a prepubescent teenager. Later, as I came across personal, unidentified photographs (of clothed persons), I was able to discern a disproportionately high number of photographs of the described woman. Later, when I examined the alleged contraband, I was able to discern seeming similarities between the body habitus of a high number of particular photographs that were alleged to be contraband and the defendant’s girlfriend. The photographs, taken as a whole, helped me to develop a probable profile of the defendant’s lifestyle, and correlative findings helped me to develop a theory regarding the presence of the alleged contraband, which theory I presented to defense counsel. My exposition of that theory led to a more frank discussion between defense counsel and his client, which in turn led to a more expedient disposition of the case, ultimately saving both taxpayers and the defendant litigation expense.
Example 3: In another contraband case, I read carefully through the transcripts of both pre-Miranda and jailhouse interviews of the defendant. The defendant was located because of personal information found on media [containing the contraband] that was left in a public place. Many of the alleged statements of the defendant were inculpatory, which might have led a reasonable person to conclude his guilt. Yet, he also offered information, little of which had been revealed to me by defense counsel,[8] claiming that he, in fact, had found the media in a public place. This information led me to search for any indicia that another party was responsible for the contraband, a search that I might not have undertaken but for the reports.
Example 4: In yet another contraband case, one of the arresting officers described the interior of the apartment searched, and his belief that the defendant was some kind of “computer tech.” I found this corroborated in the record (discovery produced by the prosecution). This information helped explain why the hard-drives of one computer were seemingly sterile of usual extraneous files (e.g., social media artifacts, temporary Internet files, e-mail, etc.), and that it was reserved solely for peer-to-peer file downloading and online gaming, whereas another machine (a laptop) was apparently reserved for e-mail and casual Internet browsing. More importantly, this kind of information could tip off an examiner to be more wary of drive wiping utilities or data hiding.
The possible scenarios — corporate fraud, sexual harassment, embezzlement, etc. — where extrinsic evidence can help expand or limit the scope of an investigation are limitless. But inexperience and lack of discernment in considering such evidence is fraught with peril: any expansion of the scope of the investigation will be more costly, and if it is unauthorized, may be perceived as a breach of loyalty to the client. Likewise, allowing such evidence to improperly circumscribe the scope of the investigation, or to start with a conclusion and work one’s way backward, can lead to overlooking relevant and potentially probative evidence.
Furthermore, an examiner should be vigilant against extrinsic evidence suggested by others — particularly those affiliated with the opposing party — that may be intended to distract or lead the examiner on a costly and unproductive safari. Similarly, I believe examiners should resist any undue influence by the retaining attorney with regard to what can or should be found,[9] although I acknowledge not everyone may share this view.[10]
Finally, I would advise against incorporating extrinsic evidence into the Report and Findings: although this information may be discoverable or arise during cross-examination (and, for that reason, the examiner should make the retaining attorney aware of extrinsic evidence he or she may have considered), such evidence is usually not a basis for digital forensics findings, but rather, as explained above, it is a means to help the examiner refine or interpret what was found (or not found) on the media that is the subject of the investigation.
† The author, Sean L. Harrington, is a law student and digital forensics examiner, information security professional, and e-discovery, trial, and litigation consultant with the Midwest private practice firm of Attorney Client Privilege, LLC (http://attyClientPriv.com), and an information security risk management team lead for US Bank. Harrington holds the MCSE, CISSP, CHFI, CSOXP, and LexisNexis CaseMap support certifications.
[1] Bill Nelson et al., Guide to Computer Forensics and Investigations, 28 (4th ed., Kindle Edition, 2010).
[2] N.B., The Federal Rules of Civil Procedure exempt work product protection of communications between experts and the counsel in the following three situations: (1) communications pertaining to the expert’s compensation; (2) facts or data that the attorney provided and the expert considered in forming opinions; and (3) assumptions that the attorney provided and that the expert relied on. Fed. R. Civ. P. 26(b)(4)(C).
[3] 2009 U.S. Dist. LEXIS 121473, 2009 WL 5220643 (W.D. Pa. Dec. 31, 2009). See also United States v. Flyer, 633 F.3d 911, 915 (9th Cir. Ariz. 2011) (“r@ygold” is a term commonly understood to refer to child pornography); United States v. Evans-Martinez, 530 F.3d 1164, 1166 (9th Cir. 2008) (same); United States v. Wilder, 526 F.3d 1, 4 (1st Cir. 2008) (in filenames, “pthc” is an abbreviation for “pre-teen hard core,” and “pedo” is short for “pedophile”).
[4] Nelson, et al., supra note 1 at 32.
[5] Daniel & Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom, 223-224 (Kindle Edition, 2012).
[6] Nelson, et al., supra note 1 at 586 (“Your attorney owes you a fair statement of the case or situation, adequate time to review evidence and prepare your report, and a reasonable opportunity to examine data, conduct testing, and investigate the matter before rendering an opinion. If the attorney wants you to render an opinion quickly and without adequate opportunity to review, be cautious. He might be trying to get you to commit based on inadequate information . . .”).
[7] See, e.g., Tauck v. Tauck, 2007 Conn. Super. LEXIS 2618 (Conn. Super. Ct. Sept. 21, 2007). And see State ex rel. C.H. v. S.P.H., 14 So. 3d 601, 607 (La.App. 2 Cir. 2009) (“More and more allegations of incest and [child] sexual abuse by husbands are being made by their wives during custody disputes. If the allegations are proven, the perpetrator, usually the husband/father, is excluded from contact with his children…. Child psychiatrists are frequently used by both sides to evaluate the child and make a determination about the authenticity of the charges…. A mistake might jeopardize a child’s future or destroy a man’s family life and career.”). (quoting Green, True and False Allegations of Sexual Abuse in Child Custody Disputes, Journal of the American Academy of Child Psychiatry, vol. 25, 449-456, at p. 449 (1986)).
[8] Sometimes, counsel may withhold opinions or information in order to protect the attorney work product privilege (See Note 2, supra), or to allow the examiner to independently arrive at his or her own findings.
[9] Daniel & Daniel, supra note 5, at 2482-2487 (“[T]he digital forensics examiner or expert is not an advocate. While he may not be neutral, he must remain independent . . . no matter which side the examiner is working for, he must keep an unbiased stance that allows him to stick to the facts in a case and report those facts independently of the desires or goals of the advocates in the case. A digital forensics examiner is ethically bound to report the truth, even when that truth does not match the claims of the parties.”); Nelson et al., supra note 1, at 523 (“Your only agenda should be finding the truth, so don’t think in terms of catching somebody or proving something. It’s not your job to win the case. Don’t become an advocate . . . .”); Sharon D. Nelson & John W. Simek, Electronic Evidence: The Ten Commandments, Sensei Enterprises, Inc. (2003), http://www.senseient.com/articles/pdf/article18.pdf (“[G]ood experts are seekers of truth and will report their findings regardless of what those findings may be.”).
[10] See, e.g., Hutchinson v. People, 742 P.2d 875, 882 (Colo. 1987) (“As a practical matter, too, an expert hired by defense counsel is likely to feel a degree of loyalty to the defendant’s cause. We need not ascribe this fact to base motives on the part of the experts; indeed, the nature of the adversary process, the confidentiality surrounding legal representation and professional norms and ethics of particular experts all may foster this attitude of loyalty to the defendant.”); Christa L. Klopfenstein, Discoverability of Opinion Work Product Materials Provided to Testifying Experts, 32 IND. L. REV. 481, 503 (1999) (“Unlike other types of trial witnesses, experts are part of a party’s litigation team who, like the attorney, are employed expressly for the purpose of analyzing the strengths and weaknesses of a party’s case. . . . Experts are not impartial witnesses. Like attorneys, they are paid to advocate a point of view.”).