U.S. v. MORGAN et al: KNOW WHAT YOU DON’T HAVE

[Editor’s Note: Tom O’Connor is an attorney, educator, and well-respected e-discovery and legal technology thought leader. A frequent lecturer on the subject of legal technology, Tom has been on the faculty of numerous national CLE providers and has taught college-level courses on legal technology. He has also written three books on legal technology and worked as a consultant or expert on computer forensics and electronic discovery in some of the most challenging, front-page cases in the U.S. Tom is the Director of the Gulf Coast Legal Technology Center in New Orleans, LA.]

If you were practicing in federal court before email, ECF filing, and in the days when Joe Montana threw to Jerry Rice, then you probably remember that discovery productions were typically hardcopy documents you picked up at the US Attorney’s Office. The volume was so small it easily fit into your briefcase. Those were the days when everyone complained about not getting enough discovery. The challenge was moving to compel for more discovery when you didn’t know what you didn’t have.

Joe Montana and Jerry Rice

Fast forward to the present. Tom Brady is throwing to Rob Gronkowski (again but in a different city) and discovery is typically so voluminous it cannot be provided in hardcopy form. Productions can be hundreds of gigabytes and sometimes dozens of terabytes full of investigative reports, search warrant pleadings, surveillance audio and video, cell phone data, cell tower material, years of bank records, GPS data, social media materials, and forensic images of servers, desktop computers, and mobile devices. Common are duplicate folders of discovery produced “in the abundance of caution” to protect the Government against Brady violations. Despite the volume, the same issue exists: How do you know what you don’t have?

Tom Brady and Rob Gronkowski

US v Morgan (Western District of New York, 1:18-CR-00108 EAW, decided Oct 8, 2020) is an example of diligent defense counsel challenging the government on how it produced terabytes of data.

Defendants Robert Morgan, Frank Giacobbe, Todd Morgan, and Michael Tremiti were accused by way of a 114-count Superseding Indictment of running an illegal financial scheme spanning over a decade. The government alleged they defrauded financial institutions and government sponsored enterprises Freddie Mac and Fannie Mae in connection with the financing of multi-family residential apartment properties that they owned or managed. There were also allegations of related insurance fraud schemes against several of the defendants.

The government made several productions which the defense contended were deficient (including the lack of metadata on numerous documents) and, in several cases, omitted key pieces of evidence. The defense enlisted the help of e-Discovery experts, who stated the government failed to properly process and load evidence into their database for production to defense counsel.

The issue was brought before the court in defense motions to compel and dismiss, first to the magistrate judge and then to the district court judge, which resulted in a critical analysis of the way the government handled the discovery.

CASE TIMELINE

The original status conference in the case was held on May 29, 2019. For the next year, a series of motions and hearings proceeded with regard to delays and failures on the part of the government to meet discovery deadlines imposed by the court.

An evidentiary hearing was finally held before district court Judge Elizabeth A. Wolford on July 14, 2020, continuing through the remainder of that week until July 17, 2020, and then resumed and concluded on July 22, 2020. There were multiple expert witnesses, and the review of that testimony is over 7 pages in the Opinion.

On September 10, 2020, oral argument on the motions to compel and dismiss was heard before Judge Wolford. The Court entered its Decision and Order on October 8, 2020.

There was no dispute that the discovery in this matter was not handled properly. In the second paragraph of the above cited Decision and Order, Judge Elizabeth A. Wolford states,

“The Court recognizes at the outset that the government has mishandled discovery in this case—that fact is self-evident and cannot be reasonably disputed. It is not clear whether the government’s missteps are due to insufficient resources dedicated to the case, a lack of experience or expertise, an apathetic approach to the prosecution of this case, or perhaps a combination of all of the above.”

Specifically, the government somehow failed to process and/or produce ESI from several devices seized pursuant to a search warrant executed in May 2018 and, in one case, a cell phone seems to have actually been lost. The court ultimately dismissed the case without prejudice. This gave the parties time to resolve the discovery issues. On March 4, 2021, a grand jury returned a new 104-count indictment.

More important for our purposes are the discussions regarding the ESI and production issues. They are outlined below.

PROJECT MANAGEMENT

The Court wasted no time in saying “It is evident that the government has demonstrated a disturbing inability to manage the massive discovery in this case, and despite repeated admonitions from both this Court and the Magistrate Judge, the government’s lackadaisical approach has manifested itself in repeated missed deadlines.”

And later, “To be clear, the Court does not believe the record supports a finding that any party acted in bad faith. Rather, the discovery in this case was significant, and the government failed to effectively manage that discovery. In the end, because of its own negligence, the government did not meet the discovery deadline set by the Magistrate Judge.”

COMPLEXITY OF LARGE AMOUNTS OF ESI

Judge Wolford made several references to the “massive discovery.” In an attempt to manage that data, the Magistrate Judge had initially directed the parties to draw up a document entitled “Data Delivery Standards” (hereinafter referred to as “the DPP”) which would control how documents were exchanged. It failed to do so for several reasons.

First was the large amount of data. Testimony by a defense expert witness at the evidentiary hearing of July 14, 2020, stated that “… the government’s Initial Production consisted of 1,450,837 documents, reflecting 882,841 emails and 567,996 other documents. Of those documents, 860,522 were missing DATE metadata, with over 430,000 documents reflecting no change in the DATE metadata field formatting after the DPP was agreed-upon. Once overlays were provided by the government, the DATE metadata field was corrected for almost one-third of the documents (primarily emails), but 590,448 documents still were missing DATE metadata, including 294,818 emails. Of those 294,818 emails, 169,287 had a misformatted DATE value and 125,531 had no DATE value. The Initial Production also contained missing values for the metadata fields of FILE EXTENSION, MD5 HASH, PATH, CUSTODIAN, MIME TYPE, and FILE SIZE— and the government overlays did not change the status of the information in any of those fields.”

Additionally, the USAO-WDNY’s processing tool was Nuix, while another entity, the Litigation Technology Support Center in Columbia, South Carolina, processed some of the hard drives using a different processing tool called Venio. Additionally, the Federal Housing Finance Agency (“FHFA”) processed the Laptop Production using a “much more robust” version of Nuix than the system possessed by the USAO-WDNY.

These differing versions led to different productions which had different values for the metadata fields. Standardization on one tool could have prevented much of this. But the Court also noted that “… the quality review conducted by the government was insufficient to catch these errors.”

Inconsistent directions were an ongoing issue. For example, the Court found that “… the government prosecutors expressly instructed Mr. Bowman not to produce CUSTODIAN information for the Laptop Production, even though the government had provided similar information previously.”

Other government errors included:

  1. It applied different processing software inconsistently to the PST or OST files, thereby missing some metadata and producing varying results.
  2. It misformatted the DATE metadata and failed to catch the errors while conducting a quality review.
  3. It failed to produce native files in “the format in which they are ordinarily used and maintained during the normal course of business[.]” It produced near native or derivative native files from the OST or PST files without corresponding metadata.
  4. In many instances, load files necessary to install the document productions in the defense review software platform were missing.
  5. There were ongoing errors with respect to CUSTODIAN metadata, which were the result of human error on the part of the government.
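A receiving party can run its own quality review on a load file before anything goes into the review platform. The script below is an added example, not taken from the opinion or from any party's tooling: it counts missing and misformatted values for the metadata fields named in the testimony. The Concordance-style delimiters, the BEGDOC identifier column, the MM/DD/YYYY date format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Metadata fields the hearing testimony listed as having missing values.
REQUIRED_FIELDS = ["DATE", "FILE EXTENSION", "MD5 HASH", "PATH",
                   "CUSTODIAN", "MIME TYPE", "FILE SIZE"]

# Assumptions (not from the opinion): Concordance-style delimiters, a BEGDOC
# identifier column, and an agreed DATE format of MM/DD/YYYY.
FIELD_SEP = "\x14"
QUOTE = "\u00fe"            # the "þ" text qualifier
ID_FIELD = "BEGDOC"
DATE_FORMAT = "%m/%d/%Y"

MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def well_formed(field, value, date_format):
    """Return True if a non-empty value has the shape expected for its field."""
    if field == "DATE":
        try:
            datetime.strptime(value, date_format)
        except ValueError:
            return False
        return True
    if field == "MD5 HASH":
        return MD5_RE.fullmatch(value) is not None
    if field == "FILE SIZE":
        return value.isdigit()
    return True


def audit_load_file(text, date_format=DATE_FORMAT):
    """Count missing and misformatted metadata values in a load file's text."""
    reader = csv.DictReader(io.StringIO(text, newline=""),
                            delimiter=FIELD_SEP, quotechar=QUOTE)
    header = reader.fieldnames or []
    # A column that is absent entirely is reported once, not once per row.
    absent = [f for f in REQUIRED_FIELDS if f not in header]
    present = [f for f in REQUIRED_FIELDS if f in header]
    report = {"total": 0, "absent_columns": absent, "missing": Counter(),
              "misformatted": Counter(), "flagged_ids": []}
    for row in reader:
        report["total"] += 1
        flagged = False
        for field in present:
            value = (row.get(field) or "").strip()
            if not value:
                report["missing"][field] += 1
                flagged = True
            elif not well_formed(field, value, date_format):
                report["misformatted"][field] += 1
                flagged = True
        if flagged:
            report["flagged_ids"].append((row.get(ID_FIELD) or "").strip())
    return report


def dat_line(values):
    """Build one load-file line with the assumed delimiters."""
    return FIELD_SEP.join(f"{QUOTE}{v}{QUOTE}" for v in values)


# Constructed sample rows: one clean record and three with the kinds of
# defects described in the testimony (missing or misformatted metadata).
SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"
SAMPLE_ROWS = [
    [ID_FIELD] + REQUIRED_FIELDS,
    ["DOC-0000001", "05/14/2018", "msg", SAMPLE_MD5, "Mailbox/Inbox",
     "Custodian A", "message/rfc822", "20480"],
    ["DOC-0000002", "2018-05-14", "msg", SAMPLE_MD5, "Mailbox/Sent",
     "", "message/rfc822", "1024"],
    ["DOC-0000003", "", "pdf", "", "",
     "Custodian B", "application/pdf", ""],
    ["DOC-0000004", "06/01/2018", "xlsx", "not-a-hash", "Shared/Finance",
     "Custodian A", "application/vnd.ms-excel", "512"],
]
SAMPLE_DAT = "\n".join(dat_line(r) for r in SAMPLE_ROWS) + "\n"

if __name__ == "__main__":
    result = audit_load_file(SAMPLE_DAT)
    print("documents:", result["total"])
    print("absent columns:", result["absent_columns"])
    for name in REQUIRED_FIELDS:
        print(f"{name}: missing={result['missing'][name]} "
              f"misformatted={result['misformatted'][name]}")
    print("flagged:", result["flagged_ids"])
```

Running the same audit on each production and on each overlay shows whether a correction actually changed the fields it was meant to fix.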

WHAT DOES THIS MEAN TO YOU?

As to what specific steps can be used to take control of cases with large amounts of ESI, the Court mentioned several.

  1. Use an exchange protocol. In civil cases, this document would arise from FRCP Rule 26(f), which mandates a “Meet & Confer” conference of the parties so that they might plan for discovery through the presentation of a specific plan to the Court. 

    In Morgan, this was the document entitled the DPP. In criminal cases going forward, the new Federal Rule of Criminal Procedure 16.1 will address some of these concerns. Drawn up specifically as a response to deal with the manner and timing of the production of voluminous Electronically Stored Information (ESI) in complex cases, Subsection (a) requires the prosecution and defense counsel to confer “[n]o later than 14 days after the arraignment…to try to agree on a timetable and procedures for pretrial disclosure under Rule 16.1.” Subsection (b) authorizes the parties, separately or together, to “ask the court to determine or modify the time, place, manner or other aspects of disclosure to facilitate preparation for trial.”

  2. Standardize the use of technology. As Judge Wolford said, “In sum, the Court believes that it would have been much more prudent if the government, after reaching agreement with the defense about the DPP, had utilized a competent vendor to process the ESI (and all the previously produced ESI) in the same manner with the same settings and utilizing the same tools.”

  3. Get a data manager. A common saying in IT circles is that “someone needs to own the data.” In this case, where the Government used multiple parties who employed different tools to work with the data, nobody owned the data. This lack of a central manager “… led to electronic productions being produced in an inconsistent manner and, in some instances, in violation of the DPP.”

  4. Get an expert. After hearing multiple experts testify for several days on what had transpired with the ESI, the Court noted, “… electronic discovery is a complicated and very technical subject. As a result, facts can be easily spun in a light most favorable to one party’s position or the other. That occurred here on behalf of all parties.”

    Nonetheless, the experts were able to bring clarification to the issues of “missing” metadata and divergent processing results that had beleaguered the parties and the Court. This field, especially with large amounts of ESI, is a classic example of the old maxim, “do not try this at home.” Get an expert.

  5. Use a review tool. ESI in these large amounts simply cannot be reviewed manually. Both parties here recognized that fact and, as the Court noted several times, most of the errors in the case were not due to software but what we nerds call the “loose nut on the keyboard” syndrome.

    Get review software. Get trained on it. Use it. One admonition I always make, which could have avoided many delays in this matter, is: do not try to load everything at once into your review platform. Start with a small amount of sample data to be sure you are getting what you need. Which leads to our last takeaway.

  6. Talk with the government. Judge Wolford specifically noted that “… the Court also concludes that Defendants and the government were not always communicating effectively regarding electronic discovery.” For example, none of the parties could recall “… any discussions during those negotiations about the processing tools that would be utilized or the type of native file that would be analyzed for purposes of creating a load file.”

CONCLUSION

The Morgan case illustrates there are ways to learn about what you don’t have so you can bring it to the government’s attention and, if need be, to the Court. It is also an example of a Court being knowledgeable about ESI productions. The Court noted often and in different ways that “… electronic discovery is challenging even under the best of circumstances. In other words, the facts and circumstances cannot be appropriately evaluated without considering the volume of discovery and the enormous efforts needed to manage an electronic production of this nature.”

Find an expert who understands your needs and has effective communication skills to convey complex technical issues to you, the government, and the Court. For many years, Magistrate Judge Andrew Peck (SDNY, Retired) advocated “Bring-Your-Geek-To-Court Day,” in which parties bring an outside consultant or an in-house IT person to address disputes. If you were to remember only one thing from this case, it should be: Go get a geek.

Tom O’Connor
Director
Gulf Coast Legal Tech Center
toconnor@gulfltc.org
www.gulfltc.org 
Blog: https://technogumbo.wordpress.com/
Twitter: @gulfltc

Inside The Black Box: Excluding Evidence Generated by Algorithms

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Introduction:

For many years, law enforcement officers have used records generated by mobile carriers to place a mobile device in a general area. The records are called Call Detail Records (“CDRs”). CDRs are generated when a mobile device sends or receives calls and text messages. Mobile carriers likewise keep records of when data is used, such as browsing the internet. These records are called Usage Detail Records (“UDRs”). At times, the records generated by mobile carriers include the location of the cell site or cell sites and the direction of antenna that connected with the mobile device.

Cell Site Location Information (“CSLI”) is the practice of creating maps showing the possible coverage area of a cell site at the time a device was being used. For these purposes, it is important to keep in mind that the records only show the location of the cell site and the direction the antenna is facing. Recent technological improvements have resulted in mobile carriers now generating Enhanced Location Records (“ELRs”), which purport to show more precise location data. In AT&T parlance, such records are based on the Network Event Location System (“NELOS”). This location data is derived from proprietary algorithms.

In a recent federal case, the government, through a member of the Federal Bureau of Investigation’s (“FBI”) Cellular Analysis Survey Team (“CAST”), sought to introduce NELOS records in a trial. However, after a Daubert hearing where the CAST agent testified, the district court excluded the records, in part, because of concerns over the reliability of the algorithms used to determine the location data.

This article provides an overview of CSLI and NELOS records, discusses the order excluding NELOS records from trial, and provides practical advice for practitioners.

Overview:

When CDRs include cell site location data, analysts and law enforcement officers use these records to show the location of the cell site and the orientation of the sector. In North America, many cell towers contain three sets of antennas, with each set offering specific coverage area.

Picture 1

To illustrate this point, Picture 1 is an overview picture of a multi-directional cell tower. Each blue arm is a sector. When a mobile device connects to a cell site, the mobile carrier often records the activity (i.e., a sent text message), the time of the activity, and the location of the cell site and sector that was used.

Using these three data points, analysts and law enforcement officers create maps showing the location of the cell site and the orientation of the sector. In Map 1, the arms are used to demonstrate the beamwidth of the sector, which in this case records indicate is 120-degrees. The cone at the base of the triangle is only meant to show the orientation of the sector, not coverage area. Moreover, analysts generally will not testify that the mobile device was within the triangle. The triangle is only meant to represent the location of the cell site and the orientation of the sector.

Map 1

With NELOS records, on the other hand, the ELRs purport to show the location of a device as opposed to the location of the cell site. In the following example, the red pin represents the location of the device. The blue circle represents what AT&T calls the “Location Accuracy.” This accuracy ranges from approximately several meters to 10,000 meters. And some records are marked by “location accuracy unknown.” As discussed below, the Location Accuracy is determined by proprietary algorithms used by AT&T.

Map 2

In Map 2, the ELR indicates that the “[l]ocation accuracy [is] likely better than 300 meters.” In other words, the phone was at the red pin or within the blue circle at a specific date and time. NELOS records, however, contain the following statement: “The results provided are AT&T’s best estimate of the location of the target phone. Please exercise caution in using these records for investigative purposes, as location data is sourced from various databases, which may cause the location results to be less than exact.” DE 156 at 23 (emphasis added).

To put the first two examples into perspective, Map 3 shows both traditional CSLI and the use of NELOS records.

Map 3

The NELOS demonstrative, even taking account of the “Location Accuracy,” still provides a much smaller, and thus more specific, area of where the phone activity took place.

United States v. Smith, et al. (4:19-CR-514-DPM) (EDAR):

Donald Smith and Samuel Sherman were charged in a five-count indictment with various crimes relating to a murder. See Docket Entry (“DE”) 1. The government sought to introduce the testimony of CAST Agent Mark Sedwick “that provider-based location data typically is collected by obtaining historical call detail records for a particular cellular telephone from the service provider, along with a listing of the cell tower locations for that service provider.” DE 102 at 1. According to the government, “[t]his data is then analyzed for the purpose of generally placing a cellular telephone at or near an approximate location or locations on a map at points in time.” Id.

The government sought to have Agent Sedwick testify “regarding the activity and approximate locations of the cellular telephones believed to have been utilized by Donald Bill Smith, Samuel Sherman, Racheal Cooper and Susan Cooper on the approximate dates and times relevant to the charges in the Indictment.” Id. at 1-2. Attached to the government’s motion is the report created by Agent Sedwick. Maps 4 and 5 are examples from Agent Sedwick’s report. Map 4 shows how Agent Sedwick mapped traditional CSLI, and Map 5 shows how he mapped the same time period using NELOS records:

 

Map 4
Map 5

Map 4 shows traditional CSLI mapping with the location of the cell site and the orientation of the sector. With Map 5, each circle represents the area in which the device was used. Here, there are four such events. For comparison, in Map 4, Agent Sedwick’s opinion is limited to testifying about the location of the cell site and the orientation of the sector, whereas with Map 5, the testimony is the mobile device is within the circle.

Prior to trial, defense counsel challenged Agent Sedwick’s potential testimony and the district court conducted a hearing to determine the admissibility of the records pursuant to Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 US 579 (1993). During the hearing, Agent Sedwick explained the reason AT&T created NELOS was to “test the health of the 3G network for planning and troubleshooting. It is a passive system where, while the phone is on the control channel communicating with the network across the control channel, it would passively pull whatever location data it could pull or data to compute location from that device.” DE 156 at 8.

Agent Sedwick further explained: “NELOS also became the generic term for any kind of location data. So depending, there might be other databases that were also pulled into the NELOS report that we receive from AT&T. Just from that report there’s no way to determine what other databases that was pulled from.” DE 156 at 9.

Agent Sedwick also provided information about known issues with NELOS data, specifically based on Temporary Mobile Subscriber Identity (“TMSI”). By way of background, mobile devices are assigned an International Mobile Subscriber Identity (“IMSI”), a unique number used by mobile carriers, which establishes that the mobile device can operate on a specific network. This is the number used by mobile carriers when creating CDRs. At times, however, in order to mask a device’s actual IMSI, networks assign the device a TMSI.[1] This is problematic for NELOS records because as Agent Sedwick explained, “[t]hat TMSI sometimes can get reallocated and then allocated back to a device, so you can have sometimes where the NELOS data will pull from a different device and get put into the records for the device that you’re requesting.” DE 156 at 10.

During cross-examination, Agent Sedwick was questioned about the portion of NELOS records that “caution in using these records for investigative purposes.” Agent Sedwick responded: “I wouldn’t rely on it if all I had was a NELOS point putting someone at a scene and that’s all I had, no, I would not use it. I’m using it—there is a caution with it, but I’m using it in the context of I have call and text to support it, I have other data to support, I have very good precise NELOS data. I feel very, very confident that this is accurate.” DE 156 at 24.

Agent Sedwick’s confidence in the accuracy of NELOS records was based on the proprietary algorithms created by the phone company. See DE 156 at 12 (“Question: Okay. So the device is sending various different events, they’re plugged into that algorithm, and essentially the algorithm will spit out what it computes as accuracy; is that correct? Answer: Yes, ma’am”). But Agent Sedwick acknowledged that he was not privy to the algorithm, nor whether NELOS was tested by AT&T for reliability. Instead, Agent Sedwick testified he believed the algorithms are reliable “[b]ecause AT&T relies on that to make multi-million-dollar decisions on how they’re going to design their network.” DE 156 at 32.

In granting the defense’s motion to exclude NELOS data, the district court found:

What particularly concerns me, though, is this mystery algorithm that our—and the proprietary software. We don’t know, I don’t know exactly what is in the algorithm, and the agent gave some testimony at a general level about the kind of information that goes in, but it seems to me that I’m missing a—an important foundational stone there of something with more specificity as to the kinds of things that the algorithm uses and how the algorithm does its work.

We know that there are disturbances from time to time, or anomalies as was called, with the TMSI number. I also—I acknowledge some uncertainty about TMSI numbers and how many devices that might be connected with and how it is that the algorithm might deal with that. So there’s that. Then there is, in my view, almost a—so we’ve got our black box there, which is concerning, and I would say at this point there’s a peer review problem, as well, because I don’t have any scholarly literature or evaluation of the black boxes or the kind of things that could go into this black box and how it would work.

I understand about the corroboration, but I still find myself at sea of understanding how it is the—how things happen in the black box and whether—whether what comes out of the black box is sufficiently reliable that the jury can rely on it.

DE 156 at 85-87 (emphasis added).

Based on this, the district court entered the following order: “Agent Sedwick may testify about call detail records and historical cell-site analysis; but he may not testify about NELOS data and analysis.” DE 154.

Further Consideration:

The district court’s exclusion of NELOS records was based, in part, on the use of data generated by untested algorithms. Other mobile carriers also use ELRs, which generate purported location data that are also based on proprietary algorithms similar to NELOS. In seeking to exclude ELRs, as well as other forms of computer-generated data, counsel should encourage courts to question the reliability of evidence created by algorithms that lack independent validation and verification.

Glossary:

Acronym: Full Title
CAST: Cellular Analysis Survey Team
CDR: Call Detail Records
CSLI: Cell Site Location Information
ELR: Enhanced Location Records
IMSI: International Mobile Subscriber Identity
NELOS: Network Event Location System
TMSI: Temporary Mobile Subscriber Identity
UDR: Usage Detail Records

[1] As explained by EFF, “upon first connecting to a network, the network will ask for your IMSI to identify you, and then will assign you a TMSI … to use while on their network. The purpose of the pseudonymous TMSI is to try and make it difficult for anyone eavesdropping on the network to associate data sent over the network with your phone.” See https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks.

Microsoft Excel Tips & Tricks for CJA Cases: Filename Lists

By Alex Roberts

This post is part of an ongoing series of videos on how Microsoft Excel can help CJA practitioners (including attorneys, paralegals, investigators, and mitigation specialists) in their CJA cases.

Today’s Post: Filename Lists

When working with discovery, investigative documents, or other case-related materials, it is often helpful to have a list of filenames in an Excel table.

There are times when the government produces to defense counsel digital files where the name of the file indicates something about the file content without a user having to open each file individually.

For example, the government may produce a list of investigative reports in PDF format which, as part of the file name, has the date of the report, the type of report (e.g. FBI 302) and the author. In those instances, it can be beneficial to create a spreadsheet of the filenames and information about the files for later review and organization. Even in instances where the filename is only the Bates number of the file, it can be useful to have a spreadsheet of those numbers.

Microsoft Excel is a useful tool for generating such a filename list. When properly set up, Excel allows users to sort, filter and search for specific files based on different criteria. Fields can be created and associated such as comments, document type, review status, dates and related issues. Additionally, hyperlinks to a specific file or folder can be created for quick and easy access to an item. We will examine these functions in greater detail in future videos.

This video will demonstrate how lists can quickly be created and recommendations to follow when setting up a file list. The video looks at three methods for creating filename lists:

  • Method 1: Creating a query table by running the “Get Folder Data” process that is currently available in the newer “Office 365” version of Excel.
  • Method 2: Using the “Copy Path” process available in Windows File Explorer.
  • Method 3: Using a “File List Program” specifically designed for creating a list of files in Excel format (ex: Directory List and Print).

E-Discovery: Computer Forensic Images and Computer Forensic Reports

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

CJA panel attorneys frequently ask me for strategies for how to manage and review computer forensic images they receive in discovery. It is a great question. Forensic images are often difficult for CJA panel attorneys to access, and they can contain an immense amount of information (often much more than the rest of the discovery production). Even without opening the images, attorneys already know that a lot of the information in them is irrelevant. But they also know that the forensic image often holds crucial information they need in order to prepare their client’s defense.

Short technical background:

There are two ways data from a computer is provided in discovery:

  1. Duplicates, which refers to “an accurate and complete reproduction of all data objects independent of the physical media”; or
  2. Forensic Images, which refers to “a bit stream copy of the available data” (see SWGDE Digital & Multimedia Evidence Glossary, June 2016).

Usually the government provides forensic images. The forensic image is created using specialized software such as opentext EnCase or AccessData Forensic Toolkit (FTK). These forensic images cannot be opened without specialized software. Although there are free viewer programs, such as AccessData’s FTK Imager, which enable users to review the contents of forensic images, the process can be time-consuming and difficult.

Computer Forensic Reports

Isn’t there a better way? Yes, there is. Computer Forensic Reports (there are caveats). But first, why are they important and relevant to you?

Besides the forensic image that the government provides you, they may also provide you something called a Forensic Report (or forensic program generated report). Two common examples for computers will be an EnCase Report or an FTK Report. These reports, generated through the forensic software program, can allow you to see and review the information extracted from the image in a more user-friendly way. This can frequently mean you won’t need to use a forensic image viewer or a computer expert to assist you.

FTK HTML Report

Now these computer forensic reports are not the same as a law enforcement report written by an agent discussing what information was on a computer and describing the evidence they think may be relevant to the criminal investigation. These forensic reports are generated through the forensic tool that was used to examine the data found on the device.

So, the first thing you should do when the government provides a forensic image to you is to ask the government if they have a forensic report as well and request a copy.

Forensic reports are useful because they can make it much easier for a legal professional to review data extracted from the device without having to use a forensic tool. Since most forensic examiners work with law enforcement, they typically create these reports for case agents and prosecutors. The information in the report can include information about documents, images, emails, and web browsing history. These reports often show both the content of a file as well as the metadata (such as the date the document was created). These reports are limited to the data extracted from the original device, the parameters of the forensic program, and the choices made by the forensic examiner.

The forensic reports can be provided in several formats, including PDF, Excel and HTML. Many forensic tools also include a reader or viewer program that is proprietary to the forensic tool; Magnet’s AXIOM Portable Case, OpenText’s EnCase and AccessData’s FTK all have reader or viewer programs. Forensic reports opened in these viewer programs allow legal professionals to search, review, sort and filter information in ways that can be superior to reviewing the reports in PDF, HTML or Excel formats.

Axiom Portable Case

These reports are valuable and frequently provide most of the information that a legal team will need to understand the contents of a forensic image. It should be noted that forensic reports may not contain all data that was on the original digital device.  Therefore, counsel should consider engaging a forensic expert or consultant when he or she does not understand the forensic report or image.

[NOTE: Law enforcement will frequently generate a forensic report after completing an extraction from a mobile device. A common forensic report seen in federal criminal cases is a Cellebrite Reader Report. See the Mobile Forensic Reports post for more details.]

Dealing with Encrypted Discovery

Whether it is on media (CD Rom, USB drive, or hard drive) or through the internet (email or USAfx) it is becoming common practice that discovery files will be “encrypted.” Encryption adds a layer of protection by scrambling the data, so files cannot be seen unless a digital “key” (password) is provided. The goal is to protect the data while it is being shipped in case it is lost or stolen.

“Decryption” is the process of unscrambling an encrypted file so it is readable. The first step you should take when you receive encrypted files is to create a decrypted copy of the files. Unlike the encrypted files, the decrypted copies will allow you to search, review and work with them on your computer, and you will not need to enter a password each time you open them.

When receiving encrypted case related materials:

  1. Look for cover letters and associated correspondence that mention password protection or encryption. Often the sender will tell you that the files are encrypted and provide instructions on how to obtain the key (password). If the media contains encrypted files you cannot work with them unless you have that password.
  2. Use a Windows computer. Most decryption programs included on the media are designed to work with Windows computers.  Sometimes decryption can be done on Mac computers, but often it requires additional software not included with the media.
  3. Insert the media and look for either a “password” prompt or a decryption program. Certain encryption programs (like Microsoft “BitLocker”) will automatically prompt for a password when the media is inserted. Other times the media will include Windows-based software programs that need to be run.
  4. Create decrypted copies of the files. When you open a file that is encrypted a computer will typically only temporarily decrypt it.  The file may be in a “read-only” mode that will not work well with most software programs and will continue to need a password when reopening.  Making a decrypted copy of the file will allow it to be correctly recognized by the programs on your computer and will no longer need a password when opening the copy.

McAfee Removable Media Protection

“McAfee Removable Media Protection” is a common encryption program used by U.S. Attorney’s Offices when delivering discovery on thumb drives and CD/DVD discs. The media usually includes an executable file that, when run, will allow users to make decrypted copies of the files. To create decrypted copies:

  • Create a destination. Open File Explorer (the file browser on your computer) and navigate to a destination on your computer (or external drive) with enough room to hold a copy of the files. Create a folder that will keep the decrypted copy of the files.
  • Open McAfee. Insert the media and look for a McAfee program executable file (the file is usually called “MfeEERM” and will have the “.exe” extension).
  • Run the executable and look for a dialog window prompting for a password.  Enter the password and click “OK”.
  • Copy the files or folders. From within McAfee:
    1. Select the “Top Level” folder from the left-hand navigation pane.
    2. From the main window (on the right side), select all the files and folders listed, right-click on them and choose “Copy”.
  • Paste the copies into the destination. Switch back to File Explorer. Right-click on an empty space within the destination location and choose “Paste”. For larger sets of data (over 10,000 files/folders), try dividing the copy process into smaller batches of about 1,000 files / folders each. Verify the copied files can be opened by closing McAfee and opening a few of the copied files.
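Opening a few files confirms the copy is readable, but after a batched copy it does not show whether a batch was skipped or a file was cut short. The following Python script is an added example, not part of the original post or of any vendor tool: it compares the decrypted copy against the unlocked source, assuming the unlocked media can be browsed as an ordinary drive or folder (as after a BitLocker password prompt). All function names, folder names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large discovery files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return ({relative path: (size, sha256)}, {path: error}) for every file under root."""
    root = Path(root)
    manifest, errors = {}, {}

    def note_walk_error(exc):
        # A folder that cannot be listed is recorded instead of silently skipped.
        errors[str(exc.filename)] = str(exc)

    for dirpath, _dirs, files in os.walk(root, onerror=note_walk_error):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            try:
                manifest[rel] = (full.stat().st_size, sha256_file(full))
            except OSError as exc:
                errors[rel] = str(exc)
    return manifest, errors


def compare_manifests(source, copy):
    """List files the copy lacks, files that differ, extras, and zero-byte copies."""
    shared = set(source) & set(copy)
    return {
        "missing": sorted(set(source) - set(copy)),
        "extra": sorted(set(copy) - set(source)),
        "mismatched": sorted(p for p in shared if source[p] != copy[p]),
        # Zero-byte in the copy while the source is non-empty (or absent).
        "empty_in_copy": sorted(
            p for p, (size, _digest) in copy.items()
            if size == 0 and source.get(p, (None,))[0] != 0
        ),
    }


def format_manifest(manifest):
    """Render 'sha256  path' lines that can be saved with the case file as a baseline."""
    return [f"{digest}  {rel}" for rel, (_size, digest) in sorted(manifest.items())]


def demo():
    """Constructed sample: one batch was skipped and one file was truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "unlocked_media"), Path(tmp, "decrypted_copy")
        files = {
            "reports/302_interview.pdf": b"%PDF-1.4 constructed sample",
            "bank/2019_statements.xlsx": b"constructed spreadsheet bytes",
            "audio/call_0001.wav": b"RIFF constructed audio",
        }
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)

        # The copy: one good file, one truncated to zero bytes, audio never copied.
        good = dst / "reports/302_interview.pdf"
        good.parent.mkdir(parents=True)
        good.write_bytes(files["reports/302_interview.pdf"])
        truncated = dst / "bank/2019_statements.xlsx"
        truncated.parent.mkdir(parents=True)
        truncated.write_bytes(b"")

        source_manifest, _ = build_manifest(src)
        copy_manifest, _ = build_manifest(dst)
        return compare_manifests(source_manifest, copy_manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

When the source can only be reached through a vendor viewer window, running `build_manifest` on the decrypted copy alone still gives a hash baseline for checking later working copies.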


Box.com Features

Box.com is a cloud-based repository that allows users to store, access, share and transfer electronic files. It also has features that allow for collaboration on the drafting of documents. We will touch on some of the key features here and more detailed information about each feature will be provided in future blog posts. Users can easily access files from different devices (such as computers, tablets and smartphones) anywhere they can connect to the internet. This allows federal defender offices and CJA panel attorneys to share discovery and work product easily and efficiently in a secure environment. With the national contract the National Litigation Support Team (NLST) has with Box.com, the security features emulate those of USAfx, the DOJ’s re-branded version of Box.com they use to disseminate discovery in many districts. If you are interested in using Box.com for one of your cases or have questions about its utility, please contact Kalei Achiu with the NLST at Sammy Lopez or 510-250-6310.

Box Drive, otherwise known as “Desktop, meets cloud”, allows users to access Box content from their desktop. Unlike Box Sync, Drive brings the entire universe of Box.com files to the desktop without taking up too much space on a hard drive since files are stored in the cloud instead of locally on a computer. However, it does not support offline access to content. Users will need an internet connection to access files. Box Drive can be easily accessed on a user’s desktop from Windows Explorer (Finder on a Mac) or the Windows System Tray (System Notification on a Mac). Documents can be created and/or edited from the desktop and changes will automatically be saved back to Box.com. Drive also gives users the option to “lock” shared files to keep other collaborators from overwriting edits.  Learn more about Box Drive and download it here:  https://www.box.com/resources/downloads/drive.

Box Sync allows users to mirror data stored on Box.com on their desktops or laptops. Unlike Box Drive, users do not need an internet connection to access files once they are downloaded. Box Sync allows users to choose which files to sync so you don’t have to sync an entire folder. If any changes or edits are made, they will be synced back to Box.com the next time you connect to the internet. Box Sync allows the user syncing documents to choose the location where the synced folder resides. By default, synced folders live on the user’s local C: drive. However, during the initial setup, the location can be changed to a shared network drive so that all those with access to that shared network drive can then access the synced folder.  Learn more about Box Sync and download it here:  https://community.box.com/t5/Using-Box-Sync/Installing-Box-Sync/ta-p/85.

Box Edit is a feature that makes collaboration even easier by allowing users to edit files directly from Box.com. Users no longer have to download a file, make their changes and then upload it back to Box with a different name. Box Edit works with many programs including Word, Excel, PowerPoint and Adobe Acrobat. Once Box Edit is installed on a computer that also has the program in which the file was originally created, users can access the file in Box, which will then launch the document in the original program. Revisions are made in the original program, and the updated file is automatically saved directly back to Box because of the integration. Box Edit will track the version history of the documents so users don’t have to worry about saving files as different versions. Older versions of the documents can be accessed in the version history on Box. Box Edit also allows users to create new documents directly on Box. Users must select “New” and choose the type of document they want to create. Once created, it is available to any collaborator with access to that folder for editing.  Learn more about Box Edit and download it here:  https://app.box.com/services/box_edit.

Box Notes is an easy to use tool that works on Box.com or as a separate “add-on” for your desktop. Box Notes allows users to quickly take notes, share ideas and collaborate with others. The live editing and collaboration feature allows everyone to see the same note and make changes or suggestions in real time. Users can see a list of all existing notes on Box and their associated folders as well as the last collaborator to update the note. The Box Notes desktop application is a separate add-on feature, but works the same way as Box Notes in your web browser. Once Notes is installed on the computer, a shortcut icon is created on the desktop. It can also be accessed from the list of programs installed on the computer. Users can edit and collaborate on notes as they would on Box.com. Any edits or changes made on the desktop application are available to collaborators in real time on Box.com.  Learn more about Box Notes and download it here:  https://www.box.com/notes.

Box.com FAQ’s

To assist federal defender offices and CJA panel attorneys who need to share and transfer e-discovery in their cases, the National Litigation Support Team (NLST) has obtained (“cloud”) space from Box.com for the short-term storage and transfer of data.

Details

Box.com is a simple cloud-based collaboration program that allows users to store, access, share, and transfer electronic files and documents.  The service encrypts all data and has additional security features.  Users can store an unlimited number of files, for their own use or to share with others, without having to use remote access to office computers. Defense teams can use different devices (such as computers, tablets, or smartphones) to access case data anywhere they can connect to the internet.  This allows CJA panel attorneys to share discovery and work product easily and efficiently in a secure environment.

Box.com is being used by the Department of Justice (DOJ) as their cloud service to distribute e-discovery to the defense. DOJ evaluated it against other similar products and concluded it best met their security standards.

Box.com is committed to ensuring that your data will remain as secure as possible, and providing strong customer support. They have worked closely with the NLST in designing a cloud service that effectively addresses CJA counsels’ growing problem of moving and sharing large volumes of data. The NLST will work directly with each defense team to set up their cloud case folders, and to provide ongoing support of their use of Box.com.

The NLST will manage:

  1. creating case folders to hold electronic information on a case in the cloud,
  2. inviting team members (“collaborators”) to help them get access to the cloud data, and,
  3. granting rights of different team members to get into specific folders.

Because cloud contracts like this store case information on servers owned by Box.com, attorneys remain ultimately responsible for the use of this service. Before using it, CJA members should review their local bar opinions regarding the use of cloud computing and storage.

Once approved, the NLST will send you a form asking for the case details, including who will serve as the “point of contact” for each defense team and who on the team should be given access to which files stored on the cloud. Note that additional team members can be added later. The NLST will set up a short session to show all those who will use this cloud service how to navigate the system, and how to upload and download data. The NLST will be the team’s first point of contact if there are any questions about using Box.com, technical questions, or any concerns regarding using this cloud-based case information repository.

Please note that Box.com does not offer advanced e-discovery features found in online document review programs such as Relativity, Summation, or Catalyst. It does not have a database and other advanced tools for organizing, reviewing, and analyzing e-discovery. Rather, its purpose is for short-term storage and transfer of information in the “cloud.”

When the case has concluded, (or sooner if counsel no longer needs this service), the CJA lawyer must delete all case materials from Box.com. The NLST will help ensure the case files are deleted, and the case is properly closed. Counsel should always maintain a copy of all files on their office computer system (besides the information stored in the cloud), as only duplicate files should be stored on Box.com.

Below are some answers to Frequently Asked Questions (FAQ’s) in regards to this service:

What is the difference between Box.com and Dropbox?

Box.com and Dropbox are both cloud based repositories. The Department of Justice is using Box.com, renamed USAfx, to distribute discovery to defense counsel in many districts. Since the DOJ has approved of the security protocols of Box.com, we felt that it would be helpful to make Box.com available to federal defender offices and CJA panel attorneys on a national level. For that reason, the National Litigation Support Team (NLST) has a national contract with Box.com and not with DropBox. The NLST assists in creating and managing case folders on Box.com for the sharing of work product and discovery but we do not support the use of DropBox in any way.

Since USAfx is just Box.com rebranded, can I use my USAfx user ID to log in to a case folder that I have asked the NLST to create on Box.com?

Unfortunately, no. Your user ID and password for USAfx is unique to USAfx and will only work on USAfx. You will need to set up a regular Box.com account and use that user ID and password to access any case folder created by the NLST.

How do I request a new case folder to be set up?

If you think your case would benefit from having a case folder set up on Box.com, please contact the NLST (Sammy Lopez or Alex Roberts). Once it has been decided that Box.com is the way to go, fill out a request form at: http://survey.fd.org/TakeSurvey.aspx?SurveyID=boxrequest. You will be notified once your case folder is ready to be used.

What is a collaborator?

Every person invited to work within a folder on Box.com is known as a collaborator. Each collaborator needs to have their own Box.com account and needs to be invited to the folder by the NLST.  If you receive an invitation to collaborate on a folder and you don’t have a Box.com account yet, you will first need to set one up.

Can I invite other users to collaborate on a case folder myself?

Only the NLST can invite collaborators to a folder to ensure that only those who should have access to a folder are granted access.

We have an expert on our case. Can we give them access to just a specific folder under our case folder on Box.com?

Box.com works well for sharing a subset of information with an expert. Each sub-folder can have a different set of collaborators so you can set up a folder that only you and your expert can access.

Can access to a folder be limited to “read only” for certain users?

Each person invited to collaborate on a folder can be set up with their own unique permission level. The permission level options for Box collaborators are:
Box.com Permission Levels

How do I set up a Box.com account?

To set up a free, personal Box.com account, which is all you need to access any case folder created by the NLST, simply go to https://app.box.com/signup/n/personal and follow the instructions.

Can I access my Box.com folder on my phone or tablet?

Box.com is mobile device friendly. You can download the Box app to your phone or tablet and access your folders and documents using the same log in credentials you do on Box.com when sitting at your computer.

Why am I being asked to verify my account with a text code?

We want to make sure that the data being shared is done so in a secure way. Asking for a text code in addition to your user name and password is one way of ensuring that the person who is logging in is in fact the person authorized to see the data. This two factor authentication process is just one of the many security measures that makes Box.com a safer way to transfer data between legal teams, clients and experts.

How do I upload items?

There are two ways to upload items into your case folder. You can either (1) drag and drop a file or folder from your computer into the folder or (2) click on the “Upload” button at the top of the page and browse to the file or folder you want to upload.

How do I download items?

There are two ways to download items from your case folder. You can either (1) right click on the file or folder and choose the download option or (2) click on the ellipses […] next to the file or folder and choose download.  Folders are downloaded as .zip files so you have to extract the files to your computer once the download is complete.

Can I get notified when another collaborator adds or deletes documents from a folder?

You can set your user preferences to receive email notifications when another collaborator downloads, uploads, makes comments, previews or deletes items from your case folder. Click on the down arrow next to your name and select account settings. Then click on Notifications along the menu bar. From there, you can select when you receive email notifications based on the actions of other collaborators.

How do I set up a sub-folder within a case folder?

If you have a folder on your computer that you want to make a sub-folder in your Box.com case folder, drag and drop the folder from your computer into your case folder. If you want to create a new sub-folder, click on the “New” button and a sub-folder will appear.

What happens when something is deleted?

Items that are deleted are moved to your Box.com Trash folder.  Deleted items will stay in the Trash folder for 90 days, during which time you can go into your Trash folder and restore those items to your case folder. After 90 days, they will be permanently deleted.

Is there a maximum amount of data that I can use Box.com to share?  What if I have 75 gigs or 1 terabyte?

There is no limit to the number of files or folders that can be shared on Box.com. For most users, there is a 250MB per file upload limit.  If you need to upload files larger than 250MB, contact the NLST for assistance.

How do I edit a Microsoft Office document that has been shared on Box.com and track each version on Box.com?

Collaborators can use Box Edit to make changes to Microsoft Office documents.  The changes will be saved directly back to Box.com along with access to prior versions of the document (see: https://app.box.com/services/box_edit for details and requirements).

Why is “NLST Admin” the Owner of the folder I requested to be created?

The NLST has a national contract with Box.com and is responsible for the creation and management of case folders to ensure that the appropriate security settings and collaborator permissions are used.  We are responsible for the security of our hosted space on Box.com and we want to make sure that nobody is accidentally allowed access to any case data.

Can I use Box.com to store old case files?

While your personal Box.com space can be used for any purpose, the case folders set up on Box.com by the NLST are not designed for long-term storage of old files.  Case folders are meant for the short-term sharing and transfer of files and to allow teams to collaboratively edit documents while tracking each version.

dtSearch User Preferences

When you first open dtSearch, the window layout and user preferences will use the program’s default settings.  We’ve found that modifying certain settings will increase the search capabilities and will make navigating and working with the program easier.  The system will remember your preferences so you only have to modify these settings once.

By default, the program is set to search document content, but not file or folder names and there are times when searching file and folder names can be helpful.  Additionally, the search results screen uses a top-bottom layout (the list of results will be on the top with a document preview on the bottom).  Since most documents have a portrait orientation, a side-by-side layout is generally easier to work with.  With Adobe Acrobat documents, there is an additional plug-in needed to be able to navigate through search results within the same document.

To change the user preferences, go to the “Options” menu and choose “Preferences”.

In the Preferences window, under “Indexing Options” place a check next to “Index filenames as text” (leave “Include path information” checked as well).

Next, go to “Search results” within the “Search Options” section and place a check next to “Checkbox” and “Type” within the “Items to include in search results” section.  Then under the “Window layout” section, select “Vertical split”.

Finally, select “PDF view options” in the “Document Options” section.  Look in the “Highlighting hits in Adobe Reader” area.  If the screen reads “A plug-in is needed…” then select the “Configure Plug-in” button and follow the screen prompts to install (if the screen reads the plug-in is installed then there is nothing more you need to do).

Once you have made the changes, click “OK”.  You will receive a message notifying you that the new window layout won’t appear until you close and restart dtSearch.

To see the changes, close dtSearch and re-open it.  You will see the window layout is in the side-by-side “Vertical split” view.  When you run a search, your search results will now appear on the left, with checkboxes and the document viewer on the right.  Within PDF documents you will now be able to use the hit navigation buttons.

Going forward, any new indexes you create will include the ability to search file and folder names.  If you wish to add this feature to any of your existing indexes, run “Update Index” from the “Index” menu.

For additional help with dtSearch, please use the “Help” menu or visit dtSearch.com.

Acrobat DC New Features

All of you use Adobe Acrobat on a daily basis.  Whether it is Adobe Acrobat Reader, Standard or Pro, it is an excellent tool for legal professionals for everything from saving pleadings to file with the court’s case management/electronic case file system to reviewing discovery.  Some of you have been using Acrobat for a while and know that Adobe comes out with new versions every couple of years.  The latest version of Acrobat no longer uses a release number to distinguish a new version (like Adobe Acrobat XI); it now calls itself DC, which stands for Document Cloud, and labels the version by the year of the release (Adobe Acrobat DC 2016 being the most recent version).  Like many other software companies, Adobe is moving to a cloud-based service, giving users the option of working on multiple devices seamlessly if they choose to store their files online.  Though designed for cloud use, users do not have to store their documents remotely, and they can continue using Acrobat DC as a desktop program as they always have.

Acrobat DC has a new look compared to previous versions, has been designed to be tablet and cell phone friendly, and gives users the ability to work on a document from different devices seamlessly. The addition of a user friendly tabbed tool bar makes switching from one document to another that much easier.

The “Home” tab shows the most recent files you have worked with.  You can also search for a file in the search bar, open a file by navigating to it by clicking on “My Computer” or going to the File Menu and selecting → Open.

Once you open a document, the “Document” tab appears at the top of the screen, allowing you to easily navigate from the Document to the Tool Center to the Home page.

The “Tools” tab, otherwise known as the DC Tool Center, centralizes all the features of Acrobat in one place for easy access. Now you can quickly find the tool you need without having to remember which menu in the tools section to navigate to.

The “Search Tools” option in DC is intuitive and easy to use. If you want to OCR a document, type OCR in the “Search Tools” section of the Tool Center and all the toolsets related to recognizing text will appear.

The tool pane that users see when looking at a document can be customized. You can add a tool to the tool pane by selecting “Add Shortcut” from the Tool Center or by right-clicking in the Tool Pane when searching for a tool and adding it there.

When Tool Groups are opened, they are automatically pinned to the top of the screen. The Tool Group stays open until you close it or open another tool.

DC gives you multiple ways of accessing the tools you are looking for and then quickly going back to working with your documents.

The new tabbed tool bar is just one feature of Acrobat DC that makes upgrading worthwhile.  More features will be highlighted in upcoming posts so stay tuned.

So you think you don’t need tech?

Editor’s Note: Penny Marshall is currently in private practice, focusing on Law and Technology.  Previously she was the Federal Defender for the Federal Public Defender Office for the District of Delaware.  Her practice has also included the federal and local level in the District of Columbia and a year and a half stint in the state of Georgia.  She has served as President of the Association of Federal Defenders and Chair of the Third Circuit Lawyers Advisory Committee.  In addition, she is an adjunct faculty member at Widener Law School and has served as guest faculty at both Harvard Law School and Benjamin Cardozo School of Law.

Imagine that the government has provided you with 50 DVD’s, a stack of paper amounting to more than 100,000 documents, an ample number of CD’s and a list of several hundred witnesses.  If you instinctively start to prepare by hiring enough paralegals to print out all of the documents on the DVD’s, put them all in manila folders, and then hope that you or your smart energetic personnel will remember, in the middle of cross-examination, exactly where a particular impeaching statement is located, then this blog is certainly for you.

Unfrozen Caveman Lawyer

Even in the less complex cases, there is increasing reliance by prosecutors on digital discovery rather than forwarding a stack of reports and pictures.  And certainly the video and audio of our clients providing visual and audio support for the government case will be represented in a digital fashion.

In the new technological age, the government is more and more able to “over paper” a case by putting any and all documents on electronic media and challenging YOU to find what is truly relevant.  More and more, the government is following the way of our civil counterparts, who have long used technology as a way to organize and present their case.  We, as defense lawyers, are primed to catch up.

At different stages of litigation there are several advantages to the use of technology:

  • Generally, the first advantage is that technology allows all of your information to be stored and organized in a compact easy to find location.  Almost gone are the days of moving numerous boxes from one location to the other to be copied and filed.
  • The next advantage is that the digital approach allows for your documents to be searched, either by looking in the digital file or by a program that blitzes through numerous documents to find one name or one crucial word.  Tiny print, upside down lettering and even handwriting can be deciphered.
  • A third advantage is that technology is a less costly way of presenting evidence.  For example, compare an FBI model with using a computer program to reconstruct a crime scene.  Also think of the flexibility!
  • Fourth, technology organization requires you to focus on your case in advance. Rather than placing the paper in an accordion file and bringing it out close to trial, electronics says you must consider the parts of the case in advance.

The fact that we are in a visual age cannot be understated.  TV, Text, Laptops, PCs, Phones, Tablets all require us to stare at electronic screens.  Each of these competes for our attention by making more and more exciting bells and whistles.  Check out the lines in front of an Apple store once a new “iDevice” is revealed.

Lining up for new technology

Even though jury duty is a diversion from the normal life for our citizenry, many jurors are regular consumers who expect theatrics in the courtroom. I must admit that, at first, I went kicking and screaming that I was not fully comfortable with tech in the courtroom, but having tried complex cases where it was an absolute necessity and experienced the impact of it in even the more modest case, I am an absolute convert. Think about it, even if you are one of the great lawyers of the day, jurors may tire of your voice in a long case with significant documents, especially if you are asking the Court’s indulgence to find your trial evidence!!