E-Discovery: Mobile Forensic Reports

By Sean Broderick and John C. Ellis, Jr.

[Editor’s Note: Sean Broderick is the National Litigation Support Administrator.  He provides guidance and recommendations to federal courts, federal defender organization staff, and court appointed attorneys on electronic discovery and complex cases, particularly in the areas of evidence organization, document management and trial presentation. Sean is also the co-chair of the Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), a joint Department of Justice and Administrative Office of the U.S. Courts national working group which examines the use of electronic technology in the federal criminal justice system and suggested practices for the efficient and cost-effective management of post-indictment electronic discovery. 

John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Most federal criminal cases involve discovery that originally came from a cell phone. CJA panel attorneys and Federal Defenders have now become accustomed to receiving “reports” generated from Cellebrite.[1] In this blog post, we will talk about the valuable information that may be contained in those Cellebrite generated reports and what form of production you can get the reports in. Spoiler alert: we suggest you request that you receive those reports in Cellebrite Reader format and not just default to the PDF format that you know and love.

We are going to cover:

  1. the basic concepts behind the forensic process that law enforcement uses when using Cellebrite UFED to extract information from a phone,
  2. what is a Cellebrite generated mobile forensic report (which Cellebrite calls extraction reports), and
  3. the pros and cons for the potential formats you can receive Cellebrite generated reports in.

Though there are a number of forensic tools that law enforcement may use to extract data from a phone, the most common is Cellebrite. We are going to discuss Cellebrite, but know there are others (e.g. Oxygen, Paraben, etc.). Many of the processes and principles that apply to Cellebrite will apply to other tools.

Basic concepts behind the forensic process

How does a digital forensic examiner get the data from the mobile phone? Extracting data from mobile devices (a.k.a. acquisition) is complex and requires a great amount of skill when done correctly. For purposes of this blog post, we are only going to focus on one concept, which is the type of extraction that was performed. In order to retrieve data from a mobile phone, an examiner attaches the mobile phone to a computer which has the Cellebrite UFED software, follows a series of protocols, and saves a portion of the data on an external storage device. In most cases, examiners will not retrieve all data that was on the mobile phone at the time of the extraction—this is based in part on the phone’s memory architecture. Moreover, the type of extraction that is performed on the device can limit the amount of data that is retrieved.

The following are the most common types of extractions for Android devices: (1) Logical (or Advanced Logical); (2) File System; and (3) Physical. As for Apple, the most common types are Logical (Partial) and Advanced Logical. Generally, physical extractions retrieve the most data. After the iPhone 4, physical extractions are currently no longer available with Cellebrite with an iPhone device.

After a digital forensic examiner does an extraction of a phone (for this example, we will assume that the extraction was done through the Cellebrite UFED4PC), it generates an extraction files/folders, along with a .UFD (text) file that tells Cellebrite Physical Analyzer basic information about the extraction (such as which UFED was used, start and finish time, and hash information). The extraction files can be produced in a number of formats (.zip and .bin are common examples) depending on the type of extraction done. The takeaway here is that the type of extraction impacts the type and volume of data that was retrieved during the extraction process.

What is a Cellebrite generated report?

After extracting the data, the examiner uses Cellebrite Physical Analyzer to review the data retrieved from the mobile phone. The examiner also has the option of generating a report, which allows users without specialized forensic software to view the data retrieved from the mobile phone. As discussed below, the “extraction report” may be produced in multiple formats. Of note, the examiner can apply filters to decide what data types to export (e.g. emails, images, instant messages, searched items, etc.), and can further filter the data by date range. These reports are limited to the data extracted from the original device; the parameters of the forensic program dictated by the forensic examiner. The takeaway here is that a report does not necessarily include all data that was retrieved during the extraction.

Option for the Cellebrite generated report (extraction report)

Cellebrite generated reports, like the extractions described above, contain information from the mobile phone. This may include text messages, emails, call logs, web browsing history, location data, etc. They can be produced in a number of formats, though the most common are .PDF, .HTML, and .UFDR. There are pros and cons for each format of report.

PDF

Report in PDF format

There are several pros to receiving a Cellebrite generated report in PDF. CJA panel attorneys and Federal Defender defense teams are used to working PDFs. It is easy to add Bates stamps to them. They work on Macs. And they can be annotated and highlighted.

But there are also several important cons that make PDF a less desirable file type for Cellebrite generated reports. For instance, because phones have the capacity to contain large volumes of data, the reports generated from extractions can be quite large. A Cellebrite generated PDF report can easily reach 10,000 pages, which can cause a computer to slow down or even crash. Moreover, users cannot sort or filter data, hide data fields, or search within search results. In short, although PDFs are a convenient file type, it is not the most useful or efficient format for reviewing these types of reports.

HTML

Report in HTML format

There are several pros to receiving a Cellebrite generated report in the HTML format. The files load fast and can be viewed in any browser (such as Chrome, Firefox or Safari). In this format, each data type, such as SMS Messages, are hyperlinked and open in a new browser. (Please note that the hyperlinks only work if the file and the data are provided with the HTML file which can easily get overlooked when people move data.) Moreover, it is easy to search within HTML files and they operate on Macs.

But like PDFs, HTML files have several notable cons. First, you cannot sort or filter the data. Nor can you hide data fields. And you cannot easily generate reports for other subsets of information. Although HTML files are easy to use, they have significant limitations when it comes to reviewing reports.

UFDR

Report in UFDR format

The best format for receiving Cellebrite generated reports is the Cellebrite Reader format. The Cellebrite Reader format allows a user to create reports containing all data, or a portion thereof, in multiple formats including PDF, HTML and UFDR. So, if you receive if in UFDR format you can easily convert it to PDF or HTML later on (which is not possible if you receive it in HTML or PDF). Additionally, in this file format, users can sort and filter data, can search within results, can move or reorder data within columns, and can create tags—which is a convenient way to organize large volumes of discovery. And a user can open multiple UFDR files at the time and search across them. This allows a user to, amongst other things, search for keywords across multiple devices simultaneously.

The one downside to UFDR files is that they will not work on a Mac. You also need to have the free Cellebrite Reader program to open and use the UFDR file. Overall, this is the format you should request when speaking to the government about what form you would like reports generated from Cellebrite produced in.

Final note about formats: When deciding about your preferred format to review a Cellebrite generated report, remember that it is easy for an examiner to select all three formats at the same time. Often, an examiner will provide all three to make it easier for people to review the data in the way they want.

Conclusion

Mobile forensic reports are a ubiquitous part of discovery. When reviewing them, it is important to remember that the information in the report is limited by the limitations of retrieving data from mobile devices, the type of extraction performed on the device, and the data the examiner decided to include in the report. And the form of production of the report can affect how you review the data. Attorneys should consider contacting an expert or consultant if they have questions about the contents of a report.

Of note, Troy Schnack, Computer System Administrator for Federal Public Defender Office in Kansas City, Missouri, will be doing a webinar on mobile devices and will go into detail regarding Cellebrite Reader on Tuesday, September 22, 2020. Please register for the program on fd.org – we highly recommend it.


[1] Cellebrite UFED is a mobile forensic software program that allows trained users to extract and analyze phone call history, contact information, audio, photos, and videos and texts from mobile phones or forensic images of mobile devices produced as part of discovery. It has wide coverage for accessing digital devices from Android to Apple, with more than 31,000 device profiles of the most common phones. Cellebrite UFED can come as software only or can include a physical unit with accessories such as tip and cable set to connect to various mobile devices.

 

Ephemeral Messaging Apps

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Ephemeral Messaging Apps are a popular form of communication. With privacy a concern for everyone, using a self-destructing message that works like disappearing ink for text and photos has a certain allure. All messages are purposely short-lived, with the message deleting on the receiver’s device, the sender’s device, and on the system’s servers seconds or minutes after the message is read. Although these apps were initially only used by teenagers, they are now a ubiquitous part of corporate culture.

According to the 6th Annual Federal Judges Survey, put together by Exterro, Georgetown Law CLE, and EDRM, 20 Federal Judges were asked “[w]hat new data type should legal teams be most worried about in the 5 years?”[1]  The overwhelming response was “Ephemeral Apps (Snapchat, Instagram, etc.).” Id.  In fact, 68% of those surveyed believed ephemeral messaging apps where the most worrisome new data type, whereas only 16% responded that biometric data (including facial recognition and fingerprinting) were the greatest risk. Only 5% were concerned with Text Messages and Mobile, and 0% were concerned with the traditional social media such as Facebook and Twitter.  Id.

Even now, Courts are attempting to sort out the evidentiary issues cause by ephemeral messaging apps, see e.g., Waymo LLC v. Uber Technologies, Inc. 17cv0939-WHA (NDCA).  This article discusses popular ephemeral messaging apps and discusses guidelines for addressing potential evidentiary issues.

Short technical background:

There are several background definitions relevant to this discussion:

  1. Text Messages – otherwise known as SMS (“Short Message Service”) messages, text messages allow mobile device users to send and receive messages of up to 160 characters. These messages are sent using the mobile phone carriers’ network. Twenty-three billion text messages are sent worldwide each day.  Generally, mobile carriers do not retain the contents of SMS messages, so the records will only show the phone number that sent or received the messages and the time it was sent or received.
  2. Messaging Apps – allow users to send messages not tethered to a mobile device (e., a phone number). With some apps, a user may send messages from multiple devices. These apps include iMessage, WhatsApp, and Facebook Messenger. Messaging Apps are generally free. Unlike text messages, these apps rarely have monthly billing records or records showing when messages were sent or received.
  3. Ephemeral Messaging Apps – are a subset of Messaging Apps that allow users to cause messages (words or media) to disappear on the recipient’s device after a short duration. The duration of the message’s existence is set by the sender. Messages can last for seconds or days, unless the receiver of the message takes a “screenshot” of the message before its disappearance.
  4. End-to-End Encryption – also known as E2EE, this is a type of encryption where only the communicating parties can decipher the messages, which prevents eavesdroppers from reading them in transit.

Common Disappearing Messaging Apps:

Messaging apps, like all apps, are changing.  The following is a list and description of several popular ephemeral messaging apps.


Snapchat – both a messaging platform and a social network. The app allows users to send messages and media (including words and emojis appearing on the media) that disappear after a set period of time. Photos and videos created on Snapchat are called “snaps.” Approximately 1 million snaps are sent per day.

Signal – an encrypted communications app that uses the Internet to send one-to-one and group messages which can include files, voice notes, images and videos, which can be set to disappear after a set period of time. According to Wired, Signal is the one messaging app everyone should be using.

Wickr Me – a messaging app that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments.

Telegram – cloud-based instant messaging app with end-to-end encryption that allows users to send messages, photos, videos, audio messages and files. It has a feature where messages and attachments can disappear after a set period of time.

CoverMe – a private messaging app that allows users to exchange messages, files, photographs, and phone calls from a fake (or “burner”) phone number. It also allows for private internet browsing, and llows users to hide messages and files.

Confide – a messaging app that allows users to send end-to-end encrypted messages.  The user can also send self-destructing messages purportedly screenshot-proof.

Evidentiary Issues:

Messaging app data, like other forms of evidence, must, amongst other criteria, be relevant (Fed.R.Evid. 401); authenticated (Fed.R.Evid. 901 et seq); and comply with the best evidence rule (Fed.R.Evid 1001 et seq).

As for the Best Evidence Rule, based on the nature of disappearing messaging apps, the original writing of the message is not preserved for litigation. See Fed.R.Evid. 1004(a) (finding that the original is not required if “all the originals are lost or destroyed, and not by the proponent acting in bad faith.”) Sometimes, the contents of the message may be established by the testimony of a witness. In other cases, the contents of the message may be based on a screen shot of the message.

Authenticating messages from apps, regardless of their ephemeral nature, is often difficult—text messages can be easily faked. When it comes ephemeral messages, we often must rely upon a screenshot or testimony regarding the alleged contents of the message.  In such circumstances, the following factors—repurposed from Best Practices for Authenticating Digital Evidence—are useful[2]:

  • testimony from a witness who identifies the account as that of the alleged author, on the basis that the witness on other occasions communicated with the account holder;
  • testimony from a participant in the conversation based on firsthand knowledge that the screen shot fairly and accurately captures the conversation;
  • evidence that the purported author used the same messaging app and associated screen name on other occasions;
  • evidence that the purported author acted in accordance with the message (e.g., when a meeting with that person was arranged in a message, he or she attended);
  • evidence that the purported author identified himself or herself as the individual sending the message;
  • use in the conversation of the customary nickname, avatar, or emoticon associated with the purported author;
  • disclosure in the message of particularized information either unique to the purported author or known only to a small group of individuals including the purported author;
  • evidence that the purported author had in his or her possession information given to the person using messaging app;
  • evidence that the messaging app was downloaded on the purported author’s digital device; and evidence that the purported author elsewhere discussed the same subject.

Conclusion:

Ephemeral messaging app data will continue to impact investigators, attorneys, and the Court. Defense teams should be prepared for the challenges ephemeral messages cause from investigations to evidentiary issues.


[1]Available at https://www.exterro.com/2020-judges-survey-ediscovery.

[2] Hon. Grimm, Capra, and Joseph, Best Practices for Authenticating Digital Evidence (West Academic Publishing 2016), pp. 11-12.

 

NLST webinar

The National Litigation Support Team (NLST) recently presented a national webinar entitled, “Managing and Reviewing Electronic Discovery for CJA Panel Attorneys.” This 90-minute webinar was recorded and is available on fd.org for your review. The recording provides an overview of technology, techniques and search strategies that can help CJA panel attorneys (and federal defender organization personnel) with your review and analysis of electronically stored information that is provided in discovery. We discussed resources that are available to you as a CJA panel attorney or federal defender employee, and questions to ask the next time you get a complex case. Topics covered include the importance of search and retrieval techniques, encryption, Box.com, Adobe Acrobat Pro, dtSearch, CaseMap, Casepoint, and new federal criminal Rule 16.1.

If you are interested in viewing the recording, please go to fd.org/program-materials-and-videos. (NOTE: To view the webinar, you will need to be either a CJA panel attorney who has registered with fd.org , or a member of a federal defender office. If you need assistance accessing the information, go to fd.org/login-help). If you have follow-up questions about any of the topics (as the presentation was meant as an overview), please email us.

Three Types of PDFs

Acrobat

PDFs (portable document format files) are a common file format in federal criminal discovery. But are all PDFs created equal? As you all have experienced, the answer is no, they are not.

Think about PDFs in three distinct categories:

  1. True PDFs;
  2. Image-based PDFs; and
  3. Made-searchable PDFs.

For discovery review, these distinctions are important because it impacts whether the PDF is searchable and the accuracy of your text searches within the PDF file. With voluminous discovery, the ability to search and review PDFs is critical for organizing and reviewing it.

  • True PDFs (also known as text-based or digitally created PDFs). These PDFs are created using software such as Microsoft Word, Excel, or using the “print to PDF” function in those programs. They consist of both text and images. We should think about these PDFs having two layers – one layer is the image and a second layer is the text. The image layer shows what the document will look like if it is printed to paper. The text layer is searchable text that is carried over from the original Word file into the new PDF file (the technical term for this layer is “extracted text”). There is no need to make it searchable and the new PDF will have the same text as the original Word file. An example of True PDFs that federal defenders and CJA panel attorneys will be familiar with are the pleadings filed in CM/ECF. The pleading is originally created in Word, but then the attorney either saves it as PDF or prints to PDF and they file that PDF document with the court. Using either process, there is now a PDF file created with an image layer plus text layer. In terms of usability, this is the best type of PDF to receive in discovery as it will have the closest to text searchability of the original file. Click here to see an example of a True PDF.
  • Image-based PDFs (also known as image-only PDFs). Image-based PDFs are typically created through scanning paper in a copier, taking photographs or taking screenshots. To a computer, they are images. Though we humans can see text in the image, the file only consists of the image layer but not the searchable text layer that True PDFs contain. As a result, we cannot use a computer to search the text we see in the image as that text layer is missing. There are times when discovery is produced, it will be in an image-based PDF format. When you come across image-based PDFs, ask the U.S. Attorney’s Office in what format was that file originally. Second, ask if they have it in a searchable format and specifically if they have it in a digitally created, True, Text-based PDF format. They may not, as they often receive PDFs from other sources before they provide them to you, but you will want to know what is the format in which they have it in, and what is the original format of the file (as far as they know). Click here to see an example of an Image-based PDF.
  • Made-searchable PDFs (also known as “OCRed” PDFs). Image-based PDFs can be made text searchable by applying optical character recognition (OCR). CJA panel attorneys frequently use Adobe Acrobat Pro (or other PDF editor software) to make image-based PDFs searchable. During the OCR process, the software program interprets each character on the image as text and adds a text layer to the image layer. Made-searchable PDFs are like True PDFs, but the searchability of the OCRed document will depend on the quality of the image, or the recognizability of the writing. They are often not 100% accurate when you do keyword searches of the text. Click here to see an example of a Made-searchable PDF.

The ESI Protocol (formally known as the Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases) noted the limitations of OCR process on scanned paper.

“Generally speaking, OCR does not handle handwritten text or text in graphics well. OCR conversion rates can range from 50 to 98% accuracy depending on the underlying document. A full page of text is estimated to contain 2,000 characters, so OCR software with even 90% accuracy would create a page of text with approximately 200 errors.”

People ask how accurate software programs are in the OCR conversion. That is important, but the biggest factor for how searchable your OCR PDF will become is the underlying quality of the scanned image. A clean copy of a pleading will have high accuracy; a twice photocopied school paper record from the 1950s will be less accurate.

A quick way to see what the quality of the text is compared to the image is to select the text in question in a PDF file (you can use Control + A in Windows or Command + A in Mac to copy all the text on a page), and then copy and paste the text into a Word document. Put the two files side by side and visually compare them.

Side by Side

Why You Should Consider a Windows Computer and Laptop Buying Advice

W10

Why do we recommend having a Windows computer for CJA panel attorneys?

One of the great modern-day debates is Windows versus Apple. Like college football rivalries (think Alabama versus Auburn or UCLA versus USC), this discussion can generate intense emotions on both sides of the aisle. Add into the mix the introduction of Chromebooks (using a Chrome OS operating system), and it can be difficult for CJA panel attorneys to decide what to use in their practice.

For this conversation, let’s talk about laptops. When talking to people outside of the federal criminal defense world, we would usually say choosing a laptop depends on personal preference. You should pick the laptop that makes sense to you and allows you to be most productive. If you find you are more productive with a Mac, that’s great. People may be drawn to one operating system or the other for any number of reasons. Typically, the most important factor in choosing an operating system is which one you have used the most.  The mechanics of how that system functions will seem more intuitive to you, because you have years of experience using it.

However, for federal criminal cases, we suggest having a Windows machine available to you.

Why?

Three reasons:

  1. The Department of Justice, as well as most law enforcement agencies, use Windows computers. The systems they use to manage evidence and electronically stored information (ESI) will, by default, work on Windows machines. As a result, when they produce discovery to the defense, it will work (usually) on Windows machines.
  2. Several important software programs and digital forensics programs do not work on Macs. Examples include dtSearch, CaseMap, Cellebrite Reader (a free viewer that can speed up review of cellphone dumps) and FTK Imager (a free tool to look at computer images the government seized, so that you can see what the computer looked like to the person who used it). Now you may not need to use these tools (there are work arounds or alternatives), but it is a limitation. In addition, while many file formats can be opened on either Windows or Apple machines, such as Word documents, PDFs and PowerPoint files, there are other file types that do not work natively on Macs. For example, certain proprietary audio and video files can only be played on applications that work in Windows. Now that all discovery being provided by the U.S. Attorney’s Office is encrypted in transit, they often use tools designed to function on Windows machines and not Macs. Of course, you can try to work it out with the government, so you receive something that is Mac-friendly (and many times they will be accommodating), but it is not their default procedure.
  3. There are other costs associated with Macs. For one, PCs are often cheaper than their Mac counterparts.  Additionally, programs offered for a discount to CJA panel lawyers by the Defender Services program typically are Windows based.

Does this mean we are saying you should abandon your Mac? No. Plenty of us use both Windows and Macintosh computers at work or at home.  What we are saying is that you should consider having a Windows computer available to you to assist you in your CJA cases, as it can save you time and money in the long run.

Which laptop should I buy?

When it comes to buying a Windows laptop, there are hundreds of options.  The following minimum criteria should be considered when purchasing a new laptop:

  • 12.5 to 14-inch size screen – typically a good balance between usability and portability. This assessment is something to consider. If you are going to be mobile, go on the smaller side. If you are going to more stationary, consider the larger screen;
  • At least a Core i5 CPU;
  • At least 8 gigabytes (GB) of RAM;
  • Screen resolution of 1920 x 1080;
  • At least 500 SSD (solid state drive);
  • 8+ hours batter life;
  • Windows Professional – which gives you Bitlocker, an easy way to encrypt files and folders.

If you can afford to spend a little more, adding to these minimum specs options can result in better performance. For myself, I like to have at least a machine with Core i7 CPU, 16 gigabytes of RAM. Many of our colleagues have found that if they have a more robust machine, problems they had scrolling through large PDF files or viewing proprietary video files in their older, less powerful machines went away. However, price is always the top issue so shop around and find what works for you and your budget.

Adobe Acrobat Training Videos: Text Recognition

Next Video – Searching Fundamentals

Adobe Acrobat Pro is one of the most popular computer software programs on the market for FDO and CJA panel attorneys.  Since so much of the discovery we currently receive in criminal cases is provided in paper or scanned paper format, Acrobat Pro is an excellent tool to help you to better organize and review it.

In our team’s continued efforts to providing resource to CJA panel attorneys and FDO staff, we are creating a series of training videos. Each short video will address a specific feature in a computer software program with our first set focused on Adobe Acrobat Pro XI.

These videos do not take the place of hands-on training sessions where we can get in depth about a variety of software programs and legal strategies for addressing complex cases, but it hopefully will provide you some basic background information that can help you in your cases.

The first video (created by Kelly Scribner and Alex Roberts) gives key information to consider when using OCR text recognition with Adobe Acrobat Pro for scanned paper. Though much has been written about the incredible functionality available with Adobe Acrobat Pro, this short seven minute demonstration focuses on points that we think are most important for you to consider when using OCR in Acrobat Pro.

Future videos we are developing will also be posted on this blog.  Make sure to check back in or sign up to subscribe to our blog to get notices of new posts by email.

.

Important 11th Circuit decision regarding compelling of unencrypted data

Editor’s Note: Justin Murphy is a counsel at Crowell & Moring’s Washington, D.C. office, where he practices in the White Collar & Regulatory Enforcement Group and E-Discovery and Information Management Group. Justin’s practice focuses on SEC enforcement, white collar criminal matters, e-discovery matters relating to internal and government investigations, and related civil litigation. He has represented clients in both federal and state criminal proceedings, including state trial panel work in Maryland. Justin has a wealth of expertise in electronic discovery issues in government investigations and criminal litigation, having both written and presented on the subject. In this blog entry, Justin discusses United States v. Doe, a big win for AFPD Chet Kaufman of the Florida Northern Federal Public Defender Office.

Appeals Court Finds Encrypted Data Beyond Reach of Government Investigators

by: Justin P. Murphy, Counsel, Crowell & Moring LLP

In an important decision that could have significant implications for government enforcement, the Eleventh Circuit ruled that a suspect could not be required to decrypt his computer hard drives because it would implicate his Fifth Amendment privilege and amount to the suspect’s testifying against himself.

In United States v. Doe, the government seized hard drives that it believed contained child pornography.  Some of the hard drives were encrypted, and the suspect refused to decrypt the devices, invoking his Fifth Amendment right against self-incrimination.  The Eleventh Circuit held that compelling the suspect to decrypt and produce the drives’ contents “would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”  Moreover, the government could not force a suspect to decrypt and produce the information where it could not identify with “reasonable particularity” the existence of certain files, noting that an “act of production can be testimonial when that act conveys some explicit or implicit statement of fact that certain materials exist, are in the subpoenaed individual’s possession or control, or are authentic.”  The court also rejected the government’s attempt to immunize production of the drives’ contents because the government acknowledged that “it would use the contents of the unencrypted drives against” the suspect. 

This decision appears to limit government investigators’ ability to compel an individual to reveal the contents of devices encrypted with passwords or codes in a criminal investigation based only on government speculation as to what data may be contained in certain files.  Although a corporation or partnership does not enjoy Fifth Amendment protection, individuals and sole proprietorships do, and this decision could have a significant impact on small businesses and individuals who work in highly regulated industries including health care, government contracting, energy, chemicals, and others that may face government scrutiny. 

For a copy of the decision, please click here.

Recommendations for ESI Discovery in Federal Criminal Cases

The Administrative Office/Department of Justice Joint Working Group on Electronic Technology (JETWG) has announced the development of a recommended ESI protocol for use in federal criminal cases. Entitled “Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases“, it is the product of a collaborative effort between representatives from the Defender Services program and DOJ and it has DOJ leadership’s full support.

The primary purpose of the ESI protocol is to facilitate more predictable, cost-effective, and efficient management of electronic discovery and a reduction in the number of disputes relating to ESI. What this means for federal defenders and the CJA panel is that there is now a mechanism, through a meet and confer process, to address problems a receiving party might have with an ESI production early in a case, and to discuss the form of the discovery that they receive. The participants on both sides of JETWG are intimately familiar with the day-to-day challenges attorneys face in criminal cases, and the protocol reflects a pragmatic approach to the problems both prosecutors and defense attorneys face when dealing with electronic discovery.

The protocols were negotiated and drafted over an 18-month period by JETWG which has representatives from the Federal Defender Offices, CJA Panel, Office of Defender Services, and DOJ, with liaisons from the United States Judiciary. Andrew Goldsmith, the DOJ National Criminal Discovery Coordinator, and I (Sean Broderick) serve as co-chairs. Donna Elm, Federal Public Defender for the Middle District of Florida, Doug Mitchell, CJA Panel Attorney District Representative for the District of Nevada, Bob Burke, Chief of the Training Branch for Office of Defender Services, and Judy Mroczka, Chief of the Legal and Policy Branch for Office of Defender Services round out the membership on the Defender Services side of the joint working group.

The ESI protocol was directly impacted by input provided by FDO and CJA panel attorneys, FDO technology staff, paralegals, investigators in the field. In addition, we received comments and input on draft versions of the Recommendations from different working groups compromised of Federal Defenders and CJA panel representatives (just as DOJ did on their side).

The Recommendations consist of four parts:

  1. an Introduction containing underlying principles, with hyperlinks to related recommendations and strategies; 
  2. the Recommendations themselves; 
  3. Strategies and Commentary that address technical and logistical issues in more detail and provide specific advice on discovery exchange challenges; and 
  4. an ESI Discovery Production Checklist.

In general, the agreement is designed to encourage early discussion of electronic discovery issues through “meet and confers,” the exchange of data in industry standard or reasonably useable formats, notice to the court of potential discovery issues, and resolution of disputes without court involvement where possible.

We are excited about this announcement. Although almost all information is now created and stored electronically, the discovery provisions of the Federal Rules of Criminal Procedure are largely silent on this issue. At the same time there is a void because criminal cases, just like civil cases, are impacted by our shift from a paper to a digital-based society. We believe that this is an important step towards addressing the ESI challenges that people can face in a federal criminal case, if not now, certainly in the future.

We expect to continue the collaborative process with DOJ, and look forward to an ongoing dialogue with people in the field who are dealing with electronic discovery.

PDF link: Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases

Posted in ESI

CJA Panel Attorney Software Discounts

There are several vendors who offer discounted rates to CJA panel attorneys for their litigation support software.  Currently, there are discounted rates being offered on:

  • CaseMap Bundle (CaseMap/TimeMap/DocManager)
  • TrialDirector

We hope to continue the national contracts which encourage these deals to be offered to the CJA panel, but considering the ongoing budget limitations all deals are subject to change.

Note: Like many litigation software programs, these programs are developed for Windows based operating systems and do not work with Macintosh operating systems.

Below is a brief description of the software and the current pricing information for these programs:

_______________________________________________________________________

CaseMap Bundle (CaseMap/TimeMap/DocManager)

CaseMap and TimeMap are two of the most popular litigation support software programs for FDOs and CJA panel attorneys. CaseMap is a fact management application used to organize, manage, and connect case facts, legal issues, key players, and documents. Because it is a single database, it allows team members to work collaboratively and store important case information in specialized relational spreadsheets for ready access and analysis. Through flexible filtering, CaseMap enables end-users to see how any person, fact, document, or issue relates to other elements in a case. TimeMap is a graphing software used to create visual timelines of case events, assisting judges and jurors in their understanding of the sequence of key events in a case. TimeMap integrates with CaseMap, allowing any record in CaseMap that has a date associated with it to be sent to TimeMap instantly.  DocManager is a CaseMap plug-in that allows users to view highlighted search hits in DocManager’s near-native viewer, and bulk import and view many file formats while still providing Adobe Acrobat integration and functionality that users are accustomed to.

LexisNexis offers CJA panel attorneys the CaseMap / TimeMap / DocManger bundle for a special reduced price of $739.00.  Contact PMsales@lexisnexis.com (email) for assistance and questions.  Make sure to mention that you are a CJA attorney and that you are interested in CaseMap products at the special discounted rate.

_______________________________________________________________________

TrialDirector 6.8

TrialDirector 6.8 is one of the most popular electronic courtroom presentation software programs, and FDO and CJA panel attorneys have been using it in trial and evidentiary hearings for many years. TrialDirector 6.8 allows attorneys to do multimedia presentations in court, including presenting imaged documents, document highlighting, document callout and zooming, cropping, annotating, multiple zoom capabilities, side by side exhibit comparison, playing audio and video, and the playing of synchronized audio/video transcripts. It allows for the importation and organization of case files including exhibits, documents, images, videotaped depositions, deposition transcripts, synchronized deposition transcripts and can be synchronized with document review databases.

To purchase TrialDirector 6.8, contact James Orcutt at iPro Tech (jorcuttt@iprotech.com). Inform him that you are a CJA attorney and that you would like to purchase the TrialDirector 6.8 software at the special CJA rate.  iPro Tech offers CJA panel attorneys TrialDirector 6.8 at a 50% discount, currently $397.50, plus a mandatory software maintenance fee of $159, for a total of $556.50 (compared to the regular price of $954 for a license and maintenance).

_______________________________________________________________________

If you have any questions regarding the utilization of any of these litigation support software programs in your office, please contact either Alex Roberts or Kelly Scribner of the National Litigation Support Team at .

E-Discovery Software Makes The New York Times: But What Does It Mean For You?

Always an observant lot, a number of federal defenders emailed me the link to a March 4, 2011 NY Times article which discusses how e-discovery software is saving attorney time and charges. See Armies of Expensive Lawyers, Replaced by Cheaper Software. Comparing the traditional method of document review where attorneys and paralegals do “eyes on paper,” the article discusses e-discovery software that can analyze documents more quickly and for less money – music to everyone’s ears, especially those who do indigent criminal defense work.

The article describes how some of these software analytics can more effectively search and retrieve information than ever before, even if a human being viewed and indexed every document. Examples include “conceptual searching” software which, broadly stated, can find the ideas in which you are interested, even if the specific keywords are not contained in the document. So, for example, if you are looking for the concept of “bill of law,” the program identifies relevant documents (documents that reference bill of laws, constitutional amendments, etc.) and excludes other documents which may have the word “bill” in them but do not include the concept of “bill” that you are interested in (such as duck bill).

(As an aside, this has been discussed and utilized for years within the electronic discovery world. Over four years ago, The Sedona Conference, a nonprofit research and educational institute dedicated to the advanced study of law and policy, published an excellent commentary discussing the challenges and potential solutions involved with searching large amounts of ESI in The Sedona Conference Best Practices Commentary on the Use of Search and Information Retrieval Methods in E-Discovery, August 2007 (TheSedonaConference.org). In part, the commentary states that “[h]uman review of documents in discovery is expensive, time consuming, and error-prone. There is growing consensus that the application of linguistic and mathematic-based content analysis, embodied in new forms of search and retrieval technologies, tools, techniques and process in support of the review function can effectively reduce litigation cost, time, and error rates.”)

As many federal defender staff and CJA panel attorneys know, federal criminal cases are experiencing an explosion of electronic data, with cases involving increased volume, multiple file types and multiple source devices including social media. The idea that technology can save us from this problem is enticing. I often wish that I was Spock talking to the computer on the Starship Enterprise, where the computer would provide me the relevant information succinctly and to the point (with a friendly voice to boot).

Though artificial intelligence has grown by leaps and bounds, it is nowhere near that Star Trek 23rd century vision of the world, and all of the software described in the New York Times article requires significant up-front human thinking and planning to make it effective. That is not say it isn’t useful and shouldn’t be explored (in fact, it must be), but the software in itself is not a panacea to the problems of electronic discovery.

The article, which also focuses on the possibility that the software may reduce legal jobs, is a great read if you are interested in what is the current cutting-edge technology. Practically, the products mentioned in the NYT article are out of the realm of most people’s current day-to-day practice. The higher level analytics are very expensive and are currently only useful for the few exceptional cases that reach extremely large volumes of data. That said, there are limited instances where defense teams have taken advantage of this type of technology to narrow the data in their case. We have found that by using the proper workflow, doing front-end thinking and planning, this technology does result in overall cost-effectiveness and allows defense teams to spend more time on what they care about most.

Three additional points to consider:

  1. Paper and electronically scanned paper generally does not work with these new tools
     
    The majority of discovery in indigent federal criminal cases is in scanned paper form, i.e., it was a piece of paper that was imaged and then converted into either TIFF or PDF format even though almost all of that paper was originally produced by a computer). As exciting as these new tools are, they generally don’t work with scanned paper because they are designed to use the metadata associated with the native ESI to do the higher level searching and threading. This is one reason why it is important for opposing parties to discuss in advance the form in which information in the case will be produced.
     
  2. When dealing with sizable amounts of information, a review tool is needed
     
    Historically, people who do indigent criminal work have gotten by without using an in-house review tool such as Concordance or Summation, or one of the many web-hosted solutions now out there. Instead, they used Adobe Acrobat Reader, IPRO, Windows Explorer, or they simply printed out the documents to look at them. With the dramatic volume increase, and the myriad file formats containing additional information that isn’t visible when you simply hit “print,” federal defender offices and CJA panel attorneys have a greater need to have a review tool (be it on their computer or web-based), which allows them to more effectively review and manage case information.
     
  3. Greater productivity is needed just to keep pace with the information explosion. 
     
    Though not a panacea, we must examine and embrace new technologies to deal with this onslaught. Electronic discovery experts recognize that while all the new technology in the litigation support arena should allow us to search in more sophisticated ways, organize in a more refined manner and review more data faster, we continue to be hard pressed to keep up with the amount of information inundating us.

Ralph Losey, a nationally recognized electronic discovery expert, had his typical witty and insightful take on this article. See NY Times Discovers e-Discovery, But Gets the Jobs Report Wrong.  I found the following particularly relevant to the future challenges in the criminal litigation context: “The new technologies allow us to go faster and search and review more and more bits than ever before, but still, we are just treading water. . . . I do not know the actual metrics here. I don’t think anyone does. But it is my impression that the incredible advancements and improvements in search and review speed made possible by some software are roughly counterbalanced by the growth in information.”

The “tried and true” discovery management techniques that serve so well in cases involving a handful of bankers boxes of paper documents will not work in modern-day litigation. Just the volume itself forces one to take advantage of what technology has to offer. In this point in time, everyone who practices law uses some form of technology. By taking the next steps of learning more about technology and understanding how information is stored digitally, people can do their jobs more effectively and efficiently. I firmly believe that with the right education, human resources, processes, and tools, the computer can help you process, organize, and find critical information more quickly and allow you to more effectively represent your client during these times of limited funds.

– Sean

Posted in ESI