E-Discovery: Mobile Forensic Reports

By Sean Broderick and John C. Ellis, Jr.

[Editor’s Note: Sean Broderick is the National Litigation Support Administrator.  He provides guidance and recommendations to federal courts, federal defender organization staff, and court appointed attorneys on electronic discovery and complex cases, particularly in the areas of evidence organization, document management and trial presentation. Sean is also the co-chair of the Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), a joint Department of Justice and Administrative Office of the U.S. Courts national working group which examines the use of electronic technology in the federal criminal justice system and suggested practices for the efficient and cost-effective management of post-indictment electronic discovery. 

John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Most federal criminal cases involve discovery that originally came from a cell phone. CJA panel attorneys and Federal Defenders have now become accustomed to receiving “reports” generated from Cellebrite.[1] In this blog post, we will talk about the valuable information that may be contained in those Cellebrite generated reports and what form of production you can get the reports in. Spoiler alert: we suggest you request that you receive those reports in Cellebrite Reader format and not just default to the PDF format that you know and love.

We are going to cover:

  1. the basic concepts behind the forensic process that law enforcement uses when using Cellebrite UFED to extract information from a phone,
  2. what is a Cellebrite generated mobile forensic report (which Cellebrite calls extraction reports), and
  3. the pros and cons for the potential formats you can receive Cellebrite generated reports in.

Though there are a number of forensic tools that law enforcement may use to extract data from a phone, the most common is Cellebrite. We are going to discuss Cellebrite, but know there are others (e.g. Oxygen, Paraben, etc.). Many of the processes and principles that apply to Cellebrite will apply to other tools.

Basic concepts behind the forensic process

How does a digital forensic examiner get the data from the mobile phone? Extracting data from mobile devices (a.k.a. acquisition) is complex and requires a great amount of skill when done correctly. For purposes of this blog post, we are only going to focus on one concept, which is the type of extraction that was performed. In order to retrieve data from a mobile phone, an examiner attaches the mobile phone to a computer which has the Cellebrite UFED software, follows a series of protocols, and saves a portion of the data on an external storage device. In most cases, examiners will not retrieve all data that was on the mobile phone at the time of the extraction—this is based in part on the phone’s memory architecture. Moreover, the type of extraction that is performed on the device can limit the amount of data that is retrieved.

The following are the most common types of extractions for Android devices: (1) Logical (or Advanced Logical); (2) File System; and (3) Physical. As for Apple, the most common types are Logical (Partial) and Advanced Logical. Generally, physical extractions retrieve the most data. After the iPhone 4, physical extractions of iPhone devices are currently no longer available with Cellebrite.

After a digital forensic examiner does an extraction of a phone (for this example, we will assume that the extraction was done through the Cellebrite UFED4PC), it generates extraction files/folders, along with a .UFD (text) file that tells Cellebrite Physical Analyzer basic information about the extraction (such as which UFED was used, start and finish time, and hash information). The extraction files can be produced in a number of formats (.zip and .bin are common examples) depending on the type of extraction done. The takeaway here is that the type of extraction impacts the type and volume of data that was retrieved during the extraction process.

What is a Cellebrite generated report?

After extracting the data, the examiner uses Cellebrite Physical Analyzer to review the data retrieved from the mobile phone. The examiner also has the option of generating a report, which allows users without specialized forensic software to view the data retrieved from the mobile phone. As discussed below, the “extraction report” may be produced in multiple formats. Of note, the examiner can apply filters to decide what data types to export (e.g. emails, images, instant messages, searched items, etc.), and can further filter the data by date range. These reports are limited to the data extracted from the original device and the parameters of the forensic program dictated by the forensic examiner. The takeaway here is that a report does not necessarily include all data that was retrieved during the extraction.

Option for the Cellebrite generated report (extraction report)

Cellebrite generated reports, like the extractions described above, contain information from the mobile phone. This may include text messages, emails, call logs, web browsing history, location data, etc. They can be produced in a number of formats, though the most common are .PDF, .HTML, and .UFDR. There are pros and cons for each format of report.

PDF

Report in PDF format

There are several pros to receiving a Cellebrite generated report in PDF. CJA panel attorneys and Federal Defender defense teams are used to working with PDFs. It is easy to add Bates stamps to them. They work on Macs. And they can be annotated and highlighted.

But there are also several important cons that make PDF a less desirable file type for Cellebrite generated reports. For instance, because phones have the capacity to contain large volumes of data, the reports generated from extractions can be quite large. A Cellebrite generated PDF report can easily reach 10,000 pages, which can cause a computer to slow down or even crash. Moreover, users cannot sort or filter data, hide data fields, or search within search results. In short, although PDFs are a convenient file type, they are not the most useful or efficient format for reviewing these types of reports.

HTML

Report in HTML format

There are several pros to receiving a Cellebrite generated report in the HTML format. The files load fast and can be viewed in any browser (such as Chrome, Firefox or Safari). In this format, each data type, such as SMS Messages, is hyperlinked and opens in a new browser. (Please note that the hyperlinks only work if the file and the data are provided with the HTML file, which can easily get overlooked when people move data.) Moreover, it is easy to search within HTML files and they operate on Macs.

But like PDFs, HTML files have several notable cons. First, you cannot sort or filter the data. Nor can you hide data fields. And you cannot easily generate reports for other subsets of information. Although HTML files are easy to use, they have significant limitations when it comes to reviewing reports.

UFDR

Report in UFDR format

The best format for receiving Cellebrite generated reports is the Cellebrite Reader format. The Cellebrite Reader format allows a user to create reports containing all data, or a portion thereof, in multiple formats including PDF, HTML and UFDR. So, if you receive it in UFDR format you can easily convert it to PDF or HTML later on (which is not possible if you receive it in HTML or PDF). Additionally, in this file format, users can sort and filter data, can search within results, can move or reorder data within columns, and can create tags—which is a convenient way to organize large volumes of discovery. And a user can open multiple UFDR files at the same time and search across them. This allows a user to, amongst other things, search for keywords across multiple devices simultaneously.

The one downside to UFDR files is that they will not work on a Mac. You also need to have the free Cellebrite Reader program to open and use the UFDR file. Overall, this is the format you should request when speaking to the government about what form you would like reports generated from Cellebrite produced in.

Final note about formats: When deciding about your preferred format to review a Cellebrite generated report, remember that it is easy for an examiner to select all three formats at the same time. Often, an examiner will provide all three to make it easier for people to review the data in the way they want.

Conclusion

Mobile forensic reports are a ubiquitous part of discovery. When reviewing them, it is important to remember that the information in the report is limited by the limitations of retrieving data from mobile devices, the type of extraction performed on the device, and the data the examiner decided to include in the report. And the form of production of the report can affect how you review the data. Attorneys should consider contacting an expert or consultant if they have questions about the contents of a report.

Of note, Troy Schnack, Computer System Administrator for Federal Public Defender Office in Kansas City, Missouri, will be doing a webinar on mobile devices and will go into detail regarding Cellebrite Reader on Tuesday, September 22, 2020. Please register for the program on fd.org – we highly recommend it.


[1] Cellebrite UFED is a mobile forensic software program that allows trained users to extract and analyze phone call history, contact information, audio, photos, and videos and texts from mobile phones or forensic images of mobile devices produced as part of discovery. It has wide coverage for accessing digital devices from Android to Apple, with more than 31,000 device profiles of the most common phones. Cellebrite UFED can come as software only or can include a physical unit with accessories such as tip and cable set to connect to various mobile devices.

 

Ephemeral Messaging Apps

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Ephemeral Messaging Apps are a popular form of communication. With privacy a concern for everyone, using a self-destructing message that works like disappearing ink for text and photos has a certain allure. All messages are purposely short-lived, with the message deleting on the receiver’s device, the sender’s device, and on the system’s servers seconds or minutes after the message is read. Although these apps were initially only used by teenagers, they are now a ubiquitous part of corporate culture.

According to the 6th Annual Federal Judges Survey, put together by Exterro, Georgetown Law CLE, and EDRM, 20 Federal Judges were asked “[w]hat new data type should legal teams be most worried about in the 5 years?”[1] The overwhelming response was “Ephemeral Apps (Snapchat, Instagram, etc.).” Id. In fact, 68% of those surveyed believed ephemeral messaging apps were the most worrisome new data type, whereas only 16% responded that biometric data (including facial recognition and fingerprinting) were the greatest risk. Only 5% were concerned with Text Messages and Mobile, and 0% were concerned with the traditional social media such as Facebook and Twitter. Id.

Even now, Courts are attempting to sort out the evidentiary issues caused by ephemeral messaging apps, see e.g., Waymo LLC v. Uber Technologies, Inc. 17cv0939-WHA (NDCA). This article discusses popular ephemeral messaging apps and discusses guidelines for addressing potential evidentiary issues.

Short technical background:

There are several background definitions relevant to this discussion:

  1. Text Messages – otherwise known as SMS (“Short Message Service”) messages, text messages allow mobile device users to send and receive messages of up to 160 characters. These messages are sent using the mobile phone carriers’ network. Twenty-three billion text messages are sent worldwide each day.  Generally, mobile carriers do not retain the contents of SMS messages, so the records will only show the phone number that sent or received the messages and the time it was sent or received.
  2. Messaging Apps – allow users to send messages not tethered to a mobile device (i.e., a phone number). With some apps, a user may send messages from multiple devices. These apps include iMessage, WhatsApp, and Facebook Messenger. Messaging Apps are generally free. Unlike text messages, these apps rarely have monthly billing records or records showing when messages were sent or received.
  3. Ephemeral Messaging Apps – are a subset of Messaging Apps that allow users to cause messages (words or media) to disappear on the recipient’s device after a short duration. The duration of the message’s existence is set by the sender. Messages can last for seconds or days, unless the receiver of the message takes a “screenshot” of the message before its disappearance.
  4. End-to-End Encryption – also known as E2EE, this is a type of encryption where only the communicating parties can decipher the messages, which prevents eavesdroppers from reading them in transit.

Common Disappearing Messaging Apps:

Messaging apps, like all apps, are changing.  The following is a list and description of several popular ephemeral messaging apps.


Snapchat – both a messaging platform and a social network. The app allows users to send messages and media (including words and emojis appearing on the media) that disappear after a set period of time. Photos and videos created on Snapchat are called “snaps.” Approximately 1 million snaps are sent per day.

Signal – an encrypted communications app that uses the Internet to send one-to-one and group messages which can include files, voice notes, images and videos, which can be set to disappear after a set period of time. According to Wired, Signal is the one messaging app everyone should be using.

Wickr Me – a messaging app that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments.

Telegram – cloud-based instant messaging app with end-to-end encryption that allows users to send messages, photos, videos, audio messages and files. It has a feature where messages and attachments can disappear after a set period of time.

CoverMe – a private messaging app that allows users to exchange messages, files, photographs, and phone calls from a fake (or “burner”) phone number. It also allows for private internet browsing, and allows users to hide messages and files.

Confide – a messaging app that allows users to send end-to-end encrypted messages. The user can also send self-destructing messages that are purportedly screenshot-proof.

Evidentiary Issues:

Messaging app data, like other forms of evidence, must, amongst other criteria, be relevant (Fed.R.Evid. 401); authenticated (Fed.R.Evid. 901 et seq); and comply with the best evidence rule (Fed.R.Evid 1001 et seq).

As for the Best Evidence Rule, based on the nature of disappearing messaging apps, the original writing of the message is not preserved for litigation. See Fed.R.Evid. 1004(a) (finding that the original is not required if “all the originals are lost or destroyed, and not by the proponent acting in bad faith.”) Sometimes, the contents of the message may be established by the testimony of a witness. In other cases, the contents of the message may be based on a screen shot of the message.

Authenticating messages from apps, regardless of their ephemeral nature, is often difficult—text messages can be easily faked. When it comes to ephemeral messages, we often must rely upon a screenshot or testimony regarding the alleged contents of the message. In such circumstances, the following factors—repurposed from Best Practices for Authenticating Digital Evidence—are useful[2]:

  • testimony from a witness who identifies the account as that of the alleged author, on the basis that the witness on other occasions communicated with the account holder;
  • testimony from a participant in the conversation based on firsthand knowledge that the screen shot fairly and accurately captures the conversation;
  • evidence that the purported author used the same messaging app and associated screen name on other occasions;
  • evidence that the purported author acted in accordance with the message (e.g., when a meeting with that person was arranged in a message, he or she attended);
  • evidence that the purported author identified himself or herself as the individual sending the message;
  • use in the conversation of the customary nickname, avatar, or emoticon associated with the purported author;
  • disclosure in the message of particularized information either unique to the purported author or known only to a small group of individuals including the purported author;
  • evidence that the purported author had in his or her possession information given to the person using the messaging app;
  • evidence that the messaging app was downloaded on the purported author’s digital device; and
  • evidence that the purported author elsewhere discussed the same subject.

Conclusion:

Ephemeral messaging app data will continue to impact investigators, attorneys, and the Court. Defense teams should be prepared for the challenges ephemeral messages cause from investigations to evidentiary issues.


[1] Available at https://www.exterro.com/2020-judges-survey-ediscovery.

[2] Hon. Grimm, Capra, and Joseph, Best Practices for Authenticating Digital Evidence (West Academic Publishing 2016), pp. 11-12.

 

E-Discovery: Computer Forensic Images and Computer Forensic Reports

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

CJA panel attorneys frequently ask me for strategies for how to manage and review computer forensic images they receive in discovery. It is a great question. Forensic images are often difficult for CJA panel attorneys to access, and they can contain an immense amount of information (often much more than the rest of the discovery production). Without opening them, they already know that a lot of the information in the forensic image is irrelevant. But they also know that often crucial information is in the forensic image that is important for them to know so they can prepare their client’s defense.

Short technical background:

There are two ways data from a computer is provided in discovery:

  1. Duplicates, which refers to “an accurate and complete reproduction of all data objects independent of the physical media”; or
  2. Forensic Images, which refers to “a bit stream copy of the available data” (see SWGDE Digital & Multimedia Evidence Glossary, June 2016).

Usually the government provides forensic images.  The forensic image is created using specialized software such as opentext EnCase or AccessData Forensic Toolkit (FTK). These forensic images cannot be opened without specialized software. Although there are free viewer programs, such as AccessData’s FTK Imager, which enable users to review the contents of forensic images, the process can be time-consuming and difficult.

Computer Forensic Reports

Isn’t there a better way? Yes, there is. Computer Forensic Reports (there are caveats). But first, why are they important and relevant to you?

Besides the forensic image that the government provides you, they may also provide you something called a Forensic Report (or forensic program generated report). Two common examples for computers will be an EnCase Report or an FTK Report. These reports, generated through the forensic software program, can allow you to see and review the information extracted from the image in a more user-friendly way. This can frequently mean you won’t need to use a forensic image viewer or a computer expert to assist you.

FTK HTML Report

Now these computer forensic reports are not the same as a law enforcement report written by an agent discussing what information was on a computer and describing the evidence they think may be relevant to the criminal investigation. These forensic reports are generated through the forensic tool that was used to examine the data found on the device.

So, the first thing you should do when the government provides a forensic image to you is to ask the government if they have a forensic report as well and request a copy.

Forensic reports are useful because they can make it much easier for a legal professional to review data extracted from the device without having to use a forensic tool. Since most forensic examiners work with law enforcement, they typically create these reports for case agents and prosecutors. The information in the report can include information about documents, images, emails, and web browsing history. These reports often show both the content of a file as well as the metadata (such as the date the document was created). These reports are limited to the data extracted from the original device, the parameters of the forensic program, and the choices made by the forensic examiner.

The forensic reports can be provided in several formats, including PDF, Excel and HTML. Many forensic tools also include a reader or viewer program that is proprietary to the forensic tool, such as Magnet’s AXIOM Portable Case; opentext’s EnCase and AccessData’s FTK also have reader or viewer programs. These forensic reports allow legal professionals to search, review, sort and filter information in ways that can be superior to reviewing the reports in PDF, HTML or Excel formats.

Axiom Portable Case

These reports are valuable and frequently provide most of the information that a legal team will need to understand the contents of a forensic image. It should be noted that forensic reports may not contain all data that was on the original digital device.  Therefore, counsel should consider engaging a forensic expert or consultant when he or she does not understand the forensic report or image.

[NOTE: Law enforcement will frequently generate a forensic report after completing an extraction from a mobile device. A common forensic report seen in federal criminal cases is a Cellebrite Reader Report. We plan on doing another blog post focused on mobile devices shortly.]

Box.com FAQ’s

To assist federal defender offices and CJA panel attorneys who need to share and transfer e-discovery in their cases, the National Litigation Support Team (NLST) has obtained “cloud” space from Box.com for the short-term storage and transfer of data.

Details

Box.com is a simple cloud-based collaboration program that allows users to store, access, share, and transfer electronic files and documents.  The service encrypts all data and has additional security features.  Users can store an unlimited number of files, for their own use or to share with others, without having to use remote access to office computers. Defense teams can use different devices (such as computers, tablets, or smartphones) to access case data anywhere they can connect to the internet.  This allows CJA panel attorneys to share discovery and work product easily and efficiently in a secure environment.

Box.com is being used by the Department of Justice (DOJ) as their cloud service to distribute e-discovery to the defense. DOJ evaluated it against other similar products and concluded it best met their security standards.

Box.com is committed to ensuring that your data will remain as secure as possible, and providing strong customer support. They have worked closely with the NLST in designing a cloud service that effectively addresses CJA counsels’ growing problem of moving and sharing large volumes of data. The NLST will work directly with each defense team to set up their cloud case folders, and to provide ongoing support of their use of Box.com.

The NLST will manage:

  1. creating case folders to hold electronic information on a case in the cloud,
  2. inviting team members (“collaborators”) to help them get access to the cloud data, and,
  3. granting rights of different team members to get into specific folders.

Because cloud contracts like this store case information on servers owned by Box.com, attorneys remain ultimately responsible for the use of this service. Before using it, CJA members should review their local bar opinions regarding the use of cloud computing and storage.

Once approved, the NLST will send you a form asking for the case details including who will serve as the “point of contact” for each defense team, and who on the team should be given access to which files that have been stored on the cloud. Note that additional team members can be added later. The NLST will set up a short session to show all those who will use this cloud service how to navigate the system, and how to upload and download data. The NLST will be the team’s first point of contact if there are any questions about using Box.com, technical questions, or any concerns regarding using this cloud-based case information repository.

Please note that Box.com does not offer advanced e-discovery features found in online document review programs such as Relativity, Summation, or Catalyst. It does not have a database and other advanced tools for organizing, reviewing, and analyzing e-discovery. Rather, its purpose is for short-term storage and transfer of information in the “cloud.”

When the case has concluded, (or sooner if counsel no longer needs this service), the CJA lawyer must delete all case materials from Box.com. The NLST will help ensure the case files are deleted, and the case is properly closed. Counsel should always maintain a copy of all files on their office computer system (besides the information stored in the cloud), as only duplicate files should be stored on Box.com.

Below are some answers to Frequently Asked Questions (FAQ’s) in regards to this service:

What is the difference between Box.com and Dropbox?

Box.com and Dropbox are both cloud based repositories. The Department of Justice is using Box.com, renamed USAfx, to distribute discovery to defense counsel in many districts. Since the DOJ has approved of the security protocols of Box.com, we felt that it would be helpful to make Box.com available to federal defender offices and CJA panel attorneys on a national level. For that reason, the National Litigation Support Team (NLST) has a national contract with Box.com and not with DropBox. The NLST assists in creating and managing case folders on Box.com for the sharing of work product and discovery but we do not support the use of DropBox in any way.

Since USAfx is just Box.com rebranded, can I use my USAfx user ID to log in to a case folder that I have asked the NLST to create on Box.com?

Unfortunately, no. Your user ID and password for USAfx is unique to USAfx and will only work on USAfx. You will need to set up a regular Box.com account and use that user ID and password to access any case folder created by the NLST.

How do I request a new case folder to be set up?

If you think your case would benefit from having a case folder set up on Box.com, please contact the NLST (Kalei Achiu – kalei_achiu@fd.org, 510-250-6310; Alex Roberts – alex_roberts@fd.org, 510-637-1955; Kelly Scribner, 510-637-1952). Once it has been decided that Box.com is the way to go, fill out a request form at: http://survey.fd.org/TakeSurvey.aspx?SurveyID=boxrequest. You will be notified once your case folder is ready to be used.

What is a collaborator?

Every person invited to work within a folder on Box.com is known as a collaborator. Each collaborator needs to have their own Box.com account and needs to be invited to the folder by the NLST.  If you receive an invitation to collaborate on a folder and you don’t have a Box.com account yet, you will first need to set one up.

Can I invite other users to collaborate on a case folder myself?

Only the NLST can invite collaborators to a folder to ensure that only those who should have access to a folder are granted access.

We have an expert on our case. Can we give them access to just a specific folder under our case folder on Box.com?

Box.com works well for sharing a subset of information with an expert. Each sub-folder can have a different set of collaborators so you can set up a folder that only you and your expert can access.

Can access to a folder be limited to “read only” for certain users?

Each person invited to collaborate on a folder can be set up with their own unique permission level. The permission level options for Box collaborators are:
Box.com Permission Levels

How do I setup a Box.com account?

To set up a free, personal Box.com account, which is all you need to access any case folder created by the NLST, simply go to https://app.box.com/signup/n/personal and follow the instructions.

Can I access my Box.com folder on my phone or tablet?

Box.com is mobile device friendly. You can download the Box app to your phone or tablet and access your folders and documents using the same log in credentials you do on Box.com when sitting at your computer.

Why am I being asked to verify my account with a text code?

We want to make sure that the data being shared is done so in a secure way. Asking for a text code in addition to your user name and password is one way of ensuring that the person who is logging in is in fact the person authorized to see the data. This two factor authentication process is just one of the many security measures that makes Box.com a safer way to transfer data between legal teams, clients and experts.

How do I upload items?

There are two ways to upload items into your case folder. You can either (1) drag and drop a file or folder from your computer into the folder or (2) click on the “Upload” button at the top of the page and browse to the file or folder you want to upload.

How do I download items?

There are two ways to download items from your case folder. You can either (1) right click on the file or folder and choose the download option or (2) click on the ellipses […] next to the file or folder and choose download. Folders are downloaded as .zip files so you have to extract the files to your computer once the download is complete.

Can I get notified when another collaborator adds or deletes documents from a folder?

You can set your user preferences to receive email notifications when another collaborator downloads, uploads, makes comments, previews or deletes items from your case folder. Click on the down arrow next to your name and select account settings. Then click on Notifications along the menu bar. From there, you can select when you receive email notifications based on the actions of other collaborators.

How do I setup a sub-folder within a case folder?

If you have a folder on your computer that you want to make a sub-folder in your Box.com case folder, drag and drop the folder from your computer into your case folder. If you want to create a new sub-folder, click on the “New” button and a sub-folder will appear.

What happens when something is deleted?

Items that are deleted are moved to your Box.com Trash folder.  Deleted items will stay in the Trash folder for 90 days, during which time you can go into your Trash folder and restore those items to your case folder. After 90 days, they will be permanently deleted.

Is there a maximum amount of data that I can use Box.com to share?  What if I have 75 gigs or 1 terabyte?

There is no limit to the number of files or folders that can be shared on Box.com. For most users, there is a 250MB per file upload limit.  If you need to upload files larger than 250MB, contact the NLST for assistance.

How do I edit a Microsoft Office document that has been shared on Box.com and track each version on Box.com?

Collaborators can use Box Edit to make changes to Microsoft Office documents.  The changes will be saved directly back to Box.com along with access to prior versions of the document (see: https://app.box.com/services/box_edit for details and requirements).

Why is “NLST Admin” the Owner of the folder I requested to be created?

The NLST has a national contract with Box.com and is responsible for the creation and management of case folders in order to ensure that the appropriate security settings and collaborator permissions are used. We are responsible for the security of our hosted space on Box.com and we want to make sure that nobody is accidentally allowed access to any case data.

Can I use Box.com to store old case files?

While your personal Box.com space can be used for any purpose, the case folders set up on Box.com by the NLST are not designed for the long-term storage of old files. Case folders are meant for the short-term sharing and transfer of files and to allow teams to collaboratively edit documents while tracking each version.

So you think you don’t need tech?

Editor’s Note: Penny Marshall is currently in private practice, focusing on Law and Technology. Previously she was the Federal Defender for the Federal Public Defender Office for the District of Delaware. Her practice has also included the federal and local level in the District of Columbia and a year and a half stint in the state of Georgia. She has served as President of the Association of Federal Defenders and Chair of the Third Circuit Lawyers Advisory Committee. In addition, she is an adjunct faculty member at Widener Law School and has served as guest faculty at both Harvard Law School and Benjamin Cardozo School of Law.

Imagine that the government has provided you with 50 DVD’s, a stack of paper amounting to more than 100,000 documents, an ample number of CD’s and a list of several hundred witnesses. If you instinctively start to prepare by hiring enough paralegals to print out all of the documents on the DVD’s, put them all in manila folders, and then hope that you or your smart energetic personnel will remember, in the middle of cross-examination, exactly where a particular impeaching statement is located, then this blog is certainly for you.

Unfrozen Caveman Lawyer

Even in the less complex cases, there is increasing reliance by prosecutors on digital discovery rather than forwarding a stack of reports and pictures.  And certainly the video and audio of our clients providing visual and audio support for the government case will be represented in a digital fashion.

In the new technological age, more and more the government is able to “over paper” a case by putting any and all documents on electronic media and challenging YOU to find what is truly relevant. More and more the government is following the way of our civil counterparts, who have long used technology as a way to organize and present their case. We, as defense lawyers, are primed to catch up.

At different stages of litigation there are several advantages to the use of technology:

  • Generally, the first advantage is that technology allows all of your information to be stored and organized in a compact easy to find location.  Almost gone are the days of moving numerous boxes from one location to the other to be copied and filed.
  • The next advantage is that the digital approach allows for your documents to be searched, either by looking in the digital file or by a program that blitzes through numerous documents to find one name or one crucial word.  Tiny print, upside down lettering and even handwriting can be deciphered.
  • A third advantage is that technology is a less costly way of presenting evidence. For example, compare an FBI model with using a computer program to reconstruct a crime scene. Also think of the flexibility!
  • Fourth, technology organization requires you to focus on your case in advance. Rather than placing the paper in an accordion file and bringing it out close to trial, electronics says you must consider the parts of the case in advance.

The fact that we are in a visual age cannot be understated. TV, Text, Laptops, PCs, Phones, Tablets all require us to stare at electronic screens. Each of these competes for our attention by making more and more exciting bells and whistles. Check out the lines in front of an Apple store once a new “iDevice” is revealed.

Lining up for new technology

Even though jury duty is a diversion from the normal life for our citizenry, many jurors are regular consumers who expect theatrics in the courtroom. I must admit that, at first, I went kicking and screaming that I was not fully comfortable with tech in the courtroom, but having tried complex cases where it was an absolute necessity and experienced the impact of it in even the more modest case, I am an absolute convert. Think about it, even if you are one of the great lawyers of the day, jurors may tire of your voice in a long case with significant documents, especially if you are asking the Court’s indulgence to find your trial evidence!!

Important 11th Circuit decision regarding compelling of unencrypted data

Editor’s Note: Justin Murphy is a counsel at Crowell & Moring’s Washington, D.C. office, where he practices in the White Collar & Regulatory Enforcement Group and E-Discovery and Information Management Group. Justin’s practice focuses on SEC enforcement, white collar criminal matters, e-discovery matters relating to internal and government investigations, and related civil litigation. He has represented clients in both federal and state criminal proceedings, including state trial panel work in Maryland. Justin has a wealth of expertise in electronic discovery issues in government investigations and criminal litigation, having both written and presented on the subject. In this blog entry, Justin discusses United States v. Doe, a big win for AFPD Chet Kaufman of the Florida Northern Federal Public Defender Office.

Appeals Court Finds Encrypted Data Beyond Reach of Government Investigators

by: Justin P. Murphy, Counsel, Crowell & Moring LLP

In an important decision that could have significant implications for government enforcement, the Eleventh Circuit ruled that a suspect could not be required to decrypt his computer hard drives because it would implicate his Fifth Amendment privilege and amount to the suspect’s testifying against himself.

In United States v. Doe, the government seized hard drives that it believed contained child pornography.  Some of the hard drives were encrypted, and the suspect refused to decrypt the devices, invoking his Fifth Amendment right against self-incrimination.  The Eleventh Circuit held that compelling the suspect to decrypt and produce the drives’ contents “would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”  Moreover, the government could not force a suspect to decrypt and produce the information where it could not identify with “reasonable particularity” the existence of certain files, noting that an “act of production can be testimonial when that act conveys some explicit or implicit statement of fact that certain materials exist, are in the subpoenaed individual’s possession or control, or are authentic.”  The court also rejected the government’s attempt to immunize production of the drives’ contents because the government acknowledged that “it would use the contents of the unencrypted drives against” the suspect. 

This decision appears to limit government investigators’ ability to compel an individual to reveal the contents of devices encrypted with passwords or codes in a criminal investigation based only on government speculation as to what data may be contained in certain files.  Although a corporation or partnership does not enjoy Fifth Amendment protection, individuals and sole proprietorships do, and this decision could have a significant impact on small businesses and individuals who work in highly regulated industries including health care, government contracting, energy, chemicals, and others that may face government scrutiny. 

For a copy of the decision, please click here.

Recommendations for ESI Discovery in Federal Criminal Cases

The Administrative Office/Department of Justice Joint Working Group on Electronic Technology (JETWG) has announced the development of a recommended ESI protocol for use in federal criminal cases. Entitled “Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases”, it is the product of a collaborative effort between representatives from the Defender Services program and DOJ and it has DOJ leadership’s full support.

The primary purpose of the ESI protocol is to facilitate more predictable, cost-effective, and efficient management of electronic discovery and a reduction in the number of disputes relating to ESI. What this means for federal defenders and the CJA panel is that there is now a mechanism, through a meet and confer process, to address problems a receiving party might have with an ESI production early in a case, and to discuss the form of the discovery that they receive. The participants on both sides of JETWG are intimately familiar with the day-to-day challenges attorneys face in criminal cases, and the protocol reflects a pragmatic approach to the problems both prosecutors and defense attorneys face when dealing with electronic discovery.

The protocols were negotiated and drafted over an 18-month period by JETWG which has representatives from the Federal Defender Offices, CJA Panel, Office of Defender Services, and DOJ, with liaisons from the United States Judiciary. Andrew Goldsmith, the DOJ National Criminal Discovery Coordinator, and I (Sean Broderick) serve as co-chairs. Donna Elm, Federal Public Defender for the Middle District of Florida, Doug Mitchell, CJA Panel Attorney District Representative for the District of Nevada, Bob Burke, Chief of the Training Branch for Office of Defender Services, and Judy Mroczka, Chief of the Legal and Policy Branch for Office of Defender Services round out the membership on the Defender Services side of the joint working group.

The ESI protocol was directly impacted by input provided by FDO and CJA panel attorneys, FDO technology staff, paralegals, and investigators in the field. In addition, we received comments and input on draft versions of the Recommendations from different working groups comprised of Federal Defenders and CJA panel representatives (just as DOJ did on their side).

The Recommendations consist of four parts:

  1. an Introduction containing underlying principles, with hyperlinks to related recommendations and strategies; 
  2. the Recommendations themselves; 
  3. Strategies and Commentary that address technical and logistical issues in more detail and provide specific advice on discovery exchange challenges; and 
  4. an ESI Discovery Production Checklist.

In general, the agreement is designed to encourage early discussion of electronic discovery issues through “meet and confers,” the exchange of data in industry standard or reasonably useable formats, notice to the court of potential discovery issues, and resolution of disputes without court involvement where possible.

We are excited about this announcement. Although almost all information is now created and stored electronically, the discovery provisions of the Federal Rules of Criminal Procedure are largely silent on this issue. At the same time there is a void because criminal cases, just like civil cases, are impacted by our shift from a paper to a digital-based society. We believe that this is an important step towards addressing the ESI challenges that people can face in a federal criminal case, if not now, certainly in the future.

We expect to continue the collaborative process with DOJ, and look forward to an ongoing dialogue with people in the field who are dealing with electronic discovery.

PDF link: Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases

Posted in ESI

DeMystifying De-NIST

With ever-rising volumes of discovery data, legal teams are increasingly looking for solutions that can help them manage the amount of data they need to review. In circumstances where significant amounts of ESI (Electronically Stored Information) and forensic images of hard drives are involved, one common method is to “De-NIST” discovery data sets. “De-NIST”ing can be a significant time and money saver and an important part of the discovery review process.

So what the heck does “De-NIST” mean?  

NIST is the acronym for the National Institute of Standards and Technology (website www.nsrl.nist.gov).  One of NIST’s projects is the National Software Reference Library.  This project is designed to identify and collect software from various sources and create a Reference Data Set (RDS).  The RDS is a collection of digital signatures of known, traceable software applications. 

A digital signature is like a digital fingerprint (it is also commonly referred to as a hash value).  In theory, every file has a unique hash value.  If two files have the same hash value they are considered duplicates.  

Most software applications are comprised of multiple files. For example, when Adobe Acrobat Reader is installed, hundreds of standard files are copied to a computer’s hard drive. All of these standard install files are the same (i.e., they have identical hash values) no matter what computer they reside on. A typical computer contains hundreds of software applications. The files associated with running these applications are not user generated and hold little evidentiary value for litigation purposes. The NIST list is a database that contains over 28 million of these file signatures.

“De-NIST”ing is the process of identifying these files so that a decision can be made whether they should be set aside or removed from a discovery database. The NIST list is compared to the file signatures of the data sets within the discovery. Any file that has a signature that matches one in the NIST list can be “De-NIST”ed (identified or removed) from the collection.

While many legal review teams expect the De-NIST process to get rid of every application or system file within a data collection, it is important to note that the NIST list does not contain every single system file. Though it may not remove all of the system files, it can significantly reduce the dataset, especially when working with copies of hard drive images.

When presented with an overwhelming river of information, trying to find relevant information can feel like you’re panning for gold. De-NIST’ing can help to identify or get rid of much of the water, stones and muck and leave you with a much more manageable pan.
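The comparison described in this post, as an added example that is not part of the original post and is not NIST's or any review vendor's code: every file is hashed, looked up in a known-file hash list, and matches are set aside rather than deleted. The files and the hash list are constructed, and the CSV header is modelled on the NSRLFile.txt layout of older RDS releases, which is an assumption about the list you receive.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Column layout modelled on NSRLFile.txt from older RDS releases (assumption).
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def load_known_hashes(rds_csv_text):
    """Return the set of SHA-1 values (uppercase hex) listed in an RDS-style CSV."""
    reader = csv.DictReader(io.StringIO(rds_csv_text))
    return {row["SHA-1"].strip().upper() for row in reader if row.get("SHA-1")}


def sha1_of_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large exports do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def denist(root, known_hashes):
    """Split files under root into (for_review, set_aside) by hash lookup.

    Nothing is deleted: matches are only listed, so the review team decides
    whether to exclude them from the discovery database.
    """
    root = Path(root)
    for_review, set_aside = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if sha1_of_file(path) in known_hashes:
            set_aside.append(rel)
        else:
            for_review.append(rel)
    return sorted(for_review), sorted(set_aside)


def build_constructed_hash_list(install_files):
    """Build RDS-style CSV text for constructed 'known software' files."""
    rows = [RDS_HEADER]
    for name, data in install_files.items():
        sha1 = hashlib.sha1(data).hexdigest().upper()
        # MD5 and CRC32 columns are dummy values; only SHA-1 is used here.
        rows.append('"%s","%s","00000000","%s",%d,1,"358",""'
                    % (sha1, "0" * 32, name, len(data)))
    return "\n".join(rows) + "\n"


def run_demo():
    """De-NIST a small constructed data set and return (for_review, set_aside)."""
    install_files = {
        "reader.dll": b"constructed vendor library, build 1.0\n",
        "help.chm": b"constructed vendor help file\n",
    }
    known = load_known_hashes(build_constructed_hash_list(install_files))

    dataset = {
        # Standard install files: their hashes are in the list.
        "Program Files/Reader/reader.dll": install_files["reader.dll"],
        "Program Files/Reader/help.chm": install_files["help.chm"],
        # Same bytes under another name and folder: still matches on hash.
        "Users/client/Downloads/copy.bin": install_files["reader.dll"],
        # One added byte changes the hash, so a patched file is not matched.
        "Program Files/Reader/reader_patched.dll": install_files["reader.dll"] + b"\x00",
        # A system file that is simply not in the list stays in the review set.
        "Windows/unlisted.sys": b"constructed system file absent from the list\n",
        # User-generated content.
        "Users/client/Documents/ledger.txt": b"constructed user document\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in dataset.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return denist(tmp, known)


if __name__ == "__main__":
    review, aside = run_demo()
    print("Set aside (known software):", *aside, sep="\n  ")
    print("Keep for review:", *review, sep="\n  ")
```

The patched and unlisted files stay in the review set, which is the limitation the post notes: a hash list only removes exact copies of files it already knows about.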

The Role of a Coordinating Discovery Attorney

“I solve problems…”  

We all have our favorite lines from the Quentin Tarantino movie, Pulp Fiction.  Mine is from the scene where Winston Wolfe, played by Harvey Keitel, arrives to clean up a mess caused by the accidental discharge of John Travolta’s handgun.  As lawyers, we’re called upon to “solve problems” and help clean up messes.  For me, it includes addressing how to handle terabytes of data that may include hundreds of thousands of pages of documents, tens of thousands of emails, hundreds of email attachments, tens of thousands of wire taps, body wires, GPS longitude and latitude data, hundreds of photos and many hours of video.

But as investigative methods become more sophisticated, so do the means to cull through and organize massive amounts of discovery. Picking the right tool is the key to “solving problems”. It might mean creating sortable spreadsheets or retaining the services of state-of-the-art web-based document repositories.

For example, on multiple-defendant drug cases, we recommend using Excel spreadsheets to create sortable indices.  One of the spreadsheets is for the line sheets and corresponding wiretap audio files.  The other spreadsheet is for the remainder of the discovery and can include documents, photos, videos and body wire recordings.  Counsel can sort by defendant name, date, call number or any other subject for which we have entered information.  Each discovery item is hyperlinked to the spreadsheet; just sort down to a particular grouping and click on the hyperlink.  The document displays, audio plays or photograph opens. 

For fraud cases, which often include hundreds of thousands of pages of documents including emails, discovery can be hosted and accessed using an online document database.  Multiple defense team members can access, search, sort and identify documents simultaneously using sophisticated search features.  Online database programs have capacities to manage huge amounts of discovery – far greater than any desktop application.  They also have features to help find key documents, tag them for their importance and even save them for later review.

I can help solve your problems. I am a CJA Panel Attorney in Seattle, Washington. I am under contract with the Administrative Office of the U.S. Courts, Office of Defender Services as a Coordinating Discovery Attorney (“CDA”) to support your work on multi-defendant prosecutions involving large amounts of discovery. My job is to help you strategize and implement ways to use technology to create cost-effective ways to better represent clients in massive discovery cases for CJA panel attorneys and FDO staff across the country.

I evaluate each lawyer’s level of computer sophistication; identify the types of discovery involved; assist in determining how best to distribute the discovery; determine what technology and other resources are necessary for discovery review and management; and help in maintaining quality control of the discovery review process.

I focus on a limited number of cases each year that have been identified by the National Litigation Support Team (“NLST”) as needing a CDA, whether due to the complexity of the matter, the number of parties involved, or the nature and/or volume of the discovery.  After an initial consultation with the NLST, and a second one with me, a decision will be made about the use of my services.

The factors that are considered in determining whether a CDA should work on a particular case are:

  • Whether the number of co-defendants is so large as to create a risk of costly duplicative efforts, which could otherwise be eliminated or reduced upon the appointment of a CDA, or whether there are other factors that create a likelihood that the CDA’s participation would enable costs to be contained;
  • Whether the volume of discovery is so large that addressing the organizational needs in the case would interfere with defense counsel’s ability to address the legal and factual issues in a case;
  • Whether unusual organizational or technological issues exist, not commonly found even in complex cases, that would interfere with defense counsel’s ability to address the legal and factual issues in a case;
  • Whether the case is prosecuted in a region that lacks experts who can provide necessary technology support and document management expertise in addressing the factors described above;
  • Whether the timing of the request, which preferably should be made early in a case, is such that the CDA’s participation is likely to be of assistance to defense counsel, promote efficiency, and contain costs; and,
  • The CDA’s workload.

All these factors need not be present.  Any final determination will be made by the National Litigation Support Administrator.  In determining how much weight to provide each factor, the seriousness of the alleged offense will be factored into any decision.

If approved, CJA panel counsel then petitions the court for my appointment.  By having the court appoint, I will have standing to confer directly with the prosecution on issues of discovery, which allows for better coordination and overall cost-efficiencies regarding information exchange.  I will examine the discovery and propose a plan of action.  If counsel agrees, we’re on our way.  If outside services are necessary, the proposed services of vendors will be evaluated and competitive price quotes obtained.  I will recommend to the court the proposed strategy and petition for the necessary funds.  Throughout the project, work will be monitored to make sure it is being performed properly and in an expeditious manner.

Russell M. Aoki,

Coordinating Discovery Attorney

If you have any questions regarding the services of a CDA, please contact either:

E-Discovery Software Makes The New York Times: But What Does It Mean For You?

Always an observant lot, a number of federal defenders emailed me the link to a March 4, 2011 NY Times article which discusses how e-discovery software is saving attorney time and charges. See Armies of Expensive Lawyers, Replaced by Cheaper Software. Comparing the traditional method of document review where attorneys and paralegals do “eyes on paper,” the article discusses e-discovery software that can analyze documents more quickly and for less money – music to everyone’s ears, especially those who do indigent criminal defense work.

The article describes how some of these software analytics can more effectively search and retrieve information than ever before, even if a human being viewed and indexed every document. Examples include “conceptual searching” software which, broadly stated, can find the ideas in which you are interested, even if the specific keywords are not contained in the document. So, for example, if you are looking for the concept of “bill of law,” the program identifies relevant documents (documents that reference bill of laws, constitutional amendments, etc.) and excludes other documents which may have the word “bill” in them but do not include the concept of “bill” that you are interested in (such as duck bill).

(As an aside, this has been discussed and utilized for years within the electronic discovery world. Over four years ago, The Sedona Conference, a nonprofit research and educational institute dedicated to the advanced study of law and policy, published an excellent commentary discussing the challenges and potential solutions involved with searching large amounts of ESI in The Sedona Conference Best Practices Commentary on the Use of Search and Information Retrieval Methods in E-Discovery, August 2007 (TheSedonaConference.org). In part, the commentary states that “[h]uman review of documents in discovery is expensive, time consuming, and error-prone. There is growing consensus that the application of linguistic and mathematic-based content analysis, embodied in new forms of search and retrieval technologies, tools, techniques and process in support of the review function can effectively reduce litigation cost, time, and error rates.”)

As many federal defender staff and CJA panel attorneys know, federal criminal cases are experiencing an explosion of electronic data, with cases involving increased volume, multiple file types and multiple source devices including social media. The idea that technology can save us from this problem is enticing. I often wish that I was Spock talking to the computer on the Starship Enterprise, where the computer would provide me the relevant information succinctly and to the point (with a friendly voice to boot).

Though artificial intelligence has grown by leaps and bounds, it is nowhere near that Star Trek 23rd century vision of the world, and all of the software described in the New York Times article requires significant up-front human thinking and planning to make it effective. That is not to say it isn’t useful and shouldn’t be explored (in fact, it must be), but the software in itself is not a panacea to the problems of electronic discovery.

The article, which also focuses on the possibility that the software may reduce legal jobs, is a great read if you are interested in what is the current cutting-edge technology. Practically, the products mentioned in the NYT article are out of the realm of most people’s current day-to-day practice. The higher level analytics are very expensive and are currently only useful for the few exceptional cases that reach extremely large volumes of data. That said, there are limited instances where defense teams have taken advantage of this type of technology to narrow the data in their case. We have found that by using the proper workflow, doing front-end thinking and planning, this technology does result in overall cost-effectiveness and allows defense teams to spend more time on what they care about most.

Three additional points to consider:

  1. Paper and electronically scanned paper generally do not work with these new tools
     
    The majority of discovery in indigent federal criminal cases is in scanned paper form (i.e., it was a piece of paper that was imaged and then converted into either TIFF or PDF format even though almost all of that paper was originally produced by a computer). As exciting as these new tools are, they generally don’t work with scanned paper because they are designed to use the metadata associated with the native ESI to do the higher level searching and threading. This is one reason why it is important for opposing parties to discuss in advance the form in which information in the case will be produced.
     
  2. When dealing with sizable amounts of information, a review tool is needed
     
    Historically, people who do indigent criminal work have gotten by without using an in-house review tool such as Concordance or Summation, or one of the many web-hosted solutions now out there. Instead, they used Adobe Acrobat Reader, IPRO, Windows Explorer, or they simply printed out the documents to look at them. With the dramatic volume increase, and the myriad file formats containing additional information that isn’t visible when you simply hit “print,” federal defender offices and CJA panel attorneys have a greater need to have a review tool (be it on their computer or web-based), which allows them to more effectively review and manage case information.
     
  3. Greater productivity is needed just to keep pace with the information explosion. 
     
    Though not a panacea, we must examine and embrace new technologies to deal with this onslaught. Electronic discovery experts recognize that while all the new technology in the litigation support arena should allow us to search in more sophisticated ways, organize in a more refined manner and review more data faster, we continue to be hard pressed to keep up with the amount of information inundating us.

Ralph Losey, a nationally recognized electronic discovery expert, had his typical witty and insightful take on this article. See NY Times Discovers e-Discovery, But Gets the Jobs Report Wrong.  I found the following particularly relevant to the future challenges in the criminal litigation context: “The new technologies allow us to go faster and search and review more and more bits than ever before, but still, we are just treading water. . . . I do not know the actual metrics here. I don’t think anyone does. But it is my impression that the incredible advancements and improvements in search and review speed made possible by some software are roughly counterbalanced by the growth in information.”

The “tried and true” discovery management techniques that serve so well in cases involving a handful of bankers boxes of paper documents will not work in modern-day litigation. Just the volume itself forces one to take advantage of what technology has to offer. At this point in time, everyone who practices law uses some form of technology. By taking the next steps of learning more about technology and understanding how information is stored digitally, people can do their jobs more effectively and efficiently. I firmly believe that with the right education, human resources, processes, and tools, the computer can help you process, organize, and find critical information more quickly and allow you to more effectively represent your client during these times of limited funds.

– Sean
