This post is part of an ongoing series of videos on how Microsoft Excel can help CJA practitioners (including attorneys, paralegals, investigators, and mitigation specialists) in their CJA cases.
Today’s Post: Filename Lists
When working with discovery, investigative documents, or other case-related materials, it is often helpful to have a list of filenames in an Excel table.
There are times when the government produces to defense counsel digital files where the name of the file indicates something about the file content without a user having to open each file individually.
For example, the government may produce a list of investigative reports in PDF format which, as part of the file name, has the date of the report, the type of report (e.g. FBI 302) and the author. In those instances, it can be beneficial to create a spreadsheet of the filenames and information about the files for later review and organization. Even in instances where the filename is only the Bates number of the file, it can be useful to have a spreadsheet of those numbers.
Microsoft Excel is a useful tool for generating such a filename list. When properly setup, Excel allows users to sort, filter and search for specific files based on different criteria. Fields can be created and associated such as comments, document type, review status, dates and related issues. Additionally, hyperlinks to a specific file or folder can be created for quick and easy access to an item. We will examine these functions in greater detail in future videos.
This video will demonstrate how lists can quickly be created and recommendations to follow when setting up a file list. The video looks at three methods for creating filename lists:
Method 1: Creating a query table by running the “Get Folder Data” process that is currently available in the newer “Office 365” version of Excel.
Method 2: Using the “Copy Path” process available in Windows File Explorer.
Method 3: Using a “File List Program” specifically designed for creating a list of files in Excel format (ex: Directory List and Print).
We recently spoke to a well-respected CJA panel attorney, and he mentioned he had a discovery coordinator on a multidefendant case. He did not understand how discovery coordinators were either assigned or appointed in federal CJA cases, or what his expectations should be for what the discovery coordinator could do to assist him or his fellow CJA panel counsel. After talking with him, we thought it would help to have a blog post on the current state of discovery coordination in federal criminal cases.
Hundreds of multidefendant criminal prosecutions are occurring in federal courts throughout the United States. As federal criminal defense lawyers know well, these cases frequently involve complex forms and large amount of e-discovery. Complicating matters for many individual clients in multidefendant cases is that much of the discovery produced is not relevant to them. Even so, the defense team still needs to organize and manage the discovery. It can be laborious, overwhelming and time consuming for individual defense teams to organize the discovery on their own.
To help address this issue, the Administrative Office of U.S. Courts Committee on Defender Services approved the use of national Coordinating Discovery Attorneys (CDAs) to assist with discovery coordination between the government and the defense team, and to manage the discovery for all court appointed defense attorneys in multidefendant cases. Having a CDA serve as a single point of contact for distribution of discovery, managing the discovery and coordinating the vendor relationships necessary in complex cases can be an advantage to all involved. For the courts, who are in part overseeing CJA expenditures in a case, they are understandably interested in ways to lower costs by avoiding defense teams having to duplicate basic organization and management of discovery[1]. For defense counsel, who are concentrating on the needs and interests of their particular client, and who are focusing on case strategy, a CDA can assist with uploading, centralizing, and overseeing organization of voluminous discovery. For prosecutors, having a single source of distribution of discovery for all clients makes production of discovery more efficient. They can discuss form of production with one or two knowledgeable counsel as opposed to dozens of attorneys who may have varying experience and knowledge with technology and e-discovery.
However, not all discovery coordination is the same. Districts have implemented discovery coordination in a number of ways. Historically, there have been four principal types of discovery coordinators in federal criminal cases: National Coordinating Discovery Attorneys; Local Coordinating Discovery Attorney; Joint Paralegals or Investigators; and, Litigation Support Vendors.
This blog post describes four types of discovery coordination and explains the strengths and limitations of each one from the perspective of CJA panel counsel.
National Coordinating Discovery Attorneys
National Coordinating Discovery Attorneys (CDAs) are federal criminal defense attorneys who have experience working on CJA cases. The national CDAs have been appointed by federal district judges in numerous multidefendant cases in some of the most complex litigation in the United States. Since they are appointed by district courts, they have standing to communicate directly with the government. They are experienced in participating in Rule 16.1 “meet and confers” with the prosecution. These meetings can result in CJA panel attorneys obtaining discovery from the government in more useful formats, setting deadlines for rolling productions, getting volume estimates for planning purposes, and assisting the defense teams in setting dates for events that rely upon productions (e.g. pretrial motions, motions in limine, preliminary list of exhibits and witnesses, and trial dates). CDAs provide status reports to the court regarding the status of discovery productions which can assist defense counsel with preparing their case as the court will have a third party source to notify it regarding problems and challenges with discovery production (which can result in more time or more resources to assist defense counsel in the case).
The national CDAs are managed by the National Litigation Support Team (NLST), which provides a support network for guidance on pressing technology challenges. This national support network assists the CDAs develop innovative and practical solutions focused on the needs of CJA cases. Accordingly, CDAs are knowledgeable about the types of software programs available to assist in the management of discovery and know how to effectively use technology and litigation support vendors to assist with the organization, search, review and analysis of large volumes of electronically stored information (ESI).
CDAs have project management and technical support staff proficient in industry standard technology used to organize and review discovery. Additionally, CDAs’ staff provide training and technical support to all legal teams and can assist in executing the strategies that the CDA recommends in categorizing and searching the data received. CDAs monitor the marketplace and are experienced in vetting litigation support and e-discovery vendors to make certain that vendors provide quality services at the best possible rates. They are experienced in preparing funds requests to the court for third party assistance which they can do on behalf of CJA panel attorneys. Finally, CDAs are contracted with Administrative Office of U.S. Courts, Defender Services Office, so panel counsel need not prepare funds requests to the courts for their assistance.
Though CDAs have been appointed in cases in half of the federal districts in the country, they may not have experience in your jurisdiction. Due to their workload, they are only assigned to a limited number of cases. Also, they cannot do subjective analysis of the discovery for your particular client. For example, they will not tell defense counsel “here are all the files that relate to your client.” You will still need to develop a theory of defense, and use the tools provided to search, review and prepare the defense case (but that is what you are trained to do).
Currently, CDAs provide experience, technical proficiency, dedicated staff and accountability with experience in more than 45 federal district courts.
Local Coordinating Discovery Attorneys
In several jurisdictions, districts have appointed coordinating discovery attorneys on cases. Typically, they are attorneys that the court, or those who manage the CJA panel in that jurisdiction, have identified as having e-discovery experience in criminal cases. Since they are working in their own jurisdictions, these local CDAs know the practices and the types of government discovery productions which can help them when working with CJA panel attorneys. However, they have limited experience performing discovery coordination. The local CDAs do not have experienced staff such as project managers or technical support personnel who are knowledgeable and skilled with litigation support technology to help. Due to their limited assignments to complex cases (there have only been a handful of local CDAs appointed to multidefendant cases), they are limited in their experience in vetting litigation support and e-discovery vendors, and they do not have the breadth of experience training on various technology solutions similar to the national CDAs.
Joint Paralegals or Investigators
Joint paralegals have provided discovery coordination in a number of cases. Typically, this assistance has been done informally, where the paralegal has been officially appointed to assist one attorney representing a single defendant, but with the understanding that they may assist all of the defense teams with basic organization of discovery. The advantages of joint paralegals are that they often have significant experience working with and managing discovery in their own cases, and they are familiar with litigation support technology.
Though having a joint paralegal (or investigator) provide basic organization for multiple defense teams can work, there are issues to consider upfront to improve success for everyone. One question to clarify at the inception is how they are appointed to work in the case. Typically, even if there is an understanding that a joint paralegal’s work may be used to assist multiple defense teams, practically they will be appointed to assist a single client. Defense teams need to address what work is to be done, define what specific output they expect the paralegal to provide (e.g. level of detail in joint indices, what objective information is to coded, whether they will be producing spreadsheets or word indices, etc.), and prioritization of the work. Both the attorney who is responsible for the joint paralegal (under the Professional Rule of Responsibility 5.3), and the joint paralegal need to be clear about their roles between themselves and the rest of the defense teams and be aware of potential ethical considerations that may arise. As one example, an attorney for a different client may ask the joint paralegal to do subjective analysis specific to their client, but this request could reveal case strategy that the attorney may not want to share with defense counsel representing other clients.
Joint paralegals will be limited in communicating with the government. They are not in a position to receive the discovery directly from the government, nor are they in a position to lead a Rule 16.1 conference (though they certainly can assist counsel during that meeting or process). Joint paralegals rarely have staff to assist them. They will have limited experience compared to CDAs regarding various technology challenges that may be present in a case, limited exposure to litigation support technology outside of what they have been able to use with defense counsel they have worked with, and likely have limited experience in vetting litigation support and e-discovery vendors. Finally, they will have limited or no experienced in preparing funds requests to the court for third party assistance.
Third Party Vendors
There are several vendors who have worked on CJA cases, and who have played an important role in discovery coordination in multidefendant cases. Among other things, they have served as a clearing house for discovery productions and pushing out discovery to various defense teams and providing discovery tools such as spreadsheets or online databases for use in cases. In the right situation, a good litigation support or e-discovery vendor can bring industry standard technology, security and experience along with their services. They frequently have staff who can assist in the project, so they can scale up or down depending on the size of the case.
However, most vendors do not have significant experience working on CJA cases. Most litigation support and e-discovery vendors are focused on civil litigation (especially since it is challenging to be a viable business subsisting only on CJA cases).
Similar to joint paralegals, they will not be appointed to the case, but rather appointed to assist one of the defense teams, even if it is on behalf of the other defense teams. They, and the attorney who filed the funds request for their assistance from the court, must be mindful of the ethical issues that can arise as their appointment may likely to be specific to one attorney and client.
Vendors cannot communicate with the government on format of production or issues with data provided. They will not have experience participating in Rule 16.1 “meet and confers” with the government. Though they are experienced with litigation support technology, they may default to their own solutions, even if it is a poor fit for the needs of the case. They will not be experienced vetting litigation support and e-discovery vendors to make certain that vendors provide quality services at the best possible rates, nor will they be able to prepare funds for third party assistance.
Conclusion
Whatever your situation, be it a single or multidefendant case, the NLST is available to consult with appointed counsel when considering how best to manage and organize discovery in your case.
[Editor’s Note: Sean Broderick is the National Litigation Support Administrator. He provides guidance and recommendations to federal courts, federal defender organization staff, and court appointed attorneys on electronic discovery and complex cases, particularly in the areas of evidence organization, document management and trial presentation. Sean is also the co-chair of the Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), a joint Department of Justice and Administrative Office of the U.S. Courts national working group which examines the use of electronic technology in the federal criminal justice system and suggested practices for the efficient and cost-effective management of post-indictment electronic discovery.
John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]
Most federal criminal cases involve discovery that originally came from a cell phone. CJA panel attorneys and Federal Defenders have now become accustomed to receiving “reports” generated from Cellebrite.[1] In this blog post, we will talk about the valuable information that may be contained in those Cellebrite generated reports and what form of production you can get the reports in. Spoiler alert: we suggest you request that you receive those reports in Cellebrite Reader format and not just default to the PDF format that you know and love.
We are going to cover:
the basic concepts behind the forensic process that law enforcement uses when using Cellebrite UFED to extract information from a phone,
what is a Cellebrite generated mobile forensic report (which Cellebrite calls extraction reports), and
the pros and cons for the potential formats you can receive Cellebrite generated reports in.
Though there are a number of forensic tools that law enforcement may use to extract data from a phone, the most common is Cellebrite. We are going to discuss Cellebrite, but know there are others (e.g. Oxygen, Paraben, etc.). Many of the processes and principles that apply to Cellebrite will apply to other tools.
Basic concepts behind the forensic process
How does a digital forensic examiner get the data from the mobile phone? Extracting data from mobile devices (a.k.a. acquisition) is complex and requires a great amount of skill when done correctly. For purposes of this blog post, we are only going to focus on one concept, which is the type of extraction that was performed. In order to retrieve data from a mobile phone, an examiner attaches the mobile phone to a computer which has the Cellebrite UFED software, follows a series of protocols, and saves a portion of the data on an external storage device. In most cases, examiners will not retrieve all data that was on the mobile phone at the time of the extraction—this is based in part on the phone’s memory architecture. Moreover, the type of extraction that is performed on the device can limit the amount of data that is retrieved.
The following are the most common types of extractions for Android devices: (1) Logical (or Advanced Logical); (2) File System; and (3) Physical. As for Apple, the most common types are Logical (Partial) and Advanced Logical. Generally, physical extractions retrieve the most data. After the iPhone 4, physical extractions are currently no longer available with Cellebrite with an iPhone device.
After a digital forensic examiner does an extraction of a phone (for this example, we will assume that the extraction was done through the Cellebrite UFED4PC), it generates an extraction files/folders, along with a .UFD (text) file that tells Cellebrite Physical Analyzer basic information about the extraction (such as which UFED was used, start and finish time, and hash information). The extraction files can be produced in a number of formats (.zip and .bin are common examples) depending on the type of extraction done. The takeaway here is that the type of extraction impacts the type and volume of data that was retrieved during the extraction process.
What is a Cellebrite generated report?
After extracting the data, the examiner uses Cellebrite Physical Analyzer to review the data retrieved from the mobile phone. The examiner also has the option of generating a report, which allows users without specialized forensic software to view the data retrieved from the mobile phone. As discussed below, the “extraction report” may be produced in multiple formats. Of note, the examiner can apply filters to decide what data types to export (e.g. emails, images, instant messages, searched items, etc.), and can further filter the data by date range. These reports are limited to the data extracted from the original device; the parameters of the forensic program dictated by the forensic examiner. The takeaway here is that a report does not necessarily include all data that was retrieved during the extraction.
Option for the Cellebrite generated report (extraction report)
Cellebrite generated reports, like the extractions described above, contain information from the mobile phone. This may include text messages, emails, call logs, web browsing history, location data, etc. They can be produced in a number of formats, though the most common are .PDF, .HTML, and .UFDR. There are pros and cons for each format of report.
PDF
Report in PDF format
There are several pros to receiving a Cellebrite generated report in PDF. CJA panel attorneys and Federal Defender defense teams are used to working PDFs. It is easy to add Bates stamps to them. They work on Macs. And they can be annotated and highlighted.
But there are also several important cons that make PDF a less desirable file type for Cellebrite generated reports. For instance, because phones have the capacity to contain large volumes of data, the reports generated from extractions can be quite large. A Cellebrite generated PDF report can easily reach 10,000 pages, which can cause a computer to slow down or even crash. Moreover, users cannot sort or filter data, hide data fields, or search within search results. In short, although PDFs are a convenient file type, it is not the most useful or efficient format for reviewing these types of reports.
HTML
Report in HTML format
There are several pros to receiving a Cellebrite generated report in the HTML format. The files load fast and can be viewed in any browser (such as Chrome, Firefox or Safari). In this format, each data type, such as SMS Messages, are hyperlinked and open in a new browser. (Please note that the hyperlinks only work if the file and the data are provided with the HTML file which can easily get overlooked when people move data.) Moreover, it is easy to search within HTML files and they operate on Macs.
But like PDFs, HTML files have several notable cons. First, you cannot sort or filter the data. Nor can you hide data fields. And you cannot easily generate reports for other subsets of information. Although HTML files are easy to use, they have significant limitations when it comes to reviewing reports.
UFDR
Report in UFDR format
The best format for receiving Cellebrite generated reports is the Cellebrite Reader format. The Cellebrite Reader format allows a user to create reports containing all data, or a portion thereof, in multiple formats including PDF, HTML and UFDR. So, if you receive if in UFDR format you can easily convert it to PDF or HTML later on (which is not possible if you receive it in HTML or PDF). Additionally, in this file format, users can sort and filter data, can search within results, can move or reorder data within columns, and can create tags—which is a convenient way to organize large volumes of discovery. And a user can open multiple UFDR files at the time and search across them. This allows a user to, amongst other things, search for keywords across multiple devices simultaneously.
The one downside to UFDR files is that they will not work on a Mac. You also need to have the free Cellebrite Reader program to open and use the UFDR file. Overall, this is the format you should request when speaking to the government about what form you would like reports generated from Cellebrite produced in.
Final note about formats: When deciding about your preferred format to review a Cellebrite generated report, remember that it is easy for an examiner to select all three formats at the same time. Often, an examiner will provide all three to make it easier for people to review the data in the way they want.
Conclusion
Mobile forensic reports are a ubiquitous part of discovery. When reviewing them, it is important to remember that the information in the report is limited by the limitations of retrieving data from mobile devices, the type of extraction performed on the device, and the data the examiner decided to include in the report. And the form of production of the report can affect how you review the data. Attorneys should consider contacting an expert or consultant if they have questions about the contents of a report.
Of note, Troy Schnack, Computer System Administrator for Federal Public Defender Office in Kansas City, Missouri, will be doing a webinar on mobile devices and will go into detail regarding Cellebrite Reader on Tuesday, September 22, 2020. Please register for the program on fd.org – we highly recommend it.
[1]Cellebrite UFED is a mobile forensic software program that allows trained users to extract and analyze phone call history, contact information, audio, photos, and videos and texts from mobile phones or forensic images of mobile devices produced as part of discovery. It has wide coverage for accessing digital devices from Android to Apple, with more than 31,000 device profiles of the most common phones. Cellebrite UFED can come as software only or can include a physical unit with accessories such as tip and cable set to connect to various mobile devices.
[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]
Ephemeral Messaging Apps are a popular form of communication. With privacy a concern for everyone, using a self-destructing message that works like disappearing ink for text and photos has a certain allure. All messages are purposely short-lived, with the message deleting on the receiver’s device, the sender’s device, and on the system’s servers seconds or minutes after the message is read. Although these apps were initially only used by teenagers, they are now a ubiquitous part of corporate culture.
According to the 6th Annual Federal Judges Survey, put together by Exterro, Georgetown Law CLE, and EDRM, 20 Federal Judges were asked “[w]hat new data type should legal teams be most worried about in the 5 years?”[1] The overwhelming response was “Ephemeral Apps (Snapchat, Instagram, etc.).” Id. In fact, 68% of those surveyed believed ephemeral messaging apps where the most worrisome new data type, whereas only 16% responded that biometric data (including facial recognition and fingerprinting) were the greatest risk. Only 5% were concerned with Text Messages and Mobile, and 0% were concerned with the traditional social media such as Facebook and Twitter. Id.
Even now, Courts are attempting to sort out the evidentiary issues cause by ephemeral messaging apps, see e.g., Waymo LLC v. Uber Technologies, Inc.17cv0939-WHA (NDCA). This article discusses popular ephemeral messaging apps and discusses guidelines for addressing potential evidentiary issues.
Short technical background:
There are several background definitions relevant to this discussion:
Text Messages – otherwise known as SMS (“Short Message Service”) messages, text messages allow mobile device users to send and receive messages of up to 160 characters. These messages are sent using the mobile phone carriers’ network. Twenty-three billion text messages are sent worldwide each day. Generally, mobile carriers do not retain the contents of SMS messages, so the records will only show the phone number that sent or received the messages and the time it was sent or received.
Messaging Apps – allow users to send messages not tethered to a mobile device (e., a phone number). With some apps, a user may send messages from multiple devices. These apps include iMessage, WhatsApp, and Facebook Messenger. Messaging Apps are generally free. Unlike text messages, these apps rarely have monthly billing records or records showing when messages were sent or received.
Ephemeral Messaging Apps – are a subset of Messaging Apps that allow users to cause messages (words or media) to disappear on the recipient’s device after a short duration. The duration of the message’s existence is set by the sender. Messages can last for seconds or days, unless the receiver of the message takes a “screenshot” of the message before its disappearance.
End-to-End Encryption – also known as E2EE, this is a type of encryption where only the communicating parties can decipher the messages, which prevents eavesdroppers from reading them in transit.
Common Disappearing Messaging Apps:
Messaging apps, like all apps, are changing. The following is a list and description of several popular ephemeral messaging apps.
Snapchat – both a messaging platform and a social network. The app allows users to send messages and media (including words and emojis appearing on the media) that disappear after a set period of time. Photos and videos created on Snapchat are called “snaps.” Approximately 1 million snaps are sent per day.
Signal – an encrypted communications app that uses the Internet to send one-to-one and group messages which can include files, voice notes, images and videos, which can be set to disappear after a set period of time. According to Wired, Signal is the one messaging app everyone should be using.
Wickr Me – a messaging app that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments.
Telegram – cloud-based instant messaging app with end-to-end encryption that allows users to send messages, photos, videos, audio messages and files. It has a feature where messages and attachments can disappear after a set period of time.
CoverMe – a private messaging app that allows users to exchange messages, files, photographs, and phone calls from a fake (or “burner”) phone number. It also allows for private internet browsing, and llows users to hide messages and files.
Confide – a messaging app that allows users to send end-to-end encrypted messages. The user can also send self-destructing messages purportedly screenshot-proof.
Evidentiary Issues:
Messaging app data, like other forms of evidence, must, amongst other criteria, be relevant (Fed.R.Evid. 401); authenticated (Fed.R.Evid. 901 et seq); and comply with the best evidence rule (Fed.R.Evid 1001 et seq).
As for the Best Evidence Rule, based on the nature of disappearing messaging apps, the original writing of the message is not preserved for litigation. SeeFed.R.Evid. 1004(a) (finding that the original is not required if “all the originals are lost or destroyed, and not by the proponent acting in bad faith.”) Sometimes, the contents of the message may be established by the testimony of a witness. In other cases, the contents of the message may be based on a screen shot of the message.
Authenticating messages from apps, regardless of their ephemeral nature, is often difficult—text messages can be easily faked. When it comes ephemeral messages, we often must rely upon a screenshot or testimony regarding the alleged contents of the message. In such circumstances, the following factors—repurposed from Best Practices for Authenticating Digital Evidence—are useful[2]:
testimony from a witness who identifies the account as that of the alleged author, on the basis that the witness on other occasions communicated with the account holder;
testimony from a participant in the conversation based on firsthand knowledge that the screen shot fairly and accurately captures the conversation;
evidence that the purported author used the same messaging app and associated screen name on other occasions;
evidence that the purported author acted in accordance with the message (e.g., when a meeting with that person was arranged in a message, he or she attended);
evidence that the purported author identified himself or herself as the individual sending the message;
use in the conversation of the customary nickname, avatar, or emoticon associated with the purported author;
disclosure in the message of particularized information either unique to the purported author or known only to a small group of individuals including the purported author;
evidence that the purported author had in his or her possession information given to the person using messaging app;
evidence that the messaging app was downloaded on the purported author’s digital device; and evidence that the purported author elsewhere discussed the same subject.
Conclusion:
Ephemeral messaging app data will continue to impact investigators, attorneys, and the Court. Defense teams should be prepared for the challenges ephemeral messages cause from investigations to evidentiary issues.
[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]
CJA panel attorneys frequently ask me for strategies for how to manage and review computer forensic images they receive in discovery. It is a great question. Forensic images are often difficult for CJA panel attorneys to access, and they can contain an immense amount of information (often much more than the rest of the discovery production). Without opening them, they already know that a lot of the information in the forensic image is irrelevant. But they also know that often crucial information is in the forensic image that is important for them to know so they can prepare their client’s defense.
Short technical background:
There are two ways data from a computer is provided in discovery:
Duplicates, which refers to “an accurate and complete reproduction of all data objects independent of the physical media”; or
Usually the government provides forensic images. The forensic image is created using specialized software such as opentext EnCase or AccessData Forensic Toolkit (FTK). These forensic images cannot be opened without specialized software. Although there are free viewer programs, such as AccessData’s FTK Imager, which enable users to review the contents of forensic images, the process can be time-consuming and difficult.
Computer Forensic Reports
Isn’t there a better way? Yes, there is. Computer Forensic Reports (there are caveats). But first, why are they important and relevant to you?
Besides the forensic image that the government provides you, they may also provide you something called a Forensic Report (or forensic program generated report). Two common examples for computers will be an EnCase Report or an FTK Report. These reports, generated through the forensic software program, can allow you to see and review the information extracted from the image in a more user-friendly way. This can frequently mean you won’t need to use a forensic image viewer or a computer expert to assist you.
FTK HTML Report
Now these computer forensic reports are not the same as a law enforcement report written by an agent discussing what information was on a computer and describing the evidence they think may be relevant to the criminal investigation. These forensic reports are generated through the forensic tool that was used to examine the data found on the device.
So, the first thing you should do when the government provides a forensic image to you is to ask the government if they have a forensic report as well and request a copy.
Forensic reports are useful because they can make it much easier for a legal professional to review data extracted from the device without having to use a forensic tool. Since most forensic examiners work with law enforcement, they typically create these reports for case agents and prosecutors. The information in the report can include information about documents, images, emails, and web browsing history. These reports often show both the content of a file as well as the metadata (such as the date the document was created). These reports are limited to the data extracted from the original device, the parameters of the forensic program, and the choices made by the forensic examiner.
The forensic reports can be provided in a several formats, including PDF, Excel and HTML. Many forensic tools also include a reader or viewer program that is proprietary to the forensic too, such as Magnet’s AXIOM Portable Case, opentext’s EnCase and AccessData’s FTK also have reader or viewer programs. These forensic reports allow legal professionals to search, review, sort and filter information in ways that can be superior to reviewing the reports in PDF, HTML or Excel formats.
Axiom Portable Case
These reports are valuable and frequently provide most of the information that a legal team will need to understand the contents of a forensic image. It should be noted that forensic reports may not contain all data that was on the original digital device. Therefore, counsel should consider engaging a forensic expert or consultant when he or she does not understand the forensic report or image.
[NOTE: Law enforcement will frequently generate a forensic report after completing an extraction from a mobile device. A common forensic report seen in federal criminal cases is a Cellebrite Reader Report. See the Mobile Forensic Reports post for more details.]
The National Litigation Support Team (NLST) recently presented a national webinar entitled, “Managing and Reviewing Electronic Discovery for CJA Panel Attorneys.” This 90-minute webinar was recorded and is available on fd.org for your review. The recording provides an overview of technology, techniques and search strategies that can help CJA panel attorneys (and federal defender organization personnel) with your review and analysis of electronically stored information that is provided in discovery. We discussed resources that are available to you as a CJA panel attorney or federal defender employee, and questions to ask the next time you get a complex case. Topics covered include the importance of search and retrieval techniques, encryption, Box.com, Adobe Acrobat Pro, dtSearch, CaseMap, Casepoint, and new federal criminal Rule 16.1.
If you are interested in viewing the recording, please go to fd.org/program-materials-and-videos. (NOTE: To view the webinar, you will need to be either a CJA panel attorney who has registered with fd.org , or a member of a federal defender office. If you need assistance accessing the information, go to fd.org/login-help). If you have follow-up questions about any of the topics (as the presentation was meant as an overview), please email us.
PDFs (portable document format files) are a common file format in federal criminal discovery. But are all PDFs created equal? As you all have experienced, the answer is no, they are not.
Think about PDFs in three distinct categories:
True PDFs;
Image-based PDFs; and
Made-searchable PDFs.
For discovery review, these distinctions are important because it impacts whether the PDF is searchable and the accuracy of your text searches within the PDF file. With voluminous discovery, the ability to search and review PDFs is critical for organizing and reviewing it.
True PDFs (also known as text-based or digitally created PDFs). These PDFs are created using software such as Microsoft Word, Excel, or using the “print to PDF” function in those programs. They consist of both text and images. We should think about these PDFs having two layers – one layer is the image and a second layer is the text. The image layer shows what the document will look like if it is printed to paper. The text layer is searchable text that is carried over from the original Word file into the new PDF file (the technical term for this layer is “extracted text”). There is no need to make it searchable and the new PDF will have the same text as the original Word file. An example of True PDFs that federal defenders and CJA panel attorneys will be familiar with are the pleadings filed in CM/ECF. The pleading is originally created in Word, but then the attorney either saves it as PDF or prints to PDF and they file that PDF document with the court. Using either process, there is now a PDF file created with an image layer plus text layer. In terms of usability, this is the best type of PDF to receive in discovery as it will have the closest to text searchability of the original file. Click here to see an example of a True PDF.
Image-based PDFs (also known as image-only PDFs). Image-based PDFs are typically created through scanning paper in a copier, taking photographs or taking screenshots. To a computer, they are images. Though we humans can see text in the image, the file only consists of the image layer but not the searchable text layer that True PDFs contain. As a result, we cannot use a computer to search the text we see in the image as that text layer is missing. There are times when discovery is produced, it will be in an image-based PDF format. When you come across image-based PDFs, ask the U.S. Attorney’s Office in what format was that file originally. Second, ask if they have it in a searchable format and specifically if they have it in a digitally created, True, Text-based PDF format. They may not, as they often receive PDFs from other sources before they provide them to you, but you will want to know what is the format in which they have it in, and what is the original format of the file (as far as they know). Click here to see an example of an Image-based PDF.
Made-searchable PDFs (also known as “OCRed” PDFs). Image-based PDFs can be made text searchable by applying optical character recognition (OCR). CJA panel attorneys frequently use Adobe Acrobat Pro (or other PDF editor software) to make image-based PDFs searchable. During the OCR process, the software program interprets each character on the image as text and adds a text layer to the image layer. Made-searchable PDFs are like True PDFs, but the searchability of the OCRed document will depend on the quality of the image, or the recognizability of the writing. They are often not 100% accurate when you do keyword searches of the text. Click here to see an example of a Made-searchable PDF.
The ESI Protocol (formally known as the Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases) noted the limitations of OCR process on scanned paper.
“Generally speaking, OCR does not handle handwritten text or text in graphics well. OCR conversion rates can range from 50 to 98% accuracy depending on the underlying document. A full page of text is estimated to contain 2,000 characters, so OCR software with even 90% accuracy would create a page of text with approximately 200 errors.”
People ask how accurate software programs are in the OCR conversion. That is important, but the biggest factor for how searchable your OCR PDF will become is the underlying quality of the scanned image. A clean copy of a pleading will have high accuracy; a twice photocopied school paper record from the 1950s will be less accurate.
A quick way to see what the quality of the text is compared to the image is to select the text in question in a PDF file (you can use Control + A in Windows or Command + A in Mac to copy all the text on a page), and then copy and paste the text into a Word document. Put the two files side by side and visually compare them.
Why do we recommend having a Windows computer for CJA panel attorneys?
One of the great modern-day debates is Windows versus Apple. Like college football rivalries (think Alabama versus Auburn or UCLA versus USC), this discussion can generate intense emotions on both sides of the aisle. Add into the mix the introduction of Chromebooks (using a Chrome OS operating system), and it can be difficult for CJA panel attorneys to decide what to use in their practice.
For this conversation, let’s talk about laptops. When talking to people outside of the federal criminal defense world, we would usually say choosing a laptop depends on personal preference. You should pick the laptop that makes sense to you and allows you to be most productive. If you find you are more productive with a Mac, that’s great. People may be drawn to one operating system or the other for any number of reasons. Typically, the most important factor in choosing an operating system is which one you have used the most. The mechanics of how that system functions will seem more intuitive to you, because you have years of experience using it.
However, for federal criminal cases, we suggest having a Windows machine available to you.
Why?
Three reasons:
The Department of Justice, as well as most law enforcement agencies, use Windows computers. The systems they use to manage evidence and electronically stored information (ESI) will, by default, work on Windows machines. As a result, when they produce discovery to the defense, it will work (usually) on Windows machines.
Several important software programs and digital forensics programs do not work on Macs. Examples include dtSearch, CaseMap, Cellebrite Reader (a free viewer that can speed up review of cellphone dumps) and FTK Imager (a free tool to look at computer images the government seized, so that you can see what the computer looked like to the person who used it). Now you may not need to use these tools (there are work arounds or alternatives), but it is a limitation. In addition, while many file formats can be opened on either Windows or Apple machines, such as Word documents, PDFs and PowerPoint files, there are other file types that do not work natively on Macs. For example, certain proprietary audio and video files can only be played on applications that work in Windows. Now that all discovery being provided by the U.S. Attorney’s Office is encrypted in transit, they often use tools designed to function on Windows machines and not Macs. Of course, you can try to work it out with the government, so you receive something that is Mac-friendly (and many times they will be accommodating), but it is not their default procedure.
There are other costs associated with Macs. For one, PCs are often cheaper than their Mac counterparts. Additionally, programs offered for a discount to CJA panel lawyers by the Defender Services program typically are Windows based.
Does this mean we are saying you should abandon your Mac? No. Plenty of us use both Windows and Macintosh computers at work or at home. What we are saying is that you should consider having a Windows computer available to you to assist you in your CJA cases, as it can save you time and money in the long run.
Which laptop should I buy?
When it comes to buying a Windows laptop, there are hundreds of options. The following minimum criteria should be considered when purchasing a new laptop:
12.5 to 14-inch size screen – typically a good balance between usability and portability. This assessment is something to consider. If you are going to be mobile, go on the smaller side. If you are going to more stationary, consider the larger screen;
At least a Core i5 CPU;
At least 8 gigabytes (GB) of RAM;
Screen resolution of 1920 x 1080;
At least 500 SSD (solid state drive);
8+ hours batter life;
Windows Professional – which gives you Bitlocker, an easy way to encrypt files and folders.
If you can afford to spend a little more, adding to these minimum specs options can result in better performance. For myself, I like to have at least a machine with Core i7 CPU, 16 gigabytes of RAM. Many of our colleagues have found that if they have a more robust machine, problems they had scrolling through large PDF files or viewing proprietary video files in their older, less powerful machines went away. However, price is always the top issue so shop around and find what works for you and your budget.
Whether it is on media (CD Rom, USB drive, or hard drive) or through the internet (email or USAfx) it is becoming common practice that discovery files will be “encrypted.” Encryption adds a layer of protection by scrambling the data, so files cannot be seen unless a digital “key” (password) is provided. The goal is to protect the data while it is being shipped in case it is lost or stolen.
“Decryption” is the process of unscrambling an encrypted file so it is readable. The first step you should take when you receive encrypted files is to create a decrypted copy of the files. The decrypted copies will allow you to search, review and work with them on your computer that the encrypted files will not, and you will not need to enter a password each time to open them.
When receiving encrypted case related materials:
Look for cover letters and associated correspondence that mention password protection or encryption. Often the sender will tell you that the files are encrypted and provide instructions on how to obtain the key (password). If the media contains encrypted files you cannot work with them unless you have that password.
Use a Windows computer. Most decryption programs included on the media are designed to work with Windows computers. Sometimes decryption can be done on Mac computers, but often it requires additional software not included with the media.
Insert the media and look for either a “password” prompt or a decryption program. Certain encryption programs (like Microsoft “Bitlocker“) will automatically prompt for a password when the media is inserted. Other times the media will include Windows-based software programs that needs to be run.
Create decrypted copies of the files. When you open a file that is encrypted a computer will typically only temporarily decrypt it. The file may be in a “read-only” mode that will not work well with most software programs and will continue to need a password when reopening. Making a decrypted copy of the file will allow it to be correctly recognized by the programs on your computer and will no longer need a password when opening the copy.
McAfee Removable Media Protection
“McAfee Removable Media Protection” is a common encryption program used by the USA’s when delivering discovery on thumb drives and CD/DVD discs. The media usually includes an executable file that when run will allow users to make decrypted copies of the files. To create decrypted copies:
Create a destination. Open File Explorer (the file browser on your computer) and navigate to a destination on your computer (or external drive) with enough room to hold a copy of the files. Create a folder that will keep the decrypted copy of the files.
Open McAfee. Insert the media and look for a McAfee program executable file (the file is usually called “MfeEERM” and will have the “.exe” extension).
Run the executable and look for a dialog window prompting for a password. Enter the password and click “OK”.
Copy the files or folders. From within McAfee:
Select the “Top Level” folder from the left-hand navigation pane.
From the main window (on the right side), select all the files and folders listed, right-click on them and choose “Copy”.
Paste the copies into the destination. Switch back to File Explorer. Right-click on an empty space within the destination location and choose “Paste”. For larger sets of data (over 10,000 files/folders), try dividing the copy process into smaller batches of about 1,000 files / folders each. Verify the copied files can be opened by closing McAfee and opening a few of the copied files.
Here is a quick video demonstration of the process:
Box.com is a cloud-based repository that allows users to store, access, share and transfer electronic files. It also has features that allow for collaboration on the drafting of documents. We will touch on some of the key features here and more detailed information about each feature will be provided in future blog posts. Users can easily access files from different devices (such as computers, tablets and smartphones) anywhere they can connect to the internet. This allows federal defender offices and CJA panel attorneys to share discovery and work product easily and efficiently in a secure environment. With the national contract the National Litigation Support Team (NLST) has with Box.com, the security features emulates those of USAfX, the DOJ’s re-branded version of Box.com they use to disseminate discovery in many districts. If you are interested in using Box.com for one of your cases or have questions about its utility, please contact Kalei Achiu with the NLST at Sammy Lopez or 510-250-6310.
Box Drive, otherwise known as “Desktop, meets cloud”, allows users to access Box content from their desktop. Unlike Box Sync, Drive brings the entire universe of Box.com files to the desktop without taking up too much space on a hard drive since files are stored in the cloud instead of locally on a computer. However, it does not support offline access to content. Users will need an internet connection to access files. Box Drive can be easily accessed on a user’s desktop from Windows Explorer (Finder on a Mac) or the Windows System Tray (System Notification on a Mac). Documents can be created and/or edited from the desktop and changes will automatically be saved back to Box.com. Drive also gives users the option to “lock” shared files to keep other collaborators from overwriting edits. Learn more about Box Drive and download it here: https://www.box.com/resources/downloads/drive.
Box Sync allows users to mirror data stored on Box.com on their desktop or laptops. Unlike, Box Drive, users do not need an internet connection to access files once they are downloaded. Box Sync allows users to choose which files to sync so you don’t have to sync an entire folder. If any changes or edits are made, they will be synced back to Box.com the next time you connect to the internet. Box Sync allows the user syncing documents to choose the location where the synced folder resides. By default, synced folders live on the user’s local C: drive. However during the initial setup, the location can be changed to a shared network drive so that all those with access to that shared network drive can then access the synced folder. Learn more about Box Sync and download it here: https://community.box.com/t5/Using-Box-Sync/Installing-Box-Sync/ta-p/85.
Box Edit is a feature that makes collaboration even easier by allowing users to edit files directly from Box.com. Users no longer must download a file, make their changes and then upload it back to Box with a different name. Box Edit works with many programs including Word, Excel, PowerPoint and Adobe Acrobat. Once Box Edit is installed on a computer that also has the program in which the file was originally created, users can access the file in Box, which will then launch the document in the original program. Revisions are made in the original program, the updated file is automatically saved directly back to Box because of the integration. Box Edit will track the version history of the documents so users don’t have to worry about saving files as different versions. Older versions of the documents can be accessed in the version history on Box. Box Edit also allows users to create new documents directly on Box. Users must “Select” New and choose the type of document they want to create. Once created, it is available to any collaborator with access to that folder for editing. Learn more about Box Edit and download it here: https://app.box.com/services/box_edit.
Box Notes is an easy to use tool that works on Box.com or as a separate “add-on” for your desktop. Box Notes allows users to quickly take notes, share ideas and collaborate with others. The live editing and collaboration feature allows everyone to see the same note and make changes or suggestions in real time. Users can see a list of all existing notes on Box and their associated folders as well as the last collaborator to update the note. The Box Notes desktop application is a separate add-on feature, but works the same way as Box Notes in your web browser. Once Notes is installed on the computer, a shortcut icon is created on the desktop. It can also be accessed from the list of programs installed on the computer. Users can edit and collaborate on notes as they would on Box.com. Any edits or changes made on the desktop application are available to collaborators in real time on Box.com. Learn more about Box Notes and download it here: https://www.box.com/notes.
[Editor’s Note: 
[Editor’s Note: 
