Expert Witness Forum West

The Use of Computer Forensics, Mobile Forensics and e-Discovery in Expert Witness Testimony

Michael Chong, Kemar Wilks – The use of Computer Forensics, Mobile Forensics and e-Discovery in Expert Witness Testimony

 

Lawyers need to get comfortable with digital evidence

Even though technology is all around us — from cell phones to computers to always listening personal digital assistants in our homes — it doesn’t mean everybody has an equal understanding of how digital information is created and stored and accessed, and that includes lawyers.

As the amount of digital data continues to grow, those electronic ones and zeros are playing ever-increasingly important roles in legal actions. Some lawyers who are either technology buffs in their personal lives or who have professional experience with cases involving digital forensics are comfortable examining digital evidence and hunting through electronic information looking for information to support their positions. Others, however, find themselves having to navigate an unfamiliar world of metadata and hashes and logs, all while doing the best they can for their clients.

For those legal professionals, it’s not a matter of learning to code or becoming technical wizards, but it’s about developing an understanding of the digital landscape and the evidence that it contains so they can do their jobs better.

Michael Mulligan

Michael Mulligan, Mulligan Tam Pearson Law Corporation

“If you don’t know [digital evidence] is there, you’re not going to make efforts to look at it, or you’re just going to focus on some other aspect of the case because you’re unfamiliar with it,” said Michael Mulligan of the Victoria, B.C.,-based defence firm Mulligan Tam Pearson Law Corporation. “People have to be familiar enough with it to know it exists and then retain an appropriate expert if they don’t know enough about it.

“It’s like if you’re a police officer, and you didn’t know about DNA evidence. You’re just not going to take the steps to check and see if it exists or take the steps to see that it’s properly preserved. Pretending it doesn’t exist, I don’t think, is a satisfactory response to it.”

As to what that familiarity amounts to, Jeffrey Posluns, owner of the Toronto-based information technology security company Posluns Consulting, said lawyers should understand some fundamental concepts.

Jeffrey Posluns

Jeffrey Posluns, Posluns Consulting

“They need to have a basic understanding that e-mails can be spoofed and that any log that shows something on a computer or a server can be fabricated or adjusted or can show wrong information if the logs aren’t set up properly.

“At the same time, when they are looking for evidence, they need to understand that logs should exist for most situations and for most activities in companies that have competent systems administration and/or a networking team. … In summary, it’s most important for a lawyer to know what is possible and what exists, not necessarily how to use it or what it does or where it goes,” said Posluns.

Lawyers dealing with digital data should be aware that there are acceptable procedures that must be employed while retrieving information from devices, and if the proper steps aren’t taken, any evidence obtained may be deemed inadmissible at best or irretrievably lost at worst.

“The first principle of digital forensics is don’t change anything,” said Robin Fowler, junior forensic examiner at TCS Forensics Ltd. in Richmond, B.C.

“One of the main issues in relation to the admissibility of digital evidence is the fact that metadata — which is like the dates and the times that files were created or accessed or modified — are changed really, really easily,” explained TCS senior forensic examiner Kemar Wilks.

Wilks said when inexperienced people attempt to retrieve files by opening them and saving them, they alter the computer’s records — its logs of when that data was originally created and accessed — which is typically the evidence that is needed to support legal arguments. To get around this problem, most experts use a technique known as imaging the drive, which Wilks likens to taking a snapshot of the data.

Robin Fowler

Robin Fowler, TCS Forensics Ltd.

“It’s a court-accepted procedure. At the beginning of the imaging process, something is done known as hashing, which is generally just creating a serial number of the data as it is. Then we copy it. We do the same process again to see if the serial number is the same and normally it is.

“Say, for instance, after you create the serial number, you open a document on the same hard drive and put in one change and save the document. Then the serial number will be completely different. [The hash] is almost as unique as DNA. I think it’s the most important step in digital forensic analysis as a matter of fact.”

Preserving information isn’t just something forensics experts do. It’s actually something that computers and other electronic devices are very adept at.

“The basic advice would be if you delete something from an electronic device, a computer or a cell phone, it’s not gone. It’s the equivalent of taking the index card out of the old library card catalogue but leaving the book in place. When you delete the file from the computer, you don’t get rid of the underlying data, you just make a notation on the file system that the space might be available for future use,” said Mulligan.

“If you examine the computer in a forensic way, you are likely to find vast quantities of data that would not be apparent to a user of the machine. You’ll get the deleted e-mails, the previous versions of documents — just a vast amount of information that is there and many lawyers simply do know it exists so they’re not looking for it.”

Kemar Wilks

Kemar Wilks, TCS Forensics Ltd.

It’s not just computers and cell phone with memories. Smart devices from printers to Internet-enabled appliances and TVs, also retain logs and records. For example, Fowler said TCS Forensics was involved in an intellectual property case where one side was supposed to have destroyed a set of documents by a certain date. TCS proved that didn’t happen.

“We were able to determine from a print log file that they had been printing those documents —  documents that weren’t found on their computers — at a later date than they were supposed to have destroyed the documents,” he said.

The type of law a lawyer practises will likely influence the type of digital data encountered. Mulligan said in the criminal world, it used to be child pornography cases that would mainly rely on digital evidence, but today almost every case touches on some element of it. Determining people’s locations by tracking where their phones were, for example, could easily find its way into murder cases.

Posluns said he spends half his time on e-mail related, 25 per cent looking into malicious activity that took place by analyzing IT infrastructure, servers, platforms and code, and the rest performing an assortment of activities, including explaining to one lawyer how to purchase illegal drugs on the dark Web and how police investigate those types of purchases. (The lawyer’s client was accused of performing that activity.) Currently, when TCS is consulting on civil cases, 80 per cent of what the company deals with are mobile devices including cell phones and tablets.

For lawyers looking to hire a forensic expert to assist them with an investigation or to explain certain aspects of technology, Mulligan, Fowler, Wilks and Posluns all agree that one of the key qualifications is that person’s ability to explain things in clear, succinct language, and to offer explanations that could be understood not just by the lawyer but by judges and juries (if necessary).

Lawyers can also ask about forensic training accreditation and inquire if they have licences for the software that was used to find or create the evidence. (Mulligan noted that police departments, for example, often use a program called EnCase Forensic to conduct their investigations, so it helps to be able to use the same software to examine the evidence they collect.)

As for lawyers who are still uncomfortable with the idea of dealing with digital data, unfortunately, there is only going to be a proliferation of it in the future, except instead of being stored on people’s desktop computers or in their handheld devices, a higher percentage of it will be kept in the cloud on servers across the country, or even in countries across the globe. A growing percentage of that will be information collected by personal digital assistants like Apple’s Siri, Amazon’s Alexa or Microsoft’s Cortana. Additionally, more previously unnetworked devices are being transformed by their manufacturers into Internet of Things (IoT) products, with the addition of wireless connectivity (including GPS tracking).

As people’s lives become increasingly tracked and traced online, there will be more opportunity to find, retrieve and use that data in legal actions, and doing so will become even more commonplace than it is today, leaving lawyers who are technology adverse an increasing disadvantage compared with their colleagues.

Thursday, December 28, 2017 @ 10:56 AM | By Carolyn Gruske | The Lawyer’s Daily

Lunch & Learn Events, Presentations and Workshops 2018

We are now booking lunch & learn events and presentations for 2018. We will also be offering in-house and on-site training workshops in 2018 with several engaging topics listed below. Please contact us directly for more information.

  • Digital Forensics Challenges in the Internet of Things (IoT) World
  • Digital Forensics and Big Data Challenges
  • Demystifying eDiscovery & Digital Forensics
  • Digital Forensics and the Cloud Computing Environment
  • Digital Forensics Evidence Collection and Management
  • The Value of Digital Forensics to Your Organization