Computers (and the people who work with them) are strange and wonderful things. Whether we like computersor not, all of us who handle criminal cases have to learn how to deal with computers as pieces of evidence. Thisrule applies not only computer crime or pornography cases. In most business and home searches now, thegovernment seizes computers. The government is looking not just at what our clients have on their computers. They are also analyzing what used to be there; when information was “deleted” and how it was deleted.
In many ways, computerized evidence must be dealt with the same way as any other type of evidence. It issubject to the same need for defense inspection, the same chain of custody requirements, and the same rules ofadmissibility. Defense counsel have to inspect computerized evidence just like they would a stack of documentsthat were seized or the evidence taken after a barroom brawl.
In other ways, counsel’s role in inspecting computerized evidence goes much deeper. It is not enough to acceptpaper printouts or the government’s other representations about what is found on a computer. Not only do youhave to find out what the government claims was on the computer, you have to know: How did it get there? When was it created or put on the machine? Where was it stored? What kind of file is it? To find out these answers, you have to turn to an expert in computer forensics, and you have to know how to getthe evidence and approach the expert correctly.
Finding an Expert
Finding the right computer forensic expert is not always easy. Although with a quick internet search one can findhundreds of people who claim to be qualified in computer forensics, truly capable forensic experts are rare. It isbeyond the scope of this article to make any particular recommendation, but it is of utmost importance to findsomeone who not only knows the latest technology for examining hard drives but can communicate. Computergurus tend to use abstruse language, even in talking about simple concepts. You need to find someone who cantalk to you and, if necessary, to a jury.
It has been the disappointing experience in our firm recently that many well-qualified experts refuse to work fordefense counsel. They are worried, perhaps legitimately, about being blacklisted from any governmentconsulting work. This has been particularly true in pornography cases.
To overcome this initial reluctance, defense counsel must let the expert know up front that all we are looking foris the absolute truth. The forensic examiner can be assured that we are not looking for any particular slant butjust to know what the objective facts are and the answers to the what, when, how, where questions above. If theperson views himself or herself as an objective scientist, often initial reluctance to work for a defendant isovercome when the expert realizes that counsel is above board and really just looking for help understanding acomplicated scientific or technical subject.
There are also credible on-line resources that can help you find the right expert. Although a search engine searchfor “computer forensics” or similar phrase immediately pulls up hundreds of questionable resources, many of thetop examiners have a web presence. It is also helpful to browse these sites just to get a feel for what the issuesare and what it is you want to look for or accomplish. Also, there are entire periodicals devoted to computerizedevidence, and the contributors to those periodicals may prove to be excellent resources.1 Finally, and mostimportantly, NACDL and its members are the best resources for finding trustworthy experts.2 Talk to people whohave used forensic computer examiners before.
As with any expert, enter into a written contract. The contract should be between the expert and the law firm toensure attorney-client and work-product privileges. The contract should require the examiner to preserve confidentiality, and should specify the type of examination to be performed and the type of report to be produced. You should talk to the examiner enough beforehand to come to an understanding of the forensic software to beused and what its capabilities are, and the type of examination to be performed should be specified in thecontract. It has been our experience that the examiner will require at least a full week to complete a full forensicevaluation of a single computer.
Thorough forensic examination, like quality legal representation, takes a long time, and is expensive. If your client cannot afford adequate expert services, remember that even if you are retained and your client is rendered indigent, a federal judge has the authority to appropriate Criminal Justice Act funds for a defense expert.
Finally, with regard to experts, identify and retain the expert early. The expert can shape the investigation andassist in what to ask for in discovery and how to ask for it.
Getting Access to the Real Thing — Unique Discovery Issues
If any of the evidence the prosecution intends to use comes from a computer, get access to the original computer or an exact copy – mirror image. Do not accept a compact disc or a floppy containing what the government saysit found on the machine. The importance of the original will be discussed below, but access to the original driveis a must.
The government will often balk at giving defense counsel access to the original computers or even a mirrorimage. In pornography cases, the government has often taken the position that defense counsel is not entitled to acopy of the evidence at all, since the government claims it to be contraband.
Fortunately, most courts have rejected the government’s position. The text of Rule 16 of the Federal Rules ofCriminal Procedure clearly requires access. The rule provides that the government must allow the defendant “toinspect and copy” a number of things, including tangible objects that the government intends to use in its case,that are material to the preparation of the defense or that were obtained from the defendant.4 If there is anyquestion about the propriety of further distribution of the evidence, the court has the specific power under Rule16(d) to enter a protective order. An appropriate example of an order allowing access with appropriateprecautions has been entered by Judge Breyer in the Northern District of California. There the government wasrequired to allow the defense to copy the original computer files. The court instructed defense counsel to keepthe material locked and to allow only experts, investigator and paralegal and the defendant (with counsel present)to examine the material.5Similarly, in a very thoughtful opinion, Chief Judge Charles Haden of the United StatesDistrict Court for the Southern District of West Virginia ordered that defense counsel be allowed a “mirror”image of the computer hard drives in question. In that case, the government had offered to let the defense expertcome to the U.S. Attorney’s office to examine the originals. The court pointed out:
The mirror-image hard drives are necessary to allow computer experts to determine when and how particular files were accessed and downloaded. Simply viewing the materials is insufficient. Similarly, allowing defense experts to manipulate the hard drives under the scrutiny of the government essentially would make defense “work product” an open book.6
Thus, with the proper protective order, counsel should be able to obtain an exact, mirror-image of any drive from which evidence has been obtained in the case.7 At our firm, we have no problem with agreeing to a Rule 16(d)protective order. Because we may actually have access to contraband, restrictions on dissemination seemreasonable, and having a clearly stated order will protect defense counsel as well.
What You See Is Not Necessarily What Your Client Had — Why Access to the Original Is So Important
In a recent case, we were given a floppy disk by the government that supposedly contained contraband pornography images taken from our client’s computer. Things did not look good for our client. Once we got ourexpert access to mirror images of the hard drives, however, he was able to show us that the offending imageswere from “banner” advertisements that our client had not sought or saved in any way. The images were fromadvertisements that popped up at the top of the screen when the client was looking at other sites. Our client hadno recollection of seeing them and certainly no intent to possess the images. Unbeknownst to him, however, all the images that show up on one’s screen while viewing a web page or normally stored on the computer hard drive as a temporary internet file. The expert was also able to put together a chronology of how and when theimages got on the hard drive. Had it been necessary, we could have further shown exactly what our client hadbeen looking at intentionally (by following links on the web), and that trail was embarrassing but notincriminating.
That experience solidified for me how important it is to have access to the actual computer or a mirror image.There are certain things that can be determined by an expert examination of the hard drive that simply cannot bedetermined by looking at individual files. One of the important questions listed above was “How did it getthere?” An expert examining the hard drive can tell when a file was created, copied or modified. If it involved adownloaded file, it is also probable that you can learn where it came from.
What I mean by a mirror image is an exact copy of the hard drive. Perhaps a simpler way to copy computer fileswould be just to open up the menu on the original computer and copy over all the interesting files. The problemwith this is that there is a lot of very interesting information that is contained in files that do not appear on thedirectory. The files not shown on directories can be a major source of information. For example, it may bepossible to reconstruct the various versions that a file or document went through before it was saved in its finalform that you could see on a computer directory or menu. Various techniques exist for getting access to all theinformation on a hard drive. Several different software programs might be able to provide the informationneeded, and getting an exact copy of the hard drive might not be the perfect solution either. The point, however, is that working with your expert, you need to make sure you are getting access to everything on the computer in question, not just the files the government picks out for you.8
There are a number of forensic programs used by examiners. The copying process you want may depend uponthe program to be used by your expert. Therefore, you need to consult with the expert prior to having the copyingdone. The expert will also want to know what program the government expert is using.By now most of us know that deleting a file does not really make it go away. The information is not taken off ofthe surface of the hard disk. Rather, the file is simply no longer linked to the menus that the computer user sees.The space that the file occupies also becomes available for writing new data, but the “deleted” material will notdisappear until it is completely overwritten. Of course, no deleted information would be accessible without atleast a mirror image. Government technicians know how to look for deleted files. They are going to find them.Our challenge will be to learn how those deleted files got there, when and why they were deleted and where theycame from. If that information is impossible to determine, the forensic examiner may be helpful in explainingthat the deleted files or fragments of deleted files are not significant because there is no proof of how, when andwhy they got there.
Getting access to the original hard drive or a mirror image is worth fighting for if there is any question about howthe evidence got there or its legitimacy.
So, What Can the Expert Figure Out?
Using forensic software, a good analyst can come close to recreating the activity that occurred on the computer. Some programs even have a timeline program that creates a report showing when files were created, modifiedand deleted.
Hash analysis is the process of taking a list of computer files and checking the target computer to determinewhether any of those files are on that machine. The government uses hash analysis in pornography cases to checkagainst a list of known child pornography files to see if files with the same characteristics are on the computerbeing examined.
In any case in which there is a question about files that came from the internet, forensic analysis is a must. Verycreative but misguided people create internet technology. Pornographers have been at the forefront of writingcodes that can actually take over a computer and open files that the user never intended to use. You haveprobably experienced some sort of “pop-up” ads when using the world wide web. This same technology can beapplied on a large scale causing a seemingly endless series of differing pages to open on an individual’s
5/16/2018Untitled Documenthttps://www.rddjlaw.com/articles/ComputerForensics.html4/4computer. The expert can also used software to run searches for certain key words or phrases on a computer.
As noted above, deleted files may still exist on the hard drive. Portions of files may still be in what experts callslack space or free space. Experts will not be able to recover all deleted files but the more recent the deletion themore likely the expert can recover the file because it likely will not have been overwritten. Deleted e-mail willmost often be recoverable. Forensic examiners can check versions of a file against backups or other versions theyfind to determine when changes were made and what was changed. This can lead to very important historicalinformation.
Conclusion
With the proliferation of computerized information, we all have to learn to evaluate and use electronic evidence. Unfortunately, most lawyers are not going to be able to evaluate the evidence just by taking a look at it. Learninghow to work with an forensic expert and getting him or her on board early is essential in being able to understandand handle the challenges computerized evidence create for us. With some planning, though, even those of us who do not like to turn on computers can become comfortable with how to evaluate electronic evidence.
1. The Bureau of National Affairs, for example, through its subsidiary Pike & Fischer publishes DigitalDiscovery & e-Evidence. See www.pf.com.
2. NACDL members have access to a forensic evidence hotline on the NACDL web page, www.nacdl.org.
3. If you want to contact me, I can provide you with an example of an application for expert funds used in a case in which we were retained.
4. R. 16(a)(1)(C), Fed.R.Crim.P.
5. United States v. Pedram Ibrahimi, No. 02-0008 (N.D.Ca. 2/20/02). At the 2002 NACDL annual meeting NanciClarence and Geoffrey Hansen distributed copies of a number of cases allowing defense access to a mirror imageof a hard drive. Just having access to those cases has allowed me to convince prosecutors that we are entitled to an exact copy of the hard drives.
6. United States v. Alan Tanner, No. 2:01-00145 (S.D.W.Va. 6/26/01).
7. State cases seem to be in accord. See Taylor v. State, 2002 WL 31318065 (Tex. App. 10/17/02)(finding error where the defendant had not been given an exact copy of the hard drive and holding that merely allowing inspection of the questions images off of the drive was insufficient because it does not allow for proper expert analysis).
8. Having an “exact” image of a hard drive can pose its own problems. Just by booting up a computer, you canchange the structure of the hard drive. Also, in order to use an exact mirror image of a hard drive, you mighthave to have the same CPU that the original drive came from.