Digital Forensics and Civil Litigation
Discussions of electronic evidence in civil suits often revolve around large bulk production of electronically stored information—e.g., how do we determine which files or e-mails are responsive to a discovery request, how do we redact privileged material intermingled with other communications, and how do we find the small but critical text message? But smaller-scale investigation of digital evidence on single systems is equally important, and arguably the more common need. Information about our clients and their matters is increasingly found on smartphones, tablets, and other devices, or out in “the cloud” in the custody of an application provider.
Comment 8 to Wisconsin Supreme Court Rule 20:1.1 (“Competence”) admonishes attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” In other words, not only do attorneys have the incentive to understand enough about digital evidence to be effective advocates for their clients, they have an ethical duty to do so. For most attorneys, it is not feasible to learn enough about operating systems, application development, and networking to shoulder that responsibility on their own, and therefore expert assistance may be needed.
The Lifecycle of Digital Evidence
Digital evidence has some unique characteristics. Unlike an organic sample or a witness’s memory, it generally does not decay. In other words, it only accumulates—once discovered, it will be around for the life of the case. It can be copied quickly, easily, and with perfect accuracy—there is generally no difference whatsoever between the “original” of a file and a copy. At the same time, it can often be modified just as easily and potentially undetectably. Moreover, some aspects of digital evidence are delicate, and improperly examining certain things can change them or obliterate information that might otherwise have been useful. With these points in mind, it is worthwhile to consider the four main phases in the life of digital evidence.
Obtaining digital evidence is the first step, but also the one most fraught with risk. The goal at this phase is to acquire the evidence without altering it. How this is accomplished varies based on where the information resides. In the case of a computer hard drive, the process generally involves connecting the drive to a device that allows the contents of the storage media to be read and duplicated without alteration. With tablets, smartphones, and other devices, additional specialized equipment and techniques may be needed, because, whereas general-purpose computers have relatively standard and accessible components, mobile devices have purpose-specific hardware and software. The main thing to remember is that it is not good practice simply to examine digital evidence in situ. Doing so is likely to destroy traces of how and when files were accessed that might be essential to the case.
Sound forensic techniques are important, but so is knowledge of where information may be found.For example, if messages delivered via Snapchat or the now-defunct Yik Yak are important in a case, critical data may reside not on the smartphones from which the messages were sent or received, but rather in the records of the application provider. Information about the source of a transmission of information may reside with an Internet Service Provider. Information about unauthorized use of corporate computing resources might be found in log files of network infrastructure devices. Thorough acquisition of digital evidence may therefore involve subpoenas, and demand a working knowledge of what information is stored where, how to craft an intelligible request for it, and how to correlate data from disparate sources.
Once information has been acquired, the next step is to preserve it. Generally, this means storing it in such a way that there can be no accusations of spoliation. With respect to physical items—i.e., the devices themselves—this amounts to creating a chain-of-custody log and keeping the items in a physically secure area. With respect to data extracted from devices, this often means creating a forensic image—i.e., a special type of file that contains an exact copy of the original, but also cryptographic safeguards to render it tamper-evident.
Once digital evidence has been properly acquired and preserved, the next step is to figure out what it means. This often requires not only knowledge of specialized forensic tools—i.e., tools to recover deleted files or to search for patterns in large volumes of information—but also a thorough understanding of the sources of the digital evidence. What can the presence of a file in a web browser’s cache tell us about what the user was up to? Are there differences between what we can learn from Google’s Chrome web browser as opposed to Microsoft’s Internet Explorer? Does it matter whether the computer where the web browser was installed ran on Windows XP as opposed to Windows 7? In a nutshell, analysis of digital evidence can be subtle, and at times the key to understanding a piece of digital evidence is not to think about it in a vacuum, but rather to consider it in a larger context.
Like any other evidence, the purpose of relevant digital evidence in a civil lawsuit is to persuade the trier of fact. It might be relatively easy to confront an adverse witness with a copy of a damning e-mail, but it is another to present a fraud case based on back-dated transaction records in an online accounting system. In other words, it’s not enough that an attorney understand the evidence in depth—a successful presentation requires witnesses who can explain how and why the digital evidence supports the theory of the case. A trier of fact needs to understand the facts, and attorneys must often rely on experts to develop the necessary degree of understanding.
Working with Experts
The phases discussed in the previous section tell us something about the experts we may need and when we will need them. First, concerns about digital evidence may crop up very early in a case—perhaps even when an attorney is evaluating a matter before deciding whether to undertake representation—so it is prudent to cultivate a relationship with someone who can at the very least assist with data acquisition. Knowing who to call when the need arises might make the difference between being able to find and preserve evidence and letting it vanish.
Next, it’s not necessarily the case that a single expert will suffice. Someone who does a great job at acquiring a piece of evidence may not know how to interpret it if the information at stake is the product of specialized software. For example, a medical instrument might store information on standard storage media, the acquisition of which could be done by any properly equipped forensic analyst. However, it is unlikely that the same person would have knowledge about how the instrument works, or how to interpret the data it stores. Having contacts in the technical community may make finding the right expert easier.
In addition, there may be more than one way to get at the information. If extraction of data from a smartphone is impossible because of encryption, it might be possible to seek sufficient information elsewhere. Someone with broad expertise might be able to help brainstorm tactics to get at information that is otherwise inaccessible.
Finally, attorneys should be mindful of the fact that the field of digital forensics continues to expand with the development of new devices. Data from pacemakers, Fitbit fitness trackers, smart televisions, and home assistant devices such as Amazon’s Echo are making their way into lawsuits, and are all proper subjects for forensic analysis. As these technologies mature, so will techniques for acquiring and analyzing the information they store and process.
A small local healthcare provider recently suffered a security breach, and the contents of some of its systems were held hostage by ransomware. In addition to the critical practical need to get systems up and running again, the situation presented three major legal issues. First, what were the organization’s responsibilities under HIPAA and Wisconsin’s data breach notification law with respect to reporting the incident? Second, which patients should be notified, and what should the notice contain? And third, did the organization have any legal recourse?
A forensic consultant was able to determine which patients’ information was affected, and the type of information involved. Based on that determination, the organization was able to conclude that it had no obligation under Wisconsin’s data breach notification statute, Wis. Stat. § 134.98. However, it did have notification obligations under 45 C.F.R. § 164.404(a). Finally, the forensic consultant was able to determine that the ransomware made it into the organization not via a malicious e-mail attachment, but rather through a chink in the organization’s perimeter defenses, left there by the organization’s IT consultant whose work across the board was below acceptable standards.
Nothing related to this incident has found its way into a lawsuit as of yet, but the forensic consultant’s work was essential to enable the organization’s attorney to provide appropriate guidance.
Unless the user of a computer (or phone or tablet) takes specific steps to purge information, it is prudent to assume that everything the system has stored or done could potentially be recovered by a forensic analyst. For this reason, attorneys advising clients should also be aware of anti-forensic technologies. The most prominent among these are tools for encrypting data. Most mobile device and computer operating systems have at least some encryption capabilities built in, but these may not be suitable for all client needs. Also of interest are tools for securely deleting unwanted data—e.g., making sure that deleted files are no longer present on the system and eliminating traces of activities that should be kept confidential. Policies governing the destruction of unneeded data can greatly simplify discovery should litigation ensue down the road.
In the same vein, ABA Formal Opinion 477, released in May of 2017, updates guidance for attorneys about encryption of data, including e-mail, which is transmitted via the Internet. The opinion stops short of providing a bright-line rule specifying that encryption is required in certain contexts, and instead offers a list of factors to weigh in determining whether encryption would be appropriate in a given situation. Widespread encryption of e-mail remains cumbersome, and therefore unappealing to many clients, but in the wake of Formal Opinion 477, it is reasonable to expect that there will be at least some increase in the deployment of encryption for attorney communications. Generally speaking, however, the Formal Opinion only addresses encryption of data in transit, and not at rest on the sender’s or recipient’s systems, or on e-mail servers in between.
The Big Picture
Digital forensics is a vast and fast-moving field. More importantly, it is a field whose importance to civil litigation will continue to grow as clients continue to become more reliant on digital devices for communication and storage of information. This means attorneys can expect increased reliance on forensic experts as the collection of information essential to litigation, from financial records, to video messages, to GPS coordinates, becomes more and more reliant on digital sources.
John Mitby serves as counsel for numerous businesses, engineering and construction firms, insurance companies, non-profit organizations, and elder care facilities. John’s commercial practice includes resolving a variety of matters relating to contracts, transactional work, real estate, employment, financing, municipal, business, insurance, and litigation. John works with clients on acquisitions including those involving professional and technical businesses, and provides general corporate oversight for profit and nonprofit organizations. He has provided counsel on many complex business transactions, such as the reorganization of a cooperative, the purchase and sale of numerous businesses, including the House on the Rock, one of Wisconsin’s most prominent landmarks, and the development of the Princeton Clubs. John’s litigation practice includes defense of contract matters, class actions, insurance claims, electronic discovery issues, cyber liability, investigative matters, and other highly complex business legislation matters.
Peyton B. Engel is an attorney with Hurley, Burish & Stanton, S.C., where he helps individuals and businesses with civil litigation, represents licensed professionals including attorneys in disciplinary matters, and provides consulting and expert witness services in matters where digital evidence is at issue.
Mr. Engel’s particular area of interest is in information technology, security, and privacy. He has extensive practical experience with information technology and compliance (primarily with respect to HIPAA and the PCI Data Security Standard), and has assisted attorneys with technology aspects of both civil and criminal matters.
Before joining the firm, Mr. Engel worked for more than 18 years in information technology, with sixteen years of that time spent specialized in network and information security. He holds the CISSP certification, and the Wisconsin Law Journal recently recognized him as one of the three best forensic experts in the state. He is a member of the State Bar of Wisconsin and the Dane County Bar Association.
Mr. Engel earned his B.A. degree from Grinnell College; his M.A. degree from the University of Wisconsin - Madison; and his J.D. degree, magna cum laude, Order of the Coif, from the University of Wisconsin Law School.