Making RFPs work

When I take on a job, my first ask is for the Request for Production (RFP) or another official, judge-approved document, clearly calling for specific data from specific devices.

In an ideal world I get an RFP with all the particulars spelled out, with each device clearly listed, with date ranges and a keyword list for search, and clear instructions on exactly how I am to obtain these devices (for example, they are already in the attorney’s possession and they will drop them off at my office).

In reality, it usually doesn’t work that way. This is not to throw shade on lawyers or judges — as a digital forensics analyst, I don’t expect that you would know as much as I do about digital devices — but it means that I often have to work with the attorneys (both sides) to nail down exactly what I am to look for and report on.

Show me the complaint

I always ask to see the complaint as an accompaniment to the RFP. This helps me determine that the RFP is on the right track to produce a full and complete report that speaks to the case.

If something doesn’t seem right with the RFP, I will speak up and discuss it with the attorney. Sometimes it’s just a point that I need clarified, and sometimes it means the RFP needs an overhaul.

Data isn’t where you think it is

In another blog post, Where to find data for your RFP, I detail the different places I might need to look to fulfill the RFP. For example, it’s a common misconception that emails are stored on one’s phone, but the best source for a complete picture of email is the email provider. The same is true for social media posts. They might seem to be “on the phone” because you can see them, but in reality, they are stored on the platform’s servers and sent to your phone when you open the app. These posts are never stored on the phone itself.

If the RFP tells me to look on the phone for something that isn’t on the phone, I’ll work with the attorney to get that point clarified in the RFP, and to set up any meetings with the client or data custodian (owner of the accounts) to obtain the additional information.

Keywords must be specified

I have received more than one RFP with vague search instructions such as, “Produce all emails pertaining to Jane Smith’s employment at XYZ company.” What does this mean, exactly? If I’m searching an archive of work emails, wouldn’t 99% of the emails be work-related, and thus “pertaining to employment”?

Ideally, I get a list of keywords to search that speak to the complaint. For example, if it’s a wrongful termination case, a good list of keywords might be:

  • employment
  • termination
  • fired
  • disciplinary action
  • write-up
  • personnel file

This doesn’t mean that these are the entirety of what I will search for — I often go above and beyond to see what I can find. However, if both sides can agree on this list of keywords, it gives me a baseline and a direction.

If keywords are not specified, I will often work with the attorney to come up with a proposed list.

Contacts’ information must be supplied

I have received more than one RFP that called for “all emails between Jane Smith and John Jones” with no email address specified for John Jones. Or the RFP asks for all text messages with John Jones, with no phone number specified.

I can usually find an email address or phone number in the Contacts section, but I have no way of knowing whether there’s more than one email address or number, or whether a different phone number was being used at the time of the alleged crime (which might be several years earlier). Plus, my time spent searching for this information is billable time, which can add up quickly.

If counsel can’t or won’t provide email addresses and phone numbers, all I can do at that point is include in my report the email addresses and phone numbers I did manage to find.
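To make the last two sections concrete, here is an added example (not part of the original post) that applies an RFP's scope to a small mailbox as a filter on custodian, contact addresses, date range, and keywords. The messages, addresses, and dates are constructed for illustration; the keyword list is the one given above.

```python
from datetime import date
import re

# Keyword list from the wrongful-termination example above.
KEYWORDS = ["employment", "termination", "fired", "disciplinary action",
            "write-up", "personnel file"]
KEYWORD_RE = re.compile(
    "|".join(r"\b" + re.escape(k) + r"\b" for k in KEYWORDS), re.I)

# Constructed sample mailbox; addresses and dates are hypothetical.
MAILBOX = [
    {"id": 1, "date": date(2021, 3, 2), "from": "jane.smith@xyz.example",
     "to": ["john.jones@xyz.example"], "text": "Agenda for Monday's sales meeting"},
    {"id": 2, "date": date(2021, 3, 9), "from": "john.jones@xyz.example",
     "to": ["jane.smith@xyz.example"], "text": "Your write-up is in your personnel file."},
    {"id": 3, "date": date(2021, 3, 15), "from": "jjones.home@mail.example",
     "to": ["jane.smith@xyz.example"], "text": "Off the record: you will be fired Friday."},
    {"id": 4, "date": date(2019, 6, 1), "from": "john.jones@xyz.example",
     "to": ["jane.smith@xyz.example"], "text": "Welcome aboard! Employment paperwork attached."},
]

def search(mailbox, custodian, contact_addrs, start, end, keyword_re=None):
    """Return ids of messages between the custodian and any listed contact
    address, dated within [start, end], optionally matching a keyword."""
    contacts = {a.lower() for a in contact_addrs}
    hits = []
    for m in mailbox:
        parties = {m["from"].lower(), *(t.lower() for t in m["to"])}
        if custodian.lower() not in parties or not (parties & contacts):
            continue
        if not (start <= m["date"] <= end):
            continue
        if keyword_re and not keyword_re.search(m["text"]):
            continue
        hits.append(m["id"])
    return hits

JANE = "jane.smith@xyz.example"
RANGE = (date(2021, 1, 1), date(2021, 12, 31))
# Vague RFP: one address, no keywords. Everything in range comes back.
vague = search(MAILBOX, JANE, ["john.jones@xyz.example"], *RANGE)
# Keywords, but only the one address found in Contacts: message 3 is missed.
one_addr = search(MAILBOX, JANE, ["john.jones@xyz.example"], *RANGE, KEYWORD_RE)
# Keywords plus every address counsel supplied.
complete = search(MAILBOX, JANE, ["john.jones@xyz.example",
                                  "jjones.home@mail.example"], *RANGE, KEYWORD_RE)
print(vague, one_addr, complete)
```

The message sent from the second address only appears in the results once that address is part of the request, which is why the RFP needs to list every known address and number for each named contact.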

In summary

The more complete and pertinent your RFP, the more I can get on with what I’ve been hired to do — search for data and write a report — rather than spending time in a back-and-forth that ultimately costs your client more money than it needs to.

The Fourth Amendment and digital forensics

Some of my clients have been surprised to learn that training in digital forensics includes a sizeable dose of training in Fourth Amendment rights, and the legal aspects of inspecting digital devices.

When I was training in digital forensics at Boston University in 2015, my mobile forensics professor, Dr. Yuting Zhang, particularly stressed to us the importance of knowing and following the law as an investigator and analyst.

This was a key takeaway from my Mobile Forensics & Security class with Dr. Zhang. While the majority of the class curriculum focused on the technology of mobile devices, teaching us file structure, extraction techniques, and approaches to analysis, a good chunk of it was devoted to the laws that we would need to make sure we followed when extracting and inspecting data from digital devices.

Going into the program, I had no idea this was the case — I had assumed that this was the responsibility of the person who handed me the phone or PC for extraction. It turns out that the responsibility falls on all of us in the chain of custody, from the judge who rules on a discovery request and the lawyer who sends me an RFP, all the way down to me.

But once I learned this fact, I grabbed it with both hands and hit the ground running. By the end of class I had memorized the Fourth Amendment to the U.S. Constitution, and was up to date on the still-fast-changing federal and state laws around law enforcement access to mobile devices.

This training has come in handy multiple times. While I’ve never had an attorney ask me to do something that violates the Fourth Amendment, I am regularly asked by laypersons to look at a device that doesn’t belong to them, usually because they suspect their significant other is cheating. I categorically do not take these jobs.

My training also prepared me for situations when, while inspecting data to look for evidence to support (or refute) a particular charge, I might find evidence of a completely different crime, sometimes of a far more serious nature. If this happens, I am to immediately cease inspecting the data and report it to the attorney who hired me. This has happened only once in my nine-year career, but Dr. Zhang had drummed this into me so thoroughly that I acted without hesitation.

We also engaged in discussions of ethics in class, much like a law curriculum (so I’ve heard). For example, what if we were asked to do a mobile analysis for a defense lawyer on a sexual assault case? Could we take the case and remain impartial, despite the heinous nature of the accusation? What if we think the person is guilty?

My take was that everyone deserves the best defense they can get, regardless of the crime or the evidence at hand. That our job is to get at the truth of the matter. Regardless of whether the text messages or emails or documents were inculpatory or exculpatory, it is our job to find them and include them in a coherent report that the judicial system can use as intended. That we are not the judges here — we are simply delivering information, and our opinion of guilt or innocence is not part of the equation.

At the time this was a bit of a revelation, but I incorporated it into my work as a digital forensics analyst, and I fiercely stand by it today. I have taken on cases of some pretty severe crimes, and I do my part: I deliver the exact and complete information, and let the court decide based on the evidence.