Legal Aspects of
Taylan Sen, JD
Phillips Lytle, LLP
Purposes of Digital Forensics
Overview of legal system
Liability from improperly conducted Digital Forensic analyses
Legal Tools in helping to obtain evidence
Admissibility of Digital Evidence
Proactive actions that can be taken in light of eDiscovery
Guidelines on how to perform a Digital Forensic Analysis
so that the lawsuit is won, the right business decisions are made, and, most importantly,
YOU stay out of legal trouble!
Purposes of Digital Forensics
U.S. Judicial System
Federal Court System
Federal Circuit Courts
Court’s job is
1. fact finding
2. interpretation of the law
Courts must not only follow written law but also
previous decisions (stare decisis).
Lower courts’ main job is fact finding
Higher courts’ main job is interpretation of law
Appeals go up
Lower courts must follow the decisions of the courts above them.
Types of Criminal cases
Theft of trade secret
Case 1: Ex-employee left company to form his own
Is he violating company intellectual property in his new
Can we use a KeyStroke logger?
Case 2: Ex-Franchisee is currently violating company’s
trademark and copyright through their website
What kind of Digital Forensic evidence is admissible?
Whois / DNS lookup?
Criminal Trial Overview
Criminal Trial must follow the “Federal Rules of Criminal
Haller: "I don't want to hear explanations. The state of Alabama has a procedure. And that procedure is to have an arraignment. Are we clear on this?"
Anatomy of a Criminal Trial
Probable cause warrant (search/arrest)
Criminal complaint is accompanied by an affidavit that
summarizes the evidence against the defendant.
Bail is set
Arraignment/Grand Jury Hearing
Pretrial Motions (motion in limine)
Investigation: 4th Amendment
“The right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but
upon probable cause, supported by Oath or affirmation, and particularly describing the
place to be searched, and the persons or things to be seized.”
You do not have carte blanche to perform a
digital forensic search.
Investigation: What is a Warrant?
A court order, issued by a judge
or magistrate, authorizing an act
which would otherwise be illegal
in violating an individual’s rights.
Affords the person executing the
warrant protection from
damages if the act is performed.
Obtaining a warrant
4th amendment – “no Warrants shall issue, but upon probable cause,
supported by Oath or affirmation, and particularly describing the
place to be searched, and the persons or things to be seized.”
Probable cause – “reasonable”, “prudent”:
Direct observation of officer or secondary information based
Totality of the circumstances
Reliable and credible
Knowledge of underlying circumstances
Digital Forensic Data is often the basis to obtain a warrant
A warrant must be specific to place being searched
Exceptions: Exigent circumstances, sufficiently attenuated
Warrants and the Aguilar-Spinelli
The magistrate must be informed of the
reasons to support the conclusion that
such an informant is reliable and credible.
The magistrate must be informed of
some of the underlying circumstances
relied on by the person providing the
Fruit of the poisonous tree
Evidence which is collected or analyzed in violation of
defendant’s constitutional rights is inadmissible for
criminal prosecution in a court of law unless the
evidence gathered is sufficiently attenuated from the
Your digital forensic investigation must be conducted properly
Anatomy of a civil lawsuit
Types of civil cases
Breach of contract
Misuse of corporate resources
damages ($), injunction
Federal Rules of Civil Procedure
Rule #26 – (B) Specific Limitations on Electronically Stored Information. A party need
not provide discovery of electronically stored information from sources that the party
identifies as not reasonably accessible because of undue burden or cost. On motion
to compel discovery or for a protective order, the party from whom discovery is
sought must show that the information is not reasonably accessible because of
undue burden or cost. If that showing is made, the court may nonetheless order
discovery from such sources if the requesting party shows good cause, considering
the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery.
Rule #34 - (A) any designated documents or electronically stored information —
including writings, drawings, graphs, charts, photographs, sound recordings, images,
and other data or data compilations — stored in any medium from which information
can be obtained either directly or, if necessary, after translation by the responding
party into a reasonably usable form; or
Federal Rules of Evidence
Authentication and identification
Original evidence rule
Expert Witnesses & Junk science
Fruit of the poisonous tree
General Rules of Evidence
Must not be unfairly prejudicial (previous
Subsequent remedial measures
Witnesses must have personal knowledge
Federal Rule Evidence 901
“admissibility is satisfied by evidence sufficient
to support a finding that the matter in question
is what its proponent claims.”
Authentication and Identification
901(a) - General Rule: Evidence must be shown to be
authentic before allowed into trial.
Authenticity can be shown through:
901(b)(1) Testimony of witness with knowledge. Testimony that
a matter is what it is claimed to be.
901(b)(9) Process or system. Evidence describing a process or
system used to produce a result and showing that the process or
system produces an accurate result.
Example: Are Internet Archive pages admissible?
Authentication - In re Vee Vinhnee,
"...the focus is not on the circumstances of
the creation of the record, but rather on the
circumstances of the preservation of the
record during the time it is in the file so as
to assure that the document being proffered
is the same as the document that originally
American Express – credit card records.
In re Vee Vinhnee, 2005
"The logical questions extend beyond the identification of
the particular computer equipment and programs used.
The entity's policies and procedures for the use of the
equipment, database, and programs are important. How
access to the pertinent database is controlled and,
separately, how access to the specific program is
controlled are important questions. How changes in the
database are logged or recorded, as well as the
structure and implementation of backup systems and
audit procedures for assuring the continuing integrity of
the database, are pertinent to the question of whether
records have been changed since their creation.”
Factors for consideration of Digital
1. The business uses a computer.
2. The computer is reliable.
3. The business has developed a procedure for inserting data into the computer.
4. The procedure has built-in safeguards to ensure accuracy and identify errors.
5. The business keeps the computer in a good state of repair.
6. The witness had the computer readout certain data.
7. The witness used the proper procedures to obtain the readout.
8. The computer was in working order at the time the witness obtained the readout.
9. The witness recognizes the exhibit as the readout.
10. The witness explains how he or she recognizes the readout.
11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.
Federal Rule of Evidence 801:
Hearsay is generally not allowed
"Hearsay" is a statement, other than one
made by the declarant while testifying at
the trial or hearing, offered in evidence to
prove the truth of the matter asserted.
Exception: business records
Should Internet Archive records be
Telewizja Polska USA, Inc. v. Echostar,
Polska granted EchoStar a license to use its trademarks to market the
subscription package to its customers.
Agreement ended, EchoStar continued to use Polska's name and
Polska sued for trademark infringement
Polska filed a motion in limine to exclude several Echostar trial exhibits,
including screenshot printouts of Polska’s website from the Internet
Archive’s “Wayback Machine”
Plaintiff then contends that the exhibit has not been properly authenticated.
Attached to the exhibits is an affidavit from Ms. Molly Davis, verifying that
the Internet Archive Company retrieved copies of the website as it appeared
on the dates in question from its electronic archives. Plaintiff labels the
Internet Archive an unreliable source and claims that Defendant has not,
therefore, met the threshold requirement for authentication.
Telewizja Polska USA, Inc. v. Echostar
OUTCOME: Court finds affidavit from Internet
Archive employee sufficient for laying a
foundation and authenticating the Internet
snapshots of Plaintiff’s website and thus denied
motion in limine to limit evidence.
St. Luke's Cataract & Laser
Institute, P.A. v. Sanderson
2006 U.S. Dist Fla., 2006
“… affidavit from a previous litigation, without
more, is insufficient … However, an affidavit by
Ms. Davis, or some other representative of
Internet Archive with personal knowledge of its
contents, verifying that the printouts Plaintiff
seeks to admit are true and accurate copies of
Internet Archive's records would satisfy
Plaintiff's obligation to this Court.”
Authentication and Digital
When gathering data, make sure it is done
in a way that can be later authenticated in
a court of law.
Chain of custody.
Records of who, when, where, and how
the forensic analysis is done.
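The slide asks for records of who, when, where and how each step of the analysis was done, so that the evidence can be authenticated later under Rule 901. The following is an added example, not code from the slides or from Phillips Lytle: it fingerprints a constructed evidence image with SHA-256 and keeps a hash-chained custody log in which every entry commits to the previous one, so a later edit or deletion of an earlier entry is detectable. All names, times, device paths and bag numbers in it are constructed placeholders, and the log layout is this example's own, not any agency's standard form.

```python
"""Added example: a tamper-evident chain-of-custody log for a forensic image.
People, places, times and identifiers below are constructed placeholders."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # back-link used by the first entry


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory evidence image."""
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log: list, action: str, who: str, where: str, how: str,
                      evidence_hash: str, when: str = "") -> dict:
    """Append one custody event (who / when / where / how / what).
    Each entry carries the hash of the previous entry, so altering or
    removing an earlier event breaks verification of everything after it."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "when": when or datetime.now(timezone.utc).isoformat(),
        "who": who,
        "where": where,
        "action": action,
        "how": how,
        "evidence_sha256": evidence_hash,
        "prev_entry_hash": prev_hash,
    }
    # Canonical JSON (sorted keys) makes the entry hash reproducible.
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_custody_log(log: list, evidence: bytes) -> tuple:
    """Check that (1) every entry hashes to its recorded value and links to
    the previous one, (2) the evidence hash never changed across entries,
    and (3) the image held now still matches. Returns (ok, reason)."""
    current = sha256_bytes(evidence)
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["entry_hash"] != expected:
            return False, f"entry {i} was altered after it was written"
        if entry["prev_entry_hash"] != prev or entry["seq"] != i:
            return False, f"entry {i} breaks the chain"
        if entry["evidence_sha256"] != current:
            return False, f"entry {i} records a different evidence hash"
        prev = entry["entry_hash"]
    return True, "chain intact; evidence matches every recorded hash"


def demo() -> tuple:
    """Walk an image through acquisition, transport and analysis, then show
    that an undocumented edit of the log is caught."""
    # Constructed 'disk image'; a real one comes from a write-blocked acquisition.
    image = b"MBR\x00" + b"\x90" * 512 + b"user documents..."
    h = sha256_bytes(image)
    log: list = []
    add_custody_entry(log, "acquired", "J. Doe (examiner)", "client site, server room",
                      "write-blocked imaging of /dev/sdb (hypothetical device)", h,
                      when="2024-01-15T09:12:00+00:00")
    add_custody_entry(log, "transported", "J. Doe (examiner)", "lab evidence locker B3",
                      "sealed evidence bag #0001 (constructed id)", h,
                      when="2024-01-15T13:40:00+00:00")
    add_custody_entry(log, "analyzed", "A. Smith (analyst)", "forensic workstation 2",
                      "analysis on a working copy; original kept read-only", h,
                      when="2024-01-16T10:05:00+00:00")
    ok_before, reason = verify_custody_log(log, image)
    log[1]["who"] = "unknown"  # someone quietly rewrites the transport record
    ok_after, _ = verify_custody_log(log, image)
    return ok_before, reason, ok_after


if __name__ == "__main__":
    print(demo())
```

The hash chain does not replace a signed or externally witnessed log; it only makes silent edits detectable. In practice the log is exported together with the image hash so that the witness describing the process under 901(b)(9) can show the result is reproducible.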
Federal Rule of Evidence 702
“If scientific, technical, or other specialized
knowledge will assist the trier of fact to
understand the evidence or determine a fact in
issue, a witness qualified as an expert by
knowledge, skill, experience, training, or
education, may testify thereto in the form of an
opinion or otherwise."
Daubert v. Merrell Dow
U.S. Supreme Court, 1993
CLAIM: the drug Bendectin had caused the birth
EVIDENCE: Test tube and live animal studies were
conducted to show that Bendectin caused birth defects.
MOTION FOR SUMMARY JUDGMENT: no published
scientific study demonstrated a link between Bendectin
and birth defects
1. Empirical testing: the theory or technique must
be falsifiable, refutable, and testable.
2. Subjected to peer review and publication.
3. Known or potential error rate and the existence
4. The existence and maintenance of standards
and controls concerning its operation.
5. Degree to which the theory and technique is
generally accepted by a relevant scientific
Daubert and Digital Forensics
Selection of your forensic analysis tools and techniques should be made with the
Daubert factors in mind:
Has this software tool/procedure been tested?
Is there a known error rate of the procedure?
Tool Implementation Error is from bugs in the code or from using the wrong specification.
Abstraction Error is from the tool making decisions that do not have a 100% certainty: data reduction
techniques or by processing data in a way that it was not originally designed for.
Has the tool/procedure been published and subject to peer review?
Is this a commercially offered tool/technique or something developed in house?
Open source vs. proprietary software
“Diebold Admits to Decade-old Voting Machine Bug”
Is this tool/technique used by experts in the field?
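The Daubert questions above ask whether a tool has been tested and what its error rate is, and the slide distinguishes implementation error (bugs) from abstraction error (decisions the tool makes without 100% certainty). The following is an added example, not code from the slides: it validates a deliberately simple header/footer file carver against a constructed image whose contents are known in advance, and reports true positives, false positives and false negatives. The carver, the image layout and the offsets are all constructed for illustration; the point is the method of measuring a tool against a known answer, the same idea behind published tool-testing datasets.

```python
"""Added example: measuring a forensic tool's error rate against a
constructed known-answer image. The carver and the image are both
built here for illustration; nothing in them is real evidence."""
import random

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image: bytes) -> list:
    """Tool under test: return (start, end) offsets of every run that begins
    with a JPEG header and ends at the next JPEG footer. It assumes files are
    contiguous, and that assumption is its source of abstraction error."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append((start, end + len(JPEG_EOI)))
        pos = end + len(JPEG_EOI)
    return found


def build_known_image(seed: int = 7) -> tuple:
    """Construct a test image with documented ground truth: two intact files
    and one fragmented file whose halves are separated by free space that
    still holds a stale footer from a deleted file."""
    rnd = random.Random(seed)

    def filler(n: int) -> bytes:
        # Random bytes that never contain 0xff, so markers appear only where placed.
        return bytes(rnd.randrange(0, 0xff) for _ in range(n))

    img = bytearray()
    truth = []
    img += filler(64)
    for _ in range(2):                       # two intact, contiguous files
        start = len(img)
        img += JPEG_SOI + filler(200) + JPEG_EOI
        truth.append((start, len(img)))
        img += filler(100)
    start = len(img)                         # one fragmented file ...
    img += JPEG_SOI + filler(150)
    img += JPEG_EOI + filler(40)             # ... split by a stale footer in free space
    img += filler(150) + JPEG_EOI
    truth.append((start, len(img)))          # the real file spans the whole run
    img += filler(64)
    return bytes(img), truth


def error_rates(found: list, truth: list) -> dict:
    """Compare tool output with ground truth. A carved file counts as correct
    only when its offsets match exactly; anything else is a false positive,
    and every truth entry the tool did not return is a false negative."""
    truth_set, found_set = set(truth), set(found)
    tp = len(truth_set & found_set)
    fp = len(found_set - truth_set)
    fn = len(truth_set - found_set)
    return {
        "true_positives": tp,
        "false_positives": fp,
        "false_negatives": fn,
        "recall": tp / len(truth_set) if truth_set else 0.0,
        "precision": tp / len(found_set) if found_set else 0.0,
    }


def validate_carver() -> dict:
    """Run the tool on the known-answer image and report its error rates."""
    image, truth = build_known_image()
    return error_rates(carve_jpegs(image), truth)


if __name__ == "__main__":
    print(validate_carver())
```

On this image the carver recovers the two intact files, but the fragmented one produces both a false positive (a truncated file ending at the stale footer) and a false negative (the real file is never returned). Repeating this over a larger set of constructed images is what turns "the tool seems to work" into a stated error rate that an expert can defend under Rule 702.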
eDiscovery Overview
What exactly is discovery? - “the pre-trial phase in a lawsuit in which each party through the law
of civil procedure can request documents and other evidence from other parties or can compel the
production of evidence by using a subpoena or through other discovery devices, such as requests
for production and depositions.”
Data types include: e-mail & documents on hard drives, backup tapes, PDAs, CDs, etc.
Use in-depth automated searches
Costly – especially when data storage infrastructure is not in place.
Noncompliance - Courts are very unforgiving to parties who show signs of noncompliance with
Qualcomm, Inc. v. Broadcom Corporation (S.D. Cal. August 6, 2007) $8.5 million fine for withholding emails.
Need forward planning through:
1. a document retention and destruction policy,
2. data storage tools, and when litigation comes,
3. efficient management of e-discovery process.
Document retention and destruction policy:
How does a company determine how long to retain
The retention period of documents will depend on a
number of considerations, including:
the retention periods specified in state or federal regulations
pending or reasonably foreseeable lawsuits or government
proceedings relating to the subject matter of the documents
statutes of limitations.
In the absence of a specific legal duty to retain
documents a company will need to determine whether
there are business reasons to retain the documents and,
if so, how long such reasons will remain viable.
Sources of the legal duty to retain data
State and federal tax, labor, employment, and
Sarbanes Oxley Act
Litigation – legal duty to preserve relevant
Federal Rules of Civil Procedure (amended
Zubulake v. UBS Warburg LLC, 2004 WL
1620866 (S.D.N.Y. July 20, 2004)
Violations shall be fined and/or imprisoned for up
to 20 years. (Section 802 of the Sarbanes-Oxley
Desired characteristics of a document
Should be specific
when to destroy
who should destroy
Should be written
Should be followed consistently
Should not retain data you don’t need
Should be distributed to employees
Should be re-evaluated annually
Example Document Retention and
Suspension of the document
"Once a party reasonably anticipates
litigation, it must suspend its routine
document retention/destruction policy
and put in place a 'litigation hold' to
ensure the preservation of relevant
documents." (See Zubulake v. UBS
Warburg LLC, 2004 WL 1620866
(S.D.N.Y. July 20, 2004)).
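The retention-policy slides above call for a written, specific, consistently followed schedule, and the Zubulake quote requires that routine destruction stop for anything under a litigation hold. The following is an added example, not code from the slides or from any law firm: a small retention engine that applies a schedule by record category and checks active holds before the schedule, so a hold always wins. The categories, retention periods, records, custodians and the hold itself are constructed for illustration; real periods come from the applicable regulations and from counsel.

```python
"""Added example: a retention schedule with litigation-hold override.
All categories, periods, records and the hold below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed schedule: category -> retention period in days after creation.
RETENTION_DAYS = {
    "email": 365 * 2,
    "invoice": 365 * 7,
    "hr-file": 365 * 6,
    "temp-log": 90,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    custodian: str
    subject: str


@dataclass
class LitigationHold:
    matter: str
    issued: date
    custodians: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    active: bool = True

    def covers(self, rec: Record) -> bool:
        """A hold reaches a record by custodian or by subject-matter keyword."""
        if not self.active:
            return False
        by_custodian = rec.custodian in self.custodians
        by_subject = any(k.lower() in rec.subject.lower() for k in self.keywords)
        return by_custodian or by_subject


def disposition(rec: Record, holds: list, today: date) -> tuple:
    """Decide what to do with one record; return (action, reason).
    Holds are evaluated before the schedule so they always take precedence,
    and a category with no written rule is preserved and escalated rather
    than silently destroyed."""
    for hold in holds:
        if hold.covers(rec):
            return "preserve", f"litigation hold: {hold.matter}"
    period = RETENTION_DAYS.get(rec.category)
    if period is None:
        return "preserve", "no retention rule for category; escalate to records owner"
    expiry = rec.created + timedelta(days=period)
    if today >= expiry:
        return "destroy", f"schedule: {rec.category} expired {expiry.isoformat()}"
    return "retain", f"schedule: {rec.category} expires {expiry.isoformat()}"


def run_sweep(records: list, holds: list, today: date) -> list:
    """Return an audit trail (record_id, action, reason) for every record;
    destruction is a logged decision, never a silent side effect."""
    return [(r.record_id, *disposition(r, holds, today)) for r in records]


def demo() -> list:
    """Sweep a constructed record set with one active hold in place."""
    today = date(2024, 6, 1)
    records = [
        Record("r1", "email", date(2021, 1, 10), "alice", "Q4 sales forecast"),
        Record("r2", "email", date(2021, 1, 10), "bob", "Acme contract renewal terms"),
        Record("r3", "temp-log", date(2024, 1, 1), "system", "web server access log"),
        Record("r4", "invoice", date(2020, 3, 3), "carol", "Invoice 1234"),
        Record("r5", "video", date(2019, 3, 3), "dave", "lobby camera footage"),
    ]
    holds = [LitigationHold("Acme v. Us (constructed matter)", date(2024, 5, 20),
                            custodians={"alice"}, keywords={"acme"})]
    return run_sweep(records, holds, today)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two expired e-mails from 2021 get different outcomes here: one is held by custodian, the other by subject keyword, while the expired temporary log is destroyed on schedule. Releasing the hold (`active = False`) lets the schedule apply to those e-mails again, which is the moment the audit trail should show.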
Other Digital Forensic Related
Electronic Communications Privacy Act of 1986
US Patriot Act
Computer Security Act of 1987
Federal Privacy Act of 1974
Computer Fraud and Abuse Act
Economic Espionage Act
Certain legal considerations must be made
when performing a digital forensic analysis
to ensure that
No laws are broken that would subject the
investigator to criminal or economic liability
The evidence obtained is admissible in court