Legal Process

Legal matters start before any legal filing takes place, and at any time, any system or content might be involved in some aspect of a sequence of events that ultimately leads to a legal matter. As a result, the processes associated with DFE should be part and parcel of every entity's operations at all times. There are defined legal duties to protect and preserve DFE and these have been substantially explored in the literature. [9] The discussion provided herein is based on a loose interpretation of the sequence of events that takes place in legal matters. The actual sequence depends on the specifics of the jurisdiction, the matter at hand, the parties involved, and other case-specific factors.

Pre-Legal: Before the first paper is filed for a legal proceeding, entities have responsibilities to preserve evidence that could be reasonably anticipated to be involved in litigation. For corporate entities, this entails the creation and operation of a policy and process associated with records retention and disposition. For individuals, the standards are far more lax; however, any situation in which a legal matter is anticipated leads to duties to preserve evidence. The simplest strategy for individuals is to do regular backups of digital information and, if a legal matter seems to be looming, make a copy of everything and put it somewhere safe. For corporate entities and other businesses, government entities, or organizations, the issue is far more complicated.

Entities have a responsibility to preserve their records for many legal reasons as well as for reasonable and prudent operations. [9] Some records, such as contracts, publications, historical data associated with patents and other intellectual property, prices charged, and fees paid, are retained for business and legal reasons as evidence of the activities of the entity. Other records, such as records of expenditures and income, are retained for external legal reasons such as government regulations and meeting reporting requirements. Still other records, such as electronic mail, internal memoranda, operating manuals, and notes on what happened and when, are retained for internal use, entity long-term memory, and convenience.

Where there is a legal mandate to retain records associated with regulatory bodies, such as tax records, records of controlled substances, employee records, and so forth, entities must retain these records for the legally mandated period, and the entity record retention and disposition process should define these minimum times and identify disposition processes and times after legal limits are reached. Where no such mandate is in place, entities should operate for their own operational efficiency, effectiveness, and convenience, should codify these operational, efficiency, and effectiveness requirements and decisions, and should follow these decisions rigorously. In addition, statute of limitations requirements limit the utility of certain information in certain circumstances, and these statutes should be built into the records retention and disposition process in helping to make decisions about time frames. In all cases, a well-defined retention and disposition process should be in place, operated, and verified in its operation. A legal hold process should also be defined and put in place to assure that prior to disposition of any records that can reasonably be anticipated to be required for any legal proceeding, all legal holds on those records are cleared, and when a legal hold has cause to be in place, appropriate records are preserved and prevented from being disposed of.
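The retention and legal hold gating described above, as an added illustration that is not part of the original text: a small Python model in which each record category has a codified minimum period (mandated or operational), a record becomes eligible for disposition only after that period, and any open legal hold blocks disposition until the hold is released. The rule periods, record ids and matter ids are constructed sample values, not figures from any statute.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class RetentionRule:
    category: str
    minimum_days: int   # legally mandated period, or the entity's own codified minimum
    mandated: bool      # True when the minimum comes from a regulator or statute


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_holds: set = field(default_factory=set)  # ids of matters holding this record


@dataclass
class Decision:
    record_id: str
    action: str        # "retain" or "dispose"
    reason: str
    eligible_on: date  # earliest date the retention period alone would allow disposition


def disposition_decision(record: Record, rules: dict, today: date) -> Decision:
    """Apply the retention period first, then clear every legal hold, before disposing."""
    rule = rules.get(record.category)
    if rule is None:
        # No codified rule: the process says decisions must be codified, so never dispose silently.
        return Decision(record.record_id, "retain", "no codified rule for category; escalate", today)
    eligible_on = record.created + timedelta(days=rule.minimum_days)
    if today < eligible_on:
        kind = "mandated" if rule.mandated else "codified operational"
        return Decision(record.record_id, "retain", f"inside {kind} retention period", eligible_on)
    if record.legal_holds:
        holds = ", ".join(sorted(record.legal_holds))
        return Decision(record.record_id, "retain", f"legal hold in place: {holds}", eligible_on)
    return Decision(record.record_id, "dispose", "retention period elapsed and no holds", eligible_on)


def place_hold(records: list, matter_id: str, categories: set) -> int:
    """Hold every record in the named categories for a matter; returns how many were held."""
    held = [r for r in records if r.category in categories]
    for r in held:
        r.legal_holds.add(matter_id)
    return len(held)


def release_hold(records: list, matter_id: str) -> int:
    """Clear a matter's hold once the legal matter no longer requires the records."""
    released = [r for r in records if matter_id in r.legal_holds]
    for r in released:
        r.legal_holds.discard(matter_id)
    return len(released)


def run_schedule(records: list, rules: dict, today: date) -> dict:
    """Map record id to the action the retention and disposition process would take today."""
    return {r.record_id: disposition_decision(r, rules, today).action for r in records}


# Constructed sample: a mandated 7-year category and a 1-year operational category.
SAMPLE_RULES = {
    "tax": RetentionRule("tax", 7 * 365, mandated=True),
    "email": RetentionRule("email", 365, mandated=False),
}
SAMPLE_RECORDS = [
    Record("R1", "tax", date(2015, 1, 1)),
    Record("R2", "email", date(2023, 1, 1)),
    Record("R3", "email", date(2024, 6, 1)),
]

if __name__ == "__main__":
    today = date(2025, 1, 15)
    place_hold(SAMPLE_RECORDS, "matter-A", {"email"})
    print(run_schedule(SAMPLE_RECORDS, SAMPLE_RULES, today))
    release_hold(SAMPLE_RECORDS, "matter-A")
    print(run_schedule(SAMPLE_RECORDS, SAMPLE_RULES, today))
```
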

Prior to the first filing, and contemporaneous to events of interest, it is important to identify, collect, and assure the proper storage and handling of any content that might be involved in a legal matter. Perhaps the most important things to do contemporaneously are things that can preserve evidence that tends to change over time or will not exist past a particular time frame. For example, network traffic and voices disappear as they are consumed unless explicit preservation is undertaken at the time they occur. When investigating or acting on digital forensic evidence or matters related thereto, it is often helpful to take notes at the time the activities are undertaken and to retain them as contemporaneous evidence of what took place. Similarly, things like network addresses and host names, network-based lookups, and related information, including versions of software in use and other related configuration information, should be collected contemporaneously because these things tend to change with time, and records of their changes are not uniformly kept. Contemporaneous time and date information, when relevant, performance levels, as measured at the time, and justifications for decisions, as they are made, are best documented contemporaneously.

Digital forensic experts brought in prior to the legal process may be used for a wide range of efforts, including, without limitation, internal investigations, preparation for potential legal work, the creation of forensic data collection and processing capabilities, analysis of potential evidence, and so forth. While these may seem to carry a lower standard of care than work during the legal process, the DFE expert should realize that the work they do in preparation may end up questioned at trial. Reasonable and prudent efforts should be applied, proper contemporaneous information should be collected as appropriate to the matter at hand, and all of the elements of the evidence process should be respected, even though no legal action has been filed.

First Filing: As of the first filing in a legal matter, a series of events with time limits starts to occur. Historical events that apply to the legal matter are limited by statute of limitations limits depending on the nature of the charges and specifications and the jurisdictions that apply. The Constitution of the United States [15], as well as many other similar legal mandates from other jurisdictions, requires (in the 6th amendment) "In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial,...". The right to a timely trial means that the period from the first legal filing to the start of the trial must be short. But beyond this, courts set calendars and require that they be met. Late filings result in adverse rulings, and as a result, there is often a rush in the legal system for those who are working on issues related to evidence.

In most legal matters, before the force of legal process can be used to secure and process evidence, a legal action must be filed. For example, before a subpoena can be issued, a lawsuit normally has to be filed. The first filing then triggers notice and preservation requirements and allows legal papers to be filed to compel actions on parties.

Notice: Notice is given of various things during the legal process, starting with notice of the existence of a legal action. Various sorts of non-disclosure, confidentiality, work product, documentation, and other sorts of requirements are given in various forms throughout the legal process. Because the legal environment tends to be relatively unforgiving of those who fail to comply with judicial orders and similar things, it is important to respect all of the notices given and to communicate all such notices with appropriate legal staff in a timely fashion. In the case of an entity that is given notice of a legal matter, it is important to start the legal hold process within the data retention and disposition process, and to immediately and accurately identify, collect, and preserve all relevant evidence. Once notice is given, there is a duty to preserve evidence.

Preservation: In many cases, preservation orders are given with respect to evidence. It is important to get timely preservation orders in order to assure that critical evidence is not lost. The DFE expert is often called upon to assist the legal team in identifying the sources and nature of evidence that should be sought, and this is often codified in preservation orders and the language of demands for evidence. Timeliness requirements stem largely from the data retention and disposition issues related to different entities. For example, many Internet Service Providers (ISPs) only retain records for periods of days to weeks, and in some cases, intentionally avoid retaining records to facilitate anonymity for their clients. Jurisdictions sometimes mandate preservation of particular data, like calling information not including the content of calls, as part of their national security or other legal mechanisms, but gaining access to this sort of data requires effort on the part of the legal team, and the costs of such actions may exceed the value they bring to the legal matter. Courts often rule, particularly in civil matters, that the value of the evidence in terms of its probative utility is exceeded by the cost of production, and this effectively limits the preservation and production process in some cases.

Productions: Documents are typically produced either as part of disclosures made by the parties or as productions in response to legally authorized demands by parties. These productions and disclosures constitute the bulk of the digital forensic evidence in most cases, but they also include information that brings context to the evidence, including the claims being made, assertions by the parties, and the basis for those claims and assertions. Analysis of the evidence should yield results that are consistent with truthful disclosures. When there are inconsistencies, or when the basis is not adequate to support the contentions made in the claims or disclosures, the digital forensics expert is typically tasked with identifying and clarifying such inconsistencies and lack of basis, and the results of these efforts form the basis for effective challenges to the evidence and the legal case.

Disclosures and productions are often applied tactically by the parties to make their case while preventing challenges. For example, it is fairly common for parties to disclose printed copies of digital information but not offer the digital forensic evidence. In such a case, it is the responsibility of the other side to demand original writing in digital form so it can be forensically analyzed. Large volumes of data are sometimes provided and select data contained within those large volumes may contain the key information required to understand what took place. It is the responsibility of the party receiving such volumes of data to go through it all and, when that data indicates the presence of other systems or content, to identify those systems and content for further demands of disclosure.

Disclosures: To the extent that a disclosing party intentionally subverts the process and intentionally creates high levels of effort by the other party without basis, it is sometimes possible to get sanctions against the offending party, particularly when the aggrieved party can show that the other side knowingly and intentionally misled. The DFE expert who identifies such instances and helps to bring about those sanctions is bringing added value to their side of the case, because the other party may have to pay for the cost of much of the legal effort and the fees of the expert in analyzing materials that were needlessly produced when they were known to be irrelevant, or productions that were contrary to the judicial orders in the matter.

The DFE expert will often write a report on a legal matter and this report will be disclosed to the other parties at some point in time. For a discussion of such reports, the reader is advised to review [1].

Depositions: Depositions are testimony given with lawyers present and a legal recording made of the proceedings. The questions are typically asked by the other side, and the answers are sworn testimony that bears all of the same requirements of testimony in open court. Witnesses, including experts, are typically deposed prior to trial so that the attorneys can gain valuable information related to the matter at hand and to which they have a right. The right to face one's accuser [15] (the fifth amendment) includes the right to question them and any and all witnesses that may be brought. This means that the DFE expert who will ultimately write a report or testify in open court will be deposed, and that the DFE expert may be asked to offer assistance to lawyers who will be deposing the opposition when the issues relate to DFE.

DFE experts brought in to help lawyers prepare for depositions have a somewhat different role. For example, they may help to identify and prepare items of evidence that will be used in questioning a witness. They may help the legal team identify the proper sequence in which to present questions in order to make a series of legal points, and provide specific items of evidence that allow those questions to be pursued one after the other. For example, to get a witness to admit that they don't know how a process used to develop evidence actually took place, they might provide an example for the lawyer to show the witness, with a set of specific questions related to the piece of evidence. Depending on the answers given, different following items of evidence might be presented that show that the answers given were not correct. The witness may end up contradicting themselves, or admitting the limits of their knowledge of the facts in the case, and this might result in the evidence and the witness losing their credibility. Of course the same may be done by the opposition, and that is why the DFE expert has to understand these issues even if they are not being asked to help the lawyers prepare for a particular witness.

As the subject of depositions, the DFE expert has a legal obligation to tell the truth, and of course failure to do so may result in enormous problems and legal implications for the expert. But this is only the beginning of the issues that the expert faces. Great care should be taken in answering questions and great precision should be sought in the application of those answers. In many cases, experts answer too quickly, interrupt the questioner, don't answer fully, answer things that were not asked, and make other similar mistakes. [1] Preparation for depositions should be undertaken with the lawyers in the case, and it is always advisable to do a practice deposition the day before the real one to reduce the stress and get a sense of the sorts of questions that will be asked in the particular case and to make certain that the answers are precise, accurate, and address the questions. The DFE expert should think through the totality of issues involved in the matter and recognize the limits of what they may be able to testify about as well as the features so that they are prepared for the potential sequences of evidence and questions they may be asked.

Motions: Motions in legal matters are often accompanied by expert reports relating to the evidence, and when the evidence in question is digital in nature, the DFE expert will likely end up writing those reports, or at least signing off on declarations written by lawyers. It is vitally important that all such declarations and reports in support of motions or used in legal matters be carefully written and as precise and accurate as the expert can make them. While most non-legal environments instill a sense of coming to consensus and writing an agreeable work product that others will like or buy into, in the legal environment, and particularly in support of motions, it is the precision and accuracy of the product that matters. In such a situation, the DFE expert is writing an opinion based on facts and properly applying a scientific methodology. The DFE expert is the final authority on such a report and must not be convinced by others to say things that they do not truly believe to be the case or things that they do not believe can be demonstrated by the proper application of scientific methodology to evidence in the case.

Typically, the results of such writings are "facts" asserted to be true by the side proffering them. The other side has an opportunity to dispute these facts, but if they are undisputed, they become legal facts for the case, and as such, constitute the basis for the trier of fact to make a judgment. If they are disputed, the other side had better have an expert who also has a scientifically based methodological approach that, using the same evidence, shows that the things one expert asserts as fact are not in fact true. This direct sort of difference of opinion is relatively rare when properly qualified experts testify in legal matters, and in the case of DFE, it is almost never the case that the experts disagree on the bits. Almost all interpretations of the bits in the DFE arena are testable, and the other side may well test them, just as the DFE expert may be asked to test interpretations presented by the other side.

Sanctions: Motions can also result in the exclusion of evidence that may be vital to a case, limits on the interpretation of evidence, the removal of an expert from a case, or any of a wide range of other outcomes, including the end of the proceedings and termination of the case. Motions are used to get sanctions, limit admissibility, and for essentially all other aspects of a legal matter.

Admissibility: Admissibility is covered in more detail here.

Pre-Trial: In addition to motions and other legal maneuvering, before trial, DFE must be analyzed, interpreted, attributed, sometimes reconstructed, and prepared for presentation. This includes the preparation of reports, exhibits, and demonstrations, preparation for testimony, and assistance in challenging the testimony of others.

Report preparation consists largely of describing the context of the report and the background of the individual preparing it, the processes and tools used related to the evidence at hand, the interpretation and attribution of the evidence in light of the case, and expert opinions related to the evidence and the context of the case. Depending on the specifics in the matter and the interests and requirements of the legal situation, the report may contain many citations and attachments. In some cases, very short reports are provided, and many lawyers believe that judges will not read more than a few pages of an expert report, but some cases call for a great deal of detail, cover hundreds of thousands of claimed items of evidence, and involve many complex issues.

Exhibits that support expert opinions have to be accepted by the court and meet standards of admissibility, including being reviewed by the other parties to the case and challenged on all of the factors involved in admissibility. Complex areas of digital forensics may include a short tutorial given to the trier of fact on the underlying operation of the systems involved, such as a depiction of what an IP datagram consists of and how a particular protocol works, with examples provided that are relevant and that demonstrate the issues in the case. Live demonstrations, such as a session in which an email is sent using manual entry of the protocol elements, received by a receiving computer, and the logs and output generated are shown to the jury, are far less common than written reports with examples demonstrating these activities and assertions that these accurately represent the events that transpired. This is not only because live demonstrations are less reliable than pre-recorded ones, but also because these sorts of reconstructions are sometimes more prejudicial than probative, take a lot of time, and are rarely important enough to the legal matter to justify their use. They are also subject to challenges and live counter-demonstrations, and are thus problematic. The most common type of evidence shown to a jury is a computer printout or a large chart that is prepared before the trial and used to bring clarity to the trier of fact. Increasingly, courts are using video displays to show these sorts of charts and other similar evidence, and these technical means of presentation have to be prepared, shown to the opposition, and presented as evidence supported by expert testimony.

Notes, draft reports, emails, FAXes, and other exchanges of information of which there are records, are often subject to discovery by the other side. As a result, in the pre-trial phase, it is important to use special care in handling and creating these materials. In many cases, counsel makes the requirements for such handling clear in advance of the work by the expert. But in all cases, the well prepared expert should anticipate the needs of handling for DFE and have systems and processes in place to avoid the pitfalls before falling into them. [1]

Testimony: The expert or lay witness who presents digital forensic evidence in front of the triers of fact normally does so live and in person. The members of the jury or the judge trying the case are typically sitting within a few feet of the witness who is asked specific questions similar to those given in a deposition. Evidence is brought up in front of the court and is readily visible to the witness and trier of fact as the expert explains what it is, how it came to be, how it is interpreted, and what it means. Cross-examination allows other parties to ask questions about the evidence and the opinions, and to identify inconsistencies between what is said at trial and what was said in reports and depositions.

Most judges and juries do not have expertise in computers, programming, electronics, or other aspects of DFE, just as they usually know little about the chemistry of DNA or the fluid dynamics of blood as it spatters. As a result, the expert witness is tasked with educating the trier of fact about the underlying facts and the nature of the systems that create, process, store, communicate, and present the DFE. For this reason, the expert usually has a lot of explaining to do, and much of it is about things that most experts find to be rudimentary. However, this explaining lays the foundation for the detailed conclusions and opinions that the expert gives and that make the difference in the case, and it must be accurate and precise, while still explaining the issues to people who don't know much about the subject. As such, it is a challenge.

This explanation of detailed scientific methodology and its proper application applies to each and every step of the process associated with the evidence, and each of those steps may be challenged by the other parties to the case. It is vital that the expert testifying about such evidence be able to explain why they have the opinions they have, how they came to those opinions, and at a detailed level, the mechanisms that cause the opinion they give to be correct. Legal cases have turned on experts who were or were not able to explain the operation of the file system from which they collected DFE and how that file system is used by the low-level system calls within the operating system on the computer that was examined. It is all too easy to answer questions in such a way that they are easily challenged, to assert knowledge that is not really clear, to become sloppy and make guesses, to make a miscalculation, or to make other sorts of errors, particularly when answering complex questions in real-time in front of strangers.

Disposition: After all of the other aspects of a case are done, regardless of who wins or loses, the DFE often has to be disposed of in keeping with court orders. Legal matters rarely require that the evidence be destroyed using techniques that are difficult to apply, but it is common that confidential information must be removed using reasonably sound techniques so as to assure that it is no longer available to the expert or anyone else. This includes backup copies, data collected by internal search mechanisms, cached copies, copies on paper, tape, and other media, and copies residing on all affected systems and peripherals. For this reason, it is useful for the DFE expert to use special precautions when originating, processing, and storing materials related to legal cases so that the back-end process does not become complicated or overly burdensome. While it is prudent to keep backups, keeping them also implies the need to remove copies from those backups.