United States: High-Stakes Digital CSI

Last Updated: May 31 2016
Article by Matthew S. Adams and Jordan Kaplan

Matthew S. Adams and Jordan Kaplan authored the New Jersey Law Journal article, "High-Stakes Digital CSI."

Much ink has been spilled addressing the privacy and security arguments surrounding Apple's showdown with the U.S. Department of Justice (DOJ) earlier this year in connection with the massive law enforcement response and investigation into the most deadly terrorist attack on U.S. soil since Sept. 11, 2001. This is not another examination of those heavily debated legal issues. Rather, drawing on the facts that have been revealed publicly about the San Bernardino investigation, we set out here to present a case study on what can go wrong when digital evidence is mishandled, and to present a series of best practices for handling ESI—an acronym for "electronically stored information" that has been known to evoke dread and angst in even the most seasoned legal and investigative teams.

On Dec. 2, 2015, 14 people were killed and 22 were seriously injured at the Inland Regional Center in San Bernardino, California, in a despicable, abhorrent act of terrorism. The attack was carried out by Syed Rizwan Farook and Tashfeen Malik, a married couple that apparently had become radicalized jihadists somewhere along the way, despite otherwise conducting themselves as ordinary residents of a California suburb. The pair carried out their attack during a training event and holiday party for the San Bernardino County Department of Public Health. Farook was an employee of the San Bernardino County Department of Public Health, fueling speculation that his actions were those of a disgruntled employee who had lost his mind. Americans collectively watched as initial reports suggested another mass shooting in yet another soon-to-be infamous corner of the country. Soon, however, the dread worsened as an even more terrifying plot emerged, and the reality set in that a likely ISIS-inspired terror attack had occurred on American soil. That night, Farook and Malik were killed in a shoot-out with police, who confronted the pair on a California street. With their deaths, any chance that their motives and affiliations with larger plots would be uncovered through interrogation was lost. It would come down to the tedious investigative task of reconstructing the pair's entire lives, including their use of cellphones, computers and other digital media that have become the hallmarks of modern society.

That painstakingly laborious task unfolded largely out of the spotlight at first. Then, on Feb. 16, a U.S. magistrate judge sitting in the Central District of California entered an order requiring Apple, a purely private actor with no known involvement in the FBI's ongoing investigation other than to have designed, manufactured and sold the iPhone assigned to Farook by his employer, to assist the DOJ's investigation by overriding security features baked into the technology that drives the device occupying nearly 50 percent of the U.S. marketplace for smartphones. Apple, led by CEO Tim Cook, immediately took to an aggressive public relations campaign vehemently opposing the government's efforts, while Apple's lawyers sought to overturn the magistrate judge's Order in court. The story occupied headlines for nearly six weeks until, in late March, the DOJ announced that it had unlocked Farook's iPhone without Apple's help, and abruptly abandoned its quest to compel Apple's assistance with the investigation.

Like many issues with national security implications, one magistrate judge's ruling in California reverberated throughout Washington, D.C. In the midst of the legal battle between Apple and the DOJ, FBI Director James Comey testified before members of Congress regarding the San Bernardino investigation. Director Comey was forced to acknowledge that the FBI made significant missteps in how it handled Farook's iPhone in the investigation. Most specifically, Director Comey testified that when the shooter's iPhone was initially recovered, the FBI requested that the owner of the phone—Farook's employer, San Bernardino County—reset the password to the iCloud storage account linked to the phone. "I do think, as I understand from the experts, there was a mistake made in the ... 24 hours after the attack, where the county at the FBI's request, ... took steps that made it hard—impossible later to cause the phone to backup again to the iCloud." As a consequence of that early error in the investigation, a forensic examination of Farook's actual physical device became necessary to obtain the most up-to-date version of the data contained on it, setting off the very public debate that followed.

No person or agency is infallible. Setting aside the debate over privacy versus security that has flowed from the events of Dec. 2, 2015, there can be no question that the FBI's investigative intentions in the case were pure. Nonetheless, the FBI's acknowledged missteps in the San Bernardino terror case serve as a stark reminder that basic fluency in the collection of digital evidence is a prerequisite to practicing law in 2016. There are some very straightforward rules of the road that must always be followed when it comes to the collection of digital evidence that is to be used in a legal proceeding:

(1) Know the mechanics of the media upon which the evidence resides. The DOJ would not have been forced into the position it was with Apple had it thought through the precise way that data was stored on Farook's iPhone, and where duplicate copies of that data might reside. For lawyers, this does not mean obtaining a degree in computer science. Instead, it means using the skills of lawyering (questioning, deductive reasoning and critical analysis) to assemble the people most knowledgeable of the mechanics of the subject media to provide the necessary details. Where digital evidence can be secured from multiple sources, it should be secured from all of them to paint the most complete picture. Redundancy is never a bad thing when it comes to digital forensics, as backups frequently uncover data that was deleted in a more localized setting. With ESI, industry-standard de-duplication processes can easily eliminate the burden of multiple copies of the same thing by comparing the unique digital identifiers computed for each discrete file, like its MD5 hash value.

(2) Learn how your media was secured and how it has been used. Just as the FBI no doubt learned early on that Farook's iPhone and related cloud storage accounts were actually the property of his employer, implicating a host of time-saving Fourth Amendment consent-to-search issues, an awareness of how media was secured and how it has been used can be the difference between a dump of meaningless data from a digital forensics analysis and finding the smoking gun. For example, one of the primary ways that data theft occurs is by use of portable storage media, like external hard drives and USB drives. So-called "link file analysis"—a means of correlating the use of such portable devices on a computer with access to certain data residing either on that computer or on a server, based upon forensically extracted timeline data—is a powerful way to prove the where, when, how and sometimes who pertaining to a breach. Yet discrete digital media standing alone, without details on how they were used and procured, would not provide the details necessary to conduct such a useful correlative analysis.

(3) Prepare and rehearse a collection plan. The well-known axiom "measure twice, cut once" is very fitting here. The benefit of a table-top data collection exercise before an actual collection attempt is made cannot be overstated. A rehearsal will often point out flaws in your plan, or can identify weaknesses and vulnerabilities with the subject data. Even if certain variables cannot be overcome, knowing what they will be when it is time for the actual collection does not always come from abstractly pondering the plan alone. Live simulation tends to work out, or at least identify, the kinks before they impede your collection efforts.

(4) Execute the collection plan under forensically acceptable conditions. Collecting digital information is not like making a photocopy, unless, of course, forensically acceptable methods are employed. The simple reason for this is that digital evidence contains metadata, or descriptive data about the data. ESI is a multidimensional, layered composite of discoverable information, the totality of which is relevant and necessary to a complete understanding of the weight, scope and overall import of the ESI as a piece of evidence in the case. Without the multidimensional composite, the ESI lacks reliability, may not be capable of authentication, and, because of the manner in which ESI is maintained, is easily manipulated, corrupted and/or deleted. Simply stated, a one-dimensional snapshot of ESI is worse than a photocopy of only one side of a double-sided paper document. Because lawyers are not, for the most part, digital forensics experts, they are not accustomed to operating under forensically acceptable methods such as, for example, the use of a write-blocking device when copying digital media to avoid alteration of metadata. This, coupled with the likely need for testimony to authenticate and lay the foundation for the evidence, invariably means that a digital forensics expert must be employed to collect the data. Beware: "dragging and dropping" files, copying and pasting information and saving open files onto a new drive or device do not constitute forensically acceptable conditions. The main problem with non-forensic data collection is that important metadata is overwritten and replaced, metadata which could play a vital role in the over-arching investigation that led to the data collection in the first place.

(5) Preserve originals and only conduct analysis from duplicates. There are frequently many layers of review necessary to a complete understanding of what, if any, role ESI will play. Some analysis, especially analysis by lawyers who frequently do not have readily at their disposal the type of complex software packages that allow data to be reviewed without alteration of the underlying source data, may inadvertently modify aspects of ESI like metadata. For example, a review of a USB drive's worth of Microsoft Excel spreadsheets will corrupt the underlying data if that review is conducted by a lawyer simply plugging the drive into his or her computer and exploring its contents. At the very least, if such a review is to take place, it should be done from a forensically copied image of the source drive that is specifically designated as a "Review Copy Only," to make clear that it is being used for informational purposes only and that any alteration of its contents has no bearing on the evidence, while the original and any other forensic copies of the original are safely stashed away in a secure location.
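An added example (written for this page, not code from the article or its authors) that puts principles (1), (4) and (5) into practice: it hashes files collected from two sources, de-duplicates them by digest while still recording every location each file was found in, and re-verifies a designated review copy against the original's hash manifest so that a reviewer's accidental edit is caught before anyone relies on it. The evidence directories and file contents are constructed; MD5 is recorded because the article names it, with SHA-256 alongside, since known MD5 collisions make it unsuitable as the sole identifier.

```python
from __future__ import annotations
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536  # read files in 64 KiB pieces so large images do not load into memory


def file_digests(path: Path) -> tuple[str, str]:
    """Hash one file. MD5 is the identifier the article names; SHA-256 is the
    collision-resistant digest a forensic manifest should also record."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def build_manifest(root: Path) -> dict[str, tuple[str, str]]:
    """Map each file's path relative to root -> (md5, sha256)."""
    return {p.relative_to(root).as_posix(): file_digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def dedupe_sources(sources: dict[str, Path]) -> dict[str, list[str]]:
    """Group files from several collection sources by SHA-256, so one copy of
    identical content is reviewed while every location it came from is kept."""
    groups: dict[str, list[str]] = {}
    for name, root in sources.items():
        for rel, (_, sha) in build_manifest(root).items():
            groups.setdefault(sha, []).append(f"{name}:{rel}")
    return groups


def verify_copy(manifest: dict[str, tuple[str, str]], copy_root: Path) -> list[str]:
    """Re-hash a review copy against the original's manifest; return the
    relative paths whose content no longer matches (missing files count too)."""
    bad = []
    for rel, digests in manifest.items():
        target = copy_root / rel
        if not target.is_file() or file_digests(target) != digests:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed sample evidence: a laptop and a cloud backup of it."""
    base = Path(tempfile.mkdtemp())
    laptop, backup = base / "laptop", base / "cloud_backup"
    (laptop / "docs").mkdir(parents=True)
    backup.mkdir()
    (laptop / "docs" / "memo.txt").write_bytes(b"meeting notes 2015-11-30\n")
    (laptop / "docs" / "budget.xlsx").write_bytes(b"PK\x03\x04fake-xlsx-bytes")
    (backup / "memo.txt").write_bytes(b"meeting notes 2015-11-30\n")  # duplicate
    (backup / "deleted_plan.txt").write_bytes(b"only survives in the backup\n")

    groups = dedupe_sources({"laptop": laptop, "cloud_backup": backup})
    original = build_manifest(laptop)          # manifest taken before any review
    review = base / "REVIEW_COPY_ONLY"
    shutil.copytree(laptop, review)
    clean = verify_copy(original, review)      # fresh copy: nothing mismatches
    # A reviewer opens the spreadsheet and saves it: content (and hash) changes.
    with (review / "docs" / "budget.xlsx").open("ab") as fh:
        fh.write(b"\nautosave")
    tampered = verify_copy(original, review)   # the edited file is flagged
    shutil.rmtree(base)
    return {"files": sum(len(v) for v in groups.values()), "unique": len(groups),
            "multi_location": [v for v in groups.values() if len(v) > 1],
            "clean_mismatches": clean, "after_review_mismatches": tampered}
```

Running `demo()` shows four collected files collapsing to three unique items, the memo being recorded in both locations, and the review copy failing verification only after it was touched.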

Most lawyers will never be forced to reveal a data collection blunder to Congress the way that FBI Director Comey had to when discussing the San Bernardino terror attack investigation. Yet, as reflected in most modern frameworks for the collection and production of ESI, such as the protocols developed by the Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), which state as "Principal One" that "[l]awyers have a responsibility to have an adequate understanding of electronic discovery[,]" it is apparent that attorneys must have at least a basic grasp on electronic discovery—from collection to production—in order to carry out their ethical responsibilities to their clients. Accordingly, the basic principles for ESI collection discussed herein are a necessary starting point considering the abundance of ESI that has become such a ubiquitous component of our daily lives.

Previously published in the May 23 issue of New Jersey Law Journal.
