Picture this scenario: You’re navigating a case that requires you to dive deep into the information stored within the opposition’s cell phone. The judge has issued an order for the examination, and now it’s time to establish a protocol that outlines how this process will unfold. Each case presents its own unique challenges and nuances, which is why crafting a tailored protocol is essential. While courts may have their preferences, certain elements of the protocol should be rooted in industry best practices. In this post, we’ll explore various scenarios, share practical considerations, and offer valuable insights to help you navigate the intricate world of cell phone examination protocols.
Example Scenarios
Let’s take a look at a few example scenarios. In these scenarios, we’ll say the defendant’s phone is the evidence device to be examined. Certainly, the plaintiff’s phone could be an evidence device, but in most of the cases I’ve worked on, the defendant’s phone contained the evidence in question.
One Expert, No Protocol
In this scenario, the plaintiff has an expert, but the defense does not. The defense doesn’t object and has not requested any limitation on the examination. This one is easy. The defendant can surrender the phone defendant’s counsel, who transfers it to plaintiff’s counsel, who can ship it to the expert. The expert can then extract a forensic image at a time and place of the expert’s choice. The expert can return the evidence device and examine the forensic image at his or her leisure and produce reports without restriction.
One Expert, Limited Production
This scenario is basically the same as the first with the exception that the defense counsel has limited the production to a certain timeframe and protects privileged information. The expert can not limit the forensic image to certain timeframes or certain types of data, but he or she can limit what is produced in the reports.
Two Experts, One Extraction
In this scenario, both plaintiff and defense have experts. The defense expert extracts a forensic image from the evidence device, and either provides reports or the entire forensic image to the plaintiff expert. This can be done remotely, or at a time and place agreed upon by both parties with both experts present. In a case like this, both experts must have access to the same forensic tool. I use the Cellebrite Universal Forensic Extraction Device (UFED), which is the industry standard and the best tool I’ve found. There are other forensic tools for cell phones, like Oxygen, XRY, Blacklight, and more. If the defense expert’s uses UFED to obtain a forensic image, the plaintiff’s expert may not be able to examine the image if he or she is using Oxygen. If you are in the plaintiff counsel position for a case like this, I would strongly recommend arguing for receiving the forensic image rather than just the reports.
Two Experts, Two Extractions
In this case, both experts appear at an agreed time and place and each conducts his or her own extractions. The location could be a conference room in one attorney’s office, one expert’s office, or a neutral location. Both experts would bring their equipment and obtain the forensic image from the evidence device. The experts can take the forensic images and examine then at their leisure. In this case, the experts would not need to have access to the same forensic tools.
Issues to Consider
Collaborating with Experts
Developing a solid protocol requires collaboration with experts who are well-versed in the nuances of digital forensics. Your expert can provide invaluable insights into industry best practices and the latest techniques for evidence extraction. By leveraging their expertise, you can create a protocol that not only aligns with legal requirements but also stands up to the scrutiny of the court.
A non-disclosure agreement
Data security is a top concern when it comes to cell phone examinations. Non-disclosure agreements play a pivotal role in maintaining trust and protecting sensitive information. By implementing these agreements, you provide your client with the assurance that their data will be handled confidentially. Whether there’s privileged information or potentially embarrassing data on the phone, a well-structured non-disclosure agreement can set the tone for the entire examination process.
Secure Preservation Methods prior to the extraction
But before diving into the examination itself, there’s the critical step of evidence device preservation. Preserving the device ensures that the information you’re about to extract remains intact and unaltered. We recommend advising the user to stop using the phone as soon as a preservation letter is sent. Additionally, having legal counsel take custody of the phone adds an extra layer of security. This step prevents unintentional data loss caused by continued use of the device.
Chain of Custody
Maintaining a secure chain of custody is paramount. It’s not just about following legal standards; it’s about demonstrating the integrity of the evidence throughout the entire process. If there is only one expert, the chain of custody might look like this: User to defense counsel to plaintiff counsel to FedEx to plaintiff’s expert. Returning the phone would be the reverse. If this case has multiple experts and the extraction is to be held at a certain location, the user’s counsel could provide the phone at the time of the extraction. This ensures that the evidence remains untainted, and its authenticity can be upheld in court.
The location of the extraction of a forensic image of the evidence device
Determine the location of the extraction. If there is only one expert, it can be the expert’s office. If there are multiple experts, and the extractions are to be done at the same time, identify a location most convenient to all parties. This may be one attorney’s office, one expert’s office, or a neutral location such as the court’s conference room.
Date of extraction, or timeframe
Identify the date of the extraction, or a timeframe. In a case with multiple experts, coordinate with all parties to determine an acceptable date. If there is only one expert, a no-later-than date to complete the extraction would be appropriate.
Parties to be present for the extraction of the forensic image
Sometimes the attorneys would like to be present for the extraction. If at least one attorney from one side is present, I recommend having an attorney from the other side present as well. If the extraction is to be done remotely at the expert’s convenience, this is not an issue for the protocol.
Tools to use to obtain the forensic image
Contact your expert to see what forensic tool he or she prefers and contact the opposition to see what tool their expert prefers. Hopefully both experts have a tool in common. If not, have the experts speak with each other so they can find some common ground. Your expert should not be limited to one tool, but tools common to both experts should be considered.
Parties to receive a copy of the forensic image
If only one of the experts is to perform the extraction, find agreement with the opposition as to who may retain a copy of the forensic image.
Location of the examination of the forensic image
If both experts were present for the extraction, but only one party is authorized to keep a copy of the forensic image, the opposition may want their expert present for the examination as well. The easiest way to schedule this is to go straight from the extraction to the examination. Consider this when scheduling a location for the examination.
Limitations of time and privileged information in the report
If the party representing the user of the phone wants to limit production, ensure the terms of limitation are agreed upon and included in the protocol.
Who received copies of the report
Determine who receives copies of the report and how. The expert should provide the completed report to his or her client/attorney. From there, the report can be submitted to the court, and the opposition can obtain their copy from the court. You can follow your normal procedure for dissemination of the report, but I don’t recommend having your expert provide a copy of the completed report directly to the opposition.
A timeline with no-later-than dates for each event
I recommend having no-later-than dates included in the protocol to ensure it progresses without delays. Start with the report date and work backwards. Consult with your expert to see how much time each step would reasonably take and add a buffer.
Who maintains custody of the evidence device after the extraction
Determine where the evidence device will go after the examination. If the user is present, and you don’t intend to maintain the phone as evidence, it can go directly back to the user. Other options are to have the expert, the attorney representing the user, or the court maintain it.
If and when the extraction is to be deleted from the expert’s files
Almost all of our phones have some kind of confidential or potentially embarrassing information on them. That could range from banking information to pictures taken during a night of overindulgence. You may have it written into the protocol that all copies of the extraction are to be deleted after the expert has had a reasonable time to examine it.
Conclusion
In crafting a cell phone examination protocol, there’s no one-size-fits-all solution. The protocol must be tailored to the unique circumstances of each case, guided by industry best practices and legal standards. Make sure to include your expert when developing the protocol. I hope you find these recommendations valuable. By developing a protocol that embodies these principles, you’ll be better equipped to navigate the intricacies of evidence extraction in the digital age.