What Every Attorney Needs to Know about Computer Forensics, Part 3: What Criminal Defense Attorneys Need to Know about Computer Forensics

July 6, 2016 - from DisputeSoft's G. Hunter Jones

When our computer forensics experts are engaged on a criminal case, our client is almost always counsel for the defense. Most law enforcement jurisdictions have in-house Computer Forensics specialists; thus most of our forensic engagements come from defense counsel rather than the prosecution. Thus, most of the work performed by our Computer Forensics experts is directed toward rebutting or challenging evidence presented by the prosecution.

Evidence derived from Computer Forensics can come from a wide array of sources – computers, tablets, smart phones, cameras (including surveillance cameras), GPS units, cell towers, or any other digital device that tracks and retains information about its user or its user’s activities. This information can be used to show where a person was at a specific time, what the person searched for, looked at, or took pictures of, who the person corresponded with and what he/she said, and, in the case of surveillance footage, exactly what a person was doing at a specific time in a specific place. TV crime shows usually tell us how such information is used by law enforcement to find and convict perpetrators, but sometimes such evidence can aid the defense by demonstrating, e.g., alibi, or rebutting the prosecution’s theory by showing that it has misinterpreted the forensic evidence.

In many cases, the best defense-related evidence comes from data overlooked or misinterpreted by the prosecution. Consider the following situations, which DisputeSoft forensic experts regularly encounter during their investigations:

• Alibi evidence – At the time of an alleged robbery, the defendant was online at his home computer updating his own website, adding material clearly of his own theme and style. Capturing this evidence from his computer and from the website showed that he was posting those updates and not committing the robbery at the time in question;
• Alibi evidence – During the evening of a charged assault, usage and activity data in the alleged victim’s laptop showed that she was so busy with online games, social media, and e-mail that there was no time at which she could have been attacked as claimed;
• Interpretation of evidence – The prosecution relied on cell-tower data to show that the defendant was in the vicinity of the crime. However, an independent review of the data showed that the prosecution’s cell tower analysis ignored the sector information, which shows in which direction the user of the phone was located from the tower. In fact, while the cell-tower data shows that the defendant was in the vicinity, it also shows that that the he was in a sector well removed from the specific site of the robbery.

When the defense needs to rebut or challenge forensic evidence presented by the prosecution, analysis by a computer forensics defense expert can provide essential information about a person’s activities and location at a particular date and time.

However, more often than not, the prosecution’s forensic digital evidence is compelling, and the defendant is far more likely to be convicted than he has recognized. In such cases, the forensic defense expert’s greatest value is in assisting defense counsel to understand the forensic evidence and how it is likely to be seen by the trier of fact. Sometimes, the greatest value of the defense expert is to assist defense counsel in persuading the defendant to seek a reasonable plea, rather than going to trial.

DisputeSoft has been involved in such an outcome on a wide range of criminal cases, such as cases involving collecting and trafficking in pirated movies (and similarly with child pornography), creating a false identity on social networks to use in seeking underage partners, and destroying digital evidence in order to conceal illegal activity.

Oracle v. Google Update: Ninth Circuit Declares Google’s Actions Fair Use

June 7, 2016 - from Ars Technica

As reported by Ars Technica, the District Court for the Northern District of California has determined that Google’s use of 37 Java API’s in the creation of Android was fair use.

Google’s arguments proceeded on two primary points: that the Java language and APIs are and always have been treated as “open and free”; and that “Android was a brand-new use for the Java APIs, ‘a use that no other company, before or since, has been able to achieve.’” In essence, Google argued that what was used was freely available for all, that the use of the Java APIs differed greatly from how they were intended to be used, and that because of Android’s great success, Oracle sought to cash-in and take credit for what Android has accomplished in the mobile phone market.

Oracle argued that each factor of the fair use analysis weighed heavily in its favor. Oracle stated that “Google copied the heart of that platform” when it copied the Java API’s and noted that “[i]f [what they copied] wasn’t important, why did Google copy it?” Oracle also maintained that they had “suffered serious harm as their Java-licensing business cratered.” Oracle argued that Google’s use of the Java API’s failed to fit any of the classic examples of fair use, such as comment, criticism, scholarship, and research; rather, Oracle asserted that Google’s use was “the height of commerciality,” a reference to Google’s $42 billion gross revenue between 2008 and 2015.

The case and the controversy over the legal issue of fair use are far from settled. Oracle is sure to appeal the District Court’s decision, and, as we noted in a previous blog, this ruling by the District Court “leave[s] open the question of the exact extent to which copying of an API would constitute fair use.”


Google’s closing argument: Android was built from scratch, the fair way – http://arstechnica.com/tech-policy/2016/05/googles-closing-argument-android-was-built-from-scratch-the-fair-way/

Oracle slams Google to jury: “You don’t take people’s property” – http://arstechnica.com/tech-policy/2016/05/oracle-slams-google-to-jury-you-dont-take-peoples-property/

Google beats Oracle – Android makes “fair use of Java APIs – http://arstechnica.com/tech-policy/2016/05/google-wins-trial-against-oracle-as-jury-finds-android-is-fair-use/

What Every Attorney Needs to Know about Computer Forensics, Part 2: The Difference between Electronic Discovery and Computer Forensics

May 12, 2016 - from DisputeSoft's G. Hunter Jones

Electronic Discovery and Computer Forensics seem pretty similar at first glance: both involve the location, recovery, and review of electronically stored information (ESI), and both deal with the responsible preservation of that data. But the two fields are actually quite different; they require different types of expertise, and they have markedly different goals and outcomes.

“E-Discovery” refers to the identification and preservation of electronic files for litigation with the goal of allowing counsel to make determinations about which electronic files are relevant or privileged. Specialized software from E-Discovery vendors allows for the identification, capture, de-duplication, indexing, storage, retrieval and commenting of electronically stored documents, including emails.

“Computer Forensics,” on the other hand, refers to the investigation and analysis of computers, networks, and digital storage devices to determine how that device was used (e.g., to access terrorist websites; to send threatening emails; to distribute pornography). Such uses, historically the realm of law enforcement, are now used extensively in (a) investigations (e.g., does examination of a CEO’s computer indicate she had knowledge of and approved a particular decision?); and (b) litigation (e.g., was a will modified after the decedent’s death?; was a medical report altered after the patient’s death?).

Specialized equipment and software is also used in the computer forensics field, but it is quite different from E-Discovery software. Computer forensics equipment and software provides tools for “imaging” a computer’s hard drive (i.e., making an exact bit-for-bit copy without turning on the computer and without altering any data on the hard drive). Computer forensics software also provides tools for analyzing the hard drive and reporting on the results of the analysis. A qualified computer forensics expert reports the source and content of the data and may also offer opinions and interpretations about its meaning in deposition or at trial.

If the objective is to identify and preserve electronic data and to make a determination about its relevance and privilege for production purposes, the situation requires E-Discovery. If counsel needs an expert to find evidence of computer-related actions, such as data alteration or deletion, and to provide opinions or interpretations of forensically acquired data, the situation requires a computer forensics expert. Equally often, a computer forensics expert will be needed to assist counsel in understanding reports or testimony by an opposing expert, including forensic specialists working for law enforcement, and to provide rebuttal reports or testimony.