Obtaining and Admitting Cell Phone Evidence at
Trial: Call Logs, Text Messages, and Location Data
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, FEBRUARY 20, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Michael I. Frankel, Senior Attorney, Pepper Hamilton, Philadelphia
Laurence D. Lieb, CCPA, CASA, COSFE, CBE, FEXE, Managing Director, HaystackID, Chicago
Charles B. Molster, III, Founder, The Law Offices of Charles B. Molster III, Washington, D.C.
Larry Lieb, CASA
I. Michigan P.I. License # 3701206704
II. Cellebrite Advanced Smartphone Analytics (CASA) Examiner
III. Fluent in Japanese. Performed Forensic Collections in Japan.
IV. Worked in Computer Forensics and Electronic Discovery since 1998
V. Qualified as a computer forensic expert in both Federal and State courts
Smartphones are Basically Big File Cabinets
All Smartphones Contain 10 Basic Cabinet Drawers
1. Contacts
2. Call Records
3. Voice Messages
4. Email and Text Messages
5. Documents
6. Calendar
7. Internet Browsing History
8. Songs, Photographs and Movies
9. WiFi History
10. Social Media (Facebook, Instagram et al)
By Default, Some Cabinet Drawers are Locked
Apple and Google sell their phones with inaccessible-to-the-end-
user locked drawers as a security measure. Only Google or Apple
own and have access to the keys that can unlock your phone’s
locked drawers.
Some end-users choose to remove this security measure by “Jail
Breaking” or “Rooting” their phones.
Jail Breaking/Rooting is the process of changing all of the locks
and keys to your phone which will allow one to access all locked
cabinet drawers.
Contents of the Locked Drawers
I. Sensitive information such as passwords and credit card
information.
II. Some categories of deleted information.
III. System files that support the normal usage of the
smartphone.
“Jailbreaking” or “Rooting” a phone can allow a malicious
application to access the content of these formerly locked
drawers!
Some Deleted Evidence Can Be Recovered From The Unlocked Drawers
I. iPhones store incoming and outgoing SMS text and iMessage
messages in a file called SMS.db.
II. The “SMS.db” file is stored in one of the iPhone’s “unlocked”
drawers.
III. When an end user “deletes” an iMessage, the “deleted”
message is not destroyed, but simply made invisible to the
end user. Forensic tools can recover these deleted messages
easily.
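Why a “deleted” message can still be recovered, shown on a small SQLite file (SMS.db is a SQLite database). This is an added example, not part of the original slides; the table layout, phone numbers and message texts are constructed, and it assumes SQLite's secure_delete setting is off.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Constructed sample data; this simple table is a stand-in,
# not the real iOS SMS.db schema.
SAMPLE = [
    ("+15555550101", "Lunch at noon works for me, see you there."),
    ("+15555550102", "Bring the customer list to the Friday meeting."),
    ("+15555550103", "Running ten minutes late, start without me."),
]
DELETED_TEXT = SAMPLE[1][1]


def build_store(path):
    """Create the stand-in store, delete one message, return what is still visible."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # assumption: freed cells are not zeroed
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, text TEXT)")
    con.executemany("INSERT INTO message (sender, text) VALUES (?, ?)", SAMPLE)
    con.commit()
    con.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    con.commit()
    visible = [row[0] for row in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return visible


def free_regions(raw):
    """Yield the freeblocks and unallocated gap of every table leaf page."""
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    for start in range(0, len(raw), page_size):
        page = raw[start:start + page_size]
        hdr = 100 if start == 0 else 0  # page 1 begins with the 100-byte file header
        if page[hdr] != 0x0D:           # 0x0D marks a table b-tree leaf page
            continue
        free, ncells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        yield page[hdr + 8 + 2 * ncells:content or 65536]
        seen = set()
        while free and free not in seen:  # walk the freeblock chain
            seen.add(free)
            nxt, size = struct.unpack(">HH", page[free:free + 4])
            yield page[free + 4:free + size]
            free = nxt


def recover_deleted(path, min_len=12):
    """Return printable strings left behind in the freed space of the file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for region in free_regions(raw) for m in runs.findall(region)]


def demo():
    """Build a throwaway store and return (visible messages, recovered strings)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        visible = build_store(path)
        return visible, recover_deleted(path)
```

The recovered string carries a few leading bytes of record header before the sender and message text, which is why forensic tools report such hits as carved data rather than as intact rows.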
Practice Point
Laptop and desktop computer hard drives do not come from the
factory with drawers that are locked and inaccessible to the end user.
This allows for forensic search and recovery of all possible
deleted information.
Smartphones come with inaccessible locked drawers as security
measures to protect the phone owners.
The amount of evidence, such as some deleted information, that
can be recovered with forensic tools is more limited with
smartphones.
Three Locations From Which Smartphone Evidence Can Be Recovered: The Device Itself, Mobile Backups on Personal Computers and Mobile Backups in The Cloud
A Complete Backup of One’s iPhone in iTunes or Apple’s iCloud
iDevices are backed up to Apple’s iCloud storage by default.
iTunes file cabinet drawer locations on computers:
I. Mac: ~/Library/Application Support/MobileSync/Backup/
II. Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
III. Windows Vista, Windows 7, Windows 8 & Windows 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
Examples of Evidence Stored in iTunes and iCloud Mobile Backups
I. Photos, Contacts, Calendar, Internet Browsing
History, Notes, Call history, Messages (iMessage and
carrier SMS or MMS pictures and videos), Voice
memos, Network settings (saved Wi-Fi hotspots, VPN
settings, and network preferences), Email account
passwords, Wi-Fi passwords, and passwords you enter
into websites and some apps, Map bookmarks, recent
searches, and the current location displayed in Maps.
(http://support.apple.com/kb/ht4946)
Practice Point
Even if your client’s former employee took their personal
iPhone and/or iPad with them when they left to work for a
competitor, if the employee synchronized their personal
iDevice with your client’s computer while working for your
client, you have access to that iDevice; no subpoena required!
Forensic software can recover deleted voice messages as well
as deleted text messages from Mobile Backups.
Examples of Smartphone File Cabinet Drawer Contents
Photograph Drawer Details
Call Records Drawer
Text Message Drawer
Location Based Evidence
Photos and Facebook Message Locations
Map Queries
Location Based Evidence War Story
Investigation of client’s former employee’s iPhone revealed
multiple meetings at opponent’s headquarters in the months
prior to former employee’s resignation.
Signing into a WiFi network creates a time/date/location stamp on a workstation.
Location Based Evidence Practice Point
Forensic analysis of two apparently unrelated parties’
smartphones and laptop computers could reveal location
based evidence that could establish that a relationship does in fact
exist.
Example: Party A’s smartphone connected to the Starbucks
WiFi in Party B’s office building on dates both parties were at
the same address.
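One way to run the comparison described in this practice point, as an added example that is not part of the original slides. The record layout (device, SSID, BSSID, connect and disconnect times), the device names and all values are constructed; a match on the same access point (BSSID) is separated from a match on the network name alone, because chains reuse one SSID across many locations.

```python
from datetime import datetime, timezone

# Constructed WiFi session records, as an examiner might export them from
# two devices: (device, ssid, bssid, connected, disconnected), ISO 8601 times.
RECORDS = [
    ("PartyA-phone", "CoffeeShop_WiFi", "aa:bb:cc:00:00:01",
     "2018-03-05T09:02:00-05:00", "2018-03-05T09:47:00-05:00"),
    ("PartyB-laptop", "CoffeeShop_WiFi", "AA:BB:CC:00:00:01",
     "2018-03-05T14:30:00+00:00", "2018-03-05T15:10:00+00:00"),
    ("PartyB-laptop", "CoffeeShop_WiFi", "aa:bb:cc:00:00:99",
     "2018-03-09T13:00:00-05:00", "2018-03-09T13:30:00-05:00"),
    ("PartyA-phone", "CoffeeShop_WiFi", "aa:bb:cc:00:00:01",
     "2018-03-09T13:05:00-05:00", "2018-03-09T13:20:00-05:00"),
]


def parse(records):
    """Normalise BSSID case and convert every timestamp to UTC."""
    sessions = []
    for device, ssid, bssid, start, end in records:
        sessions.append({
            "device": device,
            "ssid": ssid,
            "bssid": bssid.lower(),
            "start": datetime.fromisoformat(start).astimezone(timezone.utc),
            "end": datetime.fromisoformat(end).astimezone(timezone.utc),
        })
    return sessions


def co_locations(records, device_a, device_b):
    """Return overlapping sessions of two devices on the same network name.

    Each hit is (strength, ssid, overlap_start_utc, overlap_minutes), where
    strength is "same-access-point" when the BSSIDs match and "ssid-only"
    when only the network name matches.
    """
    sessions = parse(records)
    hits = []
    for a in (s for s in sessions if s["device"] == device_a):
        for b in (s for s in sessions if s["device"] == device_b):
            if a["ssid"] != b["ssid"]:
                continue
            start = max(a["start"], b["start"])
            end = min(a["end"], b["end"])
            if start >= end:  # sessions do not overlap in time
                continue
            strength = "same-access-point" if a["bssid"] == b["bssid"] else "ssid-only"
            minutes = int((end - start).total_seconds() // 60)
            hits.append((strength, a["ssid"], start.isoformat(), minutes))
    return sorted(hits, key=lambda hit: hit[2])


if __name__ == "__main__":
    for hit in co_locations(RECORDS, "PartyA-phone", "PartyB-laptop"):
        print(hit)
```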
Strafford Webinar, February 20, 2019
Michael Frankel, Senior Attorney, Discovery Services Practice
Obtaining and Admitting Cell Phone Evidence at Trial
My Background
Litigator and E-discovery attorney since 2002
Pepper Hamilton’s Discovery Services Practice Group since 2013
Software/database engineer from 1986-1999
Managed ESI collections, reviews and productions on cases of all sizes
Managed Mobile Device collections and investigations for client employees and individual clients in matters involving:
- employee/workplace harassment matters
- wage and hour class actions
- trade secret misappropriation by departing employees
- internal fraud investigations
“I would rather not collect cell phones.”
All things being equal, most clients and lawyers prefer to avoid mobile phone ESI collections
- unfamiliar territory
- rights not clear
- privacy considerations of employees
- inconvenience to employees
- review and production can be challenging
How to get “off the hook” on cell phone collection
Ways to legitimately take cell phone ESI off the table
- establish cell phone content is not relevant within scope of Rule 26
- establish relevant cell phone content is entirely redundant with other ESI sources such that discovery is not proportional to the needs of the case
- establish particular custodians didn’t use cell phones in manner at issue
- get ESI agreement with other side to mutually:
• not preserve and/or collect from mobile device sources
• treat mobile device ESI in later phase of discovery, perhaps with showing of good cause
- establish that employee mobile devices are not within company’s possession, custody or control
Possession, custody, or control
FRCP 34(a): “A party may serve on any other party a request within the scope of Rule 26(b) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control . . .”
“Legal Right” vs. “Practical Ability” standards
The Third Circuit defined control in the 1988 Gerling case as “the legal right to obtain documents on demand,” but lower courts sometimes inconsistently apply the rule to include practical ability.
- e.g., Barton v. RCI, LLC (D.N.J. Apr. 1, 2013) (“‘If the producing party has the legal right or practical ability to obtain the documents, then it is deemed to have “control” . . . even if the documents are actually in the possession of a non-party.’”)
1st and 4th Circuits include a requirement to notify other side of relevant, requested documents known to be in the possession of third parties it does not control
Who Controls an Employee Mobile Phone?
Factors to consider:
- Does company own mobile device or does user bring their own?
- Does company subsidize payment of carrier mobile data plan?
- Is there a BYOD policy that notifies employees of company right to access company data from mobile devices?
- Do employees actually use text messages, etc. for business purposes?
- Does the company expressly or impliedly endorse and/or benefit from employee use of mobile phones for business?
A company’s “duty to preserve/collect” may be higher than its practical ability to do so – it still should try and document attempt
In some jurisdictions, may be required to notify other side that employee may have relevant data and refuses to comply with discovery
Who Controls an Employee Mobile Phone?
Cotton v. Costco Wholesale Corp. (D. Kan. July 24, 2013)
- Employer did not have P/C/C over employee cell phones where no evidence that (a) employer issued the phones, (b) employees used the phones for work, or (c) employer had legal right to obtain phone contents
In re Pradaxa Prods. Liab. Litig. (S.D. Ill. Dec. 9, 2013)
- P/C/C implied in decision that “scope of preservation” included company-issued and personal employee phones, where company documents directed employees to use text messages for work
H.J. Heinz, Co. v. Starr Surplus Lines, Ins. Co. (W.D. Pa. July 28, 2015)
- company had P/C/C of personal employee device based on BYOD policy stating that company owns the company property on the devices and that it can delete content from devices in its sole discretion.
Matthew Enterprise, Inc. v. Chrysler Grp. LLC (N.D. Cal. Dec. 10, 2015)
- company did not have P/C/C of personal employee phones, absent evidence of a legal right to access the data
How to preserve mobile device data
Preserve in place
- rely on phone owner to preserve
- pros: low burden; allows for future data where relevant
- cons: settings different across devices and O/S’s; phone can be damaged, upgraded or repurposed inadvertently
Preserve via collection
- iPhone cloud/iTunes backup; forensic device imaging
- pros: preservation guaranteed
- cons: higher cost; future data may require re-collection
Decision may be custodian-specific, and should be proportional to the needs of the case
Fed. R. Civ. P. 37(e): Implications of Spoliation
If party took “reasonable steps to preserve,” there can be no sanctions/curative measures regardless of prejudice
If lost ESI can be “restored or replaced through additional discovery,” no sanctions regardless of reasonable steps
Absent prejudice (which can only be presumed where intent to deprive is shown), sanctions are off the table
Intent to deprive is necessary to impose adverse inferences or other severe sanctions
Mobile data decisions are mixed
Living Color Enters., Inc. v. New Era Aquaculture, Ltd. (S.D. Fla. Mar. 22, 2016)
- No sanction for “an individual who appears to be a relatively unsophisticated litigant” who was at worst, “negligent” in deleting text messages regularly
- Note that “the great majority” of the messages were capable of being produced from another source
Shaffer v. Gaither (W.D.N.C. Sept. 1, 2016)
- One year after threatening to sue, but before filing, employment discrimination plaintiff dropped phone in bathroom and returned device containing relevant text messages
- Court declined to find “intent to deprive” under Rule 37(e)(2), but did find that “plaintiff and her counsel failed to take reasonable steps to preserve” text messages
- Court left open possibility of adverse inference instruction
NFL v. NFL Players Association (2d Cir. Apr. 25, 2016)
- Tom Brady’s suspension upheld in part due to the destruction of his cell phone
Search/Filtering of Cell Phone Content
User recollection of cell phone content can be unreliable
Review of full content may sometimes be necessary
Targeted review may be proportional to needs of the case
Cooperation with user may be possible, for example:
- user identifies contacts at issue
- text messages extracted for only those contacts
- review by user/counsel of targeted text messages
Search terms not as effective for text messages:
- text of messages can be without context
- acronyms and cryptic references used
- search terms may help find “other texts”
Need to extract accompanying attachments/pictures/metadata
Review of Cell Phone Content
Review most efficient when tailored to type of data
- e.g., text messages by conversation thread
- e.g., GPS locations on a map by route sequence
- e.g., phone use timeline view (all activity)
Some device app data may reside on cloud service and/or be encrypted
Export to traditional document review platform may or may not make sense
Look for forensic tools that provide native-like review
May not play well with ESI textual analytics tools
Think about manner of production and how to apply control numbers
Why is metadata important?
Enhances ability to cull and review data
Can be central to the determination of relevance or privilege
Courts have said so:
- Document productions are not “reasonably usable” without basic metadata
• Nat’l Day Laborer Org. Network v. U.S. Immigration & Customs Enforcement Agency (S.D.N.Y. Feb. 07, 2011)
- Altering metadata (typically during collection) may be akin to spoliation
Chain of custody & interview memos
Chain of custody:
- Validates how a piece of evidence has been gathered, tracked, and protected from beginning to end
- Written forms important for evidence admissibility and authentication
Interview memoranda:
- Documents custodian interviews
- Important to defend scope of collection and filtering
Chain of custody & interview memos
Fed. Rule of Evidence 902: The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:
- (13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).
- (14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).
Electronic records and mobile device data more easily authenticated to admit at trial if collected forensically with appropriate chain of evidence documentation.
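A hash comparison is the common way to carry out the “process of digital identification” that Rule 902(14) refers to. The sketch below is an added example, not part of the original slides: it hashes a collected file at acquisition, keeps a custody log in which each entry is chained to the previous one, and later checks both. The file contents, names, dates and log fields are constructed.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large device images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_digest(body):
    """Hash of a log entry's fields, serialised in a stable key order."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, action, actor, when, evidence_hash):
    """Append a custody entry that is chained to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"action": action, "actor": actor, "when": when,
            "evidence_sha256": evidence_hash, "prev": prev}
    body["entry_hash"] = entry_digest(body)
    log.append(body)


def verify(log, path):
    """Return a list of problems; an empty list means file and log both check out."""
    problems = []
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(body):
            problems.append(f"log entry {i} altered or out of order")
        prev = entry["entry_hash"]
    if log and sha256_file(path) != log[0]["evidence_sha256"]:
        problems.append("file hash differs from acquisition hash")
    return problems


def demo():
    """Return verify() results for a clean copy, an altered file, an altered log."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "phone_backup.bin")  # constructed stand-in image
        with open(image, "wb") as fh:
            fh.write(b"constructed evidence bytes " * 1000)
        log = []
        add_entry(log, "acquired", "Examiner A", "2019-02-20T10:00:00Z", sha256_file(image))
        add_entry(log, "transferred", "Examiner A", "2019-02-20T15:00:00Z", sha256_file(image))
        clean = verify(log, image)
        with open(image, "r+b") as fh:  # change a single byte of the copy
            fh.seek(10)
            fh.write(b"X")
        altered_file = verify(log, image)
        log[1]["actor"] = "Someone Else"  # edit a custody record after the fact
        altered_log = verify(log, image)
        return clean, altered_file, altered_log
```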
Thank You
ADMITTING ELECTRONIC CELL PHONE INFORMATION INTO EVIDENCE
Charles B. Molster, III
Law Office of Charles B. Molster, III PLLC
2141 Wisconsin Avenue, N.W. Suite M
Washington, D.C. 20007
(202) 787 - 1312
My Background
• Federal Law Clerk, EDVA 1983-84
• Practicing Trial Lawyer for 35 Years
• Extensive Experience Handling Complex Commercial Litigation in Federal
Courts Across the Country, Including:
− Patent Infringement Cases
− Trademark and Copyright Cases
− Antitrust Cases (including Twombly v. Bell Atlantic)
− Trade Secrets Cases
− Employment Cases
− Corporate Governance/Shareholder Cases
• Frequent CLE Lecturer Around the Country, Often with Sitting Federal
Judges
Discussion Topics
I. Authenticity
A. FRE 901
II. Potential Objections
A. Hearsay
B. Rule 403
C. Best Evidence Rule
D. Others?
III. Self-Authenticating Evidence
A. New FRE Rule 902(14)
B. Notice Requirement
C. Chain of Custody Evidence/Witnesses No Longer Necessary?
IV. Use of Expert Witnesses
V. Examples of Trial Exhibits
Authenticity
• Authenticity Is the First Hurdle to Clear
• FRE 901(a):
− The proponent must produce evidence sufficient to
support a finding that the item is what the proponent
claims it to be.
• FRE 901(b):
− Examples:
• Testimony of a witness with knowledge
• Comparison by an expert witness
• Distinctive characteristics and the like
• Evidence about a telephone conversation
• Evidence about a process or system
Potential Objections
A. Hearsay
B. FRE 403 – Prejudice v. Probative Value
C. Best Evidence Rule
D. Others?
Self-Authenticating Evidence
A. New FRE Rule 902(14) – Effective December 1, 2017:
• Certified Data Copied from an Electronic
Device, Storage Medium, or File. Data copied
from an electronic device . . . if authenticated
by a process of digital identification, as shown
by a certification of a qualified person that
complies with the certification requirements of
Rule 902(11) or (12).
• The proponent also must meet the notice
requirements of Rule 902(11).
Self-Authenticating Evidence (Con’t.)
B. Notice Requirement – From FRE 902(11):
• Before the trial or hearing, the
proponent must give an adverse party
reasonable written notice of the intent
to offer the record — and must make
the record and certification available
for inspection — so that the party has a
fair opportunity to challenge them.
Self-Authenticating Evidence (Con’t.)
Are Chain of Custody Evidence/Witnesses
No Longer Necessary?
Use of Expert Witnesses
• FRE 901(b)(3) - Authentication:
− The following are examples of
evidence that satisfies the
authentication requirement:
− (3) Comparison by an Expert
Witness. A comparison with an
authenticated specimen by an expert
witness.
Use of Expert Witnesses (Con’t.)
• Certificate Per FRE 902(14):
− “ . . . as shown by a certification
of a qualified person that
complies with the certification
requirements of Rule 902(11) or
(12).”
Use of Expert Witnesses (Con’t.)
Evidence Regarding Hashing/Chain of
Evidence?
Use of Expert Witnesses (Con’t.)
Other Uses of Expert Witnesses to Admit
Cell Phone Data?
Trial Exhibit - Email
Trial Exhibit – Email (Con’t.)
Trial Exhibit – Email (Con’t.)
Thanks Vladamir, I have spoken to Robert and he stated as follows: “In the immortal words of Ronald Reagan. – ‘Stay the Course’ and ‘Damn the Torpedoes’.”
Trial Exhibit – Email (Con’t.)
Should we let the world know that the CEO of MicroTech has been accused of sexual abuse?
Thanks Vladamir, I have spoken to Robert and he stated as follows: “In the immortal words of Ronald Regan. – ‘Stay the Course’ and ‘Damn the Torpedoes’.”
Trial Exhibit – Facebook Post - ABCTech Co.
Trial Exhibit – Instagram Post
Trial Exhibit – Twitter Post
Trial Exhibit – Twitter Post (Con’t.)
Trial Exhibit – Cell Site Analysis
CASE# 50-MM-110931
TARGET# 561-574-8987
Date Range: 2/21/2009-2/22/2009
Time Range: 1:00 PM (2/21/2009) to 3:00 PM (2/22/2009)
QUESTIONS?