Pro Digital Forensic Consulting: attorney

Showing posts with label attorney. Show all posts

Friday, October 2, 2015

Five Tips for Effective Technical Warrant-Writing

October 2, 2015

Five Tips for Effective Technical Warrant-Writing

Having worked in law enforcement at the level of investigator and forensic examiner and subsequently transitioning to a trainer/private practitioner role, I’m starting to gather the benefit of something many law enforcement (LE) agents may well overlook – diversity of experience. While many of my friends in LE may scoff at some of my professional choices, I have actually grown to appreciate both sides of the issue with regard to investigation and digital forensics. After all, what we’re really after is the truth!

Along with the diversity of experience comes the opportunity to review and scrutinize various legal documents submitted on behalf of the government (or other parties) to obtain information and other suspected relevant materials from businesses, individuals and other involved parties in both criminal and civil litigation. Unfortunately, I’m not always “impressed” with what I read. I attribute this to many factors including the lack of adequate training, lack of updated training, lack of writing ability, lack of experience and the simple fact that the law is always several steps behind technology. In order to help out burgeoning investigators of electronically-facilitated crime and increase the effectiveness of search warrants, court orders and other legal filings that may become necessary in these types of investigations, here are five tips to keep in mind when constructing your affidavits:

1) More is More

Yes, I know in the police academy you are taught that less is more. Just the facts. Don’t elaborate. Don’t get too detailed. Write like a cave man. The problem is, the more ambiguous you are in your affidavit, the more holes the defense can drive through your facts. Be specific, deliberate and write as if someone is actually going to read the darn thing! In other words, make it flow well, like a story. If it helps, think about the fact that the outcome may very well be to potentially punish someone for a good portion of their life rests in your hands as the architect of that document. If that authority and responsibility is something that you appreciate, then you should be as verbose as you need to be in order to establish the facts surrounding your probable cause. You owe it to your case, your reputation and, believe it or not, you owe it to the suspect.

2) Don’t Assume Your Audience Knows Anything

When composing warrant affidavits for legal tech items or information, you have to develop the ability to explain very technical items to very non-technical people. This may be your supervisor, magistrate, prosecutor, defense attorney, judge, or the jury. Don’t assume that everyone knows what a smart phone is or what you can do with it or that apps can be used for a myriad of purposes. Don’t assume that people know what Craigs List is or the multitude of items or services you can get from it. The first Magistrate I went before with my first electronic search warrant affidavit was a dinosaur. He literally pecked one letter at a time on the keyboard and when he saw how lengthy my PC was, he literally cursed me. But he also appreciated the authority and comes with the ability to invade someone’s home or business and what an awesome responsibility it is to make sure we get it right.

3) Get With Someone Who Knows More

The value of mentorship cannot be understated when investigating crimes that are complex in nature. No man (or woman) is an island, so don’t think you know everything and try to go it alone. Drop your ego, realize what you don’t know and ask for help. I had several mentors starting out and still look upon them as far more knowledgeable than I. They just can’t get online and publish a blog because their command staff would have a [proverbial] cow.

Use every resource at your disposal – colleagues, list serves, online articles… You’ll learn more and grow infinitely more than you’ll ever realize.

4) Know What You’re Talking About & Don’t Fudge

The term “fake it till you make it” is a fairly tried and true business practice, but it has no place in law enforcement or investigations. “Faking it” might as well be lying on an affidavit. I once knew an investigator who fudged data from an electric company to beef-up his PC for a search warrant in a drug case. When it was discovered during his testimony at a pre-trial hearing, the judge understandably didn’t care for it too much. Even worse, his credibility was shot… and it’s all on the record.

The stats aren’t worth it. If you don’t know, say you don’t know. Don’t make it up and don’t embellish.

5) Proofread, Review, Repeat

Many investigators are over-worked, there’s no doubt about that. In order to save time and effort, “boiler-plate” affidavits are often used to streamline the process. There’s nothing wrong with this, but you must review the items every single time you construct your document. It only takes one word to completely screw up the efficacy of your warrant in a suppression hearing, so do yourself a favor and take the time to really review, scrutinize and revise your documentation, facts and application for warrant. When you’ve done it, do it (at least) one more time just to be sure. When that’s done, ask yourself if it passes the “mirror test” – if you can look yourself in the mirror and know that everything is the way it should be, you’re in a good place.

Writing decent affidavits and other legal paperwork is part of your legacy as an investigator and/or examiner. Whatever other mistakes you may make along the way, you will ultimately be assessed by others on your professional reputation by judges, juries, defense attorneys, prosecutors and other investigators. That reputation is something that needs to be nurtured, honed and never taken for granted. Step one is to know how to articulate yourself in such a manner to shore up that reputation as time goes on.

I recently spoke with the prosecutor with whom I used to work many, many cases. He said he’s received several inquiries about me from other attorneys since I transitioned to the private sector and has told them “He’s thorough, he knows his stuff and he doesn’t lie.” I appreciate those words more than almost any award or certification. Hopefully, you’re well on your way to having the same said about you!

Author:

Patrick J. Siewert, SCERS, BCERT, LCE

Principal Consultant

Professional Digital Forensic Consulting, LLC

Based in Richmond, Virginia

Available Globally

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.

Email: ProDigitalConsulting@gmail.com

Web: www.ProDigital4n6.com

Twitter: @ProDigital4n6

Thursday, July 2, 2015

Digital Device Seizure Tips for Attorneys & Legal Staff

July 2, 2015

Digital Device Seizure Tips for Attorneys & Legal Staff

As a private digital forensic practitioner, our clients come from several different areas. Pro Digital markets our services to private investigators, information security professionals, human resource practitioners and our biggest segment of clientele, attorneys involved in litigation practice, both civil and criminal. As a natural first step in the digital forensic process, attorneys offices and legal staff will often obtain possession of laptop computers, cell phones, tablets, etc. and call a digital forensic practitioner for advice, to retain services and consult generally. What unfortunately happens in the meantime is that the digital device may be manipulated, "examined" or otherwise used by folks in the attorneys office in between device acquisition by the staff and data acquisition by the digital forensic practitioner. Because the government has been (and still is) pretty much at the forefront of digital forensics, this doesn't happen very much in prosecutor's offices and other government sectors, but it does happen in private legal practice quite a bit. To help close this gap, I'm offering a few easy tips for digital device seizure and secure storage for attorneys and their staff when cases arise necessitating a digital forensic examiner.

Computer Seizure & Secure Storage

1) Note the date, time and person from whom you received the computer

This tip may seem simplistic, but it's the first step in the chain-of-custody. This also helps answer some questions the digital forensic examiner may have right off the bat. As with most things, if it's not documented, it didn't happen, so initiating the documentation chain from the beginning is a great first step.

2) Ask the client about the system (and document their answers)

Does the computer have a password? If so, what is it? Is the hard drive encrypted? How big is the hard drive? Is the computer still currently in use? How many users have access to the computer? All of these questions are important and may serve to provide valuable information not only for the examiner, but for evidentiary purposes later in the litigation process.

3) DO NOT turn the computer on and start looking through the file system

This is extremely important to prevent spoliation of the data. Every time you turn a computer on, settings are changed, file dates and times are updated and the data starts traveling down the dirty road toward being tainted. Curiosity is a very powerful human instinct. For the sake of acquiring the best possible data, please try to quell your curiosity.

It's also important to note that doing this may put YOU in the hot seat because you are now a witness. As we already know, it's inappropriate (at best) for attorneys and their staff to be witnesses in clients cases, so the best way to prevent this is to not even put yourself in that position.

4) Secure the computer in a locked area with limited access

This may also seem simplistic, but think about how desperate the other side is in your case. In divorce and custody cases, the opposing party may have a large sum of money and/or child custody on the line. In criminal cases, there may be evidence on that computer that implicates someone else. There are very few avenues a truly desperate person won't go down to preserve their way of life or their freedom, up to and including breaking into your office to steal or destroy the computer that contains the digital nail in their coffin.

Securing these items in an area that not everyone in your office has access to (or even is aware of) is the best practice for digital evidence storage. Documenting all of these things in the file goes hand-in-hand with secure storage and is also highly advisable.

Mobile Device Seizure

Many of the same rules above pertain to mobile devices as well, particularly with regard to documentation of when, where and from whom you received the device and secure storage. There are a few additional considerations and some marked differences, however.

1) Immediately put the device into airplane mode and make sure all network connections (wi-fi, bluetooth, etc.) are turned OFF.

This is also extremely important to prevent any unwanted destruction of data and to preserve the data on the device in the best possible form for subsequent data acquisition. Will this in effect change some settings and data on the device? Yes. But it's also the most effective and universally accepted way to prevent unwanted destruction of the data on the device.

2) Make sure to obtain any pass code information for the device from the person you received it from.

This is absolutely imperative for certain devices. So imperative that if we don't get it, we aren't getting the data you need from certain popular mobile devices. While it may be true that you can just call the client later and get this information, it will make the digital forensic examiners job a little easier to have this information from the start.

3) Don't manipulate (or "examine") the device to try and get answers to your questions immediately.

This tip is very similar to the one with regard to computers, but it seems that the ease of use of mobile devices makes quelling your curiosity much more difficult. The bottom line is, the data isn't going anywhere (especially if you followed steps 1 and 2), so turn it off, lock it up and don't play with it. We'll find out what's on the device soon enough and you won't have the added heartache of being a potential witness in your case.

Once all of these tips have been followed, you can confidently call in your digital forensic expert to obtain possession of the device(s) involved in your case and/or perform the forensic data acquisition. Some of these tips may be seem overly simplistic to the point of being obvious, but I share them because I've repeatedly seen where there may be a gap in knowledge about what legal professionals should do with these items when they're received in the office and before they call the digital forensic expert.

By following these simple tips, you help increase the effectiveness of your digital forensic expert and take a huge step forward in properly obtaining the data that could be the proverbial smoking gun in your case.

Please share these tips with friends and contacts in the legal community and, as always, please don't hesitate to call with any questions.