Home Invasion Search Warrant: Two Knocks is One Too Many

April 20, 2017

Screen Shot 2017-04-20 at 12.02.57 PM(United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION)

On December 5, 2014 a group of 6 that was attached to a spree of home invasions was finally broken after arrests were made in a home-invasion in Flower Mound, TX. The group was attributed to home invasions in New Jersey, Michigan, and Texas and charges varied from federal racketeering to weapons, kidnapping and violent assault.

In Texas, one of the group’s members left a cell phone in a vehicle that was found to be associated with the crimes. According to court documents (linked below), Texas’ officer Mark Esparza obtained a warrant to examine the Samsung phone and photo documented a number of text messages and other evidence related to the crimes. The phone did not, however, have a full forensic acquisition.  After photo documenting the evidentiary information, officer Esparza returned the warrant. Nine months after Esparza’s search, the FBI, without obtaining a new warrant, searched the cell phone again and this time they did a full forensic acquisition of the phone.

This final acquisition of the phone brought the number of searches of the phone to three: Pre-warrant search for IMEI and phone number, warranted search for the phone evidence, and Federal search through the acquired phone image. Presumably, the search through a forensically acquired phone would yield additional information, and reading between the lines I am guessing this was the case for the evidentiary Samsung phone. Certainly it would assist in authenticating the evidence.

Defendant Jaun Olaya, the owner of the phone and one of the group members charged, moved to suppress the results of all three searches.  Mr. Olaya argued that “even if the screenshots that Esparza obtained should not be suppressed, the results of the more comprehensive FBI search should be.” On 4/19/2017 the Eastern District of Michigan, Southern Division court agreed with Olaya: The FBI’s acquisition of the phone and subsequent search was found to be warrantless and a violation of Olaya’s 4th amendment.  Pages 14 through to the end of the Court’s opinion and order contain the Court’s reasoning on this point.

What would be interesting to me (and potentially to criminal defense attorneys) is whether the same logic of the court could be applied if officer Esparza HAD done a full forensic acquisition of Olaya’s phone: Under those conditions, would the government’s use of Esparza’s acquisition required a second warrant?  The fact is, there is a lot of data in a phone acquisition that has nothing to do with specific crimes so I am guessing that the argument could be made.  If any criminal attorneys know of some good cases to answer the question, feel free to post below!

 

United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION

 

 

 


Weekly Highlights: September 17, 2012

September 17, 2012

Things You Might Have Missed Last Week

(Highlights in legal, forensics, and electronic discovery news for the past week)

Interesting Electronic Evidence Cases

Inhalation Plastics, Inc. v. Medex Cardio-Pulmonary, Inc., No. 2:07-CV-116, 2012 WL 3731483 (S.D. Ohio Aug. 28, 2012)

The defendant inadvertently produced almost 350 pages of email. Even though, after in camera review, the court found that many of the produced materials were “within the ambit of attorney-client privilege”, the court found that privilege had been waived.

Weekly Highlighted Article

From E-Discovery Beat:

Experts Consider E-Discovery Implications of New ABA Ethics Rules Amendments

From BowTieLaw.com:

Forensically Examining a Lawyer’s Computer

Electronic Evidence News

Twitter Gives Occupy Protester’s Tweets to U.S. Judge

Court Issues 20-Year Product Injunction in Trade Secret Theft/eDiscovery Sanctions Case

Samsung Flexes Litigation Muscles at Apple Ahead of iPhone 5 Launch-Again


Quick Tips For Preserving Social Media

June 6, 2011

There is no arguing that social media sites are a boon for information related to a case, and not just for Family law, but also for corporate litigation as well.  We have had tremendous success with using social sites to tie component pieces of  a hard drive or cell phone investigation together.

The proliferation of social websites like Facebook can create discovery issues, though: How do you properly preserve a social site?  How do you deal with the opposing side arguing that the request to preserve is “overly burdensome”?

In this article I will walk you through three of the most popular social media sites and some techniques to preserve them easily.

1: Facebook (www.FaceBook.com):  Facebook is probably the easiest site to preserve.  The user can simply go to “Account Settings”, scroll down to “Download Your Information”, and click on “learn more”.  From the Facebook description:

“This tool lets you download a copy of your information, including your photos and videos, posts on your Wall, all of your messages, your friend list and other content you have shared on your profile. Within this zip file you will have access to your data in a simple, browseable manner.”

Once the user clicks “Download”, FaceBook will aggregate the information and email a link to the download.  Depending on how much information is there, this can take several minutes or even hours.

2: LinkedIn (www.LinkedIN.com):  LinkedIN is a site geared more towards a professional profile than Facebook.  We have been successful in using it to uncover additional email addresses, business documents, associations and affiliations primarily in Corporate cases, but it has factored into family law cases before.

The good news is that, while the Facebook preservation method is only useful if you are the specific user, LinkedIN can be documented for the profile information of other users.  The bad news is that it is slightly more complex than Facebook to preserve (but not much more!).

The easiest way to archive a LinkedIN account is to already have one yourself, or to create one.  NOTE: If the person you are archiving has LinkedIN’s upgraded service, or has agreed to let others see when they view a profile, they will be able to see that you viewed their profile.  I’m not going to encourage you to break the Terms of Service by creating an archive account, but that is one way to get around this.

Next, you will want to navigate to Profile-> Profile Organizer.  This is actually a paid service offered by LinkedIN, but usually it has a free 30-day trial.  More importantly, the free trial does not require a credit card.

Once you sign up for the Profile Organizer, you will be able to search for specific individuals, companies, etc.  When you find a profile you can save it to your organizer, archive it, and print it to a PDF.

3: Twitter (www.Twitter.com): Unlike the others, Twitter doesn’t have an actual built-in archiving functionality.  Twitter DOES have a great advanced search function that you can access at: search.twitter.com

Once on the Twitter search site, look for the “Advanced Search” link.  This will allow you to drill into searches by user, dates, topics, specific words or phrases, locations, etc.
Once you have search results, you can print to PDF, save the list, or use the nifty RSS link in the upper right called “Feed for this query”.


Changes to FRCP 8, 26 and 56 Just Around The Corner

November 16, 2010

December 1, 2010 marks the date that some important changes to Federal Rules of Civil Procedure will take effect.

The changes will affect the following:

1. Rule 8:  General Rules of Pleading  (Last amended Aug. 1, 1987)

2. Rule 26:  Duty to Disclose; General Provisions Regarding Discovery (Last amended Dec. 1, 1993)

3. Rule 56: Summary Judgment (Last amended Dec. 1, 2009)

As an expert witness, Rule 26 is the change that has most impact to me and how I interact with my cases and my clients.  For this reason I have focused on outlining the more significant changes.  I have provided a link to the full House Document 111-111 at the bottom of this post.

The biggest change is in the wording and interpretation of Rule 26(a)(2)(C) regarding disclosures of draft copies and communication of the expert witness.  While the previous 1993 interpretation meant that all drafts, notes and communications are to be disclosed, the new Rule 26 fixes this interpretation.

Citing the “profoundly practical” argument for extending work-product protection to certain communications and all drafts of the written report, the Civil Rules Committee went on to point out the loss of “robust communication” between the attorney and the expert [1] (we all know the wild gyrations we take to avoid discoverable material) , the “tortuous steps to avoid having the expert take any notes”, and the “often futile” attempts to show that the expert was unduly influenced by the retaining lawyer. [2]

On a real-life level, I never take notes unless they are to document methodology, and unless given specific permission I avoid email and other written communication to my retaining attorney.  Report generation (unless it violates a specific order) means that I generate a report without saving it and have a remote viewing session with my retaining attorney.  This tends to create:

  • Extra phone calls to verify recollection of information,
  • Unnecessary phone tag,
  • Additional report generation time, and
  • A decrease in the retaining litigant’s view of the efficiency and effectiveness of the process.

Here are some of the highlights of the Rule 26 changes that fix the above issues:

  1. 26(a)(2)(B)(ii) has been amended to read that disclosure is to include all “facts or data considered by the witness in forming” their opinions.  This changes the previous wording of “the data or other information” verbiage that was used to imply all communications, written notes and drafts.
  2. The “Time to Disclose Expert Testimony” has been shifted to 26(a)(2)(D) and specifies the time limit for rebuttal evidence for both 26(a)(2)(B) and 26(a)(2)(C).  The new 26(a)(2)(C) deals with witnesses that are not required to provide a report.
  3. 26 (b)(4)(B) protects “drafts of any report or disclosure required under 26(a)(2), regardless of the form in which the draft is recorded.”  Essentially this makes the verbiage change in 26(a)(2) explicit.
  4. 26 (b)(4)(C) provides protection for “communications between the party’s attorney and any witness required to provide a report under Rule 26(a)(2)(B), regardless of the form of the communications”.  There are three types of communications that are exempted from this protection, though:
  • Communications that relate to compensation for the expert’s study or testimony;
  • Communications that identify facts or data that the party’s attorney provided and that the expert considered in forming the opinions to be expressed (emphasis added)
  • Communications that identify assumptions that the party’s attorney provided and the the expert relied on in forming the opinions to be expressed (emphasis added)

In short – better communication, less wild gyrations by the experts and their retaining attorney and shorter deposition without all the attempts to show undue influence. I was excited to see this discussed at Sedona and am thrilled to see the results just around the corner.

The only thing I will miss is the competitive advantage actually knowing FRCP gave me in this area vs. the numerous experts that didn’t seem to take the time.

The benefits, though, definitely outweigh this one advantage.

The link to the Supreme Court’s Approved Rules page is here:

Approved Rules Page

Direct links to the component PDF documents are below:

Rules (Clean Version)

Excerpt of the Judicial Conference Report

Excerpt of the Report of the Advisory Committee on Civil Rules

[1] 111th Congress, 2d Session House Document 111-111, page 35
Civil Rules Committee Report 5/8/2009, page 3

[2] 111th Congress, 2d Session House Document 111-111, page 25
Excerpt From The Report of the Judicial Conference 12/18/2009, page 3


A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (it is just now working its way through the courts), and seems extreme.  The reality is that planted evidence can occur in many different forms:  Planted documents, images, and even emails.

While the deception in the UK case was broken through cell phone activity (the perpetrator made an “anonymous” phone call, and had been heard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times to review other system information that backs up the method of arrival of the information on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, even sometimes serial numbers.  Further activity supporting the insertion of the device can sometimes be correlated between file history analysis and searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often have information regarding the date of creation (not necessarily introduction to the system), authorship, serial or license numbers of the product used, sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system.  Examination of these files can tell an investigator whether the file information matches up with what the system knows about the file.
  • Surrounding activity: Other activity on the system related to usage can be an indicator as well.  For example: If a file was supposedly downloaded from the internet, one would expect to see certain other activity surrounding the download if it was generated by the user.

A lot of these same techniques can be used to attack or defend other claims of the so-called “trojan defense” (aka “A Virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if an information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.


DEA Proposes Allowing Electronic Prescriptions for Narcotics

April 6, 2010

On March 31 the DEA published a proposal to allow electronic prescriptions for narcotics (Docket No. DEA-218I).

The effective date for this is June 1, 2010 pending congressional review.  The RFC section gives insight into how they plan to implement (bold text added by yours truly):  Identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

It looks like there will be a requirement to be “certified” to perform electronic fill of narcotic prescriptions, but is that really enough (think Heartland)?

There are several really interesting tidbits that can be derived from this document that I did not realize:

1. “The responsibility for the proper prescribing and dispensing of controlled substances is upon the prescribing practitioner, but a corresponding responsibility rests with the pharmacist who fills the prescription.” – This makes sense, but also indicates that they will likely follow a path where the responsible parties determine the means by which they accomplish an outline of requirements surrounding security related to narcotics prescription.  Ask yourself this:  Did HIPAA end internal patient record theft?

2. “[M]ost electronic prescriptions are routed from the electronic prescription or EHR application through intermediaries, at least one of which determines whether the prescription file needs to be converted from one software version to another so that the receiving pharmacy application can correctly import the data. There are generally three to five intermediaries that route prescriptions between practitioners and pharmacies.” – This points to the lack of standards, potential for screw ups and also multiple points of potential abuse.

I am still reviewing the text document (it is long) but I am also preparing and educating myself in this area – I feel some cases coming.

Original Federal Register Text:

FR Doc 2010-6687


Crimes Against Children Research Center: Trends in Arrests of “Online Predators”

April 2, 2009

The Crimes Against Children Research Center has released a new report noting that the types of online sex crime  offenses haven’t changed much, but the profile of your average online predator has been shifting.

I have read the actual report as well as the methodology (methodology available here, report available here) and, while I am no expert in report methodology, I can not spot any serious flaws.  This seems to be a well thought out study that avoids the typical hysteria and FUD that is oh-so-common in this type of work.

Some notable findings:

  • Online sex crimes only account for 1% of all arrests for sex crimes committed against children and youth.
  • Most of the arrests involved solicitation of undercover officers and not actual youth.
  • The percentage of internet users ages 12-17 rose by 20% between 2000 and 2006, at the same time there was a 21% increase in arrests of offenders who solicited youth online for sex and a 381% increase in arrests of offenders who solicited undercover officers.
  • There was a significant increase in arrests of offenders between the ages of 18-25.

There were some distinct differences between this report’s findings and my own perceptions:

  • Most offenders were open about their motives in their online communication with youth.
  • Only 4% of those arrested (in total) were registered sex offenders.
  • The majority of contacts did not occur through social network sites (social network sites accounted for just over 30%).

For those that have kids or are involved in family law, internet crime or data forensics and investigations this is likely to be an interesting read.

Any further comments and observations would be great too!