Home Invasion Search Warrant: Two Knocks is One Too Many

April 20, 2017

[Screenshot: United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION]

On December 5, 2014 a group of six linked to a spree of home invasions was finally broken up after arrests were made following a home invasion in Flower Mound, TX. The group was attributed to home invasions in New Jersey, Michigan, and Texas, and charges ranged from federal racketeering to weapons, kidnapping and violent assault.

In Texas, one of the group’s members left a cell phone in a vehicle that was found to be associated with the crimes. According to court documents (linked below), Texas officer Mark Esparza obtained a warrant to examine the Samsung phone and photo-documented a number of text messages and other evidence related to the crimes. The phone did not, however, receive a full forensic acquisition. After photo-documenting the evidentiary information, officer Esparza returned the warrant. Nine months after Esparza’s search, the FBI, without obtaining a new warrant, searched the cell phone again, and this time they did a full forensic acquisition of the phone.

This final acquisition brought the number of searches of the phone to three: a pre-warrant search for the IMEI and phone number, the warranted search for the phone evidence, and the federal search through the acquired phone image. Presumably, the search through a forensically acquired phone would yield additional information, and reading between the lines I am guessing this was the case for the evidentiary Samsung phone. Certainly it would assist in authenticating the evidence.

Defendant Juan Olaya, the owner of the phone and one of the group members charged, moved to suppress the results of all three searches. Mr. Olaya argued that “even if the screenshots that Esparza obtained should not be suppressed, the results of the more comprehensive FBI search should be.” On 4/19/2017 the Eastern District of Michigan, Southern Division court agreed with Olaya: the FBI’s acquisition of the phone and subsequent search was found to be warrantless and a violation of Olaya’s 4th amendment rights. Pages 14 through to the end of the Court’s opinion and order contain the Court’s reasoning on this point.

What would be interesting to me (and potentially to criminal defense attorneys) is whether the same logic of the court could be applied if officer Esparza HAD done a full forensic acquisition of Olaya’s phone: under those conditions, would the government’s use of Esparza’s acquisition have required a second warrant? The fact is, there is a lot of data in a phone acquisition that has nothing to do with specific crimes, so I am guessing that the argument could be made. If any criminal attorneys know of some good cases to answer the question, feel free to post below!


United States v. Juan Olaya, D-2, Case No. 15-cr-20200, EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION

Weekly Highlights: September 17, 2012

September 17, 2012

Things You Might Have Missed Last Week

(Highlights in legal, forensics, and electronic discovery news for the past week)

Interesting Electronic Evidence Cases

Inhalation Plastics, Inc. v. Medex Cardio-Pulmonary, Inc., No. 2:07-CV-116, 2012 WL 3731483 (S.D. Ohio Aug. 28, 2012)

The defendant inadvertently produced almost 350 pages of email. Even though, after in camera review, the court found that many of the produced materials were “within the ambit of attorney-client privilege”, the court found that privilege had been waived.

Weekly Highlighted Article

From E-Discovery Beat:

Experts Consider E-Discovery Implications of New ABA Ethics Rules Amendments

From BowTieLaw.com:

Forensically Examining a Lawyer’s Computer

Electronic Evidence News

Twitter Gives Occupy Protester’s Tweets to U.S. Judge

Court Issues 20-Year Product Injunction in Trade Secret Theft/eDiscovery Sanctions Case

Samsung Flexes Litigation Muscles at Apple Ahead of iPhone 5 Launch-Again


Quick Tips For Preserving Social Media

June 6, 2011

There is no arguing that social media sites are a boon for information related to a case, not just in family law but in corporate litigation as well. We have had tremendous success using social sites to tie together component pieces of a hard drive or cell phone investigation.

The proliferation of social websites like Facebook can create discovery issues, though: How do you properly preserve a social site?  How do you deal with the opposing side arguing that the request to preserve is “overly burdensome”?

In this article I will walk you through three of the most popular social media sites and some techniques to preserve them easily.

1: Facebook (www.FaceBook.com):  Facebook is probably the easiest site to preserve.  The user can simply go to “Account Settings”, scroll down to “Download Your Information”, and click on “learn more”.  From the Facebook description:

“This tool lets you download a copy of your information, including your photos and videos, posts on your Wall, all of your messages, your friend list and other content you have shared on your profile. Within this zip file you will have access to your data in a simple, browseable manner.”

Once the user clicks “Download”, FaceBook will aggregate the information and email a link to the download.  Depending on how much information is there, this can take several minutes or even hours.

2: LinkedIn (www.LinkedIn.com):  LinkedIn is a site geared more towards a professional profile than Facebook.  We have been successful in using it to uncover additional email addresses, business documents, associations and affiliations, primarily in corporate cases, but it has factored into family law cases before.

The good news is that, while the Facebook preservation method is only useful if you are the specific user, LinkedIn can be used to document the profile information of other users.  The bad news is that it is slightly more complex than Facebook to preserve (but not much more!).

The easiest way to archive a LinkedIn account is to already have one yourself, or to create one.  NOTE: If the person you are archiving has LinkedIn’s upgraded service, or has agreed to let others see when they view a profile, they will be able to see that you viewed their profile.  I’m not going to encourage you to break the Terms of Service by creating an archive account, but that is one way to get around this.

Next, you will want to navigate to Profile -> Profile Organizer.  This is actually a paid service offered by LinkedIn, but usually it has a free 30-day trial.  More importantly, the free trial does not require a credit card.

Once you sign up for the Profile Organizer, you will be able to search for specific individuals, companies, etc.  When you find a profile you can save it to your organizer, archive it, and print it to a PDF.

3: Twitter (www.Twitter.com): Unlike the others, Twitter doesn’t have an actual built-in archiving functionality.  Twitter DOES have a great advanced search function that you can access at: search.twitter.com

Once on the Twitter search site, look for the “Advanced Search” link.  This will allow you to drill into searches by user, dates, topics, specific words or phrases, locations, etc.

Once you have search results, you can print to PDF, save the list, or use the nifty RSS link in the upper right called “Feed for this query”.


Changes to FRCP 8, 26 and 56 Just Around The Corner

November 16, 2010

December 1, 2010 marks the date that some important changes to Federal Rules of Civil Procedure will take effect.

The changes will affect the following:

1. Rule 8:  General Rules of Pleading  (Last amended Aug. 1, 1987)

2. Rule 26:  Duty to Disclose; General Provisions Regarding Discovery (Last amended Dec. 1, 1993)

3. Rule 56: Summary Judgment (Last amended Dec. 1, 2009)

As an expert witness, Rule 26 is the change that has most impact to me and how I interact with my cases and my clients.  For this reason I have focused on outlining the more significant changes.  I have provided a link to the full House Document 111-111 at the bottom of this post.

The biggest change is in the wording and interpretation of Rule 26(a)(2)(C) regarding disclosures of draft copies and communication of the expert witness.  While the previous 1993 interpretation meant that all drafts, notes and communications are to be disclosed, the new Rule 26 fixes this interpretation.

Citing the “profoundly practical” argument for extending work-product protection to certain communications and all drafts of the written report, the Civil Rules Committee went on to point out the loss of “robust communication” between the attorney and the expert [1] (we all know the wild gyrations we take to avoid discoverable material), the “tortuous steps to avoid having the expert take any notes”, and the “often futile” attempts to show that the expert was unduly influenced by the retaining lawyer. [2]

On a real-life level, I never take notes unless they are to document methodology, and unless given specific permission I avoid email and other written communication to my retaining attorney.  Report generation (unless it violates a specific order) means that I generate a report without saving it and have a remote viewing session with my retaining attorney.  This tends to create:

  • Extra phone calls to verify recollection of information,
  • Unnecessary phone tag,
  • Additional report generation time, and
  • A decrease in the retaining litigant’s view of the efficiency and effectiveness of the process.

Here are some of the highlights of the Rule 26 changes that fix the above issues:

  1. 26(a)(2)(B)(ii) has been amended to read that disclosure is to include all “facts or data considered by the witness in forming” their opinions.  This changes the previous wording of “the data or other information” verbiage that was used to imply all communications, written notes and drafts.
  2. The “Time to Disclose Expert Testimony” has been shifted to 26(a)(2)(D) and specifies the time limit for rebuttal evidence for both 26(a)(2)(B) and 26(a)(2)(C).  The new 26(a)(2)(C) deals with witnesses that are not required to provide a report.
  3. 26 (b)(4)(B) protects “drafts of any report or disclosure required under 26(a)(2), regardless of the form in which the draft is recorded.”  Essentially this makes the verbiage change in 26(a)(2) explicit.
  4. 26 (b)(4)(C) provides protection for “communications between the party’s attorney and any witness required to provide a report under Rule 26(a)(2)(B), regardless of the form of the communications”.  There are three types of communications that are exempted from this protection, though:
  • Communications that relate to compensation for the expert’s study or testimony;
  • Communications that identify facts or data that the party’s attorney provided and that the expert considered in forming the opinions to be expressed (emphasis added)
  • Communications that identify assumptions that the party’s attorney provided and that the expert relied on in forming the opinions to be expressed (emphasis added)

In short – better communication, fewer wild gyrations by the experts and their retaining attorneys, and shorter depositions without all the attempts to show undue influence. I was excited to see this discussed at Sedona and am thrilled to see the results just around the corner.

The only thing I will miss is the competitive advantage actually knowing FRCP gave me in this area vs. the numerous experts that didn’t seem to take the time.

The benefits, though, definitely outweigh this one advantage.

The link to the Supreme Court’s Approved Rules page is here:

Approved Rules Page

Direct links to the component PDF documents are below:

Rules (Clean Version)

Excerpt of the Judicial Conference Report

Excerpt of the Report of the Advisory Committee on Civil Rules

[1] 111th Congress, 2d Session House Document 111-111, page 35
Civil Rules Committee Report 5/8/2009, page 3

[2] 111th Congress, 2d Session House Document 111-111, page 25
Excerpt From The Report of the Judicial Conference 12/18/2009, page 3


A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (it is just now working its way through the courts), and seems extreme.  The reality is that planted evidence can occur in many different forms:  Planted documents, images, and even emails.

While the deception in the UK case was broken through cell phone activity (the perpetrator made an “anonymous” phone call, and had been heard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times to review other system information that backs up the method of arrival of the information on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, even sometimes serial numbers.  Further activity supporting the insertion of the device can sometimes be correlated between file history analysis and searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often have information regarding the date of creation (not necessarily introduction to the system), authorship, serial or license numbers of the product used, sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system.  Examination of these files can tell an investigator whether the file information matches up with what the system knows about the file.
  • Surrounding activity: Other activity on the system related to usage can be an indicator as well.  For example: If a file was supposedly downloaded from the internet, one would expect to see certain other activity surrounding the download if it was generated by the user.
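As an added example (not code from the original post), the following Python script applies the cross-checks above to constructed sample records: it looks for corroborating artifacts (a browser download record and browsing activity for a claimed download, a USB insertion for a claimed copy from removable media) near each file’s creation time, and flags inconsistencies such as a last-modified time earlier than the creation time or embedded metadata newer than the filesystem record. The artifact kinds, the ten-minute correlation window and all timestamps are assumptions for the demonstration.

```python
"""Cross-artifact provenance check for files of disputed origin.

Added example, not code from the original post. All records are constructed
sample data; in a real case they would be parsed from filesystem metadata,
the USB device history and the browser download database.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=10)  # assumed tolerance between related artifacts


@dataclass
class SuspectFile:
    path: str
    created: datetime                  # filesystem creation time
    modified: datetime                 # filesystem last-modified time
    claimed_source: str                # "download" or "usb"
    embedded_created: Optional[datetime] = None  # EXIF/PDF creation date, if any


@dataclass
class Artifact:
    kind: str       # "download", "browsing" or "usb_insert"
    when: datetime
    detail: str     # URL, device description, etc.


def corroborate(f: SuspectFile, artifacts: List[Artifact]) -> Dict:
    """List artifacts that support, and signs that contradict, the claimed arrival."""
    out = {"path": f.path, "supporting": [], "anomalies": []}
    near = [a for a in artifacts if abs(a.when - f.created) <= WINDOW]

    # A last-modified time earlier than creation means the file existed
    # elsewhere first and was copied onto this volume.
    if f.modified < f.created:
        out["anomalies"].append("modified before created (copied in from elsewhere)")
    # Embedded metadata older than the filesystem record is normal; newer is not.
    if f.embedded_created and f.embedded_created > f.created + WINDOW:
        out["anomalies"].append("embedded metadata newer than filesystem creation")

    name = f.path.rsplit("/", 1)[-1]
    if f.claimed_source == "download":
        hits = [a for a in near if a.kind == "download" and a.detail.endswith(name)]
        out["supporting"] += [f"download record {a.detail}" for a in hits]
        if not hits:
            out["anomalies"].append("no download record near creation time")
        if not any(a.kind == "browsing" for a in near):
            out["anomalies"].append("no browsing activity near creation time")
    elif f.claimed_source == "usb":
        hits = [a for a in near if a.kind == "usb_insert"]
        out["supporting"] += [f"USB insert {a.detail}" for a in hits]
        if not hits:
            out["anomalies"].append("no USB device insertion near creation time")
    else:
        out["anomalies"].append(f"unrecognised claimed source {f.claimed_source!r}")

    out["plausible"] = not out["anomalies"]
    return out


# Constructed sample timeline (not real case data).
T = datetime(2006, 5, 3, 14, 0)
ARTIFACTS = [
    Artifact("browsing", T + timedelta(minutes=1), "http://example.invalid/page"),
    Artifact("download", T + timedelta(minutes=2), "http://example.invalid/report.pdf"),
    Artifact("usb_insert", T + timedelta(hours=3), "usb stick, serial CONSTRUCTED-0001"),
]
FILES = [
    SuspectFile("C:/Users/boss/Downloads/report.pdf", T + timedelta(minutes=2),
                T + timedelta(minutes=2), "download"),
    # Claims to be a download, but nothing on the system corroborates it and
    # its modified time predates creation: consistent with a planted copy.
    SuspectFile("C:/Users/boss/Downloads/img.jpg", T + timedelta(hours=1),
                T - timedelta(days=40), "download"),
    SuspectFile("C:/Users/boss/Documents/scan.jpg", T + timedelta(hours=3, minutes=1),
                T + timedelta(hours=3, minutes=1), "usb",
                embedded_created=T - timedelta(days=2)),
]


def review(files: List[SuspectFile], artifacts: List[Artifact]) -> List[Dict]:
    return [corroborate(f, artifacts) for f in files]


if __name__ == "__main__":
    for r in review(FILES, ARTIFACTS):
        print(r["path"], "plausible" if r["plausible"] else r["anomalies"])
```

A real examination would also check the registry and setup logs that record the USB device details the post mentions; the script only shows how those records are weighed once parsed.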

A lot of these same techniques can be used to attack or defend other claims of the so-called “trojan defense” (aka “A Virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if an information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.


DEA Proposes Allowing Electronic Prescriptions for Narcotics

April 6, 2010

On March 31 the DEA published a proposal to allow electronic prescriptions for narcotics (Docket No. DEA-218I).

The effective date for this is June 1, 2010 pending congressional review.  The RFC section gives insight into how they plan to implement (bold text added by yours truly):  Identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

It looks like there will be a requirement to be “certified” to perform electronic fill of narcotic prescriptions, but is that really enough (think Heartland)?

There are several really interesting tidbits that can be derived from this document that I did not realize:

1. “The responsibility for the proper prescribing and dispensing of controlled substances is upon the prescribing practitioner, but a corresponding responsibility rests with the pharmacist who fills the prescription.” – This makes sense, but also indicates that they will likely follow a path where the responsible parties determine the means by which they accomplish an outline of requirements surrounding security related to narcotics prescription.  Ask yourself this:  Did HIPAA end internal patient record theft?

2. “[M]ost electronic prescriptions are routed from the electronic prescription or EHR application through intermediaries, at least one of which determines whether the prescription file needs to be converted from one software version to another so that the receiving pharmacy application can correctly import the data. There are generally three to five intermediaries that route prescriptions between practitioners and pharmacies.” – This points to the lack of standards, potential for screw ups and also multiple points of potential abuse.

I am still reviewing the text document (it is long) but I am also preparing and educating myself in this area – I feel some cases coming.

Original Federal Register Text:

FR Doc 2010-6687


Crimes Against Children Research Center: Trends in Arrests of “Online Predators”

April 2, 2009

The Crimes Against Children Research Center has released a new report noting that the types of online sex crime offenses haven’t changed much, but the profile of your average online predator has been shifting.

I have read the actual report as well as the methodology (methodology available here, report available here) and, while I am no expert in report methodology, I cannot spot any serious flaws.  This seems to be a well thought out study that avoids the typical hysteria and FUD that is oh-so-common in this type of work.

Some notable findings:

  • Online sex crimes only account for 1% of all arrests for sex crimes committed against children and youth.
  • Most of the arrests involved solicitation of undercover officers and not actual youth.
  • The percentage of internet users ages 12-17 rose by 20% between 2000 and 2006, at the same time there was a 21% increase in arrests of offenders who solicited youth online for sex and a 381% increase in arrests of offenders who solicited undercover officers.
  • There was a significant increase in arrests of offenders between the ages of 18-25.

There were some distinct differences between this report’s findings and my own perceptions:

  • Most offenders were open about their motives in their online communication with youth.
  • Only 4% of those arrested (in total) were registered sex offenders.
  • The majority of contacts did not occur through social network sites (social network sites accounted for just over 30%).

For those that have kids or are involved in family law, internet crime or data forensics and investigations this is likely to be an interesting read.

Any further comments and observations would be great too!


Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.” The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open sourced tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven”, the original article is here:

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging to memory and file carving makes it the number one contender in this category.  If you must have a MS based solution then you can also try FTK Imager Lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit with the optional graphical front-end of Autopsy is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or Perl to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS+, etc. as well as everything you need for MS documents via OpenOffice 3.0. I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMware was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.  You can also check out Backtrack 3 – just be aware that you run the risk of altering data if you boot up incorrectly with Backtrack.

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.


Kwame Kilpatrick Asks Skytel for $100M

March 10, 2009

It is being reported that Mayor Kwame Kilpatrick is going after Skytel for the release of the text messages that led to the settlement of the police whistleblower lawsuit against him.

(source: The Detroit News)

It appears that the grounds for this action are the Stored Communications Act.  As a non-attorney I am guessing that this will boil down to a few factors:

  1. Was the police department involved in the production of the text messages (4th amendment),
  2. Was the contract with Skytel to provide messaging services, or storage/retrieval and reporting?

The Stored Communications Act does differentiate between a provider of services and a provider of storage, so the Skytel contract wording will likely make a difference.

With all of the Kwame Drama aside, this could actually be interesting for providers, contract attorneys, e-discovery and forensics folks as well.

Here is a reference to another case with similar characteristics:

Quon v. Arch Wireless


The Fifth Amendment and Sebastien Boucher: Beyond Knee-Jerk Response

February 27, 2009

In December of 2006, Sebastien Boucher was crossing the US border when he was stopped and his laptop was reviewed by ICE officials.   The laptop was in his backseat and, according to documents, the drive containing the child pornography was accessible without requiring a password.

Mr. Boucher was Mirandized, but waived his rights and continued to talk to the agent.  During this conversation Mr. Boucher told the agent that he sometimes accidentally downloaded child pornography but would then delete the files when he realized what they were.  The agent requested that Mr. Boucher show him where he stored the files that he downloaded and Mr. Boucher directed him to a drive “Z”.

The agent continued to search the laptop and found several more instances of child pornography.  Mr. Boucher was subsequently arrested and the laptop seized (it was shut down).

Nine days later a forensic bit image was made of the drive and the drive “Z” was found to be encrypted by PGP, and the content inaccessible without the encryption key which, curiously enough, Mr. Boucher has refused to turn over.

In November 2007 Judge Jerome J. Niedermeier granted Sebastien Boucher’s motion to quash the subpoena directing him to turn over his encryption key for the drive, citing his fifth amendment rights.

An appeal was filed and U.S. District Judge William Sessions in Vermont ruled this week that Mr. Boucher does not have a fifth amendment right to keep the files encrypted.

What motivates me most to write about this case is the knee-jerk response that will surely follow by those that only read news releases and not the actual filings in the case.  Both judges have raised some fascinating issues regarding the fifth amendment and this specific case, and both the granting of the motion to quash and the subsequent reversal hinged on specific facts in this case, and NOT a blanket decision as some blogs will have you believe.

Judge Niedermeier weighed issues regarding compulsion to testify (subpoena) and the various components that make up a valid fifth amendment argument. In pondering these points the judge notes:

Both parties agree that the contents of the laptop do not enjoy Fifth Amendment protection as the contents were voluntarily prepared and are not testimonial. See id. at 409-10 (holding previously created work documents not privileged under the Fifth Amendment). Also, the government concedes that it cannot compel Boucher to disclose the password to the grand jury because the disclosure would be testimonial. The question remains whether entry of the password, giving the government access to drive Z, would be testimonial and therefore privileged.

The state evidently agreed to “not use the production of the password against Boucher.”  In so doing the state felt it would remove the testimonial aspect of entering the password.  Judge Niedermeier rejected this outright, citing United States v. Hubbell, 530 U.S. 27 (2000).

In rejecting further arguments, Judge Niedermeier pointed out that the password was something in Boucher’s mind, and further stated:

This information is unlike a document, to which the foregone conclusion doctrine usually applies, and unlike any physical evidence the government could already know of. It is pure testimonial production rather than physical evidence having testimonial aspects. Compelling Boucher to produce the password compels him to display the contents of his mind to incriminate himself.

In his reversal, Judge Sessions notes that neither side questions the fact that “the contents of the laptop were voluntarily prepared or compiled and are not testimonial, and therefore do not enjoy Fifth Amendment protection,” but notes that the root of the issue is the production of the password, which in effect causes the accused to “‘disclose the contents of his own mind’”.

He also mentions the “compelling” aspect of the subpoena and notes that there are two scenarios under which the act of production in response to a subpoena may communicate incriminating facts:

(1) ‘if the existence and location of the subpoenaed papers are unknown to the government’; or (2) where production would ‘implicitly authenticate’ the documents.” Id. (quoting United States v. Fox, 721 F.2d 32, 36 (2d Cir.1983)).

Drawing from this, the judge concludes that, because Boucher had already let the Government see the drive and its (unencrypted) contents, and because the Government does not require Boucher’s production of the unencrypted drive to link him to the files on his computer, the production is not considered incriminating and so the fifth amendment protection does not apply.

I have to say that, even without reading the opinions, I would have assumed that because Mr. Boucher was Mirandized, willingly volunteered information regarding the existence and contents of the drive (prior to shutdown and encryption) and willingly allowed a Government agent to browse his drive, he had rung a bell that could not be unrung.

[Copies of the opinions will be uploaded soon]