Extracting, Preserving, and Authenticating Digital Evidence: What’s discoverable, how to obtain, and more

Session l – Preservation and Protection of Electronic Evidence – Daniel Larry

The purpose of this class is to educate claims professionals on how digital evidence is extracted from cell phones, computers, and other electronic devices. Explanations will be given on the various methods of how this data is extracted, what is in accordance with forensic best practices, and how this evidence is properly preserved. In addition, attendees will learn about the fragile nature of digital evidence, and the extent to which this information can be changed if not handled correctly.

Given the rising instances of fake text messages and call spoofing, a section of this class will explain how this is commonly done, even by people with little technical knowledge, and how an investigation is performed to determine the authenticity of such evidence.

Using actual case examples, attendees will see how protecting digital evidence can be vital in an investigation. Upon completion of this class, attendees will have a working knowledge of how data collections are performed, how data is preserved, the types of forensic artifacts that are recoverable, how data is authenticated, and how such evidence can be used for their purposes when working on a case.

Key topics to be discussed:

• Differences and similarities between cell phone forensics and computer forensics
  • The technology will be explained so that attendees understand the differences and similarities between cell phone forensics and computer forensics. The purpose of this explanation is so they can understand the different issues related to evidence preservation according to digital forensics best practices.
• Forensic acquisition and preservation of digital evidence
  • The unique preservation issues concerning cell phone forensic evidence will be covered. This includes the necessary use of faraday bags to block radio waves from reaching the cell phone in order to preserve the evidence so that phones cannot be remotely wiped, and so that cell phones data is not lost via the ingestion of new data (thereby potentially deleting the oldest).
  • The three primary forms of cell phone acquisition will be explained. These include a logical, file system, and physical extraction of data. These three forms of acquisition work differently technologically speaking, but they also recover different types of data, and at different levels of depth. Using plain language, these technical concepts will be explained in an approachable manner.
  • A special explanation will be given to manual examinations. This is done in particular because this is most likely what a legal professional is likely to encounter in their daily work. This is also the most problematic form of digital evidence collection as it lacks a forensic method of verification. A manual examination is where a forensic examiner (or even layperson) has to actually take pictures of a cell phone in order to capture the data on it.
• When Data Collection Go Won
  • In the section, the attendee will learn how data can be lost and the implications that can follow, which include the possibility for spoliation claims and sanctions. This will be explained utilizing real case examples.

Session ll – The Importance of Electronic Evidence and Digital Forensics – Anthony Diosdi

There is a tremendous knowledge gap in our legal system when it comes to matters involving digital evidence. In many cases, this knowledge gap has put attorneys in the position of not knowing that digital evidence could make a difference in their cases. The purpose of the seminar is to fill that knowledge gap so that lawyers will have a better chance to understand evidence that is involved and presented in cases and in courts.

Key topics to be discussed:

• Pursuing computers, cloud storage, social media platforms and legacy storage for useful evidence
• Problems of preservation and authentication
• Best Practices for Preserving and Retrieving Deleted Data
• Smart Phone and Mobile Device Evidence – What to Look for and Where to Find It
• Overview on how and when to subpoena phone, social media, and other records
• Essential rules, objections, statutes, and case law
• What is discoverable and what is not, the proper procedures to follow
• How a lawyer can obtain the same evidence without using a subpoena
• Confidentiality concerns related to electronic discover

This course is co-sponsored with myLawCLE.

Date: October 17, 2022

Closed-captioning available