Chris Edquist

Chris Edquist is the chief digital forensic examiner with Third Chair Digital Forensics LLC. Chris is a Certified Forensic Computer Examiner (CFCE) and holds mobile forensic certifications through Cellebrite and Paraben Corporation. Chris has been a member of the International Association of Computer Investigative Specialists (IACIS) since 2007. Chris is also a licensed private investigator in Texas.

Don’t Leave Exculpatory Digital Evidence on the (Lab) Table

It is common in today’s criminal law practice for the State to possess cell phone data that they claim inculpates our client. Many times, it does actually implicate our client. We all know that one of the first steps a law enforcement agency takes in an investigation is to locate and seize relevant mobile devices and computers. We can then expect to see in the discovery materials a search warrant for the mobile device or computer, and/or a search warrant to obtain additional digital devices. This first round of search warrants is often followed up with search warrants to cell phone service providers and social media sites such as Facebook, Instagram, etc., for relevant digital information in the possession of these entities.

This article will discuss the steps that a criminal defense attorney may have to take to receive complete discovery of the data recovered by a digital forensic extraction from a cell phone, tablet, or computer.

Data is forensically copied from a cell phone or other mobile device in a process called an extraction. There are three types of cell phone extractions seen in the industry: a file system extraction, a physical extraction, and a logical extraction. The principles discussed in this article apply to all three types of extractions. In fact, the logical extraction which directly outputs limited data to a ready‑to‑review .html web page is particularly problematic for discovery purposes because it is often used in a pinch by untrained law enforcement to quickly (but not thoroughly) identify information on a cell phone.

Numerous software providers make cell phone extraction and analytics software. The most common and state‑of‑the‑art software is manufactured by Cellebrite, an Israeli digital intelligence company. Cellebrite software is used by most law enforcement agencies. There are also private digital labs that perform cell phone extractions using Cellebrite software.

To conduct a cell phone extraction, the cell phone is connected to forensic hardware, which could be a computer or a standalone device such as a Universal Forensic Extraction Device (UFED) that runs the extraction software. The files from the cell phone are then copied to the computer or to a target drive connected to the UFED. The extraction software stores the cell phone data in a container file or files with an extension of .zip, .bin, .tar, etc. These container files hold many raw folders and files, such as database files, that contain the digital information on the cell phone. Special forensic software is needed to open these files; they cannot be opened in a way that can be understood by most attorneys, and it takes specialized training and knowledge to understand their contents. A trained and qualified examiner uses the extraction software to examine the cell phone data. An especially important file type created by an extraction is the .pas file, a project session file used by Cellebrite to store the work performed by the examiner (i.e., the “bench notes” of a forensic extraction). Another example of a proprietary storage file type that may be encountered is the .xfc file created by X-Ways, a computer forensic program in widespread use in the industry.

Most lawyers do not have a background in digital forensics. Therefore, lawyers may not intuitively understand the many forms of digital forensic data that may be present in our cases. Since lawyers may not understand the nature of the data, we also may not understand that there is often more extracted evidence in the possession of law enforcement than we receive from the State via typical discovery disclosures.

In many cases, the State still provides discovery of cell phone extraction data in the form of a .pdf, Excel, or Word document. A document in one of these formats may or may not contain active links that take the reader to further information about the cell phone extraction. If the document does contain active links, the active link often does not work or links to a page that reads “file not found.” These .pdf, Excel, and Word documents are typically prepared by the law enforcement agency that conducts the cell phone extraction.

When the State turns over cell phone reports in .pdf, Excel, or Word format, they are only providing a fraction of the data in law enforcement possession. Due to the limitations of these formats, the State is not providing a valuable trove of files containing potentially exculpatory information. When the State provides discovery in this limited format, they are potentially violating C.C.P. art. 39.14 and Brady. This is because many of the formats used by the State to provide digital discovery omit valuable categories of digital files.

Due to the limited knowledge of most lawyers of file types generated by a cell phone extraction, it is likely that prosecutors do not know they are not turning over all of the data generated by law enforcement. Since the relevant law enforcement agency is using a format for providing the data that seems to satisfy the State, it may not occur to the law enforcement agency that they are not putting the prosecutors in a position of being able to provide full discovery.

As defense attorneys, we have the task of educating the prosecution, law enforcement, and the courts as to the existence of this additional data. We have the task of demanding that the prosecutor seeks this data from law enforcement; or more commonly, the task of petitioning the court to order the State to inquire of law enforcement as to the existence of this additional data.

Other ways in which a complete set of data from a device is not provided to the defense attorney arise where law enforcement has not performed a complete extraction of the device (i.e., their original extraction criteria only sought certain file types and omitted others) and where law enforcement used out‑of‑date extraction software to perform the extraction. There are many different methods for extracting data from digital devices such as cell phones and computers. Law enforcement agencies and individual forensic examiners conduct different levels of extraction and also employ extraction software that may not be completely updated in its extraction capabilities. Even if a forensic examiner uses up‑to‑date extraction software at the time of the original extraction, later versions of the extraction software often make it possible to retrieve more data from the device via an extraction performed with the updated software.

Thus, a subsequent forensic examiner can discover more data from an earlier extraction by analyzing file types that were not previously extracted. It is also possible to perform a “re‑extraction” of the original device with fully updated extraction software to reveal additional files and data. (If a cell phone extraction was performed as little as a year ago, the extraction software used by the law enforcement agency has likely been updated 12‑15 times by the manufacturer.) This additional data may contain exculpatory or mitigating information.

This same scenario occurs with the extraction of data from a computer. Not only are the formats used by the State to provide discovery limited in their ability to provide a complete set of data, but subsequent extraction software updates make a more complete extraction possible.

Defense counsel should engage a trained and qualified digital forensic expert to assist in evaluating any discovery received from the State. The expert can determine from the discovery provided whether file types and data have been omitted. Expert assistance will enable defense counsel to obtain and evaluate additional data.

To obtain this data, defense counsel will likely need to make an additional discovery request of the State and/or request to take possession of the device in question to perform another extraction. Although the State has a duty to provide all of the potentially exculpatory, mitigating, and impeaching evidence in the possession of law enforcement, they often do not understand how this evidence could have been omitted from discovery.

Defense counsel should make their filing in the form of a request for additional discovery which puts the onus directly on the State to comply. Filing a motion that requires court intervention may be necessary in the event that the State does not voluntarily comply with the request. Counsel can also file a joint request and motion seeking further evidence.

Another facet of cell phone forensics that is becoming more prevalent is law enforcement’s use of a device called GrayKey. GrayKey is a forensic access tool that extracts encrypted or inaccessible data from mobile devices. GrayKey is currently only available to law enforcement. By employing GrayKey, law enforcement officers are able to access locked mobile devices. These writers are aware of a couple of North Texas law enforcement agencies that are employing GrayKey. The use of GrayKey to access a locked or encrypted mobile device should be attacked on Fourth and Fifth Amendment grounds. In discovery motions, defense attorneys should request and move for discovery revealing and detailing the use of GrayKey.

An additional discovery request should ask for:

  1. First instance copies of all files and data produced during any method of extraction of any mobile digital device, cell phone or SD card; including but not limited to any .tar files, .zip files, and any .bin files.
  2. Any .pas files and any other project session files used to store the work performed by the examiner (i.e., the “bench notes” of a forensic extraction).
  3. First instance copies of all forensic image files generated from a computer extraction; including but not limited to .E01, .EX01, .AD1, .DD, .001, .AFF, .CTR formats of any device that may have been imaged into these formats such as computer hard drives, thumb drives, or memory cards.
  4. First instance copies of any and all information, files, and first instance and/or original metadata about the use of “GrayKey” or any other spyware program employed by law enforcement to access any digital device in the case.
  5. Any and all other evidence and information held by law enforcement in connection with this case that has not previously been provided to the defense through discovery.

“First instance” means the original extraction file or files generated by the original examiner or exact copies thereof. Later copies of an extraction file or files could be altered by file compression or by the limitations of a subsequent proprietary viewer.
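As an added illustration (not from the article and not Third Chair Digital Forensics’ own code), the following Python shows how an examiner checks whether a received extraction container is a first instance copy: hash the container as a whole and each file inside it. A copy re‑zipped by another tool yields identical member hashes but a different container hash, which is exactly the alteration the definition above warns about, and a copy damaged in transfer is flagged as unreadable. The file name, bytes and timestamp are constructed placeholders.

```python
import hashlib
import io
import zipfile

# Constructed placeholder bytes standing in for one database file pulled off
# a phone (not a real SQLite database).
SAMPLE_DB = b"SQLite format 3\x00" + b"\x00" * 64 + b"message row: hello"


def build_container(compression: int) -> bytes:
    """Build an in-memory .zip extraction container holding SAMPLE_DB.

    A fixed timestamp keeps the bytes deterministic, so the only difference
    between calls is the compression method used to package the member.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("chat.db", date_time=(2020, 1, 1, 0, 0, 0))
        zf.writestr(info, SAMPLE_DB, compress_type=compression)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def container_manifest(container: bytes) -> dict:
    """Hash the container as a whole and every member file inside it."""
    manifest = {"container": sha256_hex(container), "members": {}}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            manifest["members"][name] = sha256_hex(zf.read(name))
    return manifest


def is_first_instance_copy(reference: bytes, received: bytes) -> bool:
    """A first instance copy is bit-for-bit identical, so the hashes match."""
    return sha256_hex(reference) == sha256_hex(received)


def compare(reference: bytes, received: bytes) -> dict:
    """Classify a received copy: exact, re-packaged (same members), or damaged."""
    ref = container_manifest(reference)
    try:
        rec = container_manifest(received)
    except zipfile.BadZipFile:
        return {"readable": False, "container_identical": False,
                "members_identical": False}
    return {
        "readable": True,
        "container_identical": ref["container"] == rec["container"],
        "members_identical": ref["members"] == rec["members"],
    }


# The examiner's original container, a later copy re-zipped by another tool,
# and a copy that lost its tail in transfer (all constructed here).
ORIGINAL = build_container(zipfile.ZIP_STORED)
RECOMPRESSED = build_container(zipfile.ZIP_DEFLATED)
TRUNCATED = ORIGINAL[:-30]
```

In practice the reference hashes come from the original examiner’s verification report, and `compare(reference, received)` is run against the container actually produced in discovery.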

“Metadata” is simply data about data. For example, an image file will contain metadata that describes how large the file is, the color depth, the image resolution, and when the image was created. Metadata is important in the forensic realm because it is often how a digital file can be authenticated.

Third Chair Digital Forensics LLC has drafted a subsequent discovery motion carefully setting out the above requests in formal discovery language. A copy of the motion appears at the end of this article and will be available in the TCDLA motions bank.

Endnotes

  1. The individual prosecutor has a duty to learn of any favorable evidence known to the others acting on the government’s behalf in the case, including the police. Kyles v. Whitley, 514 U.S. 419, 437–38, 115 S.Ct. 1555, 1567, 131 L.Ed.2d 490 (1995); Harm v. State, 183 S.W.3d 403, 406 (Tex. Crim. App. 2006).

NO. _______

THE STATE OF TEXAS                            IN THE ______ JUDICIAL

VS.                                           DISTRICT COURT OF

_______________                               ______ COUNTY, TEXAS

DEFENDANT’S REQUEST AND MOTION FOR ADDITIONAL DISCOVERY AND PRESERVATION OF EVIDENCE

TO THE CRIMINAL DISTRICT ATTORNEY OF ______ COUNTY, TEXAS; AND TO THE HONORABLE JUDGE OF SAID COURT (IN THE EVENT THE STATE FAILS TO COMPLY):

Undersigned Counsel for Defendant having been provided some discovery in this case under Texas Code of Criminal Procedure art. 39.14, requests further compliance with said article from the State of Texas.

Counsel’s review of the materials provided thus far reveals that several additional items are likely in possession, custody, or control of the State of Texas or a law enforcement agency and are, therefore, discoverable under art. 39.14, but have not yet been provided to Defendant by the State of Texas. Article 39.14 specifies that the Defendant shall be allowed to inspect, electronically duplicate, copy and photograph said items; and that the State may provide electronic duplicates of said items to Defendant. The State of Texas has an on-going obligation to timely furnish discovery under this article.

The individual prosecutor has a duty to learn of any favorable evidence known to the others acting on the government’s behalf in the case, including the police. Kyles v. Whitley, 514 U.S. 419, 437–38, 115 S.Ct. 1555, 1567, 131 L.Ed.2d 490 (1995); Harm v. State, 183 S.W.3d 403, 406 (Tex. Crim. App. 2006). It is irrelevant whether suppression of favorable evidence was done willfully or inadvertently. Harm, 183 S.W.3d at 406.

Similarly, under the Texas Disciplinary Rules of Professional Conduct Rule 3.09(d) a prosecutor in a criminal case is required to “make timely disclosure to the defense of all evidence or information known to the prosecutor that tends to negate the guilt of the accused or mitigates the offense . . .” Rule 3.09(d) is broader than Brady because the materiality element of the Brady line of cases does not apply to Rule 3.09(d). Schultz v. Comm’n for Lawyer Discipline, 2015 WL 9855916 at *2 (Texas Bd. Disp. App. 55649, December 17, 2015). A failure of a prosecutor to disclose evidence under Rule 3.09(d) is a violation of Texas Disciplinary Rules of Professional Conduct Rule 3.04(a) which makes it a disciplinary violation to unlawfully obstruct another party’s access to evidence. Id. at *4.

The State of Texas can only except requested items from discovery under the “work product” rule when the requested item contains only comments by the attorney concerning his trial strategy or opinions of the strengths and weaknesses of the case. The United States Supreme Court has described the work product doctrine as sheltering “[a]t its core … the mental processes of the attorney, providing a privileged area within which [an attorney] can analyze and prepare his client’s case.” Washington v. State, 856 S.W.2d 184, 187 (Tex. Crim. App. 1993) (quoting United States v. Nobles, 422 U.S. 225, 238, 95 S.Ct. 2160, 2170, 45 L.Ed.2d 141 (1975)). Material that reflects the attorney’s personal thought processes is “core work product” and receives absolute protection, while other materials, such as documents, reports, or memoranda compiled by the attorney or his agents and communications made in anticipation of litigation or trial are “other work product” and receive qualified protection. While the work-product doctrine protects the communications of parties, attorneys, and agents, the underlying factual information is not protected. For example, descriptions of potential witnesses and statements that would reveal whether the party had spoken to potential witnesses are not work product and are discoverable. Pope v. State, 207 S.W.3d 352, 358 (Tex. Crim. App. 2006). If counsel’s efforts do not create or enhance the substantive information, that information—or the form in which it is preserved—does not become protected work product. That is, facts that are divulged or exist independent of the attorney or his agents are not protected, but statements or documents that set out their thoughts concerning the significance of these facts or the strategic conclusions that the attorney or his agents draw from them may well be protected. Pope, 207 S.W.3d at 358–59. For example, a recording of a statement made by a witness is discoverable unless it contains only comments by the attorney concerning his trial strategy or opinions of the strengths and weaknesses of the case. Cullen v. State, 719 S.W.2d 195, 198 (Tex. Crim. App. 1986).

Additionally, the government is constitutionally required to preserve evidence that might be expected to play a significant role in the suspect’s defense. Little v. State, 991 S.W.2d 864, 866 (Tex. Crim. App. 1999).

Undersigned counsel knows from experience and through consultation with experts in the field that there are many different methods for extracting data from digital devices such as cell phones and computers. Different law enforcement agencies and different forensic examiners conduct different types of extractions and also employ extraction devices that may or may not be completely up to date in their extraction capabilities.

Due to these variations, it is possible for another expert to extract more data from a device than was obtained by an earlier extraction. It is also possible for a subsequent examination of the original data to reveal additional data and information. These later examinations may discover exculpatory and/or mitigating information not discovered in an analysis of the original extraction.

In order to perform a subsequent analysis of the extraction, a forensic expert needs access to first instance copies of the files created during the extraction.

For purposes of this request and motion “first instance” means the original extraction file or files generated by the original examiner or exact copies thereof. Later copies of an extraction file or files could be altered by file compression or by the limitations of a subsequent proprietary viewer.

The Scientific Working Group on Digital Evidence defines “metadata” as “data, frequently embedded within a file, that describes a file or directory, which can include the locations where the content is stored, dates and times, application specific information, and permissions.” For example, an image file will contain metadata which describes how large the file is, the color depth, the image resolution and when the image was created. Metadata is important in the forensic realm because it is often the means by which a digital file can be authenticated.

The original data, information and evidence sought to be discovered and/or preserved consists of:

  1. First instance copies of all files and data produced during any method of extraction of any mobile digital device, cell phone or SD card; including but not limited to any .tar files, .zip files, .bin files, and any .pas files (project session files used by Cellebrite to store the work performed by the examiner).
  2. First instance copies of all .E01, .EX01, .AD1, .DD, .001, .AFF, .CTR acquisition files generated during any method of extraction or imaging of any computer hard drive or thumb drive;
  3. First instance copies of any and all information, files and first instance and/or original metadata pertaining to the use of “GrayKey” or any other spyware program employed by law enforcement to access any digital device in this case;
  4. Any and all “case notes” whether written or electronic created by any law enforcement agent whether or not included in any supplemental report; and
  5. Any and all other evidence and information held by law enforcement in connection with this case that has not previously been provided to the defense through discovery.

WHEREFORE, PREMISES CONSIDERED, the Defendant hereby requests that the Court grant a hearing on this Request and Motion in the instant cause; and that subsequent to the hearing of said Request and Motion that the Court ORDER that the State of Texas provide the individualized items to the Defendant.

Respectfully submitted,

S.B.O.T. No. ________

Law Offices of ________
(Not a Partnership)

Address
City, Texas
Zip Code
Phone
Facsimile
Email

ATTORNEY FOR DEFENDANT