Implementing Best Practices in Mobile Device Seizure - Part 3 Comply with Legal Expectations


Disclaimer: The contents of this section are intended to convey general information only and not to provide legal advice or opinions. The contents of this section should not be construed as, or be relied upon for, legal advice in any particular circumstance or fact situation. The information presented in this section may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues and to ensure you are following proper procedures as outlined by your legal department.


Search Authority

A forensic examination of a mobile device is considered a search. In order for evidence to be admissible in court, the examination must be conducted within the scope of legal authority.

As a forensic examiner, you must be granted authority to conduct a search on a mobile device. Authority may be as simple as an owner, such as the CEO of a corporation, providing consent to search a device, or it may require a federal court order granting an agent of the government authority to search a device. For internal investigations, the authority to search will be governed by the policies of the private entity. The Fourth Amendment of the US Constitution protects the people of the United States from unreasonable searches and seizures by the government. However, the Fourth Amendment does not regulate searches by private citizens such as private investigators. Each state provides legal limitations on searches, and it is important for examiners to understand what the laws are in the state where they are performing the examination.


The 4th Amendment to the U.S. Constitution

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Understanding search authority is an important aspect of forensic analysis. As the examiner, it is up to you to understand the legal limits of your search authority. If you fail to understand the limits, you are likely to exceed the scope of your search authority. Exceeding that scope may lead to inadmissible search results if the case is taken to trial.


Types of Search Authorities

In criminal cases, a competent authority will provide authorization to search in one of three forms:

· Search Warrants

· Valid exceptions to the Warrant Clause

· No Reasonable Expectation of Privacy (REP)


Search Warrants

A search warrant is a court order to conduct a search of a specifically designated place for specific item(s) to be seized. Prosecutors and law enforcement officers in criminal investigations use search warrants to establish authorization, a scope of the place to be searched, and the persons or things to be seized.

Warrants are supported by an oath or affirmation that comes in the form of an affidavit. An affidavit is a signed, sworn statement of probable cause providing specific facts to show that a crime was committed and that evidence of that crime will be located in the place to be searched. Examiners may have to assist criminal investigators in drafting a search warrant. Once a warrant is approved, the search authority it grants may be limited in scope. Make sure to read the warrant carefully to ensure your search is within the scope of the warrant.


Valid Exceptions to the Warrant Clause

There are certain circumstances where a warrant is not needed by the government to conduct a search. There are seven exceptions to the Fourth Amendment:

· Exigent circumstances

· Search incidental to a lawful arrest

· Stop and frisk

· Consent

· Plain view

· Caretaker function

· Vehicle exception

For the purposes of this course, we will focus on the most common exception for forensic examiners: consent.


Consent

Consent is authorization and agreement to allow something to be done. The owner of the device typically provides consent. (In Topic B we discussed which questions to ask to identify ownership of a device.) Once ownership is established, examiners can ask for consent to search the device. Consent will not always come from the owner.

Consent can be provided verbally or in writing and must be given knowingly and voluntarily by a person with actual or even apparent authority over the device to be searched. It is a best practice to get consent in writing. The person consenting to the search can limit the scope of the search as well as withdraw their consent at any time.

A third party can also give consent. Regarding a husband and wife, the court system has typically understood that either spouse has the authority to consent to a search of all property. This consent can become invalid if both parties are present and one does not give consent.

With parents and children, there are also multiple factors to consider, such as whether the child is a minor or eighteen years old. The court system has generally understood that if the child is a minor, a parent can consent to a search of the child’s belongings.

When the child is an adult and living at home, the situation becomes more complex. The court system uses specific tests to determine the child’s reasonable expectation of privacy and in turn, decides who can give consent to search.

As with all legal issues, it is a best practice to seek counsel from a legal professional. Do not make the call on your own unless you are a legal professional. Each state has different laws governing privacy rights and, as the forensic examiner, it is important you conduct all aspects of the search within your legal authority.


No Reasonable Expectation of Privacy

There are situations when a person has no Reasonable Expectation of Privacy (REP). The Supreme Court established standards to determine whether a reasonable expectation of privacy exists. The test has two parts: first, the individual must have demonstrated an actual expectation of privacy; second, society must agree that the expectation of privacy is objectively reasonable.

For example, a corporate or government employee signs a user agreement for a mobile device or computer use acknowledging he or she has no expectation of privacy while using the company-provided device. The corporation must also provide a banner at the initial login screen that states the same. If this is the case, it is best to obtain the user agreement before you conduct your analysis of the device.

Another standard of REP is abandoned property. Property is considered abandoned when the individual, through his or her actions or words, indicates the property is not his or hers or shows no interest in the item or place. An example would involve an individual previously seen with a particular iPhone and then denying ownership of that iPhone. There is no REP in any abandoned property.


Elements of the Crime

In order to successfully prosecute a case, there are many factors required to meet strict guidelines to ensure evidence is admissible in court proceedings. These factors include using best practices to seize and preserve the evidence in its original state and ensuring a search of the device is within the legal limits defined by the search authority. The elements of the crime outline what needs to be proven in order to gain a conviction.

In order to identify the elements of the crime, examiners need to research the identity of the crime and its elements. Make sure your analysis remains unbiased and neutral. Many examiners only search to prove the elements of the crime, overlooking critical evidence that may disprove the elements. Remember, as an examiner your job is to prove or disprove the allegation through facts found on the evidence you are analyzing.

Example:

The following text provides an example of the elements of the crime for Criminal Copyright Infringement 17 U.S.C. § 506 and 18 U.S.C. § 2319:

Elements:

1. Willful infringement “for purposes of commercial advantage or private financial gain,” 17 U.S.C. § 506(a)(1)(A).

2. Willful infringement by “the reproduction or distribution, including by electronic means, during any 180-day period, of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000,” 17 U.S.C. § 506(a)(1)(B). Note that this type of infringement does not have a financial component.

3. Willful infringement “by the distribution of a work being prepared for commercial distribution, by making it available on a computer network accessible to members of the public, if such person knew or should have known that the work was intended for commercial distribution,” 17 U.S.C. § 506(a)(1)(C) (enacted in 2005). This violation, enacted in 2005, is commonly referred to as “pre-release” piracy and also does not have a financial component.

The common factors for all criminal copyright offenses are that (1) there must be a valid copyright, (2) there must be an infringement, and (3) the infringement must be willful. Some courts also require that the government prove an extra element: that the infringing items at issue were not permissible “first sales,” although most courts hold the issue of “first sale” to be an affirmative defense. See Section C.4. of this Chapter.

Felony copyright infringement only occurs when the defendant willfully infringed a copyright by reproduction and distribution and only in the following ways:

by (a) reproducing or distributing, “including by electronic means;” (b) “during any 180-day period;” (c) “at least 10 copies or phonorecords, of 1 or more copyrighted works;” (d) that have a “total retail value of more than $2,500.” 18 U.S.C. § 2319(b)(1); OR

by (a) distributing a work; (b) that is “being prepared for commercial distribution;” (c) by “making it available on a computer network;” (d) “[knowing it] was intended for commercial distribution.” 17 U.S.C. § 506(a)(1)(C); 18 U.S.C. § 2319(d).


Civil Litigation

Civil litigation is a legal argument between two or more parties that seek monetary damages or specific actions, rather than criminal charges. As a forensic examiner, you will need to understand the civil process as well as the criminal process. Civil matters usually come in the form of torts, which are private matters that do not typically involve the government. A tort is a civil wrong for which a court will provide a solution, typically in the form of an action that will compensate the plaintiff for damages incurred. Oftentimes the resolution involves payment for the damages incurred because of the criminal act.

Apple versus Samsung is a civil litigation case in which Apple accuses Samsung of larceny for the technology used in iPhones. Samsung was found guilty of plotting to steal the iPhone appearance and technology, for which Apple was awarded nearly one billion dollars in damages from Samsung.

An injunction is another remedy for tort resolution. An injunction is a firm order or warning. Injunctions prohibit someone from doing something. Apple requested an injunction to prevent Samsung from selling products that infringed on Apple’s patents.

Civil lawsuits are generally between businesses, corporations, or individuals, but the government can be part of a civil case if it is a party to that case. In civil matters, the injured party is known as the plaintiff and the wrongdoer is known as the defendant.


Burden of Proof

Criminal prosecution and civil suits both require proving the elements of the crime. The difference lies within the burden of proof. In criminal matters, the government is responsible for providing evidence proving the elements of the crime beyond a reasonable doubt to obtain a conviction. In civil matters, the petitioner is responsible for proving elements of the tort by a preponderance of the evidence. Civil cases can fall into five different categories: contract law, property law, family law, law of succession, and tort law.


Electronic Discovery

Electronic Discovery (eDiscovery) is identifying, collecting, preserving, and producing Electronically Stored Information (ESI) as part of a discovery request for production in lawsuits or investigations. ESI is any information stored electronically. Some examples include but are not limited to text messages, emails, documents, video, audio, social media posts, websites, and databases. ESI may be found in any location capable of storing data such as mobile devices, in the cloud, on a computer system, or in a corporate network.

eDiscovery follows a general framework known as the Electronic Discovery Reference Model (EDRM). As with all courtroom evidence, the ESI must be preserved during collection to retain the original content and metadata of the file. This is done to eliminate the potential claim of spoliation or altering evidence during litigation. Civil discovery in federal cases follows the Federal Rules of Civil Procedure (FRCP). Every state has individual rules for civil practice that detail civil discovery.

Once ESI is identified as relevant and collected, it continues through the EDRM framework to be reviewed, ensuring the documents for production are relevant and do not contain privileged information. The end goal of eDiscovery is to produce relevant documents as evidence for litigation and to do so in a defensible manner.


Motions

During the civil process, lawyers will submit a motion to the court in order to invoke an action. An example of a motion would be to request dismissal of the case or compel the other party to produce ESI. It is highly likely the opposing counsel will submit a motion to disallow the examiner's expert testimony. Avoid taking any such actions against you personally. These types of motions are common since the opposing counsel has nothing to lose by filing the motion. It is up to the judge to make the final decision to admit the examiner's testimony or have it thrown out. As an expert witness, your job is to articulate the facts as clearly and as simply as possible so the jury and/or the judge will understand your findings.


Investigation Outcomes

Criminal and civil investigations may culminate in one of several different ways:

· The case may be deemed to be unfounded, and no action is taken.

· The suspect being charged may plead guilty. This could lead to what is known as a plea bargain where a lesser charge is given.

· Mediation may take place where both parties come to an agreement and settle out of court.

· In felony-level cases, an indictment may be filed to determine the probability a felony crime was committed. If it is determined that a crime was committed, the next question is whether it is a felony-level crime or a misdemeanor.

· The case may be referred to trial.


Testifying

To testify is to act as a witness in court providing evidence of a case. Keep in mind that over 94% of all federal and state cases end in a plea bargain and never see a courtroom. However, if you are involved in a case that goes to trial, and you need to testify, you will need to know the following:

Federal Rule of Evidence 701 prohibits lay witnesses from offering an opinion on scientific and/or technical issues unless their testimony is based on firsthand knowledge or an observation. A lay witness is simply a person who is untrained or not deemed an expert on the subject matter.

Federal Rule of Evidence 702 defines the requirements to provide testimony as an expert witness. Any person who is deemed qualified as an expert by the court via knowledge, skill, experience, training, or education may give testimony in the form of an opinion.

To provide expert witness testimony, the examiner must have more knowledge than the average person on the subject matter. The testimony given must assist the jury or judge and the testimony must be constructed on scientific methods and principles. There is no requirement for an expert witness to have a license or a degree to testify.


Testifying as an Expert Witness

Preparation is the key to success when appearing before a judge or jury to testify. It is imperative you work closely with counsel to prepare for your testimony. Prepare in such a way to ensure your testimony is understandable and believable. Your job is not to make or break the case; it is simply to answer the questions asked to the best of your knowledge and present factual data based on your analysis of the evidence.

Below are a few guidelines to follow when testifying as an expert witness:

· When articulating your facts, focus on the judge/jury, not the person asking the questions.

· If you made or make a mistake, admit you did so. If you know a mistake was made, tell your counsel upfront before the trial, giving counsel the ability to prepare and possibly resolve the issue.

· DO NOT lie or exaggerate the truth under any circumstance. Doing so will not only ruin your credibility and reputation as an expert but also possibly lead to criminal charges for lying under oath.

· During cross-examination, the defense counsel or prosecution (if testifying for the defense) will attempt to discredit you as a witness. Be objective and do not take sides.

· Maintain your composure and stay calm even if counsel is attacking your character or attempting to discredit you, your methodology or your conclusions.

Failure to conduct yourself in a professional manner may have negative consequences such as having your testimony completely stricken from the record. In some cases, it may even cause a mistrial.
