Digital forensics is the forensic science encompassing the recovery, analysis and presentation of electronically stored information (ESI). The results of a forensic analysis are often provided in the form of expert testimony in court, an expert report or some other legal document. Often cases may require both a written expert report and testimony at a hearing.
Digital forensics can be relevant to many different types of matters that involve electronic devices. Family law matters are no exception to the use of digital forensics.
Electronic Evidence in Family Law Matters
It’s no surprise that electronic evidence exists in family law matters. In fact, it’s possible that a hidden trove of data could exist. There are many sources where data can live and it’s critically important to identify them. Typical electronic devices include smart phones, tablets, and computers. We are seeing more requests for social media preservation and searching, along with personal email accounts and cloud-based storage sites. Determining what types of electronic devices need to be preserved and examined is the very first step of the digital forensic process.
A digital forensics examiner will ask what type of devices are involved so they can provide you with accurate estimates for both timing and costs, as well as an overview of their forensic capabilities with that type of device. Is a computer involved, and if so, if so, what type? Does it run the Windows operating system or is it running MacOS? If it’s a smart phone or tablet, what is the make and model of the device? Is it a Samsung Galaxy smart phone running the Android operating system or is it an Apple iPhone with iOS?
There are a lot of details to gather but knowing them will help the digital forensic examiner gauge their support for the device and figure out what data they can extract and recover from the device.
The other common source of digital evidence in family law cases is personal email. Why is this source separate from computers and mobile devices? Depending on how the email is accessed may determine the process of its preservation and analysis. When an email client such as Outlook is used, typically this indicates that email is stored locally on the computer system and will be preserved when the forensic image of the computer is made.
With webmail accounts like Gmail, Yahoo and Hotmail, email messages aren’t stored locally on the user’s device (unless there’s a program pulling the data down like Microsoft Outlook or Mozilla Thunderbird). The data is typically stored in the cloud with the email provider. But wait, I look at my email on my smart phone so isn’t it stored on my phone?
That’s a great question. It really depends on the type of phone and the support the forensic tools have to collect the data from the mobile device. Email is generally not included. These email accounts are still accessible and collectable, don’t fret. To collect webmail accounts the forensic examiner is going to need the username and password for the account.
What Types of Data are Commonly Requested in Family Law Cases?
There is usually a lot of data on a computer, smartphone or tablet. So much so that it’s hard to review everything without feeling like you are drowning in a mountain of information. The good news is that the data from these devices can be searched and filtered based on specific criteria. What data is commonly requested?
The most sought-after information in family law cases is communications. This includes native text messages, calls, emails, third-party app messages (WhatsApp, Facebook Messenger, Snapchat, etc.), and voicemails. On devices, especially mobile devices such as smart phones, communications can make up a lot of the data on the device. It’s not uncommon to see several thousand to hundreds of thousands of messages on a device.
The data that can be extracted from a device is dependent on the support for the device and the messaging application. In some cases, data from unsupported messaging applications may not be extracted or parsed. Therefore, it is important to know what type of messages are being sought.
Sometimes, in cases where ephemeral messaging applications are used, message data may not be stored on the device at all or for only very short periods of time. Ephemeral messages are ones that disappear after being read. Some applications such as Snapchat and Instagram’s Messaging feature make use of this.
While the message content may not exist on the device, there may be some indicators that messages were sent/received through the recovery of other artifacts. There is also a possibility that the vendor of the app maintains some records of the messages or even the content for a period before it is purged from their systems. If that is the case, then a timely subpoena or legal request may be worth trying.
After messages, the next most popular artifact is internet history. Browser history, including searches and the websites visited by a user, is often of great interest. It is often possible to recover the dates and times associated with a visit to a website. Frequently, dating websites and pornography sites are of concern. While it is possible to show that a device was used to visit a particular website it’s not always possible to put a specific person on the keyboard. In some cases, deleted browser history data may be recoverable as well.
Another common request is to examine a device for spyware or monitoring programs. There are applications out there for both computers and mobile devices that track locations and can look at screens or capture communications. It’s important to always be mindful of who has access to your devices as well as the usernames and passwords for your accounts.
Often, spyware isn’t the reason behind the monitoring. Sometimes it can be as simple as another person has gained access to a cloud account where data like calls, messages, browser history and documents are being backed up. This is most seen with Apple devices where the user’s iCloud account credentials have been shared and/or used across multiple devices. If that is the case, another Apple device could be receiving the data as it’s synchronized across all the devices attached to the iCloud account
Luckily, users can log into their iCloud account and check where they are signed in. This can show any other devices that are linked to the Apple iCloud account. Users can also open the Settings on their iPhone and click on the iCloud account name at the top to see what devices are currently attached to the account as well. Before making any changes, it is always recommended to document the devices attached to the account, including serial number, before removing any devices that may have access. A screenshot of the account and the unknown device’s information can be helpful.
I Have My Spouse’s Device, Can You Give Me Information From it?
Generally, the answer is no. It will depend on the local laws of your jurisdiction, and it is always best to consult with an attorney on the legality of the request. Usually, any data or a device that is protected by a password is off limits without the party’s authorization or a court order,
Most examiners are familiar with this question and will maintain that a court order or written permission from the device owner is needed to turn over data from a device that is not used by the person providing the device, or that has a password unknown to that person.
We often see this with smart phones and personal email accounts. Sometimes it is possible to preserve the data from the device or account, but generally with email and cellphones, credentials are needed to even start the preservation process. Examiners can’t do much with a smart phone that cannot be unlocked or an email account that cannot be logged into with the account credentials.
Family law cases can contain a trove of data, and without consulting with a digital forensic examiner, you could be missing critical data for your case. Information such as messages, calls, emails, browser history, and location data are becoming more and more prominent in family law matters. Most people carry a smartphone with them everywhere they go – having it within arm’s reach 24/7.