By Anthony Diosdi
Whether criminal or civil, digital evidence impacts just about all areas of the legal profession. This article is designed to provide attorneys and other legal professionals with an overview on how to obtain phone, social media, and other records. Hopefully this article will educate its readers on how digital evidence may be obtained from computers, cell phones, and social media platforms. This article will also discuss the proper forensic practices to preserve digital evidence.
Creating and Storing Digital Evidence
We will begin this article by talking about the creation of digital data or evidence and where digital data is stored. Digital data is created whenever someone sends an email, drafts a document on a computer or a portable device, makes a call on a smartphone, posts on social media, surfs the internet, or uses a global positioning unit to find an address. These are just some examples as to how digital evidence is created.
In the not too distant past, digital data could only be found on personal computers, floppy disks, or cassette tapes. As technology changed, so did the growth in storage options for digital data. Today digital data can be stored on memory sticks, hard drives, cell phones, network attached storage devices, game consoles, media players, hard drives, and the internet cloud.
Defining Digital Forensics
Digital forensics is the process of identifying, preserving, examining, and analyzing the digital evidence by validating the procedures and its final representation of that digital evidence in court. It is a method of discovering proofs from digital media like a personal computer, cellular devices, servers, or networks. Digital evidence follows a pattern where each case is first identified then preserved to analyze to document in court. Digital forensics involves the following steps:
The first step in the process is to identify the evidence, where the evidence is preserved, and then the way it is stored.
In this process, the evidence is stored in an isolated and secure place.
In this phase, the inspection of the digital evidence will take place.
In this stage, the digital evidence is documented.
In this final step, the digital evidence is summarized and explained and a conclusion is drawn.
Foundations of Digital Forensics: Best Practices
Over the years, guidelines for the best practices in analyzing digital forensics have developed. The guidelines for the analysis of digital forensics were initially developed by the National Institute of Justice, Association of the Chiefs of Police, the government, academics, and practitioners. These organizations set the minimum standards to be applied when collecting and preserving digital evidence. Eventually, certifications for practitioners in this field were developed. These cCertifications for persons in the field include EnCase Certified Examiner (“ENCE”), the Computer Certified Examiner (“CCE”), the Access Certified Examiner (“ACE”), the Computer Forensics Certified Examiner (“CFCE”), and the GIAC Certified Forensic Analyst (GCFA).
The Need for Expert and Expert Testimony
Digital evidence and digital forensics encompasses matters of scientific, technical or other specialized concerns which are beyond the comprehension of most people. Digital evidence and digital forensics is also beyond the comprehension of most courts. Consequently, an expert witness with special training or knowledge in digital evidence or digital forensics must typically be selected attorneys in cases involving digital evidence and/or digital forensics.
The expert will ultimately need to establish the logical relenancy of the scientific evidence of the digital evidence is logically relevant with the actual events associated with the dispositive issues before the court. Most jurisdictions apply the normal test for logical relevancy- does existence of the evidence make the factual proposition to be proved more likely than if the evidence did not exist.
In order to assess the logical relevancy of scientific evidence, the proponent must establish:
1) The scientific foundation for the evidence; and
2) the degree of acceptance in the relevant scientific community.
The lawyer utilizing a digital forensic expert must establish a foundation that the procedures used by the expert were performed in accordance with the accepted standards of the scientific field being applied. Besides showing that proper procedures were followed, the trial judge must determine that the validity and reliability of those procedures, even when properly applied, are accepted by the experts knowledgeable in the digital evidence or digital forensic field. The modern trend, followed by the majority of jurisdictions, is to regard as suitable for judicial use scientific principles and procedures accepted by experts in the relevant field. When the recognition of scientific principles is widespread, the judge may take judicial notice of the validity of the procedures involved.
A majority of the Supreme Court held in Daubert v. Merrell Dow Pharmaceuticals, Inc (1993), that the restrictive Frye test (discussed below) had not been adopted when the Federal Rules were promulgated. Federal Rule of Evidence 702 governs admissibility of scientific evidence, and does not impose a prerequisite of general acceptance. Faced with expert scientific testimony from a digital expert or digital forensic expert, a federal trial court must determine, using a flexible approach, that the expert’s testimony will be “scientific knowledge.” “Scientific” means grounded in the methods and procedures of science; “knowledge” connotes more than subjective belief or unsupported speculation. Factors a court may consider include:
1) Whether the scientific knowledge has been tested;
2) Whether it has been subjected to peer review and publication;
3) What is the evidence’s known rate of error; and
4) Whether the evidence has a particular degree of acceptance in the relevant community.
A minority of states such as California still adhere to the Frye test, which accepts as relevant only those scientific principles which have gained general acceptance among the authorities in the applicable field.
Regardless of whether a court applies the Daubert v. Merrell Dow Pharmaceuticals, Inc or Frye test, the trial judge makes the initial decision as to whether a particular witness is qualified to testify as an expert.
We will now discuss how digital evidence can be obtained from a computer through forensics. Computer forensics deals with the preservation, identification, extraction, and documentation of computer evidence. Computer forensics investigations take advantage of the way computers store and retrieve data. Relevant computer data usually includes information stored in files on a hard drive, as well as information in files that were “erased” from the hard drive. Computer forensics also takes advantage of the way personal computers operate, and the temporary and/or permanent information recorded by the operating system during normal operations. During normal operation, a Windows System on a personal computer will record data identifying thumb drives that were connected to a computer, the date and time a file was last accessed or modified, Internet searches, Internet websites visited, email read or sent or sent using the computer, and computer programs that were installed or used on the computer.
Beginning with the Windows 2000 operating systems, Microsoft introduced the thumbnail cache. The thumbnail cache assists the computer user in reviewing a large number of images at once by taking the full-sized images and making miniature representations of them. Instead of having to look at each image individually within a folder to find a particular picture you are looking for, the thumbnail cache displays all the images at once as “thumbnail”-sized pictures. The thumbnail cache also speeds up how quickly pictures will display; it reduces the load time of images because the smaller thumbnail images no longer have to be recalculated every time they are accessed by a user, unlike the original images. Courts have held that electronic data, including forensic imaging of hard drives, is within the scope of discoverable material.
Computer Forensic Evidence
One of the foundations of digital forensics is data recovery. Anyone attempting to delete data from a computer’s hard drive should understand that erasing digital data from a computer’s harddrive is difficult. A computer forensic expert can analyze a forensic image of a storage device to determine what was stored on the device, what files were accessed, and when the files were last accessed or modified. In addition, a forensic image of a computer’s hard drive includes data from which an investigator can determine what peripheral devices have been connected to the computer.
The Recycle Bin
In Windows, a recycle bin is a folder or directory where deleted items are temporarily stored. Deleted files are not permanently removed from the hard drive but are sent instead to the Recycle Bin, unless they are too large. The files in the Recycle Bin can be restored to their original location. They cannot be used directly while they are in the Recycle Bin. The Recycle Bin comes in handy when an item has been accidentally deleted. When a file is deleted, the system does not actually remove it from the system; it sends it instead to the Recycle Bin where it can be restored if necessary. If a file is deleted from the Recycle Bin, it is permanently deleted and cannot be recovered.
Consequently, when a file is deleted in Windows, the file is normally only moved from the folder where it was previously located to the Recycle Bin. The file is not actually deleted, and the space where the file is physically located on the hard disk continues to be regarded as used space that cannot be overwritten by the operating system. If a hard drive does not have sufficient storage space to store a large file without emptying the Recycle Bin, the operating system will report to the user that the disk has insufficient space to store the file. In addition, a file in the Recycle Bin cannot be opened or used. Thus, a file moved to the Recycle Bin is actually preserved, cannot be used or opened, and can later be completely restored.
Unallocated Storage Space
When a file is permanently deleted by a user, for example when the Recycle Bin is emptied, the data contained on a hard drive is not actually erased. All that Windows does is to designate that space on a hard drive as unallocated space, (and to mark the directory entry for the file as deleted). The next time that a file needs to be saved on the hard drive, some part of unallocated space will be used to store the electronic data. Whatever old data may be contained in the space used to record the new file will be overwritten by the electronic data for the new file.
However, until the storage space on the hard drive is reused, and the old data has not been overwritten, the electronic data can be recovered in a forensic examination of the hard drive. A forensic examination of unallocated space on a hard drive will uncover files and data that were once stored on the hard drive, and then permanently deleted, as long as the space on the hard drive has not been overwritten.
Slack Storage Space
Slack space is the leftover storage that exists on a computer’s hard drive when a computer file does not need all the space it has been allocated by the operating system. The examination of slack space is an important aspect of computer forensics.
To understand why slack space plays an important role in computer forensics, one must first understand how data is stored on computers that have hard disk drives. Computers with hard disk drives store data in a sealed unit that contains a stack of circular, spinning disks called platters. Each platter is composed of logically defined spaces called sectors and by default, most operating systems sectors are configured to hold no more than 512 bytes of data. If a text file that is 400 bytes is saved to disk, the sector will have 112 bytes of extra space left over. When the computer’s hard drive is brand new, the space in a sector is not used- the slack space- is blank, but that changes as the computer gets used.
When a file is deleted, the operating system does not erase the file, it simply makes the sector the file occupied available for reallocation. Should a new file that is only 200 bytes be allocated to the original sector, the sector’s slack space will now contain 200 bytes of leftover data from the first file in addition to the original 112 bytes of extra space. That leftover data, which is called latent data or ambient data, can provide an expert or investigator with clues as to prior uses of the computer in question as well as leads for further inquiries. In 2016, for example, the Federal Bureau of Investigation (“FBI”) revealed that it had reviewed millions of email fragments that resided in the slack space of former Secretary of State Hillary Clinton’s personal servers in order to determine whether or not the servers have improperly stored or transmitted classified information.
Technically, a file’s slack space is the difference between its logical and physical size. The logical size of a file is determined by the file’s actual size of a file is determined by the number of sectors that are allocated to the file.
In other words, each time a file is recorded, a sheet of paper is selected from the stack and used to store the file. If a file does not completely fill up the page, the remaining space on the sheet of paper will not be used to store any other file, because it cannot be addressed by the operating system. If the remainder of that page has something recorded on it from a previous file, the information written on the piece of paper still exists and can be found by a forensic expert. For example, let’s assume a plaintiff’s attorney wants to know whether a departing employee copied a large database containing trade secret information onto his company owned laptop so he could take it home and secretly copy it onto another storage device. And in this hypothetical example, assume the departing employee deleted the large database after he copied it, and then copied a large number of small files onto the hard drive in order to overwrite the deleted file. An analysis of a forensic image of the hard drive in question could include a search for unique file fragments of the database. File fragments that uniquely correspond to the database may be found in slack space even when the employee saved a large number of smaller files on the hard drive after the database was deleted.
Metadata is data that provides information about other data, but not the content of the data, such as the text of a message or the image itself. The information stored within metadata can be used to build timelines and so much more. Metadata can shed light on a particular issue in a case, or it can be the turning point altogether. In many cases, tiny snippets of metadata can change how entire sequences of events are interesting. However, a word of caution about metadata: Metadata alone, like any other snippet of digital evidence, is rarely enough to “prove” something. Nearly all digital evidence requires some type of corroboration through a combination of evidence, electronic or otherwise. The purpose of metadata is to store information about other data. This can help with the organization and retrieval of data.
An example of document metadata as evidence is involving a “C” student who submitted an excellent term paper to a university professor. The professor did not believe that the student could have written the paper and accused the student of purchasing the term paper online. Upon further review of the metadata, it was determined that the term paper was written over a period of several weeks, including 50 editing sessions. It was also determined that it took over 800 minutes to draft the term paper. In this case, metadata evidence could be used to establish that the student drafted the term paper. In general, metadata is relevant when the process by which a document was created is in issue or there are questions concerning a document’s authenticity; metadata may reveal when a document was created, how many times it was edited, when it was edited and the nature of the edits.” See Kingsway Financial Services, Inc. v. PricewaterhouseCoopers, LLP, 2008 WL 5423316, at *6 (S.D.N.Y. 2008).
A Computer’s Internal Clock
A computer contains an internal clock that provides a date and time. This clock is accessible by the computer’s user, and can be readily set to any date and time chosen by the user. A user is asked to set the date and time for the computer’s internal clock when Windows is started for the first time. The user may also select the time zone. If configured properly, Windows can automatically adjust the computer’s clock for daylight saving time. A user can, at any time, change the date and time set for the computer’s internal clock. Windows uses the computer’s internal clock to record three dates for each file, i.e., a “date created,” a “date accessed,” and a “date modified.” If a computer’s internal clock is set incorrectly, the date and time of the files contained in the forensic image will be incorrect. Normally, the data recorded by the operating system will be offset from the correct time by the same amount that the computer’s internal clock is in error. Therefore, the dates provided by a forensic examination of a hard drive cannot be immediately assumed to be accurate. In most cases, the dates need to be verified or otherwise authenticated before the recorded dates are relied upon to establish the time that the associated events actually took place.
The “date created” is the date the specific copy of the file contained at that location on the hard drive was created. Different copies of the same file can have different dates recorded for “date created.” For example, if a file is opened and then saved with a new file name, the “date created” for the file with the new name will be the date it was saved with the new file name, even though the contents of the file may otherwise be identical to the original file that was opened. In this example, the original file will have a different “date created,” which will be the date that the original file was first stored on the hard drive.
The modified date is the date a file was edited, altered, or changed. For example, if a Word file is opened, the document is edited, and then resaved, this will change the “data modified” for that file. When the “date modified” is changed, the previous date that had been recorded for the “date modified” is lost. Therefore, the “date modified” is more accurately the date the file was last modified. The document contents need not be changed in order for the “date modified” to be changed. If metadata saved with the file is changed, then the “date modified” will be changed for that file. If the properties of a Word document are changed to change the author, and the file is saved, the “date modified” will be changed. If a flexible image transport system or (“FITS”) image file is opened, and the information in the fits header is changed, the “date modified” will be changed even though the fits image itself was not changed. Interestingly, a file can have a “date created” that is a later date for the “date modified,” suggesting that something was modified before it was created. Thus, it is important to understand the significance of the “date created” and the “date modified” values, because it is not that uncommon for a file to have a “date created” that is a later date for the “date modified.” This may happen if a file is copied to the hard drive from external media. The new copy of the file on the hard drive will have as its “date created” the date that the file was copied onto the hard drive. The “date modified” will usually not be changed when the file is copied.
The date accessed is the last date a program was run (or executed) or a file was looked at without being changed. The “date accessed” is sometimes used as evidence to support an inference that a file was copied. If a departing employee used Windows Explorer to copy several files containing proprietary information, a forensic examination of a hard drive may show that the files in question were sequentially accessed only a few seconds apart. If you are the plaintiff for the company accusing the employee of copying files, you may argue that sequential access times for a large number of files containing proprietary information supports an inference that the files were copied by the ex-employee before he or she left the company. If you are the attorney for the employee, it is important to know the many other computer actions that also change the “date accessed,” in addition to copying the file.
Dates for Files in the Recycle Bin
Files moved to the Recycle Bin have a “date created,” a “date accessed,” and a “date modified.” A file cannot be opened while it is in the Recycle Bin. Thus, no one can accuse a defendant of using or “accessing” a file during the time that the file was in the Recycle Bin. However, Windows maintains a record for the Recycle Bin that shows every file that was permanently deleted from the Recycle Bin in this manner, every file that was moved into the Recycle Bin, and every file that was restored from the Recycle Bin, since the date and time that the Recycle Bin was last emptied. Once the Recycle Bin is emptied, this record is lost, and Windows creates a new record for the Recycle Bin from that time forward. A forensic examination will show the date and time when the Recycle Bin was last emptied, and will reveal the files that were contained in the Recycle Bin at any time subsequent to the last time it was emptied.
CRC and Hash Values
As indicated earlier, the most commonly used computer forensic software package is EnCase Forensic. The integrity of the EnCase evidence file is protected by a hash value (a hash value is a numeric value of a fixed length that uniquely identifies data) that is generated when the forensic image is created. The hash value that is generated represents a unique identifier for the data contained in the evidence file or forensic image. If anyone attempted to alter the data contained in the evidence file, the hash value for the altered evidence file would not be the same as the hash value that was generated for the original unaltered evidence file. Any time that the hash value of a suspect copy of an evidence file does not exactly match the hash value generated for the original evidence file, the suspect evidence file should be deemed to be unreliable and inadmissible because something in the data has been altered.
A write blocker is a hardware device used to prevent any changes to a hard drive, while at the same time allowing a forensic investigator to read from the device. When a hard drive is imaged, it is imperative that a write blocker is used when connection is made to the hard drive during the imaging process. The write blocker allows a forensic expert to create a forensic image of the contents of the hard drive without altering the data in any way during the process. It is virtually impossible to alter the data in a forensic image made with EnCase software without such alteration being easily detected.
The registry files contained on a Windows program should be included in any computer forensic examination. The registry is a database that contains the hardware and software settings for a Windows computer. When a software program is installed, entries are made for that software in the registry files. More importantly, when a thumb drive is connected to a computer, or any other hardware containing storage media is connected, entries are made in the registry files. Windows stores information in the registry files that identifies every thumb drive or external storage device connected to the computer’s USB ports. Windows records a serial number and other information specifically identifying a plug-and-play device that was connected to a USB port. For example, when a thumb drive is connected to a computer, a thumb drive iSerial number may be recorded that is unique to a particular thumb drive. The recorded data includes the date and time that the device was last plugged into the computer. The registry files will usually identify the devices that were connected or attached to the computer. A forensic image of each such device may be performed to locate relevant electronic data that may be stored on them, as well as data that may have been stored on them and then deleted.
If a person copies files onto a thumb drive, and then opens the copy on the thumb drive (e.g., to make sure the file was copied correctly), Windows creates a shortcut to the original file, and the shortcut is stored as a “lnk” file. The “lnk” shortcut file is stored and it remains on the computer after the file is closed and the thumb drive is removed. Embedded within a shortcut file is information such as the date and time of the target file that the shortcut points to, and the volume label of the storage device. In an appropriate case, a “lnk” file may be solid evidence that a file was copied onto the thumb drive.
Email and Digital Forensics
Modern litigation commonly involves the production of email messages. It has become a common form of communication. Sometimes people say things in an email message that they might not otherwise say in writing, because they assume that electronic communications are ephemeral things that disappear without a trace. Just the opposite is true. Numerous copies of an email message are often stored in multiple locations, and copies of email messages are often preserved on the sender’s email server, on back-up tapes for the sender’s computer system, on the recipient’s computer, on the recipient’s email server (if the recipient is outside the company), and on back-up tapes for the recipient’s computer system. A copy of a sent email message is often included in a reply email message, and in a reply to the reply, and so forth, until copies of the same email message may be multiplied many times and can be found in scores of emails. In addition, an email message may be forwarded to others, which also may create additional copies of the email message.
Most companies use a centralized email server. The logs on that email server can record what email is sent or received by anyone using the system, even if the information was deleted via Outlook right after it was sent. Even when a message is deleted, the actual contents of the messages (such as file attachments) may still be stored on the server. Microsoft Exchange comes with an option that retains messages on the server or on backup media for a few days – even after emptying the deleted items – as an emergency recovery capability. In addition, email messages may be preserved on back-up tapes of the centralized email server. For example, if a message was sent on Monday and then deleted on Tuesday, the Monday night backup will still have a copy of the message – until the backup is over-written or erased. Microsoft Outlook creates a “pst” file, which is a data file where electronic copies of email generated by Outlook are stored on a hard drive. In some cases, parties seeking discovery have been successful in compelling an adversary to produce electronic “pst” files. See Optowave Co. v. Nikitin, No. 6:05-cv-1803-Orl-22DAB, 2006 WL 3231422, at *9 (M.D. Fla. 2006) (compelling production of “pst” file containing email). Emails commonly include attachments. Attachments to email messages must also be produced when production of the email is required. See United States v. New York Metropolitan Transportation Authority, No. CV-2004-4237(SLT)(MDG), 2006 WL 3833120, at *3 (E.D.N.Y. Dec. 29, 2006) (“attachments must be produced.”); CP Solutions PTE, Ltd. v. General Electric Co., No. 3:04cv2150(JBA)(WIG), 2006 WL 1272615, at *4 (D. Conn. Feb. 6, 2006) (“Attachments should have been produced with their corresponding emails.).
We will now discuss the application of forensic digital evidence to cellular phones. Cellular phones are essentially small computers. The amount of information that one is capable of containing is staggering. They can contain text messages, emails. Social media information, voicemails, chat logs, photos, and videos just as computers do.
It is important to remember that cell phones do not operate in the same way as computers do. When a cell phone is powered on and has service, it is constantly receiving new data. On modern cell phones, there is a constant stream of data such as phone calls, text messages, email, and social media updates, along with pushed data from various other applications.
Depending on the make and model of the phone and whether or not supplemental storage is installed on the phone, many cell phones can store only a limited amount of information, which means that as new data is received on your phone, the oldest data is being deleted. In other cases, cell phones can interface with a computer in order to transfer data and create backup files. This can be an excellent source of evidence. For example, backup files for an iPhone can contain almost all of the data that exists on the phone. An iPhone backup contains both deleted and existing text messages and emails.
Cell Phone Evidence
Like all digital evidence, the data on cell phones must be protected from being changed or destroyed during the examination process that can occur if the cell phone is allowed to connect to a cellular network. Obtaining digital evidence from a cell phone is different from obtaining digital evidence from a personal computer. Unlike a personal computer, a cell phone must be isolated from all networks to prevent the phone from sending or receiving information. This is done through a Faraday bag. A Faraday bag blocks radio signals from reaching the phone. There are three types of forensic acquisition or collection methods for cellular phones: logical, physical, and/or manual. Depending on the type of acquisition performed on a cell phone, the amount and type of evidence that can be collected will vary due to the limitations that can be imposed by the method being used.
Sometimes attorneys will need to obtain cellular phone information. But, call detail records in and of themselves provide minimal information. This is because the call detail records are for the purposes of financial transactions such as generating bills to the subscriber. However, when call detail records are needed for the purpose of evidence such as the whereabouts of an individuals. This may be extremely important in a criminal case to establish an alibi or the whereabouts of someone. In such a case, an attorney should not only subpoena call records, the location of the cell phone on a particular date. A subpoena to a cell phone provider should include the following information:
We request the following information providing cell phone communications for cell phone numbers 000-000-0000 for the period of time between 9:00 AM and 9:00 PM on July 23, 2022.
Any information included but not limited to:
1. Subscriber information for the above listed numbers, not limited to financially responsible parties, billing address, features and services, and equipment.
2. All call originations, call terminations, call attempts, voice communications.
3. All stored browser cache information.
4. Beginning and ending cell phone tower identifiers for each cell phone tower/cell site location information including latitude and longitude for the coverage area, specifically location information including latitude and longitude for the coverage area, specifically for city, state, for the time period requested.
5. Central office identifiers for the area of coverage for the time period requested.
6. All connection attempts including completed and failed connections and call duration times to one one-hundredth of a second.
7. A complete table of cell towers/cell site information for all cell towers/cell sites in the service area. This will include cell tower location information, cell tower/cell site designation information for each tower/site, and date of service termination for each tower/site.
8. A detail of the coverage radius and configuration of the cell towers/sites as of the time period requested.
9. A radio Frequency Plan map for the service area for the phone numbers for the time period requested.
10. Originating and receiving phone numbers or network IDs for all incoming and outgoing call transactions, data transactions, and push-to-talk sessions.
11. Date and time information for all transactions to one one-hundredth of a second.
12. A legend and definition for any and all abbreviations used in the reports provided.
13. Any information regarding roaming agreements and other carries in the area that were in effect as of the time period requested.
14. Any information regarding default or pushed to phone preferred roaming lists in effect for the time period requested and for six months leading up to the time period requested.
15. Any trouble tickets within the area designated herein for the dates and times designated herein.
16. Any stored handset identification data for any cell phones related to the call detail records.
See Digital Forensics for Legal Professionals, Understanding Digital Evidence from the Warrant to the Courtroom, Larry E. Daniel and Lars E. Daniel (2012).
Common Forms of Social Networking (Social Media)
There are more ways for people to connect with one another than ever before. The widespread use of social media outlets such as Facebook, Instagram, Twitter, and LinkedIn ultimately means that evidence is being created, and is often available right in the open. However, many cases will require that an attorney obtain more information than is available in the open on public profiles, such as the Internet address of the computer that created or updated a webpost, or a Facebook profile blog post. To get this information an attorney will need to subpoena the custodian of the social media service.
In order to obtain information from social media services via a subpoena, an attorney will need to gather and send to them the information they need to identify the information being requested.
For example, in order for Facebook to comply with a subpoena request, they must have the information they need to identify the profile. Profile identification can be in either of two forms, either a numeric ID or an alpha ID chosen by the Facebook user. It looks like this https://www.facebook.com/username. The part after the forward slash [/] at the end of the web address is the actual profile ID. To locate these IDs, you only need to be able to find the user’s profile on Facebook, or they can be gathered from the Internet cache on the user’s hard drive. Even if the person is not sharing their profile with the public, you can still see their profile ID in the web address in the browser if you can locate the profile on Facebook.
The attorney will need to include the period of activity he or she is interested in having Facebook retrieve, as this will assist in getting back information more quickly. Also, any other identifying information the attorney can supply can assist with locating and retrieving the online records, including birth date, email addresses that may be associated with the account, and the person’s name.
Any subpoena to Facebook (or other social media sites) should include the following:
1. For Facebook user account identified by the Facebook ID http://.facebook.com/user.name, birth date of June 20, 1988, with the following email addresses that may be connected to the Facebook user account firstname.lastname@example.org, email@example.com.
2. For the period January 1, 2021 through January 1, 2022.
a. All activity for the user account including wall posts, chat logs, profile and album pictures, friend lists, and profile pages.
b. Original creation date of the user account and profile.
c. A log of all IP addresses used to access the account with date and time for each access and including the address of the connecting computer for each connection.
See Digital Forensics for Legal Professionals, Understanding Digital Evidence from the Warrant to the Courtroom, Larry E. Daniel and Lars E. Daniel (2012).
Sometimes an attorney will need to obtain information regarding a blogger that uses a google platform in a demational or other related case. In order to subpoena Google for information about blog, the following information should be obtained before issuing the subpoena:
1. The web address of the blog.
2. The internal ID of the blog. This is found in the source content of the page from the blog.
3. The date, time of blog post and the individual post ID.
The subpoena should include the following:
1. This is a request for historical records, including the originating Internet Protocol (IP) address for the creation of the blog, http://nameof theblog, identified by Google Blog ID:
2. This request is for the timeframe beginning 1 May 2020 or beginning upon the creation date of the blog and continuing through 30 July 2021.
a. We specifically request the dates, times, and originating IP addresses for any actions by the author of the blog, http://nameoftheblog.blogspot.com, identified by Google Blog ID: 123, further identified by Blogger Profile ID, http//www.blogger.com/profile/123, including the blog creation, and any posting activity, any post editing activity, and/or any activity requiring that the blogger “log in” as the owner of the blog for any purpose.
b. We specifically request the date, time, and originating IP address for the blog post identified as post ID=123, including the original posting and the IP address of the connections for any subsequent edits of this post.
c. We request any user-provided identification, such as the blog owner’s e-mail address used when creating the blog http://nameoftheblog.blogspot.com, identified as Google blog ID= 124 and Blogger Profile ID: 123.
d. Attached to this subpoena is a copy of the blog text as captured from the Google Blogger website for this blog.
See Digital Forensics for Legal Professionals, Understanding Digital Evidence from the Warrant to the Courtroom, Larry E. Daniel and Lars E. Daniel (2012).
Many companies cite the Stored Communication Act as a reason not to comply with a subpoena requesting information. The Stored Communication Act which is part of the Electronic Communications Privacy Act. It is codified as 18 United States Code, Subsections 2701 to 2712. The Stored Communications Act prohibits entities that provide electronic communication services from divulging contents of communications that are in their electronic storage. The Stored Communications Act makes no mention of its protection applying to information requests from non government agencies. In many cases the Stored Communications Act should not prevent a company from complying with a properly drafted subpoena.
Anthony Diosdi is tax attorney at Diosdi Ching & Liu, LLP. He focuses his practice in civil and criminal tax controversies and the defense of white-collar criminal cases. His experience covers a broad range of engagements at all stages of the IRS administrative process, including assisting with audits and representing clients at Appeals, as well as litigation in the federal courts. He has also represented clients in all aspects of grand jury investigations, including the production of information, witness preparation, and pre-indictment presentations to the Department of Justice accused of white-collar crimes. Anthony is a member of the California and Florida bars. He can be reached at 415-318-3990 or firstname.lastname@example.org.
This article is not legal or tax advice. If you are in need of legal or tax advice, you should immediately consult a licensed attorney.