Digital Evidence Discovery

Digital evidence is now a large part of civil, family, and criminal law, and its importance is only going to increase as we all add online content and devices into our lives. This article will go through key points of discovery review, analysis, and proper collection of digital evidence and will also touch on the challenges of privacy concerns.


Discovery that is sent to an attorney can be filled with technical details from digital forensic tools and sometimes very complex technical issues. An attorney can make use of a digital forensic expert for guidance in understanding the digital evidence referred to in the files.

A digital forensic expert can put together what data has been collected, how it was collected and what conclusions may have already been drawn by opposing counsel. This information can be presented clearly for an attorney so that they understand what will likely be presented and what the steps were in their process.

For example, a criminal defense attorney has a case where there was inappropriate activity in an online chat. Discovery arrives from the District Attorney and is filled with subpoena responses and technical details. A forensic expert may interpret and distill the evidence to lay out the following chain of events to clarify how law enforcement came to knock on the client’s door:

I. Law enforcement subpoenas website used for chatting with a suspect’s username.
II. Chat website responds with email address used to register for that account.
III. Law enforcement subpoenas email provider with the email address.
IV. Email provider responds with the IP address of the user logging into that mail account.
V. The IP address is found to belong to a specific Internet Service Provider.VI. Internet service provider responds to subpoena with subscriber’s name that used that IP address.

If in that example the subscriber’s name is the attorney’s client, then it can initially look quite incriminating. We see many examples of conclusions being drawn from this kind of evidence, however there are often important gaps in the chain of events.

In the above case the IP Address data only points to the home’s Wi-Fi router. Anyone using the subscriber’s router to access the chat website would have left the same evidence as being presented by the District Attorney. The missing steps in this case would be:

a) what device connected to the router and went to the chat website,
b) who was using that device at the time of the incident, and
c) was it collected by law enforcement.

These gaps are key and bring us on to the next section.


Once discovery has been reviewed, it can be used as a guide along with the other details of the case as to how the other side will present their case and what their narrative may be. It is then up to the attorney to think about their own narrative and key points and consult with the digital forensic expert as to what additional evidence can be found.



Digital devices have many different forms of text-based communications. These vary from the basic SMS message through to the latest chat applications being released almost daily. With forensic collection of a cellphone an expert can produce the messages for the attorney to search and review. This production can also include deleted messages and conversations that the expert was able to recover. The digital forensic expert should attempt recovery of deleted messages using techniques to search the raw code and not rely solely on the forensic tools to recover the data. The messages should be presented clearly for use in court and show the definitive timestamps associated with each message.

Some chat applications such as WhatsApp state that they have ‘End to End Encryption’ which implies that there may be difficulty collecting this data. This is not the case however as the encryption only prevents interception of the data and the messages are saved on the cellphone without encryption.

Snapchat is a chat application where messages and media can be sent and then disappear after a stated time. Unfortunately, this application has gone to great lengths to prevent traces being left on the cellphone after they are viewed and disappear. Data is also deleted from the Snap Inc. servers so legal requests are unlikely to provide useful evidence. The only data we have historically been able to use is the snapchat contacts that can be recovered. The list of contact usernames or ‘handles’ can be used to show that two parties possibly knew each other. In addition to that, there have been times where the user has either screenshot manually to preserve the photos or messages they have received or they have downloaded specific applications designed to automatically save shared photos or videos.

Activity and Frame of Mind

Social Media data can show not only what a person was doing at a specific time, e.g. Looking at posts, posting photos etc. but also can be used to show a relationship between two people. Whether the attorney wants to show that two people hated each other, loved each other, or even just knew each other, social media is a good place to start.

For information about what a person was doing over a certain timeframe, the cellphone can hold key evidence. Parties of the case will likely have been carrying and using a cellphone during key timeframes and the data can be forensically collected and analyzed to show what activity occurred. In cases of vehicular accidents or injuries at work just confirmation of the use of the cellphone itself may be enough. But activity can be broken down into detail even to a point where it can show frame of mind during that timeframe. For example, a person who is in fear of their life is unlikely to download a mobile video game at that time or send a sweet message to someone with laughing emojis.

The expert can produce the cellphone activity in chronological order as a timeline. The image below is a snapshot of a typical cellphone timeline.

A good example of this kind of analysis being used effectively is in the case against Tony Scott Cercy. In this sexual assault case, the defendant had stated under oath that he was asleep during the key timeframe. Digital forensic experts examined his cellphone and the activity within the timeframe contradicted his testimony and showed he must have been awake. 

Location -on phone

Proving that a person was somewhere or wasn’t somewhere can be a key part of many cases and digital data can provide useful evidence in this regard. A cellphone can store location information within its navigation apps data showing routes and journeys along with the timing of those trips. Image or Video files on the cellphone can also store location information in what is called ‘metadata’. This is data about the image or video that is embedded in the file such as the time it was created, what type of camera was used and in some cases longitude and latitude coordinates.

In addition to navigation and metadata, another source of location information can be found in Wi-Fi Network data stored on the phone. This should contain details of Wi-Fi networks that the cellphone has been connected to, along with a last connected timestamp. As with the examples in the image below, some of the records are identifiable locations such as the Holiday Inn Express etc.

Location – in cloud

Online sources of data can also show location information such as Google’s Timeline feature. The image below shows the extensive information that can be gathered should this be an active feature of the persons Google account.

Location – Cell Site Data

Cell site data is commonly collected and used for location evidence and a Digital Forensic expert can help map these locations that the cell network has provided. The location data comes in two key forms, the first being GPS data that’s collected by the provider consisting of a longitude, latitude coordinate and a degree of accuracy as to that location.

For example:

Connection DateConnection Time (GMT)LongitudeLatitudeLocation Accuracy
2019-08-1400:44:13-121.27167838.768428Location accuracy likely better than 100 meters

The second form is based on cellphone activity such as sending or receiving a call or SMS message. This will show which section of which cell tower was used to process that activity.

This second form of data is always provided with the caveat that it is not to be used for location purposes. This is put on this data because sporadically due to high traffic the cell network can use other tower sectors to process a call or SMS message. It can be argued that although one single data point cannot be relied on, a mapping of multiple points over a short timespan can be used with a high degree of surety. Many factors come into play with cell tower location evidence, necessitating expert review before accepting conclusions.


Digital evidence is extremely volatile and can be corrupted or lost very easily. It is of the utmost importance that evidence is secured, collected and preserved at the earliest possibility.  In addition to the danger of it being lost before collection, improper collection may result in inadmissibility and even inadvertent destruction of key data. As we mentioned before in the section covering location data, files have information embedded in them called metadata. This data also stores the dates and times of creation, access and modification. This can provide key evidence in cases and non-forensic collection can change this data damaging the evidence.

Special tools and training are needed to collect computer and cellphone data in such a way as to preserve the integrity of any evidence in that data. Trained professionals should create what is called a ‘forensic image’ of the computer or server. This forensic image is an exact copy of the data on those devices and can be used for analysis and accepted as ‘best evidence’ in court.

Cellphone data is collected via a digital forensic extraction. This can be a technical process that collects the data from the phone to the computer. There is a large amount of information that the cellphone stores but does not display which is key to collect and why cellphone screenshots should not be used.

We recently testified to challenge a video that was submitted of someone browsing an iPhones chat conversation and showing in the video the contact name and number that was being chatted to. This video was offered to prove inappropriate conduct by one of the chat participants. In order to challenge this evidence, we produced a demonstrative video illustrating that it was possible to fake a chat conversation on a similar iPhone. The image below are some screenshots of the fake chat we produced.

The above-mentioned case highlights an issue in terms of how evidence is collected and presented in court. As in the video of the conversation shows, screenshots of digital data, videos showing browsing either of websites or cellphone evidence is far from ideal. These can be at best unverifiable and at worst manipulated to show incorrect activity or data.

In the case of State v. Kolanowski, (Wash: Court of Appeals, January 30, 2017) the defense intended to include digital evidence that showed that the alleged victim had Facebook activity during the crime which contradicted sworn testimony. Unfortunately, the defense used a screenshot that the State successfully argued lacked foundation. Metadata that could have been obtained during the collection was not obtained and the evidence was ruled inadmissible. This is the trend of courts recently when it comes to digital evidence.

It is important to know that many of the social media websites have specific computer code that allows trained specialists to download public data along with metadata to reinforce its integrity. Digital forensic experts can use these codes or ‘APIs’ as they are called to extract entire public profiles and preserve them for use in a case.


In order to retrieve all the relevant data from the cellphone including recovery of deleted data, a digital forensic expert must collect all possible data from the phone. They cannot select what data types to extract prior to the extraction without severely limiting the results. This can cause a flurry of objections from opposing counsel regarding irrelevant items, personal medical data and privileged attorney communications. In order to mitigate the objections and navigate this issue one method that’s proved consistently successful is to use specific protocols that act as a ‘Triangle Agreement’.

The Triangle Agreement is a document signed by the forensic team, the attorneys requesting the cellphone and opposing counsel. Its function is to ensure that only the forensic team sees the entirety of the cellphone data and below is breakdown of the steps involved:

  1. The forensic team performs the best possible extraction of data from the cellphone,
  2. This data is not reviewed until both sets of attorneys agree on search stipulations,
  3. Agreement is reached on what data is deemed relevant (e.g. Searches for terms, Specific timeframes, or specific datatypes such as communications),
  4. The forensic team uses the agreed upon search stipulations to filter and export relevant data from the cellphone extraction,
  5. The results are sent to opposing counsel for review,
  6. This review is given an agreed upon timeframe (e.g. two weeks),
  7. Opposing counsel send back comments on items that classify as privilege or irrelevant,
  8. The forensic team will remove those items before sending the remaining results to the requesting attorneys.