Tag Archives: digital forensics

Fourth Circuit Blesses Use of Forensic Image to Examine Data

The U.S Court of Appeals for the Fourth Circuit recently approved the use of a forensic “mirror” image of a laptop computer in order to examine its contents. While such use of a forensic image is common in the e-Discovery industry, this recent case represents formal approval by one of the most significant appellate courts in the United States, and is binding precedent upon trial courts in the Eastern District of Virginia.

U.S. v. Stanley, __ Fed. Appx. __, No. 12-4572, 2013 WL 3770713 (4th Cir. July 19, 2013), was a criminal case resulting from an investigation that uncovered child pornography on the defendant’s computer. During trial, the Government presented expert testimony of a law enforcement agent who specialized in computer forensics. During voir dire examination of the agent prior to qualification, the agent testified extensively about the process she used to examine the defendant’s laptop. She testified that she used a software program called “EnCase” to make a forensic image of the defendant’s laptop. She then examined the forensic image rather than the original laptop, according to the Fourth Circuit’s opinion, so as to avoid “risking damage to the original” data.

The agent then testified that her review of the forensic image uncovered a peer-to-peer file sharing progam called FrostWire, and that this program had been used to search for, download, and share child pornography. The Fourth Circuit’s opinion accepts without further comment that the data found in the forensic image is also present on the defendant’s original laptop, and that the defendant’s guilty verdict can be amply supported by the forensic image.

During voir dire of the agent, the defense unsuccessfully attempted to exclude her as an expert witness. The Fourth Circuit affirmed the agent’s qualification as an expert, noting that the district court acted well within the “wide bounds of its discretion” under the Fed. R. Evid. 702 and the Daubert analysis. The court also recognized that the “process of forensic data extraction requires specialized knowledge or skill conducive to expert testimony.” The court then went on to review the voir dire examination of the agent, noting that it was lengthy and included several rounds of cross-examination which covered the agent’s education, training, experience, knowledge of the forensic tools, procedures utilized, as well as “detailed explanations of her use of the forensic software in this particular case.” Finally, the court noted the agent’s testimony that the “forensic tools she used to examine the contents of [the defendant’s] laptop had been accepted as reliable procedures by her law enforcement agency.” Taken in total, the Fourth Circuit found this more than sufficient to support the agent’s qualification as an expert.

Practitioners can read Stanley as the Fourth Circuit’s affirmation of the use of forensic images in data preservation. Making a forensic image of a single laptop or desktop computer is relatively inexpensive, and many e-Discovery vendors can perform the operation within a single day and for an expense between $300 – $1,000. The vendor then usually provides a copy of the image to counsel on an external hard drive. Counsel can simply connect the hard drive to a desktop computer via a USB connection, and browse through the hard drive using normal Windows system tools. Counsel need not worry about altering the metadata of the forensic image during this review because the e-Discovery vendor will maintain a “master” image which can be reproduced multiple times in the future with unaltered metadata. Considering the relatively low-expense, an early forensic image of computer data should be made if there is any suggestion that the data will become evidence in court or produced in discovery.

Please note:  This blog/Web site is made available by the firm of Redmon, Peyton & Braswell, LLP (“RPB”) solely for educational purposes to provide general information about general legal principles and not to provide specific legal advice applicable to any particular circumstance. By using this blog/Web site, you understand that there is no attorney client relationship intended or formed between you and RPB. The blog/Web site should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.