FALL 2018: Digital Forensics in Family Law

by James Berriman, Esq., EnCE, CEO, Evidox Corporation

Introduction: Forensic Ediscovery vs Active-File Ediscovery

Forensic ediscovery is a subset of the larger field of electronic discovery. It is therefore helpful to begin by distinguishing forensic ediscovery from other forms of ediscovery.

Many cases do not involve digital forensics. Many, especially in the context of ordinary civil litigation, focus on traditional "active-file" ediscovery. This involves collecting, reviewing, and producing the relevant, active (non-deleted), user (non-system) digital files of the parties.

Such files are the electronic equivalent of hardcopy business records. They include emails, word-processed documents, spreadsheets, presentations, database reports, and media files. They comprise a party's correspondence, administrative records, financials, and the like.

Characteristics of Active-file Ediscovery. Active-file ediscovery, like traditional paper discovery, focuses on the substantive content on the face of each document: What are the representations made in this communication? What are the terms of this agreement? What are the amounts on this bank statement?

These determinations do not require technical expertise regarding the digital format of the document itself. They are based instead on the facial content readily apparent to the reader. They require only that the document be accessed and reviewed in the ordinary course.

The lawyer is fully capable of assessing the content of such documents to determine relevance, materiality, and significance. Although the lawyer might rely on ediscovery specialists to collect, process, and host the documents, and although the lawyer might use software tools to review the documents, the lawyer is still using traditional legal expertise and issue-spotting — not technical expertise — to assess their meaning.

Characteristics of Forensic Ediscovery. Forensic ediscovery, on the other hand, has a different goal and a different methodology. It is performed when you need to look behind the face of the documents to assess the circumstances of their existence or to assess the user's activities. Such circumstances might include:

  • Spoliation: Has relevant evidence been deleted? When? By whom? Can it be recovered?
  • Authenticity: Is this document authentic? Was it fabricated? Altered?
  • History: When was this file created? Last revised? Are there earlier versions?
  • Access: What network locations or accounts did the user access? What files?
  • Transmittal: Did this file travel? Was it copied to a memory key or external drive? Was it uploaded to a cloud repository? Attached to a webmail?
  • User Activity: What was the user doing with the computer at a certain date and time? What applications did the user install? What web sites did the user visit? What searches did the user run?

Forensic ediscovery answers these questions by looking at technical clues in the digital environment in which the evidence resides. It involves examining things like metadata (data about a file that does not appear on its face), system caches that contain "working copies" of old files, system logs and databases that preserve evidence of user activity, artifacts of deleted files and past disk activity, and other types of "under the hood" analysis. It involves ferreting out evidence that the ordinary user cannot see simply by looking at the facial content of the active user files.

These circumstances typically implicate the conduct — or misconduct — of the user. They show what a user did with the files, or did with the computer. Most lawyers cannot assess such forensic evidence unassisted.

Summary of Distinctions. The table below provides a summary of the major differences between active-file ediscovery and forensic ediscovery:

When Each Approach is Appropriate. If we make a rough analogy to traditional paper discovery, then active-file ediscovery is similar to looking through the client's file cabinets, desk drawers, and folders to find relevant business records. Forensic ediscovery, on the other hand, is more like looking through the user's wastebaskets or shred bins to piece together what has been lost or hidden, or dusting the documents for fingerprints to see who touched them. In sum:

  • Active-file ediscovery is part of virtually every litigation, since almost every case involves ordinary communications, financials, records, and other documentary evidence that has substantive facial relevance.
  • Forensic ediscovery, on the other hand, is used in cases that also involve issues of spoliation, authenticity, fabrication, or questions of user conduct or misconduct involving the computers or documents at issue.

Mobile Forensics. Cellphones and tablets are also amenable to forensic analysis. They typically do not store data the same way computer hard drives do, since mobile applications often store content as database entries rather than as freestanding files. Nevertheless, the data associated with each application is often recoverable and forensically useful. The data found on a cellphone or tablet may include:

  • Contacts. These contain the contact information associated with the various email addresses and telephone numbers on the phone.
  • Call logs. These show the datestamps, timestamps, durations, telephone numbers, and contact names associated with phone call activity.
  • Text messages. These show the full text of the user's incoming and outgoing text messages, along with datestamps, timestamps, telephone numbers, and the associated contact names.
  • Emails. Although a user's entire mailbox might not be stored or accessible on the cellphone, a log of recent emails is typically present showing dates, times, addresses, and other metadata.
  • Web artifacts. These include evidence of the user's web activity, which may include browser history, search history, and cookie data.
  • Connection data. These include the history and names of the WiFi locations that were accessed with the device.
  • Location data. Mobile devices can store location data. In addition, photos taken with mobile devices may contain embedded location coordinates.
  • Media files. These include the user's locally-stored photographs and videos.
  • Downloads. These include the files downloaded by the user.
  • Specific application data. This includes the data and history associated with the specific apps that the user has installed and used on the phone.
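
As an added illustration (not part of the original article and not any vendor's tooling), the Python sketch below shows what "content stored as database entries" means in practice: messages live as rows in a SQLite file, and an examiner hashes the working copy, opens it read-only, and converts the raw timestamps into a UTC timeline joined to contact names. The table layout, phone numbers, and message text are constructed for the example and do not reflect any real application's schema.

```python
import hashlib, os, sqlite3, tempfile
from datetime import datetime, timezone

def build_sample_store(path):
    """Create a constructed message store (hypothetical schema, not a real app's)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contacts(number TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, number TEXT,
                              direction TEXT, sent_epoch INTEGER, body TEXT);
        INSERT INTO contacts VALUES ('+15550100', 'Alex (constructed)');
        INSERT INTO messages VALUES
          (1, '+15550100', 'in',  1538400000, 'sample text one'),
          (2, '+15550199', 'in',  1538403600, 'sample text two'),
          (3, '+15550100', 'out', 1538407200, 'sample text three');
    """)
    con.commit()
    con.close()

def sha256_file(path):
    """Hash the evidence copy so any later change to it can be detected."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def message_timeline(path):
    """Open the store read-only and return messages ordered by time (UTC)."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute("""
            SELECT m.sent_epoch, m.direction, m.number,
                   COALESCE(c.name, '(no contact entry)'), m.body
            FROM messages m LEFT JOIN contacts c ON c.number = m.number
            ORDER BY m.sent_epoch""").fetchall()
    finally:
        con.close()
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), d, n, name, body)
            for ts, d, n, name, body in rows]

def examine_sample():
    """Build the sample, hash it, read it, and confirm the file was not altered."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_store(path)
        before = sha256_file(path)
        timeline = message_timeline(path)
        unchanged = sha256_file(path) == before
    return timeline, unchanged

if __name__ == "__main__":
    timeline, unchanged = examine_sample()
    for row in timeline:
        print(row)
    print("evidence file unchanged:", unchanged)
```

The timestamps are stored as seconds since 1970 and mean nothing on their face; the conversion step and the before/after hash comparison are what make the resulting timeline presentable as evidence.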

Online (Cloud-Based) Repositories. Another potential source of digital evidence can be found in online repositories. These include webmail accounts, social media sites, Dropbox and Google Docs repositories, and the like.

Family Law Scenarios for Forensic Ediscovery

In the specific context of family law, forensic ediscovery can be useful in a number of scenarios. Several of these are summarized as examples below:

  • Harassment. A court order might provide that one party is not permitted to contact the other at all, or only in limited circumstances. A forensic examination of a cellphone, tablet, or computer can be useful to preserve and present evidence of telephone calls, text messages, emails, application data (e.g., messaging apps), social media postings, and other modes of harassing contact, along with the associated datestamps and timestamps.
  • Stalking. Mobile devices can contain forensic evidence of geolocation data, web map data, WiFi connection data, photographs (with datestamps and timestamps), and other artifacts that could support a claim of stalking. Computers as well as mobile devices can contain evidence of web searches conducted by the user (such as searching on a party's name or searching for an address) as well as attempts to obtain unauthorized access to a party's email account or other online accounts.
  • Contempt (Violation of Court Order). There are a number of scenarios in which forensic data can be used to support a motion for contempt. For example, a court order might provide that the children are not to be taken from the jurisdiction, or that their locations when traveling must always be disclosed to the other parent. A forensic examination can provide evidence that such provisions have been violated.
  • Recovery of Lost Evidence. It is not unusual for critical evidence to be lost, either accidentally or maliciously. For example, a party might have taken photographs to document the misconduct of the other (e.g., photographs of bruises). The other party, upon learning of this, might have accessed the victim's phone or computer and deleted the photos to eliminate evidence of the misconduct. Deleted evidence can often be recovered.
  • Financial Misconduct. A party might have failed to disclose all of their assets in connection with a court-ordered financial statement. A forensic examination could reveal that the party has accessed bank accounts, brokerage accounts, cryptocurrency accounts, and other assets that have been wrongfully hidden.
  • Impropriety. A forensic examination might reveal that a party has accessed web sites or used applications that are associated with illegal, harmful, or inappropriate conduct that is relevant to the case.
  • Spyware. A forensic examination might reveal that spyware has been installed on the user's computer or device.
  • Alibi Evidence. Forensic examination can also provide evidence to corroborate an alibi. This could include evidence that the user was in another location or engaged in other activities at the time the alleged misconduct occurred.

There are many similar situations in which a forensic examination may be critical to the outcome of a family law matter. The example scenarios described above are intended only to raise the awareness and to sharpen the issue-spotting instincts of the family law practitioner.

Gaining Access to the Evidence

When conducting forensic ediscovery (especially in the context of family law) it is essential to ensure that the examination is lawful. This is usually not an issue if the client owns the devices or the accounts at issue or has legitimate access to them. If the devices or accounts are owned by a third party, then it will be necessary either to obtain the consent of the owner or else to obtain a court order that authorizes the examination. Another approach is to have the adverse party retain their own forensic expert to find and produce the evidence in accordance with an ediscovery agreement, or to have a neutral or court-appointed expert be retained on behalf of both parties.

This article was written to provide a basic overview of the possible uses of forensic ediscovery in the practice of family law. The descriptions have been simplified for easy reading and are not intended to be technically complete or exhaustive.


James Berriman, Esq., EnCE, is the CEO and founder of Evidox, a provider of ediscovery and computer forensic services. Mr. Berriman has been in the field of litigation technology since 1982. He was a litigation attorney at Goodwin Procter from 1990 to 2006 where he founded the firm's Litigation Technology Group. He founded Evidox in 2006. He has conducted and overseen hundreds of ediscovery and computer forensics matters.

Mr. Berriman is an EnCase Certified Examiner in digital forensics. He has taught Ediscovery at Boston University School of Law and has presented over 40 CLE programs on ediscovery and computer forensics.

Mr. Berriman received his J.D. from Boston University School of Law (1990) and his B.A. from SUNY Potsdam (1980). He is admitted to practice in the State and Federal courts of Massachusetts.