Mar 17, 2018

Technology-Related Courtroom Testimony

The purpose of this page is to generate and maintain a resource for digital forensic and eDiscovery practitioners, lawyers and legal professionals, and anyone generally looking to understand and/or explain (by way of analogy) some of the technology concepts that may arise during expert testimony.  As a digital forensic practitioner, I often find difficult the task of adequately explaining technology concepts such that attorneys, judges, and jurors “get it”.  In my experience, the best means for creating clear understanding in these situations is through the use of analogies.

Although there may be better analogies for these terms/concepts (suggestions are welcomed), remember the analogies are not intended to be absolutely technically accurate.  Instead, they are intended to provide a means to communicate and establish a general understanding of technical concepts.  Everyone is encouraged to send their favorite analogies by posting them in the comments section below, or via email (analogies(at)sjdcforensics(dot)com).  This is meant to be a community driven list for the benefit of all and citations/credit will be given for all submissions (unless the contributor desires to remain anonymous).   Be sure to also send/post any information you would like included in the credit (e.g., website, email address, name, etc).

As this page evolves, I will be creating a parallel reference sheet (in .pdf format) to download and/or print for court.

I will be frequently updating this page, and the related .pdf document, with additional analogies as they are suggested.  There can be numerous analogies for a single term or concept.

Digital Forensic Analogies for the Courtroom

Artifacts –

CPU (Central Processing Unit) (See also CPU/RAM/Hard Drive)

CPU/RAM/Hard Drive (HDD) – CPU=Carpenter, RAM=Workbench, HDD=Woodshed; CPU=Plane, RAM=Airport, HDD=Town (credit to various respondents in this thread)

Data Recovery –   (See also File Deletion)

Digital Evidence (AKA Electronic Evidence) –

Disk Cloning  – (See also E01, Disk Image, Forensic Image, Image)

Disk Image  – (See also E01, Disk Cloning, Forensic Image, Image, Raw Image)

E01 (AKA – Encase Image File Format) – (See also,

Electronic Discovery – (AKA eDiscovery)



File Allocation Table – A file allocation table system is like a filing cabinet full of hanging folders. At the front of the cabinet is list of all the files, and within which folders they are contained. When a file is deleted, the entry for that file on the list is marked as available to be used, but the folder is not emptied until you replace it with a new file (reference thread here).

File Analysis –

File Deletion – File deletion is generally removing the index entry for a file (like removing the reference card for a book in a library).  When you delete a file (by-passing the recycle bin) you are removing the reference to the data for that file from the MFT.  This is like removing the card from the card catalog in a library (or the reference data in the library database – for you not-so-dated folks), but leaving the book on the shelf.  Referring to how deleted data can be recovered from a disk, recovering data is like finding a book in the library without having the card from the card catalog (see also Data Recovery).

Another analogy, discovered here, is that data on a hard drive is like houses in a neighborhood.  Data deletion is like removing the address number of the houses. That makes the houses difficult to reference/distinguish, be directed to or to find, but the house itself remains. See also MFT or Data Recovery.
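To make the card-catalog analogy concrete, below is a small simulated file system, added here for illustration and not taken from the original page or from any real FAT or NTFS implementation: deleting a file removes only its index entry, a signature scan of the unallocated blocks still recovers the data, and a later write that reuses those blocks destroys it. The file names, contents and signature table are constructed sample values.

```python
"""Toy file system illustrating the card-catalog analogy for file deletion.
Constructed for this page; it does not reproduce any real FAT or NTFS layout."""

BLOCK_SIZE = 8  # tiny blocks so a whole "disk" is easy to reason about

# Constructed signature table: a file type is recognised by its leading "magic"
# bytes, which is roughly what file-signature matching does in carving tools.
SIGNATURES = {b"%PDF": "pdf", b"\x89PNG": "png"}


def signature_kind(block):
    """Return the file type whose signature starts this block, or None."""
    return next((kind for sig, kind in SIGNATURES.items() if block.startswith(sig)), None)


class ToyFS:
    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]  # the shelves
        self.index = {}                    # the card catalog: name -> (block list, size)
        self.free = list(range(n_blocks))  # blocks available for reuse

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(used, chunks):
            self.blocks[b] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.index[name] = (used, len(data))  # the card: where the book is, how long

    def read(self, name):
        """Normal access: look up the card, then walk the listed blocks."""
        used, size = self.index[name]
        return b"".join(self.blocks[b] for b in used)[:size]

    def delete(self, name):
        """Pull the card and mark the blocks reusable; the bytes stay on the shelf."""
        used, _ = self.index.pop(name)
        self.free.extend(used)

    def carve_unallocated(self):
        """Recovery without the catalog: scan blocks no live file owns for a known
        signature and read on through contiguous, non-empty, unallocated blocks.
        Stripping trailing padding is a shortcut; a real carver has no such marker."""
        allocated = {b for used, _ in self.index.values() for b in used}
        found, b = [], 0
        while b < len(self.blocks):
            kind = None if b in allocated else signature_kind(self.blocks[b])
            if kind is None:
                b += 1
                continue
            data, b = bytearray(self.blocks[b]), b + 1
            while (b < len(self.blocks) and b not in allocated
                   and any(self.blocks[b]) and signature_kind(self.blocks[b]) is None):
                data += self.blocks[b]
                b += 1
            found.append((kind, bytes(data).rstrip(b"\x00")))
        return found


def deletion_demo():
    """Walk through delete -> recover -> overwrite on constructed sample files."""
    pdf = b"%PDF-1.4 hello court"           # constructed placeholder content
    png = b"\x89PNG\r\n\x1a\n pixels"
    fs = ToyFS(n_blocks=8)
    fs.write("report.pdf", pdf)             # lands in blocks 0, 1, 2
    fs.write("photo.png", png)              # lands in blocks 3, 4
    fs.delete("report.pdf")                 # card removed; blocks 0-2 untouched
    still_listed = "report.pdf" in fs.index
    carved_after_delete = fs.carve_unallocated()
    # A new file big enough to reach the freed blocks overwrites the PDF header,
    # after which the signature scan no longer finds it (the "replaced folder").
    fs.write("notes.txt", b"new memo that is long enough to reuse")
    carved_after_reuse = fs.carve_unallocated()
    return {"still_listed": still_listed, "carved_after_delete": carved_after_delete,
            "carved_after_reuse": carved_after_reuse}
```

Calling `deletion_demo()` shows the deleted PDF absent from the index yet recovered by carving, and then gone once its blocks are reused.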

File Signature

File System – (See also File Deletion)

Forensic Image  – (See also E01, Disk Image, Image, Raw Image)

Hard Disk Drive (HDD)

Image (AKA – Disk image, Forensic Image, Raw Image)

Metadata – Metadata: Your biography would contain information about where you were born, when you were born, who your parents were, and a bunch of other things about you. This is what metadata is, the biography of a file, and, just as the amount of information recorded about a person in a biography can vary, the same is true of files and their metadata (credit to Sam).

MFT (Master File Table) – Analogous to the old card catalog used in a library.  This is where most of the information (metadata) regarding a file (the book) is stored.  See also File Deletion or Data Recovery.


RAM (Random Access Memory) – Hard drive data is like a book (data) on a bookshelf that can be accessed at anytime, whereas data in RAM is like having the book in your hand (credit to various respondents in this thread).

Raw Image 

Solid State Drive (AKA- SSD) –

SSD Wear Leveling – SSD drives use flash memory which, similar to the tires on your car, has a shelf-life.   SSDs use wear leveling to wear flash storage evenly.  (credit to SANS –



Apr 26, 2015

SJDC is often hired to perform a digital forensic analysis of a cell phone and/or another type of mobile device that was present during a traffic accident.  The goal of the exam may be to determine the possibility of distracted driving, the location of a driver prior to or after the accident, the calls placed before or after the crash, or the travel route and/or approximate speed of a vehicle. In other words, mobile devices have become a rich source of evidence.  Oftentimes, locating and producing the Electronically Stored Information (ESI – aka data) of interest is relatively straight-forward.  Yet, in some cases the ESI sought, and often known to have existed on the device at one point in time, is not readily present at the time of a digital forensic examination.  This creates legal issues for both the client and opposing party (or parties) during the discovery process.  The client is often the party seeking cell phone or mobile device ESI because they are interested in user activity at or near the time of the accident.  However, clients have also requested forensic analyses of mobile devices because they have received a preservation order, or request, from the opposing party; or they become aware that a party to the case may have been using a device at/near the time of an accident.  In either case, prompt preservation of ESI is imperative in accident cases.

**NOTE: THIS IS NOT INTENDED AS LEGAL ADVICE.  One should always consult with an attorney before making decisions with potential legal ramifications.**

The following question and answer narrative is intended to provide responses to common questions asked by those involved in traffic crash cases when mobile devices (i.e. cell phones) are present in the vehicle at the time of the crash:

What type of potentially relevant ESI is available on mobile devices?

There are many types of ESI present on cell phones, or other mobile devices, that may be relevant to a traffic accident case.  Perhaps the most commonly requested types of ESI in accident cases (and most other cases) are text messages (SMS and/or MMS), call logs, chat/messenger data, GPS waypoints (latitude/longitude recorded at various times, including the drive up to the point of the accident), application data (e.g., Facebook, Twitter, Instagram), and web browsing data.  There is an immense amount of potentially relevant ESI present in these forms, and many others, on these devices.  To gain an appreciation for the amount of ESI potentially relevant to an accident case you need only consider the various uses of your own device, keeping in mind that each type could, and often does, occur while operating a vehicle.

Can deleted data be recovered?

The short answer is yes.  The longer answer is that the likelihood of recovering deleted data is influenced by a number of factors, the most common of which is the continued use (and amount of use) of the device after data deletion.  Another factor is whether or not the user “reset” or “restored” the device.  With some exceptions, a restore of newer devices will usually result in irreversible data deletion.    Reregistering the device to a different user, provider, or number will also cause the irreversible deletion of a small amount of data.

What should I do first?

Regardless of fault, if you or your client was involved in a car accident with injuries, and a device was in the vehicle at the time, you should immediately preserve the ESI.  This can be accomplished by simply placing the phone in “airplane mode”, powering off the device, and storing it.  Of course, this will result in some expense to a custodian, company, insurance company, or representing attorney because the custodian will want a replacement.  However, the cost of a new device compared to the potential liability due to spoliation sanctions should make this a relatively easy decision.

In the same regard, you should promptly make a written request to the opposing party for preservation of any mobile device ESI, including cell phone and GPS devices that may have been present in the other driver’s vehicle. The preservation request should state clearly that the device should be placed into airplane mode and usage should cease immediately, because without doing so data destruction will occur.

I was recently told that in an effort to deal with the potential liability of a spoliation claim, a large commercial carrier started replacing an employee owned cell phone with a new one (at the company’s expense) if the employee was involved in a traffic crash while driving a company vehicle.  This decision was based upon consideration that employers may be held liable for spoliation if employees delete potentially relevant ESI.  The employer subsequently stores the employee’s previously owned cell phone and produces it with little concern of spoliation when obligated to do so as part of litigation.

Cell phone custodians are often interested in transferring the data to a new device and have asked if this transfer could cause the destruction of data.  The short answer is yes.  By simply turning on the device, ESI is overwritten.  However, reasonable steps taken by a prudent custodian to preserve the ESI would, in my opinion, be viewed favorably by the court.  Placing the device in airplane mode blocks most radio signals to the device thereby preventing incoming calls, text messages, etc., that may overwrite older and/or previously deleted, but potentially pertinent, ESI.  This should be done: 1) as soon as practical, and 2) before turning off the device, because without placing it in airplane mode the device will communicate with the network and data destruction will occur when it is powered back on for a transfer of data.

Next, potential litigants should send preservation requests to cell phone providers (i.e. AT&T, Sprint, Verizon, etc.) for any and all logs and content (i.e. text messages) available for all vehicle drivers.  The preservation request serves to notify recipients that ESI in their possession is of interest in litigation and a proper subpoena or court order is forthcoming.  At this point, it is the ESI custodian’s (in this case the cell service provider) responsibility to preserve logs and/or content in anticipation of the required legal documents.   The promptness of this request is especially important to secure content (i.e., the message itself) from providers.  Normally, providers do not store content beyond a few days, but the ESI is available if preserved promptly, then followed by a reasonably prompt court order.  Taking such a step may circumvent the need for an examination of the device itself.  However, keep in mind that providers do not store log or transaction ESI relative to chats, web browsing, Facebook, or other web-based activity.  Instead, provider records will only reflect the usage of data during some timeframe that may or may not include the time of the accident.

How can cell phone data (contacts, text messages, call logs, etc.) be transferred from one phone, with potentially relevant ESI, to another?       

Most providers will transfer data from one phone to another (new) phone as a service to their customers if a custodian must have his/her data transferred prior to storage of the relevant device.  Should a custodian insist on this transfer, it is important for him/her to inform the technician making the transfer that data should not be deleted from the relevant device.  In most cases, irreversible deletion will occur if the technician “resets”, or “restores”, the phone subsequent to a transfer of data.  Keep in mind that this is not a suggestion to make this transfer of data.  The best approach would be to keep the phone in the possession of the custodian, or custodian’s representative, without giving it to another person, including a technician, for any reason.

Am I required to retain the services of a digital forensic examiner (DFE) if I, or a client, has been involved in a vehicle accident and a mobile device is present?

No!  In cases where device usage is questionable, I suggest simply storing the device until such time as it is established as potentially relevant to the traffic crash litigation.  This is primarily because the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident.  In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful.  Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent data in the Antico v. Sindt decision in October of 2014.

What if I determine that the cell phone or GPS device is potentially relevant?

Once you have determined that the device is potentially relevant, you should secure the services of a digital forensic examiner (DFE).  A well-trained, experienced, and licensed DFE will follow best practices to ensure that the evidence is admissible in a court of law.  Oftentimes, clients will secure the services of a DFE to get insight regarding the presence of ESI before the opposing party requests access to the device.  And, production of the device may be unnecessary if a DFE acquires the cell phone ESI using well-established best practices.  In this case the previously acquired cell phone data, rather than the actual device, is provided to the opposing party as part of the discovery process.

What about the privacy of my, or my client’s, personal data?

As stated above, the user’s right to privacy is not automatically superseded by the facts regarding the possible use of the cell phone at the time of an accident.  In other words, if there are not sufficient facts to establish that the cell phone was being used at or near the time of the accident, a motion for production may not be successful.  Florida’s 1st District Court of Appeals addressed the balance of privacy rights versus the discovery of potentially pertinent ESI in the Antico v. Sindt decision in October of 2014.

Furthermore, if your (or your client’s) cell phone is of interest to an opposing party, you may ask the court to allow an examination and limited production of cell phone ESI by your own DFE, or one appointed by the court.

A well-trained, experienced, and licensed DFE will take steps to ensure data security and privacy before, during, and after the exam.

What is the cost of a digital forensic exam of a mobile device and how long does it take?

Unfortunately, not all devices are the same.  Therefore, the amount of time it takes to examine a device varies.  Some devices take little time, and others take a significant amount of time.  SJDC can usually examine the device and produce “technical reports” that provide clients most of the information needed for their case in about 4 billable hours.  This amount will vary if the exam is required to take place at a different location (i.e. at a custodian’s home or office).  Although the exam is expected to take 4 billable hours, custodians should expect the device to be unavailable for about 24 hours.  Unless the exam is performed at a different location, SJDC does not charge for machine time, meaning that clients only get charged for hands-on examination time attributed to the case.  Additional time is expected if SJDC is required to filter, additionally or iteratively produce, interpret, or testify about the data.  More information regarding SJDC rates/terms can be found at our rates/terms page.

In closing, those involved in traffic crashes, or the resulting litigation, should seriously consider mobile devices used by either party as sources of evidence.  If the device is owned by you (or your client), it should be preserved as soon as practical to avoid a future spoliation ruling.  If the device is owned by an opposing party, a request for preservation of cell phone ESI should be promptly sent.  In either case, a request for preservation of provider records should be sent promptly and followed by either a subpoena or court order.

Feel free to comment or post questions below.

Oct 06, 2014


Three months after the Supreme Court’s Riley v. California decision mandating that police secure a search warrant prior to searching an arrestee’s cell phone, the world is apparently still turning.  Many, present company included, believed this decision would be detrimental to the effectiveness of law enforcement.  Law enforcement officers know the value of Electronically Stored Information (ESI) in cell phones and oftentimes depend on this ESI as the primary evidence, or lead generator, in many of their cases.  Privacy issues aside, limiting access to this primary source of evidence will certainly inhibit efforts by police to protect the public and put bad guys in jail.

There is good reason for officers to value this ESI.  People use cell phones to store more personal information than is recorded by any other means.  It is unlikely that many users even know the extent to which newer cell phones capture personal information.  Anecdotes abound, but suffice it to say that few clients for whom I have performed analyses are not surprised by the richness of the personal data available, even after the user takes steps to delete data.  Our dependence on cell phones as the primary means to store this information has led to the devices being ubiquitous to modern society.  Delivering the opinion for the Court in Riley, Chief Justice Roberts colorfully described the prevalence of cell phones as, “…such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” (p. 9).  Indeed, one would be hard-pressed to walk down a pedestrian filled city street and not see a majority of people actively using their cell phones.  People store their most intimate personal data regarding even the most mundane aspects of their lives in their cell phones, and that information can become evidence in court.

Prior to the Riley decision, as a matter of practice, law enforcement officers in most jurisdictions lawfully seized and subsequently searched arrestee’s cell phones for evidence of criminal activity without obtaining search warrants.  ESI is highly valued in criminal cases and its discovery is often prioritized over other types of evidence (as an example, see this recent case).  I am personally aware of a number of cases in which cell phone ESI is either the first significant evidence discovered in the case, or the only evidence connecting arrestees to the crime, yet there was no authorization by a court for the search.  That’s not to say these were illegal searches; just that the law and practice of the respective jurisdiction did not require court authorization prior to the search.  That all changes with the Riley decision.   Now, absent exigent circumstances, a search warrant is required before the police can search the cell phone of an arrestee.

Understandably, police are concerned that the extra time it takes to secure a search warrant will jeopardize the investigation or, more importantly, public safety.  Search warrants have become a more time-intensive process for investigators over the years. I recall years ago drafting my first search warrant and bringing it to the local courthouse where I shuffled between judges chambers looking for the first judge who had time and was willing to review/sign the warrant.  I used to call this the courthouse shuffle.  Back then search warrant affidavits were short and thus reviewed in little time.  Of course, some officers had their favorite judges who took the least amount of time reviewing search warrants.  One judge was known for his swiftness in turning to the signature page.   Many avoided him for this reason, but when he was the on-call judge I made many after-hours visits to his residence knowing that I would only be asked the following two questions as he turned to the signature page: 1) It’s not my house, is it?; and 2) Do you swear this is the truth?  Even then, the steps it took to get authorization for a search were considered cumbersome (as they should be).

Nowadays things are a bit different.  Absent exigent circumstances, police are oftentimes required to send search warrants for review and/or set appointments with prosecutors and judges.  And, due to advances in technology and the law, search warrant affidavits have become much lengthier.  However, these technological advances have also helped law enforcement become more efficient with this process; a point not missed by the majority in Riley v. California.  Some jurisdictions have even enabled completely electronic review/filing services for their legal processes (e.g. court orders, search warrants, subpoenas, etc). In these jurisdictions warrants can be sent/reviewed/signed electronically thereby allowing for authorization to occur in minutes instead of hours or days.  In this light one can see the double-edged sword that is technology.  Technology makes us more efficient, yet over time adds layers of requirement; technology allows us to store more data, yet can limit our access to this data (e.g., encryption, cloud computing); technology makes life more convenient, yet this convenience can lead to apathy and requires us to store immense amounts of accessible personal data. 

Over the years I have seen many legal and technological Y2K (end of the world) moments in policing.  These include Miranda (limiting police interviews), Gant (limiting police searches of vehicles), Encryption (limiting access to data), and cloud computing (limiting venue authority or access to local data) that, at their time, were all seen as being immediately and severely detrimental to the continued effectiveness of the police.  I see the Riley decision as another Y2K moment.  Prior to Riley law enforcement officers enjoyed the benefit of timely access to an arrestee’s cell phone ESI.  Now, the Court has limited that access to protect our individual right to privacy.  We will never know the extent to which this decision inhibits justice or jeopardizes public safety, but we do know that the Court is working in our favor by protecting our individual right to privacy in our persons, places, and effects.  Hopefully the decision will push a greater portion of the criminal justice system further into the 21st century.  As with Y2K, Miranda, Gant, Encryption, and Cloud Computing, the Riley decision will not stop police from enforcing the law.  Law enforcement will adapt and will continue to make the best possible cases within the right-protecting restrictions imposed... and the world will still turn.

What do you think?


Jul 13, 2014

Located in Jacksonville, Florida, St. Johns Data Consulting, LLC (SJDC) provides digital forensic analysis, consulting, training, and expert testimony in support of litigation. We strive to bring our clients the most secure, professional, confidential, and competent assistance to support various types of litigation.

  • Computer Forensics
  • eDiscovery
  • Data Theft
  • Intellectual Property Theft
  • Employer/Employee Disputes
  • Digital Forensic Imaging
  • Targeted Collections
  • Drone Data Extraction and Analysis
  • E-mail Recovery/Analysis
  • Web History Analysis
  • Document Analysis
  • Timeline Analysis
  • User History/Access Analysis
  • Image Analysis
  • Keyword/Phrase Searching
  • Data Recovery
  • Data/Evidence Preservation and Storage
  • Trial/Litigation Support
  • Evidence/Chain-of-Custody Documentation
  • On-Site and Lab Acquisitions
  • Cross-Validation of Litigant/Defense Findings