How NOT to Investigate Questionable Online Behavior

We are being inundated with news of high-profile misconduct incidents, notably sexual assault and/or harassment. Many of the reports pertain to dated allegations, and most, if not all, were never officially reported to the authorities. However, there is one recent case involving 9th Circuit federal Judge Alex Kozinski that did have an “official” inquiry and highlights how NOT to investigate an online case.


Washington Post journalist Matt Zapotosky reported on December 8, 2017, that Judge Kozinski had allegedly sexually harassed court employees. Specifically, he would show porn to staff and ask for their input, including whether it excited them. He also allegedly made sexually suggestive comments, such as publicly telling a female court employee that she should work out naked. These incidents were never reported for fear that there would be reprisals from the powerful judge.

However, as noted by Zapotosky, the judge was investigated in 2008 for misconduct of a sexual nature. I would argue that had this investigation been conducted differently, it could very well have led to his undoing and might have detected or prevented conduct that has since been discovered.

The 2008 misconduct came to light after the LA Times ran a story that Judge Kozinski was running a public website that maintained pornography. By the way, this was not just any pornography; it involved images which included:

“a photo of naked women on all fours painted to look like cows and a video of a half-dressed man cavorting with a sexually aroused farm animal.”

At the time, Judge Kozinski was presiding over an obscenity case. After the LA Times story appeared, Judge Kozinski declared a mistrial and recused himself. He also reported his conduct for investigation by the 9th Circuit Judicial Conference.

The matter ended up being investigated by a committee in the 3rd Circuit and not the 9th Circuit, which is kind of interesting. Why that circuit? Why not another? I will get back to that later. Judge Anthony J. Scirica was chair of the committee charged with doing the investigation and noted that they completed the following investigative steps:

“… by making written and telephonic inquiries; reviewing relevant documents and the image, audio, and video files provided by the Judge; engaging a consultant to advise the Special Committee on certain computer technology issues; and examining the Judge in person, under oath, and on the record.”

The thing that stands out in all this is that no one apparently actually examined Judge Kozinski’s server. Let me repeat that for a moment. The case involved a website, and no digital evidence was apparently independently collected or forensically examined. They took the judge’s word for what was on it and received the images he provided. There was no forensic examination of this server, which might have shed light on the following:

  • What exactly was on the server, and was it legal or illegal pornography?
  • Who accessed the server and when? (such as during normal court business hours)
  • More specifically, were pornographic images on the server accessed during court hours and by someone working in the judiciary?

Equally troubling is that the investigating committee never bothered to ask the 9th Circuit Court for information on whether court systems were used to access Judge Kozinski’s server. We know he admitted that he used the server for sharing files with other judges, etc., but we have only his word on what was shared and accessed.

The 9th Circuit system could have provided independent information about what was shared/accessed and when. Imagine how this information might shed a bright light on the allegations being made today. For instance, the 9th Circuit court might have shown that their systems were used to access the judge’s server at a specific time and location (directory), which would have raised questions about what was accessed, by whom, and why. Remember, we now have allegations that Judge Kozinski was accessing pornography and showing it to court employees.

By examining the 9th Circuit systems in 2008, there might have been evidence of sexual harassment. For instance, logs might have reflected that the court’s systems were used to access the judge’s server at 10:00 a.m. on a workday and that the access was to a specific directory and/or file. What was in that directory and what was the file? Was it the judge, and who was he with at the time? But those inquiries were not made because they apparently never thought computer logs were important in an investigation concerning a website.

At a minimum, one would have thought the investigation would have asked the 9th Circuit for an examination of Judge Kozinski’s work computer to see when and how it interacted with his server. Again, this might have shown access to directories and files that might have led to inquiries of a more troubling nature for the judge.
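To show what the log review argued for above would actually look like, here is an added example (not code from the post or from the investigation): it parses web-server access logs and pulls out the requests that came from the organisation’s own address range on a workday during business hours, then tallies which directories were reached. The log lines, the 203.0.113.0/24 address block and the business-hours window are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache Common Log Format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2008:10:02:41 -0700] "GET /share/drafts/opinion.doc HTTP/1.1" 200 51200
203.0.113.10 - - [10/Mar/2008:10:05:12 -0700] "GET /misc/img_0412.jpg HTTP/1.1" 200 84311
198.51.100.7 - - [10/Mar/2008:22:15:03 -0700] "GET /misc/img_0413.jpg HTTP/1.1" 200 90112
203.0.113.22 - - [11/Mar/2008:09:31:57 -0700] "GET /share/drafts/opinion.doc HTTP/1.1" 200 51200
"""
# Hypothetical address block of the court's workstations (an assumption).
ORG_NETWORK = ipaddress.ip_network("203.0.113.0/24")
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 in the log's local offset (assumed)
WORKDAYS = range(0, 5)         # Monday..Friday

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_line(line):
    """Return (ip, datetime, method, path, status), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status, _size = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def business_hour_hits(log_text, network=ORG_NETWORK):
    """Successful requests from `network` made on a workday during business hours."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, _method, path, status = rec
        if status != 200 or ipaddress.ip_address(ip) not in network:
            continue
        if when.weekday() in WORKDAYS and when.hour in BUSINESS_HOURS:
            hits.append((ip, when.isoformat(), path))
    return hits

def directory_counts(hits):
    """How often each directory was reached in the selected hits."""
    return Counter(path.rsplit("/", 1)[0] + "/" for _ip, _when, path in hits)

if __name__ == "__main__":
    for hit in business_hour_hits(SAMPLE_LOG):
        print(*hit)
```

The same filter, pointed at the court’s outbound proxy or firewall logs instead of the server, is the other half of the cross-check the post describes.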

The investigative report reflects that actual digital evidence was not as important as Judge Kozinski’s “unbiased” statements on what occurred. This case had all the earmarks of something requiring computer forensics, but that was not done. Imagine any obscenity or child pornography investigation being conducted only by asking the target what they did.

Now one might argue that Judge Scirica’s committee was trying to narrow the investigation’s scope and only ask questions pertaining to certain issues. They didn’t want to pry into his personal or private life. Equally compelling is that Judge Scirica did not want to push the issue of accessing the judge’s work computer and the 9th Circuit system, as Judge Kozinski was at the forefront of forcefully objecting to Internet monitoring of judges, as reported by the LA Times in 2001.

Gee, we can only speculate now why he was objecting to monitoring. Maybe that was why he had the personal server in the first place. He could access porn without fear of an alert because his server did not have “porn” titles in files and directories that would have triggered a notification from a monitoring program. He noted in his sworn testimony that he did not maintain images with suggestive titles, making it a tough task to remove porn from various directories. Maybe that was to avoid getting caught looking at porn during working hours.

The accommodation given to Judge Kozinski is the exact opposite of how a Sixth Circuit misconduct committee operated in Judge John Adams’ case. His case centered not on sexual misconduct or financial/ethical concerns but on the fact that he was considered recalcitrant by a small minority of his judicial colleagues. Judge Scirica was also involved in a review of that investigation. His committee agreed that it was entirely appropriate for the Sixth Circuit tribunal to demand Judge Adams’ medical records as well as order him to submit to a mental health evaluation, as they had broad investigative authority.

So, under Judge Scirica’s thinking, it is okay to expand an investigation into one judge’s medical records and compel a mental health evaluation, but it is not appropriate or justified to look at another judge’s work computer and/or personal server concerning inappropriate online conduct. Am I the only one puzzled by that reasoning?

As an aside, why agree that Judge Adams should be subject to a mental health evaluation for conduct that basically centers around him being independent-minded with his colleagues, but not suggest or order a mental health evaluation for a judge who apparently was maintaining images that had an obscene if not bestiality theme? Is it any wonder that Judge Adams, with the support of Judicial Watch, has filed suit to have the law allowing such disparate and unjustified actions by the judicial branch declared unconstitutional?

Now recall I mentioned that Judge Scirica is in the 3rd Circuit and Judge Kozinski is in the 9th Circuit. Well, Judge Adams is in the 6th Circuit. Considering the apparent differences in how Judge Scirica operated in two different cases, one must wonder if his investigative activities are “picked” not based upon his record of thoroughness but on his track record of steering the investigation to the desired conclusion. Based upon the allegations now being made against Judge Kozinski, one can only speculate that these newly disclosed victims could have been spared had a proper and thorough inquiry been completed in 2008 by Judge Scirica and his committee.

It is troubling that the 2008 “investigation” was completed by a federal judiciary body that should have known better. Investigations involving computer activity must involve the independent forensic collection of all available digital evidence and the examination of that evidence in a forensic manner. To do otherwise is to call into question the legitimacy of the activity and the motives of the parties involved. Judge Scirica’s involvement in these two cases supports the view that the judiciary cannot police itself. An independent Inspector General’s Office, with investigative procedures and protocols, needs to be enacted to ensure that the public is objectively protected against individuals who are appointed for life. On that note, I left a cigar lit somewhere. Take care.


Collecting Electronically Stored Information (ESI): Traditional Computer Forensics vs. Online Captures

Modern investigators and litigators are no strangers to computer investigations. Electronically stored information (ESI) is becoming more and more a part of both criminal and civil cases. Often the first question asked is, “What incriminating piece of information was found by the computer forensics examiner?” But ESI is more than just data found on a computer. It can and does involve a growing number of cases in which data was collected off the Internet. What is the difference between the two? To consider that question we first need to define ESI. A good definition is:

“Any information created, stored, or utilized with digital technology. Examples include, but are not limited to, word-processing files, e-mail and text messages (including attachments); voicemail; information accessed via the Internet, including social networking sites; information stored on cell phones; information stored on computers, computer systems, thumb drives, flash drives, CDs, tapes, and other digital media.” (Department of Justice (DOJ) and Administrative Office of the U.S. Courts (AO) Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), 2012, p. 12)

Notice this definition includes “information accessed via the Internet, including social networking sites.” Let’s refer to this type as online ESI, and to data collected from computers, cell phones, or other storage devices as digital ESI. We started this discussion assuming that online ESI was different from digital ESI. But are they really? Both can contain metadata and both can be quite voluminous. The difference between the two lies in the dissimilar manner in which they are collected, as well as in the different ways each is susceptible to modification.

The computer forensics benchmark for years has been to avoid acquiring data from a live machine and to never examine original data. In recent years this gold standard has been relaxed but not eliminated. We are starting to see some acquisitions, and even examinations, of computers that are “on”. Additionally, the computer forensics examiner, even in remote data acquisitions, has control over the target system. Online ESI acquisitions are quite different. They are always “live.” The investigator has no control over the original media that hosts the online data. The original data is on a server, which might not even be in the same jurisdiction, let alone the same state, province, or country, as the investigator.

Both digital evidence and online evidence are susceptible to modification. However, digital ESI found on a hard drive or electronic media can be seized and maintained. Even in a civil setting, once pertinent digital ESI is identified, it is secured until it can be provided to opposing parties, with potential penalties for spoliation. Seizing digital ESI is done either by an on-scene computer forensic examiner or by “pulling the plug” and providing the device to an expert for later acquisition and examination. As long as chain of custody and proper procedures are in place, there is little chance the data will be altered, or altered without detection.

Contrast this to online ESI collection, which is merely a snapshot, on a particular date and time, of a website, social networking site, etc. The online ESI may also exist only temporarily, such as in the case of an instant messaging or chat session, and could be gone unless it is captured in some manner. The best computer forensic examiner might not retrieve the entire chat or instant message communication. A website or social networking site might change minutes after it was first captured. Online ESI can be changed remotely, such as with a mobile device, because the media containing the data has not been secured. Even if there were enough computer forensics examiners available, investigators can’t wait for them because online ESI is subject to change at any moment. If it is not captured when it is discovered, it might not be there again.

Both Todd and I believe investigators can be trained in the proper methods and procedures to not only collect online ESI but do so in a manner that it can be used as evidence in any legal proceeding. Online ESI can be preserved after its capture and “hashed” to answer any questions about it possibly being altered later. We discuss these methods, procedures, and tools to accomplish this important investigative task in our book. On that thought, I am going to light up a cigar and contemplate my next blog entry.
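As an added illustration of the “preserve and hash” step (this is not code from the post or from the authors’ book), the example below stores a capture beside a manifest that records the source URL, capture time, examiner and SHA-256 of the content, returns a hash of the manifest for the chain-of-custody log, and later re-hashes everything so that an altered capture or an altered manifest is detected. The page bytes, URL and examiner name are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def preserve_capture(capture_dir, url, content: bytes, examiner, captured_at=None):
    """Store the captured bytes beside a manifest recording what, when, who and the hash.
    Returns the SHA-256 of the manifest, to be written into the chain-of-custody log."""
    capture_dir = Path(capture_dir)
    capture_dir.mkdir(parents=True, exist_ok=True)
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    (capture_dir / "capture.bin").write_bytes(content)
    manifest = {
        "source_url": url,
        "captured_at_utc": captured_at,
        "examiner": examiner,
        "file": "capture.bin",
        "sha256": sha256_hex(content),
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    (capture_dir / "manifest.json").write_bytes(body)
    return sha256_hex(body)

def verify_capture(capture_dir, expected_manifest_hash):
    """Re-hash both files; True only if neither the capture nor its manifest changed."""
    capture_dir = Path(capture_dir)
    body = (capture_dir / "manifest.json").read_bytes()
    if sha256_hex(body) != expected_manifest_hash:
        return False  # manifest (URL, time, examiner or hash) was edited
    manifest = json.loads(body)
    return sha256_hex((capture_dir / manifest["file"]).read_bytes()) == manifest["sha256"]

def roundtrip_demo():
    """Preserve a constructed capture, verify it, alter it, verify again."""
    # Constructed stand-in for the bytes fetched from a profile page (not real content).
    page = b"<html><body>constructed snapshot of a profile page</body></html>"
    with tempfile.TemporaryDirectory() as d:
        h = preserve_capture(d, "https://example.invalid/profile", page, "Examiner A")
        intact = verify_capture(d, h)
        (Path(d) / "capture.bin").write_bytes(page.replace(b"snapshot", b"edited"))
        after_edit = verify_capture(d, h)
    return intact, after_edit

if __name__ == "__main__":
    print(roundtrip_demo())  # (True, False)
```

The manifest hash is the one value that must leave the examiner’s control (a signed custody form, a case-management entry) at capture time, because it is what later proves the manifest itself was not rewritten.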


U.S. Department of Justice (DOJ) and Administrative Office of the U.S. Courts (AO), Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG). (2012). Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases. Washington, D.C. Retrieved from