According to surveys of U.S. and U.K. matrimonial attorneys, more and more of them are asking (or requiring) their clients to disclose Facebook, Twitter, LinkedIn, and other social media credentials to the attorney start of the case. The retained counsel has no wish to be surprised in court, by finding out that his or her client said or posted things online that are detrimental to the case.1


As a Cyberforensics consultant, I ask the following questions when working with lawyers in order for my clients to get the best results possible when fighting matrimonial cases:

1) Does your client (the wife, husband or partner) have a legal right to the computer or smartphone? If the device is jointly owned, then we can image and analyze it. If the device is owned by the other person’s employer, or is somehow construed as private property, then we do not have the legal right to analyze it, without a court order.


2) Has a PRESERVATION LETTER been issued to the opposing side?


3) Has either side retained an expert to acquire multiple copies of legally compliant forensics images? If both sides agree that the image is forensically sound, then both sides can invest resources in evidence analysis, not re-acquisition.


4) How many devices are owned by the couple? Computers, laptops, smartphones, etc.


5) Do they have any shared passwords to e-mail, online banking, Facebook, LinkedIn, etc? If yes, then we ask the attorney retaining us to determine (and advise us in writing) whether their client still has a legal right to those passwords, now that the divorce process has started.


6) What are we looking for? Financial records? Evidence of online romances? Deleted files and documents?

The best way to minimize forensics costs is to limit what we need to look for.

Every client has something to hide.

Guide your forensics investigator – frame the request as narrowly as possible. For example, “find me financial records” or “we suspect he’s hiding funds offshore” or “she’s got a shopping addiction” or “we suspect he’s having an affair.”


7) Has anyone used non-forensics software to try an undelete files or used a non-forensic computer technician to gather evidence? If so, then there’s a possibility that the evidence is spoiled and cannot be used in court. Based on my experience, even when the evidence cannot be presented in court, it often results in negotiated settlements.

8 ) Is there any suspicion of child pornography (CP) on the device(s)?

Under current Federal laws, if we encounter more than three items of CP, we are legally obligated to stop work and report it to the FBI, Secret Service and ICE. Unlike any other form of evidence, mere possession of CP by an attorney (or their consultants) is illegal under federal law2,3 and attorneys have been prosecuted for possessing CP while they were conducting research on behalf of their clients.

 See the case of Attorney Leo Thomas Flynn at


 Below are several case studies that illustrate the above points:

 1) In a case, the family kept using the shared computer(s) months after the divorce was filed. Analysis of the data revealed that the husband had lied to the wife, and his attorney, about what he did with the couple’s sex tapes, which were on the shared computer. Since the entire family (husband, wife, children, guests, etc.) used the same user name and password to log in to the computer, it was forensically impossible to tell who created, modified or deleted files — this evidence was considered polluted and could not be used in court. While this evidence could not be used in court, it assisted the wife’s attorney in negotiating a favorable settlement.

2) In another case, the husband fled from his native country to the U.S. 18 months ago. The wife followed suit six months later. She brought the family laptop with her, and presented it to her U.S. attorney as evidence.  Having established the dates of his departure, and her departure from their native country, we started the analysis. We located some financial records. We also found large stashes of adult imagery from dating sites–both male and female dating profiles.  The initial conclusion we drew was that the husband was having a homosexual affair, or was bisexual, due to the prevalence of both male and female dating profiles. Upon review, the wife rejected the analysis. The discrepancies in the dates of profiles led us to re-interview the wife, with counsel present. During this re-interview, we discovered that after the husband had fled, the wife’s sister has used the laptop to engage in online dating for the intervening six months. Because the client allowed her sister to use the laptop for six months, and did not communicate this with the attorney, all digital evidence had to be thrown out, because it was spoiled.


Defending Against Cyber Evidence

When defending against cyber-evidence, determine the legality of the evidence. In most cases, the evidence was spoiled or may have been collected illegally. Determine the correctness of evidence – the data may have been collected legally – but was it collected and analyzed correctly?


In one case, the client was charged with 107 counts, based on the fact that he clicked on one link, and the popup downloaded 50 images on the hard drive. Analysis by the author was able to prove that these were the result of popups downloading multiple images per click, and should therefore be counted as one violation per popup or web page. In the end, the client was charged with five counts–a far cry from the initial 107.


Social Media and Cloud Evidence


While we cannot gather forensic evidence from cloud providers (Facebook, Gmail, Twitter, World-of-Warcraft (WOW), Farmville, etc.), in many cases, once references to these services have been located on the clients’ hard drives, you can subpoena log files from these providers. Facebook, WOW, and EZ-pass are great places to acquire digital evidence.


Raj Goel is founder and CTO of Brainlink International, Inc.  Learn more at



 1. 08/facebook-us-divorces,,



This article appears in the April 2012 issue of New York County Lawyers Association (NYCLA)  Newspaper on pages 5 & 15.  The PDF is available at