January 26, 2018
Do you have a legal matter that could end up in court? Does your case involve any type of electronic evidence, such as emails, attachments, text messages, documents, internet history, spreadsheets, pictures from a camera, social media posts or website content?
The bar for digital evidence presented in court has been raised. The amended rules establish the need for qualified experts and qualified tools to authenticate collected data. They replace the need for an expert to testify in court to establish electronic authenticity with a written certification.
For years Eide Bailly has used best practices when collecting digital evidence and we have educated our clients on the importance of collecting digital evidence in a defensible manner.
The legitimacy of a data collection is an incredibly important topic that started to gain traction when the Federal Rules of Evidence were amended recently. Please allow me a few moments to cover the rules themselves and what they mean in the opinion of a digital forensic expert, as well as the cost of doing this and the cost of not doing this, from both a monetary and a practice standpoint. If you have ever dealt with electronically stored information, electronic evidence, cell phone data, email, spreadsheets, social media or any other type of electronic evidence, you will want to read this before you get going with your day.
(13) Certified Records Generated by an Electronic Process or System.
A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).
(14) Certified Data Copied from an Electronic Device, Storage Medium, or File.
Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).
Any attorney should look at this as a good move, because a digital forensic best practice must now be used in all cases. This will reduce the amount of data that would fall prey to spoliation. This is simply taking an already existing best practice in our industry and enforcing it. To prevent an expert from testifying at trial on how data was collected, or simply challenging the data itself, standards must be followed in both forensic and eDiscovery cases.
Industry standard means that the software and hardware used to collect the data must be industry-accepted tools. Eide Bailly has practiced this since we began performing digital forensics. Our rule has always been: if the F.B.I. uses it, then we can and should use it as well. As a former F.B.I. contractor, we saw firsthand not only which tools are used, but the vetting process for those tools.
Not only must industry tools be used, but they need to be used by a qualified expert. Contrary to common belief, just because you work in I.T. doesn’t mean you are a qualified expert. Do you have a proper chain of custody to document when data was handed over and handed back? Has the person been specifically trained in forensic data collections? Do they have the hardware, such as a write-blocker, or the software to properly collect data and verify the hash values that authenticate the data being collected? Can they collect data from cell phones, tablets, laptops, desktops, servers, RAM captures, CDs, DVDs, thumb drives, gaming systems, email accounts, social media accounts and cloud storage repositories? Knowing the importance of this, Eide Bailly invested heavily early on to have the tools and the skills to properly acquire data from nearly any type of device.
Rules 902(13) and (14) do far more than spare experts a trip to the courtroom to certify that what they collected is authentic and that nothing in the data changed while under their control.
In the past, we have dealt with hundreds of cases where data was provided to us by the client. It came on a CD, DVD or thumb drive, was emailed to us, or arrived as screenshots of text messages from a cell phone (a personal favorite). We have always cringed each time we are told that “this is the data that we are working with and that everyone involved (including the digital forensics team) needs to be comfortable with it.” However, these days are over. Data handed over in this fashion will no longer be admissible in court. So, when dealing with opposing counsel, it would be prudent for an attorney to ask for the chain of custody of the data provided and the hash values as well, from the largest corporate litigation to the smallest divorce case involving text messages. Collecting data under (13) & (14) guidelines will also ensure that metadata is preserved along with the data.
Authentic and defensible data collections can range in price from a few hundred dollars to several thousand dollars, depending on the scope of the collection and the number of custodians involved. A defensible data collection with a chain of custody and proper hardware, software and qualified technicians should be a standard expectation in all your cases. Because of the implementation of this new rule, it now must become the standard for the entire legal industry. Although this will add an additional cost to your client, it also reduces cost by not requiring a forensic expert to appear in court to authenticate what has been done in the process of the data collection.
There is no known digital media source that cannot be collected forensically and defensibly. Email accounts, servers, tablets, laptops, cell phones, cloud storage, gaming systems and even drones can now have their data harvested in a forensic and defensible manner.
These amendments shine a light on the importance of using best practices for electronic evidence. This includes a “qualified person” who can demonstrate the process that created a document or exhibit and its authenticity. It’s now more important than ever to see that defensible collection methods are used, and just as important to employ an experienced eDiscovery or digital forensic expert from Decipher Forensics when collecting electronic evidence.
A hash value can be thought of as a fingerprint for a file. The contents of a file are processed through a cryptographic algorithm, and a unique numerical value (the hash value) is produced, identifying the contents of the file. If the contents are modified in any way, the value of the hash will also change significantly. Two algorithms are currently widely used to produce hash values: MD5 and SHA1.
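The hash check described above, as an added example (not Eide Bailly's tooling): a manifest of hash values is recorded at acquisition and a later working copy is verified against it. The function names and sample files are constructed for illustration, and SHA-256 is computed alongside MD5 and SHA1 because both of those have known collision attacks.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 and SHA1 are the algorithms the article names; SHA-256 is added here.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path, chunk_size=1 << 20):
    """Stream one file through every algorithm in a single pass."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def build_manifest(root):
    """Record hash values for every file under root at acquisition time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(manifest, copy_root):
    """Compare a working copy against the acquisition manifest."""
    current = build_manifest(copy_root)
    report = {"match": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] == expected:
            report["match"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report

def demo():
    """Constructed sample evidence: hash it, then alter one character and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        msg = root / "mail" / "msg1.eml"
        msg.write_bytes(b"Subject: invoice\r\n\r\nAmount due: 1000\r\n")
        (root / "notes.txt").write_bytes(b"meeting at 10:00\n")
        manifest = build_manifest(root)
        clean = verify_copy(manifest, root)
        msg.write_bytes(b"Subject: invoice\r\n\r\nAmount due: 9000\r\n")  # one character changed
        (root / "extra.txt").write_bytes(b"added later\n")
        return clean, verify_copy(manifest, root)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A file counts as matching only when every recorded algorithm agrees, so the manifest can be kept with the chain-of-custody record and re-checked whenever the data changes hands.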
Metadata is simply data about data. When data is properly acquired, metadata is saved and is highly useful in numerous cases of all shapes and sizes. It can show when a document was created, altered or copied to a new computer. It tells the truth of when a text message was sent, or when a picture was taken and on what type of phone or camera. These are just a few of the metadata fields, out of dozens, depending on the type of electronic file you are dealing with.
For more information or to get in touch, check out our Digital Forensics page here.