In December 2017 an amendment was made to Rule 902 for Federal Rules of Evidence, specifically relating to the process for authenticating Electronically Stored Information (ESI). Until this amendment was passed, now included as subsections 13 and 14, litigants had to have any electronic evidence authenticated through trial testimony. This was an expensive process. While our company has taken on quite a bit of eDiscovery work, being asked to testify as an expert witness was rare due to the time and cost involved for litigants.
The new Subsection 14 reads:
“Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).”
The committee who passed the amendments made the following notes,
“As with the provisions on business records in Rules 902(11) and (12), the Committee has found that the expense and inconvenience of producing an authenticating witness for the evidence is often unnecessary. It is often the case that a party goes to the expense of producing an authentication witness, and then the adversary either stipulates authenticity before the witness is called or fails to challenge the authentication testimony once it is presented. The amendment provides a procedure in which the parties can determine in advance of trial whether a real challenge to authenticity will be made and can then plan accordingly.”
With the amendments and the clarifying notes from the Committee this paves the way for simplifying the process and cutting the costs of providing an authentication to electronic evidence. The important part is utilizing the services of an IT professional who would be qualified to walk into court and testify to the authenticity if necessary; a professional who has the “requisite knowledge, expertise to properly collect, verify & preserve”.
So what goes into authenticating electronically stored information? The three key factors, collect, verify, preserve may seem simple, but done incorrectly you’ve lost or destroyed the information you’re trying to authenticate. Electronic evidence is considered a special kind of evidence in the general evidence field as it has a higher concealment, complexity, and technical requirements when compared with the collection of traditional evidence. Correct methods and tools must be utilized to protect electronic evidence. Consider the difference between collecting a shell casing from a scene vs the authenticating surveillance video to the time of the event and verifying it has in no way been altered.
The first step is the most important, and lasts throughout the proceeding - preserving the electronic evidence. When any device is presented a clone or exact duplicate of the evidence is created. No further action is taken on the original device, preserving the device as is for additional clones to be made by the opposing sides IT professional if they require or plan on disputing authentication. The clone is done in a manner that makes it readable, but not writeable, as write-protection is enabled, so no alterations to the copied data can be made. This preserves the original device, as well as preserving the data that was cloned off in exactly the state it was presented to us in.
The second step is collecting the data. You might think that having made a clone you have “collected” the data, but in the case of a criminal proceeding where the scope of a warrant may be limited, having a full copy of the data does not mean you have collected what is required. A warrant for videos from January 1, 2018, does not mean you get to peruse the device as you see fit. It means only the videos from January 1, 2018 are collected. Many people believe (as TV shows and movies tend to inaccurately depict eDiscovery this way) that once a device is in the hands of a forensic IT professional it’s wide open. Having worked cases with very narrow warrants we can say this is absolutely not the case. Devices provided for authentication in a civil case may not be as limited as a warrant. For instance, if the request is for all emails from a certain person or the authentication of all videos that may contain a certain location or group of people more work is required narrowing that down and other evidence may service.
Lastly comes verifying the authenticity of the electronic evidence and providing the certification to the ESI’s authenticity. As provided in the Committee’s notes authentication is provided using the hash values. “Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by "hash value". A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file.” As there is editing software available on most smart devices now, additional verification is made as to whether images or videos have been altered after having originally been taken or made on the device. Once the data is verified as authentic the certification is completed. Obviously, if the data cannot be verified as authentic a certification is not provided.
As IT professionals we are always prepared to testify in court as to our findings of authenticity should that become necessary, but as infrequent as that has been in the past, it will now likely be even more rare to need to provide authenticating testimony.
If you find yourself in need of a Certification of Authenticity pursuant to the new Federal Rule of Evidence 902(14) contact us today.