Federal Rules of Evidence Have Changed Simplifying the Authentication of Electronic Evidence

In December 2017 an amendment was made to Rule 902 of the Federal Rules of Evidence, specifically relating to the process for authenticating Electronically Stored Information (ESI).  Until this amendment, now included as subsections 13 and 14, was passed, litigants had to have any electronic evidence authenticated through trial testimony.  This was an expensive process.  While our company has taken on quite a bit of eDiscovery work, being asked to testify as an expert witness was rare due to the time and cost involved for litigants.

The new Subsection 14 reads:

“Certified Data Copied from an Electronic Device, Storage Medium, or File.  Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).”

The committee that passed the amendments made the following notes:

“As with the provisions on business records in Rules 902(11) and (12), the Committee has found that the expense and inconvenience of producing an authenticating witness for the evidence is often unnecessary.  It is often the case that a party goes to the expense of producing an authentication witness, and then the adversary either stipulates authenticity before the witness is called or fails to challenge the authentication testimony once it is presented.  The amendment provides a procedure in which the parties can determine in advance of trial whether a real challenge to authenticity will be made and can then plan accordingly.”

The amendments and the clarifying notes from the Committee pave the way for simplifying the process and cutting the costs of authenticating electronic evidence.  The important part is utilizing the services of an IT professional who would be qualified to walk into court and testify to the authenticity if necessary; a professional who has the “requisite knowledge, expertise to properly collect, verify & preserve”.

So what goes into authenticating electronically stored information?  The three key factors (collect, verify, preserve) may seem simple, but if they are done incorrectly you’ve lost or destroyed the information you’re trying to authenticate.  Electronic evidence is considered a special kind of evidence in the general evidence field, as it has higher concealment, complexity, and technical requirements than traditional evidence.  Correct methods and tools must be utilized to protect electronic evidence.  Consider the difference between collecting a shell casing from a scene versus authenticating surveillance video to the time of the event and verifying it has in no way been altered.

The first step is the most important, and lasts throughout the proceeding: preserving the electronic evidence.  When any device is presented, a clone or exact duplicate of the evidence is created.  No further action is taken on the original device, preserving the device as is for additional clones to be made by the opposing side's IT professional if they require it or plan on disputing authentication.  The clone is made in a manner that makes it readable but not writeable: write-protection is enabled, so no alterations to the copied data can be made.  This preserves the original device, as well as preserving the data that was cloned off in exactly the state it was presented to us in.

The second step is collecting the data.  You might think that having made a clone you have “collected” the data, but in the case of a criminal proceeding where the scope of a warrant may be limited, having a full copy of the data does not mean you have collected what is required.  A warrant for videos from January 1, 2018, does not mean you get to peruse the device as you see fit.  It means only the videos from January 1, 2018 are collected.  Many people believe (as TV shows and movies tend to inaccurately depict eDiscovery this way) that once a device is in the hands of a forensic IT professional it’s wide open.  Having worked cases with very narrow warrants, we can say this is absolutely not the case.  Devices provided for authentication in a civil case may not be as limited as a warrant.  For instance, if the request is for all emails from a certain person, or the authentication of all videos that may contain a certain location or group of people, more work is required narrowing that down and other evidence may surface.

Lastly comes verifying the authenticity of the electronic evidence and providing the certification of the ESI’s authenticity.  As the Committee’s notes explain, authentication is done using hash values.  “Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by "hash value".  A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file.” As editing software is now available on most smart devices, additional verification is made as to whether images or videos have been altered after having originally been taken or made on the device.  Once the data is verified as authentic, the certification is completed.  Obviously, if the data cannot be verified as authentic, a certification is not provided.
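The preserve-then-verify process described above, as an added example that is not from the original article: a clone is made and hashed at acquisition, and any later copy is checked against that recorded hash value. The file names, the record layout and the choice of SHA-256 are assumptions, and read-only file permissions stand in for a hardware write blocker.

```python
import hashlib, hmac, os, shutil, stat, tempfile

def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream the file through the hash so large images never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, clone):
    """Copy source to clone, mark the clone read-only, record both hashes."""
    shutil.copyfile(source, clone)
    os.chmod(clone, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    record = {"algorithm": "sha256", "size": os.path.getsize(source),
              "source_hash": hash_file(source), "clone_hash": hash_file(clone)}
    if record["source_hash"] != record["clone_hash"]:
        raise ValueError("clone does not match source; acquisition failed")
    return record

def verify(path, record):
    """True only if path still hashes to the value recorded at acquisition."""
    current = hash_file(path, record["algorithm"])
    return hmac.compare_digest(current, record["clone_hash"])

def demo():
    """Constructed sample: a 4 KiB file standing in for a device image."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "device.img")   # hypothetical file names
    clone = os.path.join(work, "clone.img")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 16)
    record = acquire(source, clone)
    intact = verify(clone, record)
    # Simulate an alteration: change one byte in a separate working copy.
    altered = os.path.join(work, "altered.img")
    shutil.copyfile(clone, altered)
    os.chmod(altered, stat.S_IRUSR | stat.S_IWUSR)
    with open(altered, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")        # the byte at offset 100 was 0x64
    changed = verify(altered, record)
    shutil.rmtree(work, ignore_errors=True)
    return intact, changed, record

if __name__ == "__main__":
    intact, changed, record = demo()
    print("clone verifies:", intact, "| altered copy verifies:", changed)
    print(record["algorithm"], record["clone_hash"])
```

A one-byte change out of 4,096 is enough to make verification fail, which is why the hash recorded at acquisition can support a certification.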

As IT professionals we are always prepared to testify in court as to our findings of authenticity should that become necessary, but as infrequent as that has been in the past, it will now likely be even more rare to need to provide authenticating testimony. 

If you find yourself in need of a Certification of Authenticity pursuant to the new Federal Rule of Evidence 902(14), contact us today.


Malware Being Delivered Through Ask Toolbar

The Ask Toolbar is possibly one of the most insidious software addons in existence. Most people find they have the Ask Toolbar and aren’t even really sure how it happened.

Now that Ask has been exploited it’s even more important to get rid of it. Most people acquire the Ask Toolbar as an addon to something they intended to download, but didn’t read the fine print and remove the check next to “Add the Search App by Ask.”


Beware This Google Drive Phishing Scam Is Making Another Round

We originally published this blog on our DataBits News site in early 2014, but as it appears to be making the rounds again we want to make sure everyone has been forewarned. 

With sharing of documents becoming more and more common this phishing scam is trying to scam people on a platform many people are comfortable using and sharing information through on a daily basis.

Like most phishing scams, this one arrives via email with the subject of “Documents”, "Invoice", or "Tracking Information". Naturally, once you look at the body of the email, it tells you to click on what looks like a Google Drive link to an important document.

This is where it gets particularly scary: if you click on this link you are taken to a login page that looks exactly like every other Google login page you’ve ever seen. This “fake page is actually hosted on Google’s servers and is served over SSL, making the page even more convincing,” Nick Johnston of Symantec wrote in his blog.  Johnston continued, “The scammers have simply created a folder inside a Google Drive account, marked it as public, loaded a file there, and then used Google Drive’s preview feature to get a publicly-accessible URL to include in their messages.”

So it has a URL, and it looks like a Google login.  Unfortunately many people are likely to enter their login credentials without a second thought – and just like that their credentials will be compromised.

What can you do to protect yourself?  First is to stay alert.  If an email comes to you with the subject of “Documents” or "Invoice" but you don’t know the sender, there is no reason to click that link.  If an email comes to you with the subject of “Documents” or "Invoice" and you do know the sender, think before opening it: would this person be sending me a document like this, and even if they do send me docs, do they ever just call them “documents” or "invoice"?

Second you may notice that something is slightly off with how a login is happening, for instance in this case when you click the link it asks you to sign in to a Google account.  Most Google users right now could type in or and it won’t ask for your credentials.  Certain parts of Google, like the merchant login, always ask for you to re-enter your password, but most won’t.  This is a very subtle hint that not all is right with this link, but it is one you might pick up on.

Johnston went on to say, “Google accounts are a valuable target for phishers, as they can be used to access many services…”  Not only will they now have access to your Gmail, Google Drive, and Google Merchant accounts, they will have access to what is becoming more and more important in the land of cyber crime and phishing scams – access to the contact list associated with your email address!

Why is that connection so important and valuable?  It’s simple, people are getting more wary of emails with links and attachments that come from Jane Smith, but if that email is from an old college friend or a neighbor down the block, you're more likely to click on the link or attachment it contains.  Compromised contact lists are becoming a hot commodity to really increase the effectiveness of phishing scams, generally referred to as spear phishing as they are now aiming for a specific person or group of people connected to the compromised account.

What can you do to make sure your account stays secure?  Be careful with any link or attachment that arrives via email.  Don’t feel embarrassed about contacting a sender to make sure the email you’ve received is legitimate; it’s always better to ask than have your information stolen.  And make sure you have taken steps to secure your password and that it’s not “password”.  If that seems too obvious, keep in mind that in 2013, when Facebook accounts were hacked, the most common password exposed was “password”.

To learn more about securing your password read here.


Tech Support Scams Are Constantly Adapting

Tech support scammers are always working to create the next great financial windfall for themselves.  These scams can arrive on your screen as fake popups from Apple, Paypal, Microsoft, your Internet Service Provider, basically anything that the scammers think you'll find believable.

In an effort to educate our readers on the variety of ways tech support scams might appear on their screens, we're providing a series of screenshots illustrating some of the different scams.

We'll start with a couple of examples of Apple specific scams.  This one even sort of has the Apple logo.  


Why Tech Support Scams Are So Prolific

As most people realize, the first reason there are so many tech support scams is that they are a cash cow for those perpetrating them. The second reason is that those who are working to profit off of tech support scams are not just running a single scam website; they are running scams across multiple websites, all the time.

As recently reported by MalwareHunterTeam (@malwrhunterteam) an individual with 135 known domain registrations was using many of them to "host tech support scams". Additionally MalwareHunterTeam reports that 120 of these domains are registered with We tested a handful of the 135 websites and all sites we tested are blocked or taken down.  To see the full list of domains click here

Prior to the sites being taken down, MalwareHunterTeam took a screenshot from one of the tech support scams, see below.  Looks legit, right?  The more legitimate the popup looks the more likely they are to get someone to click.  These guys are constantly working to make sure their sites look reputable and trustworthy.


TheDarkOverlord is Attempting to Sell Information on 655,000 Patients

It's likely about to be a very bad day for three medical facilities and 655,000 patients whose information has been put up for sale on TheRealDeal market, a marketplace, located on TOR, that specializes in selling numerous illegal items.

In an interview from 2015 with the market's admin, "...basically we consist of 4 partners who have a lot of experience in infosec...We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity."  Fantastic!  We certainly wouldn't want those in the business of perpetrating fraud on others to be defrauded themselves... (Yes, that's sarcasm.)  Included in the list of items for sale are a variety of exploits (both known and unknown / not yet patched), databases (like the ones TheDarkOverlord is selling), code, drugs, hardware including physical hacking tools, and specialty services offered by hackers (such as paying for a hacker to access a specific email account or acquisition of a specific document - think corporate espionage).


The FBI's Warrant to Apple and Apple's Security Concerns

So nearly everyone is talking about Apple and security, but almost no one is providing the facts in the conversation.  On the one side you have SECURITY, PRIVACY, GOVERNMENT OVERREACH, on the other side you have NATIONAL SECURITY and SAFETY OF ALL AMERICANS.  But around the hype what are the actual facts?

For anyone unfamiliar with the case, this surrounds an iPhone recovered by the FBI that belonged to one of the San Bernardino terrorists who attacked a holiday party on December 2, 2015, killing 14 and wounding 22.  The phone in question is reported to have belonged to Syed Farook.

Tim Cook wrote in a letter issued to their customers, "We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."  That reads so pro Apple customers and the protection of their devices that how can you possibly disagree with Apple?


A Look at an IRS Email Scam

A client of ours arrived at work to discover an email from the IRS in her inbox.  Concerned about its legitimacy, she contacted us.  Below is a copy of the email.

The first hint that this is fake, for those who haven't heard the IRS announcements that they will never email you, is the email was in her Junk mail. Typically important / legitimate emails don't get routed directly to the Junk mail box.  Sure it happens occasionally, but it's certainly an easy first test of legitimacy.

As per their MO we see the scammers are hoping to work on people's fear instead of common sense, with the last line being the threat of "Failure to comply..."


One is Paypal, One is Definitely Not

So you're busy shopping on the Internet when for one reason or another, you've clicked on a website link, clicked on a link in an email, etc, and this Paypal page opens. But did you check to see if it's really Paypal before attempting to put in your username and password?

While this website is an awfully good imitation of Paypal the domain name / web address is the giveaway. is most certainly not Paypal.

For reference, here is what Paypal's website currently looks like.  Notably, until very recently Paypal did have the login on the top right of the front page of the site, however as their website is being spoofed frequently it is good to make frequent changes, like this, to help consumers differentiate their site from the fake ones.
