New Federal Rule of Evidence to Directly Impact Computer Forensics and eDiscovery Preservation Best Practices

At X1, an essential component of our mission is to develop and support exceptional technology for collecting electronic evidence to meet eDiscovery, investigative and compliance requirements. It is also our goal to keep you abreast of important developments in the industry that could ultimately impact collection strategies in the future and, consequently, your business.  To that end, I recently learned about a crucial new legal development scheduled to take place on December 1, 2017, which we believe will have a very significant impact on the practices of our customers and partners.

In a nutshell, the new development is a significant planned amendment to Federal Rule of Evidence 902 that will go into effect one year from now. This amendment, in the form of new subsection (14), is anticipated by the legal community to significantly impact eDiscovery and computer forensics software and its use by establishing that electronic data recovered “by a process of digital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” Notably, the accompanying official Advisory Committee notes specifically reference the importance of both generating “hash values” and verifying them post-collection as a means to meet this standard for self-authentication. This digital identification and verification process can only be achieved with purpose-built computer forensics or eDiscovery collection and preservation tools.

Rule 902, in its current form, enumerates a variety of documents that are presumed to be self-authenticating without other evidence of authenticity. These include public records and other government documents, notarized documents, newspapers and periodicals, and records kept in the ordinary course of business. New subpart (14) will now include electronic data collected via a process of digital identification as a key addition to this important rule.

Amended Rule 902, in pertinent part, reads as follows:

Rule 902. Evidence That Is Self-Authenticating
The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:
* * *
(14) Certified Data Copied from an Electronic Device, Storage Medium, or File.
Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).

The reference to the “certification requirements of Rule 902(11) or (12)” is a process by which a proponent seeking to introduce electronic data into evidence must present a certification in the form of a written affidavit that would be sufficient to establish authenticity were that information provided by a witness at trial. This affidavit must be provided by a “qualified person,” which generally would be a computer forensics, eDiscovery or information technology practitioner, who collected the evidence and can attest to the requisite process of digital identification utilized.

In applying Rule 902(14), the courts will heavily rely on the accompanying Judicial Conference Advisory Committee notes, which provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory Committee notes are published alongside the statute and are essentially considered an extension of the rule. The second paragraph of committee note to Rule 902(14) states, in its entirety, as follows:

“Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”

The Advisory Committee notes further state that Rule 902(14) is designed to streamline the admission of electronic evidence where its foundation is not at issue, while providing a notice procedure where “the parties can determine in advance of trial whether a real challenge to authenticity will be made, and can then plan accordingly.” While this rule provides that properly certified electronic data is now afforded a strong presumption of authenticity, the opponent may still lodge an objection, but the opponent now has the burden to overcome that presumption.  Additionally, the opponent remains free to object to admissibility on other grounds, such as relevance or hearsay.

Significant Impact Expected

While Rule 902(14) applies to the Federal Courts, the Rules of Evidence for most states either mirror or closely resemble the Federal Rules of Evidence, and it is thus expected that most if not all 50 states will soon adopt this amendment.

Rule 902(14) will most certainly and significantly impact computer forensics and eDiscovery practitioners by reinforcing best practices. The written certification required by Rule 902(14) must be provided by a “qualified person” who utilized best practices for the collection, preservation and verification of the digital evidence sought to be admitted. At the same time, this rule will in effect call into question electronic evidence collection methods that do not enable a defensible “digital identification” and verification process. In fact, the Advisory Committee notes specifically reference the importance of computer forensics experts, noting that a “challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert.”

In the eDiscovery context, I have previously highlighted the perils of both custodian self-collection for enterprise ESI collection and “print screen” methods for social media and website preservation. Rule 902(14) should provide the final nail in the coffin for those practices. For instance, if key social media evidence is collected through manual print screen, which is not a “process of digital identification” under Rule 902(14), then not only will the proponent of that evidence fail to take advantage of the efficiencies and cost-savings provided by the rule, they will also invite heightened scrutiny for not preserving the evidence utilizing best practices. The same is true for custodian self-collection in the enterprise. Many emails and other electronic documents preserved and disclosed by the producing party are often favorable to their case.  Without best practices utilized for enterprise data collection, such as with X1 Distributed Discovery, that information may not be deemed self-authenticating under this new rule.

In the law enforcement field, untrained patrol officers or field investigators are too often collecting electronic evidence in a manual and haphazard fashion, without utilizing the right tools that qualify as a “process of digital identification.” For example, if an untrained investigator collects a web page via the computer’s print screen process, that printout will not be deemed to be self-authenticating under Rule 902(14), and will face significant evidentiary hurdles compared to a properly collected web page via a solution such as X1 Social Discovery.

Also being added to Federal Rule of Evidence 902 is subpart (13), which provides that “a record generated by an electronic process or system that produces an accurate result” is similarly self-authenticating. This subpart will also have a beneficial impact on the computer forensics and eDiscovery field, but to a lesser degree than subpart (14). I will be addressing Rule 902(13) in a future post. The public comment period on amendments (13) and (14) is now closed and the Judicial Conference of the United States has issued its final approval. The amendments are currently under review by the US Supreme Court. If the Supreme Court approves these amendments as expected, they will become effective on December 1, 2017 absent Congressional intervention.

To learn more about Rule 902(14) and other related topics, we’d like to invite you to watch this 45-minute webinar discussion led by David Cohen, Partner and Chair of Records & eDiscovery Group at Reed Smith LLP. The 45-minute webinar includes a Q&A following the discussion. We look forward to your participation.


Authenticating Internet Web Pages as Evidence: a New Approach

By John Patzakis and Brent Botta

In recent posts, we have addressed the issue of evidentiary authentication of social media data. (See previous entries here and here). General Internet site data available through standard web browsing, instead of social media data provided by APIs or user credentials, presents slightly different but just as compelling challenges.

The Internet provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or chat room evidence than for any other. Under Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, however, that option is not available. In such situations, the testimony of the viewer/collector of the Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (emphasis added) (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence)).

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available “circumstantial indicia” (to borrow the Perfect 10 court’s term) to the user in order to present the best case possible for the authenticity of Internet-based evidence collected with the software. This includes collecting all available metadata and generating an MD5 checksum or “hash value” of the preserved data.

But HTML web pages pose unique authentication challenges, and merely generating an MD5 checksum of the entire web page, or just the web page source file, provides limited value because web pages are constantly changing due to their very fluid and dynamic nature. In fact, a web page collected from the Internet twice in immediate succession would very likely yield two different MD5 checksums. This is because web pages typically feature links to many external items that are dynamically loaded upon each page view. These external links take the form of cascading style sheets (CSS), graphical images, JavaScripts and other supporting files. This linked content can be stored on another server in the same domain, but is often located somewhere else on the Internet.

When the Web browser loads a web page, it consolidates all these items into one viewable page for the user. Since the Web page source file contains only the links to the files to be loaded, the MD5 checksum of the source file can remain unchanged even if the content of the linked files becomes completely different. Therefore, the content of the linked items must be considered in the authenticity of the Web page. X1 Social Discovery addresses these challenges by first generating an MD5 checksum log representing each item that constitutes the Web page, including the main Web page’s source. Then an MD5 representing the content of all the items contained within the web page is generated and preserved.

To further complicate Web collections, entire sections of a Web page are often not visible to the viewer. These hidden areas serve various purposes, including metatagging for Internet search engine optimization. The servers that host Websites can either store static Web pages or dynamically created pages that usually change each time a user visits the Website, even though the actual content may appear unchanged.

In order to address this additional challenge, X1 Social Discovery utilizes two different MD5 fields for each item that makes a Web page.  The first is the acquisition hash that is from the actual collected information.  The second is the content hash.  The content hash is based on the actual “BODY” of a Web page and ignores the hidden metadata.  By taking this approach, the content hash will show if the user viewable content has actually changed, not just a hidden metadata tag provided by the server. To illustrate, below is a screenshot from the metadata view of X1 Social Discovery for website capture evidence, reflecting the generation of MD5 checksums for individual objects on a single webpage:

The time stamp of the capture and the URL of the web page are also documented in the case. By generating hash values of all individual objects within the web page, the examiner is better able to pinpoint any changes that may have occurred in subsequent captures. Additionally, if there is a specific item appearing on the web page, such as an incriminating image, then it is important to have an individual MD5 checksum of that key piece of evidence. Finally, any document file found on a captured web page, such as a PDF, PowerPoint, or Word document, will also be individually collected by X1 Social Discovery with corresponding acquisition and content hash values generated.
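
The per-item hash log described above can be sketched as follows. This is an added example, not X1 Social Discovery's code or output: the function names, the example.test URLs, the constructed sample bytes, and the way the page-level hash is combined from the item content hashes are all assumptions.

```python
import hashlib
import re

def digest(data: bytes, algo: str = "md5") -> str:
    return hashlib.new(algo, data).hexdigest()

def visible_content(ctype: str, data: bytes) -> bytes:
    """For HTML keep only the <body> element; other items hash as collected."""
    if ctype != "text/html":
        return data
    m = re.search(rb"<body\b.*?</body\s*>", data, re.I | re.S)
    return m.group(0) if m else data

def capture_log(items: dict, algo: str = "md5") -> dict:
    """items maps URL -> (content type, bytes exactly as retrieved)."""
    log = {}
    for url, (ctype, data) in sorted(items.items()):
        log[url] = {"acquisition": digest(data, algo),
                    "content": digest(visible_content(ctype, data), algo)}
    # Assumed combination: hash a sorted manifest of the item content hashes.
    manifest = "".join(f"{u}\t{h['content']}\n" for u, h in log.items())
    return {"items": log, "page": digest(manifest.encode(), algo)}

def changed(old: dict, new: dict, field: str) -> list:
    """URLs whose hash in the given field differs between two captures."""
    urls = set(old["items"]) | set(new["items"])
    return sorted(u for u in urls if old["items"].get(u, {}).get(field)
                  != new["items"].get(u, {}).get(field))

# Constructed sample data: one page, one stylesheet, one image.
INDEX = "https://example.test/index.html"
CSS = "https://example.test/site.css"
IMG = "https://example.test/photo.jpg"

def page(request_id: bytes) -> bytes:
    return (b'<html><head><meta name="request-id" content="' + request_id + b'">'
            b'<link rel="stylesheet" href="site.css"></head>'
            b'<body><h1>Notice</h1><img src="photo.jpg"></body></html>')

def sample(request_id: bytes, css: bytes) -> dict:
    return capture_log({INDEX: ("text/html", page(request_id)),
                        CSS: ("text/css", css),
                        IMG: ("image/jpeg", b"\xff\xd8constructed-image-bytes")})

FIRST = sample(b"a1", b"h1{color:black}")
SECOND = sample(b"b2", b"h1{color:black}")   # only a hidden head tag differs
THIRD = sample(b"a1", b"h1{display:none}")   # only the linked stylesheet differs

if __name__ == "__main__":
    print("hidden-tag change:", changed(FIRST, SECOND, "acquisition"),
          changed(FIRST, SECOND, "content"))
    print("stylesheet change:", changed(FIRST, THIRD, "acquisition"))
```

Between FIRST and SECOND only the page's acquisition hash moves, while between FIRST and THIRD the page source hashes are identical and the difference shows up only in the stylesheet entry and the page-level hash.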

We believe this approach to authentication of website evidence is unique in its detail and presents a new standard. This authentication process supports the equally innovative automated and integrated web collection capabilities of X1 Social Discovery, which is the only solution of its kind to collect website evidence both through a one-off capture or full crawling, including on a scheduled basis, and have that information instantly reviewable in native file format through a federated search that includes multiple pieces of social media and website evidence in a single case. In all, X1 Social Discovery is a powerful solution to effectively collect from social media and general websites across the web for both relevant content and all available “circumstantial indicia.”

