New Rules Streamline Digital Forensics Experts’ Authentication Testimony

By Carolyn Casey

Feb 7 2017

Certification Instead of In-Person Testimony
Late last year, the Judicial Advisory Committee for the Federal Rules of Evidence (FRE) issued new rules aimed at streamlining the admission of electronic evidence to court proceedings. The new rules 902(13) and (14) replace in-person testimony to establish electronic evidence authenticity with a written certification. This is important because it means forensic technicians will literally no longer have to be in a courtroom to articulate to a judge why s/he should admit the evidence as authentic. Under the new rules, a party will only have to provide a written certification by a qualified person that describes the process and technical basis for authenticity. Barring any action by the Supreme Court or Congress, which is not expected, the new rules will take effect on December 1, 2017.

Win-Win-Win
The Advisory Committee stated that its goal was to make it easier to authenticate certain types of electronic data, and to eliminate wasted costs and efforts. The Committee Notes show that they found the expense and inconvenience of producing a witness to authenticate an item of electronic evidence was mostly unnecessary. “It is often the case that a party goes to the expense of producing an authentication witness and then the adversary either stipulates authenticity before the witness is called or fails to challenge the authentication testimony once it is presented.”

Courts, law enforcement and corporations should all benefit from the new rules. Clients who hire forensic experts to assist in forensic investigations will no longer have to pay for their travel and in-person testimony. Though there will be charges for the certification, it would seem there will be cost savings. The hassles of coordinating expert testimony, logistics, etc., also would diminish if not disappear. Law enforcement digital forensic examiners can submit a certification and stay at the lab working on massive caseloads. Judges will relish a change that speeds up proceedings and helps clear clogged dockets, with less time spent on authentication testimony.

Keep in mind that the adverse party can still challenge the evidence authenticity or object to it on hearsay, right to confront and other grounds. They will have ample opportunity, as the new rules require a party to give the adverse party reasonable notice of intent to use the electronic evidence before trial. They also must make the record and certification available for inspection and possible challenge.

Hashing Viable Self-Authentication Means
The amendments modernize the rules. They are a recognition of the growing proportion of digital content in court proceedings and the authentication advances in digital forensics. For example, new Rule 902(14) authorizes certification of evidence “authenticated by a process of digital identification.” The Advisory Committee Notes specifically call out that checking hash values is an allowable authentication process that could be certified by a qualified person. “Hashing,” in basic terms, is a process where an algorithm is used to create a unique “fingerprint” of digital content. Forensic experts compare the fingerprint, or “hash value,” of the original document with that of the copy to show that the copy is an identical representation. The Committee also indicates certification will be possible with future identification technology that may come along.

“… [t]his amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”
Advisory Committee on Rules of Evidence, Fall 2016 Meeting, 308
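As an added illustration (not code from the post or from the Committee Notes), here is the hash check described above in working Python: it fingerprints the acquired image and the working copy, compares the two, and keeps a record an examiner could attach to a certification. The image bytes are constructed sample data and the record fields are my own choice of what such a record should carry.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample data standing in for an acquired forensic image and
# the working copy an examiner analyses (not real evidence).
ORIGINAL_IMAGE = b"".join(b"sector %04d: constructed sample data\n" % i for i in range(256))
WORKING_COPY = bytes(ORIGINAL_IMAGE)
# A copy that differs from the original by a single bit, to show the mismatch case.
TAMPERED_COPY = ORIGINAL_IMAGE[:-1] + bytes([ORIGINAL_IMAGE[-1] ^ 0x01])


def digest(data: bytes, algorithm: str = "sha256", chunk: int = 4096) -> str:
    """Hash data in fixed-size chunks, as you would stream a multi-gigabyte image file."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


@dataclass
class VerificationRecord:
    """Fields a certifying examiner would want on the record (my own layout, not a court form)."""
    algorithm: str
    original_hash: str
    copy_hash: str
    verified_at: str
    identical: bool


def verify_copy(original: bytes, copy: bytes, algorithm: str = "sha256") -> VerificationRecord:
    """Compare the original's fingerprint with the copy's and record the outcome with a UTC timestamp."""
    original_hash = digest(original, algorithm)
    copy_hash = digest(copy, algorithm)
    return VerificationRecord(
        algorithm=algorithm,
        original_hash=original_hash,
        copy_hash=copy_hash,
        verified_at=datetime.now(timezone.utc).isoformat(),
        identical=original_hash == copy_hash,
    )


if __name__ == "__main__":
    for label, candidate in (("working copy", WORKING_COPY), ("tampered copy", TAMPERED_COPY)):
        record = verify_copy(ORIGINAL_IMAGE, candidate)
        print(label, "identical:", record.identical)
        print(asdict(record))
```

A matching hash shows the copy is bit-for-bit identical to what was hashed, not that the original was unaltered before acquisition, so the record should sit alongside the acquisition notes. Prefer SHA-256 over MD5 for new work, since MD5 collisions are practical to construct.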

The Letter of the Law
Here’s a bit more on the self-authentication evidence rule that the new rules will become part of, followed by the text of the new rules.

FRE Rule 902 – Evidence That Is Self-Authenticating – currently lists 12 evidence items that are “self-authenticating; they require no extrinsic evidence of authenticity to be admitted.” These items include evidence such as certified public documents, newspaper articles and business records.

The amendments add two more items of evidence to this list. New 902(13) adds “machine generated” electronic evidence such as printouts of system logs and Internet browser histories to the list, along with “data copied” from devices, storage media or files in new 902(14). The exact text from the packet submitted to the Supreme Court is:

(13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).

(14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).

Qualified Persons and Technology for the New Rules
The Committee’s examples point to forensic technicians and examiners as “qualified persons” for certifications. Under the prior rules, it is very common for corporations to have outside forensic experts testify as to electronic evidence authenticity, especially in large cases. However, at times employees from IT or information security/forensics who conduct collections and analysis may testify. Further analysis of “qualified person” is outside the scope of this blog.

One thing corporate and law enforcement teams can do to prepare for the new rules is to consider training for staff to obtain or update certifications on forensic techniques and on the use of court-cited technology with reliable hashing. External consultants’ certifications are also important in establishing credentials to support the new written certifications to authenticate electronic evidence. So be sure to confirm they are certified in the leading forensic solutions.

The true impact of the new rules on certifying electronic evidence will become known as practitioners begin to use them and courts rule on their proper use. We will certainly be following these happenings and will keep you informed. It is an exciting time to be in digital forensics and e-discovery!

In addition, I recommend a read of the implementation examples the Committee Notes provide. Here they are for your convenience.

“1. Proving that a USB device was connected to (i.e., plugged into) a computer
In a hypothetical civil or criminal case in Chicago, a disputed issue is whether Devera Hall used her computer to access files stored on a USB thumb drive owned by a co-worker. Ms. Hall’s computer uses the Windows operating system, which automatically records information about every USB device connected to her computer in a database known as the “Windows registry.” The Windows registry database is maintained on the computer by the Windows operating system in order to facilitate the computer’s operations. A forensic technician, located in Dallas, Texas, has provided a printout from the Windows registry that indicates that a USB thumb drive, identified by manufacturer, model, and serial number, was last connected to Ms. Hall’s computer at a specific date and time.

Without Rule 902(13)
Without Rule 902(13), the proponent of the evidence would need to call the forensic technician who obtained the printout as a witness, in order to establish the authenticity of the evidence. During his or her testimony, the forensic technician would typically be asked to testify about his or her background and qualifications; the process by which digital forensic examinations are conducted in general; the steps taken by the forensic technician during the examination of Ms. Hall’s computer in particular; the process by which the Windows operating system maintains information in the Windows registry, including information about USB devices connected to the computer; and the steps taken by the forensic examiner to examine the Windows registry and to produce the printout identifying the USB device.

Impact of Rule 902(13)
With Rule 902(13), the proponent of the evidence could obtain a written certification from the forensic technician, stating that the Windows operating system regularly records information in the Windows registry about USB devices connected to a computer; that the process by which such information is recorded produces an accurate result; and that the printout accurately reflected information stored in the Windows registry of Ms. Hall’s computer. The proponent would be required to provide reasonable written notice of its intent to offer the printout as an exhibit and to make the written certification and proposed exhibit available for inspection. If the opposing party did not dispute the accuracy or reliability of the process that produced the exhibit, the proponent would not need to call the forensic technician as a witness to establish the authenticity of the exhibit. (There are many other examples of the same types of machine generated information on computers, for example, internet browser histories and wifi access logs.)

2. Proving that a server was used to connect to a particular webpage
Hypothetically, a malicious hacker executed a denial-of-service attack against Acme’s website. Acme’s server maintained an Internet Information Services (IIS) log that automatically records information about every internet connection routed to the web server to view a web page, including the IP address, webpage, user agent string and what was requested from the website. The IIS logs reflected repeated access to Acme’s website from an IP address known to be used by the hacker. The proponent wants to introduce the IIS log to prove that the hacker’s IP address was an instrument of the attack.

Without Rule 902(13)
The proponent would have to call a website expert to testify about the mechanics of the server’s operating system; his search of the IIS log; how the IIS log works; and that the exhibit is an accurate record of the IIS log.

With Rule 902(13)
The proponent would obtain the website expert’s certification of the facts establishing authenticity of the exhibit and provide the certification and exhibit to the opposing party with reasonable notice that it intends to offer the exhibit at trial. If the opposing party does not timely dispute the reliability of the process that produced the registry key, then the proponent would not need to call the website expert to establish authenticity.

3. Proving that a person was or was not near the scene of an event.
Hypothetically, Robert Jackson is a defendant in a civil (or criminal) action alleging that he was the driver in a hit-and-run collision with a U.S. Postal Service mail carrier in Atlanta at 2:15 p.m. on March 6, 2015. Mr. Jackson owns an iPhone, which has software that records machine-generated dates, times, and GPS coordinates of each picture he takes with his iPhone. Mr. Jackson’s iPhone contains two pictures of his home in an Atlanta suburb at about 1 p.m. on March 6. He wants to introduce into evidence the photos together with the metadata, including the date, time, and GPS coordinates, recovered forensically from his iPhone to corroborate his alibi that he was at home several miles from the scene at the time of the collision.

Without Rule 902(13)
The proponent would have to call the forensic technician to testify about Mr. Jackson’s iPhone’s operating system; his search of the phone; how the metadata was created and stored with each photograph; and that the exhibit is an accurate record of the photographs.

With Rule 902(13)
The proponent would obtain the forensic technician’s certification of the facts establishing authenticity of the exhibits and provide the certification and exhibit to the opposing party with reasonable notice that it intends to offer the exhibit at trial. If the opposing party does not timely dispute the reliability of the process that produced the iPhone’s logs, then the proponent would not have to call the technician to establish authenticity.

4. Proving association and activity between alleged coconspirators
Hypothetically, Ian Nichols is charged with conspiracy to commit the robbery of First National Bank that occurred in San Diego on January 30, 2015. Two robbers drove away in a silver Ford Taurus. The alleged co-conspirator was Dain Miller. Dain was arrested on an outstanding warrant on February 1, 2015, and in his pocket was his Samsung Galaxy phone. The Samsung phone’s software automatically maintains a log of text messages that includes the text content, date, time, and number of the other phone involved. Pursuant to a warrant, forensic technicians examined Dain’s phone and located four text messages to Ian’s phone from January 29: “Meet my house @9”; “Is Taurus the Bull out of shop?”; “Sheri says you have some blow”; and “see ya tomorrow.” In the separate trial of Ian, the government wants to offer the four text messages to prove the conspiracy.

Without Rule 902(13)
The proponent would have to call the forensic technician to testify about Dain’s phone’s operating system; his search of the phone’s text message log; how logs are created; and that the exhibit is an accurate record of the iPhone’s logs.

With Rule 902(13)
The proponent would obtain the forensic technician’s certification of the facts establishing authenticity of the exhibit and provide the certification and exhibit to the opposing party with reasonable notice that it intends to offer the exhibit at trial. If the opposing party does not timely dispute the reliability of the process that produced the iPhone’s logs, then the court would make the Rule 104 threshold authenticity finding and admit the exhibits, absent other proper objection.

Hearsay Objection Retained
Under Rule 902(13), the opponent—here, criminal defendant Ian—would retain his hearsay objections to the text messages found on Dain’s phone. For example, the judge would evaluate the text “Sheri says you have some blow” under F.R.E. 801(d)(2)(E) to determine whether it was a coconspirator’s statement during and in furtherance of a conspiracy, and under F.R.E. 805, to assess the hearsay within hearsay. The court might exclude the text “Sheri says you have some blow” under either rule or both.

5. In the armed robbery hypothetical, above
Forensic technician Smith made a forensic copy of Dain’s Samsung Galaxy phone in the field. Smith verified that the forensic copy was identical to the original phone’s text logs using an industry standard methodology (e.g., hash value or other means). Smith gave the copy to forensic technician Jones, who performed his examination at his lab. Jones used the copy to conduct his entire forensic examination so that he would not inadvertently alter the data on the phone. Jones found the text messages. The government wants to offer the copy into evidence as part of the basis of Jones’s testimony about the text messages he found.

Without Rule 902(14)
The government would have to call two witnesses. First, forensic technician Smith would need to testify about making the forensic copy of information from Dain’s phone, and about the methodology that he used to verify that the copy was an exact copy of information inside the phone. Second, the government would have to call Jones to testify about his examination.

With Rule 902(14)
The proponent would obtain Smith’s certification of the facts establishing how he copied the phone’s information and then verified the copy was true and accurate. Before trial the government would provide the certification and exhibit to the opposing party—here defendant Ian—with reasonable notice that it intends to offer the exhibit at trial. If Ian’s attorney does not timely dispute the reliability of the process that produced the Samsung Galaxy’s text message logs, then the proponent would only call Jones.”
