
Certification Instead of In-Person Testimony
Late last year, the Judicial Advisory Committee for the Federal Rules of Evidence (FRE) issued new rules aimed at streamlining the admission of electronic evidence to court proceedings. The new rules 902(13) and (14) replace in-person testimony to establish electronic evidence authenticity with a written certification. This is important because it means forensic technicians will literally no longer have to be in a courtroom to articulate to a judge why s/he should admit the evidence as authentic. Under the new rules, a party will only have to provide a written certification by a qualified person that describes the process and technical basis for authenticity. Barring any action by the Supreme Court or Congress, which is not expected, the new rules will take effect on December 1, 2017.
Win-Win-Win
The Advisory Committee stated that its goal was to make it easier to authenticate certain types of electronic data, and to eliminate wasted costs and efforts. The Committee Notes show that they found the expense and inconvenience of producing a witness to authenticate an item of electronic evidence was mostly unnecessary. “It is often the case that a party goes to the expense of producing an authentication witness and then the adversary either stipulates authenticity before the witness is called or fails to challenge the authentication testimony once it is presented.”
Courts, law enforcement and corporations should all benefit from the new rules. Clients who hire forensic experts to assist in forensic investigations will no longer have to pay for their travel and in-person testimony. Though there will be charges for the certification, it would seem there will be cost savings. The hassles of coordinating expert testimony, logistics, etc., also would diminish if not disappear. Law enforcement digital forensic examiners can submit a certification and stay at the lab working on massive caseloads. Judges will relish a change that speeds up proceedings and eases clogged dockets, with less time spent on authentication testimony.
Keep in mind that the adverse party can still challenge the evidence authenticity or object to it on hearsay, right to confront and other grounds. They will have ample opportunity, as the new rules require a party to give the adverse party reasonable notice of intent to use the electronic evidence before trial. They also must make the record and certification available for inspection and possible challenge.
Hashing Viable Self-Authentication Means
The amendments modernize the rules. They are a recognition of the growing proportion of digital content in court proceedings and the authentication advances in digital forensics. For example, new Rule 902(14) authorizes certification of evidence “authenticated by a process of digital identification.” The Advisory Committee Notes specifically call out that checking hash values is an allowable authentication process that could be certified by a qualified person. “Hashing,” in basic terms, is a process where algorithms are used to create a unique “fingerprint” of digital content. Forensic experts use the fingerprint or “hash value” of the original document to show that the copy is an identical representation. The Committee also indicates certification will be possible with future identification technology that may come along.
“… [t]his amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”
Advisory Committee on Rules of Evidence, Fall 2016 Meeting, 308
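The hash comparison described above, as an added example (not from the Committee Notes or the original post): it streams an original and a copy through SHA-256 and records whether the two are identical. The function names, record fields and sample data are assumptions made for illustration.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB pieces so large images never sit fully in memory


def digest_stream(stream, algorithms=("sha256",)):
    """Return the byte count and hex digests of a binary stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while chunk := stream.read(CHUNK_SIZE):
        size += len(chunk)
        for hasher in hashers.values():
            hasher.update(chunk)
    return {"size": size, **{name: h.hexdigest() for name, h in hashers.items()}}


def verify_copy(original, copy, label, algorithms=("sha256",)):
    """Compare a copy against its original and return a record of the check."""
    orig = digest_stream(original, algorithms)
    dup = digest_stream(copy, algorithms)
    mismatched = [field for field in orig if orig[field] != dup[field]]
    return {
        "item": label,
        "checked_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "original": orig,
        "copy": dup,
        "identical": not mismatched,
        "mismatched_fields": mismatched,
    }


def demo():
    # Constructed sample data standing in for an exported text-message log.
    source = b"2015-01-29 21:02 outgoing: sample message\n" * 1000
    altered = bytearray(source)
    altered[500] ^= 0x01  # a single flipped bit, same length as the original
    cases = {"exact copy": source, "one bit changed": bytes(altered),
             "truncated copy": source[:-1]}
    return {name: verify_copy(io.BytesIO(source), io.BytesIO(data), name)
            for name, data in cases.items()}


if __name__ == "__main__":
    for name, record in demo().items():
        print(name, record["identical"], record["mismatched_fields"])
```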
The Letter of the Law
Here’s a bit more on the self-authentication evidence rule that the new rules will become part of, along with the text of the new rules.
FRE Rule 902 – Evidence That Is Self-Authenticating – currently lists 12 evidence items that are “self-authenticating; they require no extrinsic evidence of authenticity to be admitted.” These items include evidence such as certified public documents, newspaper articles and business records.
The amendments add two more items of evidence to this list. New 902(13) adds “machine generated” electronic evidence such as printouts of system logs and Internet browser histories to the list, along with “data copied” from devices, storage media or files in new 902(14). The exact text from the packet submitted to the Supreme Court is:
(13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).
(14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).
Qualified Persons and Technology for the New Rules
The Examples point to forensic technicians and examiners as “qualified persons” for certifications. Under the prior rules, it is very common for corporations to have outside forensic experts testify as to electronic evidence authenticity, especially in large cases. However, at times employees from IT or information security/forensics who conduct collections and analysis may testify. Further analysis of “qualified person” is outside the scope of this blog.
One thing corporate and law enforcement teams can do to prepare for the new rules is to consider training for staff to obtain or update certifications on forensic techniques and use of court-cited technology with reliable hashing. External consultant certifications are also important in establishing credentials to support the new written certifications to authenticate electronic evidence. So be sure to confirm they are certified in the leading forensic solutions.
The true impact of the new rules on certifying electronic evidence will become known as practitioners begin to use them and courts rule on their proper use. We will certainly be following these happenings and will keep you informed. It is an exciting time to be in digital forensics and e-discovery!
In addition, I recommend a read of the implementation examples the Committee Notes provide. Here they are for your convenience.
“1. Proving that a USB device was connected to (i.e., plugged into) a computer
In a hypothetical civil or criminal case in Chicago, a disputed issue is whether Devera Hall used her computer to access files stored on a USB thumb drive owned by a co-worker. Ms. Hall’s computer uses the Windows operating system, which automatically records information about every USB device connected to her computer in a database known as the “Windows registry.” The Windows registry database is maintained on the computer by the Windows operating system in order to facilitate the computer’s operations. A forensic technician, located in Dallas, Texas, has provided a printout from the Windows registry that indicates that a USB thumb drive, identified by manufacturer, model, and serial number, was last connected to Ms. Hall’s computer at a specific date and time.
Without Rule 902(13) |
Impact of Rule 902(13) |
2. Proving that a server was used to connect to a particular webpage
Hypothetically, a malicious hacker executed a denial-of-service attack against Acme’s website. Acme’s server maintained an Internet Information Services (IIS) log that automatically records information about every internet connection routed to the web server to view a web page, including the IP address, webpage, user agent string and what was requested from the website. The IIS logs reflected repeated access to Acme’s website from an IP address known to be used by the hacker. The proponent wants to introduce the IIS log to prove that the hacker’s IP address was an instrument of the attack.
Without Rule 902(13) |
With Rule 902(13) |
3. Proving that a person was or was not near the scene of an event.
Hypothetically, Robert Jackson is a defendant in a civil (or criminal) action alleging that he was the driver in a hit-and-run collision with a U.S. Postal Service mail carrier in Atlanta at 2:15 p.m. on March 6, 2015. Mr. Jackson owns an iPhone, which has software that records machine-generated dates, times, and GPS coordinates of each picture he takes with his iPhone. Mr. Jackson’s iPhone contains two pictures of his home in an Atlanta suburb at about 1 p.m. on March 6. He wants to introduce into evidence the photos together with the metadata, including the date, time, and GPS coordinates, recovered forensically from his iPhone to corroborate his alibi that he was at home several miles from the scene at the time of the collision.
Without Rule 902(13) |
With Rule 902(13) |
4. Proving association and activity between alleged coconspirators
Hypothetically, Ian Nichols is charged with conspiracy to commit the robbery of First National Bank that occurred in San Diego on January 30, 2015. Two robbers drove away in a silver Ford Taurus. The alleged co-conspirator was Dain Miller. Dain was arrested on an outstanding warrant on February 1, 2015, and in his pocket was his Samsung Galaxy phone. The Samsung phone’s software automatically maintains a log of text messages that includes the text content, date, time, and number of the other phone involved. Pursuant to a warrant, forensic technicians examined Dain’s phone and located four text messages to Ian’s phone from January 29: “Meet my house @9”; “Is Taurus the Bull out of shop?”; “Sheri says you have some blow”; and “see ya tomorrow.” In the separate trial of Ian, the government wants to offer the four text messages to prove the conspiracy.
Without Rule 902(13) |
With Rule 902(13) |
Hearsay Objection Retained
Under Rule 902(13), the opponent—here, criminal defendant Ian—would retain his hearsay objections to the text messages found on Dain’s phone. For example, the judge would evaluate the text “Sheri says you have some blow” under F.R.E. 801(d)(2)(E) to determine whether it was a coconspirator’s statement during and in furtherance of a conspiracy, and under F.R.E. 805, to assess the hearsay within hearsay. The court might exclude the text “Sheri says you have some blow” under either rule or both.
5. In the armed robbery hypothetical, above
Forensic technician Smith made a forensic copy of Dain’s Samsung Galaxy phone in the field. Smith verified that the forensic copy was identical to the original phone’s text logs using an industry standard methodology (e.g., hash value or other means). Smith gave the copy to forensic technician Jones, who performed his examination at his lab. Jones used the copy to conduct his entire forensic examination so that he would not inadvertently alter the data on the phone. Jones found the text messages. The government wants to offer the copy into evidence as part of the basis of Jones’s testimony about the text messages he found.
Without Rule 902(14) |
With Rule 902(14) |