Self-Collection of ESI may not be Self-Authenticating

The Radicati group, a technology market research firm, estimates that 269 BILLION emails are sent daily and according to Forbes, there are 16 million text messages sent every MINUTE.

With majority of communications conducted in a digital format…it’s no wonder why electronically stored information (or ESI) has been so prevalent in civil litigation matters. From relevant files on laptops, desktops and servers to cloud storage to text messages or calls on smart devices to notable social media posts, ESI has an omnipresence that is undeniable. At times it may be easier to have custodians self-collect their data. However, amendments to the Federal Rules of Evidence (FRE) 902 may discourage self-collection of data.

Historically, a vast majority of electronically stored data (or even paper documents) had to be authenticated by an expert witness (or the custodian of record) via live courtroom testimony. However, recently there has been an influx of declarations and affidavits and that is due to additions to FRE 902.

Rule 902: Evidence That Is Self-Authenticating

Rule 902: Evidence That Is Self-Authenticating, means evidence subject to this Rules does not require any additional evidence of authenticity to be admitted. This was great, but prior to 2017 it dealt mainly with paper documents and records. And with the increasing number of digital devices and the data created using them; there was a need to address ESI in a way that was not cumbersome nor required testimony of the custodian of record or an expert witness, which can be costly.

Rule 902 Amendments

On December 1, 2017, Rule 902 was amended to included two new sections addressing electronic systems, devices and the files created using and collected from them. The two new sections are FRE 902 (13) and (14). Those sections read as follows:

(13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).

(14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule (902(11) or (12). The proponent also must meet the notice requirements of Rule 902 (11).

NOTE: These amendments refer to other Sections and Rules. Specifically, 902 (11 & 12) AND 803 (6) A-C. Therefore, evidence must also comply with those Rules/Sections as well.

A “qualified person” could be a certified eDiscovery, Forensic, or IT professional; however, the Advisory Committee Notes on Rules-2017 Amendment holds a key piece of information that highlights a necessary step in the collection process to authenticate the integrity of data – generating hash values.

“Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by “hash value”…”

Hash Algorithms

Hashing algorithms (or hash values), such as MD5 and SHA1, are one-way mathematical computations using the contents of a file, drive, or other medium to generate either a 16byte or 20byte value. A hash value is calculated of an original source file, drive, or medium and of the copied/collected file, drive, or medium. When both values match, the integrity of the data has been authenticated. For example, a Notepad text file consisting of only five characters–Hello– will generate a SHA1 hash value of F7FF9E8B7BB2E09B70935A5D785E0CC5D9D0ABF0. Therefore, any copy this file should produce the same SHA1 hash value to confirm that no data was changed during the collection process.

Employing Best Practices

The amendment allows the data to be self-authenticating, when best practices are employed and verified and confirmed using hashes and written certification (e.g., Declaration or Affidavit) from a qualified person. Therefore, it would be beneficial to utilize a trained and certified computer forensic examiner who has the proper forensic knowledge, software and/or hardware tools to protect the data from spoliation and produce hash values to ensure no alterations occurred during collection.

A custodian nor their IT professional may not possess the knowledge of how to collect data in a manner that avoids spoliation of file contents and its metadata. Furthermore, they may not possess the tools necessary to produce the authenticating hash values. Also, it is important to keep in mind that the Windows copy & paste function, often used to copy relevant files from one location to another, or a screen print of posts and images on social media sites are not forensically-sound practices. The copy & paste function can alter pertinent metadata (e.g., created, accessed, and modified dates) and simple print screen captures do not collect the associated metadata (e.g., posting creation and edited dates and times). Therefore, careful consideration must be given when deciding if self-collection is worth the price of inadmissibility of crucial evidence.

The Bottom Line

To conclude, be sure to choose a professional who understands (and utilizes) the tools necessary to perform forensically-sound collections with hashing, and who follows industry best practices to protect the data when performing collections. With those in place, there is a “qualified person” who can provide the written certification necessary to establish authenticity under FRE 902 (13) and (14); thus reducing (or even eliminating) the need for live testimony for majority of data collections.