Rule 901(2)(a)-testimony by a witness with knowledge that a matter is what it is claimed to be
Rule 901(2)(c)-comparisons by the trier of fact or expert witnesses with specimens which have been authenticated. Safavian, 435 F. Supp. 2d at 40 (federal rule)
Rule 901(2)(d)-identified by “appearance, contents, substance, internal pattern, or other distinctive characteristics, taken in conjunction with the circumstance.” United States v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000) (federal rule)
Challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created.
Question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records.
Challenge the authenticity of computer-stored records by questioning the identity of their author.
Authentication of ESI: Record a Chain of Custody
Shows data was not changed. The less susceptible an exhibit is to alteration or tampering, the less strictly the chain of custody rule is applied
Evidence is not readily identifiable,
No witness with personal knowledge to identify, or
Evidence susceptible to alteration by tampering or contamination.
Particularly important when:
Searching for creation/alteration data (e.g., date created), or
Searching for any evidence of fabrication.
United States v. Howard-Arias, 679 F.2d 363, 366 (4th Cir. 1982)
Authentication of ESI: experts under Rule 901(2)(c)
Expert Qualification – "a person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resulting data" is a "qualified witness" and may need to authenticate data or interpret recovered data.
What is the evidence, or what does it purport to be? Forensics Expert: "This is a printout of data that I recovered on 4/26/07 from the hard disk drive primarily used by John Doe of the Acme Corporation."
Where did it allegedly come from? Forensics Expert: "The hard drive was taken from the office of John Doe on 1/1/07. It was contained within a Generic PC bearing model XXXX and S/N YYYY."
Who created, discovered, or recovered it? Forensics Expert: "The data appears to have been created by John Doe. I discovered and recovered it from his hard disk drive using computer forensic techniques."
How was it created, discovered, or recovered? Forensics Expert: "I made an image of the hard disk drive using a forensic imaging device. This device is designed to make a perfect copy of a disk and does not alter the data on the disk being copied."
Disk Area of Concentration
Allocated Space: Allocated by operating system for active user files, system files, all space available to user
Unallocated Space: Space that is recognized by the operating system but not currently assigned. Area for deleted files, temp files used by programs, etc.
Other Areas of Concentration: File Slack and Disk Slack [diagram: 512-byte blocks labelled File Slack and Disk Slack, containing fragments of documents such as a resignation letter and customer lists]
Gates Rubber Co. v. Bando Chemical Indus., Ltd., 167 F.R.D. 90, 112 (D.C. Col., 1996).
Court defined a legal duty on the part of litigants or potential litigants to perform proper computer forensic examinations.
Examiner failed to do a mirror image copy of the target hard drive and instead did a file-by-file copy, resulting in the loss of data.
Evidentiary sanctions and criticized the examiner for failing to make an image copy of the hard drive, finding that when processing evidence for judicial purposes a party has “a duty to utilize the method which would yield the most complete and accurate results.”
EnCase Recognized By Courts
State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist. Feb. 16, 2005). In this appellate case from Ohio, the original hard drive, which belonged to a third party, was overwritten. All that was available at the time of trial was the EnCase Evidence File containing the image of the drive. The court's decision in this case validates the MD5 hash process and considers forensic disk images to be exact copies and admissible when the “original” is no longer available.
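An added example, not part of the original slides: a constructed toy volume showing why the file-by-file copy criticized in Gates Rubber loses slack and unallocated data that a bit-for-bit image keeps, and how an MD5 comparison of the kind accepted in State v. Morris shows whether the image is unchanged. The cluster size, file name and contents are assumptions made up for illustration.

```python
import hashlib

SECTOR = 512            # block size labelled on the slack-space slide
CLUSTER = 4 * SECTOR    # assumed allocation unit for this toy volume

def build_disk():
    """Constructed volume: cluster 0 holds a live file written over an older,
    longer document; cluster 1 holds a deleted file; cluster 2 is empty."""
    old = b"RESIGNATION DRAFT: I am taking my clients with me. " * 30
    live = b"I love my job and want to stay here forever!"
    c0 = bytearray(old.ljust(CLUSTER, b"\x00")[:CLUSTER])
    c0[:len(live)] = live                       # only the new file's length is overwritten
    c1 = b"CUSTOMER LIST (deleted)".ljust(CLUSTER, b"\x00")
    table = {"letter.txt": (0, len(live))}      # allocated files: name -> (cluster, size)
    return bytes(c0) + c1 + bytes(CLUSTER), table

def file_by_file_copy(disk, table):
    """Logical copy: only the bytes the file system assigns to each file."""
    return {name: disk[c * CLUSTER: c * CLUSTER + size]
            for name, (c, size) in table.items()}

def forensic_image(disk):
    """Bit-for-bit image: every sector, allocated or not."""
    return bytes(disk)

def file_slack(image, table, name):
    """Bytes between the end of the file and the end of its cluster."""
    c, size = table[name]
    return image[c * CLUSTER + size: (c + 1) * CLUSTER]

def md5(data):
    return hashlib.md5(data).hexdigest()        # MD5 because the slide names it

def verify(image, acquisition_hash):
    """True only if the image still matches the hash recorded at acquisition."""
    return md5(image) == acquisition_hash

if __name__ == "__main__":
    disk, table = build_disk()
    acquired = md5(disk)                        # recorded when the drive is imaged
    copy, image = file_by_file_copy(disk, table), forensic_image(disk)
    print("copy has old draft:  ", b"clients" in b"".join(copy.values()))
    print("image slack has it:  ", b"clients" in file_slack(image, table, "letter.txt"))
    print("image has deleted file:", b"CUSTOMER LIST" in image)
    print("image verifies:      ", verify(image, acquired))
    altered = image[:100] + b"X" + image[101:]
    print("altered verifies:    ", verify(altered, acquired))
```

The logical copy returns only the 44-byte live letter, while the image keeps the earlier draft in file slack and the deleted file in unallocated space; a one-byte change to the image makes the hash comparison fail.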
State v. Cook, 777 N.E.2d 882, 886 (Ohio App. 2002)
In this case the defendant appealed his conviction of possessing child pornography and designation as a sexual predator, challenging what he claimed was “the lack of reliability of processes used to create two mirror images of the hard drive.” The Ohio Appellate court addressed this argument by describing in detail how the EnCase software was used to make the image of the hard drive. The court further noted that the investigator was trained in the use of EnCase and, in upholding the validity of the images, stated: “In the present case, there is no doubt that the mirror image was an authentic copy of what was present on the computer's hard drive.”
“DIY” Collection Programs
Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., 2005 WL 679071 at *4 (Fla. Cir. Ct. Mar. 1, 2005), subsequent decision, 2005 WL 674885 (Fla. Cir. Ct. Mar. 23, 2005).
Morgan Stanley decided to collect electronic documents themselves, using software they developed in-house. [A Morgan Stanley employee] reported that…she and her team had discovered a flaw in the software they had written and that flaw had prevented [Morgan Stanley] from locating all responsive email attachments. [She also] reported that [Morgan Stanley] discovered…that the date-range searches for email users who had a Lotus Notes platform were flawed, so there were at least 7,000 additional e-mail messages that appeared to fall within the scope of [existing orders]...
Sanctions!