Electronic Evidence Power Point V6 Final

  • 1,298 views
Uploaded on

From ESI to Evidence

From ESI to Evidence

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,298
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
55
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. From ESI to Evidence Presented by: William F. Hamilton Tampa, Florida
  • 2. “Documents” Are Now Electronic
    • “Documents” are now electronically created and stored
    • =
    • New admissibility issues
  • 3.
    • Emails
    • Web pages
    • Text messages
    • Digital voice recordings
    • Data base compilations
    • Digital photographs
    • Computer logs
    ESI Comes in Numerous Flavors
  • 4. Admissibility of ESI
    • The New Paradigm: Data is Everywhere
      • Paper printing is a partial glimpse of the underlying data
    • Three characteristics of ESI:
      • Volatile and easily alterable
      • Voluminous and variegated
      • Dispersed and co-located
  • 5. Admissibility of ESI
    • The “Final Frontier”:
      • “ [C]onsidering the significant costs associated with the discovery of ESI, it makes little sense to go through all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration at summary judgment because the proponent cannot lay a sufficient foundation to get it admitted .“ J. Grimm.
    *
  • 6. Admissibility of ESI
    • The Five Hurdles
      • Relevance
      • Authenticity
      • Hearsay
      • Original Writing Rule
      • Unfair Prejudice
      • Lorraine v. Markel , 241 F.R.D. 534 (D. Md., 2007)
  • 7. The First Hurdle
    • Is the Evidence Relevant?
  • 8. Relevance of ESI
    • Rules 401, 402, and 105
      • Does the ESI have ”any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.”
      • Relatively low threshold ; once admitted, the trier of fact determines the weight of the evidence.
      • Practice tip: ESI may be relevant for many reasons--state them all.
  • 9. Second Hurdle
    • Is the document authentic?
  • 10. ESI – Inauthentic
    • What is real?
      • Fishing email
      • phishing
    Consumers
  • 11. ESI Inauthentic
    • What is Real?
      • Sources Altered
        • Websites – Home page hijacked
        • Photos – Cosmetic adjustments or more….
        • Photo-shopping the verb
      • Software bugs and application failures
        • Programmed incorrectly
        • Calculated incorrectly
  • 12. ESI Inauthentic
    • What is Real?
      • Fake Google results
      • Identity theft
      • Data alteration
        • Forging; creation of electronic data after the fact
      • Chatroom Spoofing
        • Who are you really chatting with?
  • 13. Authentication of ESI: FRE 901(a)
    • Provides that the authentication of a document is "satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims."
    • Rule 901 requires a “foundation from which a jury could reasonably find that the evidence is what the proponent says it is...”
    • United States v. Safavian , 435 F. Supp. 2d 36 (D.C.C. 2006).
  • 14. Authentication of ESI
    • Easy to overlook
      • “…[C]ounsel often fail to meet even this minimal showing when attempting to introduce ESI, which underscores the need to pay careful attention to this requirement. Indeed, the inability to get evidence admitted because of a failure to authenticate it almost always is a self-inflicted injury which can be avoided by thoughtful advance preparation.”
      • Lorraine, 241 F.R.D at 534, 542
  • 15. Authentication of ESI
    • Circumstances count
      • Evidentiary showing required to introduce electronic data evidence varies among courts
        • United States v. Whitaker , 127 F.3d 595 (7th Cir.1997). FBI agent obtained printout of business records for drug business from suspect's computer by operating computer, installing Microsoft Money and printing records. The court found testimony of agent with personal knowledge of process used to retrieve and print data provided sufficient authentication of the records.
        • Gates Rubber Co. v. Bando Chemical Industries, Ltd. , 167 F.R.D. 90 (D. Colo. 1996) T he court imposed sanctions for the failure to use the most current forensic technology available to perform the work, which was imaged copy, not the file-by-file copy used.
  • 16. Authentication of ESI: FRE 901(b)
    • Rule 901(b)(1)-testimony by a witness with knowledge that a matter is what it is claimed to be
    • Rule 901(b)(3)-comparisons by the trier of fact or expert witnesses with specimens which have been authenticated. Safavian , 435 F. Supp. 2d at 40
    • Rule 901(b)(4)-identified by “appearance, contents, substance, internal pattern, or other distinctive characteristics, taken in conjunction with the circumstance. United States v. Siddiqui , 235 F.3 rd 1318 (11 th Cir. 2000)
  • 17. Authentication of ESI: FRE 901(b)(9)
    • Rule 901(b)(9)- authentication by evidence “describing a process or system used to produce a result and showing that the process or system produces an accurate result.”
    • A safe foundation can be established with the strict approach of In re Vee Vinhnee , 336 B.R. 437,(9 th Cir. BAP., CA 2005)
  • 18. Authentication of ESI: FRE 901(b)(9)
    • The business uses a computer and the computer is reliable
    • The business has developed a procedure for inserting data into the computer
    • The procedure has built-in safeguards to ensure accuracy and identify errors
    • The business keeps the computer in a good state of repair
    • The witness had the computer readout certain data
    • The witness used the proper procedure to obtained the readout
    • The witness explains how he or she recognizes the readout
    • If the readout contains strange symbols or terms, the witness explains the meaning
    • Imwinkelried, Evidentiary Foundations , at 4.03[2]
  • 19. Authentication of ESI: Typical Challenges
    • Challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created.
    • Question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records.
    • Challenge the authenticity of computer-stored records by questioning the identity of their author.
  • 20. Authentication of ESI: Record a Chain of Custody
    • Shows data was not changed. The less susceptible an exhibit is to alteration or tampering, the less strictly the chain of custody rule is applied
    • Needed when:
      • Evidence is not readily identifiable,
      • No witness with personal knowledge to identify, or
      • Evidence susceptible to alteration by tampering or contamination.
    • Particularly important when:
      • Preserving/storing data
      • Searching for creation/alteration data (e.g., date created),or
      • Searching for any evidence of fabrication.
    • United States v. Howard-Arias, 679 F.2d. 363,366 (4 th Cir. 1982)
  • 21. Authentication of ESI
    • Technical Aspects of Chain of Custody
      • Establish chain of custody by making copy of data and immediately storing original in a controlled access location.
        • Use reliable copying process that meets industry standards for reliability, is capable of independent verification, and can create tamper proof copies, like “mirror image” or bit-by-bit image
        • Image of data includes all unused and partially overwritten spaces on electronic media where important evidence may reside
        • When properly done, forensically sound image does not alter information on the original hard drive or electronic media.
        • Use of forensic expert to assist in assuring chain of custody and authentication is highly recommended.
        • To ensure security, all copies and originals should be write-protected, properly labeled by time, date and source, and securely stored.
      • Never work on original data, only copy
  • 22. Authentication of ESI
    • Maintain Data Integrity
      • Must be able to demonstrate in court that the information obtained from the media is a true and accurate representation of the information originally contained in the media.
      • Issues surrounding Chain of Custody:
        • Physical
        • Acquisition
  • 23.
    • Creates a specific alpha-numeric identifier for each file. Any change in the file will produce a dramatically different hash value.
    • http://ralphlosey.wordpress.com/2007/09/07/law-review-article-published-on-the-mathematics-underlying-e-discovery-hash-the-new-bates-stamp/
    Authentication of ESI: Hash Technology
  • 24. Authentication of ESI: Experts under 901(b)(3)
    • Expert Qualification – "a person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resulting data" is a "qualified witness" and may need to authenticate data or interpret recovered data.
  • 25. Authentication of ESI: Expert Questions
    • What is the evidence, or what does it purport to be? Forensics Expert: "This is a printout of data that I recovered on 4/26/07 from the hard disk drive primarily used by John Doe of the Acme Corporation."
    • Where did it allegedly come from? Forensics Expert: "The hard drive was taken from the office of John Doe on 1/1/07. It was contained within a Generic PC bearing model XXXX and S/N YYYY."
    • Who created, discovered, or recovered it? Forensics Expert: "The data appears to have been created by John Doe. I discovered and recovered it from his hard disk drive using computer forensic techniques."
    • How was it created, discovered, or recovered? Forensics Expert: "I made an image of the hard disk drive using a forensic imaging device. This device is designed to make a perfect copy of a disk and does not alter the data on the disk being copied."
  • 26. Authentication of ESI: Expert Questions
    • Were there any material changes, alterations, or modifications during the recovery of the evidence such that it may no longer be what it once was? Forensics Expert: "No. Our processes as well as the tools that we use are designed to ensure that no changes whatsoever occur to the original media and data we work on. We use write-blocking devices as an extra precaution in this regard. We test our tools, both software and hardware in order to validate that no changes are made to the original media, and to insure that a perfect image is made of that media."
    • What has happened to it since the time it was created, discovered, or recovered? Is there any chance that the evidence was changed, altered, or modified between the time you imaged the drive and today? Forensics Expert: "Here is our 'chain of custody' documentation which indicates where the media has been, whose possession it has been in, and the reason for that possession. There is no chance that during that time any of the evidence was changed/altered/modified from the form in which it existed on the drive that we imaged on 12/15/03.
  • 27. Authentication of ESI: Data Acquisition
    • Document process followed to create the copy. The basic framework to follow is who, what, when, where, and how.
      • Start by documenting who is extracting data, including date and time of extraction, and who is present.
      • Briefly describe the steps necessary to start the extraction process.
      • Document when extraction completed. If software displays a window that shows extraction 100% successful, capture screenshot.
      • Once copy is created, secure and preserve it. Do NOT try to open it or attach the file to an Outlook profile.
      • Right-click the file and review its file properties. (Document the properties by capturing a screenshot at beginning and end of process)
      • If the file needs to be copied to a secure server area before being copied to storage media, just document the steps. Each time it is copied, capture a screenshot of the file properties and compare it to the original.
  • 28. Authentication of ESI: “Mirror Image” Challenges
    • State v. Cook , 149 Ohio App.3d 422, 777 N.E.2d 882 (2002).
    • Def. claimed State didn’t establish reliability of mirror-image, citing:
      • Lack of testimony about forensic vendor’s qualifications;
      • Failure of protective measures like antistatic bags;
      • Failure to check time on computer when first image made;
      • Whether proper procedures followed for pulling plug and maintaining energy to internal battery; and
      • Did not know how hard drive removed.
    • Court held data was properly authenticated; conflicting testimony went to weight of evidence, not admission.
  • 29. Authentication of ESI: Ubiquitous Email
    • “There is no form of ESI more ubiquitous than email, and it is the category of ESI at issue in this case. Although courts today have more or less resigned themselves to the fact the “we live in an age of technology and computer use where e-mail communication now is a normal and frequent fact for the majority of this nation’s populations, and is of particular importance I the profession world, it was not very long ago that they took a contrary view.” Lorraine, 241 F.R.D. at 554.
  • 30. Authentication of ESI: Produced Documents
    • Documents introduced against a party which produced them are deemed authentic.
    • “The emails in question were produced by Defendants during the discovery process. Such documents are deemed authentic when offered by a party opponent. “ Sklar v. Clough , 2007 WL 2049698 (N.D. Ga)
  • 31. Authentication of ESI: Ubiquitous Email
    • Direct knowledge of participant in exchange is best- 901(b)(1)
    • Circumstantial evidence (FRE 901(b)(4)): “content and circumstances” -901(b)(4)
    • Circumstantial evidence: markings, addresses, logos- 901(b)(4)
    • Expert testimony and comparison- 901(b)(3)
  • 32. Authentication of ESI: Websites
    • Witness with personal knowledge- 901(b)(1)
    • Expert testimony- 901(b)(3)
    • Distinctive characteristics- 901(b)(4)
    • Public records- 901(b)(7)
    • System results- 901(b)(9)
    • Official publication- 902(5)
    • Lorraine , 241 F.R.D. at 556.
  • 33. Authentication of ESI: Websites
    • Hutchens v. Hutchens-Collins , 2006 WL 3490999 (D.Or. 2006)
      • Defendant hired forensic vendor to download content of website pages to “write-only” CD-ROM’s.
      • Website freely available on internet.
      • Vendor tracked registered domain name to plaintiff’s corporation through publicly available WHOIS system.
      • Court held that totality of circumstances sufficient to authenticate website documents.
  • 34. Authentication of ESI: Chat Rooms
    • Most commonly utilized:
      • 901(b) (1)-witness with personal knowledge
      • 901(b)(4)-circumstantial evidence of distinctive characteristics
  • 35. Authentication of ESI: Chat Rooms
    • United States v. Tank , 200 F.3rd 627 (9th Cir. 2000).
    • The court held gov’t. adequately authenticated chat room log printouts maintained by a co-defendant.
    • The government evidence included testimony from the co-defendant about the procedure he used to create logs and his recollection that logs appeared to be accurate representation of conversations among members.
    • Despite co-defendant’s deletion of portion of log to free up space, log was authenticated. Deletions would go to weight of evidence, not admissibility.
  • 36. Authentication of ESI: Chat Rooms
    • United States v. Simpson, 152 F.3 rd 1241
      • Circumstantial evidence
        • “ The evidence introduced at trial clearly satisfies this standard. In the printout of the chat room discussion, the individual using the identity “Stavron” gave Detective Rehman his name as B. Simpson and his correct street address. The discussion and subsequent e-mail exchanges indicated an e-mail address which belonged to Simpson. And the pages found near the computer in Simpson's home and introduced as evidence as Plaintiff's Exhibit 6 contain a notation of the name, street address, e-mail address, and telephone number that Detective Rehman gave to the individual in the chat room. Based on this evidence, the exhibit was properly authenticated and admitted as evidence”
  • 37. Third Hurdle: Hearsay (Rules 801-807)
  • 38. The Hearsay Hurdle: Is it Hearsay?
    • A Statement
    • By a Declarant
    • Offered to Prove contents
    • Not excluded from Hearsay definition, and
    • Not covered by one of the exceptions.
  • 39. The Hearsay Hurdle: ESI
    • ESI has unique attributes that create unique problems for admission as evidence
      • What parts are “statements” or machine created?
      • What statements are defined as non-hearsay? -801(d)
      • What exclusions apply? -803 and 804
  • 40. The Hearsay Hurdle: Email Admitted as Admissions
    • Siddiqui , 235 F.3 rd at 1323 –admission: authored by defendant
    • Safavian , 435 F. Supp. 2d at 43-adoptive admission
    • Perfect 10 , 213 F. Supp. 2d at 1155-admissions of employee emails against defendant
  • 41. The Hearsay Hurdle: Websites
    • Images and text introduced to show the images and text found on the websites are not statements at all, thus fall outside the ambit of the hearsay rule.
    • Telewizja Polska Usa, Inc., V. Echostar Satellite Corp., 2004 WL 2367740, *6 (N.D.Ill. 2004)
    • Contents of a website may be considered an admission of a party-opponent, and are not barred by the hearsay rule.
    • See Van Westrienen v. Americontinental Collection Corp., 94 F.Supp.2d 1087, 1109 (D.Or.2000).
  • 42. Hearsay Hurdle: Business Records Exception
    • FRE 803(6): made at or near time of acts; by a person with knowledge; kept in the course of a regularly conducted business activity; regular practice of business to make the report
    • Timing and personal knowledge applied liberally
    • “Regularity and continuity” requirement more problematic—must show that the author had a routine practice of using email in the manner shown and of recording events within a short time to bolster accuracy – “habits of precision”
    • United States v. Ferber , 966 F. Supp. 90, 98 (D. Mass. 1997)
  • 43. Hearsay Hurdle: Regular Practice of Business
    • Committee notes: where employee has a duty to make an accurate record, more likely to be admitted under exception
    • So, even when it is the employee’s regular practice, if the employer does not require that the record be made or have any policy that email is to be used for that purpose, this prong not satisfied.
    • United States v. Ferber , 966 F. Supp. 90, 98 (D. Mass. 1997)
  • 44. Hearsay Hurdle: Regular Practice of Business
    • Monotype Corp. v. International Typeface Corp. , 43 F. 3d 443 (9 th Cir. 1994)
      • Distinguished email from electronic inventory or database system
      • Email is “communications between employees” and not “records of company activity” – “casual and informal in nature” – “result of . . . individual judgment and discretion”
    • Westfed Holdings, Inc. v. United States , 55 Fed. C1. 544 (2003) (echoing concerns about informality and author’s discretion)
  • 45. Hearsay Hurdle: Regular Practice of Business
    • United States v. Goodchild , 25 F.3d 55 (1 st Cir. 1994) (court admitted electronic notes of credit card company employees of conversations)
    • DirecTV v. Murray , 307 F.Supp.2d 764 (D.S.C. 2004): authentication and business record exception established by affidavit testimony that email orders for products regularly received and retained as record of the order
    • New York v. Microsoft Corp. , 2002 WL 649951 (D.D.C. Apr. 12, 2002)(failure to show regular practice of employee-email string excluded).
  • 46. Other Hearsay Exceptions
    • Excited utterance – in act of writing email declarant likely not to still be under stress/excitement – also most business events not “shocking” enough
      • United States v. Ferber, 966 F. Supp. 90 (D. Mass. 1997)(present sense impression, but not excited utterance)
      • State of New York v. Microsoft, 2002 WL 649951(D.D.C. 2002)
    • IM and Text Messaging – the new frontier in applying the exception?
  • 47. Other Hearsay Exceptions
    • Present state of mind: e.g. in trademark litigation, email from customers indicating confusion
      • Microwave Systems Corp. v. Apple Computer, Inc. , 126 F. Supp. 2d 1207 (S.D. Iowa 2000)
  • 48. Hearsay Hurdle: Word and Excel Documents
    • Hearsay/Business Record exception: more likely to apply
    • United States v. Catabran , 836 F.2d 453 (9 th Cir. 1988): computer printouts are business records
    • United States v. Hamilton , 413 F.3d 1138 (10th Cir. 2005): metadata is not hearsay – hearsay only covers statement by "a person"
    • Does not matter that printout made for purpose of litigation - United States v. Sanders , 749 F.2d 195, 198 (5th Cir. 1984)
  • 49. Fourth Hurdle:
    • The Original Writing Rule aka Best Evidence Rule
  • 50. The Original Writing Rules: Rules 1001-1008
    • Rule 1002. Requirement of Original
    • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required , except as otherwise provided in these rules or by Act of Congress.
  • 51. Rule 1003: Duplicates are Admissible
    • A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.
  • 52. Original Evidence Rule: Printouts
    • Printouts of ESI are admissible pursuant to the best evidence rule.
    • “ If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original". “ Rule 1001(3).
    • Perfect 10, Inc. v. Cybernet Ventures, Inc. , 213 F.Supp.2d 1146, 1155 (C.D.Cal.2002)
  • 53. Rule 1004: Other Evidence of Contents
    • Rule 1004. Admissibility of Other Evidence of Contents
    • The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if--
    • (1) Originals lost or destroyed . All originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith; or
    • (2) Original not obtainable . No original can be obtained by any available judicial process or procedure; or
    • (3) Original in possession of opponent . At a time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing; or
    • (4) Collateral matters . The writing, recording, or photograph is not closely related to a controlling issue.
  • 54. Rule 1004 and Electronic Evidence
    • Rule 1004 has special relevance to ESI.
    • ESI is volatile; data is destroyed on a routine basis under document and data management protocols pursuant to FRCP 37(e).
    • Lost email may be reconstructed from secondary sources: (a) written descriptions, (b) oral testimony, (c) recovered drafts , (d) email threads, and (e) any other admissible evidence tending to prove the contents.
    • Must under take reasonable efforts to obtain original or duplicates.
  • 55. Last Hurdle: Fed. R. Evid. 403
    • Unfair prejudice
    • Misleading
    • Confusion
    • Undue delay
    • Waste of time
    • Cumulative
  • 56. Examples:
    • “…highly derogatory and offensive description”, Monotype Corporation , 43 F.3d at 450.
    • Confusion of animation with actual events, Friend v. Time Manufacturing Co ., 2006 WL 2135807
    • Animation admitted with cautionary instruction, State v. Sayles , 662 N.W. 2d 1(Iowa 2003),
    • Unreliable “voodoo information,” St. Clair v. Johnnys Oyster and Shrimp Inc ., 76 F. Supp. 2d 773 (S.D. Tx. 1999).
  • 57. Rule 403 Has Limited Application
    • Rule 403 is an “extraordinary remedy” whose “major function…is limited to excluding matters of scant or cumulative probative force, dragged in by the heels for the sake of its prejudicial effect.” Sklar v. Clough , 2007 WL 2049698 (N.C. Ga. 2007), citing United States v. Grant, 256 F.3 rd 1146,1155 (11 th Cir. 2001)(denying motion to exclude emails and compilation of emails)
    • Most evidence proffered by the opposition is “prejudicial”
    • Court prefer rely on instructions, curative directions and admonishments to the jury rather than excluding evidence
  • 58. Conclusion: The Courts and Electronic Evidence
    • Know your Judge: Is the Court comfortable with ESI.
    • Know thyself and the sources of your own ESI and follow the chain of custody.
    • Push the opposition to stipulate to authenticity early and often.
    • Offer multiple grounds for the
    • admission of all evidence
    • Follow the “Grimm” 5 Hurdle Approach