“[C]onsidering the significant costs associated with the discovery of ESI, it makes little sense to go through all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration at summary judgment because the proponent cannot lay a sufficient foundation to get it admitted.” J. Grimm.
“…[C]ounsel often fail to meet even this minimal showing when attempting to introduce ESI, which underscores the need to pay careful attention to this requirement. Indeed, the inability to get evidence admitted because of a failure to authenticate it almost always is a self-inflicted injury which can be avoided by thoughtful advance preparation.”
Evidentiary showing required to introduce electronic data evidence varies among courts
United States v. Whitaker, 127 F.3d 595 (7th Cir. 1997). An FBI agent obtained a printout of business records for a drug business from the suspect's computer by operating the computer, installing Microsoft Money and printing the records. The court found that testimony of the agent, who had personal knowledge of the process used to retrieve and print the data, provided sufficient authentication of the records.
Gates Rubber Co. v. Bando Chemical Industries, Ltd., 167 F.R.D. 90 (D. Colo. 1996). The court imposed sanctions for the failure to use the most current forensic technology available to perform the work, which was an imaged copy, not the file-by-file copy used.
Rule 901(b)(1): testimony by a witness with knowledge that a matter is what it is claimed to be
Rule 901(b)(3): comparisons by the trier of fact or expert witnesses with specimens which have been authenticated. Safavian, 435 F. Supp. 2d at 40
Rule 901(b)(4): identified by “appearance, contents, substance, internal pattern, or other distinctive characteristics, taken in conjunction with the circumstances.” United States v. Siddiqui, 235 F.3d 1318 (11th Cir. 2000)
Authentication of ESI: Experts under 901(b)(3)
Expert Qualification – "a person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resulting data" is a "qualified witness" and may need to authenticate data or interpret recovered data.
What is the evidence, or what does it purport to be? Forensics Expert: "This is a printout of data that I recovered on 4/26/07 from the hard disk drive primarily used by John Doe of the Acme Corporation."
Where did it allegedly come from? Forensics Expert: "The hard drive was taken from the office of John Doe on 1/1/07. It was contained within a Generic PC bearing model XXXX and S/N YYYY."
Who created, discovered, or recovered it? Forensics Expert: "The data appears to have been created by John Doe. I discovered and recovered it from his hard disk drive using computer forensic techniques."
How was it created, discovered, or recovered? Forensics Expert: "I made an image of the hard disk drive using a forensic imaging device. This device is designed to make a perfect copy of a disk and does not alter the data on the disk being copied."
Were there any material changes, alterations, or modifications during the recovery of the evidence such that it may no longer be what it once was? Forensics Expert: "No. Our processes as well as the tools that we use are designed to ensure that no changes whatsoever occur to the original media and data we work on. We use write-blocking devices as an extra precaution in this regard. We test our tools, both software and hardware, in order to validate that no changes are made to the original media, and to ensure that a perfect image is made of that media."
What has happened to it since the time it was created, discovered, or recovered? Is there any chance that the evidence was changed, altered, or modified between the time you imaged the drive and today? Forensics Expert: "Here is our 'chain of custody' documentation which indicates where the media has been, whose possession it has been in, and the reason for that possession. There is no chance that during that time any of the evidence was changed/altered/modified from the form in which it existed on the drive that we imaged on 12/15/03."
Document process followed to create the copy. The basic framework to follow is who, what, when, where, and how.
Start by documenting who is extracting data, including date and time of extraction, and who is present.
Briefly describe the steps necessary to start the extraction process.
Document when extraction completed. If software displays a window that shows extraction 100% successful, capture screenshot.
Once copy is created, secure and preserve it. Do NOT try to open it or attach the file to an Outlook profile.
Right-click the file and review its file properties. (Document the properties by capturing a screenshot at beginning and end of process)
If the file needs to be copied to a secure server area before being copied to storage media, just document the steps. Each time it is copied, capture a screenshot of the file properties and compare it to the original.
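The who/what/when record and the compare-after-each-copy step described above can also be captured in machine-readable form. The following is an added example, not part of the original material; it goes beyond the screenshot comparison on the page by recording a SHA-256 digest alongside the file properties, and the file names and examiner name are constructed placeholders.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

COMPARED = ("size_bytes", "modified_utc", "sha256")  # properties checked after each copy

def _utc(ts=None):
    t = datetime.now(timezone.utc) if ts is None else datetime.fromtimestamp(ts, timezone.utc)
    return t.isoformat(timespec="seconds")

def file_record(path, examiner, step):
    """Record who/what/when plus file properties; the file is only read as raw bytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"step": step, "examiner": examiner, "recorded_utc": _utc(),
            "path": os.path.abspath(path), "size_bytes": st.st_size,
            "modified_utc": _utc(st.st_mtime), "sha256": digest.hexdigest()}

def differences(original, copy):
    """Return the names of the properties on which a copy departs from the original."""
    return [k for k in COMPARED if original[k] != copy[k]]

def demo():
    work = tempfile.mkdtemp()
    src = os.path.join(work, "export.pst")            # constructed sample file
    with open(src, "wb") as f:
        f.write(b"constructed sample data\n" * 1000)
    log = [file_record(src, "Examiner A", "extraction complete")]
    staged = os.path.join(work, "staged.pst")
    shutil.copy2(src, staged)                         # copy2 preserves timestamps
    log.append(file_record(staged, "Examiner A", "copied to secure server area"))
    clean = differences(log[0], log[1])
    with open(staged, "ab") as f:                     # simulate an unintended change
        f.write(b"\x00")
    log.append(file_record(staged, "Examiner A", "re-check after change"))
    changed = differences(log[0], log[2])
    shutil.rmtree(work)
    return clean, changed, log

if __name__ == "__main__":
    clean, changed, log = demo()
    print(json.dumps(log, indent=2))
    print("copy vs original:", clean or "identical")
    print("altered copy vs original:", changed)
```

A one-byte change that leaves the timestamp within the same second still shows up in the size and digest fields, which is why the digest is worth recording next to the visible file properties.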
Authentication of ESI: “Mirror Image” Challenges
State v. Cook, 149 Ohio App.3d 422, 777 N.E.2d 882 (2002).
Def. claimed State didn’t establish reliability of mirror-image, citing:
Lack of testimony about forensic vendor’s qualifications;
Failure of protective measures like antistatic bags;
Failure to check time on computer when first image made;
Whether proper procedures followed for pulling plug and maintaining energy to internal battery; and
Did not know how hard drive removed.
Court held data was properly authenticated; conflicting testimony went to weight of evidence, not admission.
“There is no form of ESI more ubiquitous than email, and it is the category of ESI at issue in this case. Although courts today have more or less resigned themselves to the fact that ‘we live in an age of technology and computer use where e-mail communication now is a normal and frequent fact for the majority of this nation’s population, and is of particular importance in the professional world,’ it was not very long ago that they took a contrary view.” Lorraine, 241 F.R.D. at 554.
United States v. Tank, 200 F.3d 627 (9th Cir. 2000).
The court held gov’t. adequately authenticated chat room log printouts maintained by a co-defendant.
The government evidence included testimony from the co-defendant about the procedure he used to create logs and his recollection that logs appeared to be accurate representation of conversations among members.
Despite co-defendant’s deletion of portion of log to free up space, log was authenticated. Deletions would go to weight of evidence, not admissibility.
“The evidence introduced at trial clearly satisfies this standard. In the printout of the chat room discussion, the individual using the identity “Stavron” gave Detective Rehman his name as B. Simpson and his correct street address. The discussion and subsequent e-mail exchanges indicated an e-mail address which belonged to Simpson. And the pages found near the computer in Simpson's home and introduced as evidence as Plaintiff's Exhibit 6 contain a notation of the name, street address, e-mail address, and telephone number that Detective Rehman gave to the individual in the chat room. Based on this evidence, the exhibit was properly authenticated and admitted as evidence.”
FRE 803(6): made at or near time of acts; by a person with knowledge; kept in the course of a regularly conducted business activity; regular practice of business to make the report
Timing and personal knowledge applied liberally
“Regularity and continuity” requirement more problematic—must show that the author had a routine practice of using email in the manner shown and of recording events within a short time to bolster accuracy – “habits of precision”
United States v. Ferber, 966 F. Supp. 90, 98 (D. Mass. 1997)
United States v. Goodchild, 25 F.3d 55 (1st Cir. 1994) (court admitted electronic notes of credit card company employees of conversations)
DirecTV v. Murray, 307 F. Supp. 2d 764 (D.S.C. 2004): authentication and business record exception established by affidavit testimony that email orders for products regularly received and retained as record of the order
New York v. Microsoft Corp., 2002 WL 649951 (D.D.C. Apr. 12, 2002) (failure to show regular practice of employee; email string excluded).
A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.
Rule 1004. Admissibility of Other Evidence of Contents
The original is not required, and other evidence of the contents of a writing, recording, or photograph is admissible if--
(1) Originals lost or destroyed. All originals are lost or have been destroyed, unless the proponent lost or destroyed them in bad faith; or
(2) Original not obtainable. No original can be obtained by any available judicial process or procedure; or
(3) Original in possession of opponent. At a time when an original was under the control of the party against whom offered, that party was put on notice, by the pleadings or otherwise, that the contents would be a subject of proof at the hearing, and that party does not produce the original at the hearing; or
(4) Collateral matters. The writing, recording, or photograph is not closely related to a controlling issue.
ESI is volatile; data is destroyed on a routine basis under document and data management protocols pursuant to FRCP 37(e).
Lost email may be reconstructed from secondary sources: (a) written descriptions, (b) oral testimony, (c) recovered drafts, (d) email threads, and (e) any other admissible evidence tending to prove the contents.
Must undertake reasonable efforts to obtain original or duplicates.
Rule 403 is an “extraordinary remedy” whose “major function…is limited to excluding matters of scant or cumulative probative force, dragged in by the heels for the sake of its prejudicial effect.” Sklar v. Clough, 2007 WL 2049698 (N.D. Ga. 2007), citing United States v. Grant, 256 F.3d 1146, 1155 (11th Cir. 2001) (denying motion to exclude emails and compilation of emails)
Most evidence proffered by the opposition is “prejudicial”
Courts prefer to rely on instructions, curative directions and admonishments to the jury rather than excluding evidence
Conclusion: The Courts and Electronic Evidence
Know your Judge: Is the Court comfortable with ESI?
Know thyself and the sources of your own ESI and follow the chain of custody.
Push the opposition to stipulate to authenticity early and often.