Brian Chase: Hello and welcome. My name is Brian Chase, I am
director of digital forensics at Archer Hall. Today we're going to be talking
about the admissibility of digital evidence at trial. Before I get into our
topic, I want to give you a little background on who we are here at Archer
Hall, who I am, and why I'm even qualified to tell you about the admissibility
of digital evidence. Archer Hall is a digital forensics company. That means we
collect data from digital sources, things like cell phones, computers, tablets,
email accounts, social media accounts, electronic medical records. We collect
that data, we analyze it, and we testify about it at trial. My personal
background, I'm a licensed attorney in the state of Arizona. I practiced law
for about 10 years doing plaintiff personal injury work and criminal defense.
I've been doing digital forensics work for about eight years.
I have tried cases as an attorney. I have testified about 20 times
as an expert witness, and I teach at the University of Arizona Law School. I
actually teach a trial skills course there at the law school. This topic today
of admissibility of digital evidence really combines all aspects of my
background, that legal background, that trial background, and the digital
forensics experience that I have. We're going to start today by going over the
Federal Rules of Evidence that generally apply when we're talking about digital
evidence. From there, we're going to talk about some cases where courts have
ruled on the admissibility of digital evidence. I'm going to talk about them
fact-by-fact, introduce the case, and then we'll go over the court's reasoning in
their ruling. This is based on the Federal Rules of Evidence. If you are
practicing in a state court, make sure you check for your state court
equivalents, or state court case law. Additionally, almost all of the cases
we're going to discuss today are criminal cases. That's just because more
criminal cases go up on appeal than civil cases.
That being said, the Rules of Evidence apply equally to
criminal cases and civil cases. Just because something is a criminal case,
doesn't mean it's not going to impact the admissibility of the digital evidence
in your civil case. Let's get started here. We're going to start with Rule 901.
Rule 901 is the authentication or identifying evidence. The rule says, "In
general, to satisfy the requirement of authenticating or identifying an item of
evidence, the proponent must produce evidence sufficient to support a finding
that the item is what the proponent claims it is." What does that mean?
Well, we've got a case here. I picked one. There are many cases that explain
Rule 901. The case I picked here is United States versus Vidacak, it's 553 F.3d
344. It's a 2009 decision from the 4th circuit.
The court says, "The burden to authenticate under Rule
901 is not high. Only a prima facie showing is required. A district court's
role is to serve as gatekeeper in assessing whether the proponent has offered a
satisfactory foundation from which the jury could reasonably find that the
evidence is authentic." That's the key wording right there. A jury could
reasonably find the evidence is authentic. You don't have to prove beyond a
reasonable doubt, you don't have to prove by clear and convincing evidence, you
don't even have to prove it's more likely than not. You have to offer enough
facts that a jury could reasonably conclude that the evidence is authentic.
From Rule 901, we go into Rule 902. Rule 902 is
evidence that is self-authenticating. You've probably dealt with rules 902(11)
and (12) before, that's our self-authenticating business records or records of
a regularly conducted activity. That's where you send out your subpoena, along
with a declaration for the custodian to fill out. That custodian from the
business signs, saying, "Yeah, I'm the custodian of records. These records
are kept in the normal course of business." You give notice to the other
side, you disclose that declaration, and now those business records are
self-authenticating at trial. You do not need to have live testimony to authenticate
it at trial.
There is an equivalent for digital evidence under the
Federal Rules. Those are rules 902(13) and (14). Rule 902(13) are certified
records generated by an electronic process or system. Very similar to Rule
902(11) and (12). If you have a qualified person write a declaration stating
these records were generated by an electronic process or system, then it is
self-authenticating at trial. As long as you follow the requirements, the
notice requirements of Rule 902(11). Rule 902(14) is where things get a little
bit more interesting. This is where most of our work is as digital forensic
examiners.
Rule 902(14) is certified data copied from an electronic
device, storage medium, or file. Essentially the rule says, "If you have a
qualified individual obtain data from a digital medium, like a cell phone, a
file server, or computer, they can write a declaration stating that that
evidence was acquired in a forensically sound manner." Now you don't need
to bring that expert to testify. This rule saves you money. There are so few
rules out there that actually save you money in litigation, but this is one of
them. If you are having an expert obtain data from a digital medium, make sure
they're familiar with this rule so that they can write this declaration, and
then you don't have to bring them to testify about authentication. That's not
to say you won't need them at all. You still might need them for other things,
which we'll get to in a bit, but for authentication, that declaration will
suffice.
How we do this, how we prove things are done in a
forensically sound manner is through what we call a hash value. I pulled a
definition of a hash value from Microsoft. What Microsoft says is, "A hash
value is a numeric value of a fixed length that uniquely identifies data."
Hash values represent large amounts of data as much smaller numeric values, so
they are used with digital signatures. Well they're used in digital forensics
to show data has not been altered. What we do is when we acquire data from a
digital medium, let's say a hard drive, we take a hash value of that hard drive.
Then we take a hash value of our copy of that hard drive. Those hash values
should be identical. Meaning our copy is mathematically proven to be exactly
the same as the original.
Give you another example. Let's take a Word document,
because you can take a hash value of any amount of data. It can be as small as
a Word document. We can take that Word document and run it through this hash
algorithm. These are freely available online, you can download programs like
HashMyFiles that will allow you to do this. Nothing magical about these
algorithms. You run this Word document through the hash algorithm and you get a
resulting hash, this long string of letters and numbers that represent that
file. If we were to go open that Word document, scroll to the end and add a
space, then save the document. We've made a slight change, something that you
might not even notice as a user, seeing that space at the very end, easily
overlooked.
But if you were to run that Word document through that hash
algorithm again, you're going to have a completely different resulting hash.
It's going to look nothing like the original one. It's going to tell us that
that new document, that one with the space in it, is different than the
original. It does not tell us what changed, only that something changed. Hash
values are our way of proving a chain of custody. Proving that a document has
been unaltered since it was acquired, through analysis, all the way through
production. It proves the document is the same as the original.
Let me give you an example of a case where this happened.
This is a 2020 case, pretty recent case from the 6th circuit United States v.
Dunnican. Here, agent Snyder, ATF agent Snyder had acquired data from the
defendant's cell phone, and he wrote a declaration certifying that he extracted
data from the defendant's phone using specialized forensic software. That
software generated a hash. That hash indicated the download was successful,
complete, and accurate. The government then gave notice to the defense under
Rule 902(11) that they did not intend to call agent Snyder at trial. Instead,
they were going to rely on his certification to admit the evidence under Rule
902(14). They did that at trial. The defense objects, says agent Snyder needs
to testify to lay that authentication testimony, and they lose that objection.
Goes up on appeal and the 6th circuit affirms the trial court and says that
agent Snyder did not need to testify. The government complied with rules
902(11) and (14). They provided notice, they provided that declaration, the
data is self-authenticating. It does not require live testimony.
All right, let's move on now to hearsay. Because once you've
authenticated the data, chances are, the reason you want to use that data in
trial is because there's some statement in it. It's an email that asserts
something, a text message, it's a chat message, a Facebook post, a Twitter
post. There's some sort of assertion, so then we have to deal with hearsay.
Hearsay is Rule 801 and 802. 801 are our definitions of hearsay, "Any out
of court statement offered to prove the truth of the matter asserted,"
that's hearsay. Rule 802 says, "Hearsay is inadmissible, unless there is
some statute or rule that says otherwise." Hearsay is generally inadmissible,
but there's a few ways that we're able to deal with hearsay. The first, this is
often referred to as a hearsay exception, although technically it is not. It is
statements by party opponent. This is Rule 801(d)(2). 801(d)(2) is a
definition. 801 being our definitions of hearsay. This is not an exception
because it's in that definition section. By definition, statements by the party
opponent are not hearsay.
Often people say these are admissions by the party opponent.
It doesn't have to be an admission. It just has to be a statement offered
against the party opponent at trial. If you are trying to introduce statements
by the party opponent that were made in emails or text messages, those are not
hearsay. One of the common hearsay exceptions that we see in digital evidence
is business records, Rule 803(6). Technically this rule is called Records of
Regularly Conducted Activity, but commonly people refer to it as the business
record exception. For the business record exception to apply, you need to show
that the record was made at or near the time of the event by somebody with
knowledge. That the record was kept in the regular course of business, and that
making this record was a regular practice of that activity. Then finally you
need to have that declaration from the custodian of records, or live testimony
to assert those three prior elements.
That's a common way we're dealing with digital evidence, is
we're often dealing with records that were generated by a business in their
normal course of business, emails, memos, product testing, all these kinds of
things you'd expect businesses to maintain. But be careful about emails, not
every email is a business record. If I were to go email one of my colleagues
here at Archer Hall and say, "Hey, you want to go grab drinks after
work?" That's not a business record, has nothing to do with the regular
practice of Archer Hall. Just because something is an email from one employee
to another, doesn't make it a business record. There's a couple of cases on
point here. There's United States v. Daneshvar, and I'm not sure I'm
pronouncing that correctly. It's a 6th circuit case from 2019, and there's
United States v. Cone, a 4th circuit case from 2013.
Both of these cases say that just because it was an email
that was made by an employee or part of a business, doesn't make it a business
record. It still has to relate to the regular practice of that business. Going
back to my example, if I were to email my colleague here at Archer Hall and
say, "We have a new phone coming in on this date and time, I need you to
handle the chain of custody for that phone." That would be a business
record. That's our normal course of business, that is a record we normally
maintain. It would go into the file to show how we were handling that evidence.
But that email asking about a social event or happy hour, that's not the
regular course of business, that's not going to be a business record.
Let me give you another example here. This is a criminal
case from the 5th circuit in 2019, it's 917 F.3d 394. In this case, the
district court admitted emails that were produced by Google and Yahoo
purporting to be from the defendants in this criminal case. The government also
obtained certifications from both Google and Yahoo saying they kept these
emails in the regular course of business. The court admitted the emails saying
the document itself was self-authenticating under rules 902(11) and (12) and
803(6), our hearsay exception. Then the court ruled, the content of the email
was admissible under Rule 801(d)(2). They were statements by the opposing
party, the defendant, and they were statements in furtherance of a conspiracy,
both things that are defined as not hearsay under Rule 801.
The court is saying here, the document itself was a business
record, but the contents of the document had nothing to do with the regular
activity of Google or Yahoo, those were statements by the defendant and
therefore those statements were not hearsay. What the court did not address
here is what foundation is required to show that it was the defendants that
authored the document. We're going to come back to that when we go through some
more cases later in this CLE. But keep that in mind, how do you prove the
emails came from the defendant?
Let's first move on to the expert witness rules. Rules 701,
702, 703. Rule 701 says, "Lay witnesses can provide opinions based on
their perception. They cannot provide testimony based on scientific, technical,
or other specialized knowledge. That requires expert testimony." How does
this relate to digital evidence? Well, many courts have ruled that GPS data,
things like Google Timeline or Apple Maps data does not require expert
testimony. They found that juries understand this data. They use Google Maps,
they use Apple Maps. It doesn't require an expert to explain how those work.
Therefore, a lay witness can testify about those things.
Take text messages, juries understand text messages. A lay
witness could testify that they made or received text messages. They could
probably provide the foundation required for those text messages. But a lay
witness would not be able to testify about the databases that store text
messages, and how they work, and how deleted text messages are recovered.
That's technical knowledge that would require expert testimony. Where that line
is between lay witness testimony and expert testimony, well, that's still up
for debate a bit when it comes to certain types of digital evidence. Be sure to
check local case law on this. Different states have ruled differently when it
comes to these aspects of digital evidence. Check your local case law, see if
there's anything on point. But those examples I gave you, those tend to be the
areas where courts are going right now.
Rule 702 is testimony by experts. If you are trying to
introduce how text messages work, how deleted messages are recovered, that's
going to require expert testimony under Rule 702. Experts can testify about
scientific, technical, or other specialized knowledge, so long as that
testimony is based on sufficient facts and data. That the testimony is a
product of reliable principles and methods, and the expert has reliably applied
those principles and methods to the facts of this case. That's essentially our
Daubert standard. If the expert meets those requirements, then they can testify
about their opinions regarding their scientific, technical, or other
specialized knowledge. Rule 703 allows the expert to base their opinions on
inadmissible data. An expert is not confined by simply what would be admissible
at trial.
Additionally, if the expert does base their opinion on
otherwise inadmissible facts or data, the court could allow the expert to
testify about those inadmissible facts and data, if the court finds that the
probative value of those facts substantially outweighs any prejudicial effect.
This is the reverse of Rule 403. Rule 403 being evidence that is substantially
more prejudicial than probative is not admissible. Under Rule 703, the evidence
has to be substantially more probative than it is prejudicial. It's the reverse
of Rule 403. Let me give you an example. Let's say I am hired to download a
witness's cell phone in a case. I go out to meet with that witness to download
that cell and the witness says, "I'm really sorry, last night I dropped my
phone in the toilet and it won't turn on anymore." My opinion could be
that I will never be able to recover data from that phone due to the damage the
phone obtained during that fall, the water damage, and the encryption on the
phone.
So I'm basing it on several things. The witness statement
about how she dropped the phone in the toilet, along with my technical
knowledge about what happens when a phone has water damage. The court would
allow me to give my opinion that I'm not going to be able to obtain data from
that phone, even though my opinion is partially based on hearsay. Additionally,
the court could allow me to testify that the witness told me that she dropped
the phone in the toilet. As long as the court deems that those facts are
substantially more probative than prejudicial in helping the jury assess my
opinion. In that situation, it's pretty unlikely that a court would find that
those statements are prejudicial. So the court would likely allow me to tell
the jury that the witness told me the phone was dropped in the toilet, and
that's how I know there's water damage.
All right, the last set of rules we're going to go over here
before we switch to covering some cases is the best evidence rules, Rules 1001,
1002 and 1003. These rules are not commonly used. There's very little case law
out there on these rules, especially when it comes to using these rules for
digital evidence. Rule 1001 is our definitions of best evidence. Rule 1002 is
the requirement for an original. Meaning, if you want to produce a photograph,
a document, text messages, you need the original. Rule 1003 says, "Well,
you can also use a duplicate." It says, "A duplicate is admissible,
to the same extent as the original, unless a genuine question is raised about
the original's authenticity or the circumstances make it unfair to admit the
duplicate."
This comes up a lot when we deal with screenshots of
evidence. A screenshot of an email, or a screenshot of a text message, or a
printout of an email, those are not the original, they are duplicates and they
are duplicates that are easily modified and faked. So there could be genuine
questions about the duplicate. It doesn't contain the metadata that helps us
authenticate it and prove that it is real. It can be altered with programs like
Photoshop. This comes up all the time, and yet there's very little case law on
it. Anytime you're not dealing with an original, or you're not dealing with a
duplicate made by a forensic examiner under Rule 902(14), you want to be
thinking about best evidence. Is there a genuine question about the
authenticity of this duplicate, of this screenshot, or printout, or PDF
version? If so, you want to be raising best evidence challenges.
All right, let's talk about some cases. We're going to go
through these cases, almost all of them are federal court cases. There's a
couple state court cases from Arizona where I am. But Arizona does follow the
Federal Rules of Evidence, so while they're state court cases, I do think
they're helpful in analyzing Federal Rules. Let's get to our first case. This
is a case involving Facebook and YouTube pages. In this case, the government
introduced screenshots of the defendant's Facebook and YouTube page. The
Facebook screenshots show the defendant's biographical information with
listings of their interests. Things like where they went to school, their
friends, their family, sports teams they follow, things like that that you see
on Facebook. Those interests match the defendant's true interests and true
biographic information.
The Facebook page had links to the YouTube page that the
government was claiming also belonged to the defendant. Finally... or I
shouldn't say finally, not yet. The certification from the custodian of records
from Facebook or Google verified that the pages had been maintained in the
regular course of business. There was a certification, Facebook said,
"Yeah, we kept this page in the normal course of business." Google
said, "Yes, we kept this YouTube page in the normal course of business."
Now we get to the finally part. Finally, tying the accounts to the defendant's
IP address. There was information that tied the defendants to the IP... or the
defendant's IP address to both accounts. The ruling in this case, admissible.
The court said, "There was no abuse of discretion in admitting the
Facebook pages and YouTube pages." It's U.S. v. Hassan, 742 F.3d 104.
I think the critical fact in this case was that IP address
information. Let me tell you a little bit about IP addresses and why they are
important. An IP address is like your street address on the internet. When you
plug in your cable modem or your DSL modem in your home, you plug in that box
to your phone line or your cable connection, that box reaches out to your
internet service provider, companies like Comcast, Verizon, Cox, CenturyLink.
It says, "Hey, I'm here. Please give me an IP address." Your internet
service provider assigns your home a public IP address, meaning a public
facing, like your street address.
How that works, let's say you're sitting at your computer
and you go to cnn.com in your browser. So you type in cnn.com. What your
computer does in the background is it looks up CNN's public IP address, its
address on the internet. Then it sends a request like a letter to CNN, it's
actually called a packet. It addresses that packet, just like it would address
an envelope, to CNN's address. In this case, their IP address. Then in that
packet, it says, "Hey, I would like a copy of your website. I want to view
the front page." Sends that off in the internet. That packet gets routed
just like the mail. It goes from server to server, or from post office to post
office, until it gets to CNN. CNN then gets that packet. They see up in the top
corner of like that envelope, your return address, your return IP address, your
public IP address is in that packet.
Technically, it's a series of packets, it's not just one,
but that doesn't really matter for our purposes today. CNN gets that packet,
they open it up and say, "Oh, this IP address would like our
website." They package up their website, they shove it back in that
packet, and then they return it. They send it to your public IP address, to
your return address. Then it gets routed back through the internet, back
through the mail system, until it arrives back at your home, and then your
computer displays cnn.com. Of course, all of that happens nearly
instantaneously. That's how the IP addresses work. In this case, there was data
from Facebook and from YouTube that had the same IP address. Meaning the same
person was logging into these accounts.
Let me give you a caveat though. Not necessarily the same
person under that IP address. Everyone in your home is using the same IP
address. Every device that's connected to that modem is using the same public
IP address. What happened in this prior case is they had IP addresses from
Facebook, from YouTube. They see the same IP address logged into both accounts,
logged into that Facebook account, logged into that YouTube account. Then what
they do is they trace the IP address. They say, "Okay, who owns
this?" Let's say Verizon owns that IP address. They go to Verizon, they
send Verizon a subpoena or a warrant. They say, "Verizon, tell us which
customer you gave this IP address to on this date and time." The date and
time that the YouTube video was uploaded, or the Facebook page was logged into.
Verizon says, "Oh yeah, we assigned that to our customer, Joe Smith at 123
Main Street."
Now the government's taken this kind of anonymized data,
this anonymized Facebook data or YouTube data, they've taken that IP address
and they've translated it back into a street address. If the defendant lives at
that home, that's a pretty good indication that the defendant's the one
responsible. It's not proof, could be the defendant's roommate, could be their
family members or friends that were over at the home. But remember, Rule 901
doesn't require that you prove it came from the defendant. You have to provide
sufficient facts from which a jury could reasonably conclude that the data is
authentic. Certainly in this case, you've got the defendant's name associated
with these accounts, the defendant's true biographical information on that
Facebook account, and then an IP address that traces back to the defendant's
home. A jury certainly could reasonably conclude the defendant is the one
responsible for that Facebook and YouTube page. Therefore, that data was
admissible.
All right, let's talk now about website printouts. In this
case, it's a printout of a website. The witness who is on the stand has not
previously seen the printout or the website, but the printout is from the
American Board of Emergency Medicine. The witness agrees that the American
Board of Emergency Medicine is an authoritative and trusted organization. You
might be thinking along the lines of a learned treatise under the hearsay
exceptions. In fact, this website is only used on cross. The learned treatise
exception only applies to cross. You can confront a witness with a learned
treatise and you can read portions of it into the record. You think,
"Okay, maybe here, the attorney's going to be able to read in portions of
this printout from the American Board of Emergency Medicine." Yet the
ruling in this case is not admissible.
This case is O'Connor versus Newport Hospital, it is a Rhode
Island Supreme Court case from 2015. Here, what they said is that, "We
don't get to the question of hearsay, because we can't lay that authentication
testimony. The witness has never seen this printout. The witness doesn't know
if this printout is accurate, or if it's been modified. There's no information
here for this to be authenticated. We don't get to the issue of hearsay until
we deal with authentication." Now clearly, this was an important website
for this case. This issue was preserved for appeal. This attorney printed this
out, presumably himself, or maybe a staff member. Thought, "I'm going to
use this on cross. I'm going to get this expert." Then it failed. This
obviously was important if this issue went up on appeal. Don't be this lawyer.
Make sure you're thinking about admissibility of digital evidence when you are
gathering it.
He did not have a witness that could introduce this
document, that could lay the proper authentication for it. The question is,
what authentication is needed to introduce a website? Well, there's a treatise
out there by Christopher Mueller. It's in the 5th version of Federal... Or
sorry, 4th edition of Federal Evidence. It has three possible elements for
introducing a printout of a website. Now this is just a treatise, it's not case
law, but it's a good guide. What the author suggests is that the printout
accurately reflects the computer image of the page as of a specified date,
essentially the same foundation you would introduce for a photograph. A witness
saying, "Yes, this picture accurately reflects what I saw on this date and
time." The same thing here, a witness saying, "Yes, this printout
accurately reflects what I saw on that website on January 5th, 2020."
Next element, the website where the posting appears is owned
or controlled by a particular person or entity. In our prior case, that that
website was actually owned or controlled by the American Board of Emergency
Medicine. The final element, the authorship of the web posting is reasonably
attributable to that person or entity. How do we know that that document was
actually written by the American Board of Emergency Medicine? Was it a guest
post or a blog written by somebody else? Was it an opinion piece submitted by
some physician that's not actually supported in the industry? You need to know
who the author is.
There are many websites out there, Medium being one of the
biggest, medium.com, where people can write their own articles and publish them
to the website. You might say, "This document came from Medium," but
that doesn't mean anything because Medium has hundreds or thousands or tens of
thousands of authors. You still have to figure out who the author is. If you
have the author, and the website, and a witness to say that this website
accurately reflects what was on the computer screen on that date and time, then
you have enough to authenticate. But you still have hearsay to deal with, only
talking about authentication here.
Let me give you another example. Here, in this case, we have
a printout of a website after a terrorist attack. The printout or the website
was relied on by an expert to say an individual acted on behalf of the
organization. The printout of this website, really the website was saying it
was from the organization claiming credit for the actions of the individual.
The individual who carried out this terrorist attack said nothing. They didn't
say who they were acting on behalf of, but the organization said, "Yeah,
that guy over there who committed this heinous act, he was acting on our
behalf."
But the expert testifies that scholars, journalists, and law
enforcement all rely on this website. The ruling here about this printout was
that it was admissible. Here there was that authentication testimony. The expert
could say, "I printed this. I found it. Yes, this is what the website
looked like. Yes, it came from this organization." But then we get to
hearsay. Well, how do we know there's any truth here? How can we trust this
document? It's a hearsay statement from this organization. Well, keep in mind
who's testifying, it's an expert witness. Rule 703 allows experts to base their
conclusion on inadmissible data, on hearsay. Additionally, that data that they
base their opinion on can be admitted if it is substantially more probative
than it is prejudicial. The court in this case found that that data was
substantially more probative than it was prejudicial in helping the jury assess
the expert's opinions. Therefore, this printout was admissible. It was
authenticated, and then it came in under Rule 703, despite the fact that it
might have been hearsay.
All right, let's talk now about the emails. Emails are
probably one of the most common types of digital evidence that we see. They're
all over the place. In this case, defendants were involved in a business, with
the business name of MTE. There were emails sent from mte_123@hotmail. The
sender name of that email account was Hayward Borders. Hayward was a board
member of MTE. At trial, no one could say they saw Hayward author the emails.
But the contents of the emails were consistent with Hayward's and with MTE's
actions. Meaning the emails were describing actions they were taking in the
physical world. The emails contained facts known by Hayward and known by the defendant's
MTE.
The ruling in this case, admissible. The court says,
"Authentication can be established in a variety of ways under Rule 901. It
can be done by distinctive characteristics, such as appearance, contents,
substance, internal patterns taken in conjunction with the circumstances."
In this case, the contents of the email had facts known by the defendants. They
described actions that matched the circumstances of the case. The actions
described in the emails were the actions MTE was taking.
That's enough that a jury could reasonably conclude that
these emails came from Hayward, came from MTE. Despite the fact that that's a
really generic business address, mte_123@hotmail. I mean, that is not a very
professional looking address. Certainly somebody could go on to Hotmail right
now and create something similar, maybe mte_321@hotmail. How do you know this
really came from Hayward? Well, you can look at the contents of the emails and
the circumstances of the case. You don't have to prove that Hayward or MTE were
the true authors. You have to provide sufficient facts and data such that the
jury could conclude, MTE was the author here. There were sufficient facts and
data.
Now emails are really problematic. It is really, really easy
to fake emails. There are services online that allow you to generate fake
emails. Or you can send an email to yourself, you go into your sent mailbox,
you then edit that email to send it to somebody else to make it look like it
was sent to somebody else. You edit the contents of the email to change it. If
that email is then printed and disclosed, there's going to be no way to detect
those alterations. We want to keep it in its original digital form so that we
can detect those alterations.
I'll give you another example. You can create what looks
like an email in Microsoft Word. I've done this before in a case where there
was a criminal prosecution against a defendant for violating a restraining
order by emailing the victim. The only disclosure was a printout of that email.
I was being called to challenge the authenticity of that email. So I created an
email from the judge to the prosecutor in Microsoft Word. I then printed that
email and brought it with me to court. Well, gave it to my client who can
disclose it, but we brought it to court. That email was to show the judge,
"Look how easy it is to fake something. This looks perfectly legitimate.
It looks like a real email, and yet it was created in Microsoft Word."
We want to keep those emails in their original digital
format so that we can establish the authenticity of them. We can look for signs
of editing. We can look to establish who it was from, who it was to, and
confirm it really was an email. How do we get that data? Well, we can retrieve
it from the computer that sent the email. We go to a forensic exam of that
computer, that Outlook account, and we look to see if we can get it there. Or
maybe we don't need to go to that level. Maybe you just have a witness who saw
the email being authored. You could put that witness on the stand and they
could say, "Oh yeah, I saw Joe Smith author that email." That's
certainly sufficient to authenticate it. A jury could easily reasonably
conclude that Joe Smith was the author if a witness says, "Yeah, I saw Joe
Smith write that email."
Maybe it was an email that was sent via something like
Gmail. So you could go to Google with your warrant or with a subpoena complying
with the Stored Communications Act subpoena. That would mean a subpoena plus a
signed authorization from the account holder. Then Google can produce that
email. Say, "Yeah, here's the email." Then Google could also produce
the IP address of the person who sent that email. Then you could do what we
talked about before, trace that IP address back. Find out who owns it, maybe
it's AT&T. You send your subpoena to AT&T and say, "Hey, AT&T,
which customer had this IP address on this date and time?" Now you've
taken that otherwise kind of anonymous Gmail email, and you've traced it back
to a physical location. Keep those things in mind when you're dealing with
emails. They are incredibly easy to fake. You really want to keep them in
digital format. The Federal Rules of Civil Procedure suggest that they be kept
in their original native format. You don't want to rely on printouts because
they are so easy to manipulate.
Let's move on now to text messages. We're going to talk
about a few cases here involving text messages. Text messages are interesting,
they have the same issue when you're dealing with screenshots, as emails. You
can create fake text message screenshots online easily. Go to a website like
ifaketextmessage.com, and it will allow you to generate fake text message
screenshots. You could also even take a real screenshot and then edit it in
tools like Photoshop to change the contents, change the date and time, change
the sender of those text messages. They are really easy to manipulate,
screenshots.
Let's talk about our first text message case. Here, we
have pictures of text messages from an informant's cell phone. It's not a
screenshot, these are pictures. These pictures of the phone of the text
messages were taken by a police officer. The officer testifies, he was with the
informant when she was texting. The officer testifies that he saw her send and receive
text messages from a contact in her phone named Joseph Davis. However, there
was no evidence presented that Joseph Davis' contact was in fact the same phone
number as Joseph Davis, the defendant. Meaning that witness, that informant
could have told her friend, "Hey, I got to go fool this cop in a little
bit. I'm going to change your name in my phone to Joseph Davis. I need you to
pretend to be Joseph when I text you later today."
Then the cop would be seeing these messages coming in and
out with that name, Joseph Davis, but in fact, it's the informant's friend. We
need that information to tie Joseph Davis, the real Joseph Davis' phone number
to the contact in the informant's phone. Now, there's more information in this
case. That text message exchange between the informant and the contact labeled
Joseph Davis described a location where they're going to meet up, and then
Joseph Davis showed up there. The ruling here, admissible. Because there is
sufficient data from which a jury could reasonably conclude that Joseph Davis
was on the other end of the text messages, he showed up at the location where
the informant told him to show up.
That's really good evidence that Joseph Davis was on the
other end of these text messages, despite the fact that we don't have the phone
number information tying him to the text messages. That is sufficient for a
jury to reasonably conclude that Joseph Davis was on the other end of these
messages. Therefore, these messages were admissible. They're not hearsay,
because Joseph Davis is the defendant. So it's statements by party opponent
under Rule 801(d)(2). Now, could there be a question about best evidence rule?
Maybe, that was not raised in this case. But we don't really have a genuine
question here, the officer took the pictures. The officer could testify nothing
was modified, and we have Joseph Davis showing up at that meetup location. Our
next case... Oh, I should give you the citation for that one. That was U.S. v.
Davis, is a 4th circuit case from 2019.
All right. Our next case. This case is United States v.
Barnes, 5th circuit, 2015. This is printouts of Facebook and text messages. We
already discussed the problems with printouts, they're easily manipulated and a
whole bunch of tools. We've got printouts of Facebook messages and text
messages, alleged to be from the defendant. The defendant, Mr. Barnes, is a
quadriplegic. But a witness testifies that the defendant can operate a phone
using his mouth and limited movement of the right arm, so he is able to operate
electronic devices. The witness testifies that Facebook messages matched the
defendant's manner and style of communicating. His mannerisms in those messages
were the same. The witness further testified that she had spoken to the
defendant on the phone, and that the phone number she had used to talk to the
defendant matched the phone number of those text messages. She said that she
had seen the defendant use that Facebook account.
So we've got this witness tying the defendant to the phone
number and the text messages, and tying the defendant to the Facebook account.
The ruling here, well, it's admissible. That is enough that a jury could
reasonably conclude that those messages came from the defendant. Don't have to
prove beyond a reasonable doubt, don't have to prove by clear and convincing
evidence, or preponderance of the evidence, just sufficient facts from which a
jury could reasonably conclude that the messages were authentic. When we get to
hearsay, well, they're statement by the party opponent. These were offered by
the government against the defendant, it's Rule 801(d)(2), statements by a
party opponent. We don't have hearsay to deal with here.
All right, our next case. This is an Arizona case, State v.
Fell. It's from the Arizona Court of Appeals in 2017, it's 242 Arizona 134.
These are text messages between a defendant and the alleged victim, transcribed
by the probation officer. The probation officer who saw these text messages
could not recall how he viewed them. Didn't a program he used to view the text
messages. So the probation officer's there saying, "I viewed these. I
can't tell you how, but I did, and then I typed them up. That's how we have a
record of them." The phone is sent off for a forensic examination. In that
forensic examination, these text messages were not found anywhere. They weren't
there on the phone, they weren't there in deleted status on the phone, they
weren't found.
The phone itself was registered to the defendant's mother.
The probation officer says the defendant admitted the text messages were
between him and the victim. The defendant says, "No, I didn't. Never said
that. Never admitted to these." In a jail call, the defendant mentioned
the victim's phone number. So we do know the defendant knows the victim's phone
number. But now we've got kind of a he-said-she-said type situation, defendant
saying, "I never texted the victim. I never admitted this." The
probation officer is saying, "Well, he admitted it to me, and I don't know
how I view these text messages, but I did. I typed them up, and of course my
transcription is accurate. Just trust me."
What do you think the court's going to do here? Well, the
trial court actually suppressed the evidence, but was reversed on appeal. The
trial court does not need to determine whether the evidence is truly authentic,
but only whether evidence exists from which a jury could reasonably conclude
that it is authentic. The Court of Appeals says, "A flexible approach is
appropriate. Allowing the trial court to consider the unique facts and
circumstances in each case, and the purpose for which the evidence is
being offered in deciding whether the evidence has been properly
authenticated." Here, the Court of Appeals said, "Look, the probation
officer's testimony was enough."
The defense is still free to contradict it, to bring their
own witnesses, to bring their own testimony, to contradict that of the
probation officer, they can cross examine, but this evidence gets to the jury.
The jury could conclude it's authentic. They don't have to conclude that, they
could. They get the final say. What was not raised in this case was best
evidence rule. The defense is saying, "Hey, we have a genuine question
here about that transcription." But they didn't raise that under Rule 1003,
that would have been very interesting to see what the trial court and the
appellate court would've done with that kind of best evidence rule, but it
wasn't preserved.
All right, we're going to talk about our last case. This is
again, another Arizona case State v. Griffith. It's a Court of Appeals decision
from 2019 in Arizona. It's 247 Arizona 361. In this case, it is a sale of
stolen iPads. Law enforcement obtains Facebook messages between allegedly the
defendant and a third party. In those messages, there are pictures of the
stolen iPads with matching serial numbers. So you can see the serial number of
the iPads in these Facebook messages, and that serial number does in fact match
the serial number of the stolen iPads. The state, at trial, attempts to admit
these records, these Facebook messages, under Rule 803(6), our business record
hearsay exception, and rules 902(11) and (12). That's our self-authenticating
business record rules there.
The problem, the state didn't have a certification from Facebook
to comply with rules 902(11) and (12), or 803(6). Nor did they have a live
testimony from somebody from Facebook. They didn't have a custodian here and
they were trying to admit these as business records. Those rules require a
custodian, either by declaration or by live testimony, but you got to have it.
They didn't have that. So you're probably thinking, "Well, then that's not
admissible." Well, you're wrong. Court of Appeals said this was
admissible. They kind of forgave the state's error here. They said, "Look,
these aren't business records. This isn't the normal course of business,
these are statements by the defendant. Therefore, we don't need to deal with
hearsay under Rule 803(6)." If they're authored by the defendant, then
they're non-hearsay, they're Rule 801(d)(2).
I want to pull out a few statements here that the court
made, because it's pretty interesting. What the court says, "The state
claimed the message was sent by the defendant Griffith himself and the state
was required to provide some indicia of authorship to satisfy its
authentication obligation before the message could be admitted into
evidence." Fully agree, makes sense. If you're saying, "It came from
the defendant." You got to provide something to say, "It came from
the defendant." You've got to provide enough information so that the jury
could reasonably conclude that it's authentic. If you don't do that, then we
don't have authentication and we have a hearsay issue, because we don't have
any information to say, "These came from the defendant and therefore they
are out of court statements being offered to prove the truth of the matter
asserted," they're hearsay.
The court goes on to say, "A Facebook records custodian
could not provide such indicia beyond attesting that the message came to or
from a particular account." Makes absolute sense. Facebook doesn't know
who's using the account. They're going to say, "Hey, these came to and
from this account, this account labeled John Doe, but we don't know if John Doe
is the owner of this account. We can give you an IP address. You can go figure
it out." But Facebook doesn't know who's using the account, so they can't
provide data enough to satisfy that it was the defendant using this account, it
was the defendant sending these messages.
The court goes on to say, "Allowing the state to
fulfill its authentication obligation, simply by submitting such a
certification would amount to holding that social media evidence need not be
subjected to a relevance assessment prior to admission under Rule 803(6)."
This statement, to me, does not make a lot of sense. Let's pull it apart here.
"Allowing the state to fulfill its authentication obligation." Yeah,
they've got to fulfill that. "By submitting such a certification would
amount to holding that social media evidence need not be subjected to a
relevance assessment." Where does relevance come in? Relevance is Rule
401. We haven't been talking about relevance. Clearly these messages are
relevant. These messages contain pictures of the stolen iPads, they are
absolutely relevant. Whoever took those pictures, whoever sent these messages
clearly has facts related to this theft. Why is relevance coming in here? What
does relevance have to do with authentication or hearsay? That part makes no sense.
But then they go on to say, "The certification from
Facebook doesn't fit under Rule 803(6)." Well, that makes perfect sense.
We already talked about that. Facebook can't tell us who these messages came
from and they're certainly not business records, they're not Facebook's
business records. That's for sure. Facebook maintains them, but the statements
contained within the messages aren't going to fall under 803(6), they're not
business records. The court goes on to say, "Accordingly, we conclude that
social media communications, when offered to prove the truth of what a user
said, fall outside the scope of Rule 803(6), and are thus not
self-authenticating under Rule 902(11)." That all makes sense. The
statements in these messages are absolutely not Facebook's business records.
Facebook can maintain the account, can maintain the messages, but the content
within the messages are not business records. Therefore, they will not fall
under the business record hearsay exception.
If they're offered against a defendant, the state or the
government better produce information to show some relation of the defendant to
that account. At least enough facts that a jury could reasonably conclude that
these messages are authentic. If they're messages between somebody else, that's
not the defendant, well, you've got a hearsay problem. You're going to have to
figure out, "How are we going to deal with hearsay if we're offering these
messages for the truth of the matter?" Well, are they a present sense
impression, then existing mental state? You're going to have to go through your
803(6), or 803 hearsay exceptions and find what fits. But when they're offered
against the defendant, you need facts to establish the defendant is
responsible. That's our last case.
I want to wrap up here by giving you some things to think
about in the future. While you're gathering evidence in your case, think about
admissibility. How are you going to gather that evidence? You can have an
expert do it. You're going to hire someone like Archer Hall to gather that
evidence for you. Can you have a private investigator do it? Can you have your
paralegal or legal assistant do it? Can you have a witness or a party to the
case do it? Be careful about doing it yourself, you don't want to be that lawyer
that prints out the screenshot, gets to trial and then realizes, "Uh-oh,
I'm the only one that can testify about authentication and clearly I can't do
that if I'm the lawyer on the case." Think about that at the stage when
you're gathering the evidence. Who's going to provide the testimony you
need to make the data admissible?
If the other side is offering digital evidence, decide if
you should make pretrial or trial challenges to it. Many criminal defense
attorneys might want to wait until trial to challenge evidence, because then if
they win and they win the case, well, double jeopardy attaches. Sometimes
criminal defense lawyers wait until trial to challenge the data. On the civil
side, if you wait until trial to challenge a key piece of evidence, well, a
judge might get pretty annoyed with you. Wondering why you didn't file a motion
in limine, why you didn't raise this issue earlier. Now, of course, if you
raise the issue early, it might give the other side the opportunity to cure it.
Maybe it gives them the opportunity to get that certification from the
custodian of records to make it admissible under 902(13). Or maybe they go back
to their expert under Rule 902(14) to get that declaration. Or maybe it can be
admissible under 902(11) and (12) as a record of regularly conducted activity.
By raising the issue early, the other side has the opportunity to cure it, so
long as the close of disclosure isn't done.
The other thing you should think about is using your
pretrial interviews, or discovery and disclosure process, or depositions, for
authentication purposes. Maybe you go and gather a bunch of data. Maybe you
gather screenshots of the opposing party's Facebook page, but now you want them
to admit it's their page. Well, if it's a civil case, you send them a request
for admission. "Admit that this Facebook page is yours. Admit that this
Facebook post was yours. Admit that you have this phone number, that you sent
this text message." Maybe you confront it with them at deposition. You show
them the screenshot, "Is this your Facebook page?" If they won't
confirm that, maybe you ask them about that biographical information, keeping
in mind your low burden under Rule 901, sufficient facts from which a jury
could reasonably conclude that the evidence is authentic.
You just are looking to gather those facts. Use your
pretrial interviews, or depositions, or disclosure and discovery process to
gather all of that. Think about admissibility of your data long before you get
to trial. You don't want to be three days before trial and realize your key
piece of digital evidence isn't going to be admissible. You don't have the
right witnesses or the facts to introduce it. Be prepared, think about this
from the very beginning of your case. How will this data be admissible? If you
do that, you'll be setting yourself up for success later in the case.
That's all I've got for you today. I hope you found
something useful here. Hope you learned something new. Hope you enjoyed this
presentation, and you'll be thinking about digital evidence going forward. If
you ever have questions about this or want to see if I can help you out on a
case, always feel free to reach out to us here at Archer Hall. Again, my name
is Brian Chase. I am the director of digital forensics here at Archer Hall. My
email address is [email protected]. You can reach us at archerhall.com. You
can call us at (855) 839-9084. Thank you all for attending, and I wish you all
the best success dealing with your digital evidence in the future. Thank you.