Author: Helen Geib

Best Practices

Chain of Custody and its Critical Role in Authenticating Electronic Evidence


Effective December 1, electronic records can be put into evidence in federal court cases by means of a written certification of “authentication by a process of digital identification.” Parties will be able to take advantage of the cost- and time-saving benefits of amended Federal Rule of Evidence 902 if they can demonstrate that the copy is identical to the original.

This is a two-part inquiry. First, the ESI must have been collected in a forensically sound manner so that it was not changed during the copying process. Second, the integrity of the ESI must have been maintained throughout the evidence lifecycle. A sound chain of custody is critical because it documents the record’s journey from collection to the courtroom.

Maintaining defensible chain of custody procedures and documentation takes time, experience and close attention to detail. An eDiscovery or forensic data collection specialist has an important responsibility to keep defensible chain of custody documentation that, if called upon, will support an authentication certification. Litigants and counsel should always verify that their service provider follows chain of custody best practices in evidence handling.

Defining “Chain of Custody”

The Electronic Discovery Reference Model’s online glossary provides this definition of chain of custody:

All information on a file’s travels from its original creation version to its final production version. A detailed account of the location of each document/file from the beginning of a project until the end. A sound chain of custody verifies that you have not altered information either in the copying process or during analysis.

Chain of custody shows where the evidence has been, who has touched it and its condition at all times. It tracks a device or file through the full evidence lifecycle of collection, transfer, handling, storage, analysis, review and production.

The norm is to demonstrate that there has been no alteration of the evidence. Where there is a legitimate reason to change the condition of the evidence, such as in laboratory testing of physical evidence, the chain of custody must document the circumstances and details.

Chain of custody is an essential part of authentication of digital evidence because it shows the provenance and integrity of the data or file. What it does not show is what happened before collection. For instance, chain of custody is not in itself evidence that the owner of a computer created the files collected from the computer. Similarly, chain of custody is silent on the question of whether a file is relevant or significant to the issues in the case.

Distinctive Aspects of ESI Chain of Custody

A principal distinction between physical evidence and ESI in the context of chain of custody is that ESI involves copies. Where an object is picked up and moved, an electronic file is copied. The significance for collection is that while chain of custody for the former documents the physical seizure of the evidence, for the latter it documents that an identical copy has been created.

The significance of this distinction cannot be over-emphasized. ESI may be, and typically is, copied many times over in the course of collection, transfer, analysis, etc. The integrity of the record must be maintained and properly documented every time.

The final point to be made may initially seem at odds with the principle of evidence integrity, but nonetheless is a routine and accepted part of standard eDiscovery practice: ESI is altered during production. The continuing preference for TIFF or PDF production format (ideally with linked metadata, extracted text and native files where appropriate) necessitates file format changes. Chain of custody documents those changes. It also correlates the production copy to the source file in case a need arises to produce a file in its original format for evidentiary reasons; for example, to overcome an authentication challenge.

Types of Chain of Custody Documentation

Maintaining a complete chain of custody record involves multiple types of documentation. Which types are used in a particular instance depends on the evidence and how it is handled and used.

a) Collection forms – Collection forms record information about the data and the collection, such as:

  • Date and time, location and the name of the collection specialist;
  • The copying programs and/or other collection tools used;
  • Description of collection target (e.g., PC, network shared drive, cell phone);
  • Custodian name or similar identifying information for the data source;
  • Data volume and/or number of files copied;
  • Any file copying errors and what was done to resolve them;
  • Description of destination media (e.g., inventory number of external hard drive) or data transfer means (e.g., secure ftp).

b) Photos – Photos should be taken of physical evidence, electronic devices and media. In the ESI context, this typically means photos of identifying information (e.g., serial number), labels and any noticeable damage such as a bent cell phone casing.

c) Delivery and shipping logs – A combination of logs and forms is used to document basic information like date, sender and recipient, courier/shipper and tracking number. Shipping labels and packaging are typically documented with photos or scans; they may also be stored as-is, space allowing.

d) Transfer and handling logs – Evidence intake, check-in/check-out and hand-off is documented with logs recording the what, who, when, where and why of the transfer. The “what” of devices and media includes a description of the item (e.g., make and model, serial number), any labels and a listing of power cords and other peripherals. The “what” of ESI is hash value, data volume and other information used for identification, such as custodian name, folder name and transfer history.

e) Software logs – Forensic collection hardware and software automatically generate various verification, tally and error logs.

f) “About” documentation – The final type of chain of custody documentation is supporting documentation about chain of custody procedures, software tools and evidence repositories. An example is validation documentation for the forensic copying tools. This category also includes forensic lab best practices and security protocols for evidence lockers and media storage rooms.
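The following is an added example, not part of the original article or any QDiscovery tooling. It sketches how the hash value and data volume in a transfer log entry (item d) let every copy of ESI be verified and documented each time it is made, as the section on distinctive aspects of ESI requires. SHA-256, the field names and the file names are assumptions chosen for illustration, and the sample file is constructed.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Stream the file so large evidence files never sit whole in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def transfer(src, dst, log, who, why):
    """Copy src to dst, verify the copy by hash, append a transfer-log entry."""
    before = sha256_of(src)
    shutil.copy2(src, dst)  # copy2 also preserves file timestamps
    after = sha256_of(dst)
    log.append({"when": datetime.now(timezone.utc).isoformat(), "who": who,
                "why": why, "from": str(src), "to": str(dst),
                "bytes": Path(dst).stat().st_size,
                "source_sha256": before, "copy_sha256": after})
    if before != after:
        raise ValueError(f"copy of {src} does not match its source")

def audit(log, current):
    """Return problems found: a bad copy, a gap between hops, or later change."""
    problems = []
    for i, e in enumerate(log):
        if e["source_sha256"] != e["copy_sha256"]:
            problems.append(f"hop {i}: copy differs from source")
        if i and e["source_sha256"] != log[i - 1]["copy_sha256"]:
            problems.append(f"hop {i}: source differs from previous copy")
    if log and sha256_of(current) != log[-1]["copy_sha256"]:
        problems.append("current file differs from last logged copy")
    return problems

def demo():
    """Two logged hops on a constructed file, then an unlogged alteration."""
    with tempfile.TemporaryDirectory() as d:
        src, c1, c2 = (Path(d) / n for n in ("source.pst", "collected.pst", "lab.pst"))
        src.write_bytes(b"constructed sample evidence\n" * 100)
        log = []
        transfer(src, c1, log, "collection specialist", "collection")
        transfer(c1, c2, log, "lab analyst", "analysis")
        clean = audit(log, c2)
        c2.write_bytes(c2.read_bytes() + b"x")  # change made outside the log
        return log, clean, audit(log, c2)
```

Calling `demo()` returns the two log entries, an empty problem list for the intact copy, and a non-empty list once the lab copy has been changed without a corresponding log entry.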

Chain of Custody and Authentication under Amended Rule 902

Rule 902(14), expected to go into effect later this year on the scheduled date of December 1, creates a mechanism to authenticate qualifying electronic evidence by written certification instead of live testimony. The certification must be by a “qualified person” and show that the record has been “authenticated by a process of digital identification.”

The amendment is designed to streamline authentication of ESI, reduce cost and burden on the parties and eliminate unnecessary evidentiary disputes. Litigants will be able to take advantage of the efficiency gains and cost savings offered by the new rule if they can demonstrate that the ESI was collected in a forensically sound manner and that evidence integrity was maintained during the evidence lifecycle. A thorough and accurate chain of custody provides the documentation needed to make that showing.


Helen Geib is General Counsel and Practice Support Consultant for QDiscovery. Prior to joining QDiscovery, Helen practiced law in the intellectual property litigation department of Barnes and Thornburg’s Indianapolis office where her responsibilities included managing large scale discovery and motion practice. She brings that experience and perspective to her work as an eDiscovery consultant. She also provides trial consulting services in civil and criminal cases. Helen has published articles on topics in eDiscovery and trial technology. She is a member of the bar of the State of Indiana and the US District Court for the Southern District of Indiana and a registered patent attorney.


This post is for general informational and educational purposes only. It is not intended as legal advice or to substitute for legal counsel, and does not create an attorney-client privilege.
