Deconstructing Electronic Evidence: What Is It in Layperson’s Terms; Sources of Evidence and Electronic Evidence Procedure.
By Nicholas G. Himonidis (New York)
Computers as we know them today have been around for decades. Technology has continued to expand exponentially. The “Digital Revolution” has reached a “fever pitch,” and the changes that affect almost every aspect of our lives have been dramatic. The way we think about the practice of law must change to keep pace. This is no longer a question of embracing new technology as a means to facilitate our practice, or increase efficiency in our offices. This is about the realization that everything our clients and adversaries are doing, the Subject Matter of what we are litigating, and the forms and location of the vast majority of evidence in the world is now created, stored, exchanged and/or replicated digitally.
Over 95% Of All Information Created In The World Is Now Created Or Stored Digitally
This change is qualitative and quantitative at the same time. Not only is the volume of information much greater than anything the world has ever experienced, but the very manner in which we think and act has changed in fundamental ways. E-mail and texting have replaced talking on the telephone as a primary means of communication. Just about everyone you know has a cellular phone (and they are all digital). Try “calling” someone under the age of 20 on the phone — it’s likely they won’t answer, and you’ll get a text message in response. Do not oversimplify the significance of this change. SMS (text messaging) is limited to 160 characters. If texting has replaced “talking” as the primary means of communication for most people under 25 (and believe me, it has), an entire generation is now “programmed” to abbreviate and truncate their language and thoughts into 160-character “sound bytes.”
Over 90% of banking transactions are now conducted electronically — without anyone ever entering a bank branch, and without a single piece of paper being generated.
Information is being created and stored on a scale never before seen — and one which is difficult to comprehend.
The Scale of the Change: Statistics
Over 280 exabytes of data (a/k/a information, a/k/a potential evidence) was created, stored and/or replicated digitally in 2007. That figure is estimated to increase to over 1800 exabytes in 2011. This is the volume of Digital Information being created in a single year – not the total volume of digital information in existence!
Put these numbers in Context: All printed material in every library in the world would fit in less than [one (1) Exabyte] and five (5) Exabytes is sufficient to record every word ever spoken by every human being who ever lived.
All recorded “information” is potentially “evidence.” Therefore, “Digital Evidence” already dwarfs, by sheer volume, all other forms of recorded information in the world as potential evidence. The impact of this change on Criminal and Civil Litigation and the Justice Systems is pervasive and cannot be ignored. (Not only should not be ignored — but literally cannot be ignored, at least by any practicing attorney in New York.) The Uniform Court Rules for NYS Trial Courts (Part 202.12) now contain language mandating that the items that shall be considered at the Preliminary Conference include the manner and scope of any electronic discovery (NYCRR 202.12(c)(3)).
Digital Evidence — Key Terminology & Concepts
“Electronic” vs. “Digital” — What is “ESI” Really?
Electronic: Electronic is a term that is properly used to describe a device, not information. Electronic refers to devices that operate by controlling the flow of electronically charged particles. Your laptop computer is “electronic.” The Microsoft Word document you create on it is digital.
Digital: Information that is stored using numerical values to represent the information itself. Information can be “digital” and it can be created and/or stored by an electronic device. However, information itself cannot accurately be described as “electronic.”
Computers and other electronic devices that store data digitally, do so using Binary Code, a series of 0’s and 1’s, to represent the information in question. Whether that information is a digital photograph, a text message, a web page, a word document, a digital audio recording or a map display on a GPS device, they all break down, ultimately, to a string of 0’s and 1’s.
“Digital Evidence” therefore, is any information that is created or stored digitally (i.e. using numerical values to represent the information) which tends to prove or disprove any fact in controversy.
As we see, the term “Electronic Evidence” is a misnomer, unless you are referring to a device or machine.
New York Courts now use the term “Electronically Stored Information” or ESI as the term of art to refer to what we are referring to as “Digital Evidence.”
Electronic Discovery v. Computer Forensics:
Electronic Discovery (more properly referred to as Discovery of ESI) is the process of requesting and producing Digital Information (or the new term “ESI”) through the formal legal discovery process. Everything from a subpoena to a non-party to produce stored data in digital form, to a Notice for Discovery and Inspection demanding production of a party’s computer hard drive to be imaged and examined, is “Electronic Discovery” or Discovery of ESI.
Computer Forensics is the process of examining digital information for use in investigations or litigation. It may be conducted in connection with Electronic Discovery, or completely outside of same.
Native Format is the format in which a digital file (a group or “string” of digital data) was originally created and stored. The “Native Format” of a Microsoft Word document is a .doc file or .docx file (depending on the version of the program).
Every digital file has a “Native Format” and it is critical to have an item in its Native Format if we seek to obtain the relevant Metadata (see below) and to allow for proper forensic evaluation of the file if necessary.
All digital evidence has a “Native Format” by definition. Examples include: Digital Video Files, Digital Audio files, Digital Photos, Emails, and Documents. In the case of emails and certain other items, the “Native Format” may be slightly more complicated, such as an individual email message that is contained within a Microsoft Outlook .pst or .ost file. In such case, the email is only truly in its “Native Format” if the entire host or container file is obtained.
Some Native Formats are proprietary or custom, and the source code of the application that created the file is not known. Therefore, when requesting files in Electronic Discovery it is important to consider requesting they be produced in their Native Format, but not to “knee jerk” and make blanket demands that every item of Digital Evidence demanded be produced in its “Native Format” every time.
Requesting that items be produced in “Electronic” or in “Digital” form is not the same as requesting them in their “native format.” The native format of a Microsoft Excel Spreadsheet is .xls (or .xlsx). That spreadsheet may be printed out, then scanned and turned into a .tiff or .pdf file and produced as such. To be sure, the item produced is in “Digital Form” but is certainly not in its Native Format. Upon receipt of the spreadsheet in its “new format,” there will be “Meta Data” (see discussion below) but the Meta Data will not be “relevant” as it will not relate to the original creation, modification, accessing and/or other information about the spreadsheet, it will only relate to the creation of the file in its current format.
As noted above, consideration must be given before requesting every file in its Native Format. Some files, for example complex database files and files in proprietary and/or custom file formats, may be of little value in their native format, unless the recipient has the application that created them or the “front end” through which they were designed to be accessed. Although every computer file can ultimately be broken down into Binary Code, a tremendously long series of 0’s and 1’s is of remarkably little value if it cannot be properly interpreted as the information it is supposed to represent.
Meta Data (and beyond):
Meta Data is “Data about Data.” It is “additional information” created by the operating system or device that is creating/storing the data, to help keep track of and provide additional information about the data (usually a digital file) in question. The most basic form of “Meta Data” is referred to as “MAC Dates” or the date(s) and time(s) a computer file was created, last accessed and last modified. Nearly every operating system embeds its files with such “Meta Data.” Depending on the application used to create the data or file in question, Meta Data could also include the Author, the Version Number, the Machine Name of the computer used to create the file etc.
Meta Data can be very valuable in providing additional information about a computer file. However, you must have the file in its native format in order to review and analyze the relevant Meta Data. (See example above regarding production of a Microsoft Excel Spreadsheet that has been printed, scanned, saved as a PDF and produced. The file is still in “digital form” but the relevant meta-data concerning the original spreadsheet will no longer be available).
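As an added illustration (not part of the original article), the Python sketch below reads both kinds of Meta Data discussed above: the MAC dates kept by the file system, and the author and date fields that an application embeds inside a native Office Open XML file (in docProps/core.xml). The sample files, the name "J. Doe" and the dates are constructed; the text file stands in for a re-rendered production such as a scan, which carries no embedded Meta Data about the original.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces used by docProps/core.xml in Office Open XML (.docx/.xlsx).
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/"}
FIELDS = {"author": "dc:creator", "created": "dcterms:created", "modified": "dcterms:modified"}

def embedded_metadata(path):
    """Application Meta Data stored inside the native file; {} if none."""
    if not zipfile.is_zipfile(path):
        return {}
    with zipfile.ZipFile(path) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {k: root.find(tag, NS) for k, tag in FIELDS.items()}
    return {k: el.text for k, el in found.items() if el is not None}

def mac_times(path):
    """File-system timestamps kept by the operating system (UTC)."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    # st_ctime: creation time on Windows, inode-change time on Unix.
    return {"modified": iso(st.st_mtime), "accessed": iso(st.st_atime),
            "created_or_changed": iso(st.st_ctime)}

def build_samples(folder):
    """Constructed data: a minimal native container and a re-rendered copy."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            "<dc:creator>J. Doe</dc:creator>"
            "<dcterms:created>2010-03-01T14:05:00Z</dcterms:created>"
            "<dcterms:modified>2010-03-02T09:30:00Z</dcterms:modified>"
            "</cp:coreProperties>") % (NS["cp"], NS["dc"], NS["dcterms"])
    native = os.path.join(folder, "letter.docx")
    with zipfile.ZipFile(native, "w") as z:
        z.writestr("docProps/core.xml", core)
    produced = os.path.join(folder, "letter_produced.txt")  # stands in for a scan
    with open(produced, "w") as f:
        f.write("Dear Sir, ...")
    return native, produced

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in build_samples(d):
            print(os.path.basename(p), embedded_metadata(p), mac_times(p))
```

Both files report fresh file-system timestamps, because those describe the copy on the examining machine; only the native file still carries the embedded author and dates.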
Although Meta Data contains difficult-to-alter dates, times and other information about the User or System that created the original information, Meta Data can be manipulated. For example, MAC Dates/Times (discussed above) are based on the Windows (or other operating system) internal clock. This clock can be manipulated by a savvy user. For example, if the user sets the Windows clock back to a date in the past, and then creates an exculpatory letter in Microsoft Word, the Meta Data of that Microsoft Word file, when obtained and examined in its Native Format, will corroborate the “false” date the user would have typed on the letter. As easy as it may be to engage in such a manipulation, it is extremely difficult to do so without leaving significant evidence of the manipulation. However, the evidence of the manipulation will not exist within the file itself, nor even within the “relevant meta data.” It will only be found in other places on the hard drive/system files of the system that was used to create the “false” evidence.
Therefore, you must have access to the system/hard drive in question to analyze “beyond the four corners” of the file itself, and beyond the “Meta Data.” This is one of the best arguments for demanding production of entire computer(s) for inspection and “imaging” through discovery, or obtaining images of relevant computer hard drive(s) outside formal legal discovery where same can be done legally. (For a more thorough treatment of this issue, see The NGH White Paper: “Clandestine Imaging of a Spouse’s Computer(s) Outside Formal Legal Discovery.”)
Nicholas G. Himonidis is an attorney, licensed Private Investigator, Certified Fraud Examiner and Certified Computer Forensic Specialist. He is a Vice President at T&M Protection Resources, LLC in New York City, where he heads the firm’s Private Investigation Division. For more information, please visit our website at www.tmprotection.com.