Deconstructing Electronic Evidence: What Is It in Layperson’s Terms; Sources of Evidence and Electronic Evidence Procedure.
By Nicholas G. Himonidis (New York)
To read Part 1 click here.
With access to the system which created the evidence in question, we have access to Secondary/Indirect Evidence such as: Created by System (OS) or Application Files, Internet Temporary Files, Application Temporary Files, System Logs and Registry Files. This type of evidence can tell us about what the computer in question was used for, what programs were run, and when, and a variety of other potentially relevant information we might otherwise never know. For example, in one forensic examination, we found an application temporary file called “wipeinfo.lgc” This is a file that would never have been asked for, or produced, as part of any “standard” or even “extensive” ESI discovery request. The existence of that file however, proved that: 1) a program known as Norton System Works had been installed on the subject computer; and 2) one of that program’s utilities, known as “Wipe Info” had been run on the subject computer — the Wipe Info utility being a known “data wiping” utility used to permanently delete data and make same unrecoverable. We then determined that the Norton Program had been installed after the owner of the computer, a party to the litigation, had been served with the Summons and Complaint. This fact, coupled with the lack of information recovered from the subject computer (as compared to what would reasonably have been expected to be there) resulted in an “adverse inference” by the court against that party. Had there been only a discovery demand for specific ESI responsive to certain issues, the “truthful” yet misleading response could well have been “a thorough search of the ESI in defendant’s possession and control have yielded no such documents” and the inquiry might have ended at that.
The discussion of having access to the actual computer, system or device which created the digital evidence in question actually begs the question: “when can I get the other party’s computer in discovery?”
It is beyond question that discovery of ESI in matrimonial cases is vital. “Fault” is now effectively gone from the matrimonial litigation equation, and even before that development, it was settled, at least in the First and Second Department, that discovery on issues of grounds was not permitted. However, discovery regarding the opposing party’s finances is not only permitted, it is often the central issue in a matrimonial case. In addition, where custody is an issue, discovery of material relevant to the character and fitness of each party, and any conduct relevant to the issue of custody is properly discoverable (see Bill S. v. Marilyn S., Slip Op 51093 (Sup. Ct. Nass. 2005)) and it goes without saying that a computer used by the opposing party may be an excellent source of such evidence.
All this notwithstanding, access to an opposing party’s computer(s) in a matrimonial case, as opposed to merely obtaining discovery of specific documents/files, is not guaranteed, and the cases determining when such access is appropriate are far from uniform. One of the seminal New York cases on this issue is Etzion v. Etzion, 7 Misc.3d 940 (Sup. Ct. Nass. 2005), in which the author was the lead computer forensic consultant for the Plaintiff. In Etzion, Judge Stack ruled that Plaintiff Wife was entitled to have her computer forensic experts clone (or image) each and every hard drive in use at the defendant husband’s business, as well as his personal computers, which he used for business purposes. (The court did hold that privileged communications and certain “non relevant personal communications and data” was not discoverable and the Plaintiff Wife was ordered to bear the cost of having the hard drives cloned or imaged. In addition, the court set forth a detailed protocol for processing and review of the information on said hard drives. Notwithstanding all of that, however, the Plaintiff Wife would still be in a position to not only obtain “direct” evidence, such as documents and emails, but potentially critical “indirect” or “secondary evidence” such as system files and other data even beyond the basic “Meta Data” attached to specific digital files in question.)
Contrast the Etzion case with Schreiber v. Schreiber, 2010 NY Slip Op 20271 , 904 N.Y.S.2d 886, Supreme Court Kings County, 2010, where the court actually cited to Etzion, but held that wife’s requests to have her expert image and examine the hard drive of Husband’s office computer were unwarranted.
As with any other form of forensic/scientific evidence, the evidence is only considered to be Forensically Sound, and therefore, admissible, assuming other evidentiary standards are met, if the evidence has been Properly Collected, Authenticated (in this case digitally) and an appropriate Chain of Custody is maintained/documented.
Digital Information on a hard disk or other media is difficult to destroy or eliminate entirely, however, it is easily tampered with or corrupted. Therefore, proper collection, authentication through “hashing,” (explained below) and chain of custody are extremely important for purposes of admissibility.
Although some cases have apparently dispensed with chain of custody as a pre-condition to admissibility of digital evidence (see UNITED STATES v. WERNICK, 03CR0189 (DRH) U.S.D.C.(E.D.N.Y. 2010)), most cases hold that some proof of a Chain of Custody is a condition of admissibility. (See: People v. Pena, 169 Misc.2d 366, 642 N.Y.S.2d 807 (Sup. Ct. 1996) (chain of custody was relevant and chain of custody was proven by showing that cellular telephones and computers seized were the same items offered into evidence: also CA, Inc. v. Simple.com, Inc. et al., 02 Civ. 2748 (U.S.D.C. E.D.N.Y. 3-5-2009)).
The Wernick case, above, is an interesting divergence, but the full picture cannot be understood from the published decision(s) alone. One must also review other filed documents in the case, including letters from counsel and motion papers, to understand the full import of what occurred. Basically, the defendant was charged with Child Pornography and related offenses. It seems beyond any dispute from the letters and other motion papers filed by the prosecution and the defense, that certain hard drives on which the Child Pornography was located were originally seized by local authorities when the defendant was initially arrested.
Sometime later, those hard drives were released by the police to the custody of a third party (relative of the defendant) by mistake, when the federal government took over the prosecution. It further appears that these hard drives then made their way to the defendant’s counsel, who had no reason to know what was on them, and in whose office the hard drives sat for almost a year. When the authorities finally realized the mistake, and recovered the drives from defendant’s counsel, under threat of arrest for possession of Child Pornographic Material, the “chain of custody” of the drives had been irretrievably broken — and in no insignificant manner. Nonetheless, the evidence recovered from the drives was apparently deemed admissible, as the defendant was convicted at trial, and his conviction upheld, notwithstanding his many objections to the admissibility of this evidence.
Authentication through Digital Verification (a/k/a “Hashing”):
“Hashing” is a process by which a mathematical formula known as an “Algorithm” is used to obtain a unique alphanumeric value (like a fingerprint or DNA profile) for a digital file or volume of digital information. This “digital fingerprint” can then be used to “authenticate” that file or volume of information, and to verify an original to a copy, a copy to a copy, etc. This commonly misunderstood process is mathematically complicated, but in practice, very simple and straightforward.
In order to “Hash” (i.e. obtain the Hash Value) of a digital file or volume of digital data (such as a hard disk, memory card etc.) the file or volume of data (which is actually just a string of binary code – i.e. 0’s and 1’s) is subjected to a mathematical formula called a Cryptographic Algorithm. The two most commonly used, and accepted, Cryptographic Algorithms for this purpose are known as the “Md-5” and the “SHA-1” Algorithms. These Algorithms are referred to as “cryptographic” because they can be used to calculate a unique alphanumeric value for that file or volume of data, which cannot be calculated in reverse, and therefore cannot be manipulated.
When a digital file or volume of data is subjected to the Md-5 Algorithm or the SHA-1 Algorithm, the product is an alphanumeric value which is highly unique (more unique in fact than a “DNA Profile”) for the digital file or volume of data in question. The Md-5 and SHA-1 Algorithms are so sensitive, that altering even a single letter or punctuation mark in a Word document or other file, causes the resulting hash value to change radically.
For example, the Md-5 Hash Value of “The quick brown fox jumps over the lazy dog” is 9e107d9d372bb6826bd81d3542a419d6. Observe what happens if we simply add a period (.) at the end of the sentence: “The quick brown fox jumps over the lazy dog.” The Md-5 Hash Value is now: e4d909c290d0fb1ca068ffaddf22cbd0. One punctuation mark is changed, and the hash value is radically different. Calculating what else would need to be changed in order to have the non-altered string produce the same Md-5 Hash Value as the original would be extraordinarily difficult, and this is an ultra simple example.
The value of hashing and obtaining these values when evidence is collected can be explained as follows. Assume we collected a Word document as evidence. Upon collecting it, we obtain its Md-5 Hash and exchange not only the document, but its hash value, with the other parties involved. If different “versions” of that document are later presented by one party, and a dispute arises as to which is the “original” version, the question can be simply and irrefutably answered by re-hashing the questioned versions. Whichever one matches the original hash value is the “authentic” original document.
Despite recent “challenges” from the tech world to the Md-5 and SHA-1 Hash Algorithms (primarily as they are used in digital security and encryption applications) (See FN 1 above) they remain the “gold standard” in authentication of digital files and data volumes for litigation purposes, as evidenced by cases as recent at 2009 and 2010 which tout their value and reliability for such purposes. For example:
Uniloc USA, Inc. v. Microsoft Corp., 640 F.Supp.2d 150,167-8 (U.S.D.C. D. R.I. 2009) (At trial, the parties agreed MD5 and SHA-1 are algorithms and there was little, if any, dispute over their operations. MD5 is a well-known, publicly available, complex, cryptographic program code (also described as a cryptographic checksum or hashing algorithm) that produces a 128-bit output from its inputs, or the equivalent of 16 characters of information (the SHA-1 output is 160-bits)”… It is undisputedly a “one-way” algorithm; that is, from its 16-character output it is impossible to go backwards or “go back and get the information” forming the input.
State v. Tremaine, WD70670 (Mo. App. W.D. 7-27-2010) Limewire verifies that it is accessing pieces of the correct file by means of a Secure Hash Algorithm (or ‘SHA-1’) value which uniquely corresponds to an individual computer file. (Footnote: A SHA-1 value is an alphanumeric signature that identifies an individual computer file, regardless of how the file is named on an individual computer. Besides being used by the search function of the Gnutella network, and by LimeWire, law enforcement agencies track the distribution of files containing known child pornography using the files’ SHA 1 value, and can identify the Internet Protocol (or “IP”) address downloading particular files by the same means.
U.S. v. Wellman, 1:08-cr-00043 (U.S.D.C S.D.W.Va 1-7-2009) (Footnote 2: a hash value is a “digital fingerprint” that is unique to a particular file. Because each hash value is unique, an algorithm, the Secure Hash Algorithm-1 (SHA-1) can be used to show to a 99.99 percent certainty that a file with the same hash value is an identical copy of the same file.
State v. Garbaccio, 214 P.3d 168 (Wn. App. 2009) (footnote 2: [The Detective] was able to determine that a known video of child pornography was available for download from [defendant’s] computer by examining the video file’s “SHA-1” value, a lengthy alphanumeric code unique to each computer file available for transmission over file-sharing networks, such as Gnutella, which is the network that [defendant] used in this instance.)
To read Part 1 click here.
Nicholas G. Himonidis, is an attorney, licensed Private Investigator, Certified Fraud Examiner and Certified Computer Forensic Specialist. He is a Vice President at T&M Protection Resources, LLC in New York City, where he heads the firm’s Private Investigation Division. For more information, please visit our website at www.tmprotection.com.