What Evidence is Obtained Through Computer Forensics?
By Todd L. Dietrich and Gregory Fordham
(Page 5)
5. Internet History, Cookies and Instant Messaging Logs
Almost all businesses today have some access to the internet for their employees. Laying aside the resultant lack of productivity from prolific web surfing, and the potential violations of the corporate computer use policy, the suspect custodian’s activities on the internet, both in the office and at home, are often compelling evidence that should be thoroughly examined. Numerous types of activity are logged by the operating system or the application and can provide helpful information. These include:
- Internet history
There are several types of internet history activity that can be recovered and reviewed when conducting a detailed analysis of the internet history on a computer. They include:
- Search Engine Activity
The main search engines are Google, Yahoo and MSN, and all three will leave traces not just of their access, but of what the specific search terms were. For reference, the examination of the internet history on Scott Peterson's computer demonstrated that he was searching for tidal maps and calendars for the San Francisco Bay. Of course, his story was that he was planning his infamous fishing trip. The prosecution used that evidence as part of the larger picture to help convict him.
- Webmail Activity
Do you know or believe that the suspect custodian has some type of webmail account, such as Gmail, Yahoo or Hotmail? If so, an examination of the internet history may be in order to determine whether they accessed this account. It may also help determine what information may have passed through the account and to where.
- Localhost activity
You may recall that one of the issues in Microsoft's antitrust suit was that Internet Explorer was “integrated” into the operating system, thus giving Internet Explorer an edge over the Netscape Navigator browser. This was one of the by-products of Microsoft’s attempts to “unify” the user experience, not to mention run a competitor out of business. As a result, when someone accesses files on the hard drive using Windows Explorer, for instance by clicking the My Documents folder and then opening a file, that activity is logged in the internet cache, even though the activity is occurring locally and not over the internet.
Coupled with a link file analysis, a forensic examiner can often determine many of the files accessed by a user while using a computer. The information may include when and where these files were accessed, and whether they were on the hard drive, on a network share, or on some type of removable media. Such information can be of particular interest in many cases, and it may often provide a link between a suspect custodian and the infamous smoking gun.
- Instant Messaging Logs
If people will say anything in an email, they will truly let their guard down when sending instant messages. This dichotomy was somewhat evident in the Mark Foley case. Most people are at least vaguely aware that the former Representative was accused of inappropriate communications with pages at the House of Representatives. In some instances, some suggestive, but essentially benign email exchanges he had with some of the pages were revealed. However, the damning information that was released came from logs of instant message chats he had with certain pages. Most people are unaware that their instant messaging client software logs their chats by default. Often the logs are simply plain text files which log the date, time, message and the screen name of who said it. In other instances, the logs are encrypted and can only be read by the message client software itself.
Do you have reason to believe that the suspect custodian has been using an instant messaging program? If so, then recovering and analyzing the instant message logs can prove to be extremely useful.
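To illustrate the internet history categories described above (search engine, webmail and localhost activity), here is an added Python example, not part of the original article, that triages history entries an examiner has already exported as "timestamp,url" rows. The sample rows, the host lists and the query-parameter names are assumptions of this example.

```python
import csv
import io
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions of this example: host suffix -> query parameter carrying the search terms.
SEARCH_PARAMS = {"google.com": "q", "search.yahoo.com": "p", "search.msn.com": "q"}
# Assumed webmail hosts (illustrative, not exhaustive).
WEBMAIL_HOSTS = ("mail.google.com", "mail.yahoo.com", "hotmail.com")

# Constructed sample: history already exported as "timestamp,url" rows.
SAMPLE = """\
2007-03-01T09:12:44,http://www.google.com/search?q=quarterly+sales+forecast&hl=en
2007-03-01T09:15:02,http://search.yahoo.com/search?p=vendor%20price%20list
2007-03-01T09:20:10,http://mail.yahoo.com/inbox
2007-03-01T09:31:55,file:///C:/Documents%20and%20Settings/jdoe/My%20Documents/report.doc
2007-03-01T09:40:03,file://fileserver01/finance/budget.xls
2007-03-01T09:41:00,file:///E:/backup/clients.mdb
2007-03-01T09:50:00,http://www.example.com/news
"""

def _host_matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def classify(url):
    """Return (category, detail) for one history URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "file":
        path = unquote(parts.path)
        if host and host != "localhost":      # file://server/share/... is a UNC path
            return "network-share", "\\\\" + host + path.replace("/", "\\")
        if len(path) > 2 and path[2] == ":":  # "/C:/dir/file" -> drive-letter path
            # Fixed disk vs. removable media is not visible in the URL itself;
            # that needs the link file analysis the article mentions.
            return "drive-letter", path[1:]
        return "local-other", path
    if any(_host_matches(host, h) for h in WEBMAIL_HOSTS):  # before search: mail.google.com
        return "webmail", host
    for suffix, param in SEARCH_PARAMS.items():
        terms = parse_qs(parts.query).get(param)
        if _host_matches(host, suffix) and terms:
            return "search", terms[0]
    return "other", host

def triage(export_text):
    """Classify every well-formed row; returns (timestamp, category, detail) tuples."""
    rows = csv.reader(io.StringIO(export_text))
    return [(row[0], *classify(row[1])) for row in rows if len(row) == 2]
```

Calling `triage(SAMPLE)` yields one tuple per entry, so local file access, network share access and search terms can be sorted into a single timeline by timestamp.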
6. If it is Discoverable, Does That Mean It's Admissible?
So you have a pile of good, helpful ESI. The question becomes: how will you get it entered into evidence? The good news is that evidence is still evidence. This means that the Rules of Evidence apply to ESI, just as they would to paper. If the proper foundation is laid out, there should be no problem introducing ESI. There are several considerations to be made when seeking to admit ESI. These include:
This is of course the first question that needs to be answered. Given its nature, the discovery of ESI is likely to provide you with far more information than traditional paper discovery. In examining produced ESI, you may find information that is damning to the other party, but it is entirely irrelevant to the issues of your lawsuit. As with any evidence, you must establish the foundation for the evidence you are seeking to admit.
- Rules of Evidence
The Rules of Evidence apply to ESI just like paper. Thus, the issues and challenges to producing ESI will be common and familiar to most litigators.
- Authentication
One issue that can be raised to prevent the admission of ESI is that of authentication. Authentication can be established via information internal to the ESI, such as company or custodian names and addresses found within files. Another more common method is authenticating the ESI via its production by the other side.
- Hearsay or not?
As you review your ESI evidence, you should consider whether it may be challenged as hearsay. If the ESI came from the opposing party, and it is offered against that opposing party, then Fed. R. Evid. 801(d)(2) provides that the ESI is not hearsay, but it is an admission of that party. You will likely find that in most cases, the ESI you are seeking to admit has come from the opposing party, and would then not be considered hearsay.
Obviously then ESI may be considered hearsay if it is not from the opposing party, and it is offered as proof against an opposing party. This would occur if the ESI is produced by a third party. Even under these circumstances, the ESI may still be admissible at trial if it falls under one of the many exceptions to the hearsay rule.
- Exceptions to hearsay
The Federal Rules of Evidence provide a total of no less than twenty-four exceptions to the hearsay rule. Many of these exceptions deal with public records or public statements and so forth. The exception that would be most relevant for ESI is Fed. R. Evid. 803(6), the Records of Regularly Conducted Activity exception, which has been called the “Business Records exception.”
- Business Records Exception
In order to have hearsay evidence admitted under the business records exception, it must, as a regular practice, be “kept in the course of a regularly conducted business activity.” The records must then be authenticated by testimony of the custodian or another “qualified witness”. The authentication may also be done by a “certification that complies with Rule 902(11), Rule 902(12), or a statute permitting certification.”
A custodian or qualified witness does not need to testify that they actually created or even maintained the ESI. They only need to authenticate the ESI. However, this witness ought to have sufficient knowledge of the ESI, its origin and any computer systems on which the ESI was created and/or stored.
- Best Evidence Rule
You may face a challenge to admitting ESI under the Best Evidence Rule if you have printed files. You may even face this challenge if your ESI consists of conversions from the native format to an “image format” such as tiff or pdf. Fortunately, the definition of an original in Fed. R. Evid. 1001(3) states: “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”
Even a copy of a printed file would likely be admissible as a duplicate according to Fed. R. Evid. 1003: “A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.”
Although under some circumstances ESI must be reduced to paper for review by the Court, the best method for producing ESI is in its native electronic format. Aside from this being the most cost-efficient method, producing in native format will completely avoid any questions or challenges as to the Best Evidence Rule.
- Computer access statutes
It may seem absurd, and in most cases it probably is, but one issue to consider carefully at the acquisition phase is whether the proposed method of acquiring the ESI violates any applicable law. There are federal (Fraud and related activity in connection with computers, 18 U.S.C. § 1030) and state (Georgia Computer Systems Protection Act, OCGA § 16-9-93) laws regulating unauthorized access of computer systems. Usually the Court has ordered the acquisition of the ESI, thus granting authorized access, so these statutes would not come into play whatsoever. Be advised, though, that there are certain situations, primarily in domestic practice, where you may be holding ESI that was not acquired via authorized access of the related computer system. If so, you can rest assured the admissibility of that ESI will be challenged by the opposing party.
- Proper acquisition, analysis and storage practices used?
Who did you use to preserve the media? Who conducted the acquisition of the ESI? Who was responsible for the analysis? If the answer to any of those questions is something other than: “our expert,” you had better be prepared to face an admissibility challenge regarding the mishandling of evidence.
- Expect kitchen sink challenges
So, you managed to find the Smoking_gun.doc file that definitively proves your case. The other side for some reason didn’t settle, and now you are headed for trial. You’ve taken great care with your ESI. You’ve had an expert preserve, acquire, store, analyze and produce it. You’ve laid out a strong foundational basis for getting your ESI admitted. It should not be at all surprising to face the proverbial “everything, including the kitchen sink” challenge to the admissibility of your ESI. However, because you’ve prepared for these things, you can meet such challenges head-on and get your ESI admitted and win that judgment.
-END-