Introducing Digital Evidence
by Yoshinori H. T. Himel
On December 19, 2001, Deputy Attorney General Robert Morgester guided Sacramento Law Practice Management and Technology Users Group (SLUG) members through the process of introducing digital media into evidence with a fast-paced presentation on the subject of "Digital Evidence." Morgester is one of five criminal DAGs statewide dealing with technology issues, and is a member of the 35-agency Sacramento Valley High Tech Crime Task Force.
What digital media?
Morgester listed an amazing range of digital media that a high tech task force prosecutor might want to introduce in evidence, from garden-variety data files such as word processing documents, e-mail messages, web pages and digital images to the more exotic chat logs, server logs, slack space, print spooler files, memory swap files, Domain Name Server registration records, and Skytel cellular phone messages.
What problems?
Morgester discussed the legal problems in getting digital media into court under five headings: relevance, chain of custody, authentication, what formerly was the best evidence rule, and hearsay.
Relevance
The pertinent Evidence Code sections are 350 (only relevant evidence is admissible), 351 (all relevant evidence is admissible unless excepted by statute), and 210 (defining relevant as having a tendency to prove or disprove any disputed fact). Examples of theories of relevance include the tendency to prove an element of a crime, the perpetrator's identity, knowledge, intent, motive, or lack of mistake, or a witness's credibility or incredibility.
Chain of custody
Morgester advised the proponent to have the witness explain the agency's policies regarding chain of custody and to show how they were followed, presenting the chain of custody witnesses in reverse order. Evidence logs can come into evidence if the proper foundation is laid for them as business records. The standard is that it must be "reasonably certain" that the item in court is the same as what was found. People v. Lozano, 57 Cal. App. 3d 490 (1976).
Authentication
Under Evidence Code section 1400(a), authentication means introducing sufficient evidence to sustain a finding that the writing is what you say it is. Morgester emphasized the difference between this finding and the question, not involved here, of the truth of the document's content. How does one authenticate a writing? Section 1411 provides that the originator's testimony is not necessary. The beginning of authentication, and often the end, is showing a witness the writing and asking what it is.
Several Evidence Code sections list, without limitation (section 1410), ways of authenticating a document: section 1413, a witness who saw the document prepared; section 1415, a handwriting comparison; section 1516, a lay witness's handwriting comparison; section 1470, the finder of fact comparing handwriting; section 1412, a showing that the writing refers to matters of which only the writer would have been aware; and sections 645.1, 1450-54, and 1530, presumptions of authenticity from official seals, official signatures, newspapers and periodicals. Morgester said that "your imagination is the only limit on the ways that you can authenticate documentary evidence."
In authenticating computer data, Evidence Code section 1552(a) provides a rebuttable presumption that a printed representation of computer information or computer program is accurate. The presumption can be rebutted only by evidence. Speculation, often attempted in the form of expert testimony that the information could have been altered, is insufficient under United States v. Bonallo, 858 F.2d 1427 (9th Cir. 1988). If there is rebutting evidence, the printed representation's accuracy must be proved by a preponderance of the evidence. The same burdens apply to printed representations of digital photos under Evidence Code section 1553.
Morgester laid out the most common challenges to authenticity in his experience. First, were the records altered, manipulated, or damaged after they were created? See the burdens discussed in the preceding paragraph. If an image or other representation was altered, say by digital enhancement, then under Evidence Code section 1402 the proponent must account for the alteration and show that it did not change the meaning. Second, how reliable was the program that generated the records? This reliability question is analogous, he said, to the challenge to the reliability of the alcohol machine in a DUI case. Finally, was the purported author the author?
Best evidence
Morgester said that the Best Evidence Rule, requiring the use of the original, is dead. Secondary evidence (a copy) of a writing is admissible under Evidence Code section 1521 unless a genuine dispute exists concerning material terms of the writing and justice requires its exclusion, or admission would be "unfair." If the evidence is voluminous records, section 1523(d) allows the introduction of an oral or written summary without introducing the records themselves.
Hearsay
The hearsay rule, excluding statements brought for the truth of the matter stated, has two main aspects in the digital realm as in the analog: non-hearsay and exceptions. Verbal legal acts, not introduced for their truth, are not hearsay; these include false credit applications used to show a false application, checks, promissory notes, Remington Investments, Inc. v. Hamedani, 55 Cal. App. 4th 1033, 1042-43 (1997), and other contracts. The victim's I.D., introduced in a burglary case to connect the defendant with the crime, is not hearsay. In re Richard W., 91 Cal. App. 3d 960, 971-79 (1979). Narcotic pay-owe sheets or contracts are not hearsay. People v. Harvey, 233 Cal. App. 3d 1206, 1222-26 (1991). Indicia of residency, introduced to connect a person to a location, are not hearsay. People v. Williams, 3 Cal. App. 4th 1535, 1540-43 (1992). Records or reports generated purely by a computer, such as log files or instrument readings, are not hearsay because they do not involve the same risk of observation or recall as human declarations. If the computer file contains human declarations, however, the fact that they are computer-stored, computer-summarized or computer-analyzed does not change their hearsay nature.
Hearsay exceptions, of course, include statements of a party, adoptive admissions, statements in furtherance of a conspiracy, statements against interest, prior inconsistent statements, past recollection recorded, business records, statements of state of mind, and, significantly, published lists or directories. Evidence Code section 1340 excepts from the hearsay rule published tabulations, lists, directories and registers, so long as the compilation is generally used and relied upon as accurate in the course of business. Internet search engines, including the directory behind the venerable "whois" command, may qualify. The question arises, how broad is the relevant business community to show reliance? Oneself? The law enforcement community? The Internet community?
Common attacks
After going over the above legal rules, Morgester summarized the ways in which digital evidence is commonly attacked. One attack is on the software and hardware you have used in collecting and analyzing the data. The best way to deal with this attack, he said, is to keep the original media under lock and key and always work on a copy. When the opposing expert questions your analyst's methods, your analyst can copy the original again for the opposing expert, who probably will uncover the same things.
Another attack is on your analyst's qualifications. Again, the best defense is the inviolate original media.
A third line of attack is illustrated by e-mail purportedly sent by a corporate CEO, but actually created by an employee complainant. The employee, relying on the authenticity of the e-mail, had a civil case for harassment, but later, in criminal court, the prosecution was able to show alteration by the employee. If you are interested in the authenticity and unaltered state of e-mail, there are records of the e-mail along the way between the sender and the recipient, including ISP records, that can support or undermine its genuineness.
What's not on trial?
How analysis hardware or software works internally is not relevant in introducing digital information in evidence. It is enough that the hardware or software is regularly relied upon, like a car or a flashlight. Under People v. Lugashi, 205 Cal. App. 3d 632 (1988), the witness doesn't have to understand how things work, just how to use them.
Common mistakes
Morgester pointed out some mistakes commonly made by his adversaries. One is the SODDI defense, saying "my client did not author that e-mail." The prosecution can then bring embarrassing evidence, such as porn or chat logs, to connect the defendant with the e-mail. Another mistake is to argue that deleted files should not be considered. That can lead to a motion to consider the deletion itself as evidence of consciousness of guilt.
Questions
Morgester then entertained questions. A questioner asked whether spamming is unlawful. Morgester said there is a spamming misdemeanor but that the San Francisco Superior Court has ruled it unconstitutional. To get law enforcement interested, he advised pursuing felonies, such as a denial of service resulting from spamming. Is there a civil cause of action for spamming? Morgester said that the District Attorney can bring cases for civil penalty, but that he had not heard of any such cases being brought.
How do I find a suitable analyst?
Morgester pointed out that his analysis work is done mostly in-house, but advised that there are a number of former FBI agents in the business. Mark Menz, the SLUG presenter this April, has gone private. One should ask which tools the potential analyst uses.
What should my side take from the site?
The best thing to take is the original media, or the whole laptop computer. Although taking the original can shut the business down, sometimes it helps to take the original and leave a copy. The last choice is to take only a copy. Calculating the MD5 hash value for the original and the copy is one way of showing that the copying did not alter the data. Always, Morgester advised, watch the chain of custody.
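The hash comparison described above, as an added example that is not part of the original article or of Morgester's presentation: it hashes the original and the working copy in one streaming pass each and builds a record suitable for an evidence log. The file names, the examiner value and the record layout are assumptions made for illustration, the sample media is constructed, and SHA-256 is computed alongside the MD5 the talk names.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def digests(path):
    """Return (size, md5_hex, sha256_hex) for a file, read once in chunks."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha256.hexdigest()


def verify_copy(original, copy, examiner):
    """Compare a working copy with the original and build a custody-log record."""
    o_size, o_md5, o_sha = digests(original)
    c_size, c_md5, c_sha = digests(copy)
    return {
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,  # hypothetical field, not from the article
        "original": {"path": original, "bytes": o_size, "md5": o_md5, "sha256": o_sha},
        "copy": {"path": copy, "bytes": c_size, "md5": c_md5, "sha256": c_sha},
        "match": (o_size, o_md5, o_sha) == (c_size, c_md5, c_sha),
    }


def demo():
    """Constructed sample: a faithful copy and one with a single changed bit."""
    data = b"constructed sample media contents\n" * 4096
    altered = bytearray(data)
    altered[100] ^= 0x01  # flip one bit to simulate alteration during copying
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("original.img", "copy.img", "altered.img")}
        for name, content in zip(paths, (data, data, bytes(altered))):
            with open(paths[name], "wb") as fh:
                fh.write(content)
        good = verify_copy(paths["original.img"], paths["copy.img"], "examiner-placeholder")
        bad = verify_copy(paths["original.img"], paths["altered.img"], "examiner-placeholder")
    return good, bad


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The altered copy has the same byte count as the original, so only the digests reveal the change.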
A SLUG member who does civil litigation remarked that delay can kill you; for example, AOL's retention time is only 45 days. Another questioner asked what can be gotten from AOL. The answer: billing records, records of when and where each subscriber logged on, and content. AOL was said to insist on at least a subpoena to give up its records.
A questioner asked about computer-generated visual evidence (accident simulations) used in accident reconstruction. Morgester said this evidence may need three witnesses: one to give the speed, direction and other measurements taken from the accident; one to testify that those pieces of information went into the program; and one to explain what formulas the program relied on in processing the information.
Morgester went on to say there is a plethora of interesting digital evidence these days. He said that GM cars have a chip that captures speed and other measurements during the five seconds before an air bag deploys. In one Napa County vehicular homicide case, the driver hit and ran, but the car's OnStar system, activated by the accident, transmitted the accident location. The police were tipped that something had happened there, found the body, and used OnStar again to locate the car.
SLUG News: On December 19, SLUG elected its officers for the coming year: chair, Heather Hoganson; vice-chair, Timothy Miller; secretary-treasurer, Mike Cable. It also adopted amendments to its section charter, mainly enlarging its purview to embrace law office management.
SLUG Meetings: SLUG meets at noon on the third Wednesday of the month at the Delta King. Coming January 16, LEXIS Time Matters; February 20, Corel WordPerfect 2002; March 20, Amicus Attorney; April 17, Computer Forensics with Mark Menz. For details, subscribe to the Sacramento County Bar Association Listserv or see the County Bar's event calendar at www.sacbar.org. Reserve your place and menu choice with Timothy Miller at 446-4469 in January, later with Mike Cable at 381-7868.