All Discovery Is Not The Same: Part 2

Forensic Discovery

Once you have decided what evidence you need to make your case, ask the next question: “Do I believe there is a possibility that the evidence I seek has been deleted, destroyed, obfuscated, encrypted or altered?” If there is, you must begin with forensic discovery. Remember that court cases exist because two parties are adversarial regarding a particular topic, so the possibility that evidence has been altered or destroyed can seldom be ruled out. If, knowing that, you still believe the answer to the question is “no,” feel free to move straight to the e-discovery phase of evidence collection. We believe, however, that most of the time forensic discovery is essential to making certain that you truly have the information you require to proceed.

Let us assume that your letters of preservation have been delivered to all custodians and the evidentiary conference is complete. All parties have agreed on what is discoverable, and we now need to locate and preserve the evidence. In a forensic discovery, we begin with the “forensic image.” I have found that the term image means different things to different people, so let us define this term of art as “an exact bit-by-bit copy of electronically stored media, written in such a fashion as to make certain that it cannot be altered, and capable of being positively authenticated as an accurate reproduction of the evidence being examined.” This process can be done by anyone with the right tools, correct? “Can be” and “should be” are different things. I can represent myself in court, but it isn’t a good idea. In the same way, only “qualified persons” who are capable of verifying the authenticity of the image should perform this function.

This particular issue is addressed by the amendment to Federal Rule of Evidence 902(14) that takes effect on Dec. 1, 2017. While I am certain that the new rule was intended to lessen the burden of employing an expert witness to authenticate such evidence, there is still the issue of authenticating the data that was acquired. If we look at an excerpt of the advisory committee notes for the amendment, the intent is good, but one must ask how it will be accomplished in practice. The excerpt reads:

Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.

This leaves us with determining how an image is to be authenticated, and what constitutes a “qualified person.” To authenticate an image, it is necessary to hash the original media and the image created from it and show that the values match; a hash of the image alone proves nothing about its relationship to the source. We would also consider it insufficient to provide only one type of hash: computing two independent digests (MD5 and SHA-256, for example) and showing that both agree leaves far less room to argue that a match is accidental. In any case, unless there is a person working for you who holds some sort of forensic certification, your IT person may very well end up having to testify as to how the image was made and the steps taken to authenticate and protect the data. With all of this in mind, let us assume that you have engaged a qualified person, and you are about to acquire and authenticate data.

Randall William Zinn
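A concrete version of the hash-value authentication the committee note describes, carried out with two digests rather than one. This is an added example and is not the author's code nor that of any particular forensic tool: the “media” is a constructed byte string, the chunk size and the choice of MD5 plus SHA-256 are assumptions, and in-memory buffers stand in for a write-blocked source device and an image file.

```python
import hashlib
import io

# Constructed stand-in for the original media. Real evidence would be read
# from a write-blocked device, never from a buffer like this.
ORIGINAL_MEDIA = bytes(range(256)) * 64 + b"end-of-constructed-sample\n"

# Two independent digests (assumed choice). Offering a single hash is what
# the article calls insufficient; agreement on both is a far stronger showing.
ALGORITHMS = ("md5", "sha256")
CHUNK = 64 * 1024  # assumed read size


def hash_stream(stream, algorithms=ALGORITHMS):
    """Read a stream once from its current position, feeding every chunk to
    all requested hashers, and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image):
    """Bit-by-bit copy of `source` into `image`.

    Returns (acquisition_hashes, verification_hashes): digests of the bytes
    exactly as they were read from the source, and digests of the finished
    image re-read from its beginning. The source is read only once, which is
    what you want on failing media; the image is then read back in full.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: source.read(CHUNK), b""):
        image.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    image.flush()
    acquisition = {name: h.hexdigest() for name, h in hashers.items()}
    image.seek(0)
    verification = hash_stream(image)
    return acquisition, verification


def certify(acquisition, verification):
    """Build the record a 902(14)-style certification would rest on:
    per-algorithm match results and a verdict requiring every digest to agree."""
    matches = {name: acquisition[name] == verification[name] for name in acquisition}
    return {"hashes": acquisition,
            "matches": matches,
            "authenticated": all(matches.values())}


def demo(tamper=False):
    """Acquire the constructed media and verify the image. With tamper=True a
    single bit of the image is flipped afterwards to show the check fails."""
    source = io.BytesIO(ORIGINAL_MEDIA)
    image = io.BytesIO()
    acquisition, verification = acquire_image(source, image)
    if tamper:
        data = bytearray(image.getvalue())
        data[len(data) // 2] ^= 0x01  # one-bit change somewhere in the middle
        verification = hash_stream(io.BytesIO(bytes(data)))
    return certify(acquisition, verification)


if __name__ == "__main__":
    for label, report in (("clean", demo()), ("tampered", demo(tamper=True))):
        print(label, "authenticated:", report["authenticated"])
        for name, ok in report["matches"].items():
            print(f"  {name}: {'match' if ok else 'MISMATCH'}")
```

Run it directly to see the clean acquisition authenticate on both digests and the one-bit alteration fail on both. Two points a practitioner should notice: the acquisition hashes are computed from the very bytes that were read from the source and written out, so they are the hash of the original, and the verification hashes come from re-reading the finished image rather than from whatever was still in memory, which is the comparison a certification under the rule actually attests to.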
