Dougherty, Molenda, Solfest, Hills & Bauer P.A.

Authentication: Methods for Testing ESI

1. Comparison.

Corroborate the ESI against other identical data. For example, one forwarded e-mail may be compared to other e-mails from other recipient.

2. Control.

The purpose of establishing a "chain of custody" is to ensure that the evidence has not been contaminated or altered. State v. Johnson, 239 N.W.2d 239, 242 (Minn. 1976). Drugs removed from a crime scene are physical evidence that require a chain of custody to show the method of collection, where the evidence has been since that time, how it was stored and how it was handled during analysis and testing, if any.

By contrast, ESI involves electronic copies, not an original item of physical evidence. As such, for ESI that is not distinctive in appearance, the chain of custody requires proof that the copy of the original is identical to the original, except when it has distinctive characteristics. State v. Bellikka, 490 N.W.2d 660, 664 (Minn. Ct. App. 1992) (deciding that "A chain of custody is not required to authenticate evidence that is identifiable based on its distinctive appearance.")

3. Hash Tags.

This term should not be confused with a Twitter Hashtag or a descriptive "tag" preceded by a "#" symbol. Rather, a hash number is a unique combination of letters and numbers (an alphanumeric combination) that is inserted into a file when it is created. Hash is an encryption algorithm. It is sometimes referred to as a digital fingerprint. The hash value represents something completely unique about the file. And the more important aspect of this fingerprint is that it changes if and when the file changes. This means that hash values play a critical role in proving when a file has been modified, or more importantly, when it has not been modified, e.g., when it is authentic. For example, changing a word-or even adding a period-in a 10,000 page document, would change its hash number.

There are many hash formulas that have been invented, but suffice it to say that these methods, if scientifically validated, become an important evidentiary component in the proof process for introducing certain kinds of ESI.

Even the Word document used to compose this text can be "hashed," generating a code that will be unique, until an additional character is added, which will change the value completely, betraying an inadvertent (or malicious) change.

4. Encryption.

Hash algorithms are a form of encryption because they create a value for a file that is unique. Unlike other encryption methods, however, there is no mechanism for "decryption" of a hash value. In other words, having only the hash value does not allow a user to recreate the source file. The process of creating a hash value is not reversible, which happens to be its most valuable trait: the authenticity of the file is proven, but the file itself can remain confidential.

Hash values can often be used to track stolen intellectual property or to identify other important files with known hash values. For example, in In re Welfare of J.E.M., the hash values of known child pornography files were cross-referenced against hash values of files on a suspect's computer and matching hash values were used to support a conviction. A11-1614, 2012 WL 1380400, at *1 (Minn. Ct. App. Apr. 23, 2012).

5. Metadata.

A file name change does not change a file's hash value. However, modification of metadata, for example an internal field within Word like "modified" or "accessed" dates, can modify the hash value. This is important to understand because it can be used to show manipulation.

No Comments

Leave a comment
Comment Information

Contact Us

Dougherty, Molenda, Solfest, Hills & Bauer P.A.
14985 Glazier Avenue, Suite 525
Apple Valley, MN 55124

Toll Free: 800-595-5419
Phone: 952-432-3136
Fax: 952-432-3780
Apple Valley Law Office Map

Contact Us

Service

At Dougherty, Molenda, Solfest, Hills & Bauer P.A., we represent clients from Apple Valley, MN, and throughout the state, including Burnsville, Lakeville, Eagan, Mendota Heights, Rosemount, Farmington, West St. Paul, Minneapolis, Prior Lake, Savage, Shakopee, Elko-New Market, Dakota County, Scott County, Hennepin County, Ramsey County and other communities south of the river.