Minnesota Legal Blog

Authentication: Methods for Testing ESI

by | Jul 10, 2018 | Trial Practice |

1. Comparison.

Corroborate the ESI against other identical data. For example, one forwarded e-mail may be compared to other e-mails from other recipient.

2. Control.

The purpose of establishing a “chain of custody” is to ensure that the evidence has not been contaminated or altered. State v. Johnson, 239 N.W.2d 239, 242 (Minn. 1976). Drugs removed from a crime scene are physical evidence that require a chain of custody to show the method of collection, where the evidence has been since that time, how it was stored and how it was handled during analysis and testing, if any.

By contrast, ESI involves electronic copies, not an original item of physical evidence. As such, for ESI that is not distinctive in appearance, the chain of custody requires proof that the copy of the original is identical to the original, except when it has distinctive characteristics. State v. Bellikka, 490 N.W.2d 660, 664 (Minn. Ct. App. 1992) (deciding that “A chain of custody is not required to authenticate evidence that is identifiable based on its distinctive appearance.”)

3. Hash Tags.

This term should not be confused with a Twitter Hashtag or a descriptive “tag” preceded by a “#” symbol. Rather, a hash number is a unique combination of letters and numbers (an alphanumeric combination) that is inserted into a file when it is created. Hash is an encryption algorithm. It is sometimes referred to as a digital fingerprint. The hash value represents something completely unique about the file. And the more important aspect of this fingerprint is that it changes if and when the file changes. This means that hash values play a critical role in proving when a file has been modified, or more importantly, when it has not been modified, e.g., when it is authentic. For example, changing a word-or even adding a period-in a 10,000 page document, would change its hash number.

There are many hash formulas that have been invented, but suffice it to say that these methods, if scientifically validated, become an important evidentiary component in the proof process for introducing certain kinds of ESI.

Even the Word document used to compose this text can be “hashed,” generating a code that will be unique, until an additional character is added, which will change the value completely, betraying an inadvertent (or malicious) change.

4. Encryption.

Hash algorithms are a form of encryption because they create a value for a file that is unique. Unlike other encryption methods, however, there is no mechanism for “decryption” of a hash value. In other words, having only the hash value does not allow a user to recreate the source file. The process of creating a hash value is not reversible, which happens to be its most valuable trait: the authenticity of the file is proven, but the file itself can remain confidential.

Hash values can often be used to track stolen intellectual property or to identify other important files with known hash values. For example, in In re Welfare of J.E.M., the hash values of known child pornography files were cross-referenced against hash values of files on a suspect’s computer and matching hash values were used to support a conviction. A11-1614, 2012 WL 1380400, at *1 (Minn. Ct. App. Apr. 23, 2012).

5. Metadata.

A file name change does not change a file’s hash value. However, modification of metadata, for example an internal field within Word like “modified” or “accessed” dates, can modify the hash value. This is important to understand because it can be used to show manipulation.