Exploring the issues surrounding chain of custody for electronic evidence may sound like a great cure for insomnia -- the prospect of filling out endless log forms is enough to put anyone to sleep. But a string of recent judicial sanctions over chain of custody for electronic evidence has made the dry issue a hot topic -- one that can make or break your case.
Though a simple concept, chain of custody can be challenging to uphold for electronic data. Potential electronic evidence must be accounted for from the moment of discovery until admittance at trial to prove its authenticity. Documenting the chain of custody of potential, relevant evidence to disprove tampering or alteration is critical to admissibility at trial.
"Preservation of the chain of custody for electronic evidence [...] is key to the integrity of virtually every subsequent step [leading to trial]," electronic evidence and computer forensics expert Craig Ball says. "In some instances, it's the sole leg on which the integrity of the case stands or falls."
E-EVIDENCE -- FROM THE CONCRETE TO THE ABSTRACT
Before the era of electronic data, chain of custody log forms were filled out to track potential tangible evidence. The forms recorded who handled the evidence and its path during the investigation, until the end of trial. Mostly, chain of custody was relevant to criminal cases.
In a properly handled criminal investigation, all tangible items, such as a murder weapon or blood-soaked clothing, were carefully gathered, identified, bagged, tagged, tested and kept safe in an evidence room until trial. Chain of custody paperwork (usually a handwritten log) was updated every time the item changed hands, from initial collection to trial, and those log forms were usually stored with evidentiary objects to prove authenticity and absence of tampering.
Fast forward to the present, where electronic discovery has added a whole new level of complexity to the rather straightforward chain of custody concept. Physical object tracking still remains intact for criminal cases, but chain of custody isn't just an issue for criminal cases any more. In modern litigation practice, electronically stored information now figures into many different types of cases -- both criminal and civil.
Tom O'Connor, a litigation support consultant and director of the Legal Electronic Document Institute in Seattle, says that the No. 1 request for e-discovery that he's seeing in Washington state is for divorce cases, not criminal ones. Investigators confiscate and search laptops and home computers for proof of adulterous affairs, hidden financial assets and the like -- a far cry from the notorious bloody glove in the O.J. case.
When evidence is in electronic form, chain of custody suddenly becomes two-dimensional -- both tangible and intangible objects need to be tracked and preserved. Brett Burney, e-discovery consultant and president of Burney Consultants, notes that "when applying chain of custody to digital evidence, there are physical, tangible items such as the laptops, PCs, hard drives, CDs, backup tapes, digital cameras, thumb drives, etc., which need to be tracked. However, you must also track handling of the intangible data such as documents, e-mails and the all-important metadata, which captures details such as when files and messages were created, last updated and deleted."
The biggest violation that Burney sees in electronic discovery chain of custody is right at the beginning, when law enforcement, IT people or attorneys turn on computers which have been identified as potential sources of electronic evidence. Powering up computers destroys or overwrites valuable clues and changes metadata, which can lead to charges of spoliation and possible inadmissibility of the digital evidence.
Initially, Burney recommends not touching the computers, even if lawyers or the client are pressuring you to do so. When you decide it's OK to turn them on, document everything that you do -- which files you opened, every action and search you performed, and the time and date of every step. Burney says that while his copious notes are not necessarily admissible evidence, if he is called to the stand to testify about his actions, he can refer to his writings to document exactly what was done to the digital files. This type of due diligence preserves a defensible chain of custody for electronic evidence.
MAKING A FORENSICALLY SOUND COPY OF ELECTRONIC EVIDENCE
In the case of a murder weapon, it's crucial to prove where and when the item was discovered, what fingerprints, hair and residue were detected, and to link it to the crime scene and defendant. For electronic evidence, analysis is virtually never performed on the original hardware (laptop, PC, etc.). Instead, the electronic evidence is "copied" from the original data source and all analysis is done on that replica.
Incomplete or improper creation of that electronic evidence "copy" is a looming pitfall in litigation, mostly because there is confusion about how it should be done properly. When considering chain of custody for electronic evidence, O'Connor says he relates it to the paper world.
"If you made a paper copy, you'd need to have someone testify that it was copied and how," O'Connor says. "The same goes for copying digital data, although finding someone who knows how to properly preserve the electronic data can be difficult."
O'Connor notes that it’s a common misconception that you can just mirror or copy a hard drive or PST (Personal Storage Table) file. "You need to make a forensically sound copy -- a bit-for-bit copy that generates a digital fingerprint," he says. Regular mirroring or copying of digital evidence fails to capture the metadata and deleted files. A truly authentic "image" is one that is created using a forensic software product like Guidance Software Inc.'s EnCase or AccessData Corp.'s Forensic Toolkit (FTK); that image will then be the subject of your examination. Once the image is made, the original laptop or data hardware is usually put into storage and not touched again. All actions done to the hardware and the image or copy need to be documented as part of the electronic chain of custody.
The best way to verify that a digital copy is complete is to apply a hash algorithm to it and obtain a hash value for each file. A file's hash value is effectively unique to its contents, so any change to the file produces a different value.
"The hash value of the copy needs to match the hash value of the source," O'Connor says. "This provides that the files and their copies are digitally identical."
LET THE EXPERTS HANDLE THE EVIDENCE
A common pitfall in litigation is entrusting the collection and preservation of electronic evidence to the client or law firm's IT personnel.
"Internal IT staff doesn't always have an awareness that they have to maintain chain of custody," says Forrester Research principal analyst Barry Murphy, who covers the electronic discovery field. "That is when they bring in a trusted third party who takes on the burden of testimony."
Computer forensics specialists are generally the ones who are qualified to provide expert witness testimony. With their reputations on the line, they have developed foolproof methods to ensure chain of custody defensibility. Knowing what to look for is essential, and highly trained examiners know the right questions to ask.
Craig Ball follows a rigorous process for every case, including documentation, authentication, physical security and access control.
Ball's steps to ensuring tight electronic chain of custody:
- Physically inspect the storage medium -- take photographs and systematically record observations.
- Establish a baseline of contents for authentication and proof of integrity by calculating hash value for the contents. A reliable hash proves that the media contents have not been altered.
- Guard against hazards like theft and mechanical failure by using physical security and data encryption. House multiple copies in different locations.
- Account for all people with physical or electronic access to the data.
- When the time comes, dispose of the data properly, by proven physical or software-based means.
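
The hash comparison O'Connor describes and the baseline and access-accounting steps in Ball's list can be sketched as follows. This is an added example, not code from the article or from any forensic product it names; SHA-256, the file names and the examiner names are assumptions, and chaining each log entry to the previous one goes slightly beyond what the article describes.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_event(log, handler, action, image_path):
    """Append a custody entry that commits to the previous entry."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "handler": handler, "action": action,
             "image_sha256": sha256_file(image_path),
             "prev_entry_hash": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def audit(log, baseline_sha256):
    """List problems: edited/reordered entries, or image differing from baseline."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if _digest(e) != e["entry_hash"] or e["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: log entry altered or out of order")
        if e["image_sha256"] != baseline_sha256:
            problems.append(f"entry {i}: image hash differs from baseline")
        prev = e["entry_hash"]
    return problems

def demo():
    """Constructed scenario: copy verified, then one byte of the copy changes."""
    with tempfile.TemporaryDirectory() as d:
        src, copy = os.path.join(d, "source.img"), os.path.join(d, "copy.img")
        data = os.urandom(4096)  # constructed stand-in for drive contents
        for p in (src, copy):
            with open(p, "wb") as f:
                f.write(data)
        baseline, log = sha256_file(src), []
        log_event(log, "Examiner A", "created image", copy)
        clean = audit(log, baseline)
        with open(copy, "r+b") as f:  # simulate a one-bit alteration
            f.write(bytes([data[0] ^ 1]))
        log_event(log, "Examiner B", "received for analysis", copy)
        return clean, audit(log, baseline)
```
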
Physically securing electronic evidence and media from discovery to trial is intrinsic to upholding chain of custody. Storing hardware and data media in fireproof safes should be common practice -- leaving these items out in plain view can lead to a host of problems and security breach potential.
Sometimes, commercial carriers are perfectly adequate to transport evidence, but occasionally greater security is warranted. Computer forensics expert and Sensei Enterprises President Sharon Nelson says that FedEx is often sufficient for transporting e-discovery materials, since they require a signature on each end and record the time and date of receipt. However, Nelson has seen many more "hands-on" approaches to bringing in the data.
"A lot of our clients won't go through FedEx," Nelson says. "We have had famous people show up personally with armed guards, carrying their CPU towers in their hands. Or they sometimes send a lawyer, a trusted agent or an employee to bring it in. Once it's in our care, we're responsible for it -- we image the drive and return it to the representative." Other highly secure transportation alternatives include armored car transport and bonded messengers.
LOOKING TO THE FUTURE
Ensuring chain of custody and data security for electronic evidence can be taxing, especially when lawyers, IT professionals and vendors are still scrambling to get a handle on e-discovery in many ways. The issue is only growing, though, and it will not go away.
Federal rules for e-discovery handling are already in effect, and some states like New Jersey and Maryland have already established their own statewide rules. O'Connor predicts that it's likely that in the next two to four years, most or all states will be creating legislation with real teeth when it comes to keeping scrupulous security measures to secure digital evidence and ensure a proper chain of custody.
Rest assured, with proper attention to detail and documentation, there is no real reason for you to trip over the digital chain of custody. Finding trusted experts, using sound techniques and developing a defensible process will prevent you from falling asleep at the e-discovery wheel.
This article is reprinted with permission from the October 23 issue of Law.com. © 2007 ALM Properties Inc. Further duplication without permission is prohibited. All rights reserved.













