Authenticating Electronic Evidence in California and Federal Courts
Scott M. Giordano is a solo practitioner in Los Angeles and an
adjunct professor at Loyola Law School, where he teaches the Law of Electronic
Evidence.
E-Mail: SGiordano@ElectronicEvidenceLaw.com.
Introduction
There is a growing sophistication, or at least cognizance, on the part
of the legal community with respect to electronic evidence. The litany
of steps involved in correctly applying the law to such evidence during
the discovery process and throughout trial can be daunting, both in terms
of how to articulate requests for such evidence and the proper strategy
for identifying all potential sources of that evidence. This article addresses
that challenge in a variety of ways.
Federal Rules
At the Federal level, Federal Rule of Evidence 901(b)(9) states that one
method for authenticating an electronic document is to demonstrate "[e]vidence
describing a process or system used to produce a result and showing that
the process or system produces an accurate result." This is typically
accomplished through the testimony of an authenticating witness who explains
the particulars of such a process, and is often done in conjunction with
a computer forensic expert witness.
What falls under the rubric of "writing" in the Federal Rules
is defined in Rule 1001(1) and includes "magnetic impulse" and
"electronic recording" as part of its definition.
California Rules
In California, the Evidence Code explicitly requires that a writing be
authenticated before being admitted into evidence (Evid C §1401(a));
that the proponent of that evidence bears the burden of demonstrating
that the writing is authentic (Evid C §403(a)(3)); and that authentication
be made by a subscribing witness (Evid C §§1411-1413) or circumstantial
evidence (Evid C §1421). In Evidence Code §250, the definition
of "writing" includes "handwriting, typewriting, printing, photostating,
photographing, photocopying, transmitting by electronic mail [sic] or
facsimile..."
No Special Foundation Required
While the trustworthiness of electronic evidence (usually in the form
of a business record) may have given Federal and California courts reason
to pause in the past, today no special foundation is required to authenticate
electronic records vis-à-vis paper ones. The court in United
States v Young Bros., Inc. (5th Cir 1984) 728 F2d 682, 694 states that
[a]ny person in a position to attest to the authenticity of certain
records is competent to lay the foundation for the admissibility of the
records..... This rule applies to computer-generated business records
as well as to other types of business records.
In United States v Tropeano (2nd Cir 2001) 252 F3d 653, the court
stated that the threshold for admissibility of such evidence (in this
case, an audio recording) is one of reasonable likelihood that the evidence
is what it purports to be. Beyond this point, all challenges to the evidence
go to its weight, rather than its admissibility.
Authentication Strategies
Once a proper foundation has been laid for the mechanism that created
the electronic evidence, circumstantial evidence can then be used in establishing
the connection between electronic evidence and its purported creator.
The following are authentication strategies, delineated by medium:
1. Electronic Mail (E-Mail)
Craig J. Chval and Keith G. Chval in Authenticating Online Communications
and Making them Count, HTCIA International, 2002 <http://www.htcia.org/online
newsframe.htm> suggest the following methods for authenticating a message:
(1) The Reply-Letter Doctrine. Usually applied to paper mail, used
in this context, it would tend to authenticate an original e-mail message
when a reply to that e-mail contains the original in the body of the reply;
(2) Content of the Message. If the content of the message reveals
information that only the author would have known, subsequent investigation
or formal discovery can confirm that this is truly the case, and tend
to establish a connection between the message and the alleged author;
(3) Header Information. Routing information of the message (such as
an IP address) contained in the message header will indicate
all of the servers and/or routers that a message has passed through. From
there the task becomes connecting the alleged author to the computer that
generated the message;
(4) Actions of the Author. If the alleged author takes actions subsequent
to the message's dispatch that are consistent with the content of
the message then, like in #2, these actions tend to establish a connection
between the message and the alleged author.
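To illustrate the Header Information method, the following added example (not part of the original article) reads the Received lines of a message and lists each hop, oldest first, with the IP address and time stamp it recorded. The message, host names and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: fictional hosts, documentation-range IP addresses.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby mailstore.recipient.example with ESMTP id C3;
\tMon, 4 Mar 2002 10:15:09 -0800
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2;
\tMon, 4 Mar 2002 10:15:04 -0800
Received: from workstation12 (unknown [192.0.2.44])
\tby smtp.sender.example with ESMTP id A1;
\tMon, 4 Mar 2002 13:14:58 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?by\s+(\S+)", re.S)

def trace_hops(raw):
    """Return the relay hops oldest-first (each server prepends its own line)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        try:  # the time stamp follows the last semicolon of the header
            stamp = parsedate_to_datetime(value.rpartition(";")[2].strip())
        except (TypeError, ValueError):
            stamp = None
        hops.append({"from": m.group(1) if m else None,
                     "ip": m.group(2) if m else None,
                     "by": m.group(3) if m else None,
                     "time": stamp})
    return hops

def time_anomalies(hops):
    """Indexes of hops stamped earlier than the hop before them."""
    # Lines written before the first server the examiner trusts come from the
    # sender's side, so a backwards time stamp there calls for corroboration
    # (for example, that server's own logs).
    return [i for i in range(1, len(hops))
            if hops[i]["time"] and hops[i - 1]["time"]
            and hops[i]["time"] < hops[i - 1]["time"]]
```

The first hop's IP address is the starting point for connecting the message to a particular computer; an index returned by time_anomalies marks a hop whose recorded time is out of sequence.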
2. Websites
A witness can authenticate the contents of the website much in the same
way as he or she would a photograph or similar exhibit. When the opposing
party wishes to contest the trustworthiness of such evidence, he may do
so by examining the totality of the qualities of the website. The best
person to testify as to the authenticity (or the lack thereof) of the
contents of a site is usually the person responsible for maintaining the
integrity of the website, referred to as the webmaster. A
webmaster is typically well versed in the protocols used to create, maintain
and protect the site and can provide valuable testimony.
3. Chat Rooms and News Groups
A news group (such as USENET) is essentially an electronic version of
a bulletin board, a place where participants can post messages about a
particular topic. A chat room is an interactive version of a news group
where participants can post messages to the entire group or just certain
members. Each poses a larger problem than websites since they're
hosted by a third party (similar to a common carrier) and the participants
often use pseudonyms (so-called "screen names").
According to Greg Joseph (see <http://josephnyc.lawoffice.com/article
2.htm>), potential authenticating data include: evidence that the individual
used the screen name in question when participating in chat room conversations;
evidence that, when a meeting with the person using the screen name was
arranged, the individual in question showed up; evidence that the person
using the screen name identified him- or herself as the individual in
chat room conversations or otherwise, especially if that identification
is coupled with information unique to the individual, such as a street
address or email address; evidence that the individual had in his or her
possession information given to the person using the screen name (such
as contact information provided by the police in a sting operation); evidence
from the hard drive of the individual's computer reflecting that a user
of the computer used the screen name in question.
4. Application Program Files
In addition to the above types of evidence, files created by application
programs (such as Microsoft Word) usually contain "metadata" (i.e.,
data about other data) that may be utilized in the authentication process.
Such data is normally embedded invisibly in the documents but may be viewed
using forensic utility programs (e.g. Metadata Assistant, published by
the Payne Consulting Group).
Included in this metadata could be the type and serial number of the microprocessor
of the computer hosting the application program; the Global Unique ID
(GUID) of the file in question; the file's author; the date on which
the file was created; and when it was last accessed. A GUID is an electronic
fingerprint or serial number placed in the non-printing portions of many
documents, such as Microsoft Word documents, which identifies the program
that created it. It can be used to compare various documents to see if
they came from the same source and if that source is positively identified,
then the various documents can be potentially authenticated.
Metadata can be crucial to verifying that a document was created or sent
before, on, or after a given date and in doing so can be used to support
or impeach testimony with respect to the document's veracity.
5. Internet or Network Surfing
When the evidence to be proffered is not a message or document but rather
the places that a defendant has allegedly visited (especially in the context
of a computer intrusion), an audit trail is very useful. An audit trail
is a list of activities or events that have occurred over time for a given
computer function. Some examples include telephone connection records,
modem bank logs, router logs and system access (and related) logs. (See
Mandia and Prosise, Incident Response: Investigating Computer Crime,
McGraw-Hill Osborne, 2001.) The system administrator is the point of contact
for such logs and will be able to indicate the types of programs that
lend themselves to auditing.
Conclusion
Electronic evidence is increasingly used in the courtroom. A computer
forensic expert should be incorporated into this process as early as possible
in order to prevent any spoliation of potential evidence. The challenge
and responsibility that lies before lawyers as a profession is to appreciate
both the complexities as well as the subtleties involved in this constantly
changing discipline of electronic discovery.