The Forensics Take: Authenticating Trump Jr.'s 'Russia Meeting' Evidence
ALM Media
On July 8, The New York Times reported that during the 2016 U.S. presidential election campaign, Donald Trump Jr. met with individuals connected to the Russian government. The individuals purported to have incriminating evidence against then-Democratic presidential candidate Hillary Clinton.
In the days that followed, The New York Times obtained and shared excerpts from emails between Trump Jr. and Rob Goldstone, a former British reporter and publicist with connections to the Trump organization. The emails documented the two organizing the meeting. The paper also showed that Goldstone "checked-in" at Trump Tower on Facebook on June 9, 2016, the date of the meeting, writing: "preparing for a meeting."
On July 11, Trump Jr. himself verified the authenticity of the emails, releasing them in full on his Twitter account. It was a rare confirmation from a direct source, one all investigators, whether in journalism, regulatory agencies or law firms, desire.
But what if said emails were not released? And what if The New York Times could not rely on witness sources or direct evidence to support their authenticity, or for that matter, the authenticity of Goldstone's social media post?
Authenticating the digital evidence, especially in a way that could hold up as evidence in court, would be far more difficult, though not entirely impossible, depending on the nature of the evidence itself.
With emails, authentication is a fairly straightforward process. "What people don't realize is that every email has a hidden thing called an email header," said John Rosenthal, partner and chair of the e-discovery and information governance practice at Winston & Strawn.
Acting as a type of metadata container, the header usually provides "a whole lot of information about where the document came from; it's actually going to reflect every server that it touched to the point [to where] it got to you, and it's also going to identify the IP address [and estimated location] of the original sender," he explained.
John Simek, vice president of Sensei Enterprises, added that such email headers can also include information about "what workstation and email client was used [to send the email], and if it was web-based or not."
With this metadata information at hand, Simek said, one can "with a high degree of confidence, say that these were authentic messages that were sent from this account to that account and sent back."
The data gleaned from email headers will likely be more than enough to meet the evidence authentication requirements mandated by the Federal Rules of Evidence (FRE) Rule 901, a standard commonly used by both federal and nonfederal courts around the country.
Among other things, the rule allows for authentication based on "distinctive characteristics" of an item including its contents and substance, such as email addresses and messages. These characteristics must be taken together with circumstantial facts, such as evidence a person was at their computer or device at the time an email was sent, or that the email client and device identified in the header matches those commonly used by the person in question.
There is, however, one large caveat to collecting information from email headers: In order to obtain all relevant metadata, one must be in possession of the original email itself. Having a forwarded copy of an original email, Simek noted, creates entirely new header information. "[All I'm] able to see is your information about the forwarding, and not about the original message."
But once in possession of an original email, extracting the header is fairly easy. Simek explained that one can use e-discovery tools for the task, or even extract it manually from the email client, though the steps for that will vary depending on "if it's a Gmail message, if it's Hotmail or some [other] web-based client. The processes are different."
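To make the header metadata described above concrete, the following added example (not from the article or the people quoted in it) parses a raw message with Python's standard `email` module and reconstructs the server path, originating IP, mail client and timestamp ordering. The message, domains, IP addresses and `X-Mailer` value are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the article); reserved example domains/IPs.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by inbox.example.org with ESMTPS id abc123;
 Thu, 9 Jun 2016 10:15:07 -0400
Received: from [192.0.2.44] (client.example.net [192.0.2.44])
 by mx.example.net with ESMTPSA id xyz789;
 Thu, 9 Jun 2016 10:15:03 -0400
From: Sender <sender@example.net>
To: Recipient <recipient@example.org>
Subject: Meeting
Date: Thu, 9 Jun 2016 10:15:01 -0400
Message-ID: <0001@example.net>
X-Mailer: ExampleMail 1.0

Body text.
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Hops oldest-first; each relay prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        route, _, stamp = " ".join(value.split()).rpartition(";")
        ip, by = IP_RE.search(route), re.search(r"\bby\s+(\S+)", route)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops

def summarize(raw):
    """Collect the header fields an examiner would compare against other evidence."""
    msg, hops = message_from_string(raw), received_hops(raw)
    times = [h["time"] for h in hops]
    return {
        # Only hops written by servers you trust are reliable; earlier
        # Received lines are supplied by the sending side and can be forged.
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "path": [h["by"] for h in hops],
        "client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id": msg.get("Message-ID"),
        "timestamps_in_order": times == sorted(times),
    }

if __name__ == "__main__":
    print(summarize(RAW))
```

Run against a forwarded copy, the same functions would report the forwarder's hops, client and Message-ID rather than the original sender's, which is the limitation Simek describes.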
He advised attorneys, however, to turn to data forensics experts for such extractions, given that "DIY extractions of headers" will likely run into problems, and those who extract the data may also be called to testify in court.
Social Media Authentication
While email authentication is relatively simple, verifying social media content, such as Goldstone's Facebook "check in," is a whole other ballgame.
Whereas emails have accessible metadata headers, "a lot of the information that you might need [from social media] isn't accessible to the common user; it is only accessible behind the scenes" from the social media company itself, Simek said.
That being said, independently obtaining metadata information about a social media post is not entirely impossible.
Brandon Daniels, managing director and president of Exiger Analytics, noted, "There are open-source Python scripts that if someone, for instance, has a [public] Facebook profile, you can run some analytics on and potentially obtain some basic information about a post," such as the device used and location of the user when he or she posted.
But Daniels added that such tools and methods "probably cross the lines of hacking and applicable legal restrictions in terms of utilization of certain code on a privately owned website on Facebook."
So aside from using potentially illicit tools or acquiring metadata information about a specific post from the social media company, there is little attorneys and investigators can do but rely completely on external evidence to corroborate the post.
What this external evidence needs to entail, however, can depend on what court jurisdiction an investigation or case finds itself in. While federal courts are governed by the authentication guidelines put down in the FRE Rule 901, Rosenthal noted that there are two standards of social media authentication within the U.S. state courts.
The first is "the Texas approach," which is based off of a Texas state court ruling in Tienda v. State that declared social media content should be treated like email content and subject to authentication standards set down in FRE 901.
The second is "the Maryland approach" based off of a Maryland state court ruling from Griffin v. State that set out three different ways attorneys can authenticate social media content.
"The first is to ask the author or creator of the profile whether it's his or her post," Rosenthal said. "The second is to search the computer where it came from, to basically identify the hard drive contents or internet history. And the third way is obtain information from the social media network or website that can attest to what [the post or profile] is."
Rosenthal called the Maryland approach "a pretty tough standard," but noted that only a handful of states have adopted it, with most others trending toward the Texas approach.