Wednesday, June 16, 2010

Best Evidence Rule and Digital Copies

I’ve done a few posts that discussed the best evidence rule and digital copies of documents, such as emails. The rule has historically focused only on documents. As Wikipedia notes, “the rule can be traced back at least as far as the 18th century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was `the best that the nature of the case will allow’.” As Wikipedia also notes, under the best evidence rule “secondary evidence, such as a copy or facsimile, will be not admissible if an original document exists, and is not unavailable due to destruction or other circumstances indicating unavailability.”

Wikipedia explains that the rationale for the best evidence rule can be understood from

the context in which it arose: in the eighteenth century a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.

This post is about a case in which the defendant argued that digital image and movie files were introduced into evidence in violation of the best evidence rule. The case is Midkiff v. Commonwealth, 54 Va. App. 323, 678 S.E.2d 287 (Virginia Court of Appeals 2009) [Midkiff #1], affirmed 2010 WL 2305819 (Virginia Supreme Court 2010) [Midkiff #2]. Here’s a summary of how the case arose:

On August 3, 2006, pursuant to a search warrant issued earlier that day, Sergeant Thompson of the Bedford County Sheriff's Office and Investigator Arnold of the Pittsylvania County Sheriff's Office searched [David Midkiff’s] house for child pornography. [He] was not home at the time the warrant was executed. However, the officers located a telephone number on his phone's `caller ID’ inside his house and called him. They told [Midkiff] where they were and their purpose for being there. [He] advised the officers that he had `purchas[ed] memberships to child pornography websites’ and that child pornography was stored in `his computer.’ He told them where that computer was located in his house. The officers seized the computer and sent it to the Department of Forensic Science in Richmond to determine whether child pornography was stored on the computer's hard drive.

Midkiff #1, supra. Midkiff was charged with and, following a jury trial, convicted of multiple counts of possessing child pornography. Midkiff #1, supra. In his initial appeal to the Court of Appeals, Midkiff outlined the following facts as being relevant to his best evidence argument:

Kristen Scott . . . testified that she was an employee of the digital evidence section of the Department of Forensic Science. After testifying that the Defendant's computer was delivered to her for forensic analysis Ms. Scott testified that there were 5 hard drives in the Defendant's computer and that the first thing she did was make an image of the hard drives, a bit for bit copy. Ms. Scott stated, `it's very similar to making a photocopy of a document. The difference is every time you make a photocopy of a document you lose something. When you make a bit for bit image of a hard drive you get the exact same thing each time.’ Ms. Scott then went on to describe how she looked for contraband images on the image of the hard drive which she had made and identified the images shown to her as being fair and accurate representations of what she found on [Midkiff’s] computer. . . . Ms. Scott testified that when she recovered the images she wrote them onto a data DVD and provided that DVD to Investigator Arnold.

On cross examination Ms. Scott confirmed that she made a copy of the hard drive from the computer and that she first tried to use her automated forensic tool to examine it and could not. The following colloquy then occurred between defense counsel and the investigator,

Q. . . . and so after you did that, you were able to use your regular software, you did that, you made a copy of what you made a copy of and gave it to Investigator Arnold. Is that correct?

A. Yes.

Q. If Investigator Arnold has just testified that a copy was made from what you gave him to print out these pictures, that would be a third generation copy. Is that correct?

A. No sir.

Q. Alright, why is that not a correct answer?

A. Because in computers a bit for bit digital copying, there is no such thing as a generation. Each copy you create from the original is considered forensically to be an original.

Q. Forensically?

A. Yes.

Q. Okay, but it's the third time that has been copied. Correct?

A. I believe so.

Q. Copied from where, where is Mr. Midkiff's computer now?

A. I have no idea.

Q. It's not in the courtroom is it?

A. I have not seen it.

Q. Did you put the hard drives back in it?

A. Yes, I did. . . .

Q. So where is the hard drive now, the actual hard drive?

A. I returned it to Investigator Arnold.

Q. And do you have an idea where the actual hard drive is?

A. I do not.

After Ms. Scott testified significant argument occurred with the Defendant taking the

Corrected Brief of Appellant, Midkiff #1, supra, 2008 WL 7526913. Midkiff argued, again in his initial appeal, that the trial judge erred in admitting into evidence the sixteen

images and three digital movie files of suspected child pornography purportedly recovered from his computer. He argues that evidence was not the best evidence of data stored on his computer as it was `at least third generation removed from [his] computer hard drive.’ He asserts . . . that the hard drive of his computer, allegedly containing the offending images, is `what needs to be produced under the best evidence rule.’

Midkiff #1, supra. The Court of Appeals rejected the best evidence argument in essentially two sentences (when you take out the citations and quotations to authority):

In Virginia, the best evidence rule has been limited to writings. . . We conclude the images and digital movies of child pornography admitted as evidence did not constitute `writings’ under the best evidence rule.

Midkiff #1, supra. The logic, of course, is that (i) the best evidence rule only applies to “writings,” and (ii) the images and movies were not “writings,” so the best evidence rule did not apply to them.

Having lost on that and some 4th Amendment arguments before the Court of Appeals, Midkiff tried again with the Virginia Supreme Court. Before the Supreme Court, he again argued that the images and movies admitted at trial were a “`third generation removed’” from his original hard drives and that “because there was no evidence that the hard drives themselves were not available, under the best evidence rule, the still images and video recordings should not be admitted into evidence.” Midkiff #2, supra. He also argued that “because digital images are subject to manipulation,” the Supreme Court “should extend the best evidence rule to these images because only that rule `insures the integrity of a criminal conviction.’” Midkiff #2, supra. He lost again:

We decline Midkiff's invitation to extend the best evidence rule to this case. Not only is application of the rule limited to written documents. . . but the purpose of the rule, reliability of evidence, is amply met in this case as discussed below. . . .

Scott was qualified as an expert and testified that a bit for bit copy of a hard drive is a reproduction of the actual hard drive without degradation and is considered forensically to be an original. She also testified that she made a bit for bit copy of the hard drives in Midkiff's computer. . . . Arnold testified that he produced the photographs from the data DVD he received from Scott and the photographs were the same as he viewed on the data DVD. Scott also identified the photographs and video clips as accurate representations of the child pornography she viewed on the digital reproduction she made of Midkiff's hard drives. Midkiff made no assertions that the admitted photographs or video clips were in any way manipulated or altered from the images that resided on his computer's hard drives. . . . [W]e conclude that the printed pictures and video recordings were reliable representations of the material contained in the digital image and video recording files on Midkiff's computer hard drives and thus the circuit court did not abuse its discretion in receiving them into evidence.

Midkiff’s argument was far from specious. Federal Rule of Evidence 1002, which is one of the rules that governs admission of evidence in federal cases, states that to “prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required” except as other rules of evidence or statutes provide otherwise. I did some quick research in state cases and a number of states seem to follow the same rule.

His argument also raises an interesting issue: If the best evidence rule is intended to address the possibility of errors in copying evidence, why wouldn’t it apply to data and images and other digital evidence . . . which can be copied? I’m assuming that the rule originally applied only to documents because they’re the only thing that could be copied in the 18th century, when the rule emerged. On the other hand, as Ms. Scott noted, the process of making digital copies may be sufficiently reliable that we don’t need to apply the best evidence rule in this context . . . ?


SeaDrive said...

The court said the copies were OK because Ms. Scott said the copies were OK. But if it was a matter of fraud, Ms. Scott was the person in a position to commit the fraud. It seems weak to me to rely on her assertions of good copies. I did not see that there was testimony that the final images were compared visually to images on the hard drive, and it should be easy enough to make the comparison.

Charles Jeter said...

It was a really good attack on the chain of custody by the defense counsel... However, there may be enough digital rights legislation which has set precedent about digital media, such as mp3 and FLV files made of original content still holding intellectual property value.

In my layman's terms, it seems to be apples to apples for any jury to understand that if a copy of music or video is considered good enough to take kids to court over, a copy of restricted material would hold the same value, no matter what minor degradation may take place.

@ SeaDrive: The bit for bit copy is the standard set long ago - I've also heard it referred to as able to be validated through a 'binary comparison' to ensure the data is exactly the same as the original set. Variations of storage media, such as hard drive bad sectors may actually cause variation but I've not dived deeply enough into that to comment.

Professor Don said...

Actually most forensic software (Encase in particular) uses hash keys and other checks that verify the copy is identical to the original.

Good forensic software also insures that the original is not written to by anyone including the operating system. In fact, after making a forensic copy, the original should never be accessed again and should be secured as evidence.

If such protections are used, then there will be no difference between the copies and the original. There should be no problem with using copies as "best evidence" since it can be proven that there is no difference by any interested party.

Anonymous said...

[He] advised the officers that he had `purchas[ed] memberships to child pornography websites’ and that child pornography was stored in `his computer.’ He told them where that computer was located in his house.

He should have just said: please, please lock me up for a very long, long time as I am an idiot.

Anonymous said...

If a copy is absolutely identical to the original, is it really a copy?

Professor Don said...

Great point about a copy being identical.

Here's the difference. The original is what the defendant possessed. It must be secured and protected with a chain of custody. It should never be subjected to a forensic examination because of the fragile nature of digital evidence.

A copy however can be examined and, if something goes wrong, discarded and the process started over.

A good forensic process will prove that the copy is identical to the original at the start and at the end of the examination.

Anonymous said...

If the defense argument was upheld by the courts, the implications could have been far reaching. Would the camera’s memory card need to be presented as the original version of a crime scene photograph?

Karen said...

@Professor Don -
As I recall, technically the hashing function in EnCase is verifying that 'what it read is what it wrote,' not that it wrote what was on the hard drive with 100% precision. I believe this is why an image can have read errors and still verify. I'm admittedly a little rusty.

What if the original computer was booted by someone after the bit-stream image was created by Ms. Scott? I would argue at that point the image *became* the best evidence. Surely if someone used the defendant's computer between the time it was seized and the time of the trial, and deleted all relevant pornographic images, one could not argue that this is 'best evidence...'?

Sure the whole argument is a hail mary, but it is interesting.

Anonymous said...

Professor Don said:
Actually most forensic software (Encase in particular) uses hash keys and other checks that verify the copy is identical to the original.

This is not technically accurate. EnCase never compares the content of a forensic image back to the "original" hard drive. You can imagine this is impossible where there are read errors on the original media and EnCase has replaced the bad data with \x00. There is no way to compare \x00 in the forensic image to the bad data on the original drive. What EnCase verification means is the content of the image has not changed since it was written. EnCase only compares the current content of the image to what EnCase initially wrote into the image. So if there are no read errors, what EnCase initially wrote into the image matched what was on the original drive (NIST testing has confirmed this). But where there are read errors on the original drive, what EnCase writes is \x00 (in compliance with NIST standards).

An EnCase verification process only compares what is currently in the image to what EnCase wrote initially. It never ever compares back to the original media - nor could it because of the possibility of read errors.

Perhaps a minor point, but in technical matters, sometimes minor is critical.
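The distinction drawn in the comments above, between verifying an image against what was written at acquisition and comparing it back to the original media, shown as an added example that is not part of the original post or comments and is not any forensic product's code. The simulated drive, the 512-byte sector size, SHA-256 and all function names are assumptions made for illustration.

```python
import hashlib

SECTOR = 512  # assumed sector size for this constructed example


def acquire(read_sector, n_sectors):
    """Image a device sector by sector, zero-filling unreadable sectors.

    Returns (image bytes, acquisition hash, list of bad sector numbers).
    """
    image, bad = bytearray(), []
    for lba in range(n_sectors):
        try:
            data = read_sector(lba)
        except OSError:
            data = b"\x00" * SECTOR  # zeros stand in for the unreadable data
            bad.append(lba)
        image += data
    return bytes(image), hashlib.sha256(image).hexdigest(), bad


def verify(image, acquisition_hash):
    """True if the image still matches what was written at acquisition."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def make_device(sectors, unreadable=()):
    """Constructed stand-in for a drive: returns a read_sector(lba) callable."""
    def read_sector(lba):
        if lba in unreadable:
            raise OSError(f"read error at sector {lba}")
        return sectors[lba]
    return read_sector


# Constructed sample "drive": 4 sectors of distinct content, sector 2 unreadable.
TRUE_SECTORS = [bytes([i + 1]) * SECTOR for i in range(4)]
DEVICE = make_device(TRUE_SECTORS, unreadable={2})

if __name__ == "__main__":
    image, acq_hash, bad = acquire(DEVICE, 4)
    third = bytes(bytearray(bytearray(image)))  # a copy of a copy of the image
    tampered = image[:10] + b"\xff" + image[11:]
    print("bad sectors:", bad)
    print("image verifies:", verify(image, acq_hash))
    print("copy of copy verifies:", verify(third, acq_hash))
    print("tampered copy verifies:", verify(tampered, acq_hash))
    print("image equals true media content:", image == b"".join(TRUE_SECTORS))
```

The hash check passes for every later copy of the image and fails for an altered one, yet it says nothing about the zero-filled sector, which is why the list of bad sectors belongs in the acquisition record alongside the hash.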
