Legally Preserving Online Evidence

By Justin D. Hodson, CPI, CSMIE

When I started private investigations twenty years ago, we were just starting the preservation of social media and online evidence. In 1999, most investigators preserved online evidence by printing it out with your packet of evidence and report.  Fast forward to now, and a lot of our evidence is online electronic content that should be preserved correctly to admissible and defensible in court.  

A recent Pew Research study indicated that 86% of Americans use social media.  This is a staggering number of people online.  Additional research shows that eight billion videos are viewed daily on Facebook.  Also, 23% of Facebook users are checking their profile five times or more a day.  With these outcomes, it’s clear that social media and online usage are prevalent and here to stay.      

Based on the results of this research, the potential online evidence is abundant.  However, it needs to be secured and preserved appropriately to be admissible in court.  This electronic online evidence should be preserved accordingly to the ever-changing laws and current case law.  In this article, I will go over electronically stored information (ESI), the best methods of preservation and some of the laws that govern the process.

Electronically Stored Information

Electronically stored information (ESI), is defined as information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.  So, any online content when preserved and stored would be considered ESI.  As an investigator, it is important that you know the Federal Rules of Evidence codes and your local codes that govern ESI and how to handle the evidence properly.

Relevancy and Authentication

In order for your evidence to be admissible in court, one must make sure that the evidence is relevant to your case, and it must be authenticated. Electronically stored information, without any indication of its creator, source, or custodian may not be authenticated under Federal Rule of Evidence 901.” United States v. O’Keefe, 537 F. Supp. 2d 14, 20 (D.D.C. 2008).

For an investigator to authenticate electronically stored information they must answer, at a minimum, these following questions. Per Arkfeld on Electronic Discovery and Evidence § 8.11(C), at 8–63, (3d ed.)

• When was the evidence collected?
• Who handled the evidence before it was collected?
• Where was the evidence collected?
• How was the evidence collected?
• What are the types of evidence collected?

Preservation of Online Evidence

For us to answer the preceding questions, the evidence should be collected and preserved in a way that answers the queries above.  It’s important to document the following when preserving your evidence:

• Document the investigator who is preserving the evidence
• Type of machine and browser you are utilizing
• Your IP address during the preservation
• Document the complete URL that you are preserving
• Record the date, time and location that you preserved the content
• Document the name and type of file you preserved
• Record the process you did to preserve the evidence
• Store the information in a secure and single location for the complete storage time

A diligent online investigator can accomplish those above by meticulous documentation or by using preservation software.    

Preservation Software

For this article, we will touch on some of the available programs that will allow you to preserve online evidence in a way that will be not only admissible in court but also defensible.

One of the most popular and basic ways to preserve online evidence is via a “screenshot.”  A screenshot has been defined as an image of the data displayed on the screen of a computer or mobile device that is captured to a single file that can be viewed.  The most popular screenshot software is Snagit.  Snagit is a screenshot program that captures video display and audio output. Originally for the Microsoft Windows operating systems, recent versions have also been available for macOS, but with fewer features. It is created and distributed by TechSmith and was first launched in 1990.  It is very reasonably priced and should be a tool for any online investigator.  

The problem with screenshot preservation is that astute attorneys could inject doubts in a judge or jurors’ minds about manipulation and authenticity of the basic screenshot.  This is because of the lack of metadata or MD5 hash values.  There are many ways to take a screenshot other than Snagit.  However, it is an opinion that we as investigators should circumvent screenshots and focus on more advanced methods of preservation.  The following are additional innovative software that helps with the preservation of online evidence.

X1 Social Discovery software is that can help with the preservation of online evidence.  The software allows users to search and preserve online data.  This software is installed on your computer and may require a higher processing PC.  The data is collected and preserved in a way that can be authenticated and is defensible.  Each collected item secures MD5 hash values of specific items showing that the preserved item is an actual and true copy of the original content.  The problem with this software is the time for an investigator to acclimate to the use of the software.  Further, the price point is in the thousands of dollars.  Their website is https://www.x1.com.

The second recommended software is Pagefreezer.  Pagefreezer provides websites, blog & social media archiving to meet regulatory compliance and eDiscovery requirements. This software is an application that is downloaded and uses your Chrome internet browser.  There is no large file software downloaded on your PC.  Like the other software, items are collected in a way that secures MD5 hash values of individual items showing that the preserved item is an actual and true copy of the original content.  While running the software an MHTML file and PDF is also preserved.  The price point is high but can be negotiated dependent on your amount of use.  Their website is https://www.pagefreezer.com.

The last recommended software is called Huncly.  This software provides court ready preserved content similar to the other two types of software.  The software is downloaded on your PC.  The requirements for the software are not as high as X-1.  Huncly provides dynamic captures that include MHTML files with MD5 Hash Values.  The deliverables include a report with appropriate captures.  The price point of Hunchly is reasonable.  The only issue that we have experienced is that the software has had recent coding bugs that require regular updates. The developer appears to be responsive to these problems as they arrive.  Their website is https://www.hunch.ly.

As our investigations become more online based, we need to guarantee that the evidence is captured and preserved correctly.  Using software and established processes are critical to legally preserving online evidence. 

Justin D. Hodson, CPI, CSMIE is a California licensed private investigator and owner of Hodson P.I., LLC.  He is a Certified Social Media Investigators Expert and Certified Professional Investigator.  He has been a private investigator since 1999.