John Patzakis, Executive Chairman, X1 Discovery

John, you're Executive Chairman at X1 Discovery. Tell us a bit about your role – what does a day in your life look like?

This is an exciting time in the eDiscovery and computer forensics field, given all the legal developments and technical innovation, so a lot of my time is spent tracking and analyzing these various changes and advancements. I am active on our blog and generally publish two articles a month. I also engage a lot with key partners and law firms to bring joint services and technology solutions to our mutual customers. And I am chairman of the board of directors where I oversee X1’s strategy and get to focus on the big picture.You recently posted an article about a new amendment to US Federal Rule of Evidence 902. Why do you predict an increase in the utilization of forensics and eDiscovery practitioners coming from this?

F.R.E. 902(14) provides that electronic data recovered “by a process of digital identification” is to be self-authenticating, and allows for a streamlined process to admit digital evidence at trial where best practices are employed, through a written affidavit by a “qualified person,” instead of requiring their actual trial testimony. The accompanying official Advisory Committee notes, which are very important in applying the law, specifically reference the use of hash values to verify collected digital evidence to provide the requisite “process of digital identification” required by the statute.

So in effect this new rule will greatly encourage the use of tools and qualified practitioners by providing a very efficient process to establish a foundation for ESI collected in a Rule 902(14) compliant manner. And as the law requires a “qualified person” to provide the written testimony via affidavit, this will essentially necessitate a competent forensics or eDiscovery practitioner to provide their written testimony, which will be in the place of expensive and burdensome in-person trial testimony.

Prior to rule 902(14), there were some disincentives to utilizing a forensic expert as some attorneys assumed hiring them would require expensive testimony and pre-trial depositions, and thus there was temptation to go the “fast and easy” route, even though there were clear risks associated with that approach. But now that dynamic is actually reversed. If you don’t utilize best practices, you will not be able to take advantage of the considerable efficiencies provided by rule 902(14).


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


At the same time, this rule will in effect call into question electronic evidence collection methods that do not enable a defensible “digital identification” and verification process. In fact, the Advisory Committee notes specifically reference the importance of computer forensics experts, noting that a “challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert.”

So for instance, if key social media evidence is collected through manual print screen, which is not a “process of digital identification” under Rule 902(14), then not only will the proponent of that evidence fail to take advantage of the efficiencies and cost-savings provided by the rule, they will also invite heightened scrutiny for not preserving the evidence utilizing best practices. All of this, in my opinion, will add up to increased utilization of forensics and eDiscovery professionals.

In your opinion, will Rule 902(14) have different implications for law enforcement professionals (compared with corporate, for example), and what might these different challenges be?

The Rule will create efficiencies for prosecutors and while it should reduce the overall in-person trial testimony requirements of computer forensics law enforcement professionals, I believe it will overall increase their utilization, so that can cause additional strains on resources. But in terms of the biggest impact, today many front line detectives and other investigators who are not equipped with the tools and training to properly collect and handle digital evidence are routinely doing so anyway. They will simply power on and rummage through laptops and mobile phones they find, or go to a suspect Facebook page and hit print screen. As mentioned in the previous answer, now prosecutors are going to be reinforcing best practices and relying on trained forensics examiners because it will make their lives a lot easier at trial. So I believe this is likely going to cause some disruption in how a lot of police work is done.

Defining best practices, particularly when international cases are taken into account, can be a minefield of complications. In your opinion, what would an attempt at defining this look like, and how practical might it be to implement?

Regarding the law, all it really is doing is replacing, in most cases, in-person trial testimony with written affidavits. It also is creating a lot more predictability and other efficiencies on many levels for trial attorneys.

The Advisory Committee provides this important guidance: “A proponent establishing authenticity under this Rule must present a certification containing information that would be sufficient to establish authenticity were that information provided by a witness at trial.” What that means is that the written affidavit must put forth sufficient and competent testimony to establish that the electronic evidence was collected via a process of digital identification and that the evidence was subsequently verified as not being unchanged through a hash value checksum. The written testimony must be just as sufficient as if the testimony were orally provided at trial. Ultimately, however, it is the judge who is determining whether this sufficiency standard is met, and that is on a case-by-case basis.

As we all know, backlogs in digital forensic investigations are a huge challenge for practitioners – how does the retroactive aspect of 902(14) impact upon this, and what should digital forensic professionals start doing now to make sure they're prepared?

Digital forensics professionals need to study up on the law right away, as while FRE 902(14) technically goes into effect on December 1, 2017, electronic evidence collected in a Rule 902(14) compliant manner any time prior to the statute’s effective date can be subject to the new rule’s provisions once the rule goes into effect. This is important, because digital evidence is routinely collected well in advance of trial. Electronic evidence that an examiner collects this week may not be actually introduced at trial until one year or more from now, so practitioners need to understand and account for Rule 902(14) immediately.

In your opinion, is Rule 902(14) a positive step forward for digital forensics as a field? Why / why not?

The Rule is extremely important. First off, it is solely dedicated to electronic evidence. As mentioned before, the accompanying official Advisory Committee notes, which provide essential guidance on applying law, specifically reference the use of hash values and verification hash values as the only example as a means to verify collected digital evidence to meet the rule’s requirement for “a process of digital identification.” This is only possible with the right forensics tools utilized by trained professionals who know how to use them. And as I mentioned, the Advisory Committee notes also specifically reference the importance of computer forensics experts, noting that a “challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert.”

All of these elements, not to mention the intangibles associated with computer forensics practices being directly referenced in in the US Federal Rules of Evidence, add up to a very positive and significant impact.

Digital evidence collection is forever changing, with the proliferation of data and devices. What do you think the most important developments are that need to happen within the near future, in order to help investigators keep the pace?

I really believe social media, Internet and cloud-based data is still widely overlooked. To be sure, there are countless examples of social media evidence providing the smoking gun, and many practitioners are doing a good job and making a difference. But many others are still not baking social media and internet investigation into their investigation processes, even though social media and internet data is relevant to nearly every case. Part of the problem is that it is burdensome to manually view social media accounts. That is why it is so important to provide the right solutions to enable efficient and scalable Internet-based investigations.

Finally, when you're not working, what do you like to do in your spare time?

Most recently, I have been going on some very enjoyable nature hikes with my family, which is lot of fun. We try and visit a couple of National Parks here in the US each year.

John Patzakis is an attorney and Executive Chairman of X1. Mr. Patzakis is widely published over the past 15 years and has lectured frequently on matters concerning digital evidence and the law. X1 (www.x1.com) offers next generation search, investigation and eDiscovery software including X1 Social Discovery, the leading social media and internet investigation solution, and X1 Distributed Discovery, a revolutionary enterprise eDiscovery search and collection platform.

Leave a Comment