How to Authenticate Digital Evidence Under FRE 902(13): A Practical Guide for Litigators

Digital evidence is present in nearly every case that goes to trial. Body camera footage, surveillance video, audio recordings, photographs, electronic documents — all of it requires authentication before it can be admitted. For decades, this meant calling a foundation witness: someone with personal knowledge of the system that generated or stored the evidence, who could testify that the process was reliable and the output accurate.

That changed in 2017 when the Federal Rules of Evidence were amended to add Rules 902(13) and 902(14), creating a pathway for digital evidence to self-authenticate through written certification rather than live testimony.

Despite being available for nearly a decade, many practitioners still default to foundation witnesses — either because they're unfamiliar with the self-authentication process, or because they're uncertain about the requirements. This guide breaks down exactly how Rules 902(13) and 902(14) work, what the certification must contain, and how to implement a practical workflow that satisfies both rules.

What FRE 902(13) Actually Requires

Rule 902(13) covers records generated by an electronic process or system. The rule states that such records are self-authenticating if the proponent provides:

1. A written certification of a qualified person that describes the process or system used to generate the record and shows that the process or system produces an accurate result.
2. The certification must be provided to all parties in advance — at minimum, the notice period required by Rule 902(11) applies.

The certification is made under penalty of perjury consistent with 28 U.S.C. § 1746, which means the certifier is personally attesting to the accuracy of the described process. This carries the same legal weight as sworn testimony.

The phrase "a qualified person" does not require a forensic expert or system administrator. It means someone with sufficient knowledge of the electronic process to describe how it works and attest that it produces accurate results. In practice, this is often the person who uploaded or managed the evidence in the system, or someone from the platform provider who can describe the technical process.

What FRE 902(14) Adds: Hash Verification

Rule 902(14) specifically addresses copies of electronic data that have been verified through a hash value. If a copy of electronic data is verified by a process of digital identification (such as a SHA-256 hash), the proponent can authenticate the copy by providing a certification from a qualified person describing the hashing process and confirming the hash values match.

A SHA-256 hash is a mathematical fingerprint of a file at a specific moment. If the cryptographic hash of the file at the time of collection matches the hash of the file being introduced, the file has not been altered. SHA-256 has 2^256 possible outputs — the probability of two different files producing the same hash is effectively zero.

A copy of a video file can therefore be authenticated without anyone testifying about the original. The hash proves the copy is identical to the original, and the certification describes the process that generated and verified the hash.

The Certification: What Must It Contain

The written certification under Rules 902(13) and 902(14) must include several elements to satisfy both the rule and 28 U.S.C. § 1746:

Process description. A clear explanation of how the electronic system works — how files are uploaded, stored, and retrieved. For example: "Files uploaded to the system are stored in encrypted cloud storage. At the time of upload, the system computes a SHA-256 cryptographic hash of the file and records it in a tamper-evident log."

Accuracy attestation. A statement that the process produces accurate results. This is the core of the certification — the qualified person is personally attesting that the system does what it claims to do.

Integrity verification. For 902(14), the certification must describe the hash verification process and confirm that the hash values match. The specific hash algorithm should be identified (SHA-256 is the current standard; MD5 and SHA-1 are considered deprecated for forensic purposes).

Penalty of perjury language. The certification must include the declaration prescribed by 28 U.S.C. § 1746: "I declare under penalty of perjury that the foregoing is true and correct. Executed on [date]."

Chain of custody information. While not explicitly required by Rule 902(13), courts have consistently looked favorably on certifications that include access logs — who accessed the evidence, when, from what IP address, and what actions they took. This also addresses the authentication concern under Rule 901(b)(9), which allows authentication by evidence describing a process or system that produces an accurate result.

Where Lorraine v. Markel Changed Everything

The seminal case on digital evidence authentication is Lorraine v. Markel American Insurance Co. (D. Md. 2007), in which Magistrate Judge Paul Grimm wrote a 101-page opinion rejecting virtually all digital evidence offered by both parties because neither side properly authenticated it.

The opinion systematically analyzed every Federal Rule of Evidence applicable to electronic evidence and concluded that attorneys routinely fail to lay proper foundation. Judge Grimm's opinion became the roadmap for digital evidence authentication that practitioners still reference today.

Lorraine established that authentication of digital evidence requires affirmative proof that the evidence is what it purports to be. Producing a file and asserting it is authentic is insufficient. The proponent must establish the reliability of the system that generated or stored the evidence, and demonstrate that the specific file has not been altered since collection.

Rules 902(13) and 902(14), adopted a decade after Lorraine, directly address the authentication framework Judge Grimm described — but simplify the process by allowing written certification in lieu of live testimony.

Practical Implementation: A Step-by-Step Workflow

A 902(13)-compliant workflow breaks down into four stages:

Stage 1: Secure Upload with Hash Generation. When evidence is first collected or received, upload it to a system that computes a cryptographic hash (SHA-256) at the time of upload. This hash becomes the baseline — any future verification compares against this original hash. The system should record the timestamp of upload, the identity of the uploader, and the file metadata (name, size, type).

Stage 2: Controlled Access with Logging. Every access to the evidence should be logged with the identity of the person accessing it, the time of access, their IP address, and the nature of the access (view, download, share). This creates a complete chain of custody that satisfies both 902(13) and 901(b)(9). If anyone questions whether the evidence was altered, the access log documents every interaction.

Stage 3: Integrity Verification. Before the evidence is offered at trial or in a filing, compute the current hash and compare it against the original upload hash. Matching hashes confirm the file has not been modified. Document this verification in the certification.

Stage 4: Certification Generation. Prepare the written certification per 28 U.S.C. § 1746, describing the system, the hash verification, the access log, and the qualified person's attestation. Provide the certification and underlying records (hash values, access logs) to opposing counsel with sufficient advance notice as required by the rules.

Common Pitfalls

Waiting until trial to address authentication. The certification must be provided in advance. Attempting to authenticate digital evidence for the first time at trial risks exclusion and sanctions.

Using deprecated hash algorithms. MD5 and SHA-1 have known collision vulnerabilities. While courts have not universally rejected them, SHA-256 is the current standard and eliminates any argument about hash reliability.

Incomplete chain of custody. A certification that describes the upload and hash but cannot account for who accessed the evidence between upload and trial leaves a gap that opposing counsel will exploit. Every access should be logged.

Failure to preserve. Under FRCP 37(e), failure to take reasonable steps to preserve electronically stored information triggers sanctions ranging from adverse inference instructions to case-dispositive remedies. Zubulake v. UBS Warburg established the duty to preserve, and courts have only become stricter since. Body camera evidence presents a particularly acute version of this challenge — see our guide on body cam chain of custody for a practical workflow. Any evidence management system should include preservation capabilities — particularly litigation hold functionality that prevents deletion.

Not designating a qualified person. The certification requires a real person to sign under penalty of perjury. Automated certificates that lack a human certifier may be challenged. Identify the qualified person early — typically the attorney or paralegal who manages the evidence in the system.

The Cost of Getting It Wrong

Authentication failures carry documented financial consequences:

In Lorraine, all digital evidence was excluded because neither party authenticated it properly. In Zubulake v. UBS Warburg, failure to preserve electronic evidence resulted in a $29.3 million verdict with adverse inference instructions. In Allied Concrete Co. v. Lester, deletion of social media evidence resulted in $542,000 in sanctions plus $180,000 in attorney fees. In Guarisco v. Boh Bros., production of an altered photograph triggered sanctions.

Across these cases, the failure was not in the evidence itself but in the process — or lack of process — for managing, preserving, and authenticating it.

A single foundation witness costs $3,000 to $5,000 per appearance, and an authentication challenge can cost $2,000 to $10,000 in attorney time to defend. A systematic approach to 902(13) compliance eliminates these costs.

Conclusion

Rules 902(13) and 902(14) provide a clear pathway for authenticating digital evidence without live testimony. The requirements are straightforward: a reliable system, cryptographic hash verification, a documented chain of custody, and a written certification under penalty of perjury.

Practitioners who implement this workflow arrive at evidentiary hearings with pre-authenticated evidence, documented chain of custody, and cryptographically verifiable integrity. The rules have been available since 2017.