Authentication of Digital Evidence in Illinois Family Court (2025 Guide)

Authentication Of Digital Evidence

Illinois Family Court Practice Guide Illinois Rules of Evidence 901, 902, 803(6), and 1002 December 2024

Part I: Authentication Fundamentals

Illinois Rule of Evidence 901(a): General Requirement The foundational rule for authenticating any evidence in Illinois is Rule 901(a), which states: "The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims." Ill. R. Evid. 901(a). This standard is intentionally modest—a "prima facie" showing suffices. The proponent need only present enough evidence for a reasonable juror to conclude that the evidence is genuine. The ultimate determination of authenticity is left to the trier of fact. See People v. Downin, 828 N.E.2d 341 (Ill. App. Ct. 3d Dist. 2005) ("A finding of authentication is merely a finding that there is sufficient evidence to justify presentation of the offered evidence to the trier of fact and does not preclude the opponent from contesting the genuineness of the writing after the basic authentication requirements are satisfied."). Illinois Rule of Evidence 901(b): Methods of Authentication Rule 901(b) provides a non-exhaustive list of ten methods for authenticating evidence. The most relevant for digital evidence include:

• Rule 901(b)(1) — Testimony of Witness with Knowledge: A witness who can testify that a matter is what it is claimed to be. For digital evidence, this may be the person who sent or received the message, created the file, or observed the screen.
• Rule 901(b)(4) — Distinctive Characteristics: "Appearance, contents, substance, internal patterns, or other distinctive characteristics, taken in conjunction with circumstances." This provision allows circumstantial authentication through speech patterns, personal knowledge, references to known events, and metadata.
• Rule 901(b)(7) — Public Records: Evidence that a writing authorized by law to be recorded or filed has been recorded or filed in a public office.
• Rule 901(b)(9) — Process or System: Evidence describing a process or system used to produce a result and showing that the process produces an accurate result.

Self-Authenticating Evidence Under Rule 902 Illinois Rule of Evidence 902 establishes categories of evidence that are "self-authenticating"—requiring no extrinsic evidence of authenticity. Key provisions for digital evidence include:

• Rule 902(11) — Certified Domestic Records of Regularly Conducted Activity: Business records accompanied by a written certification from a custodian or qualified person attesting that the record (A) was made at or near the time of the occurrence, (B) was kept in the regular course of business, and (C) was made as a regular practice of that business.
• Rule 902(13) — Certified Records Generated by Electronic Process or System: (Effective September 28, 2018) A record generated by an electronic process or system that produces an accurate result, as shown by certification of a qualified person.
• Rule 902(14) — Certified Data Copied from Electronic Device: (Effective September 28, 2018) Data copied from an electronic device, storage medium, or file, authenticated by a process of digital identification (such as hash value verification), as shown by certification of a qualified person.

Practice Note: Under Rule 902(11), the party intending to offer a record must provide written notice of intent to all adverse parties and make the record and certification available for inspection sufficiently in advance of trial to provide a fair opportunity to challenge them.

Part Ii: Text Message Authentication

The Governing Standard Illinois courts analyze text message authenticity under the same standards as traditional documents. See People v. Chromik, 408 Ill. App. 3d 1028 (3d Dist. 2011) (holding that documentary evidence including text messages may be authenticated by either direct or circumstantial evidence). The Reply Doctrine The reply doctrine provides that when a message is sent to a person and a response is received that appears contextually related to the original message, the response may be presumed authentic. The doctrine creates circumstantial evidence of authorship based on:

• The timing of the response relative to the original message
• References to specific content from the original message
• Continuation of the same subject matter or conversation
• Use of the same phone number or messaging account

See People v. Downin, 357 Ill. App. 3d 193 (3d Dist. 2005) (authenticating emails through evidence of "recurring exchanges" containing "private information between identifiable parties who later acted in furtherance of the messages"). Circumstantial Authentication Methods People v. Hauck, 2022 IL App (2d) 191111, clarified that text messages "may be authenticated by circumstantial evidence" including:

• Content-Based Factors: Information that would be known only by the alleged author or a small group including the author
• Distinctive Characteristics: Appearance, contents, substance, internal patterns, spelling/grammar patterns, pet names, inside references
• Corroborating Phone Records: Carrier records showing the correct phone number, date, and time matching the text transcripts
• Subsequent Conduct: Actions taken by the parties consistent with the messages
• Metadata: Date/time stamps, phone numbers, device identifiers

Screenshots vs. Native Format The Problem with Screenshots: Screenshots are easily manipulated using readily available software. While not per se inadmissible, courts and opposing counsel increasingly challenge screenshot authenticity. Best Practices:

• Native format exports: Use iPhone backup files (iTunes), Android backup utilities, or forensic extraction tools
• Carrier records: Subpoena call detail records (CDRs) from AT&T, Verizon, T-Mobile showing message timestamps
• Forensic extraction: Cellebrite UFED or similar tools create forensically sound copies with hash verification
• Complete threads: Produce entire conversation threads, not cherry-picked messages (see Ill. R. Evid. 106)

Sample Foundation Questions — Text Messages

• Q: I'm showing you what has been marked as Petitioner's Exhibit 3. Do you recognize what this is?
• Q: How do you recognize this document?
• Q: What phone number is shown sending the messages marked with the blue bubbles [or green bubbles for Android]?
• Q: Whose phone number is [XXX-XXX-XXXX]?
• Q: How do you know that phone number belongs to [Respondent]?
• Q: Did you participate in this text message exchange?
• Q: Does this exhibit accurately reflect the text message conversation you had with [Respondent]?
• Q: Has this exhibit been altered or modified in any way from the original text conversation?

Part Iii: Social Media Evidence

The Illinois Standard: People v. Kent People v. Kent, 2017 IL App (2d) 140917, is the seminal Illinois case on social media authentication. The Second District reversed a first-degree murder conviction because a Facebook post was admitted without proper authentication, holding:

• A photograph resembling the defendant and a name similar to his alias was insufficient to authenticate the post
• Creating a fictitious account and masquerading under another's name is easy on social media
• "Something more" is required beyond a name and photograph to link the post to its purported author

Key Holding: "The authentication of social media poses unique issues regarding what is required to make a prima facie showing that the matter is what the proponent claims." Kent at ¶ 105 (quoting Smith v. State, 136 So.3d 424 (Miss. 2014)). What "Something More" Means The Kent court suggested evidence that would have been sufficient:

• Facebook records establishing that the post originated from an IP address belonging to the defendant or someone close to him
• Evidence linking the alias "Santos" to the defendant
• Testimony from someone who witnessed the defendant post the content
• References to private matters only the defendant would know

Platform-Specific Considerations Facebook & Instagram (Meta Platforms)

• Authentication by custodian certification: Meta provides certified records under Rule 902(11) upon receipt of valid legal process
• Available records: Basic subscriber information (name, email, phone), IP logs, login/logout timestamps, account creation date
• Content limitations: Under the Stored Communications Act (18 U.S.C. § 2701 et seq.), Meta cannot produce message contents pursuant to civil subpoena—must obtain from the party directly

TikTok

• Videos include metadata such as upload date, account information, and engagement metrics
• Accounts can be tied to phone numbers or email addresses
• Preservation demands should be sent immediately given ephemeral nature of content

Snapchat

• Most challenging platform: Content designed to disappear
• Snap may retain some data including account information, logs of Snaps sent (not content), and location data
• Screenshots taken by recipients may be authenticated through recipient testimony

Sample Foundation Questions — Social Media

• Q: Are you familiar with [Respondent's] Facebook/Instagram account?
• Q: How did you come to be familiar with it?
• Q: What is the profile name or username on that account?
• Q: I'm showing you Petitioner's Exhibit 5. Do you recognize what this is?
• Q: What about this post tells you it came from [Respondent's] account?
• Q: Is the profile photograph shown in this exhibit consistent with [Respondent's] appearance?
• Q: Are there any references in this post to matters that [Respondent] would have personal knowledge of?
• Q: Have you observed [Respondent] use this account or reference posts from this account?

For certified platform records:

• Q: Your Honor, I offer Petitioner's Exhibit 6, certified records from Meta Platforms pursuant to Illinois Rule of Evidence 902(11), with the accompanying certification.

Part Iv: Email Authentication

The Illinois Rule: No Authentication by Production Unlike some jurisdictions, Illinois does not recognize "authentication by production"—emails produced in discovery are not automatically deemed authentic. See Complete Conference Coordinators, Inc. v. Kumon North America, Inc., 394 Ill. App. 3d 105 (2d Dist. 2009). Emails must be authenticated through the same methods as traditional documents. Methods of Email Authentication

• Direct testimony: Witness testifies they sent or received the email, or observed another person do so
• Reply doctrine: Email received in reply to one sent to a known address of the purported author
• Distinctive characteristics: Content references private matters, uses known email address, signature blocks, writing style
• Headers and metadata: Full email headers showing routing information, timestamps, server paths
• Admission by party: Opposing party admits sending or receiving the email (Request to Admit under Ill. S. Ct. R. 216(b))

Email Headers and Metadata Full email headers contain critical authentication information:

• Return-Path/From: The sender's email address (can be spoofed but relevant)
• Received headers: Chain of servers the email passed through (bottom to top chronologically)
• Message-ID: Unique identifier assigned by the sending mail server
• DKIM-Signature: Digital signature verifying the email's origin and integrity
• X-Originating-IP: IP address of the sender's device

Practice Tip: Request production of emails in native format (.eml or .msg files) rather than PDFs to preserve all metadata and headers. Chain of Custody Considerations When producing emails as evidence, be prepared to establish:

• How the email was preserved (screenshot, export, forensic imaging)
• When the preservation occurred relative to the events at issue
• Who had access to the email account or files
• Whether any modifications were made to the preserved copy

Part V: The "I Didn'T Send That" Defense

Common Defense Theories

• Account hacking: "Someone gained unauthorized access to my account"
• Device access: "Someone else used my phone/computer"
• Fabrication: "The screenshot was manipulated or entirely fabricated"
• Impersonation: "Someone created a fake account using my name/photo"

How to Defeat These Defenses

• Obtain IP address logs: Subpoena platform/provider records showing login locations and times. Cross-reference with known locations of the party.
• Look for corroborating communications: Messages on multiple platforms containing similar content reduce the likelihood of hacking/fabrication.
• Examine distinctive characteristics: Spelling patterns, pet names, inside jokes, references to private matters only the alleged author would know.
• Subsequent conduct: Did the party act consistently with the messages? (e.g., showed up at time/place mentioned, made referenced purchases)
• No contemporaneous hacking report: If the party claims hacking, did they report it at the time? Change passwords? Contact the platform?
• Forensic analysis: Retain a digital forensics expert to examine the device or analyze metadata for signs of manipulation.

Remember: "Once the document is admitted, the ultimate issue of authorship is left to the trier of fact to determine." People v. Fillyaw, 123 N.E.3d 113 (Ill. App. Ct. 2d Dist. 2018). The defense can challenge authenticity after admission—this goes to weight, not admissibility.

Part Vi: Video And Audio Evidence

Illinois Eavesdropping Law Critical Threshold Issue: Illinois is an all-party consent state for audio recordings. Under 720 ILCS 5/14-2, recording a private conversation without the consent of all parties is a felony. However, effective January 1, 2015, the statute was amended to permit recording of conversations when:

• The recording is made openly and with the knowledge of all parties (no concealment)
• The recording is made by a party to the conversation
• The conversation is not private (in a public place with no reasonable expectation of privacy)

Practice Note: Recordings made in violation of the eavesdropping statute may be inadmissible AND subject the recording party to criminal prosecution. Screen record only your own side of conversations unless all parties consent or there is no reasonable expectation of privacy. Ring Doorbell and Home Security Footage Home security footage is generally admissible when properly authenticated. Key considerations:

• No expectation of privacy: Video recording of public areas (sidewalks, driveways, front doors) does not implicate privacy concerns
• Audio component: Many doorbell cameras record audio—may implicate eavesdropping concerns for private conversations
• Timestamp verification: Ensure camera clock was accurate; corroborate with other time-stamped evidence if possible
• Chain of custody: Document how footage was downloaded, stored, and whether it has been edited

Voicemail Authentication Voicemails may be authenticated through:

• Voice identification: Witness who knows the speaker can identify their voice (Ill. R. Evid. 901(b)(5))
• Caller ID/phone records: Records showing the call came from the speaker's known phone number
• Content: References to matters only the speaker would know
• Context: Left in response to a prior communication to the speaker

Sample Foundation Questions — Video Evidence

• Q: Do you have a home security camera system at your residence?
• Q: What type of camera system do you have?
• Q: Where is the camera positioned?
• Q: Was the camera recording on [date]?
• Q: I'm showing you Petitioner's Exhibit 8. Do you recognize what this is?
• Q: Does this video accurately depict what was recorded by your camera on [date]?
• Q: Was this video edited, altered, or modified in any way from the original recording?
• Q: Was the clock on your camera system accurate on [date]?

Part Vii: Business Records & Financial Documents

Illinois Rule 803(6): Records of Regularly Conducted Activity The business records exception permits admission of records kept in the regular course of business. Under Illinois Rule 803(6), a record is admissible if:

• Made at or near the time of the event recorded
• Made by, or from information transmitted by, a person with knowledge
• Kept in the course of a regularly conducted business activity
• Making such records is a regular practice of that activity
• The source or method of preparation does not indicate lack of trustworthiness

Who Can Lay Foundation? The author of the record need not testify. "Anyone familiar with the business and its procedures may testify about how the business record was prepared." In re V.T., 306 Ill. App. 3d 817, 820 (1999). Under Illinois Rule 902(11), no live testimony is required—a written certification from a custodian or qualified person is sufficient. See People v. Hauck, 2022 IL App (2d) 191111, ¶ 47 ("The purpose of Rule 902(11) is to provide an alternative means of establishing a proper foundation for business records, without the need for a representative of the business to testify in court."). Bank and Financial Records Bank records are paradigmatic business records. Courts have recognized that "foundation for admissibility may at times be predicated on judicial notice of the nature of the business and the nature of the records... particularly in the case of bank and similar statements." Key Holding for Successor/Assignee Records: "When business records pass from a predecessor entity to a successor entity under a merger or receivership, the successor entity is able to authenticate the business records of its predecessor." A bank need not have a witness with personal knowledge of the predecessor's record-keeping—the bank's reliance on such records renders them equivalent to its own. Sample Foundation Questions — Bank Records

• Q: I'm showing you Petitioner's Exhibit 10. Do you recognize these documents?
• Q: What are they?
• Q: Are these records kept by [bank name] in the ordinary course of its business?
• Q: Is it the regular practice of [bank name] to maintain these types of records?
• Q: Are these records made at or near the time of the transactions they reflect?
• Q: Are these records made by persons with knowledge of the transactions?

Alternative (with certification): Q: Your Honor, I offer Petitioner's Exhibit 10, bank records from [institution], accompanied by the Certificate of Authenticity of Business Records pursuant to Illinois Supreme Court Rule 236 and Illinois Rules of Evidence 803(6) and 902(11).

Part Viii: Cell Phone Forensics And Extraction Reports

Types of Forensic Extractions

• Logical extraction: Copies data accessible through the device's operating system (contacts, call logs, texts, photos)
• File system extraction: Copies the entire file system including some deleted data
• Physical extraction: Bit-by-bit copy of the device's storage, including deleted and hidden data
• JTAG/Chip-off: Direct reading of memory chips; most complete but may destroy device

Cellebrite and Similar Tools Cellebrite UFED is the industry-standard tool for mobile device forensics. In United States v. Williams, 83 F.4th 994 (5th Cir. 2023), the Fifth Circuit held that testimony about Cellebrite extractions does not require expert qualification: "Operating a Cellebrite device and understanding its report require knowledge in the realm of a reasonably tech-savvy lay person... Without a showing of specialized knowledge, the mere use and understanding of a Cellebrite extract at trial is insufficient to require an expert." Caveat: "There are cases in which the collection of digital data would require testimony due, for example, to the sophisticated nature of the particular forensic analysis or the equipment deployed, or the technical nature of the testimony." Complex analyses may still require expert testimony. Hash Values and Data Integrity A hash value is a unique digital "fingerprint" generated by a mathematical algorithm based on the contents of a file or drive. If two files have identical hash values, they are exact copies. Federal Rules 902(13) and (14) (mirrored in Illinois) permit self-authentication of electronic data through certification of hash value verification. Common hash algorithms: MD5, SHA-1, SHA-256. Forensic reports should document the hash values of both the source device/file and the extracted copy.

Part Ix: The Best Evidence Rule And Electronic Documents

Illinois Rule 1002: Requirement of Original "To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by statute." Ill. R. Evid. 1002. What Constitutes an "Original" for Electronic Documents? Under Illinois Rule 1001(d): "For electronically stored information, 'original' means any printout—or other output readable by sight—if it accurately reflects the information." Practical effect: A printed email, screenshot of a text message, or PDF of a social media post can all be "originals" if they accurately reflect the underlying data. This reflects the reality that electronic documents exist as data, not physical objects. Duplicates Under Rule 1003 "A duplicate is admissible to the same extent as the original unless a genuine question is raised as to the authenticity of the original or, in the circumstances, it would be unfair to admit the duplicate in lieu of the original." Ill. R. Evid. 1003. Rule 106: Completeness "When a writing or recorded statement or part thereof is introduced by a party, an adverse party may require the introduction at that time of any other part or any other writing or recorded statement which ought in fairness to be considered contemporaneously with it." Ill. R. Evid. 106. Practice tip: When opposing counsel introduces only part of an email thread or text conversation, invoke Rule 106 to require production of the complete exchange.

Part X: Subpoenaing Records From Tech Platforms

The Stored Communications Act Barrier The federal Stored Communications Act (18 U.S.C. § 2701 et seq.) generally prohibits electronic communication service providers from disclosing the contents of stored communications to third parties. This means:

• Civil subpoenas cannot compel production of message contents from Meta, Google, Apple, or similar providers
• Platforms will produce only non-content data (subscriber information, login records, IP logs) pursuant to civil process
• Content must be obtained from the account holder directly through discovery

What You CAN Obtain Directly from Platforms Meta (Facebook/Instagram): With valid legal process—name, length of service, email, phone number, login/logout IP addresses, credit card info Google: Basic subscriber information, account creation date, IP logs (but not email contents) Apple: Device registration, iCloud subscriber info, connection logs Cell carriers (Verizon, AT&T, T-Mobile): Call detail records, cell tower data, text message logs (times/numbers, typically not content) Obtaining Content from the Party Since platforms cannot produce content to civil litigants, use these discovery methods:

• Requests for Production: Request the party produce all messages, posts, and content from specified accounts and date ranges
• Data download instruction: Instruct party to use platform's "Download Your Information" tool (available on Facebook, Google, Instagram) and produce the resulting archive
• Authorization/consent: Obtain signed authorization permitting direct subpoena to the platform with the party's consent
• Court order: Seek court order compelling party to consent to production or to produce content directly

Preservation Demands Most platforms will preserve data pending legal proceedings upon receipt of a proper preservation request:

• Meta: Preserves for 90 days, renewable, through Law Enforcement Online Request System
• Google: Accepts preservation requests via its Legal Investigations Support portal

Important: Send preservation demands immediately upon learning of potentially relevant digital evidence. Content may be deleted or accounts deactivated.

Part Xi: Common Objections And How To Overcome Them

"Objection: Lack of Authentication" Response: "Your Honor, the witness has testified that [she recognizes this as a text message conversation she had with Respondent / the phone number shown belongs to Respondent / the content references private matters only Respondent would know]. Under Illinois Rule of Evidence 901(a), this is sufficient to support a finding that the exhibit is what it purports to be. The ultimate question of authenticity is for the trier of fact." "Objection: Hearsay" Response options:

• Admission by party-opponent: "The statement is offered against Respondent and was made by Respondent. It is not hearsay under Rule 801(d)(2)(A)."
• Not for truth: "The statement is not offered for the truth of the matter asserted, but to show [Respondent's state of mind / notice / effect on listener]."
• Present sense impression: "The message describes an event and was sent immediately after—it's a present sense impression under Rule 803(1)."
• Then-existing state of mind: "The statement shows Respondent's then-existing intent/plan/emotional condition under Rule 803(3)."

"Objection: Best Evidence Rule" Response: "Under Illinois Rule of Evidence 1001(d), for electronically stored information, an 'original' includes any printout or output readable by sight if it accurately reflects the information. This [printout/screenshot] accurately reflects the electronic data and is an original under the rule." "Objection: Foundation — Anyone Could Have Sent This" Response: "Your Honor, the possibility that someone else might have sent this message goes to weight, not admissibility. The witness has identified sufficient distinctive characteristics—[the phone number, content, writing style, references to private matters]—to support a prima facie finding of authenticity under Rule 901. Respondent is free to challenge authorship through cross-examination or evidence." "Objection: This Screenshot Could Have Been Manipulated" Response: "Your Honor, the mere possibility of alteration does not bar admission. The standard is whether there is sufficient evidence to support a finding of authenticity—not certainty. The witness has testified this accurately depicts the messages as they appeared on the device. Opposing counsel has presented no specific evidence of manipulation, only speculation. The question of whether the exhibit is genuine is for the trier of fact."

Part Xii: Demonstrative Vs. Substantive Evidence

The Distinction

• Substantive evidence: Evidence offered to prove a fact at issue; admitted as an exhibit; goes to the jury
• Demonstrative evidence: Visual aids to assist the trier of fact in understanding testimony; typically not admitted as exhibits; does not go to jury

Application to Digital Evidence

• Substantive: The actual text messages, emails, or social media posts—offered to prove what was communicated
• Demonstrative: A timeline chart summarizing messages, a map showing cell tower locations, an annotated screenshot highlighting key portions

Practice tip: If opposing counsel objects to foundation for your entire exhibit, consider offering the underlying data as substantive evidence and using clean visual aids as demonstratives to explain it.

Part Xiii: Key Illinois Cases (2017-2024)

Social Media Authentication People v. Kent, 2017 IL App (2d) 140917: Seminal case requiring "something more" than name and photograph to authenticate social media posts. Reversed murder conviction due to improperly admitted Facebook post. Court emphasized risk of false attribution in social media context. People v. Maya, 88 N.E.3d 10 (Ill. App. Ct. 2017): Discussed circumstantial authentication of social media through distinctive characteristics and corroborating evidence. People v. Curry, 2020 IL App (2d) 180148: Illinois courts willing to consider Facebook records as self-authenticating under amended Rule 902, but relevance still required. Text Messages and Emails People v. Chromik, 408 Ill. App. 3d 1028 (3d Dist. 2011): Text messages analyzed under same standards as traditional documents; circumstantial evidence including carrier records and content sufficient for authentication. People v. Hauck, 2022 IL App (2d) 191111: Affirmed that text messages "may be authenticated by circumstantial evidence." Clarified Rule 902(11) provides alternative foundation for business records without live testimony. People v. Fillyaw, 123 N.E.3d 113 (Ill. App. Ct. 2d Dist. 2018): "Once the document is admitted, the ultimate issue of authorship is left to the trier of fact to determine." Business Records and Computer-Generated Evidence Complete Conference Coordinators, Inc. v. Kumon North America, Inc., 394 Ill. App. 3d 105 (2d Dist. 2009): Illinois does not recognize "authentication by production"—emails produced in discovery must still be authenticated. People v. Downin, 357 Ill. App. 3d 193 (3d Dist. 2005): Emails authenticated through recurring exchanges containing private information between identifiable parties. Preski v. Warchol: Clarified that many courts incorrectly read limitations into Rule 236 (business records) that are not in the text of the rule.

Summary: Essential Foundation Checklist

For ANY digital evidence:

• Establish witness has personal knowledge (sent, received, observed, or is familiar with)
• Identify the account/phone number and link it to the purported author
• Establish distinctive characteristics (content, style, private references)
• Confirm accurate depiction (not altered, edited, or manipulated)
• Address hearsay (admission by party-opponent, not for truth, or applicable exception)

For business records:

• Made at or near time of event
• Made by person with knowledge
• Kept in regular course of business
• Regular practice to make such records
• OR: certified under Rule 902(11)

For platform records:

• Obtain certification from custodian under Rule 902(11)
• Provide advance notice to opposing party
• Make records available for inspection
• Independently establish relevance and address hearsay

* * * This guide is intended as a practice resource and does not constitute legal advice.

Written by Jonathan D. Steele

Chicago divorce attorney with cybersecurity certifications (Security+, ISC2 CC, Google Cybersecurity Professional Certificate). Illinois Super Lawyers Rising Star 2016-2025.

Free Consultation

For more insights, read our Divorce Decoded blog.