9.1 Authorization and Preparation
Before approaching digital evidence there are several things to consider. One should be certain that the search is not going to violate any laws or give rise to liability. As noted in Chapter 3, there are strict privacy laws protecting certain forms of digital evidence like stored e-mail. Unlike the Fourth Amendment, which only applies to the government, privacy laws such as the ECPA also apply to non-government individuals and organizations. If these laws are violated, the evidence can be severely weakened or even suppressed.
Computer security professionals should obtain instructions and written authorization from their attorneys before gathering digital evidence relating to an investigation within their organization. An organization's policy largely determines whether the employer can search its employees' computers, e-mail, and other data. However, a search warrant is usually required to access areas that an employee would consider personal or private unless the employee consents. There are some circumstances that permit warrantless searches in a workplace, but corporate security professionals are best advised to leave this determination to their attorneys. If a search warrant is required to search an employee's computer and related data, it may be permissible to seize the computer and secure it from alteration until the police arrive.
As a rule, law enforcement should obtain a search warrant if there is a possibility that the evidence to be seized requires a search warrant. Although obtaining a search warrant can be time consuming, the effort is well spent if it avoids the consequences of not having a warrant when one is required. Sample language for search warrants and affidavits relating to computers is provided in the United States Department of Justice's (USDOJ) search and seizure manual to assist in this process. However, competent legal advice should be sought to address specifics of a case and to ensure that nuances of the law are considered.
For a search warrant to be valid, it must both particularly describe the property to be seized and establish probable cause for seizing the property. Although some attempt should be made to describe each source of digital evidence that might be encountered, it is generally recommended to use language that is defined in the relevant statutes of the jurisdiction. For example, sample language to describe a search in Connecticut for digital evidence related to a financial crime is provided here. This example is only provided to demonstrate the use of terms defined in Connecticut General Statutes (C.G.S.) and is not intended as legal advice.
A "computer system" (as defined by C.G.S. §53a-250(7)) that may have been used to "access" (as defined by C.G.S. §53a-250(1)) "data" (as defined by C.G.S. §53a-250(8)) relating to the production of financial documents; computer related documentation, whether in written or data form; other items related to the storage of financial documents; records and data for the creation of financial documents; any passwords used to restrict access to the computer system or data and any other items related to the production of fraudulent documents; to seize said items and transport the computer system, computer system documentation and data to the State Police Computer Crimes and Electronic Evidence Unit for forensic examination and review. The forensic examination will include making true copies of the data and examining the contents of files. (Mattei et al. 2000)
Digital investigators are generally authorized to collect and examine only what is directly pertinent to the investigation, as established by the probable cause in an affidavit. Even in the simple case of a personal computer, digital investigators have been faulted for searches of a hard drive that exceeded the scope of a warrant.
CASE EXAMPLE (UNITED STATES v. CAREY 1998):
Although investigators may seize additional material under the "plain view" exception to search warrant requirements, it is not always clear what "plain view" means when dealing with computers. This is demonstrated in the precedent-setting case of United States v. Carey, which has made digital investigators more cautious in their search methods.
Mr Carey had been under investigation for some time for possible sale and possession of cocaine. Controlled buys had been made from him at his residence, and six weeks after the last purchase, police obtained a warrant to arrest him. During the course of the arrest, officers observed in plain view a "bong," a device for smoking marijuana, and what appeared to be marijuana in defendant's apartment.
Alerted by these items, a police officer asked Mr Carey to consent to a search of his apartment. The officer said he would get a search warrant if Mr Carey refused permission. After considerable discussion with the officer, Mr Carey verbally consented to the search and later signed a formal written consent at the police station ...
Armed with this consent, the officers returned to the apartment that night and discovered quantities of cocaine, marijuana, and hallucinogenic mushrooms. They also discovered and took two computers, which they believed would either be subject to forfeiture or evidence of drug dealing. (United States v. Carey 1998)
Investigators obtained a warrant that authorized them to search the files on the computers for "names, telephone numbers, ledger receipts, addresses, and other documentary evidence pertaining to the sale and distribution of controlled substances." However, during the examination of the computer investigators found files with sexually suggestive titles and the label ".jpg" that contained child pornography. At this stage, the detective temporarily abandoned his search for evidence pertaining to the sale and distribution of controlled substances to look for more child pornography, and only "went back" to searching for drug-related documents after conducting a five-hour search of the child pornography files. Mr Carey was eventually charged with one count of child pornography.
On appeal, Carey argued that the child pornography was inadmissible because it was obtained as the result of a general, warrantless search. The government argued that the warrant authorized the detective to search any file on the computer because any file might have contained information relating to drug crimes, and claimed that the child pornography came into plain view during this search. The court concluded that the investigators exceeded the scope of the warrant and reversed Carey's conviction, noting that the Supreme Court has instructed, "the plain view doctrine may not be used to extend a general exploratory search from one object to another until something incriminating at last emerges."
The main issue in this case was that the investigator acknowledged abandoning his authorized search and did not obtain a new warrant before conducting a new search for additional child pornography.
The issue of broad versus narrow searches becomes even more problematic when dealing with the multi-user systems that many organizations have come to rely on. These systems may contain information belonging to and relating to individuals who are not involved with the crime that is under investigation. To address these concerns, courts are becoming more restrictive and are putting time constraints on the examination, acknowledging that the bulk of information on a hard disk may have no bearing on a case and that businesses rely on these systems.
When creating an affidavit for a search warrant, it is recommended to describe how the search will be conducted. For instance, if hardware is going to be seized, this should be noted, and the affidavit should explain why an offsite examination is necessary, to protect against later criticism that taking the hardware was unauthorized. Also, when possible, the affidavit should detail how the digital evidence examination will be performed. As stated in the USDOJ Manual, "[w]hen the agents have a factual basis for believing that they can locate the evidence using a specific set of techniques, the affidavit should explain the techniques that the agents plan to use to distinguish incriminating documents from commingled documents."
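The kind of technique the USDOJ manual asks an affidavit to describe can be illustrated with a small scope-limited search tool. The Python below is an added example, not code from this book, the USDOJ manual, or any agency; the SearchScope and Examination classes, the keyword list, and the sample "seized" files are all constructed for illustration. It opens only file types named in the (hypothetical) warrant language, searches only for the terms tied to the affidavit's probable cause, records anything outside scope by hash without searching or rendering it, and writes an audit entry for every item touched, so the examiner can later show that the search stayed within its authorization.

```python
"""Scope-limited keyword examination with an audit trail (added illustration).

Not code from the book or the USDOJ manual. SearchScope, Examination,
the sample files and the keyword list are constructed for this example.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class SearchScope:
    """The scope as it would be described in the affidavit (hypothetical values)."""
    authorized_extensions: frozenset   # file types the warrant language covers
    keywords: tuple                    # terms tied to the stated probable cause
    examiner: str


@dataclass
class AuditEntry:
    timestamp: str
    examiner: str
    path: str
    sha256: str
    action: str      # "examined", "hit" or "deferred"
    note: str


@dataclass
class Examination:
    scope: SearchScope
    log: list = field(default_factory=list)

    def _record(self, path, data, action, note):
        # Every touched item is hashed and logged, whether or not it was opened.
        self.log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            examiner=self.scope.examiner,
            path=path,
            sha256=hashlib.sha256(data).hexdigest(),
            action=action,
            note=note,
        ))

    def run(self, files):
        """files: {path: bytes}. Returns (hits, deferred), each in path order."""
        hits, deferred = [], []
        for path in sorted(files):
            data = files[path]
            ext = os.path.splitext(path)[1].lower()
            if ext not in self.scope.authorized_extensions:
                # Outside the warrant: record its existence for the inventory
                # but do not search or render its contents. Looking inside it
                # would need separate authorization.
                self._record(path, data, "deferred",
                             f"type {ext or '(none)'} not covered by warrant")
                deferred.append(path)
                continue
            text = data.decode("utf-8", errors="replace")
            matched = [kw for kw in self.scope.keywords
                       if re.search(re.escape(kw), text, re.IGNORECASE)]
            if matched:
                self._record(path, data, "hit", "matched: " + ", ".join(matched))
                hits.append(path)
            else:
                self._record(path, data, "examined", "no authorized terms found")
        return hits, deferred


# Constructed sample "seized" files; names and contents are invented.
SAMPLE_FILES = {
    "invoices.txt": b"Invoice 1187: wire transfer to account 4471, USD 12,500",
    "memo.txt": b"Reminder: move funds from the holding account before Friday",
    "notes.txt": b"grocery list: milk, eggs, bread",
    "photo.jpg": b"\xff\xd8\xff\xe0 constructed JPEG header bytes",
}

# Hypothetical scope: the warrant covers text documents and three search terms.
SAMPLE_SCOPE = SearchScope(
    authorized_extensions=frozenset({".txt"}),
    keywords=("invoice", "wire transfer", "account"),
    examiner="examiner-placeholder",
)


def run_sample():
    """Run the constructed scope over the constructed files."""
    exam = Examination(SAMPLE_SCOPE)
    hits, deferred = exam.run(SAMPLE_FILES)
    return hits, deferred, exam.log


if __name__ == "__main__":
    hits, deferred, log = run_sample()
    for entry in log:
        print(f"{entry.timestamp} {entry.action:<8} {entry.path:<13} "
              f"{entry.sha256[:12]} {entry.note}")
    print("within-scope hits:", hits)
    print("deferred pending further authorization:", deferred)
```

The deferred list is the point that matters for the Carey discussion above: an item the warrant does not cover (the .jpg here) is inventoried and its hash recorded, and the log shows that the examiner stopped there rather than continuing into it, which is the documented moment at which fresh authorization would be sought.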
Planning is especially important in cases that involve computers. Whenever possible, while generating a search warrant, the search site should be researched to determine what computer equipment to expect, what the systems are used for, and if a network is involved. If the computers are used for business purposes or to produce publications, this will influence the authorization and seizure process. Also, without this information, it is difficult to know what expertise and evidence collection tools are required for the search. If a computer is to be examined on-site, it will be necessary to know which operating system the computer is running (e.g. Mac OS, UNIX, Windows). It will also be necessary to know if there is a network involved and if the cooperation of someone who is intimately familiar with the computers will be required to perform the search.
Before the search begins, the search leader should prepare a detailed plan for documenting and preserving electronic evidence, and should take time to brief the entire search team carefully to protect both the identity and integrity of all the data. At the scene, agents must remember to collect traditional types of evidence (e.g. latent fingerprints off the keyboard) before touching anything. (USDOJ 1994)
If the assistance of system administrators or other individuals who are familiar with the system to be searched is required, they should be included in a pre-search briefing. They might be able to point out oversights or potential pitfalls. One person should be designated to take charge of all evidence to simplify the chain of custody. Such coordination is especially valuable when dealing with large volumes of data in various locations, ensuring that important items are not missed. In situations where there is only one chance to collect digital evidence, the process should be practised beforehand under similar conditions to become comfortable with it.
A final preparatory consideration is proper equipment. Most plans and procedures will fail if adequate acquisition systems and storage capacity are not provided.