9.1 Authorization and Preparation

9.1 Authorization and Preparation

Before approaching digital evidence there are several things to consider. One should be certain that the search is not going to violate any laws or give rise to liability. As noted in Chapter 3, there are strict privacy laws protecting certain forms of digital evidence like stored e-mail. Unlike the Fourth Amendment, which only applies to the government, privacy laws such as the ECPA also apply to non-government individuals and organizations. If these laws are violated, the evidence can be severely weakened or even suppressed.

Computer security professionals should obtain instructions and written authorization from their attorneys before gathering digital evidence relating to an investigation within their organization. An organization's policy largely determines whether the employer can search its employees' computers, e-mail, and other data. However, a search warrant is usually required to access areas that an employee would consider personal or private unless the employee consents. There are some circumstances that permit warrantless searches in a workplace but corporate security professionals are best advised to leave this determination to their attorneys. If a search warrant is required to search an employee's computer and related data, it may be permissible to seize the computer and secure it from alteration until the police arrive.

As a rule, law enforcement should obtain a search warrant if there is a possibility that the evidence to be seized requires a search warrant. Although obtaining a search warrant can be time consuming, the effort is well spent if it avoids the consequences of not having a warrant when one is required. Sample language for search warrants and affidavits relating to computers is provided in the United States Department of Justice's (USDOJ) search and seizure manual to assist in this process. However, competent legal advice should be sought to address specifics of a case and to ensure that nuances of the law are considered.

For a search warrant to be valid, it must both particularly describe the property to be seized and establish probable cause for seizing the property. Although some attempt should be made to describe each source of digital evidence that might be encountered, it is generally recommended to use language that is defined in the relevant statutes of the jurisdiction. For example, sample language to describe a search in Connecticut for digital evidence related to a financial crime is provided here. This example is only provided to demonstrate the use of terms defined in Connecticut General Statutes (C.G.S.) and is not intended as legal advice.

A "computer system" (as defined by C.G.S. 53a-250(7)) that may have been used to "access" (as defined by C.G.S. 53a-250(1)) "data" (as defined by C.G.S. 53–250(8)) relating to the production of financial documents; computer related documentation, whether in written or data form; other items related to the storage of financial documents; records and data for the creation of financial documents; any passwords used to restrict access to the computer system or data and any other items related to the production of fraudulent documents; to seize said items and transport the computer system, computer system documentation and data to the State Police Computer Crimes and Electronic Evidence Unit for forensic examination and review. The forensic examination will include making true copies of the data and examining the contents of files. (Mattei et al. 2000)

Digital investigators are generally authorized to collect and examine only what is directly pertinent to the investigation, as established by the probable cause in an affidavit. Even in the simple case of a personal computer, digital investigators have been faulted for searches of a hard drive that exceeded the scope of a warrant.

CASE EXAMPLE (UNITED STATES v. CAREY 1998):

Although investigators may seize additional material under the "plain view" exception to search warrant requirements, it is not always clear what "plain view" means when dealing with computers. This is demonstrated in the precedent setting case of United States v. Carey that has made digital investigators more cautious in their search methods.

Mr Carey had been under investigation for some time for possible sale and possession of cocaine. Controlled buys had been made from him at his residence, and six weeks after the last purchase, police obtained a warrant to arrest him. During the course of the arrest, officers observed in plain view a "bong," a device for smoking marijuana, and what appeared to be marijuana in defendant's apartment.

Alerted by these items, a police officer asked Mr Carey to consent to a search of his apartment. The officer said he would get a search warrant if Mr Carey refused permission. After considerable discussion with the officer, Mr Carey verbally consented to the search and later signed a formal written consent at the police station ...

Armed with this consent, the officers returned to the apartment that night and discovered quantities of cocaine, marijuana, and hallucinogenic mushrooms. They also discovered and took two computers, which they believed would either be subject to forfeiture or evidence of drug dealing. (United States v. Carey 1998)

Investigators obtained a warrant that authorized them to search the files on the computers for "names, telephone numbers, ledger receipts, addresses, and other documentary evidence pertaining to the sale and distribution of controlled substances." However, during the examination of the computer investigators found files with sexually suggestive titles and the label ".jpg" that contained child pornography. At this stage, the detective temporarily abandoned his search for evidence pertaining to the sale and distribution of controlled substances to look for more child pornography, and only "went back" to searching for drug-related documents after conducting a five-hour search of the child pornography files. Mr Carey was eventually charged with one count of child pornography.

In appeal, Carey challenged that the child pornography was inadmissible because it was taken as the result of a general, warrantless search. The government argued the warrant authorized the detective to search any file on the computer because any file might have contained information relating to drug crimes and claimed that the child pornography came into plain view during this search. The court concluded that the investigators exceeded the scope of the warrant and reversed Carey's conviction, noting that the Supreme Court has instructed, "the plain view doctrine may not be used to extend a general exploratory search from one object to another until something incriminating at last emerges."

The main issue in this case was that the investigator acknowledged abandoning his authorized search and did not obtain a new warrant before conducting a new search for additional child pornography.

The issue of broad versus narrow searches becomes even more problematic when dealing with multi-user systems that many organizations have come to rely on. These systems may contain information belonging and relating to individuals who are not involved with the crime that is under investigation. To address these concerns, courts are becoming more restrictive and are putting time constraints on the examination, acknowledging that the bulk of information on a hard disk may have no bearing on a case and that businesses rely on these systems.

When creating an affidavit for a search warrant, it is recommended to describe how the search will be conducted. For instance, if hardware is going to be seized, this should be noted and explained why it is necessary to perform an offsite examination to protect against later criticisms that taking the hardware was unauthorized. Also, when possible, the affidavit should detail how the digital evidence examination will be performed. As stated in the USDOJ Manual, "[w]hen the agents have a factual basis for believing that they can locate the evidence using a specific set of techniques, the affidavit should explain the techniques that the agents plan to use to distinguish incriminating documents from commingled documents."

Planning is especially important in cases that involve computers. Whenever possible, while generating a search warrant, the search site should be researched to determine what computer equipment to expect, what the systems are used for, and if a network is involved. If the computers are used for business purposes or to produce publications, this will influence the authorization and seizure process. Also, without this information, it is difficult to know what expertise and evidence collection tools are required for the search. If a computer is to be examined on-site, it will be necessary to know which operating system the computer is running (e.g. Mac OS, UNIX, Windows). It will also be necessary to know if there is a network involved and if the cooperation of someone who is intimately familiar with the computers will be required to perform the search.

Before the search begins, the search leader should prepare a detailed plan for documenting and preserving electronic evidence, and should take time to brief carefully the entire search team to protect both the identity and integrity of all the data. At the scene, agents must remember to collect traditional types of evidence (e.g. latent fingerprints off the keyboard) before touching anything. (USDOJ 1994)

If the assistance of system administrators or other individuals who are familiar with the system to be searched is required, they should be included in a pre-search briefing. They might be able to point out oversights or potential pitfalls. One person should be designated to take charge of all evidence to simplify the chain of custody. Such coordination is especially valuable when dealing with large volumes of data in various locations, ensuring that important items are not missed. In situations where there is only one chance to collect digital evidence, the process should be practised beforehand under similar conditions to become comfortable with it.

A final preparatory consideration is proper equipment. Most plans and procedures will fail if adequate acquisition systems and storage capacity are not provided.