When an intrusion is detected, you must know to what lengths you can go to minimize the damage and also whether or not you can seize property. For example, let's say that you have determined that an employee has installed hacking tools on your network and has used them to hack into a business partner's network and steal passwords. Can you search his computer for evidence without a warrant? What about that JumpDrive he is carrying around his neck? Is it a work-related item or a personal item? These are the types of questions you'll need to answer before you act.
Employers can be either public or private. The distinction is important because government employers are bound by the Fourth Amendment, which is discussed in the next section. Despite laws, not everything that passes through the confines of a business door can be considered part of the workplace. For example, the contents of an employee's purse or briefcase maintain their private character even though the employee has brought them to work. Although circumstances might permit a supervisor to search in an employee's desk for a work-related file, a supervisor usually will have to stop at the employee's purse or briefcase.
When confronted with this issue, courts have analogized electronic storage devices to closed containers, and they have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers, they also generally retain a reasonable expectation of privacy in data held within electronic storage devices. The following are some cases that can be used as references:
United States v. Ross, 456 U.S. 798, 822-23 (1982)
United States v. Barth, 26 F. Supp. 2d 929, 936-37 (W.D. Tex. 1998)
United States v. Reyes, 922 F. Supp. 818, 832-33 (S.D.N.Y. 1996)
United States v. Lynch, 908 F. Supp. 284, 287 (D.V.I. 1995)
United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 1993)
United States v. Blas, 1990 WL 265179, at *21 (E.D. Wis. Dec. 4, 1990)
This analysis has interesting implications for items such as JumpDrives or floppy disks, which can be either work-related or private, depending on the circumstances. It is probably reasonable for employers to assume that floppy disks found at an office are part of the workplace, but a court could treat a floppy disk or JumpDrive as if it were a private, personal item.
Generally speaking, an employer may consent to a search of an employee's computer and peripherals if the employer has common authority over them. There are currently no cases specifically addressing an employer's consent to search and seize an employee's computer and related items. However, cases exist that discuss searches of an employee's designated work area or desk.
In an electronic environment, employees do not know when a network administrator, supervisor, or anyone else accesses their data. As a practical matter, system administrators can, and sometimes do, look at data. But when they do, they leave no physical clues that would tell a user they have opened one of his files. Some users who are unfamiliar with computer technology may believe that their data is completely private. If an organization has published clear policies about privacy on the network, this effort would support the position that the user has given implied consent to a search by working there under said policy. However, if an organization or administration has not addressed these issues with the users and the situation is ambiguous, the safest course would be to get a warrant.
The Fourth Amendment limits the ability of government agents to search for evidence without a warrant. It states: 'The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.'
A warrantless search does not violate the Fourth Amendment if one of two conditions is met. Accordingly, investigators must consider two issues when asking whether a government search of a computer requires a warrant. First, does the search violate a reasonable expectation of privacy? And if so, is the search nonetheless reasonable because it falls within an exception to the warrant requirement?
The most basic Fourth Amendment question in computer cases asks whether an individual enjoys a reasonable expectation of privacy in electronic information stored within computers or other electronic storage devices under the individual's control. For example, do individuals have a reasonable expectation of privacy in the contents of their laptop computers, floppy disks, or pagers? If the answer is Yes, the government ordinarily must obtain a warrant before it accesses the information stored inside. A search is constitutional if it does not violate a person's 'reasonable' or 'legitimate' expectation of privacy [Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring)]. In most cases, a defendant's subjective expectation of privacy focuses on whether the individual's expectation of privacy was reasonable.
Recognizing that government agencies could not function properly if supervisors had to establish probable cause and obtain a warrant every time they needed to look for a file in an employee's office, the Supreme Court held that two kinds of searches are exempt. Specifically, both (1) a noninvestigatory, work-related intrusion and (2) an investigatory search for evidence of suspected work-related employee misfeasance are permissible without a warrant and should be judged by the standard of reasonableness (Id. at 725-6). These exemptions are stated under the Federal Guidelines for Searching and Seizing Computers. You can find the entire document at http://www.knock-knock.com/federal_guidelines.htm.
Agents must evaluate whether a public employee retains a reasonable expectation of privacy in the workplace on a case-by-case basis, but written employment policies can simplify the task dramatically. See O'Connor, 480 U.S. at 717 (plurality). Courts have uniformly deferred to public employers' official policies that expressly authorize access to the employee's workspace, and they have relied on such policies when ruling that an employee cannot retain a reasonable expectation of privacy in the workplace. See the following cases:
American Postal Workers Union, Columbus Area Local AFL-CIO v. United States Postal Serv., 871 F.2d 556, 59-61 (6th Cir. 1989)
United States v. Bunkers, 521 F.2d 1217, 1219-1221 (9th Cir. 1975)
When planning to search a government computer in a government workplace, agents should look for official employment policies or "banners" that can eliminate a reasonable expectation of privacy in the computer.
In the event that an incident is of enormous proportion and the organizational policy is to prosecute, an investigation could end up in court. Courts are requiring that information instead of equipment be seized and that ample, unaltered information be presented in each case. Court compliance could require cooperative efforts between law enforcement officers and the computer forensic examiner to make certain that the technical resources are sufficient to address both the scope and complexity of a search.
Computer forensic examiners can help prosecute a case with advice about how to present computer-related evidence in court. They can help prepare the case and anticipate and rebut defense claims. In addition, forensic examiners can assist prosecutors in complying with federal rules pertaining to expert witnesses. Under these rules, the government must provide, upon request, a written summary of expert testimony that it intends to use during its case. There is a reciprocal requirement for a summary of defense expert witness testimony, as long as the defense has requested a summary from the government, and the government has complied.
Should the situation arise, make sure the evidence was processed properly. Good laboratory practices ensure the quality and integrity of evidence by dictating how examinations are planned, performed, monitored, recorded, and reported. Unless you are law enforcement, you probably don't have a lab to process evidence; however, most organizations do have a specially trained team to identify and collect evidence of any incidents that arise. Often incidents happen that aren't actually crimes and require only internal investigations. This specially trained team conducts those investigations and is also aware of what constitutes a crime that would require law enforcement involvement. Let's take a closer look at how such a team is organized and how it works.