You probably won't have unobstructed access to all evidence. Before you collect evidence, you must make sure you have the right to either search or seize the evidence in question. This section briefly discusses the options and restrictions of searching and seizing evidence.
The easiest method of acquiring the legal right to search or seize computer equipment is through voluntary surrender. This type of consent occurs most often in cases where the primary owner is different from the suspect. In many cases, the equipment owner cooperates with the investigators by providing access to evidence. Be aware that the evidence you want might reside on a business-critical system. Although the equipment owner may be cooperative, you must be sensitive to the impact your requests for evidence may have on the equipment owner's business. Although you might want to seize all the computers in the Human Resources department to analyze payroll activity, you can't put the whole department out of operation for long. If your activities will alter the business functions of an organization, you may need to change your plans. For example, you could make arrangements to create images of each drive from the Human Resources department computers during off-business hours. If you can image each drive overnight, you could get what you need without impacting the normal flow of operations.
Voluntary surrender: Permission granted by a computer equipment owner to search and/or seize the equipment for investigative purposes.
You would also have voluntary consent in cases in which an employee signed search and seizure consent as a condition of employment. Such prior consent relieves you from having to get additional permission to access evidence. As in any investigation, the value of evidence often diminishes over time. The sooner you collect evidence, the higher the likelihood that evidence will be useful. If no such consent exists, you are going to have to get a court involved.
Never assume you have consent to search or seize computer equipment. Always ensure you are in compliance with all policies and laws when conducting an investigation. Few things are more frustrating than having to throw out good evidence because it was acquired without proper consent.
In cases where you do not have voluntary consent to search or seize evidence, you'll have to ask for permission from a court. The first option using a court order is a subpoena. A subpoena compels the individual or organization that owns the computer equipment to surrender it.
Subpoena: A court order that compels an individual or organization to surrender evidence.
A subpoena is appropriate when it is unlikely that notifying the computer equipment owner will result in evidence being destroyed. A subpoena provides the equipment owner ample time to take malicious action and remove sensitive information. Make sure you are confident a subpoena will not allow a suspect to destroy evidence. A common use of a subpoena is when the nonsuspect equipment owner is unwilling to surrender evidence. An owner could have many reasons for being unwilling to release evidence. The evidence could contain sensitive information, and company policy could require a court order to release such information. Many times, the court order is required by policy or regulation to document that sufficient authority exists to release information. In any case where cooperation is based on proper authority, a subpoena may provide the access to evidence you need.
When you need to search or seize computer equipment that belongs to a suspect in the investigation, the possibility exists that evidence may be damaged or rendered useless. You need to have the court grant law enforcement officers permission to search and/or seize the identified computer equipment without giving the owner any prior notice. A search warrant allows law enforcement officers to acquire evidence from a suspect's machine without allowing the suspect to taint the evidence. You should resort to a search warrant only when a subpoena puts evidence at risk. If you are working as an independent investigator, you do not have the option to execute a search warrant. This option is available only to law enforcement officials.
Search warrant: A court order that allows law enforcement to search and/or seize computer equipment without providing advance warning to the equipment owner.
Because a search warrant is an extreme step, courts are reluctant to issue such a ruling without compelling reasons to do so. Make sure you are prepared to justify your request. If you are operating on a 'hunch,' you are likely to be refused. Before asking for a search warrant, gather some preliminary evidence that points to the suspect and his or her machine as a crucial part of the evidence chain.