Seizing and Searching Computers and Computer Data
February 7, 2012
With the explosion of computers and technology, investigators of all types are more often faced with analyzing computer-generated and/or maintained information relevant to their cases. The U.S. Department of Justice has issued as guidance to prosecutors and agents “Federal Guidelines for Searching and Seizing Computers”. These guidelines are the product of the Computer Search and Seizure Working Group, whose members were drawn from the FBI, Secret Service, IRS, DEA, ATF, DOJ, Homeland Security, Customs, the Air Force, and US Attorneys’ offices.
The guidelines include general principles of search warrants, consent searches, chain of custody, and other legal aspects as well as addressing the technological aspects of searching and seizing computers. In this summary, the focus will be on the technological aspects, but the guidelines provide a good primer on operating in the legal environment of prosecutors and law enforcement.
Before any search or seizure begins, a determination must be made of the computer’s role in the offense. This determination drives decisions such as whether to seize the hardware, software, data, or all components and whether the search can be conducted on-site or the computer should be taken to a field office or laboratory. Fourth Amendment rights apply to computer searches as well as traditional ones, and can affect the admissibility of any evidence subsequently found.
Hardware
Without going into the specific legal detail here, generally seizure of computer hardware can be justified on one of three theories:
(1) The hardware is contraband;
(2) The hardware was an instrumentality of the offense; or
(3) The hardware constitutes evidence of an offense.
In many cases, more than one theory may apply. For example, when a hacker uses his computer to spread viruses, the computer may be both an instrumentality of and evidence of an offense. When hardware is seized, it is important to be sure that all required components are taken.
In some cases, the computer workstation may be just a dumb terminal and the desired evidence (data) resides on a server. At the same time, the investigators must take care to only seize required components to the extent it is possible to make that determination. For example, in a networked environment the data could reside on any of multiple machines. However, to protect the legality and admissibility of the evidence, the investigator should be able to articulate a reason for each component that is taken.
The computer must be transported from the scene properly to avoid damage to the evidence. This may require researching the related operating manuals on how to secure the equipment, or may require having a technical expert assist in the seizure. Before disconnecting cables, it is helpful to videotape or photograph the site and prepare a wiring schematic. This will document the condition of the equipment at the scene and ensure the system can be reconfigured for later analysis. Once this is done, the equipment should be disassembled, tagged and inventoried prior to the move.
Any disks, drives, or other magnetic media should also be secured to prevent damage, such as avoiding strong magnetic fields, temperature extremes, or buildup of static electricity.
Software And Data
Searches and seizures of data and software are more complex, and fall into two distinct groups:
(1) Instances where the data is stored on a computer at the search site, and
(2) Those where the information is stored off-site and the computer at the search scene is used to access the off-site location.
In some cases, the difference is insignificant. On the other hand, there are certain unique issues that arise only in a networked environment. A search warrant is required to be issued by a court in the district where the property is located. Thus, if a network is involved, the data may reside on a computer in a different jurisdiction/district and a second search warrant may be required. Furthermore, some computers may contain privileged information, such as that of doctors, lawyers, or clergy, and require extra care in being accessed. For these confidential fiduciaries, the computer data is very likely to include confidential information about persons not connected to the investigation. In 42 USC 2000aa-11(1), Congress has recognized a “special concern for privacy interests in cases in which a search or seizure for … documents would intrude upon a known confidential relationship such as that which may exist between clergyman and parishioner; lawyer and client; or doctor and patient.” A search warrant can be used if using less intrusive means would substantially jeopardize the availability or usefulness of the materials sought; access to the documents appears to be of substantial importance to the investigation; and the application for warrant has been recommended by the US Attorney and approved by the appropriate Deputy Assistant Attorney General.
Congress has also expressed a concern for publishers and journalists in the Privacy Protection Act, 42 USC 2000aa. Generally speaking, agents may not search for or seize any “work product materials” (defined by statute) from someone “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication.” In some cases, a court may appoint a special master to search a computer containing privileged information and identify that which is pertinent to the case.
The guidelines caution investigators to ensure the master is a neutral computer expert with no connections to the investigated parties. Understandably, if the person who holds the documents is a target rather than a disinterested party, the rules are different. In those cases, the investigator may get a warrant to search the files, but the warrant should be narrowly written to include only information that is pertinent to the investigation.
As with hardware, computer data can be contraband, an instrumentality, or evidence of an offense. In addition to the computer data files, computer printouts or manuals with handwritten notes may be significant to the case. Data may also be contained in laser printers (before they are moved), hard disk print buffers of some laser printers, some specialized keyboards, hard cards, or fax machines.
These devices, and others, sometimes contain memory of varying sizes that holds data until it is overwritten or the machine is turned off. Backup systems provide another source for obtaining data depending on how regularly and frequently data backups have been made.
In networked systems, investigators could end up with nothing more than hardware if they have not gathered information, whether from sources or surveillance, on how the system is operated. The file server which stores the programs and data files for the network can be in a separate physical location from the networked computers, perhaps in a different judicial district. Electronic mail might be stored on a server until the addressee retrieves the messages. Even deleted messages may be accessible from the network server if mail is backed up before the messages were deleted. Voice mail systems are computer systems that can provide necessary evidence (data). Again, messages may be accessible from the backup system even if they have been deleted.
Another quirk of seizing data from a networked system is the need to control access to the files during the seizure. When seizing paper files, the perimeter can be secured to prevent unauthorized access. Electronic records on a network are more susceptible to alteration or destruction even while the seizure is underway. Therefore, it is important to prohibit access to the data, either by software commands or by disconnecting the network cables to the computer. This should only be performed by an expert to avoid damaging the data or system.
In deciding whether to search computer data at the scene or seize it to review at an off-site location, many factors should be considered. Concerns for “best evidence” must be weighed against the civil liability created by closing a business down. Providing an exact image on a replacement drive to the business can satisfy the need for “best evidence” and limit any civil liability.
The search warrant should be written as specifically as possible by focusing on the content of the records. Then, as a separate logical step, investigators should address the practical aspects of whether the data can be searched on-site. The volume of data may take days to search for relevant information, so taking the available data off-site becomes reasonable. While data seized should be limited where possible, a search does not become invalid merely because some items not covered by the search warrant are seized. As long as the investigators do not demonstrate flagrant disregard for the search warrant’s limitations, the items covered by the warrant will be admissible. Sometimes documents are so intermingled that it is not feasible to sort them on-site. Another factor to consider is the location of the data. When a search is conducted at a home, courts seem more understanding of the choice to seize the data and search it at an off-site location later. As cited in United States v. Santarelli, 778 F.2d 609 (11th Cir. 1985), “To require an on-premises examination … would significantly aggravate the intrusiveness of the search by prolonging the time the police would be required to remain in the home.”
Once the data has been obtained, analysts with specialized skills are often required to ensure the data is properly processed to maintain its integrity. These analysts use specially designed software utility programs to search for specific names, dates, file extensions, etc. They can also recover deleted data, search for and expose hidden files, and recover encrypted or password-protected data. The analyst can assist in searching the data by using keyword searches and by printing file directories for the investigator’s review. Typically, the computer expert will prepare a mirror image of the computer’s files to allow the analysis to be conducted without harming the original data. A well-intentioned investigator with amateur skills could inadvertently, but irretrievably, damage the data or the admissibility of the evidence. Computer experts have to track their procedures so they can recreate their steps in court if necessary. Also, computer-literate suspects may install commands to destroy the computer’s data if a required password is not entered at periodic intervals, or some other hidden trap.
To ensure the proper expertise is available, information such as the operating system, the software being used, and the hardware configuration should be gathered. Computer forensic experts can help prosecute cases with advice about how to present computer-related evidence in court. Further, many are experienced expert witnesses and can help anticipate and rebut defense claims.