Legal Perspective: Searching for and Seizing Information

This is a fascinating paper from the United States Department of Justice. Although quite dated now, the guide does offer a useful insight into the issues and problems facing legal administrators and others.

A. INTRODUCTION 
Hardware searches are not conceptually difficult. Like searching for weapons, 
the items sought are tangible. They occupy physical space and can be moved in 
familiar ways. Searches for data and software are far more complex. For purposes 
of clarity, these types of searches must be examined in two distinct groups: (1) 
searches where the information sought is on the computer at the search scene and 
(2) searches where the information sought has been stored off-site, and the 
computer at the search scene is used to access this off-site location. 
In some cases, the distinction is insignificant, and many topics covered in this 
section apply equally to both types of searches. On the other hand, there are 
certain unique issues that arise only when the computer is part of a network. 
For example, since Fed. R. Crim. P. 41(a) requires that a search warrant be 
issued by a court in the district where the property is located, agents may have 
to get a second warrant in another district if the target has sent data to a 
distant computer. See "Describing the Place to be Searched," infra p. 87. 
Although "property" is defined in Federal Rule of Criminal Procedure 41(h) to 
include "documents, books, papers and other tangible objects," (emphasis added), 
courts have held that intangible property such as information may be seized. In 
United States v. Villegas, 899 F.2d 1324, 1334-35 (2d Cir.), cert. denied, 498 
U.S. 991 (1990), the Second Circuit noted that warrants had been upheld for 
intangible property such as telephone numbers called from a given phone line and 
recorded by a pen register, conversations overheard by means of a microphone 
touching a heating duct, the movement of property as tracked by 
location-monitoring beepers, and images seized with video cameras and 
telescopes. The court in Villegas upheld a warrant which authorized agents to 
search a cocaine factory and covertly take photographs without authorizing the 
seizure of any tangible objects. But see United States v. Johns, 948 F.2d 599 
(9th Cir. 1991), cert. denied, 112 S. Ct. 3046 (1992)(a "sneak and peek" warrant 
executed without giving notice to the defendants that the search had occurred 
violated Rule 41(d)). 

B. INFORMATION AS CONTRABAND 
The same theories which justify seizing hardware--contraband or fruit of crime, 
instrumentality, or evidence--also apply to seizing information. See "Authority 
for Seizing Contraband or Fruits of Crime," supra p. 25. Because individuals 
often obtain copies of software in violation of copyright laws, it may be 
appropriate to seize that software as well as any documentation (such as 
photocopied software manuals) because they are likely to be illegally obtained. 
(Software producers may allow a purchaser to make a backup copy of the software 
bought, but these copies may not be disseminated because of copyright laws.) 
Lists of telephone card access codes and passwords for government computer 
networks may also be considered contraband, because their possession is 
prohibited by statute if the possessor has the requisite mens rea. 18 U.S.C. § 
1029(a)(3), 18 U.S.C. § 1030(a)(6). 

C. INFORMATION AS AN INSTRUMENTALITY 
Rule 41(b) broadly defines what may be seized as an instrumentality: any 
"property designed or intended for use or which is or has been used as the means 
of committing a criminal offense." Fed. R. Crim. P. 41(b)(3). This includes both 
tangible and intangible property. See United States v. Villegas, supra p. 33. 
Thus, in some cases, informational documents and financial instruments which 
have been used in the commission of an offense may be seized as 
instrumentalities of crime. Compare Abel v. United States, 362 U.S. 217, 237-9 
(1960)(documents used in connection with suspect's illegal alien status were 
instrumentalities, including phony birth certificates, bank records, and 
vaccination records) with Application of Commercial Inv. Co., 305 F. Supp. 967 
(S.D.N.Y. 1969)($5 million in securities were not instrumentalities where the 
government suspected improprieties with an $18,000 brokerage account and the 
securities were at most "incidental" to the offense). 
Likewise, investigators should seize objects if they are "designed or intended 
for use" as instrumentalities. Fed. R. Crim. P. 41(b)(3). Sometimes an item will 
obviously fit that description (like software designed to help hackers crack 
passwords or lists of stolen credit card numbers) but, at other times, it may 
not be so simple. Even so, as long as a reasonable person in the agent's 
position would believe the item to be an instrumentality, the courts will 
probably respect the agent's judgment. This is, after all, the same test used to 
determine when an object would aid apprehension or conviction of a criminal. See 
Andresen v. Maryland, 427 U.S. 463, 483 (1976). As such, the particular facts of 
the case are very important. For example, if an agent investigating the sysop of 
an illegal bulletin board knows that the board only operates on one personal 
computer, a second computer sitting in the same room is probably not an 
instrumentality. But if the agent has heard from a reliable informant that the 
suspect has boasted about expanding his operation to a second board, that second 
computer is probably "intended" as an instrumentality, and the agent should take 
it. Additionally, if the suspect has substantially modified a personal computer 
to enhance its usefulness for a particular crime (perhaps by installing 
password-cracking software), an agent might well reasonably believe that the 
computer and the software was "designed" for criminal activity. 

D. INFORMATION AS EVIDENCE 
Before the Supreme Court's rejection of the "mere evidence" rule in Warden v. 
Hayden, 387 U.S. 294, 300-301 (1967), courts were inconsistent in ruling whether 
records that helped to connect the criminal to the offense were 
instrumentalities of crime (and thus seizable), or were instead merely evidence 
of crime (and thus not seizable). Compare Marron v. United States, 275 U.S. 192 
(1927) (approving prohibition agent's seizure of bills and ledger books 
belonging to speakeasy operators as instrumentalities of crime) with United 
States v. Lefkowitz, 285 U.S. 452 (1932)(disapproving prohibition agent's 
seizure of papers intended to solicit orders for illegal liquor). Indeed, 
several courts have concluded that, when it comes to documents, it is impossible 
to separate the two categories. See Hayden, 387 U.S. at 302 (stating that the 
distinction between mere evidence and instrumentalities "is wholly irrational, 
since, depending on the circumstances, the same 'papers and effects' may be 
'mere evidence' in one case and 'instrumentality' in another"); United States v. 
Stern, 225 F. Supp. 187, 191 (S.D.N.Y. 1964) ("It would be hazardous to attempt 
any definition [of papers that are instrumentalities of crime and not mere 
evidence]; we shall not."). Now that evidence of crime may be seized in the same 
way as instrumentalities of crime, it is useful to acknowledge that, in most 
instances, documents and other information connecting the criminal to his 
offense should be viewed as evidence of the crime, and not as instrumentalities. 
For example, in United States v. Lindenfield, 142 F.2d 829, 830-32 (2d Cir.), 
cert. denied, 323 U.S. 761 (1944), the prescription records of a doctor who 
illegally prescribed morphine to "patients" were classified as evidence, not as 
instrumentalities. 
The prescription records in Lindenfield illustrate the sort of document that may 
be seized as evidence: records that reveal the operation of the criminal 
enterprise over time. Other examples include the customer lists of narcotics 
traffickers, telephone bills of hackers who break into computer networks, and 
plans for the fraud or embezzlement of corporate and financial targets. This 
documentary evidence may be in paper or book form, or it may be stored 
electronically in a computer or on a backup tape. As with other types of 
evidence, documents may be seized if they aid in showing intent and the absence 
of mistake on the suspect's part, even though they may not relate directly to 
the commission of the crime, but to some other similar transaction instead. See 
Andresen v. Maryland, 427 U.S. 463, at 483-84 (1976)(approving seizure of 
documents about a second transaction because they showed criminal intent and 
absence of mistake in the first transaction). 


1. Evidence of Identity 
Evidence of a crime also includes various types of identification evidence. For 
example, courts have recognized that clothing seen worn by a criminal during the 
commission of the offense constitutes evidence of the crime, because it helps to 
tie the suspect to the crime. See, e.g., United States v. Korman, 614 F.2d 541, 
547 (6th Cir.)(approving the seizure of a green ski jacket as both evidence of 
and an instrumentality of the crime), cert. denied, 446 U.S. 952 (1980). 
Documents that incriminate a suspect's co-conspirators also may be seized as 
evidence because they help identify other involved parties and connect them with 
the suspect. See, e.g., United States v. Santarsiero, 566 F. Supp. 536, 544 
(S.D.N.Y. 1983)(approving the seizure of the suspect's notebook in a counterfeit 
credit card investigation where others were working with or purchasing cards 
from him, and the notebook contained telephone numbers that the investigating 
officers could reasonably believe would help in identifying and connecting 
others with the suspect's crimes). In many computer crimes, we have found that 
hackers work jointly and pool hacking information. In these cases, telephone 
records may prove this connection. Moreover, agents may seize evidence that 
helps identify the occupant of a home or office connected to the crime, where 
the home or office is used regularly by more than one person. See, e.g., United 
States v. Whitten, 706 F.2d 1000, 1008-09 (9th Cir. 1983)(approving the seizure 
of telephone books, diaries, photos, utility bills, telephone bills, personal 
property, cancelled mail, keys, rent receipts, deeds, and leases that helped 
establish who owned and occupied premises used for a large scale narcotics 
operation, where the premises were used by more than one person and the warrant 
authorized seizing items "indicating the ownership or occupancy of the 
residence"), cert. denied, 465 U.S. 1100 (1984). As with houses and offices, 
computers are often used by more than one person, and this sort of evidence may 
help establish just who used the computer or computers to commit the crime. 


2. Specific Types of Evidence 
a. Hard Copy Printouts
Any information contained in a computer system may have been printed out by the 
target of the investigation. Finding a printed copy may be valuable for a number 
of reasons. First, a printout may display an earlier version of data that has 
since been altered or deleted. Second, in certain electronic environments (such 
as bulletin boards), individuals may claim to lack knowledge about what 
information is electronically stored in the computer (e.g., a bulletin board 
operator may disavow any knowledge that his board contained illegal access codes 
that were posted and downloaded by others). Finding printed copies in someone's 
possession may negate this defense. Third, the printouts may tie the crime to a 
particular printer which, in turn, may be seizable as an instrumentality (e.g., 
the printouts may reveal that extortionate notes were printed on a certain 
printer, thus warranting seizure of the printer). 

b. Handwritten Notes
Finally, agents should be alert for notes in manuals, on the equipment, or in 
the area of the computer. These may provide critical keys to breaking passwords, 
finding the file or directory names of important data, operating the hardware or 
software, identifying the suspect's electronic or telephone connections with 
co-conspirators and victims, or finding login names or accounts. 

E. PRIVILEGED AND CONFIDENTIAL INFORMATION 
1. In General 
Warrants to search computers which contain privileged information must meet the 
same requirements as warrants to search for and seize paper documents under 
similar conditions; that is, the warrant should be narrowly drawn to include 
only the data pertinent to the investigation, and that data should be described 
as specifically as possible. See, e.g., Klitzman v. Krut, 744 F.2d 955 (3d Cir. 
1984). Since a broad search of computers used by confidential fiduciaries (e.g., 
attorneys or physicians) is likely to uncover personal information about 
individuals who are unconnected with the investigation, it is important to 
instruct any assisting forensic computer experts not to examine files about 
uninvolved third parties any more than absolutely necessary to locate and seize 
the information described in the warrant. 

a. Doctors, Lawyers, and Clergy 
Federal law recognizes some, but not all, of the common law testimonial 
privileges. Fed. R. Evid. 501. Indeed, Congress has recognized a "special 
concern for privacy interests in cases in which a search or seizure for 
documents would intrude upon a known confidential relationship such as that 
which may exist between clergyman and parishioner; lawyer and client; or doctor 
and patient." 42 U.S.C. § 2000aa-11(1)(3). At Congress's direction, see 42 
U.S.C. § 2000aa-11(a), the Attorney General has issued guidelines for federal 
officers who want to obtain documentary materials from disinterested third 
parties. 42 U.S.C. § 2000aa-11. Under these rules, they should not use a search 
warrant to obtain documentary materials believed to be in the private possession 
of a disinterested third party physician, lawyer, or clergyman where the 
material sought or likely to be reviewed during the execution of the warrant 
contains confidential information on patients, clients, or parishioners. 28 
C.F.R. § 59.4(b). A search warrant can be used, however, if using less intrusive 
means would substantially jeopardize the availability or usefulness of the 
materials sought; access to the documentary materials appears to be of 
substantial importance to the investigation; and the application for the warrant 
has been recommended by the U.S. Attorney and approved by the appropriate Deputy 
Assistant Attorney General. 28 C.F.R. § 59.4(b)(1) and (2). 

b. Publishers and Authors
Additionally, Congress has expressed a special concern for publishers and 
journalists in the Privacy Protection Act, 42 U.S.C. 2000aa. Generally speaking, 
agents may not search for or seize any "work product materials" (defined by 
statute) from someone "reasonably believed to have a purpose to disseminate to 
the public a newspaper, book, broadcast, or other similar form of public 
communication." 42 U.S.C. § 2000aa(a). In addition, as an even broader 
proposition, government officers cannot search for or seize "documentary 
materials" (also defined) from someone who possesses them in connection with a 
purpose to similarly publish. 42 U.S.C. § 2000aa(b). These protections do not 
apply to contraband, fruits of a crime, or things otherwise criminally 
possessed. 42 U.S.C. § 2000aa-7. 
Although this provision may seem, at first blush, to have a somewhat limited 
application for law enforcement, it has emerged as a frequent issue in computer 
searches. Because even a stand-alone computer can hold thousands of pages of 
information, it is common for users to mix data so that evidence of crime is 
commingled with material which is innocuous--or even statutorily protected. And 
as a technical matter, analysts sometimes cannot recover the electronic evidence 
without, in some manner, briefly searching or seizing the protected data. 
Moreover, this problem becomes exponentially more difficult, both legally and 
practically, if the target computers are part of a network which holds the work 
of many different people. The larger the network and the more varied its 
services, the harder it is to predict whether there might be information on the 
system which could arguably qualify for statutory protection. (This complex area 
of the law is discussed in detail at "THE PRIVACY PROTECTION ACT, 42 U.S.C. § 
2000aa," infra p. 69. It is critical that prosecutors and agents read this 
section and the statute with care before undertaking a search which may intrude 
on protected materials.) 

2. Targets 
If the person who holds the documents sought is not "disinterested" but a target 
of the investigation, the rules are understandably different. In those cases, 
agents may get a warrant to search the files for confidential information 
(regardless of whether that information is technically "privileged" under 
Federal law), but the warrant should be drawn as narrowly as possible to include 
only information specifically about the case under investigation. 
When the target of an investigation has complete control of the computer to be 
searched (such as a stand-alone PC), it may be difficult to find all the 
evidence without examining the entire disk drive or storage diskettes. Even in 
situations like these, it may be possible to get other people in the suspect's 
office to help locate the pertinent files without examining everything. When a 
computer must be removed from the target's premises to examine it, agents must 
take care that other investigators avoid reading confidential files unrelated to 
the case. Before examining everything on the computer, analysts should try to 
use other methods to locate only the material described in the warrant. Finally, 
as experts comb for hidden or erased files or information contained between disk 
sectors, they must continue to protect the unrelated, confidential information 
as much as possible. 

3. Using Special Masters 
In rare instances, the court may appoint a special master to help search a 
computer which contains privileged information. See, e.g., DeMassa v. Nunez, 747 
F.2d 1283 (9th Cir. 1984). A neutral master would be responsible to the court, 
and could examine all the documents and determine what is privileged. If the 
court appoints a master, the government should ask for a neutral computer expert 
to help the master recover all the data without destroying or altering anything. 
In cases like these, the computer expert needs detailed instructions on the 
search procedures to be performed. In no event should the target of the search 
or his employees serve as the master's computer expert. 

F. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND-ALONE PCs, NETWORKS AND 
FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS, AND ELECTRONIC MAIL 
1. Stand-Alone PCs 
When searching for information, agents must not overlook any storage devices. 
This includes hard drives, floppy disks, backup tapes, CD-ROMs, WORM drives, and 
anything else that could hold data. In addition, notwithstanding the high-tech 
nature of computer searches, investigators must remember basic evidentiary 
techniques. If identification is an issue, they should look for fingerprints or 
other handwritten notes and labels that may help prove identity. If data is 
encrypted, a written copy of the password is clearly important. 

a. Input/Output Devices: Do Monitors, Modems, Printers, and Keyboards Ever Need 
to be Searched?
Prosecutors must always keep in mind the independent component doctrine (supra 
p. 24); that is, there must be a basis for seizing each particular item. If 
agents are only searching for information, it may be senseless to seize hardware 
that cannot store information. 
That said, it is important to remember that information can be retrieved from 
many hardware devices, even those not normally associated with a storage 
function. Generally speaking, input and output (I/O) devices such as keyboards, 
monitors, and printers do not permanently store data. Most data is stored on 
devices such as hard drives, CD-ROMs, and floppy disks. By contrast, I/O devices 
are used to send data to, and receive data from, the computer. Once the computer 
is turned off, I/O devices do not store information. For example, when a 
computer is turned off, the information on the screen is lost unless it has been 
saved to a storage device. 
However, there are significant exceptions to this general rule. A trained 
computer specialist, using specialized techniques, may find data or other 
evidence even on I/O devices. The following list is not all-inclusive, but 
rather offers some examples of I/O devices that may provide useful evidence even 
after they have been turned off. 
Laser printers -- It may be possible to search for images of the last page 
printed on laser printers. This technique requires planning because the expert 
must examine the printer before it is moved. If this type of evidence may be 
needed, a computer expert must be ready at the scene with the necessary 
equipment. Additionally, paper containing information may still be inside a 
laser printer due to a paper jam that was not cleared. 
Hard disk print buffers -- Some laser printers have five- or ten-megabyte hard 
drives that store an image before it prints, and the information will stay on 
the drive until the printer runs out of memory space and writes over it. One 
example of a printer that may have an internal hard drive is the Qume 1000 Color 
Printer. An expert would be able to search the hard drive for information sent 
to and stored by that printer.
Print Spooler Device -- This device holds information to be printed. The spooler 
may be holding a print job if the printer was not ready to print when the print 
command was given (e.g., the printer was not turned on or was out of paper). 
This device should be handled at the scene since the information will be lost 
when power is disrupted.
Ribbon printers -- Like old typewriter ribbons, printer ribbons contain 
impressions from printed jobs. These impressions can be recovered by examining 
the ribbon.
Monitors -- Any burning of the screen phosphorus may reveal data or graphics 
commonly left on the screen.
Keyboards -- Although they do not normally store information, some unusual 
keyboards are actually computer workstations and may contain an internal 
diskette drive.
Hard Cards -- These appear to be a typical function board but they function like 
a hard disk drive and store information. 
Scanner -- Flatbed type scanners may have hard paper copy underneath the cover.
Fax machines -- Although some kinds of stand-alone fax machines simply scan 
and send data without storing it, other models can store the data (e.g., on a 
hard drive) before sending it. Significantly, the data remains in the machine's 
memory until overwritten. Some fax machines contain two or more megabytes of 
memory--enough to hold hundreds of pages of information. 

b. Routine Data Backups
Even on stand-alone systems, computer users often make backup copies of files to 
protect against hardware failure or other physical disruptions. If the computer 
has any sort of failure which destroys the original copy of data or programs 
(e.g., a hard disk failure), the data can then be restored from the backups. How 
often backups are made is solely up to the user. As a practical matter, however, 
most computer-literate users will back up data regularly since mechanical 
failures are not uncommon and it is often difficult and time-consuming to 
recreate data that has been irretrievably lost. Backup copies can be made on 
magnetic tape, disks, or cartridges. 


2. Networked PCs 
Increasingly, computers are linked with other computers. This can be done with 
coaxial cable in a local area network, via common telephone lines, or even 
through a wireless network, using radio frequency (RF) communications. Due to 
this interconnectivity, it has become more important than ever to ascertain from 
sources or surveillance what type of system agents will encounter. Without 
knowing generally what is there before the search, investigators could end up 
with nothing more than a "dumb terminal" (no storage capability) connected to a 
system which stores the files in the next county or state. It would be akin to 
executing a search warrant for a book-making operation on a vacant room that 
only has a phone which forwards calls to the actual operation site. During the 
planning stage of a search, the government must consider the possibility of 
off-site storage locations. 
The following are systems or devices which make it possible for a suspect to 
store data miles, or even continents, away from her own computer: 
FILE SERVER: A file server is a computer on a network that stores the programs 
and data files shared by the users of the network. A file server acts like a 
remote disk drive, enabling someone to store information on a computer system 
other than his own. It can be located in another judicial district from the 
target machine. 
ELECTRONIC MAIL: Electronic mail provides for the transmission of messages and 
files between computers over a communications network. Sending information in 
this way is similar in some ways to mailing a letter through the postal service. 
The messages are sent from one computer through a network to the electronic 
address of another specific computer or to a series of computers of the sender's 
choice. The transmitted messages (and attached files) are either stored at the 
computer of the addressee (such as someone's personal computer) or at a mail 
server (a machine dedicated, at least in part, to storing mail). If the 
undelivered mail is stored on a server, it will remain there until the addressee 
retrieves it. When people "pick up" e-mail from the mail server, they usually 
receive only a copy of their mail, and the stored message is maintained in the 
mail server until the addressee deletes it (some systems allow senders to delete 
mail on the server before delivery). Of course, deleted mail may sometimes be 
recovered by undeleting the message (if not yet overwritten) or by obtaining a 
backup copy (if the server was backed up before the message was deleted). 
ELECTRONIC BULLETIN BOARD SYSTEMS (BBS): A bulletin board system is a computer 
dedicated, in whole or in part, to serving as an electronic meeting place. A BBS 
computer system may contain information, programs, and e-mail, and is set up so 
that users can dial the bulletin board system, read and leave messages for other 
users, and download and upload software programs for common use. Some BBSs also 
have gateways which allow users to connect to other bulletin boards or networks. 
A BBS can have multiple telephone lines (so that many people can use it at the 
same time) or a single line where a user's access is first-come, first-served. 
BBSs can have several levels of access, sometimes called "sub-boards" or 
"conferences." Access to the different conferences is usually controlled by the 
system operator with a password system. A single user may have several different 
passwords, one for each different level or conference. A user may store 
documents, data, programs, messages, and even photographs in the different 
levels of the BBS. 
A bulletin board system may be located anywhere telephone lines go. Therefore, 
if a suspect may have stored important information on a BBS, a pen register on 
the suspect's phone may reveal the location of these stored files. Agents must 
be careful, though, because sysops have been known to forward incoming calls 
through a simple phone in one spot to their BBS computers somewhere else. 
Sometimes these calls hop between houses, and sometimes, between jurisdictions. 
Investigators cannot assume that the phone number called by the suspect is 
always the end of the line. 
VOICE-MAIL SYSTEMS: A voice-mail system is a complex phone answering machine 
(computer) which allows individuals to send and receive telephone voice messages 
to a specific "mailbox" number. A person can call the voice-mail system (often a 
1-800 number) and leave a message in a particular person's mailbox, retrieve 
messages left by other people, or transfer one message to many different 
mailboxes in a list. Usually, anyone can leave messages, but it takes a password 
to pick them up or change the initial greeting. The system turns the user's 
voice into digital data and stores it until the addressee erases it or another 
message overwrites it. Criminals sometimes use voice mailboxes (especially 
mailboxes of unsuspecting people, if the criminals can beat the mailbox 
password) as remote deaddrops for information which may be valuable in a 
criminal case. Voice mailboxes are located in the message system computer of the 
commercial vendor which supplies the voice-mail service, or they can be found on 
the computer at the location called. Voice mail messages can be written on 
magnetic disk or remain in the computer's memory, depending on the vendor's 
system. 
Of course, all networked systems, whether data or voice, may keep routine and 
disaster backups. 

a. Routine Backups
Making backups is a routine, mandatory discipline on multi-user systems. On 
larger systems, backups may be created as often as two to three times per 
working shift. Usually backups are made once per day on larger systems and once 
per week on smaller ones. Backups are usually stored in a controlled environment 
to protect the integrity of the data (e.g., locked in a file cabinet or safe). 
The system administrators will usually have written procedures which set out how 
often backup copies will be made and where they will be kept. Backups for large 
systems are often stored at remote locations. 
b. Disaster Backups
These are additional backups of important data meant to survive all 
contingencies, such as fire, flood, etc. As extra protection, the data is stored 
off-site, usually in another building belonging to the business or in rented 
storage space. It would be unusual to find the disaster backups near the routine 
backups or original data. Again, these copies can be stored on diskettes, 
magnetic tape, or cartridge. A 

G. SEARCHING FOR INFORMATION 
1. Business Records and Other Documents 
Obtaining records from a multi-user computer system raises certain issues that 
are uncommon in the paper world. When dealing with papers stored in filing 
cabinets, agents can secure the scene and protect the integrity of the evidence 
by physically restricting access to the storage container and its papers. 
Electronic records are, of course, easier to alter or destroy. More important, 
such alteration or destruction may occur while the agent is looking at a copy of 
the document on a workstation terminal. Therefore, it is important to control 
remote access to data while the search is being conducted. This can often be 
done by prohibiting access to the file or file server in question, either by 
software commands or by physically disconnecting cables. This should only be 
done by an expert, however, because altering the system's configuration may have 
significant unintended results. 
If the system administrator is cooperating with investigators, the task becomes 
much easier, and agents should use the least intrusive means possible to obtain 
the data (e.g., a request, grand jury subpoena, or administrative subpoena). Of 
course, if the entire business is under investigation or there is reason to 
believe that records may be altered or destroyed, a search warrant should be 
used. 

2. Data Created or Maintained by Targets 
Targets of criminal investigations, particularly computer crimes, may have data 
on a multi-user computer system. Where the target owns or operates the computer 
system in question, it is safest to use warrants, although subpoenas may be 
appropriate in the right case. 
Where the target does not control the system but merely has data on it, the 
sysop may be willing to provide the requested data assuming he has the authority 
to do so. Never forgetting the legal restraints of 18 U.S.C. § 2702 (see "Stored 
Electronic Communications," infra p. 82), the sysop can, as a practical matter, 
probably retrieve the needed data rather easily. Ordinarily, a multi-user 
computer system will have specific accounts assigned to each user or groups of 
users. While the various "users" may not be able to get into each others' files, 
the system operator (like a landlord with passkeys) can usually examine and copy 
any file in the computer system. (Typically, the sysop has what is called 
"superuser" authority or "root" access.) 
Some systems, by their rules, may prohibit the system managers or operators from 
reading files in specific data areas or may expressly limit the purposes for 
which sysops may exercise their access. In those cases, sysops may insist on a 
court order or subpoena. If, on the other hand, users have consented to complete 
sysop access in order to use the system, a request to the sysop for the 
information may be all that is required. In either event, rarely will it be wise 
for investigating agents to search large computer systems by themselves. Without 
the sysop's help, it may be difficult (if not impossible) for agents to comb a 
multi-user computer system the way they search file cabinets for paper records. 
When using a subpoena with a future return date, agents should specifically ask 
for the computerized records as they exist at time of service, and state clearly 
that service of the subpoena obliges the recipient to preserve and safeguard the 
subpoenaed information by making a copy. Investigators should explain that even 
if the recipient contests the subpoena, he must not only copy the data "as is," 
but must also confirm to the agent that the copy has been made. The subpoena 
should also say that failure to preserve the subpoenaed information may subject 
the recipient to sanctions for contempt. In some circumstances, a "forthwith 
subpoena" may even be appropriate. If all this is not done, the data may be 
altered or erased--deliberately, accidentally, or in the normal course of 
business--before the return date on the subpoena. 


3. Limited Data Searches 
Once analysts have determined the operating system and have taken precautions to 
protect the integrity of the data, they will select tools to aid in the search. 
Using specially designed software called "utilities" will greatly help, because 
analysts can tailor the search to look for specified names, dates, and file 
extensions. They can scan disks for recently deleted data and recover it in 
partial or sometimes complete format. They can also identify and expose hidden 
files. In some cases, analysts may find files that are not in a readable format; 
the data may have been compressed to save space or encrypted to control access 
to it. Here again, utility packages will help recover the data. In designing the 
data search, they might use a variety of utilities. Some are off-the-shelf 
software available from most computer retailers. But utility software can also 
be custom-made, especially designed to perform specific search functions that 
are specified in standard laboratory procedures. Obviously, agents should rely 
upon experts for this kind of analysis. (See APPENDIX C, p. 136, for a list of 
federal sources for experts.) 
There are several reasons why analysts will probably want to do a limited rather 
than a complete search through the data. First of all, the law in general 
prefers searches of all things--computer data included--to be as discrete and 
specific as possible. Second, the warrant may specify particular files, 
directories, or sub-directories, or certain categories of data. Finally, even if 
the facts of a case give an analyst free rein to search all the data, the 
economies of scale usually require a more systematic approach. At the least, 
analysts should plan for a methodical inventory of directories and 
sub-directories and prepare to document all the steps taken in the search. 
Because data is so easy to alter or destroy, analysts must have a careful record 
so that their efforts can be re-created for a court. In examining the data, 
analysts will probably have to do some sorting--examining things that could be 
relevant and by-passing the unrelated items. Only rarely will they be allowed to 
or even want to read everything on the computer system being searched. Even so, 
caution is advised, because directory headings and file names may often be 
misleading. 
In addition to searching by file, sub-directory, or directory, the power of the 
computer allows analysts to design a limited search in other ways as well. 
Computer experts can search data for specific names (like names of clients, 
co-conspirators, or victims), words (like "drugs," "tax," or "hacking"), places 
(either geographic locations or electronic ones), or any combination of them. As 
legal researchers know, if the keyword search is well defined, it can be the 
most efficient way to find the needle in the haystack. But unless analysts are 
working from a tip and know how the data is organized, there will probably be 
some trial and error before they can find the key words, names, or places. In 
addition, technical problems may complicate a keyword search. For example, 
encryption, compression, graphics, and certain software formatting schemes may 
leave data difficult to search in this fashion. 
In the list of files contained in a directory or sub-directory, there will be 
other kinds of information that may indicate whether a particular file should be 
searched. The names of files in a directory often carry extensions that indicate 
what sort of file it is or what it does. These file extensions are often 
associated with common applications software, such as spreadsheets (that could 
hold accounting data), databases (that can have client information), word 
processing (which could hold any sort of alphanumeric text), or graphics. There 
will also be a date and time listed for every file created. Although this 
information can easily be altered and may be misleading, in some cases it may 
accurately reflect the last time the file was revised. 
Further, the kind of software found loaded on a computer may reveal how the 
computer has been used. If there is communications software, for example, the 
computer may have been used to send incriminating data to another computer 
system at another location. A modem or other evidence of remote access should 
also tip off the searcher to this possibility, which may expand the 
investigation and create a need for a new warrant. For example, the original 
search may disclose phone bills indicating frequent long-distance calls to one 
particular number. If a call to this number reveals a modem tone, then further 
investigation would be warranted. 
Clearly, the person conducting a computer search should have high-level 
technical skills to ensure success. Moreover, a well-meaning investigator with 
amateur skills could inadvertently, but irretrievably, damage the data. When in 
doubt, rely only on experts. 
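As an added illustration of the points above (a methodical, documented inventory; keyword search; extensions and timestamps that may mislead; compression hiding data from a raw scan), the following Python script is example code written for this page, not part of the DoJ guide. It builds a constructed sample directory, records every file with category, size, modification time and SHA-256, decompresses gzip data before matching keywords, and returns the whole run as one log; the extension table, file contents and keyword are assumptions.

```python
import gzip
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Assumed extension-to-category table, following the guide's examples
# (spreadsheets, databases, word processing, graphics).
EXT_CATEGORIES = {
    ".xls": "spreadsheet", ".csv": "spreadsheet",
    ".dbf": "database", ".db": "database",
    ".doc": "word processing", ".txt": "word processing",
    ".gif": "graphics", ".bmp": "graphics",
}


def sha256_file(path):
    """Hash the file in chunks so the examined copy can later be shown unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Methodical inventory of every file under root. The modification time is
    recorded as a lead only: as the guide warns, it is easily altered."""
    root = Path(root)
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            st = p.stat()
            records.append({
                "path": p.relative_to(root).as_posix(),
                "category": EXT_CATEGORIES.get(p.suffix.lower(), "unknown"),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_file(p),
            })
    return records


def readable_bytes(path):
    """Contents to scan for keywords. Gzip data would hide keywords from a raw
    scan, so it is decompressed first; anything else (including encrypted
    data, which simply yields no hits) is returned as-is."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        try:
            return gzip.decompress(data)
        except (OSError, EOFError):
            return data
    return data


def keyword_search(root, keywords):
    """Case-insensitive keyword count per file, regardless of name or extension."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            text = readable_bytes(p).lower()
            for kw in keywords:
                n = text.count(kw.lower().encode())
                if n:
                    hits.append({"path": p.relative_to(root).as_posix(),
                                 "keyword": kw, "count": n})
    return hits


def build_evidence_dir():
    """Constructed sample data (not real evidence): three files under a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="search_demo_"))
    (root / "accounts").mkdir()
    (root / "accounts" / "clients.csv").write_text("name,balance\nAcme Ltd,1200\n")
    # Misleading name: a .gif extension on gzip-compressed text.
    (root / "photo.gif").write_bytes(gzip.compress(b"memo: wire funds to Acme Ltd"))
    (root / "notes.txt").write_text("nothing relevant here\n")
    return root


def document_search(root, keywords):
    """Inventory first, then search, returned together as the record of the steps taken."""
    return {"root": str(root), "keywords": list(keywords),
            "inventory": inventory(root), "hits": keyword_search(root, keywords)}


if __name__ == "__main__":
    print(json.dumps(document_search(build_evidence_dir(), ["Acme"]), indent=2))
```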

4. Discovering the Unexpected 
a. Items Different from the Description in the Warrant
The Fourth Amendment requires specific descriptions of the places, people, and 
things to be searched as well as the items to be seized. Specificity has two 
aspects--particularity and overbreadth. "Particularity" is about detail: the 
warrant must clearly describe what it seeks. "Breadth" is about scope: the 
warrant cannot include items for which there is no probable cause. Together, the 
particularity and breadth limitations prevent general searches of a person's 
property. Thus, generic classifications in a warrant are acceptable only when a 
more precise description is not possible. In Re Grand Jury Subpoenas, 926 F.2d 
847, 856-7 (9th Cir. 1991). 
Despite defense objections, the court upheld the seizure of computer disks not 
named in the warrant in United States v. Musson, 650 F. Supp. 525, 532 (D. Colo. 
1986). The warrant in that case authorized agents to seize various specific 
records, and the court reasoned that because of the changing technology, the 
government could not necessarily predict what form the records would take. See 
also United States v. Reyes, 798 F.2d 380, 383 (10th Cir. 1986); United States 
v. Lucas, 932 F.2d 1210, 1216 (8th Cir.), cert. denied, 112 S. Ct. 399 (1991). 
In these days, the safest course is always to assume that particular, clearly 
described "records" or "documents" may be in electronic form and to provide for 
this possibility in the warrant. (See "SAMPLE COMPUTER LANGUAGE FOR SEARCH 
WARRANTS," APPENDIX A, 
Other courts, however, have suppressed the results of search warrants which 
broadly covered electronic "records" in form, but were too vague about their 
content. In Application of Lafayette Academy, Inc., 610 F.2d 1 (1st Cir. 1979), 
the court struck a warrant which expressly authorized the seizure of computer 
tapes, disks, operation manuals, tape logs, tape layouts, and tape printouts. 
Although the warrant specified that the items must also be evidence of criminal 
fraud and conspiracy, that limit on content was not sufficiently particular to 
save the evidence. Id. at 3. See also Voss v. Bergsgaard, 774 F.2d 402, 404-5 
(10th Cir. 1985). 

b. Encryption
If agents have authority to search the data in a computer or on a disk and find 
it has been encrypted, how should they proceed--both legally and practically? 
Although an encrypted computer file has been analogized to a locked file cabinet 
(because the owner is attempting to preserve secrecy), it is also analogous to a 
document written in a language which is foreign to the reader. As both of these 
metaphors demonstrate, the authority granted by the warrant to search for and 
seize the encrypted information also brings the implied authority to decrypt: to 
"break the lock" on the cabinet or to "translate" the document. Indeed, a 
warrant to seize a car and its contents implicitly authorizes agents to unlock 
it. 
Of course, the rule may be different if the search is based upon consent. A 
court might well find that a target who has encrypted his data and has not 
disclosed the necessary password has tacitly limited the scope of his consent. 
In that case, the better practice is to ask explicitly for consent to search the 
encrypted material, as well as for the password. If the target refuses, agents 
should obtain a warrant for the encrypted data. 
In United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), the defendant was 
cooperating with the government by giving them drug-dealing information from 
encrypted files in his computer memo book. During one interview, the agent 
learned the defendant's password by standing over his shoulder and watching as 
he typed it. Later, when the defendant stopped cooperating and started 
destroying information in the notebook, the agent seized it and used the 
defendant's password to access the remaining information. The court reasoned 
that the agent's learning the password was like his picking up the key to the 
container. When the defendant withdrew his consent to give more information from 
the memo book, the act which required a warrant was looking inside the 
container--whether locked or unlocked--not the acquisition or even the use of 
the key. If the agent did not have authority to search the data, then knowing 
the password would not confer it. Id. at 1391. Conversely, if the agent does 
have a warrant for the data, she may break the "lock" to search it. For more 
comment on the consent issues in the David case, see the discussion at p. 13. 
As a practical matter, getting past the encryption may not be easy, but there 
are several approaches to try. First of all, the computer crime lab or the 
software manufacturer may be able to assist in decrypting the file. 
Investigators should not be discouraged by claims that the password "can't be 
broken," as this may simply be untrue. Some can be done easily with the right 
software. If that fails, there may be clues to the password in the other 
evidence seized--stray notes on hardware or desks; scribbles in the margins of 
manuals or on the jackets of disks. Agents should consider whether the suspect 
or someone else will provide the password if requested. In some cases, it might 
be appropriate to compel a third party who may know the password (or even the 
suspect) to disclose it by subpoena (with limited immunity, if appropriate). 

c. Deleted Information 



H. DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE 
HARDWARE TO ANOTHER LOCATION 
It is possible for analysts to search for electronic evidence in several places: 
on-site, at an investigative agency field office, or at a laboratory. The key 
decision is whether to search at the scene or somewhere else, since an off-site 
search will require packing and moving the property and may constitute a greater 
intrusion on the property rights of the computer owner/user. In addressing this 
issue, it is necessary to consider many factors such as the volume of evidence, 
the scope of the warrant, and the special problems that may arise when 
attempting to search computers. 
Although it may, practically speaking, be necessary to remove the computer in 
order to search it, that logistical reality does not expand the theoretical 
basis of probable cause. This is a completely separate issue, and agents must 
not write broad warrants simply because, in reality, it will be necessary to 
seize the entire filing cabinet or computer. Rather, they should draft the 
warrant for computer records as specifically as possible (akin to a search 
warrant for papers in a file cabinet) by focusing on the content of the record. 
Then, as a separate logical step, they should address the practical aspects of 
each case: whenever searching data "containers" on site would be unreasonable, 
agents should explain in the affidavit why this is true and ask for permission 
to seize the containers in order to find the relevant documents. (See "DRAFTING 
A WARRANT TO SEIZE INFORMATION: Describing the Items to be Seized," infra p. 
93.) (If the particular computer storage devices which contain the evidence may 
also hold electronic mail protected by 18 U.S.C. § 2701, et seq., see "STORED 
ELECTRONIC COMMUNICATIONS," infra p. 82. If they may contain material covered by 
the Privacy Protection Act, 42 U.S.C. § 2000aa, see "THE PRIVACY PROTECTION 
ACT," infra p. 69.) 

1. Seizing Computers because of the Volume of Evidence 
Since any document search can be a time-consuming process, cases discussing file 
cabinet searches are helpful. Although not technically complex, it can take days 
to search a file cabinet, and courts have sustained off-site searches when they 
are "reasonable under the circumstances." The key issues here are: (1) how 
extensive is the warrant and (2) what type of place is to be searched. 

a. Broad Warrant Authorizes Voluminous Seizure of Documents
In determining whether agents may take documents from the scene for later 
examination, they must consider the scope of the warrant. When the warrant 
directs agents to seize broad categories of records, or even all records 
(because the suspect's business is completely criminal or infected by some 
pervasive, illegal scheme), then it is not difficult to argue all papers and 
storage devices should be seized. In these cases, courts have supported the 
carting off of whole file cabinets containing pounds of unsorted paper. United 
States Postal Service v. C.E.C. Services, 869 F.2d 184, 187 (2d Cir. 1989); 
United States v. Sawyer, 799 F.2d 1494, 1508 (11th Cir. 1986), cert. denied sub 
nom. Leavitt v. United States, 479 U.S. 1069 (1987). "When there is probable 
cause to seize all [items], the warrant may be broad because it is unnecessary 
to distinguish things that may be taken from things that must be left 
undisturbed." United States v. Bentley, 825 F.2d 1104, 1110 (7th Cir.), cert. 
denied, 484 U.S. 901 (1987). In such cases, it is not necessary to carefully 
sort through documents at the scene to insure that the warrant has been properly 
executed. 
This rationale has been extended to computers. In United States v. Henson, 848 
F.2d 1374 (6th Cir. 1988), cert. denied, 488 U.S. 1005 (1989), agents searched 
several used car dealerships for evidence of an interstate odometer rollback 
scheme. The warrant authorized agents to seize, among other things, "modules, 
modems and connectors, computer, computer terminals, hard copy user 
documentation pertaining to files and/or programs, cables, printers, discs, 
floppy discs, tapes, vendor phone numbers, all original and backup tapes and 
discs, any other informational data input, all vendor manuals for hardware and 
software, printouts. . . ." Id. at 1382. The warrant did not require on-site 
sorting, and the defendants later accused agents of going on a "seizing frenzy." 
The court, however, sustained the search, observing that the extensive seizures 
were authorized by the warrant, and the warrant was broad because so was the 
criminality. The court relied on the rule of reasonableness in concluding that 
officers were right not to try to sort through everything at the scene. 
Since the extensive seizure of records was authorized by the terms of the 
warrant, it was inevitable that the officers would seize documents that were not 
relevant to the proceedings at hand. We do not think it is reasonable to have 
required the officers to sift through the large mass of documents and computer 
files found in the Hensons' office, in an effort to segregate those few papers 
that were outside the warrant. 
Id. at 1383-4 (emphasis added). 
Although the Henson defendants argued that agents seized items not covered by 
the warrant, this did not invalidate the search. As noted by the court, 
A search does not become invalid merely because some items not covered by a 
warrant are seized . . . . Absent flagrant disregard for the limitations of a 
search warrant, the items covered by the warrant will be admissible. 
Id. at 1383 (citations omitted). See also United States v. Snow, 919 F.2d 1458, 
1461 (10th Cir. 1990). 
The Eleventh Circuit expressed a similar rule of reasonableness in United States 
v. Wuagneux, 683 F.2d 1343, 1353 (11th Cir. 1982), cert. denied, 464 U.S. 814 
(1983). In Wuagneux, a dozen agents searched the records of a business for a day 
and a half, and seized between 50,000 and 100,000 documents (approximately one 
to two percent of those on the premises). Defendants complained that the agents 
should not have removed whole files or folders in order to take a particular 
document, but the court disagreed: "To require otherwise 'would substantially 
increase the time required to conduct the search, thereby aggravating the 
intrusiveness of the search,'" citing United States v. Beusch, 596 F.2d 871, 
876-7 (9th Cir. 1979). The Eighth Circuit reached the same conclusion in Marvin 
v. United States, 732 F.2d 669 (8th Cir. 1984), where agents searched a clinic 
for financial information related to tax fraud. The agents seized many files 
without examining the contents at the scene, intending to copy and sort them 
later. Although the agents seized some files that were completely outside the 
warrant, the district court's remedy, upheld on appeal, was to order return of 
the irrelevant items. The agents' decision not to comb through all the files at 
the scene, the court noted, was "prompted largely by practical considerations 
and time constraints." Id. at 675. Accord Naugle v. Witney, 755 F. Supp. 1504, 
1516 (D. Utah 1990) (Removing an entire filing cabinet, including items not 
described in the warrant, was reasonable since the alternative would require 
officers to remain on the premises for days, a result less reasonable and more 
intrusive.) 

b. Warrant is Narrowly Drawn but Number of Documents to be Sifted through is Enormous
The more difficult cases are those in which the sought-after evidence is far 
more limited and the description in the warrant is (and should be) more limited 
as well. "When the probable cause covers fewer documents in a system of files, 
the warrant must be more confined and tell the officers how to separate the 
documents to be seized from others." United States v. Bentley, supra, at 1110. 
The problem of the narrowly drawn, tightly focused warrant is illustrated by 
United States v. Tamura, 694 F.2d 591 (9th Cir. 1982). Because agents knew 
exactly what records they sought at a particular business, they were able (and 
it was reasonable for them) to draft the warrant very specifically. But it was 
much easier to describe the records than to find them, especially when the 
company employees refused to help. In the end, the agents simply took all the 
records including eleven boxes of computer printouts, 34 file drawers of 
vouchers, and 17 drawers of cancelled checks. Unlike most other cases that 
address these issues, this court faced a seizure where most of the documents 
taken were outside the warrant. It concluded, therefore, that "the wholesale 
seizure for later detailed examination of records not described in a warrant is 
significantly more intrusive, and has been characterized as 'the kind of 
investigatory dragnet that the Fourth Amendment was designed to prevent.'" Id. 
at 595 (citations omitted). Although the court found reversal was not compelled 
(because the government had been "motivated by considerations of practicality"), 
it also found this a "close case." Their advice for law enforcement is concrete: 

In the comparatively rare instances where documents are so intermingled that 
they cannot feasibly be sorted on site, we suggest that the Government and law 
enforcement officials generally can avoid violating Fourth Amendment rights by 
sealing and holding the documents pending approval by a magistrate of a further 
search, in accordance with the procedures set forth in the American Law 
Institute's Model Code of Pre-Arraignment Procedure. If the need for 
transporting the documents is known to the officers prior to the search, they 
may apply for specific authorization for large scale removal of material, which 
should be granted by the magistrate issuing the warrant only where on-site 
sorting is infeasible and no other practical alternative exists. 
Id. at 595-6 (footnote omitted). 

c. Warrant Executed in the Home
When a search is conducted at a home instead of a business, courts seem more 
understanding of an agent's predilections to seize now and sort later. In United 
States v. Fawole, 785 F.2d 1141, 1144 (4th Cir. 1986), ten agents had searched 
the defendant's home for three and a half hours removing, among other things, 
350 documents. Almost half of those papers were in a briefcase, which the agents 
seized without sorting. Although many things in the briefcase were outside the 
scope of the warrant, the court found that, under the circumstances, the seizure 
did not amount to a general, exploratory rummaging in a person's belongings. 
Even more extensive were the seizures in United States v. Santarelli, 778 F.2d 
609 (11th Cir. 1985). In that case, agents searched the home of a suspected 
loanshark, confiscating the entire contents of a four-drawer file cabinet. In the 
end, they left with eight large boxes of items which they inventoried at the 
local FBI office. When the defendant objected to this process, the court 
strongly disagreed: 
Given the fact that the search warrant entitled the agents to search for 
documents . . . it is clear that the agents were entitled to examine each 
document in the bedroom or in the filing cabinet to determine whether it 
constituted evidence. . . . It follows that Santarelli would have no cause to 
object if the agents had entered his home to examine the documents and remained 
there as long as the search required. The district court estimated that a brief 
examination of each document would have taken several days. Under these 
circumstances, we believe that the agents acted reasonably when they removed the 
documents to another location for subsequent examination. . . . [T]o require an 
on-premises examination under such circumstances would significantly aggravate 
the intrusiveness of the search by prolonging the time the police would be 
required to remain in the home. 
Id. at 615-6 (citations omitted). 


d. Applying Existing Rules to Computers
Clearly, the Tamura court could not have anticipated that the explosion in 
computers would result in the widespread commingling of documents. While 
computers are often set up with directories and subdirectories (much like a file 
cabinet is set up with file folders), many users put data on disks in random 
fashion. Thus, a particular letter or file could be anywhere on a hard disk or 
in a box of floppies. 
Most important, all of the file-cabinet cases discussed above implicitly rely on 
the premise that "documents" are readily accessible and ascertainable items; 
that any agent can find them and (unless the subject is quite technical) can 
read, sort, and copy those covered by warrant. The biggest problem in the paper 
cases is time, the days it takes to do a painstaking job. But computer searches 
have added a formidable new barrier, because searching and seizing are no longer 
as simple as opening a file cabinet drawer. When agents seize data from computer 
storage devices, they will

Source: US DoJ

Copyright © by Computer Forensics World All Right Reserved.

Published on: 2004-08-27 (17490 reads)