Searching and Seizing -- Warrants and Evidence 1 Computer Forensics BACS 371 1 Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal.

1 Searching and Seizing -- Warrants and Evidence 1
Computer Forensics BACS 371
1 Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, USDOJ/NIJ, Sections II and V, http://www.cybercrime.gov/s&smanual2002.pdf

2 Fundamentals of Warrants
- Must Describe
  - Probable cause
    - A reasonable belief that a person has committed a crime
  - Place to be searched, things to be seized
    - Limited right to violate a person’s privacy

3 Four Steps for Successful Search and Seizure
1. Assemble a team consisting of the case agent, the prosecutor, and a technical expert as far in advance as possible
2. Learn as much as possible about the computer system that will be searched before devising a search strategy or drafting the warrant
3. Formulate a strategy for conducting the search (including a backup plan) based on the known information about the targeted computer system
4. Draft the warrant, taking special care to describe the object of the search and the property to be seized accurately and particularly, and explain the possible search strategies in the supporting affidavit

4 Basic Search Strategies
1. Search the computer and print out a hard copy of particular files at that time
2. Search the computer and make an electronic copy of particular files at that time
3. Create a duplicate electronic copy of the entire storage device on-site, and then later recreate a working copy of the storage device off-site for review
4. Seize the equipment, remove it from the premises, and review its contents off-site

5 When to Seize
- Seize if…
  - The hardware is itself evidence, an instrumentality, contraband, or a fruit of the crime
  - But… When the hardware is not a stand-alone PC but part of a complicated network, and collateral damage to a legitimate business could result, may not want to seize
- Generally, do not seize if…
  - The hardware is merely a storage device for evidence
  - But… Property used to commit an offense involving obscene material may be forfeited

6 Other Reasons to Seize
- Seize only if a less intrusive alternative is infeasible
- If agents suspect evidence is mislabeled, encrypted, stored in hidden directories, embedded in slack space, …
- Uncommon Operating System
- Suspected “booby traps”
- Generally, pursue the quickest, least intrusive, and most direct search strategy consistent with securing evidence described in warrant

7 Privacy Protection Act (PPA)
- Matters when search may result in seizure of 1st Amendment materials (publishing, …)
- “Congress probably intended the PPA to apply only when law enforcement intentionally targeted First Amendment material that related to a crime.”
- Incidental seizure of PPA-protected material commingled on a suspect’s computer with evidence of a crime does not give rise to PPA liability.
- However, subsequent search of such material was probably forbidden

8 Electronic Communications Privacy Act (ECPA)
- Governs law enforcement access to contents of electronic communications stored by third party service providers
- Prohibits unauthorized access to electronic or wire communications in “electronic storage”
- ECPA is implicated only when law enforcement does not obtain a search warrant
- Ordinarily served like subpoenas: Investigators transmit request for information to service providers

9 Other Warrant Issues
- Multiple Warrants for Network Searches
- No-Knock Warrants
- Sneak-and-Peek Warrants
- Privileged Documents

10 Drafting Warrant and Affidavit
- Affidavit
  - A sworn statement that explains the basis for the affiant’s belief that the search is justified by probable cause
- Warrant
  - Typically a one-page form, plus attachments, that describes the place to be searched, and the persons or things to be seized
- Warrant must be executed within 10 days

11 Drafting the Warrant and Affidavit
1. Accurately and Particularly Describe the Property to be Seized in the Warrant
  - Specific enough to separate cited items from irrelevant ones
  - Not so broad as to include items which should not be seized
  - Hardware vs. Information
2. Establish Probable Cause in the Affidavit
  - A fair probability that contraband or evidence of crime will be found in the particular place to be searched
3. In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy

12 Sample Warrant
- All records relating to violations of 21 U.S.C. § 841 (a) (drug trafficking) and/or 21 U.S.C. § 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996, including lists of customers and related identifying information; types, amounts, and prices of drugs trafficked as well as dates, places, and amounts of specific transactions; any information related to sources of narcotic drugs (including names, addresses, phone numbers, or any other identifying information); any information recording [the suspect's] schedule or travel from 1995 to the present; all bank records, checks, credit card bills, account information, and other financial records.
- The terms "records" and "information" include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored, including any electrical, electronic, or magnetic form (such as any information on an electronic or magnetic storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs, optical discs, backup tapes, printer buffers, smart cards, USB storage devices, memory calculators, pagers, personal digital assistants such as Palm Pilot computers, as well as printouts or readouts from any magnetic storage device); any handmade form (such as writing, drawing, painting); any mechanical form (such as printing or typing); and any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies).

13 Evidence
- Potential Hearsay
  - “The hearsay rules exist to prevent unreliable out-of-court statements by human declarants from improperly influencing the outcomes of trials.”
  - Records containing only computer-generated data untouched by human hands cannot contain hearsay
- Authentication
  - Must offer evidence “to support a finding that the [computer record or other evidence] in question is what its proponent claims.”
  - Circumstantial evidence generally provides the key to establishing the authorship and authenticity of a computer record
- Best Evidence
  - “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”

