Digital Device Searches


1 Digital Device Searches
A digital device search is an examination of data stored on a device that uses a computer or microcontroller to record information.

2 Digital Device Searches
What do they include? Digital devices may include cell phones, tablets, laptops, desktop computers, and medical devices like pacemakers, hearing aids, heart-rate monitors, smartwatches, and smart meters.

3 Cloud Searches
Digital device searches may sometimes involve cloud searches, where the device is used as a portal for examining digital information and media stored outside the device itself, on remote servers known as the “cloud.”

4 How do they work?
Digital device searches (DDS) may be performed:
Manually – by looking through data on the device as a user would
Forensically – with assistance from other computers or software
Hybrid – using some combination of a manual and forensic search

Imaging – where law enforcement physically seizes a device for search and makes a complete digital copy or “image” of the entirety of its contents onto a separate external medium such as a hard drive
Forensic Analysis – where the government uses advanced forensic software to analyze the digital copy of the device contents, expanding its search and analysis capabilities and often allowing it to view deleted data that the software on the device itself wouldn’t be capable of displaying

5 What do the cops do?
The DOJ’s Manual for Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations sets forth a 2-step process for digital device searches:
The “imaging” – where law enforcement makes a complete digital copy of all info on the device
The “analysis” – where govt uses forensic software to examine the digital copy, allowing it to organize, methodically search, and view data, including data the user may have believed was deleted

6 What do the Cops Know?
Review govt training materials:
2009 – DOJ CCIPS Criminal Division Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.
DOJ Guide on Admitting Electronic Evidence from 2011.

7 What do the Cops Know?
1994 – NIJ Special Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. The report guides law enforcement agents on how to properly handle and secure digital evidence during criminal investigations, along with suggestions on proper policies and procedures that law enforcement departments can adopt.
1994 – NIJ Special Report: Electronic Crime Scene Investigation: A Guide for First Responders. This report guides law enforcement and other first responders who may be responsible for preserving an electronic crime scene and for recognizing, collecting, and safeguarding digital evidence.

8 Data Extraction Programs
What do the Cops Use?
Police use a variety of extraction programs like: Cellebrite, Secureview, Oxygen, FTK Imager, Encase.
Police use a variety of forensic extraction programs that have the capacity to collect metadata and content, help bypass encryption, classify images, restore deleted data, track GPS locations over time, search for specific keywords, and map relationships.

9 Data Extraction Programs
What do the Cops Get?
These extraction programs have the capacity to: collect metadata and content, help bypass encryption, classify images, restore deleted data, track GPS locations over time, search for specific keywords, and map relationships.
Metadata – info that relates to a piece of data
Content – the substance of the data or electronic communication

10 What to look for?
Seizure of your client’s cell phone or other digital device, production of your client’s digital information, and no subpoenas or warrants directed at third party service providers. Devices include, but are not limited to, iPhones, Android phones, Apple Watches, Fitbit devices, iPads and tablets, and home assistants like the Amazon Echo and Google Home.
Any mention of digital forensics software, like Cellebrite, Secureview, Oxygen, FTK Imager, Encase, MSAB XRY, or E-fense Helix3, or of “images” or “copies” of device contents.
Any mention of bypassed digital security, encryption, or passwords, or attempts to bypass these security features.

11 DDS Case Highlights
Riley v. CA, 134 S.Ct. 2473, 2493 (2014) – digital device searches require a warrant, even incident to arrest
US v. Griffith, 867 F.3d 1265, (D.C. Cir. 2017) – threshold factors for device seizure
U.S. v. Comprehensive Drug Testing, Inc (CDT), 621 F.3d 1162, 1180 (9th Cir ) – judicial oversight
Review our digital device search case inventory at

12 Best Practices for Judicial Oversight
Govt must waive reliance on the plain view doctrine
Forensic analysis should be done by an independent third party
Govt must disclose actual risks of destruction & other avenues of access
Search protocol must be designed to seize only info for which govt has PC
Govt must destroy or return non-responsive data
Time limit for device search execution
See U.S. v. Comprehensive Drug Testing, Inc (CDT), 621 F.3d 1162, 1180 (9th Cir. 2010)

13 How do I challenge DDS?
Advocate for ex-ante search protocol limits, such as:
1. Keywords
2. Date range
3. Time range
4. Specific user account
5. Specific application
6. Communications to/from specific actors
7. File type
8. File size

14 How do I challenge DDS?
File a motion to suppress.
For warrantless device searches per Riley.
Even if a SW was obtained beforehand, there may still be grounds for suppression:
Failure to Authorize Search (v. Seizure)
Lack of Specificity/Particularity
Lack of Probable Cause
Overbreadth
Flagrant Disregard
Most affidavits submitted in support of a search warrant for a digital device or cloud storage platform are often boilerplate and lacking in specificity and particularity. Some do not even show a nexus between the device seized and the specific incident being investigated.

15 Lack of Specificity/Particularity
SW should be as specific as possible about the files to be searched and the locations on a device where those files are likely to be found.
Where the govt uses the device to access content stored remotely in the cloud, object if remote data is not specifically mentioned in the SW or isn’t within the scope of PC articulated.

16 Lack of Probable Cause
IP address alone ≠ PC
Membership in or attempt to access an online group suspected of illegal conduct alone ≠ PC
No Nexus between device and suspect or incident
Search exceeds Scope of SW

17 Overbreadth Object to overbroad seizure of:
“any and all” devices
“including, but not limited to” language
Object to initial seizure of device where govt fails to satisfy threshold factors from US v. Griffith:
That client owns, uses or possesses a device
That device will be found at a particular place at a particular time (like client’s home)
That device contains incriminating evidence about the suspected offense
US v. Griffith, 867 F.3d 1265, (D.C. Cir. 2017)

18 How do I challenge DDS?
Refer to more privacy-protective state laws.
California’s CalECPA requires:
a search warrant (CA Penal Code §§ ) before obtaining content or location info
notice to the target (CA Penal Code §§ )
statutory suppression (CA Penal Code §§ , ) for violation of the state’s warrant requirement.

19 How do I challenge DDS?
You can learn more about CalECPA by going through this Prezi presentation:
And for a peek at what California police are being told about CalECPA, take a look at this CA Peace Officers’ Association Fact Sheet on CalECPA.

20 Digital Device Searches
Where do I learn more? Visit:

21 Stephanie Lacambra Criminal Defense Staff Attorney 415-436-9333 x130

