Computer Crime Research Center


The Digital Evidence in the Information Era

Date: March 10, 2004
Source: Computer Crime Research Center
By: Judge Mohamed Chawki

...
13. In some cases, the distinction is insignificant, for example when the computer is part of a network. Although "property" is defined in Federal Rule of Criminal Procedure 41(h) to include "documents, books, papers and other tangible objects," (emphasis added), courts have held that intangible property such as information may be seized. In United States v. Villegas, 899 F.2d 1324, 1334-35 (2d Cir.), cert. denied, 498 U.S. 991 (1990), the Second Circuit noted that warrants had been upheld for intangible property such as telephone numbers called from a given phone line and recorded by a pen register, conversations overheard by means of a microphone touching a heating duct, the movement of property as tracked by location-monitoring beepers, and images seized with video cameras and telescopes. The court in Villegas upheld a warrant which authorized agents to search a cocaine factory and covertly take photographs without authorizing the seizure of any tangible objects.

14. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify taking the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme, with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, seizure of the entire system may be proper.

In small desktop situations, investigators should seize the whole system, after requesting authority to do so in the affidavit. Investigators seizing whole systems should justify the seizure by wording their affidavits so as to refer to the computer as a "system" that depends on a particular configuration, so that the "best evidence" is preserved in its original configuration. This can, and often does, include peripherals, components, manuals, and software.

In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis put the rate at 1 megabyte for every 1 hour of investigative work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to examine fully. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.

B: Having a search Warrant

15. As mentioned above, there are some principles that govern the search and seizure of digital evidence. We will present an overview of the U.S. Constitution and other federal laws, as this will help in understanding the general theories governing this subject. The Fourth Amendment provides:

“ The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants[4] shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized ”.

16. The Fourth Amendment is applicable when a "search" and a "seizure" occur, typically in a criminal case, with a subsequent attempt to use judicially what was seized. Whether there was a search and seizure within the meaning of the Amendment, and whether a complainant's interests were constitutionally infringed, will often turn upon consideration of his interest and whether it was officially abused. Its restrictions apply only to agents of the government, such as public employees, public officials, and police officers. A private party cannot violate a suspect's Fourth Amendment rights.

17. In order to search a specific location, a search warrant issued by a "judicial officer" or a "magistrate" should be obtained. Warrants to search computers which contain privileged information must meet the same requirements as warrants to search for and seize paper documents under similar conditions; that is, the warrant should be narrowly drawn to include only the data pertinent to the investigation[5], and that data should be described as specifically as possible. Since a broad search of computers used by confidential fiduciaries (e.g., attorneys or physicians) is likely to uncover personal information about individuals who are unconnected with the investigation, it is important to instruct any assisting forensic computer experts not to examine files about uninvolved third parties any more than absolutely necessary to locate and seize the information described in the warrant. The search warrant may normally authorize the seizure of:
a) contraband;
b) anything which is the fruit of, or has been used in the commission of, any crime;
c) anything other than documents which may constitute evidence of any crime;
d) documents which may constitute evidence of any crime. . .

C: Searching without a search Warrant

18. As already explained, a search without a warrant is per se unreasonable. However, there are some well-defined and well-delineated exceptions to that rule. These exceptions, as recognized by the courts, include:

(1) Consent Search

19. A consent search rests on the voluntary permission of the party who is being searched, or who controls the place or item, given to the officers. In this case, the officers search on the basis of that consent, even if they have no reason to believe that an offense has been committed. The consent must always be voluntary; if it is obtained under threat, duress, or any form of intimidation, it is considered involuntary.

20. Courts have held that the person who gives the consent must have the authority to do so. For example, an employer can give officers consent to search an employee's computer, parents can consent for their young minor children, and one spouse can consent for the other. On the other hand, a landlord cannot give consent to search a tenant's home. The courts normally consider both who gives the consent and the scope of that consent.

(2) Exigent Circumstances[6]

21. The second situation in which a search can be done without a warrant is the case of exigent circumstances. Under the "exigent circumstances" exception to the warrant requirement, agents can search without a warrant if the circumstances would cause a reasonable person to believe it necessary. When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity. If a target's screen is displaying evidence which agents reasonably believe to be in danger, the "exigent circumstances" doctrine would justify downloading the information before obtaining a warrant. For example, agents may know that the incriminating data is not actually stored on the suspect's machine, but is only temporarily on line from a second network storage site in another building, city, or district. Thus, even if the agents could secure the target's computer in front of them, someone could still electronically damage or destroy the data, either from the second computer where it is stored or from a third, unknown site. Of course, when agents know they must search and seize data from two or more computers on a wide-area network, they should, if possible, simultaneously execute separate search warrants.

22. Courts scrutinize claims of exigency; some courts have ruled that exigent circumstances did not exist if the law enforcement officers had time to obtain a warrant by telephone. United States v. Patino, 830 F.2d 1413, 1416 (7th Cir. 1987) (warrantless search not justified when officer had adequate opportunity to obtain telephone warrant during 30-minute wait for backup assistance; not permissible for agents to wait for exigency and then exploit it), cert. denied, 490 U.S. 1069 (1989).

(3) Plain-View search

23. Under this exception, the law enforcement officer is in a place where he or she can observe the evidence in plain view. This normally happens when the officers are searching for particular evidence and come across different evidence. To rely on this exception, the officer must be in a lawful position to observe the evidence, and its incriminating character must be immediately apparent.

(4) Border Searches

24. Law enforcement officers may search computers without a warrant and without probable cause as a condition of crossing the border or its "functional equivalent," for example when determining the contents of international baggage and incoming international mail at the border.

Border searches or international mail searches of diskettes, tapes, computer hard drives (such as those in laptops carried by international travelers), or other media should fall under the same rules which apply to incoming persons, documents, and international mail. On the other hand, this exception does not apply to data transmitted electronically, or by other non-physical means, into the United States from other countries.

D: Seizure of Digital Evidence

25. The way in which digital evidence is seized differs between hardware and software. Investigators used to print the files and copy them onto floppy disks, or to seize all of the computer equipment and access the stored data from another location. Hardware searches are not conceptually difficult; hardware occupies physical space and can be moved in familiar ways. One of the best methods used nowadays is to make a complete, exact bitstream copy of the hard disk before shutting down the computer. These copies are used to reconstruct the suspect disk and analyze it later, while the original is preserved unchanged.
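The following is an added example, not part of Judge Chawki's article, illustrating what a "complete, exact bitstream copy" means in practice and how an examiner shows that the image is faithful: every byte of the source, including regions that no longer belong to any file, is copied in order, and the hash computed while reading the source is compared with the hash of the finished image and with a fresh hash of the source. The sample "disk" below is a constructed file; on a real seizure the source would be a block device opened read-only behind a hardware write blocker, and the imaging tool (dd, dc3dd, FTK Imager and the like) would do the same copy-and-hash at far larger block sizes.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # read in sector-sized blocks; real tools use much larger buffers


def bitstream_copy(src_path, dst_path, block_size=SECTOR):
    """Copy src to dst byte for byte, hashing the bytes as they are read.

    Returns the hex SHA-256 of everything read from the source, which is the
    'acquisition hash' an examiner records at the time of imaging.
    """
    digest = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def sha256_file(path, block_size=SECTOR):
    """Independent hash of a file, used to re-verify source and image."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_sample_disk(path):
    """Constructed stand-in for a small disk (not real evidence):
    a live file, a region whose directory entry was removed but whose bytes
    remain on disk, and zeroed free space."""
    live = b"LIVE:invoice.txt:" + b"A" * 500
    deleted = b"DELETED:ledger.xls:" + b"B" * 700
    free = b"\x00" * 1024
    with open(path, "wb") as f:
        f.write(live + deleted + free)
    return len(live) + len(deleted) + len(free)


def image_and_verify(src_path, img_path):
    """Image src and confirm (1) the image hashes to the acquisition hash and
    (2) the source still hashes the same, i.e. imaging did not alter it."""
    acquisition = bitstream_copy(src_path, img_path)
    image = sha256_file(img_path)
    source_after = sha256_file(src_path)
    return {
        "acquisition": acquisition,
        "image": image,
        "source_after": source_after,
        "verified": acquisition == image == source_after,
        "size_match": os.path.getsize(src_path) == os.path.getsize(img_path),
    }


def image_matches(img_path, recorded_hash):
    """Later re-verification: does the image still match the recorded hash?"""
    return sha256_file(img_path) == recorded_hash


def demo():
    """Image a constructed disk, verify it, show that 'deleted' bytes are in the
    image, and show that a single altered byte breaks verification."""
    with tempfile.TemporaryDirectory() as workdir:
        disk = os.path.join(workdir, "suspect.raw")
        img = os.path.join(workdir, "suspect.img")
        make_sample_disk(disk)
        result = image_and_verify(disk, img)

        with open(img, "rb") as f:
            image_bytes = f.read()
        result["deleted_data_present"] = b"DELETED:ledger.xls" in image_bytes

        # Flip one byte inside the free-space region and re-verify: a
        # bit-for-bit copy must fail verification on any change at all.
        tampered = bytearray(image_bytes)
        tampered[-1] ^= 0x01
        with open(img, "wb") as f:
            f.write(tampered)
        result["tampered_still_matches"] = image_matches(img, result["acquisition"])
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three hashes are deliberately computed by three separate reads rather than reusing one value: the acquisition hash proves what the examiner read, the image hash proves what was written, and the post-imaging source hash proves the original was not changed by the process. Recording all three, with the image size, is what allows the copy to be substituted for the original in later analysis.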

26. Searches for data and software are far more complex, especially with regard to acceptance by the court. Before the Supreme Court's rejection of the "mere evidence" rule in Warden v. Hayden, 387 U.S. 294, 300-301 (1967), courts were inconsistent in ruling whether records that helped to connect the...



2005-11-30 23:14:28 - i think you should have cases in which... anonamous
Copyright © 2001-2013 Computer Crime Research Center