Chapter 10 Executing a Search Warrant for Digital Evidence Chapter Outline I. Once a search warrant is signed and the pre-planning phase is over, the planning for the actual seizure can...


It must be at least 200 words for each posting.

You must enter at least 1 posting about interesting topics studied in this chapter.







Execution of Search Warrants Discussion Forum



Read the attached file.




Chapter 10 Executing a Search Warrant for Digital Evidence

Chapter Outline

I. Once a search warrant is signed and the pre-planning phase is over, the planning for the actual seizure can begin.
II. Investigators not familiar with computers seek out the assistance of someone who is familiar with the latest in technology.
    A. Local computer experts.
    B. Colleges and universities’ computer sciences departments.
III. Properly powering down a computer and packaging the various components of the computer system is as important to the successful prosecution of a case as are the other stages of the criminal investigation.

I. The Steps of Executing a Search Warrant for Digital Evidence
    A. Step One: Removing the Suspects from the Computer
        1. Executing a search warrant for digital evidence is much like executing a search warrant for any other contraband evidence.
        2. There is a greater potential for the suspect to damage or completely destroy any evidence when it is digital in nature.
            a. Computers that are powered on can allow the suspect to use a variety of software programs that will either encrypt evidence or destroy evidence.
            b. Like any emergency preparedness plan, the best plans for handling digital evidence are always prepared with the idea that such programs will be encountered during the collection of digital evidence.
        3. Some have questioned whether “no-knock search warrants” should be obtained when executing a warrant for digital evidence, but it is hard to meet the criteria of officer safety for such a warrant.
        4. There are two methods by which one could remove a suspect from a computer:
            a. By asking the individual to shake your hand and preventing them from returning to the computer.
            b. Through the use of physical force.
        5. It is very important that the suspect not be allowed to return to the computer for any reason.
    B. Step Two: Securing the Scene
        1. From the instant the suspect is removed from the computer, the focus should be securing the scene and beginning the process of documenting the crime scene.
        2. Photographs may become an important part of the case later on should the suspect decide to pursue a jury trial.
            a. It is recommended that personnel use a digital camera to take these pictures.
                i. Saves money because there is no need to buy film.
                ii. Allows investigators to ensure good usable images while on the scene.
        3. One technique that has become much more commonly encountered as video cameras have dropped in price is the use of a digital camera to record the entire search.
            a. Useful should the suspect attempt to claim that the digital evidence was planted by law enforcement officers.
            b. Allows for a more thorough documentation process.
                i. Can provide a 360-degree view of the suspect’s computer(s).
                ii. Can provide a view of any peripherals attached to the computer(s).
        4. It is important to take pictures of the suspect’s computer(s) at the time the search warrant is executed.
            a. Allows investigators to go back later and document exactly what programs were operational at the time of its seizure.
            b. Used to counter a suspect’s argument that they were not engaged in a particular activity.
        5. In most cases it is also recommended that the photographer obtain a picture of the time stamp located at the bottom right-hand side of most computer screens.
            a. Can be used in cases in which multiple people have access to the machine to determine who was using the computer at the time of the illegal activity.
            b. It is also recommended that investigators make note as to whether the time is correct, so that if the time is incorrect, forensic analysis can reconcile any activity logs.
        6. Investigators must be sure to provide a brief training session with any individuals who will be assisting with the search who may have limited experience executing search warrants so that evidence is collected properly.
    C. Step Three: Disconnect any Outside Control Possibilities
        1. When locating network connections within the residence, it should be noted that wireless networks are more than likely to be encountered.
            a. These wireless networks can be problematic in that there is a need to immediately shut off any network connections in order to remove the possibility of someone outside of the residence damaging potential evidence.
            b. An investigator should familiarize himself/herself with the latest wireless routers prior to executing a search warrant.
            c. Network detector programs (such as those found in cellular telephones) can be used to detect the presence of wireless networks.
        2. There is a chance that an investigator will also encounter a computer connected to the Internet via a telephone line.
        3. Regardless of whether the Internet connection is via a narrowband or broadband connection, an investigator should disconnect the Internet connection as soon as possible.
        4. Investigators should be aware that there is a possibility that the network is not connected via the connection closest to the computer.
        5. Following the terrorist attacks of September 11, 2001, there was a movement among some companies to allow evidence to be stored at a location different than where the computer normally operates such as:
            a. Data storage services
            b. Intra-company networks
            c. Data hosting services
            d. This means that the digital evidence an investigator is searching for may be stored on a computer across the street, across the city, or across the country.
            e. Digital evidence that the investigator is searching for can be stored on a computer across the street, the city, or the country.
            f. In ideal scenarios investigators would have knowledge of such off-site storage of data prior to the development of the search warrant.
                i. If such information is not available, then there will still likely be some evidence on the seized computer showing where the data is stored.
        6. Before disconnecting a computer from the Internet or network, the investigator should look for the presence of active downloads.
            a. An investigator may make the decision to photograph or video record the screen of the computer and include notations concerning any programs or files that are currently downloading or recently downloaded.
            b. Investigators must be aware of the fact that any utilities running can be minimized at the bottom of the screen, and if the decision is made to maximize the screen, the investigator must ensure that his or her actions are recorded in the search log; if possible, the entire process should be videotaped.
    D. Step Four: Powering Down the Computer
        1. An investigator executing a search warrant for computer-related evidence will have to consider which operating system, and version of the software, the user is running on the computer.
            a. Version and brand will determine the proper method of powering down the computer.
                i. Using the operating system’s shutdown features
                ii. Unplugging the power cable from the back of the computer
            b. Pulling the plug from the back of the computer is considered the most effective means of properly powering down the computer.
                i. This prevents any malicious software or code launching when the computer is shut down.
                ii. There are software programs available that begin formatting a computer’s hard drive if proper shut-down protocols are not adhered to, but the use of such programs is rare.
        2. Before a decision is made to power down the computer, it is important to examine the computer to determine whether there are any programs running on the computer, because potential evidence could be damaged.
            a. This requires familiarity with the various operating systems, which helps an investigator determine whether there are any files open and stored in the computer’s Random Access Memory (RAM).
                i. Data that is stored in RAM memory will be lost when the computer is powered down, and such data is not normally recoverable.
                ii. If programs are found, the decision to save the file or shut down the computer and lose data can be made.
        3. Microsoft Windows operating system is likely to be the most commonly encountered operating system.
            a. Software programs and files that are open and running can be located by looking at the bottom of the computer screen.
            b. An investigator who chooses to save a copy of the file should ensure that the file’s name is one that they can easily remember and one that can easily be explained to a judge and a jury should the need arise.
                i. A note in the search log should be made of the file name selected, as well as the time the file was discovered and the time the file was saved to the external drive to prevent the corruption of evidence stored somewhere else on the suspect’s hard disk.
        4. If the suspect is running a version of Linux, then the method of determining whether there are files running in RAM may be different.
            a. Recently there have been Windows emulators (sometimes referred to as WINE) that
Answered 1 days After Nov 07, 2022


Shubham answered on Nov 09 2022
51 Votes
POSTING
Disassembling the computer is an interesting topic and it can help in identifying the problem and it includes procedures that can help the investigator in reassembling the computer again. It is recommended that every cord of the device is labelled when it is unplugged from the back of the computer system. The investigator has the responsibility for tapping and labelling the cord when not in use. After the computer system...