Chapter 9 Seizure of Digital Evidence Chapter Outline I. Introduction A. The Fourth Amendment to the United States Constitution remains the focus of consideration when it comes to determining the admissibility of evidence from high- technology crimes. II. The Search Warrant Requirements A. The Fourth Amendment’s protections against unreasonable searches and seizures are designed to protect citizens from aggressive, overreaching, and inappropriate seizures of information and property, including personal computers and Internet Service Providers. B. According to Orin Kerr of the Computer Crime Intellectual Property Section of the U.S. Justice Department, the best definition of “unreasonable” requires that for a search to be reasonable you need one thing—a properly drafted search warrant that satisfies the requirements of particularity and scope pertaining to the items to be seized. C. There have been few decisions to address the issue when it comes to digital evidence, and the few court decisions that have been provided are from the various lower courts and not from the Supreme Court. D. It is recommended that any search warrant involving the seizure of digital evidence be as thorough as possible, and the Fourth Amendment requires a complete analysis and description of the place (or places) to be searched by law enforcement officials. 1. If an individual is using a computer in the commission of a criminal activity, then there is the possibility that any or all of these devices may be employed in the criminal activity. 2. What information should law enforcement officers include in their request for a search warrant? a. United States v. Hunter (1998)—An officer’s failure to list specifically all digital evidence that could be encountered at a crime scene resulted in a search warrant that was overly broad and allowed for officers to engage in what is often referred to as a “fishing expedition,” wherein officers broadly write the warrant and seize as much as possible in hopes of finding incriminating evidence. i. Many manuals or training materials relating to the handling of digital evidence recommend that the proper means of avoiding this problem is to include as many items as possible as well as the following phrase: “including but not limited to,” but at least one court has ruled against the use of this phrasing. ii. Matter of Search Warrant for K-Sports Imports, Inc. (1995)—The use of the phrase “including but not limited to” resulted in the search warrant’s violating the particularity requirement of the Fourth Amendment. iii. Other courts have upheld search warrants that did not specifically list all potential computer-related evidence. 1. United States v. Upham (1999)—The court held that a search warrant calling for the seizure of all computer-related devices was sufficient because such a search would be necessary to ensure that all evidence was properly collected. 2. United States v. Graziano (2008—A search of a computer was found to be valid after the search warrant indicated gambling records could be either paper or electronic. 3. United States v. Alexander (2009)—The court held that a search of a computer was acceptable even though the search warrant did not list all computer-related storage media. iv. As the law stands today, it may still be in the best interest of law enforcement officers to list all possible sources of digital evidence and then include a statement concerning how digital evidence may take many forms and there is the potential that the suspect may have additional pieces of technology that were not included. E. One final issue that must be considered when examining the search warrant requirement is the judge’s level of understanding. i. It is important that law enforcement officers who request a search warrant ensure that the signing judge understands what is being seized, and this can be accomplished by carrying a pocket dictionary of computer terms. ii. Officers who encounter judges who are not familiar with the latest technological terminology may also find salvation through the good faith clause of the exclusionary rule. 1. This requires that officers prove that they acted upon what they thought to be a valid warrant 2. Proving this may require extra effort that could be avoided through use of the dictionary and planning on the front end of the search. III. Preplanning Associated with the Search Warrant A. Search warrants involving digital evidence and computer technology require specific planning. B. Because there are numerous types of digital evidence that could be desirable evidence, and each may require separate seizure techniques, it is important that all possible seizure scenarios be considered. C. Another consideration is the number of computers located at the site upon which the search warrant is to be executed. 1. Many times more than one computer will be seized at a time and because each computer on the scene may be running and occupied by a user, law enforcement personnel must take into consideration several additional factors that govern the seizure of these devices. a. If there is no plan in place for this scenario, then evidence could be destroyed by personnel onsite before the computer can be seized. D. The issue of operating systems in use by the computers is an important consideration. 1. The determination of which operating systems the computers are running will guide the investigator’s decisions in regard to powering down the computer before disassembly. E. Another consideration for investigators is whether the actions of their search warrant will affect any federal legislation. 1. The Electronics Communication Privacy Act (ECPA) of 1986 a. Regulates the amount of information that law enforcement officers may obtain with certain levels of service. b. An officer needs the following level of service to obtain information about a potential suspect under the ECPA: i. Subpoena—basic subscriber information ii. Court order—transactional information iii. Search warrant—the actual content of e-mail messages. 2. The Privacy Protection Act (PPA) a. Originally drafted to protect those who publish books, magazines, etc. from having their materials confiscated and released by law enforcement officers before they are made available to the public. b. Today, it is believed by some that the provisions of the Privacy Protection Act may be interpreted to include individuals who write web pages or conduct other web page design work. F. Investigators must next consider whether there is the presence of a computer network in the building in which they are executing the search warrant. 1. The presence of a computer network invokes an additional consideration as to where the data is actually being stored because files may be stored on another computer that is generally considered a server. 2. The presence of servers can be both a positive and a negative event in the investigation of a computer-related crime. a. Positive—Many times there are daily, weekly, or monthly backups created for files stored on the servers, which can help investigators find copies of evidence that was destroyed. b. Negative—The server may not be included in the warrant or may be located off-site. 3. A search warrant for computer-related evidence may not include the server in its description of evidence allowed to be seized if investigators are not aware of the presence of an off-site server, and the investigators will be forced to obtain a new search warrant before seizing the server. IV. Planning for the Seizure of Electronic Communications A. ECPA regulates the information about an electronic message’s owner, as well as information relating to the actual electronic communication. 1. Designed to protect communications that are sent via electronic methods such as e-mail, wireless telephones, and similar devices. 2. The ECPA provides for three levels of service: a. The subpoena —Can be used to obtain basic subscriber information such as name, address, local and long-distance telephone connection records, session times and duration, length of service, types of services used, telephone number or IP address, sources of payment (to include bank account or credit card information), and the content of e-mails that are older than 180 days and have been previously opened by the owner. b. The court order (aka 2703d court order or articulable facts order)—Can be used to obtain information such as past audit trail information and addresses of past e-mail correspondents; addresses of past e-mail correspondents is of benefit to investigators to determine how many individuals in the public could have been exposed to the individual’s behavior. c. The search warrant—Needed to seize e-mails that are less than 180 days old and are stored on the Internet Service Provider’s web server. d. Each level of process supersedes the lower level, which means that the court order will not only allow for the collection of information requiring a court order but also information that would be obtainable through a subpoena. e. The search warrant, while allowing for the collection of the most evidence, is also the hardest level of service to obtain; to obtain a search warrant it is necessary for the investigator to complete a statement of the facts that shows that a crime has been committed, that the individual who owns the account is linked to the crime, and that the electronic account contains information relevant to the investigation of the case. f. Prior to submitting the subpoena, court order, or search warrant, it is customary for investigators to submit a request for the preservation of evidence. i. This informs the Internet Service Provider that one of their customers is under investigation and that all materials relating to the account should be preserved until a reasonable effort can be