Constitutional Amendments Related to Forensics

Computer Forensics
BACS 371
Constitutional Amendments & Digital Forensics

Topic Outline
- 1st, 4th, 5th, and 14th Amendments
- Probable Cause
- Search & Seizure
- 4th Amendment Exceptions
- Warrants
- Subpoenas

Constitutional Amendments
- The U.S. Constitution was originally ratified with 10 Amendments, now called “The Bill of Rights”.
- The 4 Amendments that most closely relate to digital forensics are:
  - 1st Amendment – Freedom of religion, speech, & press
  - 4th Amendment – Protection against search & seizure
  - 5th Amendment – Self incrimination, due process
  - 14th Amendment – Equal protection, due process

Constitutional Amendments
1st Amendment
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.”

Forensics and the 1st Amendment
- Privileged information and obscenity/child pornography are the main forensic concerns that the 1st Amendment embodies.
- Search warrants are not generally issued for anything that falls under the current definition of “the press.”
- Subpoenas can be obtained for specific information held by a “press” entity.
- There is some dispute as to whether an ISP is a provider of information or a medium of transport.

Constitutional Amendments
4th Amendment
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Forensics and the 4th Amendment
Key forensic impact includes:
- “Reasonable” search and seizure
- Warrants
- Probable cause
- Places to be searched
- Things to be seized
~Details on this later in the presentation~

Constitutional Amendments
5th Amendment
"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."

Forensics and the 5th Amendment
- Protects the right to “due process of law” at federal level
- Protects against testifying against yourself (“self incrimination”)
- Forcing someone to give up a password (for encryption or login purposes) can be considered as forcing them to testify against themselves.
- You can, however, require them to provide fingerprints, retina scans, or voice samples, which, if used to protect a system, would make evidence available for search.

Constitutional Amendments
14th Amendment
“Section 1. All persons born or naturalized in the United States and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.”

Forensics and the 14th Amendment
- Amendment was created primarily in response to the Civil War
- Reinforces the concept of “due process of law” (this time at state level)
- Makes most of the original Bill of Rights also apply to the states. Prior to this, it was technically only applicable at the federal level.

Constitutional Amendments
The 4th Amendment deserves special attention as it relates to digital forensics.
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

4th Amendment to U.S. Constitution
- It does not specify citizens of the U.S. It says “people”; consequently, anyone physically in the boundaries of the country has this protection.
- It includes corporations (since they are treated as people legally).
- It does not apply to foreign nationals within the boundary of their own country.
- It only applies to searches conducted by the government, not private individuals.
- Has been interpreted as protecting people, not places.
- Only applies in situations where a person has a “reasonable expectation of privacy.”

Key Components to 4th Amendment
1. Reasonable search and seizure
2. Probable cause
3. The place to be searched
4. The things to be seized
Each of these has very specific legal meaning and a good deal of historical case law to back them up.

Notes on Key Components
- The right to be secure is not unlimited. The government has the right to perform searches and seize items if it is “reasonable”. What is “reasonable” is viewed in the totality of the circumstances.
- A “search” and a “seizure” are 2 separate things.
  - “Search” is an infringement of a person’s privacy (including tangible and intangible).
  - “Seizure” is the legal act of taking something that could constitute evidence. Can be tangible (e.g., computer) or intangible (e.g., digital artifacts). (Electronic surveillance within a search has been deemed the seizure of words.)

Notes on Key Components cont.
- Any evidence collected by illegal search is normally inadmissible (so-called “fruits of the poisonous tree”). This is to discourage overly aggressive search and seizure.
- Probable cause is the reasonable belief that a crime has been, is being, or is about to be committed. This belief must be reliable and reasonable enough to convince a judge, court commissioner, or magistrate that it is valid.
- Probable cause information is detailed in a written affidavit. It must be sworn to in front of somebody who has the power to give oaths or affirmations. (Oaths invoke “God” as a witness while affirmations do not.)
- Extreme details about where to search and what to look for are contained in the affidavit. This poses some problems when trying to get digital data.

Key Exceptions to the 4th Amendment
The 4th Amendment is not absolute. There are several exceptions where search can take place without a warrant.
- No “reasonable expectation of privacy”
- Consent
- Plain view
- Search incident to a lawful arrest
- Exigent Circumstances
- Workplace searches
- Inventory searches
- Border searches

No Expectation of Privacy Exception
- Katz v. United States (1967). Case that reexamined what “reasonable expectation of privacy” means.
- Case dealt with recordings made in a public phone booth.
- Ruling stated that going into a phone booth and closing the door gave one the expectation of privacy.
- Inverse of this ruling is that statements made in a public forum (e.g., Internet, Facebook) do not have the expectation of privacy.

Consent Exception
If you give permission, no warrant is necessary. At any time, consent can be revoked.
- Consent must be given knowingly and voluntarily.
- The scope must be understood based upon what a “typical reasonable person” would understand it to be.
- The more specific and detailed the request for consent, the better.
- If necessary to remove computer from its original location, you also need consent to seize.
- While not required, consent in writing is best and should notify party how to revoke consent.
- When joint ownership occurs, all must agree (applies to computer with multiple sign-ons).

Plain View Exception
- Apparent evidence in plain view can be seized without a warrant.
- The officer must be in the area legally.
- Computers with visible contraband showing can be seized without a warrant (but you can’t open any files manually to look for more without a warrant).
- Observations of potential evidence on the Internet are public domain and may be “searched” and “seized” without a warrant.

Lawful Arrest Exception
- Incident to a lawful arrest, officers are permitted to conduct a full search of a person’s person and the area immediately under their control.
- The limited area is called the “lunge-reach-rule” and extends to the distance a person could lunge to reach a weapon or destroy evidence.
- The search must be contemporaneous to the lawful arrest.
- It is “reasonable” to search a pager at arrest time. No formal rules for PDAs or cell phones (yet). So, you still need a warrant for these devices.

Exigent Circumstances Exception
- Exigent (that is, emergency) circumstances can allow a warrantless search if the officer believes that physical harm could come to someone or evidence will be destroyed.
- Frequently applies to computer equipment because it is easy to destroy.
- If the officer believes that the delay needed to get the warrant will allow the evidence to be destroyed, this rule can be used.

Workplace Search Exception
- Law Enforcement personnel may search without a warrant with consent of the business in the workplace.
- 3rd party searches can be re-created for law enforcement (but not go beyond original search). If the 3rd party acts under the instruction of the officer, they become an “agent” of the government and have to follow the standard search rules.
- Work computers can usually be searched without a warrant if there is implied consent and no expectation of privacy.
- The extent of private sector search is determined by the expectation of privacy within the work environment.

Official Banners Eliminate Reasonable Expectation of Privacy

Inventory Search Exception
- Routine collection of personal effects for inventory purposes does not require a warrant.
- If obvious contraband is found, it can be seized.
- Locked containers may not be searched for evidence without a warrant.
- Electronic media discovered during an inventory search cannot be accessed without a search warrant.

Border Search Exception
- Allows searches and seizures at international borders and their functional equivalent without a warrant or probable cause.
- The expectation of privacy is less at the border than in the interior of the country.
- Consequently, the balance between the interests of the Government and the privacy right of the individual is weighted much more favorably to the Government at the border.

Search Warrants

Fundamentals of Warrants
- In cases where there is no 4th Amendment exception, a search warrant is generally needed to perform a legal search.
- Search Warrant – An order issued by a judge giving government officials express permission to enter an area and search for specific evidence pertaining to a specific crime.

Fundamentals of Warrants
Warrants Must Describe:
- Probable cause
  - A reasonable belief that a person has committed a crime (affidavit required)
- Places to be searched, things to be seized
  - This must be specified in detail
- Gives government official the limited right to violate a person’s privacy

Drafting Warrant and Affidavit
- Affidavit
  - A sworn statement that explains the basis for the affiant’s belief that the search is justified by probable cause
- Warrant
  - Typically a one-page form, plus attachments, that describes the place to be searched, and the persons or things to be seized
  - Warrant must be executed within 10 days

“Reasonable Expectation of Privacy” in Computers as Storage Devices
- To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or a file cabinet.
- The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.
- Issues:
  - Are individual files each considered a “closed container?”
  - Relinquishing control to 3rd parties

Warrantless Searches
Warrantless searches do not violate the 4th Amendment if:
- Search does not violate “reasonable expectation of privacy”, or
- Falls within an established exception to the warrant requirement (that is, the 4th Amendment exceptions covered previously).

Other Warrant Issues
- Multiple Warrants for Network Searches
- No-Knock Warrants
- Sneak-and-Peek Warrants
- Privileged Documents

Multiple Warrants for Network Search
- When a computer network is being searched, multiple warrants may be required.
- This is intended to protect the privacy of the other parties that may have data stored on the network.
- A similar situation exists when a single computer has multiple logins which are owned and controlled by different people.

No-Knock Warrants
- Unless otherwise noted, warrants must abide by the “knock and announce” rule.
- Some warrants are issued as “no-knock” when:
  - It is reasonable that the suspect may aggressively repel the search
  - The suspect may escape after the officer knocks
  - It is likely that evidence will be destroyed after the officer knocks and announces
- In digital cases, when a “kill switch” is anticipated, it is common to request this type of warrant.

Sneak & Peek Warrants
- The Patriot Act of 2001 provided a new tool called a “delayed notice” warrant (aka “sneak & peek”).
- This allows notification of the search to be delayed up to 90 days.
- Under normal circumstances, officers cannot seize evidence; however, judges can allow exceptions.
- For digital forensics, this would allow the officer to secretly make a copy of a computer file found during the secret search.

Privileged Documents
- Some documents are not generally available via warrant (and hence are not “discoverable”).
- These are called “privileged documents” and generally fall into the following categories.
  - Attorney-client
  - Doctor-patient
  - Work product content
  - Protected intellectual property

Subpoenas
- A subpoena is not the same thing as a warrant.
- A subpoena does not give the right to search a person or location.
- Subpoenas do not give the right to seize any material evidence.
- A subpoena can do 2 things:
  1. Command a person to appear (in person or with evidence)
  2. Command a person or organization to surrender (or allow examination of) specified tangible evidence

Computer Specific Statutes
- Computer Fraud and Abuse Act of 1986 (18 USC § 1030)
- Child Pornography Protection Act (CPPA)
- Telecommunications Reform Act of 1996
- Federal Wiretap Act
- Stored Communications Act
- Electronic Communication Privacy Act of 1986
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 (amended in 2994 to include cell phones)
- Title III of the Omnibus Crime Control and Safe Streets Act of 1968
- Foreign Intelligence Surveillance Act (FISA) of 1978
- Comprehensive Crime Control Act of 1984
- Privacy Protection Act of 1980
- Digital Millennium Copyright Act (DMCA??)