Computer Forensics BACS 371 Searching and Seizing -Warrants, Subpoenas, and Evidence Warrant vs. Subpoena? Search Warrants are an order issued by a judge that gives government officials permission to enter a property and look for specific evidence of a crime. They are very specific and require an affidavit stating probable cause. They cannot be challenged. Subpoenas are orders to appear before the court or to produce the evidence defined in the subpoena (or both). Subpoenas can be challenged for a number of reasons. Search Warrants “Search” is a violation of privacy and is taken very seriously by the court. Illegal search normally results in inadmissible evidence. Search warrants are required for legal search except in cases of 4th Amendment exceptions: No “reasonable expectation of privacy” Consent Plain view Search incident to a lawful arrest Exigent Circumstances Workplace searches Inventory searches Border searchers Fundamentals of Warrants Must Describe Probable cause A reasonable belief that a person has committed, is committing, or is about to commit a crime Place to be searched, things to be seized Limited right to violate a person’s privacy Four Steps for Successful Forensic Search and Seizure 1. 2. 3. 4. Assemble a team consisting of the case agent, the prosecutor, and a technical expert as far in advance as possible Learn as much as possible about the computer system that will be searched before devising a search strategy or drafting the warrant Formulate a strategy for conduction the search (including a backup plan) based on the known information about the targeted computer system Draft the warrant, taking special care to describe the object of the search and the property to be seized accurately, and particularly, and explain the possible search strategies in the supporting affidavit. Basic Search Strategies In “Live Acquisition”: 1. Search the computer and print out a hard copy of particular files at that time. 2. Search the computer and make an electronic copy of particular files at that time. In “Static (Dead) Acquisition”: 1. Seize the equipment, remove it from the premises, and review its contents off-site. 2. Create a duplicate electronic copy of the entire storage device on-site, and then later recreate a working copy of the storage device off-site for review. When to Seize Seize if… The hardware is itself evidence, and instrumentality, contraband, or a fruit of the crime But… When the hardware is not a stand-alone PC but part of a complicated network, and collateral damage to a legitimate business could result, may not want to seize Generally, do not seize if… The hardware is merely a storage device for evidence But… Property used to commit an offense involving obscene material may be forfeited Other Reasons to Seize Seize only if a less intrusive alternative is infeasible If agents suspect evidence is mislabeled, encrypted, stored in hidden directories, embedded in slack space, … Uncommon Operating System Suspected “booby traps” Generally, pursue the quickest, least intrusive, and most direct search strategy consistent with securing evidence described in warrant Privacy Protection Act (PPA) Matters when search may result in seizure of 1st Amendment materials (publishing, …) “Congress probably intended the PPA to apply only when law enforcement intentionally targeted First Amendment material that related to a crime.” Incidental seizure of PPA-protected material commingled on a suspect’s computer with evidence of a crime does not give rise to PPA liability. However, subsequent search of such material is usually forbidden Electronic Communications Privacy Act (ECPA) Governs law enforcement access to contents of electronic communications stored by third party service providers Prohibits unauthorized access to electronic or wire communications in “electronic storage” ECPA is implicated only when law enforcement does not obtain a search warrant Ordinarily served like subpoenas: Investigators transmit request for information to service providers Other Warrant Issues Multiple Warrants for Network Searches No-Knock Warrants Sneak-and-Peek Warrants Privileged Documents Drafting Warrant and Affidavit Affidavit A sworn statement that explains the basis for the affiant’s belief that the search is justified by probable cause Warrant Typically a one-page form, plus attachments, that describes the place to be searched, and the persons or things to be seized Warrant must be executed within 10 days Drafting the Warrant and Affidavit 1. Accurately and Particularly Describe the Property to be Seized in the Warrant 2. Establish Probable Cause in the Affidavit 3. Specific enough to separate cited items from irrelevant ones Not so broad as to include items which should not be seized Hardware vs. Information A fair probability that contraband or evidence of crime will be found in the particular place to be searched In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy Sample Warrant All records relating to violations of 21 U.S.C. § 841 (a) (drug trafficking) and/or 21 U.S.C. § 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996, including lists of customers and related identifying information; types, amounts, and prices of drugs trafficked as well as dates, places, and amounts of specific transactions; any information related to sources of narcotic drugs (including names, addresses, phone numbers, or any other identifying information); any information recording [the suspect's] schedule or travel from 1995 to the present; all bank records, checks, credit card bills, account information, and other financial records. The terms "records " and "information" include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored, including any electrical, electronic, or magnetic form (such as any information on an electronic or magnetic storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs, optical discs, backup tapes, printer buffers, smart cards, USB storage devices, memory calculators, pagers, personal digital assistants such as Palm Pilot computers, as well as printouts or readouts from any magnetic storage device); any handmade form (such as writing, drawing, painting); any mechanical form (such as printing or typing); and any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies). Evidence Evidence is the key to winning a case. Only “admissible” evidence can be used in court. Evidence collected illegally will not be admissible; consequently, it is very important that you follow all the proper procedures when collecting it. You cannot determine if evidence is admissible, that is up to the judge. Judges follow well established “rules of evidence” to determine this. Admissible Evidence 1. 2. 3. 3 Characteristics are needed for evidence to be admissible. Is it relevant? Is it authentic and credible? Is it competent? Only the judge can answer these questions. Relevant Evidence 1. 2. To be considered relevant, evidence must be: Material Directly relates to the case being presented Probative Proves something that will help get to the truth in the case Authentic & Credible Evidence Authentic evidence is proven to be what it purports to be. Cannot be an opinion (except for “expert witness” Credible evidence must be precisely what it is claimed to be Cannot have been tampered with in any way Competent Evidence Competent evidence cannot be prejudicial in any way. In other words, it must be as fully objective as possible and directly relate to the case at hand.