Computer Forensics
BACS 371
Searching and Seizing
-Warrants, Subpoenas, and
Evidence
Warrant vs. Subpoena?




Search Warrants are an order issued by a judge
that gives government officials permission to enter a
property and look for specific evidence of a crime.
They are very specific and require an affidavit
stating probable cause. They cannot be
challenged.
Subpoenas are orders to appear before the court
or to produce the evidence defined in the subpoena
(or both).
Subpoenas can be challenged for a number of
reasons.
Search Warrants


“Search” is a violation of privacy and is taken very seriously
by the court. Illegal search normally results in inadmissible
evidence.
Search warrants are required for legal search except in
cases of 4th Amendment exceptions:








No “reasonable expectation of privacy”
Consent
Plain view
Search incident to a lawful arrest
Exigent Circumstances
Workplace searches
Inventory searches
Border searchers
Fundamentals of Warrants

Must Describe
 Probable
cause
A
reasonable belief that a person has committed,
is committing, or is about to commit a crime
 Place
to be searched, things to be seized
 Limited
right to violate a person’s privacy
Four Steps for Successful Forensic
Search and Seizure
1.
2.
3.
4.
Assemble a team consisting of the case agent, the
prosecutor, and a technical expert as far in advance as
possible
Learn as much as possible about the computer system that
will be searched before devising a search strategy or
drafting the warrant
Formulate a strategy for conduction the search (including a
backup plan) based on the known information about the
targeted computer system
Draft the warrant, taking special care to describe the object
of the search and the property to be seized accurately, and
particularly, and explain the possible search strategies in
the supporting affidavit.
Basic Search Strategies
In “Live Acquisition”:
1.
Search the computer and print out a hard copy
of particular files at that time.
2.
Search the computer and make an electronic
copy of particular files at that time.
In “Static (Dead) Acquisition”:
1.
Seize the equipment, remove it from the
premises, and review its contents off-site.
2.
Create a duplicate electronic copy of the entire
storage device on-site, and then later recreate a
working copy of the storage device off-site for
review.
When to Seize

Seize if…
The hardware is itself evidence, and instrumentality,
contraband, or a fruit of the crime
 But…



When the hardware is not a stand-alone PC but part of a
complicated network, and collateral damage to a legitimate business
could result, may not want to seize
Generally, do not seize if…
The hardware is merely a storage device for evidence
 But…


Property used to commit an offense involving obscene material may
be forfeited
Other Reasons to Seize
Seize only if a less intrusive alternative is
infeasible
 If agents suspect evidence is mislabeled,
encrypted, stored in hidden directories,
embedded in slack space, …
 Uncommon Operating System
 Suspected “booby traps”
 Generally, pursue the quickest, least intrusive,
and most direct search strategy consistent with
securing evidence described in warrant

Privacy Protection Act (PPA)

Matters when search may result in seizure of
1st Amendment materials (publishing, …)
 “Congress
probably intended the PPA to apply
only when law enforcement intentionally targeted
First Amendment material that related to a crime.”
 Incidental seizure of PPA-protected material
commingled on a suspect’s computer with evidence
of a crime does not give rise to PPA liability.
 However, subsequent search of such material is
usually forbidden
Electronic Communications Privacy Act (ECPA)
Governs law enforcement access to contents of
electronic communications stored by third party
service providers
 Prohibits unauthorized access to electronic or
wire communications in “electronic storage”
 ECPA is implicated only when law enforcement
does not obtain a search warrant
 Ordinarily served like subpoenas:
Investigators transmit request for information to
service providers

Other Warrant Issues
Multiple Warrants for Network Searches
 No-Knock Warrants
 Sneak-and-Peek Warrants
 Privileged Documents

Drafting Warrant and Affidavit

Affidavit
A
sworn statement that explains the basis for the
affiant’s belief that the search is justified by
probable cause

Warrant
 Typically
a one-page form, plus attachments, that
describes the place to be searched, and the
persons or things to be seized
 Warrant must be executed within 10 days
Drafting the Warrant and Affidavit
1.
Accurately and Particularly Describe the Property
to be Seized in the Warrant



2.
Establish Probable Cause in the Affidavit

3.
Specific enough to separate cited items from irrelevant
ones
Not so broad as to include items which should not be
seized
Hardware vs. Information
A fair probability that contraband or evidence of crime
will be found in the particular place to be searched
In the Affidavit Supporting the Warrant, Include an
Explanation of the Search Strategy
Sample Warrant


All records relating to violations of 21 U.S.C. § 841 (a) (drug trafficking) and/or 21
U.S.C. § 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996,
including lists of customers and related identifying information; types, amounts, and prices of
drugs trafficked as well as dates, places, and amounts of specific transactions; any
information related to sources of narcotic drugs (including names, addresses, phone numbers,
or any other identifying information); any information recording [the suspect's] schedule or
travel from 1995 to the present; all bank records, checks, credit card bills, account
information, and other financial records.
The terms "records " and "information" include all of the foregoing items of evidence in
whatever form and by whatever means they may have been created or stored, including any
electrical, electronic, or magnetic form (such as any information on an electronic or magnetic
storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs, optical discs,
backup tapes, printer buffers, smart cards, USB storage devices, memory calculators, pagers,
personal digital assistants such as Palm Pilot computers, as well as printouts or readouts from
any magnetic storage device); any handmade form (such as writing, drawing, painting); any
mechanical form (such as printing or typing); and any photographic form (such as microfilm,
microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies).
Evidence





Evidence is the key to winning a case.
Only “admissible” evidence can be used in court.
Evidence collected illegally will not be admissible;
consequently, it is very important that you follow all
the proper procedures when collecting it.
You cannot determine if evidence is admissible, that
is up to the judge.
Judges follow well established “rules of evidence”
to determine this.
Admissible Evidence

1.
2.
3.
3 Characteristics are needed for evidence to be
admissible.
Is it relevant?
Is it authentic and credible?
Is it competent?
Only the judge can answer these questions.
Relevant Evidence

1.
2.
To be considered relevant, evidence must be:
Material
Directly relates to the case being presented
Probative
Proves something that will help get to the truth in
the case
Authentic & Credible Evidence

Authentic evidence is proven to be what it purports
to be.


Cannot be an opinion (except for “expert witness”
Credible evidence must be precisely what it is
claimed to be

Cannot have been tampered with in any way
Competent Evidence


Competent evidence cannot be prejudicial in any
way.
In other words, it must be as fully objective as
possible and directly relate to the case at hand.