IX. APPENDICES

APPENDIX A:
SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS

IT IS ESSENTIAL to evaluate each case on its facts and craft the language of the warrant accordingly. Computer search warrants, even more than most others, are never one-size-fits-all products. The following paragraphs are a starting point for recurring situations, but may be adjusted in infinite ways. If you have any questions about tailoring an affidavit and warrant for your case, please call the Computer Crime Unit at 202-514-1026 for more suggestions.

Your affiant knows that computer hardware, software, documentation, passwords, and data security devices may be important to a criminal investigation in two distinct and important respects: (1) the objects themselves may be instrumentalities, fruits, or evidence of crime, and/or (2) the objects may have been used to collect and store information about crimes (in the form of electronic data). Rule 41 of the Federal Rules of Criminal Procedure permits the government to search and seize computer hardware, software, documentation, passwords, and data security devices which are (1) instrumentalities, fruits, or evidence of crime; or (2) storage devices for information about crime.

Table of Contents - Main Federal Guidelines

1. Tangible Objects

a. Justify Seizing the Objects

Explain why, in this case, the tangible computer items are instrumentalities, fruits, or evidence of crime--independent of the information they may hold.

Your affiant knows that [subject's] regional offices concertedly and systematically supplied various specialized computer programs to its individual local offices. These computer programs were designed to manipulate data in ways which would automatically add a few pennies to the amount billed to customers for each transaction. By using this specially designed program in its computers, the [subject] was able to commit a pervasive and significant fraud on all customers which would be very difficult for any one of them to detect.

* * * * * * *

or

* * * * * * *

Your affiant knows that [subject] accessed computers without authority from his home by using computer hardware, software, related documentation, passwords, data security devices, and data, more specifically described as follows: [ ].

* * * * * * *

and

* * * * * * *

As described above, the [subject's] computer hardware, software, related documentation, passwords, data security devices, and data were integral tools of this crime and constitute the means of committing it. As such, they are instrumentalities and evidence of the violations designated. Rule 41 of the Federal Rules of Criminal Procedure authorizes the government to seize and retain evidence and instrumentalities of a crime for a reasonable time, and to examine, analyze, and test them.

b. List and Describe the Objects

The tangible objects listed below may be named and seized as the objects of the search when they are, themselves, instrumentalities, fruits, or evidence of crime. Depending on the facts of the case, the list may be long or very short. The affidavit should describe the specific tangible objects with as much particularity as the facts allow. The following paragraphs are designed to be expansive and all-inclusive for those cases in which the government has probable cause to search and seize all computer hardware, software, documentation, and data security devices (including passwords) on site. However, most cases will call for a much more limited list.

(1) Hardware

Computer hardware consists of all equipment which can collect, analyze, create, display, convert, store, conceal, or transmit electronic, magnetic, optical, or similar computer impulses or data. Hardware includes (but is not limited to) any data-processing devices (such as central processing units, memory typewriters, and self-contained "laptop" or "notebook" computers); internal and peripheral storage devices (such as fixed disks, external hard disks, floppy disk drives and diskettes, tape drives and tapes, optical storage devices, transistor-like binary devices, and other memory storage devices); peripheral input/output devices (such as keyboards, printers, scanners, plotters, video display monitors, and optical readers); and related communications devices (such as modems, cables and connections, recording equipment, RAM or ROM units, acoustic couplers, automatic dialers, speed dialers, programmable telephone dialing or signaling devices, and electronic tone-generating devices); as well as any devices, mechanisms, or parts that can be used to restrict access to computer hardware (such as physical keys and locks).

(2) Software

Computer software is digital information which can be interpreted by a computer and any of its related components to direct the way they work. Software is stored in electronic, magnetic, optical, or other digital form. It commonly includes programs to run operating systems, applications (like word-processing, graphics, or spreadsheet programs), utilities, compilers, interpreters, and communications programs.

(3) Documentation

Computer-related documentation consists of written, recorded, printed, or electronically stored material which explains or illustrates how to configure or use computer hardware, software, or other related items.

(4) Passwords and Data Security Devices

Computer passwords and other data security devices are designed to restrict access to or hide computer software, documentation, or data. Data security devices may consist of hardware, software, or other programming code. A password (a string of alpha-numeric characters) usually operates as a sort of digital key to "unlock" particular data security devices. Data security hardware may include encryption devices, chips, and circuit boards. Data security software or digital code may include programming code that creates "test" keys or "hot" keys, which perform certain pre-set security functions when touched. Data security software or code may also encrypt, compress, hide, or "booby-trap" protected data to make it inaccessible or unusable, as well as reverse the process to restore it.

2. Information: Records, Documents, Data

For clarity, most "information" warrants need one paragraph listing all the kinds of evidence they seek (content). Then they need a separate paragraph detailing all the various forms this evidence could take, so it is clear that all forms apply to all records. Most warrants will need another section (in appropriate cases) explaining why agents need to seize data storage devices for off-site searches. It may also be necessary to ask the magistrate for permission to take some peripheral hardware and software even though it does not directly contain evidence.

a. Describe the Content of Records, Documents, or other Information

If the object of the search is information which has been recorded in some fashion (including digital form), it is important to begin with the content of the record and not with its form. Depending on the case, the probable cause may be limited to one very specific document or extend to every record in a wholly criminal enterprise. Describe the content of the document with the same specificity and particularity as for paper records.

Based on the facts as recited above, your affiant has probable cause to believe the following records are located at [the suspect's] residence and contain evidence of the crimes described:

A letter dated July 31, 1991 from [the suspect] to his mother.

Tax records and all accompanying accounts, records, checks, receipts, statements, and related information for tax year 1991.

Lists of illegal or unauthorized access codes or passwords, including (but not limited to) telephone, credit card, and computer access codes.

All records relating to [the suspect's] drug trafficking, including (but not limited to) lists of customers and related identifying information; types, amounts, and prices of drugs trafficked as well as dates, places, and amounts of specific transactions; any information related to sources of narcotic drugs (including names, addresses, phone numbers, or any other identifying information); any information recording [the suspect's] schedule or travel from 1988 to present; all bank records, checks, credit card bills, account information, and other financial records.

b. Describe the Form which the Relevant Information May Take

If you know the records are stored on a computer or in some other digital form, you should limit the scope of the search to digital records. If you cannot determine in advance the form of the records (or if the records are in several different forms) the following language is a starting point. BUT BE SURE TO ELIMINATE ANYTHING WHICH DOES NOT APPLY TO YOUR CASE. Once again, because cases which have nothing else in common may all have digital evidence, the following list is extremely broad. For example, in child pornography or counterfeiting cases, the non-digital evidence may be photographs, films, or drawings. But in drug cases, tax cases, or computer crimes, the agents may not be searching for graphics or other pictures.

The terms "records," "documents," and "materials" include all of the foregoing items of evidence in whatever form and by whatever means such records, documents, or materials, their drafts, or their modifications may have been created or stored, including (but not limited to) any handmade form (such as writing, drawing, painting, with any implement on any surface, directly or indirectly); any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies); any mechanical form (such as phonograph records, printing, or typing); any electrical, electronic, or magnetic form (such as tape recordings, cassettes, compact discs, or any information on an electronic or magnetic storage device, such as floppy diskettes, hard disks, backup tapes, CD-ROMs, optical discs, printer buffers, smart cards, memory calculators, electronic dialers, Bernoulli drives, or electronic notebooks, as well as printouts or readouts from any magnetic storage device).

c. Electronic Mail: Searching and Seizing Data from a BBS Server under 18 U.S.C. § 2703

In some situations, you may know or suspect that the target's computer is the server for an electronic bulletin board service (BBS). If you need to seize the computer, the data on it, or backups of the data, consider the applicability of 18 U.S.C. § 2703. (See "STORED ELECTRONIC COMMUNICATIONS," supra p. 82.) If the statute applies and there is or may be qualifying e-mail on the computer, consider whether the government has probable cause to believe that all or any of it is evidence of crime.

Your affiant has probable cause to believe that [the suspect's] computer operates, in part, as the server (or communications center) of an electronic bulletin board service ("BBS"). This BBS [appears to] provide[s] "electronic communication service" to other persons, and [may] contain[s] their "electronic communications," which may have been in "electronic storage" on [the suspect's] computer for less than 180 days (as those terms are defined in 18 U.S.C. § 2510). The affiant is aware of the requirements of Title 18 U.S.C. § 2703 describing law enforcement's obligations regarding electronic communications in temporary storage incident to transmission, as defined in that statute.

(1) If All the E-Mail is Evidence of Crime

If the whole BBS is dedicated to criminal enterprise (such as a specialty "porn board" or "pirate board"), the facts may support searching and seizing all the e-mail, including the electronic mail which qualifies under the statute.

[Your affiant, as an undercover subscriber and user of (the suspect's) BBS network, has learned that it is dedicated to exchanging illegal copies of computer software and stolen access codes among users. All users are asked to furnish pirated software products and active access codes (phone cards, credit cards, PBX codes, and computer passwords) in return for the privilege of illegally downloading from the BBS other illegal software or codes they may choose. Your affiant has used the electronic mail services of the BBS, and knows that the subscribers use it primarily to share information about other sources of illegal software and about how to use stolen access codes and computer passwords. Thus, your affiant has probable cause to believe that any electronic mail residing on the system contains evidence of these illegal activities.]

(2) If Some of the E-Mail is Evidence of Crime

If you have probable cause to believe that there will be evidence of crime in the e-mail of some users and not others, the affidavit and warrant should distinguish and describe which will be searched and seized and which will not. In most cases like this, the government will be focusing on the electronic communications of the suspect/sysop's co-conspirators. The affidavit should identify the particular individuals, if possible (by name or "hacker handle"), so that data analysts will know which e-mail to search and which to leave unopened. In some cases, the government may have probable cause to search e-mail from some "sub-boards" of the BBS, but not from others. In other cases, the magistrate may allow the government to run "string searches" of all the e-mail for certain specified key words or phrases. There are too many variations in these cases to draft useful models, but the wisest course is to address this issue in the affidavit and set out a search and seizure plan which the magistrate can approve. Please call the Computer Crime Unit (202-514-1026) for more specific assistance.

(3) If None of the E-Mail is Evidence of Crime

In some cases, the suspect's criminal uses of his computer are quite separate from and coincidental to his using it as the server for a BBS. For example, a sysop who runs a legal bulletin board from his home may also use the same computer to store personal copies of child pornography, or records of his drug-dealing business, or a death-threat letter to the President of the United States. None of these criminal uses has anything to do with the legal (and perhaps statutorily protected) private electronic communications of his BBS subscribers--except for the fact that they reside on the same computer system. And even when this computer system clearly is an instrumentality of the suspect/sysop's crime, the government may be obliged to protect the unrelated, qualifying e-mail of innocent third parties and set it aside, unopened. In any event, the government should consider and address this issue with the magistrate and devise a plan which will work in the case at hand. Call the Computer Crime Unit for more help.

d. Ask Permission to Seize Storage Devices when an Off-Site Search is Necessary

Based upon your affiant's knowledge, training and experience, and consultations with [NAME AND QUALIFICATIONS OF EXPERT], your affiant knows that searching and seizing information from computers often requires agents to seize most or all electronic storage devices (along with related peripherals) to be searched later by a qualified computer expert in a laboratory or other controlled environment. This is true because of the following:

1) The volume of evidence. Computer storage devices (like hard disks, diskettes, tapes, laser disks, Bernoulli drives) can store the equivalent of thousands of pages of information. Additionally, a suspect may try to conceal criminal evidence; he or she might store it in random order with deceptive file names. This may require searching authorities to examine all the stored data to determine which particular files are evidence or instrumentalities of crime. This sorting process can take weeks or months, depending on the volume of data stored, and it would be impractical to attempt this kind of data search on site.

2) Technical requirements. Searching computer systems for criminal evidence is a highly technical process requiring expert skill and a properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in some systems and applications, so it is difficult to know before a search which expert is qualified to analyze the system and its data. In any event, however, data search protocols are exacting scientific procedures designed to protect the integrity of the evidence and to recover even "hidden," erased, compressed, password-protected, or encrypted files. Since computer evidence is extremely vulnerable to inadvertent or intentional modification or destruction (both from external sources and from destructive code embedded in the system as a "booby trap"), a controlled environment is essential to its complete and accurate analysis.

e. Ask Permission to Seize, Use, and Return Auxiliary Items, as Necessary

In cases where you must seize hardware, software, documentation, and data security devices in order to search and seize the data for which you have probable cause, ask the magistrate's permission in the affidavit. The language which follows is general and will be most applicable to computers which are not part of an extensive network. Of course, if you have specific information in your case to support seizing auxiliary items (e.g., the computer hardware is rare; the operating system is custom-designed), cite those factors rather than using the general description which follows.

Based upon your affiant's knowledge, training and experience, and [NAME AND QUALIFICATIONS OF EXPERT], your affiant knows that searching computerized information for evidence or instrumentalities of crime commonly requires agents to seize most or all of a computer system's input/output peripheral devices, related software, documentation, and data security devices (including passwords) so that a qualified computer expert can accurately retrieve the system's data in a laboratory or other controlled environment. This is true because of the following:

The peripheral devices which allow users to enter or retrieve data from the storage devices vary widely in their compatibility with other hardware and software. Many system storage devices require particular input/output (or "I/O") devices in order to read the data on the system. It is important that the analyst be able to properly re-configure the system as it now operates in order to accurately retrieve the evidence listed above. In addition, the analyst needs the relevant system software (operating systems, interfaces, and hardware drivers) and any applications software which may have been used to create the data (whether stored on hard drives or on external media), as well as all related instruction manuals or other documentation and data security devices.

If, after inspecting the I/O devices, software, documentation, and data security devices, the analyst determines that these items are no longer necessary to retrieve and preserve the data evidence, the government will return them within a reasonable time.

f. Data Analysis Techniques

Data analysts may use several different techniques to search electronic data for evidence or instrumentalities of crime. These include, but are not limited to, the following: examining file directories and subdirectories for the lists of files they contain; "opening" or reading the first few "pages" of selected files to determine their contents; scanning for deleted or hidden data; and searching for key words or phrases ("string searches").

3. Stipulation for Returning Original Electronic Data

In some cases, you may want to return data storage devices which contain original electronic evidence to the suspect and keep "bit-stream" or "mirror-image" copies for processing and for use at trial. For example, the suspect may be a large business which employs many innocent people and which needs its computers and data in order to run the business and pay the employees. If you do wish to return the equipment and data before trial, consider using some version of the following stipulation to avoid evidentiary issues. Of course, whether the copies are, indeed, "exact" copies is a question of fact, and the defense will have to satisfy itself that the government's copying process was accurate. But if, after exploring the issue, the defense refuses to sign a stipulation and cannot be satisfied about the reliability of the duplicates, you will probably need to keep the originals. (See "Returning Seized Computers and Materials," supra p. 101, and "EVIDENCE," supra p. 108.) (For a form stipulation, see p. 131.)

UNITED STATES DISTRICT COURT

In the Matter of the Search of:

________________________________

STIPULATION OF THE PARTIES

It is hereby stipulated and agreed between

and

as an individual and as an agent for

that:

(1) the electronic information contained on the [Bernoulli 90-MB disk, number ____________] is a complete, exact, and accurate duplicate of the electronic information contained on [the hard drive of an IBM personal computer, serial number _____________] [the hard drive of a personal computer identified as "Fred's" by an evidence tag attached to the top of the CPU cover, said personal computer bearing no serial number or other identifying information] [a floppy disk marked with an evidence sticker as "item number ________," and bearing the initials "_ _ _"]; which computers/floppy disk were/was seized from ______________________ on ____________, 199_, by agents of the _______________________.

(2) the electronic information contained on the [Bernoulli 90-MB disk, number ____________] accurately reproduces the original data described above as of ______________, 199_.

   ________________________     ______________________

   Assistant U.S. Attorney      Defendant

   _______________________      ______________________

   Agency                       Attorney
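The stipulation treats whether the duplicate is "exact" as a question of fact. The following added example (not part of the Guidelines or of the form above) shows how an analyst can establish that fact: it streams the original and the copy once, hashes both with SHA-256 (a technique the page itself does not name), and records the first byte offset at which they diverge; the sample "drive" contents and evidence labels are constructed.

```python
"""Verify that a bit-stream copy is a complete, exact duplicate of the original.
Added example, not from the Guidelines; SHA-256 hashing is an assumed technique the
page does not name, and the sample "drive" contents below are constructed in memory."""
import hashlib
import io
import random
from dataclasses import dataclass
from typing import BinaryIO, Optional

CHUNK = 1 << 20  # stream 1 MiB at a time so large images need not fit in memory

@dataclass
class VerificationRecord:
    original_id: str        # e.g. the evidence tag or serial number of the seized drive
    copy_id: str            # e.g. the label on the duplicate medium
    original_bytes: int
    copy_bytes: int
    original_sha256: str
    copy_sha256: str
    first_mismatch_offset: Optional[int]  # None when the streams are byte-for-byte identical

    @property
    def exact_duplicate(self) -> bool:
        return self.first_mismatch_offset is None and self.original_bytes == self.copy_bytes

def verify_duplicate(original: BinaryIO, copy: BinaryIO, original_id: str,
                     copy_id: str, chunk: int = CHUNK) -> VerificationRecord:
    """Read both streams once, hashing each and recording the first differing byte.
    Accepts an image file or a raw device opened read-only (use a write-blocker)."""
    h_orig, h_copy = hashlib.sha256(), hashlib.sha256()
    n_orig = n_copy = 0
    mismatch: Optional[int] = None
    while True:
        a, b = original.read(chunk), copy.read(chunk)
        if not a and not b:
            break
        h_orig.update(a)
        h_copy.update(b)
        if mismatch is None and a != b:
            # First differing byte in this chunk; if one side is shorter but the
            # shared prefix matches, the mismatch is where the shorter side ends.
            limit = min(len(a), len(b))
            idx = next((i for i in range(limit) if a[i] != b[i]), limit)
            mismatch = n_orig + idx
        n_orig += len(a)
        n_copy += len(b)
    return VerificationRecord(original_id, copy_id, n_orig, n_copy,
                              h_orig.hexdigest(), h_copy.hexdigest(), mismatch)

def verify_bytes(original: bytes, copy: bytes, original_id: str = "original",
                 copy_id: str = "copy") -> VerificationRecord:
    """Convenience wrapper for in-memory data such as the constructed samples below."""
    return verify_duplicate(io.BytesIO(original), io.BytesIO(copy), original_id, copy_id)

def make_samples(seed: int = 41) -> dict:
    """Constructed data: a fake drive image plus an exact, a corrupted and a truncated copy."""
    original = random.Random(seed).randbytes(2 * CHUNK + 12345)
    flipped = bytearray(original)
    flipped[1_500_000] ^= 0x01  # a single bit error introduced during copying
    return {"original": original, "exact": bytes(original),
            "flipped": bytes(flipped), "truncated": original[:-4096]}

if __name__ == "__main__":
    s = make_samples()
    for name in ("exact", "flipped", "truncated"):
        r = verify_bytes(s["original"], s[name], "hard drive, evidence tag 1", name)
        print(f"{name}: exact={r.exact_duplicate} first_mismatch={r.first_mismatch_offset}")
```

The record (both hashes, both sizes, and the first mismatch offset, if any) is what the defense would need to satisfy itself about the copying process before signing the stipulation.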

Updated page March 5, 1998