Table of Contents - Main Federal Guidelines

IV. SEARCHING FOR AND SEIZING INFORMATION


A. INTRODUCTION

Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene and (2) searches where the information sought has been stored off-site, and the computer at the search scene is used to access this off-site location. [3]

In some cases, the distinction is insignificant, and many topics covered in this section apply equally to both types of searches. On the other hand, there are certain unique issues that arise only when the computer is part of a network. For example, since Fed. R. Crim. P. 41(a) requires that a search warrant be issued by a court in the district where the property is located, agents may have to get a second warrant in another district if the target has sent data to a distant computer. See "Describing the Place to be Searched," infra p. 87.

Although "property" is defined in Federal Rule of Criminal Procedure 41(h) to include "documents, books, papers and other tangible objects," (emphasis added), courts have held that intangible property such as information may be seized. In United States v. Villegas, 899 F.2d 1324, 1334-35 (2d Cir.), cert. denied, 498 U.S. 991 (1990), the Second Circuit noted that warrants had been upheld for intangible property such as telephone numbers called from a given phone line and recorded by a pen register, conversations overheard by means of a microphone touching a heating duct, the movement of property as tracked by location-monitoring beepers, and images seized with video cameras and telescopes. The court in Villegas upheld a warrant which authorized agents to search a cocaine factory and covertly take photographs without authorizing the seizure of any tangible objects. But see United States v. Johns, 948 F.2d 599 (9th Cir. 1991), cert. denied, 112 S. Ct. 3046 (1992)(a "sneak and peek" warrant executed without giving notice to the defendants that the search had occurred violated Rule 41(d)).

Table of Contents - Main Federal Guidelines

B. INFORMATION AS CONTRABAND

The same theories which justify seizing hardware--contraband or fruit of crime, instrumentality, or evidence--also apply to seizing information. See "Authority for Seizing Contraband or Fruits of Crime," supra p. 25. Because individuals often obtain copies of software in violation of copyright laws, it may be appropriate to seize that software as well as any documentation (such as photocopied software manuals) because they are likely to be illegally obtained. (Software producers may allow a purchaser to make a backup copy of the software bought, but these copies may not be disseminated because of copyright laws.) Lists of telephone card access codes and passwords for government computer networks may also be considered contraband, because their possession is prohibited by statute if the possessor has the requisite mens rea. 18 U.S.C. § 1029(a)(3), 18 U.S.C. § 1030(a)(6).

Table of Contents - Main Federal Guidelines

C. INFORMATION AS AN INSTRUMENTALITY

Rule 41(b) broadly defines what may be seized as an instrumentality: any "property designed or intended for use or which is or has been used as the means of committing a criminal offense." Fed. R. Crim. P. 41(b)(3). This includes both tangible and intangible property. See United States v. Villegas, supra p. 33. Thus, in some cases, informational documents and financial instruments which have been used in the commission of an offense may be seized as instrumentalities of crime. Compare Abel v. United States, 362 U.S. 217, 237-9 (1960)(documents used in connection with suspect's illegal alien status were instrumentalities, including phony birth certificates, bank records, and vaccination records) with Application of Commercial Inv. Co., 305 F. Supp. 967 (S.D.N.Y. 1969)($5 million in securities were not instrumentalities where the government suspected improprieties with an $18,000 brokerage account and the securities were at most "incidental" to the offense).

Likewise, investigators should seize objects if they are "designed or intended for use" as instrumentalities. Fed. R. Crim. P. 41(b)(3). Sometimes an item will obviously fit that description (like software designed to help hackers crack passwords or lists of stolen credit card numbers) but, at other times, it may not be so simple. Even so, as long as a reasonable person in the agent's position would believe the item to be an instrumentality, the courts will probably respect the agent's judgment. This is, after all, the same test used to determine when an object would aid apprehension or conviction of a criminal. See Andresen v. Maryland, 427 U.S. 463, 483 (1976). As such, the particular facts of the case are very important. For example, if an agent investigating the sysop of an illegal bulletin board knows that the board only operates on one personal computer, a second computer sitting in the same room is probably not an instrumentality. But if the agent has heard from a reliable informant that the suspect has boasted about expanding his operation to a second board, that second computer is probably "intended" as an instrumentality, and the agent should take it. Additionally, if the suspect has substantially modified a personal computer to enhance its usefulness for a particular crime (perhaps by installing password-cracking software), an agent might well reasonably believe that the computer and the software was "designed" for criminal activity.

Table of Contents - Main Federal Guidelines

D. INFORMATION AS EVIDENCE

Before the Supreme Court's rejection of the "mere evidence" rule in Warden v. Hayden, 387 U.S. 294, 300-301 (1967), courts were inconsistent in ruling whether records that helped to connect the criminal to the offense were instrumentalities of crime (and thus seizable), or were instead merely evidence of crime (and thus not seizable). Compare Marron v. United States, 275 U.S. 192 (1927) (approving prohibition agent's seizure of bills and ledger books belonging to speakeasy operators as instrumentalities of crime) with United States v. Lefkowitz, 285 U.S. 452 (1932)(disapproving prohibition agent's seizure of papers intended to solicit orders for illegal liquor). Indeed, several courts have concluded that, when it comes to documents, it is impossible to separate the two categories. See Hayden, 387 U.S. at 302 (stating that the distinction between mere evidence and instrumentalities "is wholly irrational, since, depending on the circumstances, the same 'papers and effects' may be 'mere evidence' in one case and 'instrumentality' in another"); United States v. Stern, 225 F. Supp. 187, 191 (S.D.N.Y. 1964) ("It would be hazardous to attempt any definition [of papers that are instrumentalities of crime and not mere evidence]; we shall not."). Now that evidence of crime may be seized in the same way as instrumentalities of crime, it is useful to acknowledge that, in most instances, documents and other information connecting the criminal to his offense should be viewed as evidence of the crime, and not as instrumentalities. For example, in United States v. Lindenfield, 142 F.2d 829, 830-32 (2d Cir.), cert. denied, 323 U.S. 761 (1944), the prescription records of a doctor who illegally prescribed morphine to "patients" were classified as evidence, not as instrumentalities.

The prescription records in Lindenfield illustrate the sort of document that may be seized as evidence: records that reveal the operation of the criminal enterprise over time. Other examples include the customer lists of narcotics traffickers, telephone bills of hackers who break into computer networks, and plans for the fraud or embezzlement of corporate and financial targets. This documentary evidence may be in paper or book form, or it may be stored electronically in a computer or on a backup tape. As with other types of evidence, documents may be seized if they aid in showing intent and the absence of mistake on the suspect's part, even though they may not relate directly to the commission of the crime, but to some other similar transaction instead. See Andresen v. Maryland, 427 U.S. 463, at 483-84 (1976)(approving seizure of documents about a second transaction because they showed criminal intent and absence of mistake in the first transaction).

Table of Contents - Main Federal Guidelines

1. Evidence of Identity

Evidence of a crime also includes various types of identification evidence. For example, courts have recognized that clothing seen worn by a criminal during the commission of the offense constitutes evidence of the crime, because it helps to tie the suspect to the crime. See, e.g., United States v. Korman, 614 F.2d 541, 547 (6th Cir.)(approving the seizure of a green ski jacket as both evidence of and an instrumentality of the crime), cert. denied, 446 U.S. 952 (1980).

Documents that incriminate a suspect's co-conspirators also may be seized as evidence because they help identify other involved parties and connect them with the suspect. See, e.g., United States v. Santarsiero, 566 F. Supp. 536, 544 (S.D.N.Y. 1983)(approving the seizure of the suspect's notebook in a counterfeit credit card investigation where others were working with or purchasing cards from him, and the notebook contained telephone numbers that the investigating officers could reasonably believe would help in identifying and connecting others with the suspect's crimes). In many computer crimes, we have found that hackers work jointly and pool hacking information. In these cases, telephone records may prove this connection. Moreover, agents may seize evidence that helps identify the occupant of a home or office connected to the crime, where the home or office is used regularly by more than one person. See, e.g., United States v. Whitten, 706 F.2d 1000, 1008-09 (9th Cir. 1983)(approving the seizure of telephone books, diaries, photos, utility bills, telephone bills, personal property, cancelled mail, keys, rent receipts, deeds, and leases that helped establish who owned and occupied premises used for a large scale narcotics operation, where the premises were used by more than one person and the warrant authorized seizing items "indicating the ownership or occupancy of the residence"), cert. denied, 465 U.S. 1100 (1984). As with houses and offices, computers are often used by more than one person, and this sort of evidence may help establish just who used the computer or computers to commit the crime.

Table of Contents - Main Federal Guidelines
Supplement - Evidence of Identity

2. Specific Types of Evidence

a. Hard Copy Printouts

Any information contained in a computer system may have been printed out by the target of the investigation. Finding a printed copy may be valuable for a number of reasons. First, a printout may display an earlier version of data that has since been altered or deleted. Second, in certain electronic environments (such as bulletin boards), individuals may claim to lack knowledge about what information is electronically stored in the computer (e.g., a bulletin board operator may disavow any knowledge that his board contained illegal access codes that were posted and downloaded by others). Finding printed copies in someone's possession may negate this defense. Third, the printouts may tie the crime to a particular printer which, in turn, may be seizable as an instrumentality (e.g., the printouts may reveal that extortionate notes were printed on a certain printer, thus warranting seizure of the printer).

Table of Contents - Main Federal Guidelines

b. Handwritten Notes

Finally, agents should be alert for notes in manuals, on the equipment, or in the area of the computer. These may provide critical keys to breaking passwords, finding the file or directory names of important data, operating the hardware or software, identifying the suspect's electronic or telephone connections with co-conspirators and victims, or finding login names or accounts.

Table of Contents - Main Federal Guidelines

E. PRIVILEGED AND CONFIDENTIAL INFORMATION

1. In General

Warrants to search computers which contain privileged information must meet the same requirements as warrants to search for and seize paper documents under similar conditions; that is, the warrant should be narrowly drawn to include only the data pertinent to the investigation, and that data should be described as specifically as possible. See, e.g., Klitzman v. Krut, 744 F.2d 955 (3d Cir. 1984). Since a broad search of computers used by confidential fiduciaries (e.g., attorneys or physicians) is likely to uncover personal information about individuals who are unconnected with the investigation, it is important to instruct any assisting forensic computer experts not to examine files about uninvolved third parties any more than absolutely necessary to locate and seize the information described in the warrant.

Table of Contents - Main Federal Guidelines

a. Doctors, Lawyers, and Clergy

Federal law recognizes some, but not all, of the common law testimonial privileges. Fed. R. Evid. 501. Indeed, Congress has recognized a "special concern for privacy interests in cases in which a search or seizure for documents would intrude upon a known confidential relationship such as that which may exist between clergyman and parishioner; lawyer and client; or doctor and patient." 42 U.S.C. § 2000aa-11(1)(3). At Congress's direction, see 42 U.S.C. § 2000aa-11(a), the Attorney General has issued guidelines for federal officers who want to obtain documentary materials from disinterested third parties. 42 U.S.C. § 2000aa-11. Under these rules, they should not use a search warrant to obtain documentary materials believed to be in the private possession of a disinterested third party physician, lawyer, or clergyman where the material sought or likely to be reviewed during the execution of the warrant contains confidential information on patients, clients, or parishioners. 28 C.F.R. § 59.4(b). A search warrant can be used, however, if using less intrusive means would substantially jeopardize the availability or usefulness of the materials sought; access to the documentary materials appears to be of substantial importance to the investigation; and the application for the warrant has been recommended by the U.S. Attorney and approved by the appropriate Deputy Assistant Attorney General. 28 C.F.R. § 59.4(b)(1) and (2).

Table of Contents - Main Federal Guidelines
Supplement - Doctors, Lawyers, and Clergy
Supplement II - Doctors, Lawyers, and Clergy

b. Publishers and Authors

Additionally, Congress has expressed a special concern for publishers and journalists in the Privacy Protection Act, 42 U.S.C. 2000aa. Generally speaking, agents may not search for or seize any "work product materials" (defined by statute) from someone "reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." 42 U.S.C. § 2000aa(a). In addition, as an even broader proposition, government officers cannot search for or seize "documentary materials" (also defined) from someone who possesses them in connection with a purpose to similarly publish. 42 U.S.C. § 2000aa(b). These protections do not apply to contraband, fruits of a crime, or things otherwise criminally possessed. 42 U.S.C. § 2000aa-7.

Although this provision may seem, at first blush, to have a somewhat limited application for law enforcement, it has emerged as a frequent issue in computer searches. Because even a stand-alone computer can hold thousands of pages of information, it is common for users to mix data so that evidence of crime is commingled with material which is innocuous--or even statutorily protected. And as a technical matter, analysts sometimes cannot recover the electronic evidence without, in some manner, briefly searching or seizing the protected data. Moreover, this problem becomes exponentially more difficult, both legally and practically, if the target computers are part of a network which holds the work of many different people. The larger the network and the more varied its services, the harder it is to predict whether there might be information on the system which could arguably qualify for statutory protection. (This complex area of the law is discussed in detail at "THE PRIVACY PROTECTION ACT, 42 U.S.C. § 2000aa," infra p. 69. It is critical that prosecutors and agents read this section and the statute with care before undertaking a search which may intrude on protected materials.)

Table of Contents - Main Federal Guidelines

2. Targets

If the person who holds the documents sought is not "disinterested" but a target of the investigation, the rules are understandably different. In those cases, agents may get a warrant to search the files for confidential information (regardless of whether that information is technically "privileged" under Federal law), but the warrant should be drawn as narrowly as possible to include only information specifically about the case under investigation.

When the target of an investigation has complete control of the computer to be searched (such as a stand-alone PC), it may be difficult to find all the evidence without examining the entire disk drive or storage diskettes. Even in situations like these, it may be possible to get other people in the suspect's office to help locate the pertinent files without examining everything. When a computer must be removed from the target's premises to examine it, agents must take care that other investigators avoid reading confidential files unrelated to the case. Before examining everything on the computer, analysts should try to use other methods to locate only the material described in the warrant. Finally, as experts comb for hidden or erased files or information contained between disk sectors, they must continue to protect the unrelated, confidential information as much as possible.

Table of Contents - Main Federal Guidelines

3. Using Special Masters

In rare instances, the court may appoint a special master to help search a computer which contains privileged information. See, e.g., DeMassa v. Nunez, 747 F.2d 1283 (9th Cir. 1984). A neutral master would be responsible to the court, and could examine all the documents and determine what is privileged. If the court appoints a master, the government should ask for a neutral computer expert to help the master recover all the data without destroying or altering anything. In cases like these, the computer expert needs detailed instructions on the search procedures to be performed. In no event should the target of the search or his employees serve as the master's computer expert.

Table of Contents - Main Federal Guidelines
Supplement II - Using Special Masters

F. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND-ALONE PCs, NETWORKS AND FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS, AND ELECTRONIC MAIL

1. Stand-Alone PCs

When searching for information, agents must not overlook any storage devices. This includes hard drives, floppy disks, backup tapes, CD-ROMs [4], WORM drives [5], and anything else that could hold data. In addition, notwithstanding the high-tech nature of computer searches, investigators must remember basic evidentiary techniques. If identification is an issue, they should look for fingerprints or other handwritten notes and labels that may help prove identity. If data is encrypted, a written copy of the password is clearly important.

Table of Contents - Main Federal Guidelines

a. Input/Output Devices: Do Monitors, Modems, Printers, and Keyboards Ever Need to be Searched?

Prosecutors must always keep in mind the independent component doctrine (supra p. 24); that is, there must be a basis for seizing each particular item. If agents are only searching for information, it may be senseless to seize hardware that cannot store information.

That said, it is important to remember that information can be retrieved from many hardware devices, even those not normally associated with a storage function. Generally speaking, input and output (I/O) devices such as keyboards, monitors, and printers do not permanently store data. Most data is stored on devices such as hard drives, CD-ROMs, and floppy disks. By contrast, I/O devices are used to send data to, and receive data from, the computer. Once the computer is turned off, I/O devices do not store information. For example, when a computer is turned off, the information on the screen is lost unless it has been saved to a storage device.

However, there are significant exceptions to this general rule. A trained computer specialist, using specialized techniques, may find data or other evidence even on I/O devices. The following list is not all-inclusive, but rather offers some examples of I/O devices that may provide useful evidence even after they have been turned off.

Laser printers -- It may be possible to search for images of the last page printed on laser printers. This technique requires planning because the expert must examine the printer before it is moved. If this type of evidence may be needed, a computer expert must be ready at the scene with the necessary equipment. Additionally, paper containing information may still be inside a laser printer due to a paper jam that was not cleared.

Hard disk print buffers -- Some laser printers have five- or ten-megabyte hard drives that store an image before it prints, and the information will stay on the drive until the printer runs out of memory space and writes over it. One example of a printer that may have an internal hard drive is the Qume 1000 Color Printer. An expert would be able to search the hard drive for information sent to and stored by that printer.

Print Spooler Device -- This device holds information to be printed. The spooler may be holding a print job if the printer was not ready to print when the print command was given (e.g., the printer was not turned on or was out of paper). This device should be handled at the scene since the information will be lost when power is disrupted.

Ribbon printers -- Like old typewriter ribbons, printer ribbons contain impressions from printed jobs. These impressions can be recovered by examining the ribbon.

Monitors -- Any burning of the screen phosphorus may reveal data or graphics commonly left on the screen.

Keyboards -- Although they do not normally store information, some unusual keyboards are actually computer workstations and may contain an internal diskette drive.

Hard Cards -- These appear to be a typical function board but they function like a hard disk drive and store information.

Scanner -- Flatbed type scanners may have hard paper copy underneath the cover.

(9) Fax machines -- Although some kinds of stand-alone fax machines simply scan and send data without storing it, other models can store the data (e.g., on a hard drive) before sending it. Significantly, the data remains in the machine's memory until overwritten. Some fax machines contain two or more megabytes of memory--enough to hold hundreds of pages of information.

Table of Contents - Main Federal Guidelines

b. Routine Data Backups Routine Data Backups

Even on stand-alone systems, computer users often make backup copies of files to protect against hardware failure or other physical disruptions. If the computer has any sort of failure which destroys the original copy of data or programs (e.g., a hard disk failure), the data can then be restored from the backups. How often backups are made is solely up to the user. As a practical matter, however, most computer-literate users will back up data regularly since mechanical failures are not uncommon and it is often difficult and time-consuming to recreate data that has been irretrievably lost. Backup copies can be made on magnetic tape, disks, or cartridges.

Table of Contents - Main Federal Guidelines

2. Networked PCs

Increasingly, computers are linked with other computers. This can be done with coaxial cable in a local area network, via common telephone lines, or even through a wireless network, using radio frequency (RF) communications. Due to this interconnectivity, it has become more important than ever to ascertain from sources or surveillance what type of system agents will encounter. Without knowing generally what is there before the search, investigators could end up with nothing more than a "dumb terminal" (no storage capability) connected to a system which stores the files in the next county or state. It would be akin to executing a search warrant for a book-making operation on a vacant room that only has a phone which forwards calls to the actual operation site. During the planning stage of a search, the government must consider the possibility of off-site storage locations.

The following are systems or devices which make it possible for a suspect to store data miles, or even continents, away from her own computer:

FILE SERVER: A file server is a computer on a network that stores the programs and data files shared by the users of the network. A file server acts like a remote disk drive, enabling someone to store information on a computer system other than his own. It can be located in another judicial district from the target machine.

ELECTRONIC MAIL: Electronic mail provides for the transmission of messages and files between computers over a communications network. Sending information in this way is similar in some ways to mailing a letter through the postal service. The messages are sent from one computer through a network to the electronic address of another specific computer or to a series of computers of the sender's choice. The transmitted messages (and attached files) are either stored at the computer of the addressee (such as someone's personal computer) or at a mail server (a machine dedicated, at least in part, to storing mail). If the undelivered mail is stored on a server, it will remain there until the addressee retrieves it. When people "pick up" e-mail from the mail server, they usually receive only a copy of their mail, and the stored message is maintained in the mail server until the addressee deletes it (some systems allow senders to delete mail on the server before delivery). Of course, deleted mail may sometimes be recovered by undeleting the message (if not yet overwritten) or by obtaining a backup copy (if the server was backed up before the message was deleted).

ELECTRONIC BULLETIN BOARD SYSTEMS (BBS): A bulletin board system is a computer dedicated, in whole or in part, to serving as an electronic meeting place. A BBS computer system may contain information, programs, and e-mail, and is set up so that users can dial the bulletin board system, read and leave messages for other users, and download and upload software programs for common use. Some BBSs also have gateways which allow users to connect to other bulletin boards or networks. A BBS can have multiple telephone lines (so that many people can use it at the same time) or a single line where a user's access is first-come, first-served. BBSs can have several levels of access, sometimes called "sub-boards" or "conferences." Access to the different conferences is usually controlled by the system operator with a password system. A single user may have several different passwords, one for each different level or conference. A user may store documents, data, programs, messages, and even photographs in the different levels of the BBS.

A bulletin board system may be located anywhere telephone lines go. Therefore, if a suspect may have stored important information on a BBS, a pen register on the suspect's phone may reveal the location of these stored files. Agents must be careful, though, because sysops have been known to forward incoming calls through a simple phone in one spot to their BBS computers somewhere else. Sometimes these calls hop between houses, and sometimes, between jurisdictions. Investigators cannot assume that the phone number called by the suspect is always the end of the line.

VOICE-MAIL SYSTEMS: A voice-mail system is a complex phone answering machine (computer) which allows individuals to send and receive telephone voice messages to a specific "mailbox" number. A person can call the voice-mail system (often a 1-800 number) and leave a message in a particular person's mailbox, retrieve messages left by other people, or transfer one message to many different mailboxes in a list. Usually, anyone can leave messages, but it takes a password to pick them up or change the initial greeting. The system turns the user's voice into digital data and stores it until the addressee erases it or another message overwrites it. Criminals sometimes use voice mailboxes (especially mailboxes of unsuspecting people, if the criminals can beat the mailbox password) as remote deaddrops for information which may be valuable in a criminal case. Voice mailboxes are located in the message system computer of the commercial vendor which supplies the voice-mail service, or they can be found on the computer at the location called. Voice mail messages can be written on magnetic disk or remain in the computer's memory, depending on the vendor's system.

Of course, all networked systems, whether data or voice, may keep routine and disaster backups.

Table of Contents - Main Federal Guidelines

a. Routine Backups

Making backups is a routine, mandatory discipline on multi-user systems. On larger systems, backups may be created as often as two to three times per working shift. Usually backups are made once per day on larger systems and once per week on smaller ones. Backups are usually stored in a controlled environment to protect the integrity of the data (e.g., locked in a file cabinet or safe). The system administrators will usually have written procedures which set out how often backup copies will be made and where they will be kept. Backups for large systems are often stored at remote locations.

b. Disaster Backups

These are additional backups of important data meant to survive all contingencies, such as fire, flood, etc. As extra protection, the data is stored off-site, usually in another building belonging to the business or in rented storage space. It would be unusual to find the disaster backups near the routine backups or original data. Again, these copies can be stored on diskettes, magnetic tape, or cartridge. A

Table of Contents - Main Federal Guidelines

G. SEARCHING FOR INFORMATION

1. Business Records and Other Documents

Obtaining records from a multi-user computer system raises certain issues that are uncommon in the paper world. When dealing with papers stored in filing cabinets, agents can secure the scene and protect the integrity of the evidence by physically restricting access to the storage container and its papers. Electronic records are, of course, easier to alter or destroy. More important, such alteration or destruction may occur while the agent is looking at a copy of the document on a workstation terminal. Therefore, it is important to control remote access to data while the search is being conducted. This can often be done by prohibiting access to the file or file server in question, either by software commands or by physically disconnecting cables. This should only be done by an expert, however, because altering the system's configuration may have significant unintended results.

If the system administrator is cooperating with investigators, the task becomes much easier, and agents should use the least intrusive means possible to obtain the data (e.g., a request, grand jury subpoena, or admini-strative subpoena). Of course, if the entire business is under investigation or there is reason to believe that records may be altered or destroyed, a search warrant should be used.

Table of Contents - Main Federal Guidelines

2. Data Created or Maintained by Targets

Targets of criminal investigations, particularly computer crimes, may have data on a multi-user computer system. Where the target owns or operates the computer system in question, it is safest to use warrants, although subpoenas may be appropriate in the right case.

Where the target does not control the system but merely has data on it, the sysop may be willing to provide the requested data assuming he has the authority to do so. Never forgetting the legal restraints of 18 U.S.C. § 2702 (see "Stored Electronic Communications," infra p. 82), the sysop can, as a practical matter, probably retrieve the needed data rather easily. Ordinarily, a multi-user computer system will have specific accounts assigned to each user or groups of users. While the various "users" may not be able to get into each others' files, the system operator (like a landlord with passkeys) can usually examine and copy any file in the computer system. (Typically, the sysop has what is called "superuser" authority or "root" access.)

Some systems, by their rules, may prohibit the system managers or operators from reading files in specific data areas or may expressly limit the purposes for which sysops may exercise their access. In those cases, sysops may insist on a court order or subpoena. If, on the other hand, users have consented to complete sysop access in order to use the system, a request to the sysop for the information may be all that is required. In either event, rarely will it be wise for investigating agents to search large computer systems by themselves. Without the sysop's help, it may be difficult (if not impossible) for agents to comb a multi-user computer system the way they search file cabinets for paper records.

When using a subpoena with a future return date, agents should specifically ask for the computerized records as they exist at time of service, and state clearly that service of the subpoena obliges the recipient to preserve and safeguard the subpoenaed information by making a copy. Investigators should explain that even if the recipient contests the subpoena, he must not only copy the data "as is," but must also confirm to the agent that the copy has been made. The subpoena should also say that failure to preserve the subpoenaed information may subject the recipient to sanctions for contempt. In some circumstances, a "forthwith subpoena" may even be appropriate. If all this is not done, the data may be altered or erased--deliberately, accidentally, or in the normal course of business--before the return date on the subpoena.

Table of Contents - Main Federal Guidelines
Supplement - Data Created on Maintained by Targets

3. Limited Data Searches

Once analysts have determined the operating system and have taken precautions to protect the integrity of the data, they will select tools to aid in the search. Using specially designed software called "utilities" will greatly help, because analysts can tailor the search to look for specified names, dates, and file extensions. They can scan disks for recently deleted data and recover it in partial or sometimes complete format. They can also identify and expose hidden files. In some cases, analysts may find files that are not in a readable format; the data may have been compressed to save space or encrypted to control access to it. Here again, utility packages will help recover the data. In designing the data search, they might use a variety of utilities. Some are off-the-shelf software available from most computer retailers. But utility software can also be custom-made, especially designed to perform specific search functions that are specified in standard laboratory procedures. Obviously, agents should rely upon experts for this kind of analysis. (See APPENDIX C, p. 136, for a list of federal sources for experts.)

There are several reasons why analysts will probably want to do a limited rather than a complete search through the data. First of all, the law in general prefers searches of all things--computer data included--to be as discrete and specific as possible. Second, the warrant may specify particular files, directories, or sub-directories, or certain categories of data. Finally, even if the facts of a case give an analyst free rein to search all the data, the economies of scale usually require a more systematic approach. At the least, analysts should plan for a methodical inventory of directories and sub-directories and prepare to document all the steps taken in the search. Because data is so easy to alter or destroy, analysts must have a careful record so that their efforts can be re-created for a court. In examining the data, analysts will probably have to do some sorting--examining things that could be relevant and by-passing the unrelated items. Only rarely will they be allowed to or even want to read everything on the computer system being searched. Even so, caution is advised, because directory headings and file names may often be misleading.

In addition to searching by file, sub-directory, or directory, the power of the computer allows analysts to design a limited search in other ways as well. Computer experts can search data for specific names (like names of clients, co-conspirators, or victims), words (like "drugs," "tax," or "hacking"), places (either geographic locations or electronic ones), or any combination of them. As legal researchers know, if the keyword search is well defined, it can be the most efficient way to find the needle in the haystack. But unless analysts are working from a tip and know how the data is organized, there will probably be some trial and error before they can find the key words, names, or places. In addition, technical problems may complicate a keyword search. For example, encryption, compression, graphics, and certain software formatting schemes may leave data difficult to search in this fashion.

In the list of files contained in a directory or sub-directory, there will be other kinds of information that may indicate whether a particular file should be searched. The names of files in a directory often carry extensions that indicate what sort of file it is or what it does. These file extensions are often associated with common appli-cations software, such as spreadsheets (that could hold accounting data), databases (that can have client information), word processing (which could hold any sort of alphanumeric text), or graphics. There will also be a date and time listed for every file created. Although this information can easily be altered and may be misleading, in some cases it may accurately reflect the last time the file was revised.

Further, the kind of software found loaded on a computer may reveal how the computer has been used. If there is communications software, for example, the computer may have been used to send incriminating data to another computer system at another location. A modem or other evidence of remote access should also tip off the searcher to this possibility, which may expand the investigation and create a need for a new warrant. For example, the original search may disclose phone bills indicating frequent long-distance calls to one particular number. If a call to this number reveals a modem tone, then further investigation would be warranted.

Clearly, the person conducting a computer search should have high-level technical skills to ensure success. Moreover, a well-meaning investigator with amateur skills could inadvertently, but irretrievably, damage the data. When in doubt, rely only on experts.

Table of Contents - Main Federal Guidelines

4. Discovering the Unexpected

a. Items Different from the Description in the Warrant

The Fourth Amendment requires specific descriptions of the places, people, and things to be searched as well as the items to be seized. Specificity has two aspects--particularity and overbreadth. "Particularity" is about detail: the warrant must clearly describe what it seeks. "Breadth" is about scope: the warrant cannot include items for which there is no probable cause. Together, the particularity and breadth limitations prevent general searches of a person's property. Thus, generic classifications in a warrant are acceptable only when a more precise description is not possible. In Re Grand Jury Subpoenas, 926 F.2d 847, 856-7 (9th Cir. 1991).

Despite defense objections, the court upheld the seizure of computer disks not named in the warrant in United States v. Musson, 650 F. Supp. 525, 532 (D. Colo. 1986). The warrant in that case authorized agents to seize various specific records, and the court reasoned that because of the changing technology, the government could not necessarily predict what form the records would take. See also United States v. Reyes, 798 F.2d 380, 383 (10th Cir. 1986); United States v. Lucas, 932 F.2d 1210, 1216 (8th Cir.), cert. denied, 112 S. Ct. 399 (1991). In these days, the safest course is always to assume that particular, clearly described "records" or "documents" may be in electronic form and to provide for this possibility in the warrant. (See "SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS," APPENDIX A,

Other courts, however, have suppressed the results of search warrants which broadly covered electronic "records" in form, but were too vague about their content. In Application of Lafayette Academy, Inc., 610 F.2d 1 (1st Cir. 1979), the court struck a warrant which expressly authorized the seizure of computer tapes, disks, operation manuals, tape logs, tape layouts, and tape printouts. Although the warrant specified that the items must also be evidence of criminal fraud and conspiracy, that limit on content was not sufficiently particular to save the evidence. Id. at 3. See also Voss v. Bergsgaard, 774 F.2d 402, 404-5 (10th Cir. 1985).

Table of Contents - Main Federal Guidelines
Supplement - Items Different from the description in the warrant

b. Encryption

If agents have authority to search the data in a computer or on a disk and find it has been encrypted, how should they proceed--both legally and practically?

Although an encrypted computer file has been analogized to a locked file cabinet (because the owner is attempting to preserve secrecy), it is also analogous to a document written in a language which is foreign to the reader. As both of these metaphors demonstrate, the authority granted by the warrant to search for and seize the encrypted information also brings the implied authority to decrypt: to "break the lock" on the cabinet or to "translate" the document. Indeed, a warrant to seize a car and its contents implicitly authorizes agents to unlock it.

Of course, the rule may be different if the search is based upon consent. A court might well find that a target who has encrypted his data and has not disclosed the necessary password has tacitly limited the scope of his consent. In that case, the better practice is to ask explicitly for consent to search the encrypted material, as well as for the password. If the target refuses, agents should obtain a warrant for the encrypted data.

In United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), the defendant was cooperating with the government by giving them drug-dealing information from encrypted files in his computer memo book. During one interview, the agent learned the defendant's password by standing over his shoulder and watching as he typed it. Later, when the defendant stopped cooperating and started destroying information in the notebook, the agent seized it and used the defendant's password to access the remaining information. The court reasoned that the agent's learning the password was like his picking up the key to the container. When the defendant withdrew his consent to give more information from the memo book, the act which required a warrant was looking inside the container--whether locked or unlocked--not the acquisition or even the use of the key. If the agent did not have authority to search the data, then knowing the password would not confer it. Id. at 1391. Conversely, if the agent does have a warrant for the data, she may break the "lock" to search it. For more comment on the consent issues in the David case, see the discussion at p. 13.

As a practical matter, getting past the encryption may not be easy, but there are several approaches to try. First of all, the computer crime lab or the software manufacturer may be able to assist in decrypting the file. Investigators should not be discouraged by claims that the password "can't be broken," as this may simply be untrue. Some can be done easily with the right software. If that fails, there may be clues to the password in the other evidence seized--stray notes on hardware or desks; scribbles in the margins of manuals or on the jackets of disks. Agents should consider whether the suspect or someone else will provide the password if requested. In some cases, it might be appropriate to compel a third party who may know the password (or even the suspect) to disclose it by subpoena (with limited immunity, if appropriate).

Table of Contents - Main Federal Guidelines

c. Deleted Information
 Table of Contents - Main Federal Guidelines
 Supplement - Deleted Information (NEW)

H. DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION

It is possible for analysts to search for electronic evidence in several places: on-site, at an investigative agency field office, or at a laboratory. The key decision is whether to search at the scene or somewhere else, since an off-site search will require packing and moving the property and may constitute a greater intrusion on the property rights of the computer owner/user. [6] In addressing this issue, it is necessary to consider many factors such as the volume of evidence, the scope of the warrant, and the special problems that may arise when attempting to search computers.

Although it may, practically speaking, be necessary to remove the computer in order to search it, that logistical reality does not expand the theoretical basis of probable cause. This is a completely separate issue, and agents must not write broad warrants simply because, in reality, it will be necessary to seize the entire filing cabinet or computer. Rather, they should draft the warrant for computer records as specifically as possible (akin to a search warrant for papers in a file cabinet) by focusing on the content of the record. Then, as a separate logical step, they should address the practical aspects of each case: whenever searching data "containers" on site would be unreasonable, agents should explain in the affidavit why this is true and ask for permission to seize the containers in order to find the relevant documents. (See "DRAFTING A WARRANT TO SEIZE INFORMATION: Describing the Items to be Seized," infra p. 93.) (If the particular computer storage devices which contain the evidence may also hold electronic mail protected by 18 U.S.C. § 2701, et seq., see "STORED ELECTRONIC COMMUNICATIONS," infra p. 82. If they may contain material covered by the Privacy Protection Act, 42 U.S.C. § 2000aa, see "THE PRIVACY PROTECTION ACT," infra p. 69.)

Table of Contents - Main Federal Guidelines
Supplement - Deciding whether to conduct the search on-site or to remove hardware to another location

1. Seizing Computers because of the Volume of Evidence

Since any document search can be a time-consuming process, cases discussing file cabinet searches are helpful. Although not technically complex, it can take days to search a file cabinet, and courts have sustained off-site searches when they are "reasonable under the circumstances." The key issues here are: (1) how extensive is the warrant and (2) what type of place is to be searched.

Table of Contents - Main Federal Guidelines
Supplement - Seizing computers because of the volume of evidence

a. Broad Warrant Authorizes Voluminous Seizure of Documents

In determining whether agents may take documents from the scene for later examination, they must consider the scope of the warrant. When the warrant directs agents to seize broad categories of records, or even all records (because the suspect's business is completely criminal or infected by some pervasive, illegal scheme), then it is not difficult to argue all papers and storage devices should be seized. In these cases, courts have supported the carting off of whole file cabinets containing pounds of unsorted paper. United States Postal Service v. C.E.C. Services, 869 F.2d 184, 187 (2d Cir. 1989); United States v. Sawyer, 799 F.2d 1494, 1508 (11th Cir. 1986), cert. denied sub nom. Leavitt v. United States, 479 U.S. 1069 (1987). "When there is probable cause to seize all [items], the warrant may be broad because it is unnecessary to distinguish things that may be taken from things that must be left undisturbed." United States v. Bentley, 825 F.2d 1104, 1110 (7th Cir.), cert. denied, 484 U.S. 901 (1987). In such cases, it is not necessary to carefully sort through documents at the scene to insure that the warrant has been properly executed.

This rationale has been extended to computers. In United States v. Henson, 848 F.2d 1374 (6th Cir. 1988), cert. denied, 488 U.S. 1005 (1989), agents searched several used car dealerships for evidence of an interstate odometer rollback scheme. The warrant authorized agents to seize, among other things, "modules, modems and connectors, computer, computer terminals, hard copy user documentation pertaining to files and/or programs, cables, printers, discs, floppy discs, tapes, vendor phone numbers, all original and backup tapes and discs, any other informational data input, all vendor manuals for hardware and software, printouts. . . ." Id. at 1382. The warrant did not require on-site sorting, and the defendants later accused agents of going on a "seizing frenzy." The court, however, sustained the search, observing that the extensive seizures were authorized by the warrant, and the warrant was broad because so was the criminality. The court relied on the rule of reasonableness in concluding that officers were right not to try to sort through everything at the scene.

Since the extensive seizure of records was authorized by the terms of the warrant, it was inevitable that the officers would seize documents that were not relevant to the proceedings at hand. We do not think it is reasonable to have required the officers to sift through the large mass of documents and computer files found in the Hensons' office, in an effort to segregate those few papers that were outside the warrant.

Id. at 1383-4 (emphasis added).

Although the Henson defendants argued that agents seized items not covered by the warrant, this did not invalidate the search. As noted by the court,

A search does not become invalid merely because some items not covered by a warrant are seized . . . . Absent flagrant disregard for the limitations of a search warrant, the items covered by the warrant will be admissible.

Id. at 1383 (citations omitted). See also United States v. Snow, 919 F.2d 1458, 1461 (10th Cir. 1990).

The Eleventh Circuit expressed a similar rule of reasonableness in United States v. Wuagneux, 683 F.2d 1343, 1353 (11th Cir. 1982), cert. denied, 464 U.S. 814 (1983). In Wuagneux, a dozen agents searched the records of a business for a day and a half, and seized between 50,000 and 100,000 documents (approximately one to two percent of those on the premises). Defendants complained that the agents should not have removed whole files or folders in order to take a particular document, but the court disagreed: "To require otherwise 'would substantially increase the time required to conduct the search, thereby aggravating the intrusiveness of the search,'" citing United States v. Beusch, 596 F.2d 871, 876-7 (9th Cir. 1979). The Eighth Circuit reached the same conclusion in Marvin v. United States, 732 F.2d 669 (8th Cir. 1984), where agents searched a clinic for financial information related to tax fraud. The agents seized many files without examining the contents at the scene, intending to copy and sort them later. Although the agents seized some files that were completely outside the warrant, the district court's remedy, upheld on appeal, was to order return of the irrelevant items. The agents' decision not to comb through all the files at the scene, the court noted, was "prompted largely by practical considerations and time constraints." Id. at 675. Accord Naugle v. Witney, 755 F. Supp. 1504, 1516 (D. Utah 1990) (Removing an entire filing cabinet, including items not described in the warrant, was reasonable since the alternative would require officers to remain on the premises for days, a result less reasonable and more intrusive.)

Table of Contents - Main Federal Guidelines
Supplement II - Broad Warrant Authorizes Voluminous Seizure of Documents

b.Warrant is Narrowly Drawn but Number of Documents to be Sifted through is Enormous

The more difficult cases are those in which the sought-after evidence is far more limited and the description in the warrant is (and should be) more limited as well. "When the probable cause covers fewer documents in a system of files, the warrant must be more confined and tell the officers how to separate the documents to be seized from others." United States v. Bentley, supra, at 1110.

The problem of the narrowly drawn, tightly focused warrant is illustrated by United States v. Tamura, 694 F.2d 591 (9th Cir. 1982). Because agents knew exactly what records they sought at a particular business, they were able (and it was reasonable for them) to draft the warrant very specifically. But it was much easier to describe the records than to find them, especially when the company employees refused to help. In the end, the agents simply took all the records including eleven boxes of computer printouts, 34 file drawers of vouchers, and 17 drawers of cancelled checks. Unlike most other cases that address these issues, this court faced a seizure where most of the documents taken were outside the warrant. It concluded, therefore, that "the wholesale seizure for later detailed examination of records not described in a warrant is significantly more intrusive, and has been characterized as 'the kind of investigatory dragnet that the Fourth Amendment was designed to prevent.'" Id. at 595 (citations omitted). Although the court found reversal was not compelled (because the government had been "motivated by considerations of practicality"), it also found this a "close case." Their advice for law enforcement is concrete:

In the comparatively rare instances where documents are so intermingled that they cannot feasibly be sorted on site, we suggest that the Government and law enforcement officials generally can avoid violating Fourth Amendment rights by sealing and holding the documents pending approval by a magistrate of a further search, in accordance with the procedures set forth in the American Law Institute's Model Code of PreArraignment Procedure. If the need for transporting the documents is known to the officers prior to the search, they may apply for specific authorization for largescale removal of material, which should be granted by the magistrate issuing the warrant only where onsite sorting is infeasible and no other practical alternative exists.

Id. at 5956 (footnote omitted).

Table of Contents - Main Federal Guidelines
Supplement - Warrant is narrowly drawn but number of documents to be sifted through is enormous

c. Warrant Executed in the Home

When a search is conducted at a home instead of a business, courts seem more understanding of an agent's predilections to seize now and sort later. In United States v. Fawole, 785 F.2d 1141, 1144 (4th Cir. 1986), ten agents had searched the defendant's home for three and a half hours removing, among other things, 350 documents. Almost half of those papers were in a briefcase, which the agents seized without sorting. Although many things in the briefcase were outside the scope of the warrant, the court found that, under the circumstances, the seizure did not amount to a general, exploratory rummaging in a person's belongings.

Even more extensive were the seizures in United States v. Santarelli, 778 F.2d 609 (11th Cir. 1985). In that case, agents searched the home of a suspected loanshark, confiscating the entire contents of a fourdrawer file cabinet. In the end, they left with eight large boxes of items which they inventoried at the local FBI office. When the defendant objected to this process, the court strongly disagreed:

Given the fact that the search warrant entitled the agents to search for documents . . .it is clear that the agents were entitled to examine each document in the bedroom or in the filing cabinet to determine whether it constituted evidence. . . . It follows that Santarelli would have no cause to object if the agents had entered his home to examine the documents and remained there as long as the search required. The district court estimated that a brief examination of each document would have taken several days. Under these circumstances, we believe that the agents acted reasonably when they removed the documents to another location for subsequent examination. . . . [T]o require an onpremises examination under such circumstances would significantly aggravate the intrusiveness of the search by prolonging the time the police would be required to remain in the home.

Id. at 6156 (citations omitted).

Table of Contents - Main Federal Guidelines

d. Applying Existing Rules to Computers

Clearly, the Tamura court could not have anticipated that the explosion in computers would result in the widespread commingling of documents. While computers are often set up with directories and subdirectories (much like a file cabinet is set up with file folders), many users put data on disks in random fashion. Thus, a particular letter or file could be anywhere on a hard disk or in a box of floppies.

Most important, all of the file-cabinet cases discussed above implicitly rely on the premise that "documents" are readily accessible and ascertainable items; that any agent can find them and (unless the subject is quite technical) can read, sort, and copy those covered by warrant. The biggest problem in the paper cases is time, the days it takes to do a painstaking job. But computer searches have added a formidable new barrier, because searching and seizing are no longer as simple as opening a file cabinet drawer. When agents seize data from computer storage devices, they will need technical skill just to get the file drawer open. While some agents will be "computer literate," only a few will be expert; and none can be expert on every sort of system. Courts have not yet addressed this reality. In the meantime, search warrant planning in every computer case should explore whether agents will ask for off-site search authority in the warrant application.

Table of Contents - Main Federal Guidelines

2. Seizing Computers because of Technical Concerns

a. Conducting a Controlled Search to Avoid Destroying Data

The computer expert who searches a target's computer system for information may need to know about specialized hardware, operating systems, or applications software just to get to the information. For example, an agent who has never used Lotus 1-2-3 (a spreadsheet program) will not be able to safely retrieve and print Lotus 1-2-3 files. If the agent entered the wrong computer command, he could unwittingly alter or destroy the data on the system. This sort of mistake not only alters evidence, but could create problems for the system's owner as well. Since it is the government's responsibility to recover evidence without altering data, the safest course is to rely on experts working in controlled environments.

Additionally, savvy computer criminals may know how to trip-wire their computers with "hot keys" or other self-destruct programs that could erase vital evidence if the system were examined by anyone other than an expert. For example, a criminal could write a very short program that would cause the computer to demand a password periodically and, if the correct password is not entered within ten seconds, it would destroy data automatically. In some cases, valuable evidence has been lost because of the way the computers were handled. Therefore, this concern may make it doubly important to remove the computers, unless an expert determines that an on-site search will be adequate.

Quite obviously, some computers (such as large mainframes) are not easily moved. And some defendants will no doubt argue that if the government can search a mainframe computer on site, it can search PCs on site as well. Even so, the test should not be what is arguably possible, but rather what is the most reasonable, most reliable, and least intrusive way to search each system. The fact that mainframes may pose unique problems should not lead courts to adopt impractical rules for other searches.

In sum, there is ample authority to justify removing computer systems (or the relevant parts of them) to a field office or laboratory in order to search them for information. This is especially true where the warrant is broad, an on-site search will be intrusive, or technical concerns warrant moving the system to a lab. This will not always be the case, however, and agents and their experts should explore searching on site (or making exact copies to search later) whenever it is appropriate. Before agents ask for authority to seize any hardware for an off-site data search, they should analyze the reasons and set them out clearly for the magistrate.

Table of Contents - Main Federal Guidelines
Supplement - Conducting a Controlled Search to Avoid Destroying Data

b. Seizing Hardware and Documentation so the System Will Operate at the Lab

With an ever-increasing array of computer components on the market--and with existing hardware and software becoming obsolete--it may be impossible to seize parts of a computer system (e.g., the CPU and hard drive) and operate them at the laboratory. In fact, there may be times when agents will need to seize every component in the computer system and later have a laboratory computer specialist determine whether or not each piece can be returned. Many hardware incompatibilities exist (even within a given computer family such as IBM-compatible PCs), and the laboratory experts may need to properly re-configure the system back at the lab in order to read data from it.

Peripherals such as printers and special input and display devices may be necessary to operate and display certain software applications. Agents should attempt to learn as much about the system to be searched as possible so that appropriate seizure decisions can be made. If certain peripherals must be seized to insure that the data can be retrieved from storage devices, this should be articulated in the warrant affidavit and covered in the warrant. Then an expert should examine the seized equipment as soon as practicable to determine whether the peripheral devices need to be retained. This approach relies completely on the facts of each case. It will seem reasonable and temperate when the I/O devices seized are essential, but not when the items seized are commercially available and the only justification for the seizure/retention is convenience and not necessity. If in doubt, agents should seek permission to seize the peripherals, and then insure a prompt review at the lab.

Similarly, when agents search and seize a computer system, they should ask for authority to seize any documentation that explains the hardware and software being seized. Documentation found at the scene may be a key in re-assembling the computer, operating it, or using the software on the machine properly. If the computer's user is experienced, he may have customized the software, and the documentation may be required to retrieve data. Although a computer lab may have or be able to obtain many standard varieties of documentation, some of it may not be easily available for purchase. As with hardware or software, the documentation should not be seized unless needed and, if seized, should be returned when no longer required.

Table of Contents - Main Federal Guidelines

I. EXPERT ASSISTANCE

1. Introduction

While planning is important to the success of any search, it is critical in searching and seizing information from computers. Agents should determine, to the extent possible, the type of computer involved, what operating system it uses, and whether the information sought can be accessed by, or is controlled by, a computer literate target.

Answering these questions is key, because no expert can be expert on all systems. Mainframes, for example, are made by various companies (e.g., IBM, DEC, Cray) and often run unique, proprietary operating systems. Even the PC market offers significantly different hardware/software configurations. Although the most common desk-top computer is an IBM or IBM-compatible system, it runs a range of operating systems including DOS (with or without Windows), OS/2, and UNIX. Apple Computers are also popular and run their own unique operating system.

Computer literate targets may attempt to frustrate the proper execution of a search warrant. For example, an ingenious owner might have installed hidden commands that could delete important data if certain start-up procedures are not followed. If this might be the case, experts will take special precautions before the search: they will, for example, start (or "boot") the computer from a "clean" system diskette in a floppy drive, not from the operating software installed on the system. These hidden traps, as well as passwords and other security devices, are all obstacles that might be encountered in a search.

In sum, since computer experts cannot possibly be expert on all systems, it is important to have the correct expert on the scene. Knowing the type of computer to be searched, and the type of operating system being used, will allow the appropriate expert to be selected. This, in turn, will streamline the search process, since the expert may be familiar with the software and file structures on the target machine.

Table of Contents - Main Federal Guidelines
Supplement - Introduction

2. Finding Experts

Most situations will require an expert to retrieve, analyze, and preserve data from the computers to be searched. Oftentimes the job may not be so complex: the records may be stored with a standard brand of software using the DOS (Disk Operating System) format. Some of the most common software programs are WordPerfect (for text), Lotus (for spreadsheets), and dBase (for databases). If it is more complicated than this, however, only an expert in the hardware and software at hand should do the work.

To determine what type of expert will be needed, agents should get as much information about the targeted system as possible. Sources like undercover agents, informants, former employees, or mail covers can provide information about the system at the search site. Once the computer systems and software involved have been identified, an appropriate expert can be found from either the federal or private sector. Ultimately, the expert must use sound scientific techniques to examine any computer evidence.

Table of Contents - Main Federal Guidelines

a. Federal Sources

The best place to find an expert may be in the investigating agency itself. Many federal agencies have experienced people on staff who can help quickly when the need arises, and the list at APPENDIX C provides contact points for various agencies. If the investigating agency lacks an expert in the particular system to be searched, other federal agencies may be able to assist. The trick, of course, is to find the expert while planning for the search and not to start looking after the agents execute the warrant. Prosecutors must allow time to explore the federal network and find the right person.

Most of the federal agencies that routinely execute search warrants for computer evidence have analysts at central laboratories or field experts who can search the seized computer evidence. Many of them will also work on evidence from other federal or state agencies as time permits. It is important to call early to get specific instructions for handling the evidence, and these experts can provide other technical assistance as well. For example, there are many kinds of software (both government and private) which will help process evidence, break passwords, decrypt files, recover hidden or deleted data, or assist investigators in other important ways. Because these utilities are constantly changing, it is important to consult with experts who have them and know how to use them.

Each agency organizes its computer experts differently. For example, the Computer Analysis and Response Team (CART) is a specialized team within the central FBI Laboratory in Washington, D.C., that examines various types of computer evidence for FBI agents nationwide. The IRS, on the other hand, has about seventy decentralized experts, called Seized Computer Evidence Recovery (SCER) Specialists who work in controlled environments across the country. Almost every IRS District has at least one SCER Specialist, and many have two. The Drug Enforcement Administration's forensic computer experts are also experienced in all phases of computer operations related to criminal cases, including data retrieval from damaged media and decryption. The United States Secret Service has approximately twelve special agents who are members of the Electronic Crimes Special Agent Program (ECSAP). These agents are assigned to field offices on a regional basis and are trained in the area of computer investigations and computer forensics. (For a list of federal sources for computer experts, see APPENDIX C, p. 136.)

Table of Contents - Main Federal Guidelines

b. Private Experts

Whatever the source of a private expert, the affidavit should ask permission to use non-law-enforcement personnel during the execution of the search warrant. The issuing magistrate should know why an expert is needed and what his role will be during the search. Agents must carefully monitor the expert to insure that he does not exceed the limits described in the search warrant. Certain experts--those not familiar with the judicial system--are not likely to be expert on how to execute a search warrant, protect chain-of-custody, or resolve search issues that may affect the evidence's admissibility at trial. Thus, a private expert should be paired with an experienced agent every step of the way. In addition, the expert's employment contract should address confidentiality issues, and include a nondisclosure clause and a statement of Privacy Act restrictions. If the contracting agency is the IRS, pay special note to Internal Revenue Code provisions at 26 U.S.C. § 6103, which address rules for confidentiality and nondisclosure of tax return information.

Table of Contents - Main Federal Guidelines

1. Professional Computer Organizations

Many professional computer organizations have members who are experts in a wide variety of hardware and software. Computer experts from the government are a good source for finding a private expert, for the organizations and contacts between them change almost as fast as the technology. Also, one advantage of using a professional organization as the source of an expert is that these organizations usually have members who work routinely with federal or state law enforcement and are therefore familiar with handling evidence and testifying.

2. Universities

Another source for experts is a university, especially for high-tech crimes involving rare kinds of hardware or software. The academic environment attracts problem-solvers who may have skills and research contacts unavailable in law enforcement.

3. Computer and Telecommunications Industry Personnel

In some cases, the very best expert may come from a vendor or service provider, particularly when the case involves mainframes, networks, or unusual systems. Many companies such as IBM and Data General employ some experts solely to assist various law enforcement agencies on search warrants.

4. The Victim

Finally, in some circumstances, an expert from the victim organization may be the best choice, especially if the hardware configuration or software applications are unique to that organization. Agents and prosecutors must, of course, be sensitive to potential claims of bias. Many relevant issues, such as estimates of loss, may pose a considerable gray area. Even if the victim-expert is completely dispassionate and neutral in her evaluation, her affiliation with and loyalty to the victim organization may create a bias issue later at trial.

Table of Contents - Main Federal Guidelines

3. What the Experts Can Do

a. Search Planning and Execution

Agents and prosecutors who anticipate searching and seizing computers should include a computer expert in the planning team as early as possible. Experts can help immeasurably in anticipating the technical aspects of the search. This not only makes the search smoother, it is important information for designing the scope of the warrant. In particular, if agents can give the expert any information about the target's specific computer system, the expert may be better able to predict which items can be searched at the scene, which must be seized for later analysis, and which may be left behind.

Further, if the computer system is unusual or complex, technical experts can be invaluable help at the scene during the search. Particularly when evidence resides on computer networks, backup tapes, or in custom-tailored systems, the evidence will be safest in the hands of an expert.

Table of Contents - Main Federal Guidelines

b. Electronic Analysis

The experts will examine all the seized computer items (so long as they are properly preserved and sealed) and will recover whatever evidence they can. Most forensic computer examiners will perform at least the following: (1) make the equipment operate properly; (2) retrieve information; (3) unblock "deleted" or "erased" data storage devices; (4) bypass or defeat passwords; (5) decipher encrypted data; and (6) detect the presence of known viruses.

The data to be searched can consist of hundreds or even thousands of files and directories. In some cases, there will be evidence in most of the files seized, and in others, only a small fraction of them. Once the analyst has protected the original data from change, she must begin to search for the relevant material.

A good first step is to print out a directory of the information contained on a hard drive or floppy disk. Directories give valuable information about what is in the files, when they were created, and how long they are. Of course, analysts will not entirely trust file names, as hackers have been known to hide highly incriminating material in files with innocuous names and misleading dates.

Once the analyst has printed a directory, he will probably log onto the hard or floppy drive and look at each file, noting on the printed directory (or a separate log sheet if available) the type of information in each file and whether it appears relevant. Relevant files can be copied onto a separate disk or printed out in hard copy. It is a good idea always to review files from bit-stream copies (which record each separate bit of information, including hidden files) or in "read only" mode so that the reviewer can read the document but cannot edit it. This way, the agents can later testify that the seized material could not have been mistakenly altered during the review. Of course, there is more than one "right way" to analyze electronic evidence, and experts must deal with the circumstances of each case. Ultimately the analyst must adhere to sound scientific protocols in recovering and examining computer-related evidence, and keep clear and complete records of the process.

Table of Contents - Main Federal Guidelines

c. Trial Preparation

Computer forensic experts can help prosecute the case with advice about how to present computer-related evidence in court. Many are experienced expert witnesses and they can (1) help prepare the direct case; and (2) anticipate and rebut defense claims. In addition, computer experts can assist prosecutors in complying with the new federal rules pertaining to expert witnesses, Fed. R. Evid. 16(a)(1)(E) and 16(b)(1)(C), effective December 1, 1993. Under these rules, the government must provide, upon request, a written summary of expert testimony which it intends to use during its case in chief. There is a reciprocal requirement for the summary of defense expert witness testimony, as long as the defense has requested a summary from the government, and the government has complied.

Table of Contents - Main Federal Guidelines

d. Training for Field Agents

Before a computer case ever arises, experts can train agents and prosecutors about computer search problems and opportunities. They can teach investigators how to preserve and submit computer evidence for examination, and many will also provide field support as time permits.

J. DISKETTES AND OTHER "CONTAINERS" (NEW SECTION)

Table of Contents - Main Federal Guidelines
Supplement II - Diskettes and Other Containers




----- footnotes ------

[3] Any home PC can be connected to a network simply by adding a modem. Thus, in any case where a modem is present, agents should consider the possibility that the computer user has stored valuable information at some remote location. [Back]

[4] CD-ROM stands for Compact Disk - Read Only emory. Much like a compact disk for music, it allows the user to search for and read information without being able to alter it. [Back]

[5] WORM stands for Write Once Read Many. The user can write large amounts of information to a platter (a large disk); but once written, the platter can only be read, not altered. [Back]

[6] If hardware is going to be removed from the site, refer to the suggestions on packing and moving hardware, supra p. 30. [Back]

Go to . . . Table of Contents - Main Federal Guidelines

CCIPS || Justice Home Page


Updated Page May 9, 1999
usdoj-jmd/irm/css/imc