|
This manual is the 1994 edition. For a more recent
edition and additional resources, please visit www.cybercrime.gov/searching.html
|
PREFACE INTRODUCTION I. KEY TERMS AND CONCEPTS A. DEFINITIONS B. LIST OF COMPUTER SYSTEM COMPONENTS C. DETERMINING THE COMPUTER'S ROLE IN THE OFFENSE II. GENERAL PRINCIPLES A. SEARCH WARRANTS B. PLAIN VIEW C. EXIGENT CIRCUMSTANCES D. BORDER SEARCHES E. CONSENT SEARCHES 1. Scope of the Consent 2. Third-Party Consent a. General Rules b. Spouses c. Parents d. Employers e. Networks: System Administrators F. INFORMANTS AND UNDERCOVER AGENTS G. AGENCY ISSUES (NEW SECTION)
III. SEIZING HARDWARE A. THE INDEPENDENT COMPONENT DOCTRINE B. HARDWARE AS CONTRABAND OR FRUITS OF CRIME 1. Authority for Seizing Contraband or Fruits of Crime 2. Contraband and Fruits of Crime Defined C. HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE 1. Authority for Seizing Instrumentalities 2. Instrumentalities Defined D. HARDWARE AS EVIDENCE OF AN OFFENSE 1. Authority for Seizing Evidence 2. Evidence Defined E. TRANSPORTING HARDWARE FROM THE SCENE IV. SEARCHING FOR AND SEIZING INFORMATION A. INTRODUCTION B. INFORMATION AS CONTRABAND C. INFORMATION AS AN INSTRUMENTALITY D. INFORMATION AS EVIDENCE 1. Evidence of Identity 2. Specific Types of Evidence a. Hard Copy Printouts b. Handwritten Notes E. PRIVILEGED AND CONFIDENTIAL INFORMATION 1. In General a. Doctors, Lawyers, and Clergy b. Publishers and Authors 2. Targets 3. Using Special Masters F. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND-ALONE PCs, NETWORKS AND FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS, AND ELECTRONIC MAIL 1. Stand-Alone PCs a. Input/Output Devices: Do Monitors, Modems, Printers, and Keyboards Ever Need to be Searched? b. Routine Data Backups 2. Networked PCs a. Routine Backups b. Disaster Backups G. SEARCHING FOR INFORMATION 1. Business Records and Other Documents 2. Data Created or Maintained by Targets 3. Limited Data Searches 4. Discovering the Unexpected a. Items Different from the Description in the Warrant b. Encryption c. Deleted Information (New Section) H. DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION 1. Seizing Computers because of the Volume of Evidence a. Broad Warrant Authorizes Voluminous Seizure of Documents b. Warrant is Narrowly Drawn but Number of Document to be Sifted through is Enormous c. Warrant Executed in the Home d. Applying Existing Rules to Computers 2. Seizing Computers because of Technical Concerns a. Conducting a Controlled Search to Avoid Destroying Data b. Seizing Hardware and Documentation so the System Will Operate at the Lab I. EXPERT ASSISTANCE 1. Introduction 2. Finding Experts a. Federal Sources b. Private Experts (1) Professional Computer Organizations (2) Universities (3) Computer and Telecommunications Industry Personnel (4) The Victim 3. What the Experts Can Do a. Search Planning and Execution b. Electronic Analysis c. Trial Preparation d. Training for Field Agents J. DISKETTES AND OTHER "CONTAINERS" (NEW SECTION) V. NETWORKS AND BULLETIN BOARDS A. INTRODUCTION B. THE PRIVACY PROTECTION ACT, 42 U.S.C. § 2000aa 1. A Brief History of the Privacy Protection Act 2. Work Product Materials 3. Documentary Materials 4. Computer Searches and the Privacy Protection Act a. The Reasonable Belief Standard b. Similar Form of Public Communication c. Unique Problems: Unknown Targets and Commingled Materials 5. Approval of Deputy Assistant Attorney General Required 6. Liability Under the Privacy Protection Act (New Section)
C. STORED ELECTRONIC COMMUNICATIONS D. STORED WIRE COMMUNICATIONS (NEW SECTION)
VI. DRAFTING THE WARRANT A. DRAFTING A WARRANT TO SEIZE HARDWARE B. DRAFTING A WARRANT TO SEIZE INFORMATION 1. Describing the Place to be Searched a. General Rule: Obtain a Second Warrant b. Handling Multiple Sites within the Same District c. Handling Multiple Sites in Different Districts d. Information at an Unknown Site e. Information/Devices Which Have Been Moved 2. Describing the Items to be Seized 3. Removing Hardware to Search Off-Site: Ask the Magistrate for Explicit Permission. 4. Seeking Authority for a No-Knock Warrant a. In General b. In Computer-Related Cases VII. POST-SEARCH PROCEDURES A. INTRODUCTION B. PROCEDURES FOR PRESERVING EVIDENCE 1. Chain of Custody 2. Organization 3. Keeping Records 4. Returning Seized Computers and Materials a. Federal Rules of Criminal Procedure: Rule 41(e) b. Hardware c. Documentation d. Notes and Papers e. Third-Party Owners VIII. EVIDENCE A. INTRODUCTION B. THE BEST EVIDENCE RULE C. AUTHENTICATING ELECTRONIC DOCUMENTS 1. "Distinctive" Evidence 2. Chain of Custody 3. Electronic Processing of Evidence D. THE HEARSAY RULE IX. APPENDICES APPENDIX A: SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS 1. Tangible Objects a. Justify Seizing the Objects b. List and Describe the Objects (1) Hardware (2) Software (3) Documentation (4) Passwords and Data Security Devices 2. Information: Records, Documents, Data a. Describe the Content of Records, Documents, or other Information b. Describe the Form which the Relevant Information May Take c. Electronic Mail: Searching and Seizing Data from a BBS Server under 18 U.S.C. § 2703 (1) If All the E-Mail is Evidence of Crime (2) If Some of the E-Mail is Evidence of Crime (3) If None of the E-Mail is Evidence of Crime d. Ask Permission to Seize Storage Devices when Off-Site Search is Necessary e. Ask Permission to Seize, Use, and Return Auxiliary Items, as Necessary f. Data Analysis Techniques 3. Stipulation for Returning Original Electronic Data APPENDIX B: GLOSSARY APPENDIX C: FEDERAL EXPERTS FOR COMPUTER CRIME INVESTIGATIONS APPENDIX D: COMPUTER SEARCH AND SEIZURE WORKING GROUP APPENDIX E: STATUTORY POPULAR NAME TABLE APPENDIX F: TABLE OF AUTHORITIES Cases Statutes Federal Rules Federal Regulations Legislative History Reference Materials