The fourth amendment requires that a forensic analysis of a computer be

Collecting and Preserving Digital Evidence

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Search Warrant Requirements

A search warrant is a document signed by a magistrate giving law enforcement officers the authority to search a specified place for specific items that are particularly described in the warrant. A warrant must be based on another document called an affidavit, which is signed under oath by some person (a police officer or any other person) expressing the belief that certain items will be found at the location to be searched and giving facts that support the belief. Those facts must constitute probable cause that the objects of the search will be found at the described location. Only those items specifically named in the warrant can be searched for. A warrant can authorize the search and seizure of computer hardware, digital information, or both. Overly broad language (such as authorization to seize “all records” or “all computers”) can result in the warrant being invalidated; the warrant must specify the crime(s) to which the evidence pertains.

On the Scene

Affidavit Checklist

The affidavit for a search warrant should articulate probable cause that:

An offense has been committed (specify by name and penal code number).

Digital evidence is located at the named location.

The digital evidence is associated with the crime (tell how).

The digital evidence is associated with a particular person/suspect (name or describe).

The affidavit should be specific enough to satisfy the legal requirements but remain as general as possible so as not to exclude any evidence that might be found.

Search warrants can be obtained to search for specific types of property or for a person. State laws usually define exactly what things a search warrant can be issued for. For example, under the Texas Code of Criminal Procedures, section 18.02, search warrants can be issued to search for any of the following:

Property that was acquired illegally (through theft, fraud, and so on)

Property that was made, designed, or adapted for use to commit an offense and implements or instruments that were used in committing a crime (the tools of the crime, such as a computer used to launch a network attack)

Contraband (property that is illegal to own; this would include child pornography intended for the suspect's own use)

Illegal drugs, prohibited weapons, and illegal gambling equipment

Obscene material for commercial distribution (this would include child pornography intended for commercial distribution as well as other materials deemed “obscene” that are intended for commercial distribution)

Evidence of a crime

A person

Search warrants and the supporting affidavits must follow strict guidelines as to form and content, and the reliability of the affiant (the person signing the affidavit) must be established to the satisfaction of the magistrate who issues the warrant. From the officer's point of view, it is always preferable to have a search warrant rather than searching without a warrant, because a warrant relieves the officer of the responsibility of showing that probable cause and/or applicable exceptions to the search warrant requirements existed.

Note

Generally, a copy of the search warrant must be served on the person in control of the premises being searched or left or posted in a prominent place if there is no one there to accept service. In some cases, courts have authorized so-called “sneak and peek” warrants that do not require officers to provide notification that a search has been conducted.

A related matter is the “no-knock” warrant. Generally, officers are required to announce their presence when they serve a search warrant and identify themselves as law enforcement officers. However, courts have held that the announcement is not required if it would result in danger to the life of some person or destruction of evidence. Because computer evidence can be so easily and quickly destroyed, officers with search warrants for digital evidence are often held to be justified in forgoing the announcement.

Special problems can arise in constructing search warrants for electronic evidence, because of the intangible nature of the evidence. For example, a suspect can move or destroy computer data quickly and easily without leaving the premises. A person with technical expertise should advise the officers and magistrate regarding the technical aspects of searching for and collecting digital evidence based on the facts of a particular case. It is just as important, if not more important, to gather all the information possible about the object of the warrant in a computer-related case as in one involving the search of a physical location. This includes the hardware platforms, operating system environment, and software applications in use, as well as the network connections and configuration. This specificity will help pinpoint the types of files to look for in the search and possible locations where they might be stored.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000157

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Reasonable Searches

The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure by the government. In all cases involving seized evidence, if a court determines the evidence was obtained illegally then it will be inadmissible in court. In most circumstances in order for law enforcement to search a private citizen’s property both probable cause and a search warrant issued by a judge are required. The search warrant will specify the area that will be searched and what law enforcement is searching for.

There are circumstances that do not require a search warrant, such as if the property is in plain sight or at public checkpoints. One important exception to the requirement for a search warrant in computer crimes is that of exigent circumstances. Exigent circumstances are those in which there is an immediate threat to human life or of evidence being destroyed. A court of law will later decide whether the circumstances were such that seizure without a warrant was indeed justified.

Search warrants only apply to law enforcement and those who are acting under the color of law enforcement. If private citizens carry out actions or investigations on behalf of law enforcement, then these individuals are acting under the color of law and can be considered agents of law enforcement. An example of acting under the color of law would be when law enforcement becomes involved in a corporate case and corporate security professionals seize data under the direct supervision of law enforcement. If a person is acting under the color of law, then they must be cognizant of the Fourth Amendment rights related to unreasonable searches and seizures. A person acting under the color of law who deprives someone of his or her constitutionally protected rights can be found guilty of having committed a crime under Title 18 U.S.C. Section 242, Deprivation of Rights Under Color of Law.

A search warrant is not required if law enforcement is not involved in the case. However, organizations should exercise care in ensuring that employees are made aware in advance that their actions are monitored, and that their equipment, and perhaps even personal belongings, are subject to search. Certainly, these notifications should only be made if the organization’s security policy warrants them. Further, corporate policy regarding search and seizure must take into account the various privacy laws in the applicable jurisdiction.

Note

Due to the particular issues unique to investigations being carried out by, or on behalf of, law enforcement, an organization will need to make an informed decision about whether, or when, law enforcement will be brought in to assist with investigations.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000023

The Computer Investigation Process

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Preparing for Searches

Because search warrants aren't required in all situations, you should try to identify whether one is needed early in the investigation. In doing so, you should ask the following questions:

Does the company or complainant own the computer? If so, permission can be given to search the machine.

Does the company have a legitimate reason for searching the computer? If not, the employee using the computer could have reason for civil litigation.

Have employees been warned that the company has the right to search the machine? As we'll discuss later in this chapter, by warning employees that computers may be searched at any time, the employee has little to no recourse if anything has been found on his or her machine.

If there are no legal grounds to search the computer without a warrant, statements and any documented evidence pertaining to the incident should be collected. Statements should include as many details as possible, providing a timeline of when events took place and what occurred. Statements should be gathered from anyone associated with the incident, and this should be done as soon as possible so that memories of the event aren't diluted over time. Gathering statements in this manner provides information that can be used to obtain a search warrant, and can be used as evidence later on if the case goes to trial.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000054

Legal

Margaret Phipps Brown, in Digital Forensics, 2016

Search warrants

The Fourth Amendment requires that search warrants be based upon probable cause and that search warrants particularly describe the evidence being sought and the premises to be searched. In general, applications for search warrants in digital data cases are very specific and longer than other search warrant applications (United States Department of Justice, 2009). Law in this area is far from settled. Courts have wrestled with questions of how much explanation is necessary to justify a computer search and how much specificity is required to authorize searching a computer once a search warrant has been obtained.

Probable cause to search a computer is established when there is reason to believe that a suspect is in possession of incriminating evidence that can be found on a computer and that the computer is likely to be found in a particular location (United States Department of Justice, 2009).

Computer search warrants authorize law enforcement officials to seize a computer and search it offsite (United States v. Schandl, 1991). When a search warrant authorizes police to search for records or documents, the search warrant will generally cover seizure of a computer from the location of the search (People v. Gall, 2001). Once the computer has been seized, it is advisable to obtain a separate search warrant authorizing search of the computer. It is good practice for a computer search warrant to specify not only computers, but other storage media that might contain evidence (United States Department of Justice, 2009).

A search warrant authorizing the search of a computer generally authorizes law enforcement officials to search all of the data on the computer, since evidence can be stored anywhere on a computer (United States v. Williams, 2010). The rapidly increasing capacity of personal computers and privacy or confidentiality of data have called into question whether restrictions should be placed on how extensive a computer search can be. Possible accommodation of these concerns includes ex ante restrictions placed by the issuing judge on the search or appointment of special master to review evidence prior to its release to law enforcement for use in criminal cases (Kerr, 2013).

Search warrants must be executed promptly, usually within 10 days of issuance (Fed, in press; Fed. R. Crim. Pro. 41). This requirement applies to seizure of the computer, not the physical search of computer data.


URL: https://www.sciencedirect.com/science/article/pii/B9780128045268000095

Case Studies

Brett Shavers, in Placing the Suspect Behind the Keyboard, 2013

Evidence leads to more evidence

During the collection of storage media at a search warrant related to a gang shooting, a smartphone is seized. There are several computer systems to be examined and only one forensic examiner. Where do you start?

Case in Point

State of Wisconsin v Brian Pierick, 2010

During a search warrant executed at a residence, two iPhones were seized along with other items. An analysis of the iPhones recovered sexually explicit chat messages with juveniles. Coupled with child pornography discovered on seized computers, investigators continued the investigation to obtain even more evidence of these crimes, including postings on Craigslist that were pertinent to the case.

Investigative Tips: The forensic examiner has to decide which examination to start with. Ideally, the first examination is the one that cries for attention as a priority. In one case, this could be the laptop. In another case, it may be the smartphone or a flash drive. All things being equal, the smartphone may be a good piece of evidence to start your examinations with.

As in the case in point above, investigators not only examined the iPhones, but requested the call detail records, which helped to identify victims. The analysis of mobile devices such as smartphones can yield a wealth of evidence, and much of that evidence can place a suspect at any location that has been logged either by GPS on the phone or through cell tower records. Being able to reconstruct a suspect's historical location and movement helps prove or disprove alibis. It also helps to identify locations where additional evidence may exist.

Although smartphones capable of geolocation through GPS logging or by embedding EXIF data in photos are incredible items of evidence for suspect locations, laptops may contain some of the same location information, as they are almost as portable as a smartphone.

As shown throughout this book, the combination of investigative techniques and forensic processes helps place the suspect at a location and behind a keyboard, but these same processes help find clues and lead to additional evidence and victim identification. Of course, there is always the question of how much effort to place in an investigation when there is enough evidence to prove an allegation in a legal hearing, but when unidentified victims exist, sometimes you should consider going the extra ten yards. The victims will appreciate your effort.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499859000113

X-Ways Forensics and Criminal Investigations

Brett Shavers, Eric Zimmerman, in X-Ways Forensics Practitioner’s Guide, 2014

Adding evidence items

Add your evidence through the File | Add Medium menu command. XWF will see all attached storage devices, so add each available object to the case. This example is an onsite preview, where time is generally important; the specific circumstances of your investigation dictate the type of evidence for which you will search. For example, in matters relating to child exploitation, you will generally search for pictures and videos, evidence of peer-to-peer programs, etc. Other crimes will have different types of relevant artifacts, such as e-mail or Internet use in crimes involving stalking.

For our example, we will focus on an investigation related to the possession of child pornography. In this scenario, we will be primarily interested in reviewing pictures and videos found on the computer. We may also be interested in data carving for these file types. Remember that data carving takes time but with XWF, you can data carve with Refine Volume Snapshot (RVS) and conduct a preview at the same time by starting the RVS in one instance of XWF and previewing the hard drive in another.

Once your evidence items have been added, open the RVS by pressing F10. As we already know the specific types of files that we are interested in finding, namely pictures and videos, select only these categories in the File Header Search options. Other RVS options may be helpful, such as Compute hash and Match hash values against hash database, if you have a hash set containing known child pornography hash values. For each additional selection in the RVS, the time to complete the process may increase. We suggest using the RVS for pictures and videos in order to quickly find evidence of files that previously existed (deleted files recoverable by carving).

As the RVS is processing, start a new session of XWF. Within the new session of XWF, Explore recursively on an evidence object and then use the Type filter in the Directory Browser (Chapter 3 covers filtering in more detail). Next, switch to Gallery mode and XWF will generate thumbnails of the graphic files found in the evidence object. Figure 10.1 shows the gallery view of graphics. If, after reviewing the existing graphics and videos, you have not found evidence, the RVS may be near completion, giving you additional files for review.
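The two RVS steps above, file header search and hash matching, as an added example in Python that is not X-Ways code: it types files by their header bytes rather than by extension, hashes the picture/video hits, and flags both matches against a known-hash set and files whose extension disagrees with their header. The signature table, the sample files and the hash set are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Set

# (offset, magic bytes, category/type) for the picture and video types this
# triage selects. A constructed subset; a real file header search has many more.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "picture/jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "picture/png"),
    (0, b"GIF87a", "picture/gif"),
    (0, b"GIF89a", "picture/gif"),
    (4, b"ftyp", "video/mp4"),          # ISO BMFF: 'ftyp' box starts at offset 4
    (0, b"\x1a\x45\xdf\xa3", "video/matroska"),
    (0, b"RIFF", "video/avi"),          # RIFF container; 'AVI ' form type checked below
]

# Extensions that agree with each detected type (constructed list).
EXPECTED_EXT = {
    "picture/jpeg": {".jpg", ".jpeg"},
    "picture/png": {".png"},
    "picture/gif": {".gif"},
    "video/mp4": {".mp4", ".m4v", ".mov"},
    "video/matroska": {".mkv", ".webm"},
    "video/avi": {".avi"},
}


def identify(header: bytes) -> Optional[str]:
    """Return the category/type for a file header, or None if not a selected type."""
    for offset, magic, ftype in SIGNATURES:
        if header[offset:offset + len(magic)] != magic:
            continue
        if ftype == "video/avi" and header[8:12] != b"AVI ":
            continue  # RIFF but not AVI (e.g. WAV audio): outside our categories
        return ftype
    return None


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_header_search(root: str, known_hashes: Set[str]) -> List[Dict[str, object]]:
    """Type every file under root by header, hash the hits, build report-table rows."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                header = f.read(16)
            ftype = identify(header)
            if ftype is None:
                continue  # not a picture or video; skip like a category filter would
            digest = sha256_file(path)
            ext = os.path.splitext(name)[1].lower()
            rows.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "type": ftype,
                "sha256": digest,
                "hash_match": digest in known_hashes,
                # extension disagrees with the header: the file was likely renamed
                "ext_mismatch": ext not in EXPECTED_EXT[ftype],
            })
    return rows


def build_sample_evidence(root: str) -> Set[str]:
    """Write constructed sample files under root; return a constructed known-hash set."""
    samples = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"JFIF-constructed" * 4,
        "docs/notes.txt":     b"\xff\xd8\xff\xe1" + b"renamed-jpeg" * 4,  # JPEG hidden as .txt
        "photos/logo.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "media/clip.mp4":     b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32,
        "media/song.wav":     b"RIFF\x00\x00\x00\x00WAVEfmt " + b"\x00" * 16,  # RIFF, not AVI
        "docs/readme.txt":    b"plain text, not a picture or video\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Constructed hash set: treat the renamed JPEG as a known file of interest.
    return {hashlib.sha256(samples["docs/notes.txt"]).hexdigest()}


def run_demo() -> List[Dict[str, object]]:
    """Build the sample evidence in a temporary directory and search it."""
    with tempfile.TemporaryDirectory() as root:
        known = build_sample_evidence(root)
        return file_header_search(root, known)


if __name__ == "__main__":
    for row in run_demo():
        flags = [k for k in ("hash_match", "ext_mismatch") if row[k]]
        print(f"{row['path']:22} {row['type']:16} {row['sha256'][:12]}  {' '.join(flags)}")
```

The report rows stand in for a report table association: the renamed JPEG is reported as a picture despite its .txt extension and is flagged by its hash, while the WAV and plain text files are filtered out by header.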


Figure 10.1. Gallery view of graphic files.

Depending on your legal authority (consent or search warrant for example), additional options become available once evidence is found, e.g., a probable cause arrest, seizure of digital media, another search warrant, or a violation of parole.

XWF Tips and Tricks

Don’t turn off the computer yet!

Prior to exiting XWF and shutting down the computer, ensure that you adequately document and preserve what you have found by using one or more report table associations and using Recover/copy to export any evidence that has been found. As encrypted systems become more common, you may be unable to access the data again once the system is shut down if encryption is in use. By exporting relevant files and generating a report before shutdown, you ensure that you at least have the items you found during your initial search.

In the case of United States of America v Jeffery Feldman, the court declined an application to compel Feldman to turn over his decryption keys. This left investigators unable to access the electronic evidence (Order Denying Application to Compel Decryption, 2013).

Another factor to consider is whether to create an image of the system as it is running (live). For any number of reasons, imaging onsite may be a good option. If you know or even suspect encryption is being used, it is critical to image the logical partitions before shutting down the computer.

As a search progresses, the relevancy of the computer being examined will increase or decrease depending on the data found. You should use your own judgment to determine how much time to spend reviewing a computer before deciding whether it is or is not of interest.

If no pictures or videos are found, it may be necessary to examine additional artifacts on the computer, such as the registry, shortcut files, installed applications, etc. The quickest way to home in on these types of files is to use Directory Browser filters (the Category filter is particularly useful in this scenario). Once a given type of artifact is located, use the various features of XWF such as Preview and Details mode, the Registry Viewer, etc., to drill down into those files.


URL: https://www.sciencedirect.com/science/article/pii/B9780124116054000107

High-Technology Crimes: Case Summaries

Dr. Gerald L. Kovacich, Dr. Andy Jones, in High-Technology Crime Investigator's Handbook (Second Edition), 2006

FEDERAL AGENTS HAVE CARRIED OUT SEARCHES IN AT LEAST TWO STATES AS PART OF THE INVESTIGATION INTO THE THEFT OF SOCIAL SECURITY NUMBERS AND OTHER PERSONAL INFORMATION FROM DATABASE GIANT LEXISNEXIS INC.

“Secret Service and FBI agents executed a search warrant in Minnesota, while FBI agents conducted 10 searches in northern California, federal law enforcement officials said Thursday. The search in Minnesota is ‘definitely the LexisNexis case,’ said Mike Brooks, an FBI spokesman in Ohio. No arrests have been made in connection with the searches, which were carried out in recent days…. LexisNexis disclosed in March that hackers had commandeered a database and gained access to the personal files of as many as 32,000 people. The company has since increased its estimate of the people affected to 310,000.

The breaches were uncovered during a review and integration of the systems of Seisint Inc. shortly after LexisNexis bought the Boca Raton, Florida-based unit for $775 million in August. Seisint's databases store millions of personal records including individuals' addresses and social security numbers. Customers include police and legal professionals and public and private sector organizations. Information accessed included names, addresses, social security and driver's license numbers, but not credit history, medical records, or financial information, corporate parent Reed Elsevier Group PLC said in a statement. It was the second such infiltration at a large database provider in recent months. Rival ChoicePoint Inc. said in February that the personal information of 145,000 Americans may have been compromised by thieves posing as small business customers.”34

Commentary: This case is included to give you some idea of what investigators are attempting to do in such cases of information thefts. The number of searches at the various locations shows how widespread such crimes can be.


URL: https://www.sciencedirect.com/science/article/pii/B9780750679299500567

Legal

John Sammons, in The Basics of Digital Forensics (Second Edition), 2015

Searching with a warrant

Absent one of the well-defined exceptions described here, police officers must have a search warrant before searching someone’s private property, including a computer.

A search warrant is an order that is obtained by a law enforcement officer from a judge, granting them permission to search a specific place and seize specific persons or things.

A judge will issue the warrant when he or she believes that there is probable cause that a crime was committed and that the people or things specified in the warrant will be found at that location. The Supreme Court said that probable cause is established when there is “a fair probability that contraband or evidence of a crime will be found in a particular place” (Illinois v. Gates, 1983). Another way to look at this is whether the items or persons to be seized will be more likely than not to be found at that specific location. Mathematically, this would equate to a probability of 51 percent.

When applying for a warrant, it’s helpful to determine the role of the computer in the crime. The computer can be considered contraband if it contains child pornography or is stolen property. The computer can also be used to store evidence, such as incriminating documents. Finally, the computer can serve as a tool or instrumentality of the crime. This is the case when the computer is used to hack into a company’s network, for example.

Seize the hardware or just the information?

We know from the Fourth Amendment that a search warrant must “particularly describe the place to be searched and the person or things to be seized.” To effectively meet that requirement, we first need to understand precisely what we need to seize. In short, is it the hardware or the information held by the hardware? If the computer is contraband, evidence, or fruits or instrumentalities of a crime, then we need to establish probable cause to seize the hardware. Otherwise, our focus is on the information alone.

Particularity

Courts frown heavily on overly broad affidavits that lack the particularity mandated by the Fourth Amendment. Affidavits should make it clear what items can be seized and what can’t. “Particularly” describing things that you likely have never seen may seem like an impossible task. It’s really not. Serial numbers and the like are not required.

Here is some sample language I recommend that could be used:

“Any and all personal computer(s)/computing system(s) located at the residence of (INSERT ADDRESS HERE), to include input and output devices, electronic storage media, computer tapes, scanners, disks, diskettes, optical storage devices, printers, monitors, central processing units, and all associated storage media for electronic data, together with all other computer-related operating equipment and materials.”

Describing the information can be done in a somewhat similar fashion. Although we probably don’t know the file names, for example, it’s quite possible that we would know the suspect’s name, the time period, and the specific crime that’s being investigated. The courts are looking for some type of limiting language. Asking for “any and all files” on a suspect’s hard drive stands a very good chance of being deemed overly broad, resulting in the suppression of any evidence found.

Establishing need for offsite analysis

The forensic analysis of a hard drive can be a very time-consuming process. For a variety of reasons, this is best done at the lab or police station. For all intents and purposes, doing this at the scene contemporaneously with the search should not be the first option. The search warrant affidavit should spell out, in clear terms, the logic and need for this practice. Reasons can include the amount of time and data involved and potential use of anti-forensic techniques, as well as the need to perform this task under the more controlled conditions (like those found in the lab). This is one way to make this point in an affidavit:

“Computer storage devices (like hard disks or CD-ROMs) can store the equivalent of millions of pages of information. Additionally, a suspect may try to conceal criminal evidence; he or she might store it in random order with deceptive file names. This may require searching authorities to peruse all the stored data to determine which particular files are evidence or instrumentalities of crime. This sorting process can take weeks or months, depending on the volume of data stored, and it would be impractical and invasive to attempt this kind of data search [onsite].

“Technical requirements. Searching computer systems for criminal evidence sometimes requires highly technical processes requiring expert skill and [a] properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in some systems and applications, so it is difficult to know before a search which expert is qualified to analyze the system and its data. In any event, however, data search processes are exacting scientific procedures designed to protect the integrity of the evidence and to recover even “hidden,” erased, compressed, password-protected, or encrypted files. Because computer evidence is vulnerable to inadvertent or intentional modification or destruction (both from external sources or from destructive code imbedded in the system as a “booby trap”), a controlled environment may be necessary to complete an accurate analysis” (Executive Office for United States Attorneys, 2009).

Stored Communications Act

The Stored Communications Act (SCA), enacted in 1986, provides statutory privacy protection for customers of network service providers. The SCA controls how the government can access stored account information from entities such as Internet Service Providers (ISPs). This account information typically includes e-mail, as well as subscriber and billing information. Specifically, the SCA lays out the process that state and federal law enforcement officers must adhere to so they can force disclosure of these records by the provider.

The SCA seeks to codify the type of information sought, privacy expectations associated with it, and legal instrument required for the government to access it. The SCA breaks down service providers into two separate and distinct groups: “electronic communication service” providers and those organizations that provide “remote computing services.” Understanding these differences is essential to deciphering the SCA and its legal requirements.

According to the SCA, specifically 18 U.S.C. § 2510(15), an electronic communication service (ECS) provider is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” ECS examples would include companies that deliver telephone and e-mail services (Executive Office for United States Attorneys, 2009). America Online comes to mind, as does Hotmail. It may surprise you to know that any company, no matter what its focus, can qualify as an ECS.

Title 18 U.S.C. § 2711(2) defines a remote computing service (RCS) as “the provision to the public of computer storage or processing services by means of an electronic communications system.” Put another way, an RCS is provided by an “[offsite] computer that stores or processes data for a customer” (Executive Office for United States Attorneys, 2009).

The SCA also addresses the variety of information these providers store. This can include basic subscriber information like name, address, and credit card number. Other potential information includes logs and opened, unopened, draft, and sent e-mails.


URL: https://www.sciencedirect.com/science/article/pii/B9780128016350000073

What is the fourth phase of the computer forensics process?

Phase IV: Secure the Evidence. The forensic staff should have access to a safe environment where they can secure the evidence. They determine if the collected data is accurate, authentic, and accessible.

What creates a search under the Fourth Amendment?

Search. A search under the Fourth Amendment occurs when a governmental employee or agent of the government violates an individual's reasonable expectation of privacy.

How does a digital forensic analyst find data in files that may be lost?

Forensics tools allow investigators to directly access memory chips removed from devices such as mobile phones, satellite navigation devices, car electronics, and USB flash drives. This technique can be used to recover data from devices that have been physically damaged or are password protected.