Computer Crime and Intellectual Property Section (CCIPS)

III. SEIZING HARDWARE

Depending on the facts of the case, the seizure of computer hardware itself can be justified on one of three theories without regard to the data it contains: (1) the hardware is itself contraband; (2) the hardware was an instrumentality of the offense; or (3) the hardware constitutes evidence of an offense. Of course, in many cases, hardware may be seizable under more than one theory. For example, if a hacker uses his computer to insert viruses into other systems, his computer may constitute both an instrumentality of the offense and evidence admissible in court.

As noted above under Definitions (supra p. 2), hardware is defined as the physical components of a computer system such as the central processing unit (CPU), keyboard, monitor, modem, and printer.


A. THE INDEPENDENT COMPONENT DOCTRINE

We must highlight once again that computer systems are really a combination of connected components (often by wire but increasingly by wireless means). To say that the government has probable cause to seize a "computer" does not necessarily mean it has probable cause to seize the entire computer system (i.e., the computer and all connected peripheral devices). Indeed, each component in a computer system should be considered independently.

In a strictly corporeal world, this doctrine is easy to understand and apply. For example, suppose a defendant stole a television and placed it on a television stand that he lawfully owned. Agents with a warrant for that television would not seize the stand, recognizing that the two items are easily separable and that there is, simply put, no justification for taking the stand.

With computers, the roles of the different attached components are not always separable and it is more difficult to think in such concrete terms. For example, agents with a warrant to seize a target's workstation may discover that the workstation is nothing more than a dumb terminal, and that all the evidence is in the server to which the dumb terminal is connected by wire.

Nonetheless, it is simply unacceptable to suggest that any item connected to the target device is automatically seizable. In an era of increased networking, this kind of approach can lead to absurd results. In a networked environment, the computer that contains the relevant evidence may be connected to hundreds of computers in a local-area network (LAN) spread throughout a floor, building, or university campus. That LAN may also be connected to a global-area network (GAN) such as the Internet. Taken to its logical extreme, the "take it because it's connected" theory means that in any given case, thousands of machines around the world can be seized because the target machine shares the Internet.

Obviously, this is not the proper approach. The better view is to seize only those pieces of equipment necessary for basic input/output (i.e., the computer itself, plus the keyboard and monitor) so that the government can successfully execute the warrant. When agents prepare warrants for other devices, they should list only those components for which they can articulate an independent basis for search or seizure (i.e., the component itself is contraband, an instrumentality, or evidence). Certainly, the independent component doctrine does not mean that connected devices are exempt; it only requires that agents and prosecutors articulate a reason for taking the item they wish to seize. For example, if the defendant has sent letters to the White House threatening the President's life, agents should explain, as a basis for seizing the target's printer, the need to compare its type with the letter. Additionally, there may be other times when the government should seize peripherals that do not contain evidence but, again, there must be a separate basis for the seizure. See, e.g., "Seizing Hardware and Documentation so the System Will Operate at the Lab," infra p. 60.


B. HARDWARE AS CONTRABAND OR FRUITS OF CRIME

1. Authority for Seizing Contraband or Fruits of Crime

Federal Rule of Criminal Procedure 41(b)(2) authorizes warrants to seize "contraband, the fruits of crime, or things otherwise criminally possessed." The rationale behind such seizures is to prevent and deter crime. See Warden v. Hayden, 387 U.S. 294, 306 n.11 (1967). Often the fruits of crime and objects illegally possessed will also constitute evidence of a crime, so that they also can be seized to help apprehend and convict criminals (see infra p. 29).


2. Contraband and Fruits of Crime Defined

The fruits of crime include property obtained by criminal activity, United States v. Santarsiero, 566 F. Supp. 536 (S.D.N.Y. 1983)(cash and jewelry obtained by use of a counterfeit credit card), and contraband is property which the private citizen is not permitted to possess, Warden v. Hayden, supra; Aguilar v. Texas, 378 U.S. 108 (1964)(narcotics). Even plans to commit a crime may constitute contraband. Yancey v. Jenkins, 638 F. Supp. 340 (N.D. Ill. 1986).

Of course, many objects which are fruits of crime or illegally possessed are innocent in themselves and can be possessed by at least certain persons under certain conditions. See, e.g., United States v. Truitt, 521 F.2d 1174, 1177 (6th Cir. 1975)(noting that a person legally can possess a sawed-off shotgun if it is properly registered to its owner, though its lawful possession is rare). A court reviewing a seizure under Rule 41(b)(2) will examine whether the circumstances would have led a reasonably cautious agent to believe that the object was a fruit of crime or was illegally possessed. For example, the seizure of jewelry as a fruit of crime in Santarsiero was upheld because a reliable informant had told officers that the suspect had boasted of using counterfeit credit cards to purchase jewelry. 566 F. Supp. at 544-45.

Certainly, there are instances where computer hardware and software are contraband or a fruit of crime. For example, there have been several recent cases involving the theft of computer equipment. Additionally, hackers have been known to penetrate credit reporting companies, illegally obtain credit card numbers, and then order computer equipment with these illegal access devices. In such cases, the equipment that they receive is a product of the fraud and should be seized as such.


C. HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE

1. Authority for Seizing Instrumentalities

Federal Rule of Criminal Procedure 41(b)(3) authorizes warrants to seize the instrumentalities of crime; that is, "property designed or intended for use or which is or has been used as the means of committing a criminal offense." The historical justification for the government's ability to seize instrumentalities of crime is the prevention of their use to commit future crimes. See Warden v. Hayden, 387 U.S. 294, 306 n.11 (1967); United States v. Boyette, 299 F.2d 92, 98 (4th Cir.)(Sobeloff, C.J., dissenting), cert. denied, 369 U.S. 844 (1962).


2. Instrumentalities Defined

An instrumentality of an offense is any machinery, weapon, instrument, or other tangible object that has played a significant role in a crime. See, e.g., United States v. Viera, 569 F. Supp. 1419, 1428 (S.D.N.Y. 1983)(sophisticated scale used in narcotics trafficking and blacklight used in counterfeiting currency). Where the object itself is innocent in character, courts will assess its role in the crime to determine whether it was an instrumentality. Compare United States v. Markis, 352 F.2d 860, 864-65 (2d Cir. 1965)(telephone used to take bets by operators of illegal wagering business was an instrumentality because it was integral to the criminal enterprise), vacated without opinion, 387 U.S. 425 (1967), with United States v. Stern, 225 F. Supp. 187, 192 (S.D.N.Y. 1964)(Rolodex file was not instrumentality where it contained names of individuals involved in tax fraud scheme). As stated by the Southern District of New York:

Not every article that plays some part in the commission of the alleged crime is a means of committing it. . . . Although it is not necessary that the crime alleged could not have been committed but for the use of the article seized, after a consideration of all the circumstances it must appear that the article played a significant role in the commission of the crime alleged.

Stern, 225 F. Supp. at 192 (emphasis in original).

Before the Supreme Court's decision in Warden v. Hayden, 387 U.S. 294 (1967), courts held that seizable property included instrumentalities, but did not include mere evidence. See generally 3 Wright & Miller, Federal Practice and Procedure: Criminal 2d § 664 (1982). In practice, however, judges were reluctant to suppress useful pieces of evidence at trial, preferring instead to interpret the term "instrumentality" broadly enough to encompass items of evidentiary value. For example, the district court in United States v. Robinson, 287 F. Supp. 245 (N.D. Ind. 1968), upheld the seizure of the following items, all of which connected the defendant to the murder of a federal narcotics agent, as "instrumentalities" of the crime and not "mere evidence": a pair of shoes, a shirt, a jacket, handkerchiefs, spent shell casings, and wet washcloths. Such legal gymnastics were abandoned when the Supreme Court held, in Hayden, that the Fourth Amendment principally protected privacy rights, not property rights, and secured "the same protection of privacy whether the search is for 'mere evidence' or for fruits, instrumentalities or contraband." Hayden, 387 U.S. at 306-07.

Although items that are evidence of crime may now be seized along with instrumentalities, fruits, and contraband, this historical perspective is important for understanding why some early decisions may have categorized evidentiary items as instrumentalities. Moreover, the distinction between "an instrumentality" and "mere evidence" remains critical in computer crime cases because it may determine the government's ability to seize hardware. If a computer and all its peripherals are instrumentalities of a crime, the warrant should authorize the seizure of these items. But if we are seeking the computer only for the documents (mere evidence) it contains, it may be more difficult to justify the seizure or retention of hardware.

Applying the independent component doctrine to the rule permitting seizure of instrumentalities will, in most cases, not be difficult. For example, if an individual engaging in wire fraud printed out thousands of phony invoices on his home computer, it would be reasonable to take the computer, monitor, keyboard, and printer. If the individual electronically mailed these invoices to his victims, it would also be appropriate to seize his external modem (if the modem were internal it would, of course, be seized when the agents took the computer itself). If, instead of using electronic mail, he used a conventional fax machine, it would be reasonable to seize the fax as it, too, would have played a significant role in the commission of the offense.


D. HARDWARE AS EVIDENCE OF AN OFFENSE

1. Authority for Seizing Evidence

In 1972, Federal Rule of Criminal Procedure 41(b) was amended to authorize seizing "mere evidence" of a crime. In relevant part, the Rule now states: "A warrant may be issued under this rule to search for and seize any (1) property that constitutes evidence of the commission of a criminal offense. . . ."


2. Evidence Defined

A physical item is evidence if it will aid in apprehending or convicting a person who has committed a crime. The evidence seized need not be admissible at trial.

Courts will evaluate a seizure under this test according to what a reasonable person would believe under the circumstances, and law enforcement officers will not be judged after-the-fact on how helpful the seized evidence actually was in apprehending or convicting a suspect. See Andresen v. Maryland, 427 U.S. 463, 483 (1976)(holding that the "trained special investigator reasonably could have believed" the seized evidence could be used to show criminal intent); United States v. Truitt, 521 F.2d 1174, 1176-78 (6th Cir. 1975)(holding that a reasonably cautious police officer could have believed under the circumstances that a sawed-off shotgun, although legal if registered, was incriminating evidence).

Of course, simply because an item is "evidence of a crime" does not mean that other restrictions may not apply. Law enforcement officials should be aware of other limits imposed by the Constitution, statutes, and regulations upon the seizure of evidence. See, e.g., Guidelines on Methods of Obtaining Documentary Materials Held by Third Parties, 28 C.F.R. §§ 59.1-.6 (governing the application for search warrants for documentary evidence held by non-suspect third parties).

Although computers commonly contain evidence, sometimes they are evidence. If an extortionist sent a letter to his victim with unique print characteristics (e.g., the top half of the letter "W" was missing), his daisy-wheel printer would constitute evidence which could be seized.


E. TRANSPORTING HARDWARE FROM THE SCENE

Whether a computer is seized as contraband, an instrumentality, or evidence, it is important to transport it properly. With some simple computers, moving the equipment is a straightforward proposition. But computer systems are becoming so increasingly complex and diverse that it is harder than ever for technically untrained agents to avoid mistakes. These Guidelines cannot possibly substitute for the expertise that comes from special training courses in seizing, searching, and preserving electronic evidence. Indeed, the discussion that follows is meant only as introduction and orientation to these issues, and not as a comprehensive guide to all the technical contingencies which may arise during a search. The team for a computer-related search should, if possible, include at least one technically trained agent to act as a leader in these areas. Clearly, as complex computer systems become increasingly common, law enforcement agencies will need more trained agents at almost every crime scene. In the meantime, the following discussion may help prosecutors and investigators to anticipate the problems which can confront them.

First, agents must protect the equipment from damage. Second, to the extent they are transporting information storage devices (e.g., hard drives, floppy disks), improper handling can cause loss of data. Third, it may be impossible to make the system work in the field office, laboratory, or courtroom if the seizing agents did not carefully pack and move the computer system so that it can be successfully reassembled later.

Before the search begins, the search leader should prepare a detailed plan for documenting and preserving electronic evidence, and should take time to carefully brief the entire search team to protect both the identity and integrity of all the data. At the scene, agents must remember to collect traditional types of evidence (e.g., latent fingerprints off the keyboard) before touching anything. They must remember, too, that computer data can be destroyed by strong magnetic fields. (Low density magnetic media is more susceptible to such interference than high density media.) Last, some computer experts will not examine evidence if anyone else has already tried to search or manipulate the data. Their chain-of-custody and integrity-of-evidence procedures will not allow them to examine the computer if its original crime-scene seal has been broken.

The agents executing the actual search must take special precautions when disassembling and packing computer equipment. This careful approach protects not only the hardware items, but also the integrity and accessibility of the data inside. Before disconnecting any cables, it is helpful to videotape or photograph the site (including the screen, if possible, and all wiring connections) and prepare a wiring schematic. This will document the condition of the equipment upon the agents' arrival and show how the system was configured. Agents should disconnect all remote access to the system (e.g., unplug the telephone cord, not the power cord, from the modem) and disconnect network cables from the servers so that no one can alter or erase information during the search. Investigators need to accurately label each cable and the device and port to which the cable connects before disconnecting anything. It is a good idea to attach tags at every connection point on every cable to record all relevant information. It is especially important to label every vacant port as "vacant" so that there is no confusion later. (If vacant ports are not labeled, it is impossible for an expert to tell whether the unlabeled port was in fact vacant, or whether an important label simply fell off.) Once this is done, agents are ready to disassemble, tag and inventory the equipment.

Investigators must determine which drives, disks, and other magnetic media need to be protected. If a hard disk drive is being moved, they must insure that the read/write heads are secured to prevent damage. Some systems secure (park) the heads automatically whenever the machine is not in use, but other systems may require that a specific command be executed or that the heads be secured mechanically. The manufacturer's operating manual should specify the proper procedure for each system.

Agents should protect floppy disk drives according to manufacturer's recommendations. Some suggest inserting a new diskette or piece of cardboard in the drive slot; others do not. (As with hard drives, each manufacturer's instructions may be found in the system manual.) Investigators must also label diskettes (either individually or in groups), mark them as evidence and place them in non-plastic evidence containers.

Agents must be conscious of static electricity buildup during the execution of the warrant since static electricity can "zap" a disk and damage data. So can degaussing equipment (an electronic appliance that creates a strong magnetic field and can be used to effectively erase a magnetic tape or disk). A well-known story in law enforcement circles involves a hacker who allegedly magnetized his metal door frame, thus creating a magnetic field that erased magnetic media as agents carried it through the doorway. This story has not been verified and, even if true, such an event is unlikely to occur now because high density media is not easily disrupted by magnetic fields. Nonetheless, a device to measure magnetic fields (a compass or, even better, a gaussmeter) can determine whether such fields exist and, as a general rule, agents should avoid placing magnetic media near any strong magnetic field. Magnetic fields may be created by telephones, radio transmitters, and photocopiers. Additionally, although magnetic media has often been taken through airport metal detectors and X-ray machines without damage, it is wiser not to take magnetic media through these devices. (It is the motor driving the conveyor belt on the X-ray machine, not the fluoroscope itself, that creates the magnetic field which causes the damage.)

Transporting agents should keep all hardware and software in dust-free, climate-controlled environments. Computer-related evidence is sensitive to heat and humidity and should not be stored in the back seat or trunk of a car without special precautions. Temperature extremes may render magnetically stored evidence unreadable, and various types of contamination can damage electronic equipment. A safe range for storing magnetic media is between 40°-90°F and 20%-80% humidity, free of dust and tobacco smoke.


