Computer Crime and Intellectual Property Section (CCIPS)
SEARCHING AND SEIZING COMPUTERS

TABLE OF CONTENTS


PREFACE
INTRODUCTION

I. KEY TERMS AND CONCEPTS

A. DEFINITIONS
B. LIST OF COMPUTER SYSTEM COMPONENTS
C. DETERMINING THE COMPUTER'S ROLE IN THE OFFENSE

II. GENERAL PRINCIPLES

A. SEARCH WARRANTS
B. PLAIN VIEW
C. EXIGENT CIRCUMSTANCES
D. BORDER SEARCHES
E. CONSENT SEARCHES
1. Scope of the Consent
2. Third-Party Consent
a. General Rules
b. Spouses
c. Parents
d. Employers
e. Networks: System Administrators

F. INFORMANTS AND UNDERCOVER AGENTS

III. SEIZING HARDWARE

A. THE INDEPENDENT COMPONENT DOCTRINE
B. HARDWARE AS CONTRABAND OR FRUITS OF CRIME

1. Authority for Seizing Contraband or Fruits of Crime
2. Contraband and Fruits of Crime Defined

C. HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE

1. Authority for Seizing Instrumentalities
2. Instrumentalities Defined

D. HARDWARE AS EVIDENCE OF AN OFFENSE

1. Authority for Seizing Evidence
2. Evidence Defined

E. TRANSPORTING HARDWARE FROM THE SCENE

IV. SEARCHING FOR AND SEIZING INFORMATION

A. INTRODUCTION
B. INFORMATION AS CONTRABAND
C. INFORMATION AS AN INSTRUMENTALITY
D. INFORMATION AS EVIDENCE
1. Evidence of Identity
2. Specific Types of Evidence
a. Hard Copy Printouts
b. Handwritten Notes

E. PRIVILEGED AND CONFIDENTIAL INFORMATION

1. In General

a. Doctors, Lawyers, and Clergy
b. Publishers and Authors

2. Targets
3. Using Special Masters

F. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND-ALONE PCs, NETWORKS AND FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS, AND ELECTRONIC MAIL

1. Stand-Alone PCs

a. Input/Output Devices: Do Monitors, Modems, Printers, and Keyboards
Ever Need to be Searched?
b. Routine Data Backups

2. Networked PCs

a. Routine Backups
b. Disaster Backups

G. SEARCHING FOR INFORMATION

1. Business Records and Other Documents
2. Data Created or Maintained by Targets
3. Limited Data Searches
4. Discovering the Unexpected

a. Items Different from the Description in the Warrant
b. Encryption

H. DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION

1. Seizing Computers because of the Volume of Evidence

a. Broad Warrant Authorizes Voluminous Seizure of Documents
b. Warrant is Narrowly Drawn but Number of Document to be Sifted
through is Enormous
c. Warrant Executed in the Home
d. Applying Existing Rules to Computers

2. Seizing Computers because of Technical Concerns

a. Conducting a Controlled Search to Avoid Destroying Data
b. Seizing Hardware and Documentation so the System Will Operate
at the Lab

I. EXPERT ASSISTANCE

1. Introduction
2. Finding Experts

a. Federal Sources
b. Private Experts

(1) Professional Computer Organizations
(2) Universities
(3) Computer and Telecommunications Industry Personnel
(4) The Victim

3. What the Experts Can Do

a. Search Planning and Execution
b. Electronic Analysis
c. Trial Preparation
d. Training for Field Agents

V. NETWORKS AND BULLETIN BOARDS

A. INTRODUCTION
B. THE PRIVACY PROTECTION ACT, 42 U.S.C. § 2000aa
1. A Brief History of the Privacy Protection Act
2. Work Product Materials
3. Documentary Materials
4. Computer Searches and the Privacy Protection Act

a. The Reasonable Belief Standard
b. Similar Form of Public Communication
c. Unique Problems: Unknown Targets and Commingled Materials

5. Approval of Deputy Assistant Attorney General Required

C. STORED ELECTRONIC COMMUNICATIONS

VI. DRAFTING THE WARRANT

A. DRAFTING A WARRANT TO SEIZE HARDWARE
B. DRAFTING A WARRANT TO SEIZE INFORMATION
1. Describing the Place to be Searched

a. General Rule: Obtain a Second Warrant
b. Handling Multiple Sites within the Same District
c. Handling Multiple Sites in Different Districts
d. Information at an Unknown Site
e. Information/Devices Which Have Been Moved

2. Describing the Items to be Seized
3. Removing Hardware to Search Off-Site: Ask th Magistrate for Explicit Permission.
4. Seeking Authority for a No-Knock Warrant

a. In General
b. In Computer-Related Cases

VII. POST-SEARCH PROCEDURES

A. INTRODUCTION
B. PROCEDURES FOR PRESERVING EVIDENCE
1. Chain of Custody
2. Organization
3. Keeping Records
4. Returning Seized Computers and Materials

a. Federal Rules of Criminal Procedure: Rule 41(e)
b. Hardware
c. Documentation
d. Notes and Papers
e. Third-Party Owners

VIII. EVIDENCE

A. INTRODUCTION
B. THE BEST EVIDENCE RULE
C. AUTHENTICATING ELECTRONIC DOCUMENTS
1. "Distinctive" Evidence
2. Chain of Custody
3. Electronic Processing of Evidence

D. THE HEARSAY RULE

IX. APPENDICES
APPENDIX A: SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS

1. Tangible Objects
a. Justify Seizing the Objects
b. List and Describe the Objects

(1) Hardware
(2) Software
(3) Documentation
(4) Passwords and Data Security Devices

2. Information: Records, Documents, Data

a. Describe the Content of Records, Documents, or other Information
b. Describe the Form which the Relevant Information May Take
c. Electronic Mail: Searching and Seizing Data from a BBS Server under 18 U.S.C. § 2703

(1) If All the E-Mail is Evidence of Crime
(2) If Some of the E-Mail is Evidence of Crime
(3) If None of the E-Mail is Evidence of Crime

d. Ask Permission to Seize Storage Devices when Off-Site Search is Necessary
e. Ask Permission to Seize, Use, and Return Auxiliary Items, as Necessary
f. Data Analysis Techniques

3. Stipulation for Returning Original Electronic Data

APPENDIX B: GLOSSARY
APPENDIX C: FEDERAL EXPERTS FOR COMPUTER CRIME INVESTIGATIONS
APPENDIX D: COMPUTER SEARCH AND SEIZURE WORKING GROUP
APPENDIX E: STATUTORY POPULAR NAME TABLE
APPENDIX F: TABLE OF AUTHORITIES

Cases
Statutes
Federal Rules
Federal Regulations
Legislative History
Reference Materials

Go to . . . CCIPS Home || Home Page