Introduction
Evidence Collection Constraints
Keeping up with the criminal element is an ongoing challenge for the legal system in the USA. As more and more fantastic advances are made in digital technology, the cyber-criminal seems to grasp this new technology and adapt it to illegal use before the criminal justice participants have the opportunity to study and understand it.
The front-line law enforcement agencies, prosecutors, and judges are often overwhelmed by the amount of information required to keep pace with the ever-evolving changes involving computers and their associated hardware, software and operating characteristics. The criminal element continually alters, revises, or creates hardware, software, viruses, malware, and other attacks in an effort to mask criminal activity and prevent detection. As if keeping up with digital technology isn’t enough, the criminal justice system must keep pace with the latest revisions and modifications of existing laws and push legislatures and Congress to create new laws as each new cyber-threat appears.
While computer technology has been with us for nearly 60 years, our problems really began in the late 1980s. An example of how this technology has leap-frogged along includes child pornography cases where evidence appeared mostly in underground magazines consisting of photographs, 8mm film and videotapes. But in the mid-1990s, the Internet began its evolution and brought with it significant change. Now it is unusual to find child pornography that involves anything other than digital images and hardcopies of those images.
Once the province of “computer crime” such as hacking, digital evidence is now found in virtually every crime category. But all too often law enforcement agencies and the judicial system are ill-prepared to deal with the issues created by the increasing use of cyber-technology.
Specially trained and experienced investigators should not assume that prosecutors fully grasp the problems they encounter in the recovery and analysis of digital evidence. Thus… the burden for education must be borne equally by prosecutors, investigators, and examiners who are obliged to share their knowledge of the technical complexities and map strategies.
Search and Seizure
The collection of digital evidence in criminal cases is governed at the Federal and State levels by myriad constitutional and statutory requirements, including laws that regulate the communications and computer industries and laws that directly detail the collection and use of digital evidence. Previous court decisions, and the procedural rules established to implement them, also need to be taken into account.
The Privacy Protection Act (PPA) (42 U.S.C. § 2000aa et seq.) limits law enforcement’s use of a search warrant to search for or seize certain materials possessed for the purpose of public dissemination. The protected materials may be either “work products” (i.e., materials created by the author or publisher) or “documentary materials” (i.e., any materials that document or support the work product).
For example, a person who is creating an online newsletter may possess interview notes that could be considered “documentary materials”; the text of the newsletter to be published could be considered a “work product.”
If the material is covered by PPA, law enforcement cannot use a search warrant to obtain it.
PPA’s prohibition on the use of a search warrant may not apply when:
- Materials searched for or seized are “fruits” or instrumentalities of the crime or are contraband.
- There is reason to believe that the immediate seizure of such materials is necessary to prevent death or serious bodily injury.
- There is probable cause to believe that the person possessing the materials has committed or is committing a criminal offense to which the materials relate. (Except for the possession of child pornography and certain government information, this exception does not apply where the mere possession of the materials constitutes the offense.)
Of course, the criminal justice system must consider constitutional issues as well. Searches for digital evidence, like searches for other forms of evidence, are subject to the constraints of Federal and State constitutional search and seizure laws and court rules. Traditional Fourth Amendment principles, such as those governing closed containers, apply to digital evidence.
Additionally, there is the issue of privileged information:
In some instances, law enforcement may have reason to believe that the place to be searched will contain information that is considered “privileged” under statute or common law (e.g., the office of a lawyer, health professional, or member of the clergy). Before drafting a warrant and conducting the search, law enforcement should take care to identify and comply with the legal limitations that the jurisdiction may impose. Law enforcement also may wish to:
- Consider the use of taint teams (also known as privilege teams), special masters, or another process, as approved by the court.
- Consider in advance whether the media to be seized contain privileged or proprietary information.
- Consider obtaining a stipulation before seizing information from the target to avoid confiscating potentially privileged or proprietary information. (See appendix D, “Stipulation Regarding Evidence Returned to the Defendant,” for an example.)
- To avoid tainting the acquisition of evidence, ensure that the prosecution team addresses the issue of privileged or proprietary information when drafting the search warrant.
Handling traditional forms of physical evidence has resulted in specific guidelines that have been a part of crime scene protocol for a considerable time, but maintaining the integrity of digital evidence throughout the examination procedure presents different problems. Some common problems are further complicated by the complexity of networked computers. This text assumes that the seized media contains relevant information and that the forensic procedures used to examine that media have not altered the evidence from the time it was seized. After seizure, ensuring that the traditional chain of custody remains unbroken is necessary but not sufficient to establish the authenticity of the data or evidence obtained from the forensic examination. Additionally… the traditional chain of custody and its associated precautions may be required for examining digital evidence.
An additional concern is that the examination of digital devices be accomplished through the use of tools recognized and accepted by the forensic community. Because the process used to acquire the data is itself electronic, both the evidence and the process may be subject to legal challenges. Additional expert testimony may be required to authenticate the machine, applications, and forensic tools.
Both for purposes of admissibility and persuasive value of digital evidence, the prosecutor must show to the court that the information obtained from the media is a true and accurate representation of the data originally contained in the media, irrespective of whether the acquisition was done entirely by law enforcement or in part or entirely by a third party of civilian origin.
Thorough and accurate documentation of the evidence is critical. It is essential to establish both admissibility … and the persuasive force of the evidence. A well-documented case is much more likely to result in a guilty plea, saving valuable prosecutorial and court resources. (Previous text) describes the information that law enforcement should gather to document what happened with respect to the data before seizure. Law enforcement also must thoroughly document its own actions with respect to the data. Documentation should include the steps taken to acquire, examine, and store the data.
With respect to examination notes, keep the following in mind:
- Comply with agency policy with regard to preparation and retention of notes.
- Be aware that retained notes and other records may be discoverable. The prosecutor must be notified and given an opportunity to review them.
- Do not commingle notes from different cases.
Italicized segments in this article are verbatim from the NIJ Manual, “Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors.”