From: Jim Choate <ravage@ssz.com>
To: cypherpunks@ssz.com
Message Hash: 8ecba142eeda86d6b63798befa3a2475e87fc8303d71c4177e87613a11cc5470
Message ID: <199801230215.UAA11347@einstein.ssz.com>
Reply To: N/A
UTC Datetime: 1998-01-23 02:29:48 UTC
Raw Date: Fri, 23 Jan 1998 10:29:48 +0800
From: Jim Choate <ravage@ssz.com>
Date: Fri, 23 Jan 1998 10:29:48 +0800
To: cypherpunks@ssz.com
Subject: toc.htm
Message-ID: <199801230215.UAA11347@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text/plain
FEDERAL GUIDELINES
FOR SEARCHING AND SEIZING COMPUTERS
TABLE OF CONTENTS
PREFACE
INTRODUCTION
I. KEY TERMS AND CONCEPTS
A. DEFINITIONS
B. LIST OF COMPUTER SYSTEM COMPONENTS
C. DETERMINING THE COMPUTER'S ROLE IN THE OFFENSE
II. GENERAL PRINCIPLES
A. SEARCH WARRANTS
B. PLAIN VIEW
C. EXIGENT CIRCUMSTANCES
D. BORDER SEARCHES
E. CONSENT SEARCHES
1. Scope of the Consent
2. Third-Party Consent
a. General Rules
b. Spouses
c. Parents
d. Employers
e. Networks: System Administrators
F. INFORMANTS AND UNDERCOVER AGENTS
III. SEIZING HARDWARE
A. THE INDEPENDENT COMPONENT DOCTRINE
B. HARDWARE AS CONTRABAND OR FRUITS OF CRIME
1. Authority for Seizing Contraband or Fruits of Crime
2. Contraband and Fruits of Crime Defined
C. HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE
1. Authority for Seizing Instrumentalities
2. Instrumentalities Defined
D. HARDWARE AS EVIDENCE OF AN OFFENSE
1. Authority for Seizing Evidence
2. Evidence Defined
E. TRANSPORTING HARDWARE FROM THE SCENE
IV. SEARCHING FOR AND SEIZING INFORMATION
A. INTRODUCTION
B. INFORMATION AS CONTRABAND
C. INFORMATION AS AN INSTRUMENTALITY
D. INFORMATION AS EVIDENCE
1. Evidence of Identity
2. Specific Types of Evidence
a. Hard Copy Printouts
b. Handwritten Notes
E. PRIVILEGED AND CONFIDENTIAL INFORMATION
1. In General
a. Doctors, Lawyers, and Clergy
b. Publishers and Authors
2. Targets
3. Using Special Masters
F. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND-ALONE PCs,
NETWORKS AND FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS,
AND ELECTRONIC MAIL
1. Stand-Alone PCs
a. Input/Output Devices: Do Monitors, Modems, Printers, and
Keyboards Ever Need to be Searched?
b. Routine Data Backups
2. Networked PCs
a. Routine Backups
b. Disaster Backups
G. SEARCHING FOR INFORMATION
1. Business Records and Other Documents
2. Data Created or Maintained by Targets
3. Limited Data Searches
4. Discovering the Unexpected
a. Items Different from the Description in the Warrant
b. Encryption
H. DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR
TO REMOVE HARDWARE TO ANOTHER LOCATION
1. Seizing Computers because of the Volume of Evidence
a. Broad Warrant Authorizes Voluminous Seizure of Documents
b. Warrant is Narrowly Drawn but Number of Document
to be Sifted through is Enormous
c. Warrant Executed in the Home
d. Applying Existing Rules to Computers
2. Seizing Computers because of Technical Concerns
a. Conducting a Controlled Search to Avoid
Destroying Data
b. Seizing Hardware and Documentation so the
System Will Operate at the Lab
I. EXPERT ASSISTANCE
1. Introduction
2. Finding Experts
a. Federal Sources
b. Private Experts
(1) Professional Computer Organizations
(2) Universities
(3) Computer and Telecommunications Industry Personnel
(4) The Victim
3. What the Experts Can Do
a. Search Planning and Execution
b. Electronic Analysis
c. Trial Preparation
d. Training for Field Agents
V. NETWORKS AND BULLETIN BOARDS
A. INTRODUCTION
B. THE PRIVACY PROTECTION ACT, 42 U.S.C. 2000aa
1. A Brief History of the Privacy Protection Act
2. Work Product Materials
3. Documentary Materials
4. Computer Searches and the Privacy Protection Act
a. The Reasonable Belief Standard
b. Similar Form of Public Communication
c. Unique Problems: Unknown Targets and Commingled
Materials
5. Approval of Deputy Assistant Attorney General Required
C. STORED ELECTRONIC COMMUNICATIONS
VI. DRAFTING THE WARRANT
A. DRAFTING A WARRANT TO SEIZE HARDWARE
B. DRAFTING A WARRANT TO SEIZE INFORMATION
1. Describing the Place to be Searched
a. General Rule: Obtain a Second Warrant
b. Handling Multiple Sites within the Same District
c. Handling Multiple Sites in Different Districts
d. Information at an Unknown Site
e. Information/Devices Which Have Been Moved
2. Describing the Items to be Seized
3. Removing Hardware to Search Off-Site: Ask th
Magistrate for Explicit Permission.
4. Seeking Authority for a No-Knock Warrant
a. In General
b. In Computer-Related Cases
VII. POST-SEARCH PROCEDURES
A. INTRODUCTION
B. PROCEDURES FOR PRESERVING EVIDENCE
1. Chain of Custody
2. Organization
3. Keeping Records
4. Returning Seized Computers and Materials
a. Federal Rules of Criminal Procedure: Rule 41(e)
b. Hardware
c. Documentation
d. Notes and Papers
e. Third-Party Owners
VIII. EVIDENCE
A. INTRODUCTION
B. THE BEST EVIDENCE RULE
C. AUTHENTICATING ELECTRONIC DOCUMENTS
1. "Distinctive" Evidence
2. Chain of Custody
3. Electronic Processing of Evidence
D. THE HEARSAY RULE
IX. APPENDICES
APPENDIX A: SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS
1. Tangible Objects
a. Justify Seizing the Objects
b. List and Describe the Objects
(1) Hardware
(2) Software
(3) Documentation
(4) Passwords and Data Security Devices
2. Information: Records, Documents, Data
a. Describe the Content of Records, Documents,
or other Information
b. Describe the Form which the Relevant Information
May Take
c. Electronic Mail: Searching and Seizing Data
from a BBS Server under 18 U.S.C. 2703
(1) If All the E-Mail is Evidence of Crime
(2) If Some of the E-Mail is Evidence of Crime
(3) If None of the E-Mail is Evidence of Crime
d. Ask Permission to Seize Storage Devices when
Off-Site Search is Necessary
e. Ask Permission to Seize, Use, and Return
Auxiliary Items, as Necessary
f. Data Analysis Techniques
3. Stipulation for Returning Original Electronic Data
APPENDIX B: GLOSSARY
APPENDIX C: FEDERAL EXPERTS FOR COMPUTER CRIME INVESTIGATIONS
APPENDIX D: COMPUTER SEARCH AND SEIZURE WORKING GROUP
APPENDIX E: STATUTORY POPULAR NAME TABLE
APPENDIX F: TABLE OF AUTHORITIES
Cases
Statutes
Federal Rules
Federal Regulations
Legislative History
Reference Materials
Go to . . . CCIPS Home || Justice Home Page
_________________________________________________________________
Updated page May 9 , 1997
usdoj-jmd/irm/css/mlb
_________________________________________________________________
Return to January 1998
Return to “Jim Choate <ravage@ssz.com>”
1998-01-23 (Fri, 23 Jan 1998 10:29:48 +0800) - toc.htm - Jim Choate <ravage@ssz.com>