Thursday, January 25, 2007

searching for information in digital crime scene exhibits
sarada avadhanam

1. G. SEARCHING FOR INFORMATION
1.1. 1. Business Records and Other Documents. Electronic records are easier to alter or destroy than paper ones. It is important to control remote access to data while the search is being conducted by prohibiting access to the file or file server in question, either by software commands or by physically disconnecting cables. This should only be done by an expert, however, because altering the system's configuration may have significant unintended results. If the system administrator is cooperating with investigators, the task becomes much easier, and agents should use the least intrusive means possible to obtain the data. If the entire business is under investigation, or if records may be altered or destroyed, a search warrant should be used.
1.2. 2. Data Created or Maintained by Targets. Targets may have data on a multi-user computer system. Where the target owns or operates the computer, use a warrant. Where the target does not control the system but merely has data on it, the system operator (sysop) may be willing to provide the requested data, assuming he has the authority to do so.
1.3. The sysop can, as a practical matter, probably retrieve the needed data rather easily. Ordinarily, a multi-user computer system will have specific accounts assigned to each user or group of users, and the sysop has "superuser" authority or "root" access.
1.4. Some systems, by their rules, may expressly limit the purposes for which sysops may exercise their access. In those cases, sysops may insist on a court order or subpoena. If, on the other hand, users have consented to complete sysop access in order to use the system, a request to the sysop for the information may be all that is required.
1.5. In either event, rarely will it be wise for investigating agents to search large computer systems by themselves. Without the sysop's help, it may be difficult (if not impossible) for agents to comb a multi-user computer system the way they search file cabinets for paper records.
1.6. The sysop must not only copy the data "as is," but must also confirm to the police that the copy has been made. If all this is not done, the data may be altered or erased--deliberately, accidentally, or in the normal course of business.
1.7. 3. Limited Data Searches. Search "utilities" greatly help in looking for specified names, dates, and file extensions. They can scan disks for recently deleted data and recover it in partial or sometimes complete form. They can also identify and expose hidden files. In some cases, analysts may find files that are not in a readable format; the data may have been compressed to save space or encrypted to control access to it.
2. Reasons to do a limited rather than a complete search through the data.
2.1. First of all, the law in general prefers searches of all things--computer data included--to be as discrete and specific as possible.
2.2. Second, the warrant may specify particular files, directories, or sub-directories, or certain categories of data.
2.3. Finally, even if the facts of a case give an analyst free rein to search all the data, the economies of scale usually require a more systematic approach.
3. At the least, analysts should plan for a methodical inventory of directories and sub-directories and prepare to document all the steps taken in the search. Because data is so easy to alter or destroy, analysts must have a careful record so that their efforts can be re-created for a court. In addition to searching by file, sub-directory, or directory, the power of the computer allows analysts to design a limited search in other ways as well.
4. Computer experts can search data for specific names (like names of clients, co-conspirators, or victims), words (like "drugs," "tax," or "hacking"), places (either geographic locations or electronic ones), or any combination of them. As legal researchers know, if the keyword search is well defined, it can be the most efficient way to find the needle in the haystack. Arriving at the right keyword takes a tip, experience, or trial and error.
5. Encryption, compression, graphics, and certain software formatting schemes may leave data difficult to search by keyword.
6. Another approach is the file extension search. File extensions are associated with spreadsheets (which could hold accounting data), databases (which can hold client information), word processing (which could hold any sort of alphanumeric text), or graphics. There will also be a date and time listed for every file created; it may accurately reflect the last time the file was revised.
7. The kind of software found loaded on a computer may reveal how the computer has been used. For example, communications software may have been used to send incriminating data to another computer system at another location. A modem may expand the investigation and create a need for a new warrant, as may phone bills indicating frequent long-distance calls to one particular number; if dialing that number reveals a modem tone, further investigation is warranted.
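The methodical, re-creatable inventory and limited search described in items 3 through 6 above, as an added example that is not part of the original post. It records each file's path, extension, last-modified time and SHA-256 so the examination can be repeated for a court, then filters by extension and/or keyword; the exhibit files are constructed here purely for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Methodical inventory of the exhibit: one record per file (relative path,
# extension, last-modified time, SHA-256) so the examination can be re-created.
def inventory(root):
    root = Path(root)
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        records.append({
            "path": path.relative_to(root).as_posix(),
            "ext": path.suffix.lower(),
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        })
    return records

# Limited search over the inventory: filter by extension and/or keyword (case-insensitive
# match on contents). Compressed, encrypted or binary files will not match by keyword.
def limited_search(root, records, keywords=(), extensions=()):
    hits = []
    for rec in records:
        if extensions and rec["ext"] not in extensions:
            continue
        if keywords:
            text = (Path(root) / rec["path"]).read_bytes().decode("utf-8", "replace").lower()
            matched = [k for k in keywords if k.lower() in text]
            if not matched:
                continue
            rec = dict(rec, matched=matched)
        hits.append(rec)
    return hits

# Constructed sample exhibit (hypothetical files) so the block runs offline.
def build_sample_exhibit():
    root = Path(tempfile.mkdtemp(prefix="exhibit_"))
    (root / "accounts").mkdir()
    (root / "accounts" / "ledger.csv").write_text("client,amount\nAcme Ltd,1200\n")
    (root / "notes.txt").write_text("Call ACME about the tax filing on Friday.\n")
    (root / "photo.jpg").write_text("binary image placeholder\n")
    return str(root)

if __name__ == "__main__":
    root = build_sample_exhibit()
    for hit in limited_search(root, inventory(root), keywords=("acme", "tax")):
        print(hit["path"], hit["matched"], hit["mtime"], hit["sha256"][:16])
```

Running `inventory` a second time over an untouched exhibit returns identical records, which is the check that nothing was altered during the search.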
8. 4. Discovering the Unexpected
8.1. A. Items Different from the Description in the Warrant
8.2. Generic classifications in a warrant are acceptable only when a more precise description is not possible. Despite defense objections, the court upheld the seizure of computer disks not named in the warrant. The warrant in that case authorized agents to seize various specific records, and the court reasoned that because of the changing technology, the government could not necessarily predict what form the records would take. The safest course is always to assume that particular, clearly described "records" or "documents" may be in electronic form and to provide for this possibility in the warrant.
8.3. B. Encryption. If agents have authority to search the data in a computer or on a disk and find it has been encrypted, the authority granted by the warrant to search for and seize the encrypted information also brings the implied authority to decrypt: to "break the lock" on the cabinet or to "translate" the document. If the search is based upon consent, ask explicitly for consent to search the encrypted material, as well as for the password. If the target refuses, agents should obtain a warrant for the encrypted data. As a practical matter, getting past the encryption may not be easy, but there are several approaches to try. First of all, the computer crime lab or the software manufacturer may be able to assist in decrypting the file. Investigators should not be discouraged by claims that the password "can't be broken," as this may simply be untrue; some can be recovered easily with the right software. If that fails, there may be clues to the password in the other evidence seized--stray notes on hardware or desks, scribbles in the margins of manuals or on the jackets of disks. Consider whether the suspect or someone else will provide the password if requested, or whether a third party who may know the password can be compelled to provide it.
9. H. DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION. The decision turns on the volume of evidence, the scope of the warrant, and the special problems that may arise when attempting to search computers.
9.1. 1. Seizing Computers because of the Volume of Evidence. Since any document search can be a time-consuming process, two questions matter: (1) how extensive the warrant is, and (2) what type of place is to be searched.
9.2. A. Broad Warrant. When the warrant directs agents to seize broad categories of records, or even all records (because the suspect's business is completely criminal or infected by some pervasive, illegal scheme), then it is not difficult to argue that all papers and storage devices should be seized. In one such case the warrant did not require on-site sorting, and the defendants later accused agents of going on a "seizing frenzy."
9.3. A search does not become invalid merely because some items not covered by a warrant are seized . . . . Absent flagrant disregard for the limitations of a search warrant, the items covered by the warrant will be admissible. The agents' decision not to comb through all the files at the scene, the court noted, was "prompted largely by practical considerations and time constraints."
10. B. Warrant is Narrowly Drawn but Number of Documents to be Sifted through is Enormous.
10.1. The more difficult cases are those in which the sought-after evidence is far more limited and the description in the warrant is (and should be) more limited as well. "When the probable cause covers fewer documents in a system of files, the warrant must be more confined and tell the officers how to separate the documents to be seized from others." The wholesale seizure for later detailed examination of records not described in a warrant is significantly more intrusive, and has been characterized as "the kind of investigatory dragnet." Where documents are so intermingled that they cannot feasibly be sorted on site, the alternative is sealing and holding the documents pending approval by a magistrate of a further search, in accordance with the procedures
10.2. C. Warrant Executed in the Home. When a search is conducted at a home instead of a business, courts seem more understanding of an agent's predilection to seize now and sort later. Given the fact that the search warrant entitled the agents to search for documents, the agents acted reasonably when they removed the documents to another location for subsequent examination . . .
10.3. D. Applying Existing Rules to Computers. While computers are often set up with directories and subdirectories (much like a file cabinet is set up with file folders), many users put data on disks in random fashion. Thus, a particular letter or file could be anywhere on a hard disk or in a box of floppies.
