Recently, a patron was purchasing a pair of sunglasses at a shopping mall kiosk.
The patron handed the clerk her credit card and waited patiently for the clerk to process it and return with the receipt. Instead, the clerk passed the credit card through a magnetic-strip reader attached to a small handheld computer and then through to the business' credit card reader. The patron observed the credit card being double read, and asked the clerk what she was doing. Not being satisfied with the response, the patron notified security. The clerk was discovered to be collecting the account information from the credit cards she was swiping at the handheld computer. She informed the police she had been collecting this information for her boyfriend who was later selling the credit card information.
As we enter the 21st century, currently called the 'Information Age,' we have become accustomed to seeing a wide variety of computers, electronic storage media and information processing devices in our lives. As these devices are convenient, their intended purposes can easily be perverted, and frequently constitute evidence in the proof of criminal matters. All types of criminals are employing computers and computing devices to carry on their misdeeds. Confidence scheme operators, narcotics traffickers, child pornographers, counterfeiters, hackers and others, freely use computers to further their criminal enterprises.
The prime target for criminal or civil seizure is the computer system and its accompanying electronic storage media. These items are considered property, and are addressed in the United States under the Fourth Amendment to the Constitution. The provisions of the Fourth Amendment are as clear today as when they were written: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Most countries and jurisdictions have similar laws where citizens' rights to their possessions are protected from unjustified seizure by government agents. In most cases, governmental seizures must be predicated upon statements made to judicial or similar officials, where the basis for the seizure is stated, and at some time may be contested by the person from whom the property was seized. If the official deems there isn't sufficient cause to warrant seizure, then the property is returned to its owner. In the case of private citizens unlawfully seizing property, these matters are addressed by theft and robbery laws.
Generally, the computer has one or two roles in the commission of a crime or civil action.
- File Cabinet. The computer may be a repository of records, similar to a filing cabinet, and these records provide evidence of defendant's participation in an act. Records contained in the computer are evidence just the same as the contents of a box or cabinet.
- Instrumentality. The computer itself may be the means by which an unlawful act was committed. This makes the computer the equivalent of a gun or stick of dynamite. In such cases, seizing the computer as evidence of the defendant's ability to commit the crime is crucial.
Laws relative to searches and seizures are many, and well documented, so I'll concentrate on the details of searching and seizing computers. As a general rule, if a law officer is going to seize a computer or its contents, regardless of its location in a residence or business, the officer is going to need a search warrant, court order or similar legal instrument. However, most jurisdictions have exceptions to the search warrant rule. Here are some examples:
- Exigent circumstances. A threat to the safety of the evidence, in this case a computer containing evidence, may justify a warrantless seizure. It's important to note that unless there is a critical urgency to search it immediately, it would be best to obtain a search warrant or court order before performing any type of examination. Careful and detailed documentation of the facts and circumstances of the computer's seizure may have clarifying effects at subsequent hearings.
- Seizure incident to arrest. This is a search of the area surrounding an individual who is being placed under arrest. If evidence is present in this area of control, it may be seized without a search or similar warrant. It is important to note that this area may be the person of the arrestee. However, a warrant or court order should be obtained before any examination of the computer's contents may be performed.
- Plain View. If a law officer has legitimate access to an area, e.g. vehicle, residence, business, and a computer is located in plain sight, and the officer has probable cause to believe the computer may be evidence of a crime or may contain evidence of a crime, then it may be seized. However, before reviewing its contents, obtaining a search warrant is likely to be required.
- Consent. Computer criminals are often cooperative and consent to a search of their computer. At times, they have encrypted files and they think they have avoided detection. It is important to know that a person cannot consent to the search of a jointly used computer beyond the extent to which they use it or those files they use. It is important to note that consent may be withdrawn by the cooperating person at any time, and may not extend to files that have passwords or are encrypted.
In consensual searches the courts have decided that observations made in a consensual search, may be used as probable cause in securing a search warrant. If consent to search is obtained, documentation of observations may be significant in obtaining a search warrant for the premises once the consent is withdrawn. These observations may consist of video camera recordings, still camera photographs or merely handwritten notebook entries.
In suppression hearings, one of the more common attacks against a computer search warrant is that the seizure was overly broad. Just as in any other type of search warrant, law officers aren't allowed to seize material not covered in the search warrant or through a recognized legal exception. A court will likely suppress evidence that should not have been seized, and it is possible the court will suppress all of the evidence obtained by that search warrant. Additionally, it is possible that the person who suffered the loss of property may seek civil recourse against the government agency and its officers for incorrectly seizing their property.
In the examination of seized electronic media, one of the prime areas for computer evidence is the retention of email on the defendant's electronic storage media. It is estimated that over 100 million people send an average of one billion email messages every day. However, most computer users feel the words constituting an email message, are gone after sending the message. We know this isn't the case. Email are usually retained on the workstation's hard drive and may be stored in one or more email servers at the server or ISP level waiting to be collected via a search warrant or court order. Even if deleted, a skillful examiner may recover email. The story they tell is significant when placed in the context of a criminal or civil allegation.
'Carefully' would be the best word to describe the manner in which electronic evidence is seized, collected, and examined. If there are any doubts as to the means by which computers and electronic media can be seized and examined, consultation with legal counsel should be sought.
(A further resource regarding the seizure of computers in the U.S. can be located at: www.usdoj.gov/criminal/cybercrime/searching.html.)
Alan B. Sterneckert, CISSP, CISA, CFE, CCCI, is a retired Special Agent, Federal Bureau of Investigation. He is an information security consultant, lecturer and author. He may be contacted at [email protected].