In a recent case scenario, an adult female victim indicated to the police that she had just been sexually assaulted by an adult male subject in his apartment. She stated that the subject forcibly removed her clothing and photographed the sexual assault. A rape kit was collected from the victim along with her clothing. Investigators obtained a search warrant for the subject’s premises and it was executed later that day. The warrant identified the location to be searched, the subject’s apartment, and the property to be seized: the clothing the subject was wearing at the time of the allegation, sheets from the bedroom, and cameras. The apartment was also to be processed for latent fingerprints and potential trace evidence. At the scene, the subject was arrested and advised of his rights. He indicated that no assault occurred and that he and the alleged victim had consensual sex. He further stated that when the alleged victim asked for fifty dollars before leaving, he refused to pay her the money. He claimed an argument ensued and that the alleged victim stated she was going to get him for not paying her the fifty dollars.
Investigators seized clothing, sheets, and a digital camera, and processed the apartment for latent fingerprints. In the bedroom, investigators observed an operating laptop computer displaying a picture of the subject and alleged victim engaged in a sexual act. Although the computer was not listed in the warrant, it was seized by the investigators. All the evidence was submitted to a forensic laboratory for analysis. Due to backlogs in the laboratory, the analysis took six weeks to complete. The results were as follows:
- The subject’s DNA was identified on swabs from the rape kit.
- Fibers consistent with those from the victim’s blouse were found on the subject’s jeans.
- Cotton threads on one of the straps on the victim’s bra appeared to be torn.
- Two aluminum foil packets containing cocaine were discovered in one pocket of the subject’s jeans.
- Dried stains found on the sheets contained a mixture of DNA from the subject and the victim.
- Latent fingerprints found in the bedroom were identified as being those of the victim.
- Sweepings from the sheets contained fibers which were consistent with those from the victim’s jeans, blouse, and bra.
- The digital camera’s memory card contained several pictures of the subject and victim engaged in sexual acts.
- No additional pictures of the victim were found on the laptop computer’s hard drive. However, hundreds of other pornographic pictures and movies were found, many of which appeared to depict underage children.
After reviewing the forensic results, investigators additionally charged the subject with possession of a controlled substance and possession of child pornography.
The Scope of the Search Warrant
Since there were no witnesses, this type of case usually evolves into a “he said, she said” allegation. Physical evidence can often be a deciding factor in litigation. Forensic analysis can link a subject and victim, thereby substantiating the allegation that a crime was committed. However, even though the evidence points toward the commission of a crime, it is the court’s responsibility to determine the relevancy and admissibility of that evidence. Indeed, one of the first tasks that a defense attorney is going to carry out is to examine the initial search warrant to determine if it was issued and executed correctly. As we are aware, every day courts dismiss probative evidence because of illegal searches and seizures. Pertaining to the above case scenario, what evidence is going to be allowed or disallowed by the court?
Based upon the circumstances described by the victim in the case scenario, investigators wrote the warrant and executed it within the requirements of the law. Normally, those requirements include:
- An affidavit in support of the warrant.
- Executing the warrant within ten days of its issuance.
- Serving it during daytime hours.
- Noting the exact date and time the warrant is served.
- Preparing an inventory of items seized.
- Providing a copy of the warrant and a receipt for the seized property to the subject.
- Returning the warrant and inventory list to the judge designated in the warrant.
Pertaining to the seizure of digital devices, there is some misunderstanding concerning what “executing the warrant within ten days” actually means. Many investigators (and some prosecutors) have interpreted this to also mean that the forensic analysis of the digital devices must be completed within ten days after they are seized. This is not a correct interpretation. There is no requirement or mention in the Federal Rules of Criminal Procedure regarding any time limits for the forensic examination of evidence.[1] Investigators only have to execute (serve) the warrant within ten days after it is issued to avoid it becoming “stale.”[2]
In this scenario, investigators seized the subject’s laptop computer even though it was not listed in the warrant. This should not be an issue. Investigators were in a lawful position to observe the computer. It was already running and it was displaying a picture of the subject and victim engaged in a sexual act. Its incriminating character was immediately apparent.[3] Concerning computers (and other digital devices or digital media), there are different interpretations as to whether another search warrant is necessary to conduct further analysis after seizure. Normally, when a computer is going to be seized, the investigator would clearly explain in the supporting affidavit that after its seizure and removal from the scene, it is going to be searched for evidence. Often, investigators will detail what types of computer files they are going to be looking for so as not to run afoul of the Fourth Amendment, which requires that every warrant must “particularly describ[e]…the…things to be seized.”[4] This requirement restricts and prevents law enforcement from executing a general warrant to search for evidence of a crime.
To Seek or Not to Seek a Warrant
In our scenario, the investigator instructed the forensic examiner to recover picture files and/or movies from the computer’s hard drive. No search warrant was obtained. After creating a forensic image of the hard drive, the examiner analyzed (searched) the forensic image with the use of automated scripts and discovered hundreds of pornographic pictures and movies depicting underage children. He then exported all the incriminating data and the subject was charged with possession of child pornography. The question arises as to whether the search of the computer’s hard drive was legal and whether or not the child pornography would be admissible at the time of trial.
Under the plain view exception to a warrant, evidence of a crime may be seized if an investigator is in a lawful position to observe the evidence and its incriminating character is immediately apparent. In the scenario, this standard was met. However, the examination of the computer’s hard drive without an additional warrant may become problematic. Initially, probably no additional warrant was needed since the examiner knew that there was at least one picture of the subject and victim engaged in a sexual act. He needed to discern if there were others. Manually searching and analyzing the forensic image for specific types of picture or movie files (.jpg, .jpeg, .tiff, .asf, .avi, .wmv, etc.) is virtually impossible. Thus the investigator ran automated scripts to search for these file types. This is an extremely efficient, time-saving feature of forensic software. (It does raise the interesting question as to whether the examiner or the forensic software is performing the analysis of the evidence.) Unfortunately, the forensic software cannot separate out those files containing pictures of the subject and victim from all the other similar files with the same extensions. Thus, the examiner is faced with the daunting task of viewing literally hundreds or thousands of files, searching for those that contain the subject and victim. Of concern is whether or not the plain view doctrine would allow the examiner to view all the files without the benefit of a warrant since the files that must be viewed are not in “plain view.”[5] Furthermore, the question also arises as to whether each file that is stored on a hard drive should be considered an individually closed and separate container. Not surprisingly, the courts have issued differing opinions and conclusions.
For instance, in Carey,[6] a police detective with a warrant to search a hard drive for drug trafficking evidence opened a file and discovered child pornography. He then abandoned his search for drug-related evidence and spent several hours searching for and exporting hundreds of additional photographs of child pornography. At the time of trial, the defendant moved to have the child pornography excluded on the grounds that the detective exceeded the scope of his warrant. The court agreed and all the files except the first one that the detective discovered were disallowed. The interpretation appears to be that the first file that came into plain view during the execution of the search warrant could be seized, but that the plain view exception did not justify the continued search for child pornography. However, in Runyan[7] and Slanina,[8] the Fifth Circuit suggested that the plain view of a single file on a computer’s hard drive could provide the basis for a more extensive search without an additional warrant.
Likely Course of Action
When investigators initially seize a computer without a warrant, they usually obtain one prior to the forensic examiner beginning his/her analysis. The warrant would indicate the scope of the search, specifically listing the potentially incriminating files or data that the computer’s hard drive may contain. However, since the computer is already in police custody, this raises the interesting question as to how to maintain the legal requirements of serving a warrant. The warrant would have to be served on the computer itself. As strange as this may sound, a number of investigators have indicated to me that this does occasionally occur in their jurisdictions, and I have actually witnessed this practice on several occasions.
Referring back to the case scenario, the best course of action would have been for the investigator to obtain a warrant to search the computer after it was seized and then serve the warrant on the computer. Since this was not done, the next best course of action would have been to suspend further analysis once the examiner found the first evidence of child pornography. The investigator could then view the picture and obtain a warrant to specifically search for further evidence of child pornography. The courts are quite clear on this matter. In Walser[9] the investigator had a warrant to search a computer for records of drug transactions, but during the search discovered child pornography. He suspended his search and returned to the magistrate for a second warrant to instead search for child pornography. In Gray[10] the investigator searching a computer with a warrant for evidence of hacking instead found child pornography. He suspended his search and obtained a second warrant to search for child pornography. In both instances, the courts upheld the searches when the second warrants were obtained. Simply stated, investigators should obtain a warrant prior to having a computer searched. Likewise, forensic examiners should contact investigators to ascertain if a warrant has been obtained before searching a computer for incriminating data.
1. Federal Rules of Criminal Procedure, Rule 41 Search and Seizure (The rule does not provide for a specific time limit in which a computer may undergo a forensic examination after it has been seized pursuant to a search warrant).
2. United States v. Sanchez, 689 F.2d 508, 512 n.5 (5th Cir. 1982).
3. Horton v. California, 496 U.S. 128 (1990).
4. U.S. Constitution, Amendment IV.
5. United States v. Maxwell, 45 M.J. 406, 422 (C.A.A.F. 1996).
6. United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999).
7. United States v. Runyan, 275 F.3d 449, 464-65 (5th Cir. 2001).
8. United States v. Slanina, 283 F.3d 670, 680 (5th Cir. 2002).
9. United States v. Walser, 275 F.3d 981, 986-87 (10th Cir. 2001).
10. Gray, 78 F. Supp. 2d at 530-31.
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. John can be reached at email@example.com.