In a real case scenario, investigators seized a laptop computer from a crime scene without a warrant. An allegation by the victim indicated the subject took pictures of an alleged sexual assault. Since investigators were in a lawful position to observe a picture of the subject and victim engaged in a sexual act on the computer’s screen, the seizure of the computer was justified. Subsequently, the investigator instructed the forensic examiner to recover picture files and/or movies from the computer’s hard drive. No search warrant was obtained. After creating a forensic image of the hard drive, the examiner analyzed (searched) the forensic image with the use of automated scripts and discovered hundreds of pornographic pictures and movies depicting underage children. He then exported all the incriminating data and the subject was charged with possession of child pornography. The question arises as to whether the search of the computer’s hard drive was legal and whether or not the child pornography would be admissible at the time of trial.

Is a Warrant Warranted?
Under the plain view exception to a warrant, evidence of a crime may be seized if an investigator is in a lawful position to observe the evidence and its incriminating character is immediately apparent. In the scenario, this standard was met. However, the examination of the computer’s hard drive without an additional warrant may become problematic. Initially, probably no additional warrant was needed since the examiner knew that there was at least one picture of the subject and victim engaged in a sexual act. He needed to discern if there were others. Manually searching and analyzing the forensic image for specific types of picture or movie files (.jpg, .jpeg, .tiff, .asf, .avi, .wmv, etc.) is virtually impossible. Thus the investigator ran automated scripts to search for these file types. This is an extremely efficient, time-saving feature of forensic software. (It does raise the interesting question as to whether the examiner or the forensic software is performing the analysis of the evidence). Unfortunately, the forensic software cannot separate out those files containing pictures of the subject and victim from all the other similar files with the same extensions. Thus, the examiner is faced with the daunting task of viewing literally hundreds or thousands of files, searching for those that contain the subject and victim. Of concern is whether or not the plain view doctrine would allow the examiner to view all the files without the benefit of a warrant since the files that must be viewed are not in “plain view.”1 Furthermore, the question also arises as to whether each file that is stored on a hard drive should be considered an individually closed and separate container. Not surprisingly, the courts have issued differing opinions and conclusions. For instance, in Carey2, a police detective with a warrant to search a hard drive for drug trafficking evidence opened a file and discovered child pornography. He then abandoned his search for drug-related evidence and spent several hours searching for and exporting hundreds of additional photographs of child pornography. At the time of trial, the defendant moved to have the child pornography excluded on the grounds that the detective exceeded the scope of his warrant. The court agreed and all the files except the first one that the detective discovered were disallowed. The interpretation appears to be that the first file that came into plain view during the execution of the search warrant could be seized, but that the plain view exception did not justify the continued search for child pornography. However, in Runyan3 and Slanina4, the Fifth Circuit suggested that the plain view of a single file on a computer’s hard drive could provide the basis for a more extensive search without an additional warrant.

Likely Course of Action
When investigators initially seize a computer without a warrant, they usually obtain one prior to the forensic examiner beginning his/her analysis. The warrant would indicate the scope of the search, specifically listing the potentially incriminating files or data that the computer’s hard drive may contain. However, since the computer is already in police custody, this raises the interesting question as to how to maintain the legal requirements of serving a warrant (see previous column). The warrant would have to be served on the computer itself. As strange as this may sound, a number of investigators have indicated to me that this does occasionally occur in their jurisdictions, and I have actually witnessed this practice on several occasions.

Referring back to the case scenario, the best course of action would have been for the investigator to obtain a warrant to search the computer after it was seized and then serve the warrant on the computer. Since this was not done, the next best course of action would have been to suspend further analysis once the examiner found the first evidence of child pornography. The investigator could then view the picture and obtain a warrant to specifically search for further evidence of child pornography. The courts are quite clear on this matter. In Walser5 the investigator had a warrant to search a computer for records of drug transactions, but during the search discovered child pornography. He suspended his search and returned to the magistrate for a second warrant to instead search for child pornography. In Gray6 the investigator searching a computer with a warrant for evidence of hacking instead found child pornography. He suspended his search and obtained a second warrant to search for child pornography. In both instances, the courts upheld the searches when the second warrants were obtained. Simply stated, investigators should obtain a warrant prior to having a computer searched. Likewise, forensic examiners should contact investigators to ascertain if a warrant has been obtained before searching a computer for incriminating data.

References:

1. United States v. Maxwell, 45 M.J. 406, 422 (C.A.A.F. 1996).
2. United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999)
3. United States v. Runyan, 275 F.3d 449, 464-65 (5th Cir. 2001).
4. United States v. Slanina, 283 F.3d 670, 680 (5th Cir. 2002).
5. United States v. Walser, 275 F.3d 981, 986-87 (10th Cir. 2001).
6. Gray, 78 F. Supp. 2d at 530-31.

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. John can be reached at jjb@digforcon.com.