Updated: May 16, 2020
Unless the digital forensics examiner is also the lead investigator, the examination of digital evidence is usually initiated by someone else who suspects that the devices to be examined contain evidence that could prove, or disprove, the allegations under investigation. Because of the nature of digital forensics, the requestor may not know enough about what can be discovered on the examined devices to form a request that stays lawfully within the scope of the authority granted to examine the evidence.
Examples of lawful authority for a digital examination include:
Verbal consent
Written consent
Company policies indicating no expectation of privacy on company equipment
Court orders and subpoenas
Search warrants
Each form of authority has its own advantages and disadvantages:
Verbal consent is the easiest to obtain, but there is no record of it, and the grantor can easily deny ever having given it.
Written consent is also easy to obtain; however, once the consent is revoked, all work must cease.
Company policies stating that there is no expectation of privacy in data stored on company equipment make it easy to begin a digital forensics examination. However, the use of company equipment to access private accounts (bank accounts, external email, and so on) creates privacy issues, because the company may not be legally entitled to that data.
Court orders and subpoenas are more powerful, but they take more time, because an attorney or prosecutor must draft and issue the demand for the data to be extracted for examination.
Search warrants, when properly drafted, allow for the recovery of digital evidence and set the boundaries of the scope of the examination. Search warrants take the most time to draft and to get a judge to issue.
Once the legal authority is obtained, and the equipment and data sources are available, the examiner must pay very close attention to the wording of both the request and the legal authority. Failing to stay within the boundaries of the request and the legal authority can cause serious problems: mistrials, civil lawsuits, suppression of the evidence at trial, and even criminal charges. The following are examples of exceeding the scope of the request and the legal authority:
In this example, a company's Human Resources department is investigating inappropriate communications sent over the company's messaging system. The request is to review all communications between the two subjects named in the complaint. The examiner has the legal authority, granted by the company's policies, to examine the communications and does as requested. While reviewing those communications, the examiner sees evidence of a crime that is outside the scope of the request. Managers have told the examiner not to exceed the scope of the request, and that "sometimes it's best not to know." The examiner now faces a dilemma: follow the law and disobey a direct order, or 'turn a blind eye' to a crime that has been committed. What should the examiner do? On one hand, the examiner could be disciplined for disobeying a direct order. On the other hand, the examiner could face accusations of covering up a crime should it be discovered in the future.
This example concerns a private forensic examiner who was referred to assist a private attorney whose client wanted data recovered from a cell phone. The client gives written consent for the examiner to extract the text messages and emails from his 14-year-old son's cell phone. During the examination, however, the examiner realizes that the cell phone actually belongs to the client's estranged wife, whom the client accuses of having an extra-marital affair. What should the examiner do? Lawsuits against the examiner could arise from both parties.
This example concerns a law enforcement forensic examiner who is asked to examine 'pings' from cell phone towers in a homicide investigation. The request comes from a member of the police department's violent crimes task force. The task force has a county prosecuting attorney assigned to it, who has issued a subpoena for the information. After the data has been analyzed and the case is in court, the defense attorney moves to suppress the evidence obtained from the cell phone towers, citing case law holding that a search warrant is required for cell phone location data. What should have been done? See: Lawyer's Double-Murder Trial Delayed Over Use of Subpoena Rather than Warrant for Cellphone Search
This example concerns a law enforcement forensic examiner who is asked to find evidence of fraud on a submitted laptop. The search warrant grants legal authority to obtain evidence of fraud. During the examination, however, the examiner discovers images of child pornography. What should the examiner do? In this case, the examination must stop, and a new warrant must be obtained from the judge extending the scope of the examination to child pornography. Failing to obtain a new warrant and request can result in the case ending in a mistrial. See: Civil Liability for Exceeding the Scope of a Search Warrant
This example concerns a law enforcement forensic examiner who is asked to find evidence of child pornography, with a search warrant that defines the scope of the examination. However, the examiner also finds evidence of fraud. What should the examiner do? See: United States v. Mann: Computer Search Warrants: Where Can We Look?
The logical conclusion is that the digital forensic examiner must know the scope of the request for service and the boundaries of the legal authority, and must communicate with the requestors.
Private examiners must have written agreements to protect themselves from deceit by the requestor, and to make it understood that unlawful activity discovered during an examination may result in notification of law enforcement.
Communication is the key to avoiding many of these problems. Most requestors need to be educated about what can be found, so that they can make the proper adjustments to the request and the legal authority before the evidence and the formal request are submitted. Attorneys are highly educated; however, they also appreciate expert advice on the technical knowledge that digital forensic examiners possess, so do not rely on them to know everything. If you believe that something could pose a problem for the examination, speak up from the beginning.
Search warrants are the best documents for granting legal authority for an examination. However, the trend has been toward search warrants that are more restrictive in the scope of the examination they allow. Judges no longer sign orders granting an examination for "all illegal activity" on the examined devices.
Communication between the lead investigator, the prosecutor and the forensic examiner is imperative in order to obtain a search warrant that allows for a smooth and lawful examination of digital devices.