WPC,  WP_TV98486212WPTVWPC2WPTVWPC2<` 0@ 8{WP}01h0  HH  2$HH  Geneva  <Px443!#4$*$$*$ KK  Geneva  Geneva .,6 43.0)3.0, 1989, 1993 WordPerfect Corporation(3.0Created with WordPerfect 3.0.(?I' WordPerfectx HH@Rd(hh @d t\PSet:PJobFTStlRversjWDatSTR PtPtoo<(4d mx t4qH fm|v{WP}10{WP}01"H%Z" ""?{WP}10FPx<Px <<KK ۪HH% Ы ?," ", " "  ? 0@P`pB ? ܖ  This document was obtained under the Freedom of Information  Act by the Electronic Privacy Information Center in November  1994 and scanned in by the Bureau of National Affairs. It is  not copyrighted and may be freely distributed. A analysis of this document is available from EPIC atcpsr.org /cpsr/privacy/epic/guidelines_analysis.txt. EPIC,with the cooperation of the Bureau of National Affairs, ismaking the guidelines available electronically. The document is available via FTP/Gopher/WAIS/listserv from the0EPIC online archive at cpsr.org@/cpsr/privacy/epic/fed_computer_siezure_guidelines.txt. APprinted version appears in the Bureau of National Affairs`publication, Criminal Law Reporter, Vol. 56, No. 12p(December 21 1994).ܖ  !!""#  ?#$0$%@%&PC ?&'`F'(ppp(( HFUS Department of Justice ()Criminal Division )*Office of Professional Development and Training*++,ܖ,--. FEDERAL GUIDELINES FOR SEARCHING AND SEIZING COMPUTERS.//0ܖ 0112 JULY 199423034@45PPREFACE56`67p78These Guidelines are the product of an interagency group, informally89called the Computer Search and Seizure Working Group. Its members were9:lawyers, agents, and technical experts from the Federal Bureau of:;Investigation; the United States Secret Service; the Internal Revenue;<Service; the Drug Enforcement Administration; the United States Customs<=Service; the Bureau of Alcohol, Tobacco, and Firearms; the United States=>Air Force; the Department of Justice; and United States Attorneys'>?offices. Most of us have consulted widely within our own agencies to find?@the diversity of opinion on these topics. Our object was to offer some@Asystematic guidance to all federal agents and attorneys as they wrestleAB with cases in this emerging area of the law. These Guidelines have notBC0been officially adopted by any of the agencies, and are intended only asCD@assistance, not as authority. They have no regulatory effect, and conferDEPno right or remedy on anyone. Moreover, the facts of any particular caseEF`may require you to deviate from the methods we generally recommend, orFGpmay even demand that you try a completely new approach.GH Many of our recommendations must be tentative, because there is often soHIlittle law directly on point. As the law develops and as technologyIJchanges (thereby altering or even transforming our assumptions), theJKWorking Group may well find itself a Standing Committee with openKLmembership.LM If you have any comments, corrections, or contributions, please contactMNMarty StansellGamm at the Computer Crime Unit, General LitigationNOSection, Department of Justice (2025141026). As you confront theseFOPp(P HFissues in your practice, we will be eager to hear about your experiencePQ and to assist in any way we can.QR0RS@Scott C. Charney, Chief, Computer Crime UnitSTPTU`Martha J. StansellGammUVp Computer Crime UnitVW Chair, Computer Search and Seizure Working GroupWXXYGeneral Litigation and Legal Advice Section Criminal Division DepartmentYZof JusticeZ[[\\]TABLE OF CONTENTS]^^_INTRODUCTION ...................................................1_``a I. KEY TERMS AND CONCEPTSab0bc@A. DEFINITIONS ................................................ 3 cdPB. LIST OF COMPUTER SYSTEM COMPONENTS .........................5 de`C. DETERMINING THE COMPUTER'S ROLE IN THE OFFENSE .............$7efpfgII. GENERAL PRINCIPLESghhiA. SEARCH WARRANTS ............................................ 9 ijB. PLAIN VIEW .................................................!9 jkC. EXIGENT CIRCUMSTANCES ......................................9 klD. BORDER SEARCHES ............................................12 lmE. CONSENT SEARCHES . . . . . . . . . . . . . . . . . . . . . . 13mn 1. Scope of the Consent .................................... 13no 2. ThirdParty Consent ......................................14op a. General Rules ........................................14pq  b. Spouses . . . . . . . . . . . . . . . . . . . . . . . 17qr0 c. Parents . . . . . . . . . . . . . . . . . . . . . . . 17rs@ d. Employers .. . . .. . . .. . . .. . . . .. . . . .. . 18stP e. Networks: System Administrators ......................22tu`uvpF. INFORMANTS AND UNDERCOVER AGENTS ...........................24vwFwxp(x HF[page ii]xyyzIII. SEIZING HARDWAREH?z{?z{A. THE INDEPENDENT COMPONENT DOCTRINE .........................25 {|B. HARDWARE AS CONTRABAND OR FRUITS OF CRIME ..................26|}}~ 1. Authority for Seizing Contraband or Fruits of Crime .....26~ 2. Contraband and Fruits of Crime Defined .................. 27 0C. HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE .............. 28@P 1. Authority for Seizing Instrumentalities .................28` 2. Instrumentalities Defined ..............................."28pD. HARDWARE AS EVIDENCE OF AN OFFENSE .........................30G 1. Authority for Seizing Evidence ..........................30 2. Evidence Defined ........................................30E. TRANSPORTING HARDWARE FROM THE SCENE .......................31IV. SEARCHING FOR AND SEIZING INFORMATION  A. INTRODUCTION ...............................................35  B. INFORMATION AS CONTRABAND ..................................36  0C. INFORMATION AS AN INSTRUMENTALITY ..........................36  @D. INFORMATION AS EVIDENCE ....................................37 P 1. Evidence of Identity ....................................38 ` 2. Specific Types of Evidence ..............................$39 p a. Hard Copy Printouts .................................. 39  b. Handwritten Notes .................................... 40  E. PRIVILEGED AND CONFIDENTIAL INFORMATION ........... .. . . . 40   1. In General ..............................................40  a. Doctors, Lawyers, and Clergy .........................41  b. Publishers and Authors ...............................41  2. Targets ................................................. 42  3. Using Special Masters ................................... 43  F  p( 0 HF[page iii]  @ PF. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STANDALONE ` PCs, NETWORKS AND FILESERVERS, BACKUPS, ELECTRONIC BULLETIN p BOARDS, AND ELECTRONIC MAIL................................43   1. StandAlone PCs.........................................43   a. Input/Output Devices: Do Monitors, Modems, Printers,  and Keyboards Ever Need to be Searched? ............................"44  b. Routine Data Backups..................................46L? ?  2. Networked PCs...........................................46  a. Routine Backups .....................................48  b. Disaster Backups.....................................49  G. SEARCHING FOR INFORMATION ..................................49 0 1. Business Records and Other Documents ....................49 @ 2. Data Created or Maintained by Targets ...................!50 P 3. Limited Data Searches ...................................51 ` 4. Discovering the Unexpected ..............................53K p a. Items Different from the Description in the Warrant ..53  b. Encryption ...........................................54  H. DECIDING WHETHER TO CONDUCT THE SEARCH ONSITE OR TO  REMOVE HARDWARE TO ANOTHER LOCATION ........................55  1. Seizing Computers because of the Volume of Evidence .....56  a. Broad Warrant Authorizes Voluminous Seizure of Document."56  b. Warrant is Narrowly Drawn but Number of Documents to be  Sifted through is Enormous ..........................."58  c. Warrant Executed in the Home .........................59  d. Applying Existing Rules to Computers .................60  0 2. Seizing Computers because of Technical Concerns ........61 @ P a. Conducting a Controlled Search to Avoid Destroying Data 61 ` b. Seizing Hardware and Documentation so the System Will Operate p at the Lab ................................................ 62  I.EXPERT ASSISTANCE .......................................... 63 $1. Introduction ............................................ 63F  p(  HF$2. Finding Experts ......................................... 64 $ a. Federal Sources....................................... 65 $ b. Private Experts....................................... 66 $ (1) Professional Computer Organizations............... 66 $ (2) Universities...................................... 67 $ (3) Computer and Telecommunications Industry Personnel 67 $ (4) The Victim ....................................... 67 0$3. What the Experts Can Do ................................. 68 @$ a. Search Planning and Execution ........................ 68 P$ b. Electronic Analysis .................................. 68 ` p[page iv]  c. Trial Preparation .................................... 69  d. Training for Field Agents ............................ 70  V. NETWORKS AND BULLETIN BOARDS  A. INTRODUCTION ..................................................... 71  B.THE PRIVACY PROTECTION ACT, 42 U.S.C. 2000aa ................72$1. A Brief History of the Privacy Protection Act .............72$2. Work Product Materials ....................................73 $3. Documentary Materials .....................................770$4. Computer Searches and the Privacy Protection Act ..........78@$ a. The Reasonable Belief Standard .........................79P$ b. Similar Form of Public Communication ...................82`$ c. Unique Problems: Unknown Targets and Commingled Materialsp ...83$5. Approval of Deputy Assistant Attorney General Required ....84C. STORED ELECTRONIC COMMUNICATIONS ..................................85Vl. DRAFTING THE WARRANTA. DRAFTING A WARRANT TO SEIZE HARDWARE ............................. 91B. DRAFTING A WARRANT TO SEIZE INFORMATION .......................... 92 1. Describing the Place to be Searched ........................... 92  a. General Rule: Obtain a Second Warrant ...................... 930 b. Handling Multiple Sites within the Same District ........... 93F@@p(P HF c. Handling Multiple Sites in Different Districts ............. 94` d. Information at an Unknown Site ............................. 95p e. Information/Devices Which Have Been Moved .................. 96 2. Describing the Items to be Seized ............................. 97 3. Removing Hardware to Search OffSite: Ask the Magistrate forExplicit Permission..................................................... 99 4. Seeking Authority for a NoKnock Warrant ..................... 100 a. In General ................................................ 100 b. In ComputerRelated Cases ................................. 101[page v]VII. POSTSEARCH PROCEDURES 0A. INTRODUCTION .....................................................103@PB. PROCEDURES FOR PRESERVING EVIDENCE ........................ 104` 1. Chain of Custody .......................................104p 2. Organization ...........................................$104 3. Keeping Records ........................................105 4. Returning Seized Computers and Materials ...............105 a. Federal Rules of Criminal Procedure: Rule 41(e) .....106 b. Hardware ............................................109 c. Documentation .......................................110 d. Notes and Papers ....................................110  e. ThirdParty Owners ..................................111    VIII. EVIDENCE     A. INTRODUCTION ..............................................113 0@B. THE BEST EVIDENCE RULE .................................... 114P`C. AUTHENTICATING ELECTRONIC DOCUMENTS .......................115p 1. "Distinctive" Evidence ...............................116 2. Chain of Custody .......................................119 3. Electronic Processing of Evidence ......................120D. THE HEARSAY RULE ..........................................122Fp( HFIX APPENDICESAPPENDIX A: SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS ...... 125 1. Tangible Objects ....................................125  a. Justify Seizing the Objects ......................1250 b. List and Describe the Objects .................... 126@ (1) Hardware . . . . . . . . . . . . . . . . . ...... . 127P (2) Software .....................................127 ` (3) Documentation . . . . . . . . . . . . . . ...... . 128 !p (4) Passwords and Data Security Devices ..........128 !""#[page vi]#$ 2. Information: Records, Documents, Data ...............128$% a. Describe the Content of Records, Documents, or other %& Information ... 129&' b. Describe the Form which the Relevant Information May Take '( ........ 130() c. Electronic Mail: Searching and Seizing Data from a BBS Server)* under 18 U.S.C. .................................................131*+ (1) If All the EMail is Evidence of Crime ............... 131+,  (2) If Some of the EMail is Evidence of Crime ........... 132,-0 (3) If None of the EMail is Evidence of Crime ........... 132-.@ d. Ask Permission to Seize Storage Devices when an OffSite Search./Pis Necessary . . . . . . . . . . . . . . . . . . . . . . . . . .. . .133/0` e. Ask Permission to Seize, Use, and Return Auxiliary Items, as01pNecessary ...........................................................13412 f. Data Analysis Techniques .................................. 135233. Stipulation for Returning Original Electronic Data .............. 1353445APPENDIX B: GLOSSARY ............................................... 1395667APPENDIX C: FEDERAL EXPERTS FOR COMPUTER CRIME INVESTIGATIONS....... 1437889APPENDIX D: COMPUTER SEARCH AND SEIZURE WORKING GROUP ...............1459::;APPENDIX E: STATUTORY POPULAR NAME TABLE.............................153;< <=0APPENDIX F: TABLE OF AUTHORITIES .................................. 155=>@ Cases .... . . . . . . . . . . . . . . . . . . . . . 155>?P Statutes . . . . . . . . . . . . . . . . . . . . . . . 162F?@``p(@p HF Federal Rules ..........................................162@A Federal Regulations ....................................163AB Legislative History . . . . . . . . . . . . . . . . . . 163BC Reference Materials ....................................164CD[page a]DEEFINTRODUCTIONFGGH As computers and telecommunications explode into the next century,HIprosecutors and agents have begun to confront new kinds of problems.IJThese Guidelines illustrate some of the ways in which searching aJK computer is different from searching a desk, a file cabinet, or anKL0automobile. For example, when prosecutors must interpret Rule 41 (whichLM@requires that the government obtain a search warrant in the districtMNPwhere the property to be searched is "located"), applying it to searchesNO`of physical items is usually uncomplicated. But when they must try toOPp"locate" electronic data, the discussion can quickly become morePQmetaphysical than physical.QR Even so, it is important to remember throughout the process that asRSdazzling and confounding as these newage searches and seizures may be,STthey are in many essential ways just like all other searches. The causeTUmust be just as probable; the description of items, just as particular.UVThe standard investigative techniques that work in other cases (likeVWfinding witnesses and informants) are just as valuable in computer cases.WXThe evidence that seals a case may not be on the hardware or software,XYbut in an oldfashioned form: phone bills, notes in the margins ofYZmanuals, or letters in a drawer.Z[  The sections that follow are an integration of many legal sources,[\0practical experiences, and philosophical points of view. We have often\]@had to extrapolate from existing law or policies to try to strike old]^Pbalances in new areas. We have done our best to anticipate the questions^_`ahead from the data available today. Even so, we recognize that rapid_`padvances in computer and telecommunications technologies may require that`awe revisit these Guidelines,~perhaps in the near future. In the meantime,abas law struggles to catch up to technology, it is important to rememberbcthat computer cases are just like all others in one respect at least:cdunder all the "facts and circumstances," there is no substitute fordereasonable judgment.effg[no page 2] [page 3]Fghp(h  HFܿhiI. KEY TERMS AND CONCEPTSij jk0 Searching and seizing computers raises unique issues for law enforcementkl@personnel. Before addressing these issues, however, it is important tolmPhave a basic understanding of key terms and fundamental concepts thatmn`will influence the government's search and seizure decisions. Thisnopsection describes these central terms and concepts. A more completeopglossary can be found at APPENDIX B, p. 139.pqqrA. DEFINITIONSrsstWhen people speak of searching or seizing computers, they usually are nottureferring only to the CPU (Central Processing Unit). After all, auvcomputer is useless without the devices that allow for input (e.g., avwkeyboard or mouse) and output (e.g., a monitor or printer) ofwxinformation. These devices, known as "peripherals,"' are an integral partxyof any "computer system."yz z{0Failure to more specifically define the term "computer" may cause{|@misunderstandings. Having probable cause to seize a "computer" does not|}Pnecessarily mean there is probable cause to seize the attached printer.}~`Therefore, we need to be clear about our terms.~p1. Hardware "The physical components or equipment that make up acomputer system...." Webster's Dictionary of Computer Terms 170 (3d ed.1988). Examples include keyboards, monitors, and printers.2. Software "The programs or instructions that tell a computer what todo." Id. at 350. This includes system programs which control the internaloperation of the computer system (such as Microsoft's Disk OperatingSystem, "MSDOS," that controls _________________________ 01 Peripheral equipment means "[t]he input/output units and auxiliary@storage units of a computer system, attached by cables to the centralPprocessing unit." Webster's Dictionary of Computer Terms 279 (3d ed.`1988).pFp(  HF[page 3]IBMcompatible PCs) and applications programs which enable the computerto produce useful work (e.g., a word processing program such asWordPerfect).3. Data "A formalized representation of facts or concepts suitable forcommunication, interpretation, or processing by people or by automaticmeans." Id. at 84. Data is often used to refer to the information stored in the computer.0@4. Documentation Documents that describe technical specifications ofPhardware components and/or software applications and how to use them.`p5. Input/Output (I/O) Device A piece of equipment which sends data to,or receives data from, a computer. Keyboards, monitors, and printers areall common I/O devices.6. Network "A system of interconnected computer systems andterminals." Id. at 253.7. System Administrator (or System Operator, "sysop") The individualresponsible for assuring that the computer system is functioningproperly. He is often responsible for computer security as well. For search and seizure purposes, unless the text specifically indicates0otherwise, the term "computer" refers to the box that houses the CPU,@along with any internal storage devices (such as internal hard drives)Pand internal communications devices (such as an internal modem or fax`card). Thus, "computer" refers to the hardware, software, and datapcontained in the main unit. Printers, external modems (attached by cableto the main unit), monitors, and other external attachments will bereferred to collectively as "peripherals" and discussed individuallywhere appropriate. When we are referring to both the computer and allattached peripherals as one huge package, we will use the term "computersystem." "Information" refers to all the information on a computersystem, including both software applications and data.It is important to remember that computer systems can be configured in anunlimited number of ways with assorted input and output devices. In someFp(   HFcases, a specific device may have particular evidentiary value (e.g., if0the case involves@P[page 5] a bookie who prints betting slips, the printer may constitute`valuable evidence); in others, it may be the information stored in thepcomputer that may be important. In either event, the warrant mustdescribe, with particularity, what agents should search for and seize.B. LIST OF COMPUTER SYSTEM COMPONENTSThe following is an abridged list of hardware components which may play arole in a criminal offense and, therefore, be subject to search andseizure under warrant. For a more extensive list, see the "GLOSSARY" atAPPENDIX B, p. 139. It is important to remember that electroniccomponents are constantly changing, both in nature and in number, and nolist can be comprehensive. 0Device Name Description@PCPU:The central processing unit.`pHard Disk Drive:A storage device based on a fixed, permanentlymounted disk drive. It may be either internal or external. Bothapplications and data may be stored on the disk.Floppy Disk Drive:A drive that reads from or writes to floppydiskettes. Information is stored on the diskettes themselves, not on thedrive.Mouse:A pointing device that controls input. Normally, the user pointsto an object on the screen and then presses a button on the mouse toindicate her selection. 0Modem:A device allowing the computer to communicate with another@computer, normally over standard telephone lines. Modems may be eitherPexternal or internal.`p[page 6] Fax Peripheral: A device, normally inserted as an internal card,that allows the computer to function as a fax machine.Fp(  HFܿCD ROM:CD ROM stands for Compact Disk ReadOnly Memory. CD ROMs storeand read massive amounts of information on a removable disk platter.Unlike hard drives and diskettes, CD ROMs are readonly and data cannotbe written to the platter.Laser Disk:Similar to a CD ROM drive but uses lasers to read and write information.0@Scanner:Any optical device which can recognize characters onPpaper and, using specialized software, convert them into digital form.`pPrinter:A number of technologies exist, using various techniques.The most common printers are:1. Dot matrix characters and graphics are created by pins hitting theribbon and paper;2. Laser electrostatically charges the printed page and applies toner;3. Ink jet injects (sprays) ink onto the paper;  4. Thermal a hot printer head contacts special paper that reacts to heat; 0 @5. Band a rotating metal band is impacted as it spins; P `6. Daisy wheel a small print wheel containing the form of each pcharacter rotates and hits the paper, character by character; [page 7]  7. Plotter moves ink pens over the paper surface, typically used for large engineering and architectural drawings.  C. DETERMINING THE COMPUTER'S ROLE IN THE OFFENSE  Before preparing a warrant to seize all or part of a computer system and the information it contains, it is critical to determine the computer's!role in the offense. First, the computer system may be a tool of the!offense. This occurs when the computer system is actively used by a! defendant to commit the offense. For example, a counterfeiter might useF!0!0p( !@ HFhis computer, scanner, and color printer to scan U.S. currency and then !Pprint money. Second, the computer system may be incidental to the  !`offense, but a repository of evidence. For example, a drug dealer may  !pstore records pertaining to customers, prices, and quantities delivered  !on a personal computer, or a blackmailer may type and store threatening  !letters in his computer. !!In each case, the role of the computer differs. It may constitute "the!smoking gun" (i.e., be an instrumentality of the offense), or it may be!nothing more than an electronic filing cabinet (i.e., a storage device).!In some cases, the computer may serve both functions at once. Hackers,!for example, often use their computers both to attack other computer"systems and to store stolen files. In this case, the hacker's computer is"both a tool and storage device. Whatever the computer's role in each" case, prosecutors must consider this and tailor warrants accordingly."0"@By understanding the role that the computer has played in the offense, it"Pis possible to focus on certain key questions:"`"pIs there probable cause to seize hardware?""Is there probable cause to seize software?""Is there probable cause to seize data? " !"[page 8]!"""#"Where will this search be conducted? Is it practical to search the#$#computer system on site, or must the examination be conducted at a field$%#office or laboratory?%&# &'#0If agents remove the system from the premises to conduct the search, must'(#@they return the computer system, or copies of the seized data, to its()#Powner/user before trial?)*#`*+#pConsidering the incredible storage capacities of computers, how will+,#agents search this data in an efficient, timely manner?,-#-.#Before addressing these questions, it is important to recognize that./#general Fourth Amendment principles apply to computer searches, andF/0##p(0# HFtraditional law enforcement techniques may provide significant evidence01#of criminal activity, even in computer crime cases. Therefore, we begin12#with a brief overview of the Fourth Amendment.23$34$[page 9]45$ 56$0II. GENERAL PRINCIPLES67$@78$PA. SEARCH WARRANTS89$`9:$pThere is, of course, "a strong preference for warrants," and courts will:;$scrutinize a warrantless search. Indeed, as the Supreme Court indicated;<$in United States v. Leon, 468 U.S. 897, 914 (1984), a warrant can save a<=$search where probable cause is doubtful or marginal. Most searches of=>$computer systems will be pursuant to warrant, but the recognized>?$exceptions to the warrant requirement apply equally to the search and?@$seizure of computers.@A$AB$B. PLAIN VIEWBC%CD%Evidence of a crime may be seized without a warrant under the plain viewDE% exception to the warrant requirement. To rely on this exception, theEF%0officer must be in a lawful position to observe the evidence, and itsFG%@incriminating character must be immediately apparent. See Horton v.GH%PCalifornia, 496 U.S. 128 (1990). For example, if agents with a warrant toHI%`search a computer for evidence of narcotics trafficking find a long listIJ%pof access codes taped to the computer monitor, the list should also beJK%seized.KL%LM%C. EXIGENT CIRCUMSTANCESMN%NO%"When destruction of evidence is imminent, a warrantless seizure of thatOP%evidence is justified if there is probable cause to believe that the itemPQ%seized constitutes evidence of criminal activity." United States v.QR%David. 756 F. Supp. 1385, 1392 (D. Nev. l991).2 If a target's screen isRS&displaying evidenceST&TU& ܖ 2 See also United States v. Talkington, 875UV&0F.2d 591 (7th Cir. 1989) (warrantless entry to residence and seizure ofVW&@counterfeit money was justified since agents knew that (1) the suspectsFWX&P&Pp(X&` HFhad previously discussed burning money; (2) there was a fire in theXY&pbackyard: and (3) the agents were confident that residents were notYZ&having a cookout.Z[&[\&[page 10]\]&]^&^_&_`& which agents reasonably believe to be in danger, the "exigent`a&circumstances" doctrine would justify downloading the information beforeab'obtaining a warrant. For example, agents may know that the incriminatingbc'data is not actually stored on the suspect's machine, but is onlycd' temporarily on line from a second network storage site in anotherde'0building, city, or district. Thus, even if the agents could secure theef'@target's computer in front of them, someone could still electronicallyfg'Pdamage or destroy the data either from the second computer where it isgh'`stored or from a third, unknown site. Of course, when agents know theyhi'pmust search and seize data from two or more computers on a wideareaij'network, they should, if possible, simultaneously execute separate searchjk'warrants. (See "Describing the Place to be Searched," infra p. 92.) Butkl'sometimes that is not possible, and agents must then analyze thelm'particular situation to decide whether the "exigent circumstances"mn'exception applies. In computer network cases, as in all others, theno'answer is absolutely tied to the facts.op'pq'In determining whether exigent circumstances exist, agents shouldqr(consider: (1) the degree of urgency involved, (2) the amount of timers(necessary to obtain a warrant, (3) whether the evidence is about to best( removed or destroyed, (4) the possibility of danger at the site, (5)tu(0information indicating the possessors of the contraband know the policeuv(@are on their trail, and (6) the ready destructibility of the contraband.vw(PUnited States v. Reed, 935 F.2d 641, 642 (4th Cir.), cert. denied, 112 S.wx(`Ct. 423 (1991).xy(pyz(Under the "exigent circumstances" exception to the warrant requirement,z{(agents can search without a warrant if the circumstances would cause a{|(reasonable person to believe it to be necessary. The Supreme Court has|}(upheld warrantless entries and searches when police officers reasonably}~(believe that someone inside needs "immediate aid," Mincey v. Arizona, 437~(U.S. 385, 392~93 (1978), or to prevent the destruction of relevantF((p(( HFevidence, the escape of a suspect, or the frustration of some other)legitimate law enforcement objective. United States v. Arias, 923 F.2d)1387 (9th Cir.), cert. denied, 112 S. Ct. 130 (1991). The officer's fears) need not be correct so long as they are reasonable. See United States v.)0Reed, supra (proper inquiry is what objective officer could reasonably)@believe).)P)`[page 11])p)Recognizing the strong preference for warrants, courts have suppressed)evidence where the officers had time to get a warrant but failed to do)so. United States v. Houle, 603 F.2d 1297 (8th Cir. 1979). Some courts)have even ruled that exigent circumstances did not exist if the law)enforcement officers had time to obtain a warrant by telephone. United)States v. Patino, 830 F.2d 1413, 1416 (7th Cir. 1987)(warrantless search)not justified when officer had adequate opportunity to obtain telephone)warrant during 30minute wait for backup assistance; not permissible for*agents to wait for exigency and then exploit it), cert. denied, 490 U.S.*1069 (1989).* *0Additionally, while exigencies may justify the seizure of hardware (i.e.,*@the storage device), this does not necessarily mean that they support a*Pwarrantless search. In United States v. David, 756 F. Supp. 1385 (D. Nev.*`1991), the court held that although the agent was correct to seize the*pdefendant's computer memo book without a warrant (because the agent saw*him deleting files), the agent should have gotten a search warrant before*re~accessing and searching the book. The court held the exigencies*allowed the agent to take the computer memo book but, once taken, there*was time to get a warrant to look inside. Therefore, the seized evidence*had to be suppressed. Id. at 1392.**This holding is, of course, analogous to cases which address other kinds*of containers. In the David case, the computer book itself was not+contraband, instrumentality, fruit, or evidence of crime. It was,+instead, a small file cabinet, a locked box, a container of data. The+ agent was not interested in the hardware but in the information inside.+0As the cases make clear, authority to seize a container does not+@necessarily authorize a warrantless search of the container's contents.+PSee Texas v. Brown, 460 U.S. 730, 750 (1983)(Stevens, J.,+`concurring)(plain view justified seizure of party balloon but additionalF+p+pp(+ HFjustification was required to open balloon without warrant). Courts have+suppressed warrantless searches when the defendant still had a reasonable+expectation of privacy in the contents of the container. See United+States v. Turk, 526 F.2d 654 (5th Cir.)(although seizure of tape was+proper, playing taped conversation of private telephone communication was+not), cert. denied, 429 U.S. 823 (1976); Blair v. United States, 665 F.2d+500 (4th Cir. 1981).+,Agents must always remember, however, that electronic data is perishable.,Humidity, temperature, vibrations, physical mutilation, magnetic fields, created by passing a strong magnet over a disk, or computer commands,0(such as "erase *.*" or "format") can destroy data in a matter of,@seconds. [page 12],P,`Thus, the exigent circumstances doctrine may justify a warrantless,pseizure in appropriate cases.,,D. BORDER SEARCHES,,The law recognizes a limited exception to the Fourth Amendment's probable,cause requirement at the nation's borders. Officials may search people,and property without a warrant and without probable cause as a condition,of crossing the border or its "functional equivalent." United States v.,Ramsey, 431 U.S. 606 (1977), cert. denied, 434 U.S. 1062 (1978). Both-incoming international baggage (United States v. Scheer, 600 F.2d 5 (3d-Cir. 1979) and incoming international mail at the border are subject to- search without a warrant to determine whether they contain items which-0may not lawfully be brought into the country. Border searches or-@international mail searches of diskettes, tapes, computer hard drives-P(such as laptops carried by international travelers), or other media-`should fall under the same rules which apply to incoming persons,-pdocuments, and international mail.--On the other hand, the border search exception to the warrant requirement-probably will not apply to data transmitted electronically (or by other-nonphysical methods) into the United States from other countries. For-example, if an individual in the United States downloads child-pornography from a foreign BBS, a warrantless search of his home computer-could not be supported by the border search exception. In such cases, it-is difficult to find a "border" or its functional equivalent as dataF..p(. HFtravels over international telephone lines or satellite links. What seems. clear, however, is that once data has been received by a computer within.0the United States, that data resides in the country and has passed beyond.@the border or its functional equivalent. Because the justification for.Pthe border search exception is grounded on the sovereign's power to.`exclude illegal articles from the country, that exception no longer.papplies once such articles (in this case electronic data) have come into.the country undetected...[page 13] E. CONSENT SEARCHES..Agents may search a place or object without a warrant or, for that.matter, without probable cause, if a person with authority has consented..Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973). This consent may be.explicit or implicit. United States v. MilanRodriguez, 759 F.2d 1558,/156364 (11th Cir.)(telling police where to find a key constitutes/implicit consent to a search of the locked area), cert. denied, 474 U.S./ 845 (1985), and cert. denied, 486 U.S. 1054 (1988)./0/@Whether consent was voluntarily given is a question of fact which the/Pcourt will decide. United States v. Scott, 578 F.2d 1186, 1189 (6th/`Cir.), cert. denied, 439 U.S. 870 (1978). The burden is on the government/pto prove that the consent was voluntary, United States v. Price, 599 F.2d/494, 503 (2nd Cir. 1979), and, in making its decision, the court will/consider all the facts surrounding the consent. Schneckloth, supra, at/2267; United States v. Mendenhall, 446 U.S. 544, 5578 (1980). See/generally United States v. Caballos, 812 F.2d 42 (2d Cir. 1987). While no/single aspect controls the result, the Supreme Court has identified the/following important factors: the age of the person giving consent; the/person's education, intelligence, mental and physical condition; whether/the person was under arrest; and whether he had been advised of his right0to refuse consent. Schneckloth, supra, at 226.00 In computer crime cases, several consent issues are likely to arise.00First, did the scope of the search exceed the consent given? For example,0@what if a target consents to a search of his machine, but the data is0Pencrypted? Does his consent authorize breaking the encryption scheme?0`Second, who is the proper party to consent to a search? Does a system0padministrator have the authority to consent to a search of a file server0containing the files of all the system users?F00p(0 HFܿ01. Scope of the Consent00A person who consents to a search may explicitly limit this consent to a0certain area. United States v. Griffin, 530 F.2d 739, 744 (7th Cir.01976). When the limits of the consent are clearly given, either at the1time of the search or even afterwards, agents must respect their bounds.1In Vaughn v. Baldwin,1 10[page 14]1@1P950 F.2d 331 (6th Cir. 1991), the plaintiff dentist had voluntarily1`turned over records to the IRS. The IRS agent kept the records for months1pand refused several informal requests for their return. Plaintiff then1formally, in writing, revoked his consent to the IRS, which still kept1the records to make copies. Finally, plaintiff sued and the IRS returned1the originals but kept the copies. The court found that the IRS had 1violated the Fourth Amendment. Although the IRS was entitled to copy the  1records while they lawfully had them, they could not keep the records  1once plaintiff revoked his consent. Moreover, considering the long period  1of time that the IRS held the documents, the court rejected the argument  1that once the plaintiff demanded return of his documents the government 2should be entitled to retain them for a reasonable period for copying.22 Consent may also be limited implicitly. In United States v. David, 756 F.20Supp. 1385 (D. Nev. 1991), the court held that while the defendant had2@consented, pursuant to a cooperation agreement, to share some of the2Pinformation contained in his handheld computer memo book, his attempt to2`prevent agents from seeing the file password constituted a limit on his2pconsent. Although the agent did nothing wrong by leaning over defendant's2shoulder to watch him enter the password, the government clearly exceeded2the implicit limits of David's consent when agents used the password to2read the whole computer book without David's permission. For a more2extensive discussion of encryption issues, see, infra p. 54.222. ThirdParty Consent22a. General Rules33It is not uncommon for several people to use or own the target computerF 3 3 p( 30 HFequipment. If any one of those people gives permission to search for !3@data, agents may generally rely on that consent, so long as that person!"3Phas authority over the computer. In these cases, all users have assumed"#3`the risk that a co~user might not just discover everything in the#$3pcomputer but might also permit law enforcement to discover the "common$%3area" as well.%&3&'3[page 15]'(3()3In United States v. Matlock, 415 U.S. 164 (1974), the Supreme Court)*3stated that one who has common authority over premises or effects may*+3consent to a search even if the absent couser objects. In an important+,3footnote, the Court said that "common authority" is not a property law,-4concept but-.4./4 rests rather on mutual use of the property by persons generally having/040joint access or control for most purposes, so that it is reasonable to014@recognize that any of the coinhabitants has the right to permit the124Pinspection in his own right and that the others have assumed the risk234`that one of their number might permit the common area to be searched.344p454Id. at 171 n.7.564674Extending this analysis, a third party with common authority may consent784even if he is antagonistic toward the defendant. One could even argue894that sharing access to a common premises with an unsympathetic person9:4would objectively increase the risk of disclosure, and thus reasonable:;4expectations of privacy actually diminish. This is especially true where;<4the consenting individual agrees to a search of common premises to<=5exculpate himself from the defendant's criminal activity. See 3 W.=>5LaFave, Search and Seizure: A Treatise on the Fourth Amendment 8.3(b) at>?5 24445 (2d ed. 1987). See also United States v. Long, 524 F.2d 660 (9th?@50Cir. 1975) (wife in fear of her husband could still consent to a search@A5@of the jointly owned house even though she had moved out and he hadAB5Pchanged the locks).BC5`CD5pWhere two or more people enjoy equal property rights over a place, theyDE5may still have exclusive, private zones within the shared premises.EF5Housemates with separate bedrooms, spouses with private areas orFG5containers, and housemates with separate directories on a shared computerFGH55p(H5 HFmay reasonably expect to own that space alone. But when do theseHI5individual expectations overcome another's common authority over premisesIJ5or property? Although there is no bright line test, courts will generallyJK5regard a defendant's claims of exclusive control in this situation withKL6some skepticism. See Frazier v. Cupp, 394 U.S. 731, 740 (1969).LM6MN6 Even so, courts may honor claims to privacy where the defendant has takenNO60some special steps to protect his personal effects from the scrutiny ofOP6@others, and others lack ready access. 3 W. LaFave, supra 8.3(f), atPQ6P25960. In United States v. Block, 590 F.2d 535 (4th Cir. 1978), theQR6`Fourth CircuitRS6pST6[page 16]TU6UV6held that a mother's authority to permit police officers to inspect herVW623yearold son's room did not include his locked footlocker in the room.WX6The court stated that the authority to consent to searchXY6YZ6cannot be thought automatically to extend to the interiors of everyZ[6discrete enclosed space capable of search within the area.... Common[\7experience .... teaches all of us that the law's "enclosed spaces"\]7mankind's valises, suitcases, footlockers, strong boxes, etc. are]^7 frequently the objects of his highest privacy expectations, and that the^_70expectations may well be at their most intense when such effects are_`7@deposited temporarily or kept semipermanently in public places or in`a7Pplaces under the general control of another.ab7`bc7pId. at 541.cd7de7In a footnote, however, the Block court noted that not every "enclosedef7space" within a room is exempt from the reach of the authorized searchfg7area. A rule of reason applies, one that considers the circumstancesgh7"indicating the presence or absence of a discrete expectation of privacyhi7with respect to a particular object: whether it is secured, whether it isij7commonly used for preserving privacy, etc." Id. at n.8. Cf. United Statesjk7v. Sealey, 830 F.2d 1028, 1031 (9th Cir. 1987) (spousal consent validkl8because sealed containers were not marked in any way that would indicatelm8defendant's sole ownership). Thus, creating a separate personal directorymn8 on a computer may not sufficiently mark it as exclusive, but protectingno80that separate directory with a secret password may "lock the container."Fop8@8@p(p8P HFIn that event, if law enforcement analysts search the directory bypq8`breaking the password (because the couser who consented to the searchqr8pdid not know that password), a court would probably suppress the result.rs8st8Matlock did not address whether a consent search is valid when policetu8have reasonably, but mistakenly, relied upon the consent of someone whouv8appeared to have common authority over the premises, but in fact did not.vw8In Illinois v. Rodriguez, 497 U.S. 177 (1990), however, the Supreme Courtwx8held that a consent search is valid when police are reasonable inxy8thinking they have been given authorized consent. The Court cautioned,yz8however, that police cannot simply rely upon someone at the scene whoz{9claims to have authority if the surrounding circumstances indicate{|9otherwise. If such authority is unclear, the police are obligated to ask|}9 more questions. Determining who has power to consent is an objective}~90exercise, the Court stated, and the test is whether the~9@9P[page 17]9`9pfacts available to the police officer at the moment would warrant a9person of reasonable caution to believe that the consenting party had9authority over the premises. Id. at 2801.99b. Spouses99Under the Matlock "common authority" approach, most spousal consent9searches are valid. Although spouses who create exclusive areas may9preclude their partners from consenting to a search, that circumstance:will be unusual. Indeed* spouses do not establish "exclusive use" just by:being the only one who uses the area; there must be a showing that the: consenting spouse was denied access. 3 W. LaFave, supra p. 11, 8.4(a),:0at 278. In United States v. Duran, 957 F.2d 499, 5045 (7th Cir. 1992),:@for example, the defendant and his wife lived on a farm with several:Poutbuildings. The wife consented to the search of a building which she:`believed defendant used as a private gym, but the police found marijuana:pplants inside. The court emphasized the presumption that the entire:marital premises are jointly held and controlled by the partners, and:said this presumption can be overcome only by showing that the consenting:spouse was actually denied access to the area in question.::With spouses, as with roommates, the Rodriguez "reasonable belief" ruleF::p(: HF(supra p. 16) allows investigating agents to draw reasonable conclusions,:based upon the situation they encounter, about who has authority to;consent. In the absence of objective evidence to the contrary, agents;will be reasonable in presuming that spouses have authority to consent to; a search of anything on the marital property. Illinois v. Rodriguez,;0supra.;@;Pc. Parents;`;pIn some recent computer crime cases the perpetrators have been relatively;young and, even if no longer legally minors, have resided with their;parents. Under the Matlock rationale, it is clear that parents may;consent to a search of common areas in the family home. Additionally,;with regard to minor children, the courts have found parents to hold;superior rights in the;;[page 18];<home and "even rather extraordinary efforts by the child to establish<exclusive use may not be effective to undermine the parents' authority< over their home, including rooms occupied by the child." 3 W. LaFave,<0supra p. 15, 8.4(b), at 283. Therefore, if parents consent to a search<@and seizure of floppy disks or passwords locked in the minor child'sworkplace, however, suggest that an employee's expectation of privacy>must be reduced to the degree that fellow employees, supervisors,> subordinates, guests, and even the general public may have access to that>0individual's work space. Recognizing that government agencies could not>@function properly if supervisors had to establish probable cause and>Pobtain a warrant whenever they needed to look for a file in an employee's>`office, the Supreme Court held that two kinds of searches are exempt.>pSpecifically, both (1) a noninvestigatory, workrelated intrusion and>(2) an investigatory search for evidence of suspected workrelated>employee misfeasance are permissible without a warrant and should be>judged by the standard of reasonableness. Id. at 7256.>>[page 19]>>Even so, the court made clear that "[n]ot everything that passes through>the confines of the business address can be considered part of the?workplace context...." Id. at 717. For example, the contents of an?employee's purse, briefcase, or closed luggage do not lose their private? character just because the employee has brought them to work. Thus, while?0the circumstances may permit a supervisor to search in an employee's desk?@for a workrelated file, the supervisor usually will have to stop at the?Pemployee's gym bag or briefcase. This analysis may have interesting?`implications for "containers" like floppy disks, which certainly may be?peither workrelated or private, depending on the circumstances. It will?probably be reasonable for employers to assume that floppy disks found at?an office are part of the workplace, but there may be cases where a court?will treat a floppy disk as if it were a personal container of private?items.??Of course, there may be some government agencies where employees do?consent (either expressly or tacitly) to searches of even private parcelsF??p(@ HFbecause of the nature of the job. For example, employees with security@clearances who work with classified material may expect that their@ purses, briefcases, and other bags may be inspected under certain@0circumstances. The factual variations on this "reasonable expectation"@@theme are endless, and are tied absolutely to the details of each case.@P@`The O'Connor Court did not address the appropriate standard to be applied@pwhen a government employee is being investigated for criminal misconduct@or breaches of other nonworkrelated statutory or regulatory standards.@Id. at 729. In a case involving employee drug testing, at least one court@has noted, in dicta, that "[t]he government may not take advantage of any@arguably relaxed `employer' standard for warrantless searches....when its@true purpose is to obtain evidence of criminal activity without complying@with the more stringent standards that normally protect citizens against@unreasonably intrusive evidencegathering." National Federation of@Federal Employees v. Weinberger, 818 F.2d 935, 943 n.12 (D.C. Cir. 1987).ATherefore, it would appear that whenever law enforcement is conducting anAevidencegathering search, even if the search is to take place at aA government office, agents must either obtain a warrant or fall withinA0some generally recognized exception to the warrant requirement.A@Appropriate consent from a third party is, of course, one of thoseAPexceptions.A`ApGenerally speaking, an employer (government or private) may consent to aAsearch of an employee's computer and peripherals if the employer hasAA[page 20]AAcommon authority over them. Agents and prosecutors must consider whether,Aunder the facts, the employee would expect privacy in those items andAwhether that expectation would be objectively reasonable. RelevantAfactors include whether (1) the area/item to be searched has been setBaside for the employee's exclusive or personal use (e.g., does the Bemployee have the only key to the computer or do others have access to  B the data); (2) the employee has been given permission to store personal  B0information on the system or in the area to be searched; (3) the employee  B@has been advised that the system may be accessed or looked at by others;  BP(4) there have been past inspections of the area/item and this fact is B`known to the employee; and (5) there is an employment policy thatBpsearches of the work area may be conducted at any time for any reason.FBBp(B HFAnd when the employer is the federal government, another factor is (6)Bwhether the purpose of the search was workrelated, rather than primarilyBfor law enforcement objectives. See generally O'Connor, 480 U.S. at 717B(employee's expectation of privacy must be assessed in the context of theBemployment relationship).BBThere are currently no cases specifically addressing an employer'sCconsent to search and seize an employee's computer (and related items).CBut there are cases that discuss searches of an employee's designatedC work area or desk. For example, the Seventh Circuit has upheld the searchC0of a hotel room that served as a welfare hotel's business office afterC@the hotel owner consented. United States v. Bilanzich, 771 F.2d 292 (7thCPCir. 1985). The room searched was used by the defendant/manager of theC`hotel for hotel business, the hotel's books were stored there, and theCproom was also used by doctors and welfare officials when they visitedCresidents. The manager kept the key to the room. In affirming the Cmanager's theft and forgery convictions (based in large part on documents !Cseized from the business office/hotel room), the Seventh Circuit found!"Cthat the hotel owner had the requisite control over and relationship to"#Cthe business office to consent to its search. The court rejected the#$Cmanager's argument that she had sole control over the business office$%Cbecause she generally had the key, finding that the owner could request%&Caccess to the room at any time, that the room was shared with others&'D(visiting physicians and welfare officials), and that the items sought'(Dwere business records (e.g., welfare checks that the manager had forged).()D Thus, the manager did not have exclusive control over the area nor was it)*D0for her personal use. In addition, the purpose of the search was*+D@"employment related," since the manager was defrauding the employer and+,DPthe customers.,-D`-.Dp[page 21]./D/0DIn United States v. Gargiso, 456 F.2d 584, 587 (2d Cir. 1972), the Second01DCircuit upheld the search of a locked, wiredoff area in the basement of12Da book company a search to which the highest official of the book23Dcompany then on the scene (the company's vice president) had consented.34DThe defendant, an employee of the book company, objected to the search.45DBoth the defendant and the vice president had supervisory authority over56Dthe area searched, and both also had keys to the area, as did other67Ecompany personnel. The court found that the vice president's control overF78EEp(8E  HFthe area was equal to that of the employee's, making the consent89E0effective. The vice president had sufficient control over the area to9:E@permit inspection in his own right and the employee had assumed the risk:;EPthat the vice president would do so.;<E`<=EpIn Donovan v. A.A. Beiro Construction Co.. Inc., 746 F.2d 894, 900 (D.C.=>ECir. 1984), the D.C. Circuit found the D.C. Government's consent to a>?Esearch conducted by OSHA inspectors of a D.C. construction site effective?@Eagainst one of the contractors. The site was a large, multiemployer area@AEsurrounded by a chain link fence with no interior fences separating theABEvarious contractors' work areas. There was considerable overlap andBCEinteraction among the various contractors and their employees. The CourtCDEfound that the defendant/contractor had no reasonable expectation ofDEEprivacy in the area searched, because it was a common construction siteEFFshared by many. Thus, the defendant/contractor had assumed the risk thatFGFanyone with authority at the site would permit inspection of the commonGHF construction area.HIF0IJF@In an earlier case, United States v. Blok, 188 F.2d 1019 (D.C. Cir.JKFP1951), the D.C. Circuit affirmed the reversal of a petty larcenyKLF`conviction of a government employee, finding that the search of theLMFpemployee's desk violated the employee's right of privacy. The court foundMNFthat the employee had exclusive use of the desk and a reasonableNOFexpectation of privacy in it. Her employer's consent to a police searchOPFof the desk did not make the search reasonable. There was no policyPQFputting employees on notice that they should not expect privacy in theirQRFdesks. Nor was the search conducted by the employer for employmentRSFpurposes (e.g., searching for a file). "It was precisely the kind ofSTFsearch by policemen for evidence of a crime against which theTUFconstitutional prohibition was directed." Id. at 1021 (quoting theUVGdistrict court). Thus, the employer's consent was ineffective because theVWGarea searched was for the employee's exclusive and personal use (factorWXG number 1 above); theXYG0YZG@[page 22]Z[GP[\G`purpose of the search was not workrelated (factor number 6 above); and\]Gpthere was no policy putting the employee on notice that her desk might be]^Gsubject to search (factors number 3 and 5 above). Significantly, the^_GO'Connor Court cited Blok with approval. O'Connor, 480 U.S. at 719.F_`GGp(`G HFܿ`aGe. Networks: System AdministratorsabGbcGCase law demonstrates that the courts will examine the totality of thecdGcircumstances in determining whether an employee has a reasonabledeHexpectation of privacy or whether an employer shares authority over theefHemployee's space and can consent to a search. But applying thisfgH employerconsent case law to computer searches can become especiallyghH0troublesome when the employee's computer is not a standalone container,hiH@but an account on a large network server. The difficulty is a practicalijHPone. In the physical world, individuals often intuitively understandjkH`their rights to control physical space and to restrict access by othersklHpbecause they can observe how everyone uses the space. For example, withlmHfiling cabinets, employees can see whether they are located in privatemnHareas, whether others have access, whether the cabinets are locked, andnoHwho has the keys. While explicit company policies certainly help toopHclarify the situation, employees can physically observe company practicespqHand will probably conclude from their observations that certain propertyqrHis or is not private.rsHstHBy contrast, in an electronic environment, employees cannot "see" when atuInetwork administrator, supervisor, or anyone else accesses their data.uvIThey cannot watch the way people behave with data, as they can with avwI file cabinet, and deduce from their observations the measure of privacywxI0they ought to expect. As a practical matter, system administrators can,xyI@and sometimes do, look at data. But when they do, they leave no physicalyzIPclues which would tell a user they have opened one of his files. Lackingz{I`these physical clues, some users who are unfamiliar with computer{|Iptechnology may falsely but honestly believe that their data is completely|}Iprivate. Will the courts hold this false belief to be one that society is}~Iprepared to recognize as reasonable? Will the courts still find it~Ireasonable, even when a user knows that there are such people as systemIadministrators who are responsible in some fashion for operating andIsecuring the entire network? If so, do users who actually understand theItechnology and the scope of a system operator's access to dataIIJ[page 23] have a lesser expectation of privacy and fewer Fourth AmendmentJprotections than users who are not so well informed? And what happens inJ the years ahead as our population becomes increasingly computer literate?FJ0J0p(J@ HF Of course, these search and seizure questions are not limited toJPcomputer networks in the workplace. Universities, libraries, and otherJ`organizations, both public and private, may operate computer networks onJpwhich users store data which they consider privateeither partly orJcompletely. If those networks provide services to the public, they willJbe controlled by the provisions of 18 U.S.C. 2702, which limits theJsituations in which a service provider may release the contents ofJqualifying electronic mail. (For a detailed discussion of this statute,Jsee "STORED ELECTRONIC COMMUNICATIONS," infra p. 85.) But for materialJwhich falls outside this statute, the Fourth Amendment analysis discussedJabove will still apply.J Prosecutors who face these issues at trial should be ready to argue thatKreasonable network users do, indeed, understand the role and power ofKsystem operators well enough to expect them to be able to protect andK even restore their files. Therefore, absent some guarantees to theK0contrary, reasonable users will also expect system administrators to beK@able to access all data on the system. Certainly, if the system hasKPpublished clear policies about privacy on the network or has evenK`explained to users that its network administrators have oversightKpresponsibility and control, this will support the position that a systemKoperator's consent to a search was valid. But if the network and itsKusers have not addressed these issues and the situation is ambiguous, theKsafest course will be to get a warrant. (Of course, if the systemKadministrator does have authority to access and produce a user's filesKand simply will not do it on request, agents should use a subpoena.)K If agents choose to apply for a warrant and are concerned that aKtarget/user will delete his data before they can execute the search, theKagents should consider asking a cooperating system operator to make andLkeep a backup of the target's data, which they can later procure underLthe warrant or subpoena. The circumstances of each case will dictate theL wisest approach, but agents and prosecutors should explore all theseL0questions before they just ask a system administrator to produce a user'sL@files. [page 24]LPL`F. INFORMANTS AND UNDERCOVER AGENTSLp As in other types of investigations, it is often helpful to useLinformants or undercover agents to develop evidence. In some cases, ofLcourse, they may be of limited value (e.g., a case involving a loneLhacker). Additionally, as a matter of policy, there may be restrictionsLon the type of undercover activities in which agents may engage. ForFLLp(L HFexample, the FBI does not access bulletin boards simply to view boardLactivities when there is no reason to believe the board is involved inLcriminal activity.M Generally speaking, however, the law allows informers to read materialMon electronic bulletin boards if they have the sysop's permission,M explicit or implicit, to access the material on the board. Many BBSs, forM0example, have parts of the board which are open to the public and whichM@require no password or identification for access. Other boards may haveMPisolated directories, known as subboards, that are open only to payingM`subscribers or trusted members, and those individuals must identifyMpthemselves with passwords. Some sysops will ask newcomers to "introduce"Mthemselves and will verify the new user's name, address, and otherMinformation before granting access with a password. These introductionsMshould follow the same rules that undercover work has traditionallyMobserved. Law enforcement agents need not identify themselves as such,Mbut they must confine their activities to those that are authorized: theyMshould not break into sections of the board for which they have not beenMgiven access. Indeed, the Ninth and Tenth Circuits have both written, inMdicta, that an undercover participant must adhere scrupulously to theNscope of a defendant's invitation to join the organization. United StatesNv. Aguilar, 883 F.2d 662, 705 (9th Cir. 1989), cert. denied, 498 U.S.N 1046 (1991); Pleasant v. Lovell, 876 F.2d 787, 803 (10th Cir. 1989).N0Thus, an informant or undercover agent must not exceed his authorizedN@access, and having been granted access to some "levels" of the board doesNPnot give him permission to break into others.N`Np[page 25]NNIII. SEIZING HARDWAREN Depending on the facts of the case, the seizure of computer hardwareNitself can be justified on one of three theories without regard to theNdata it contains: (1) the hardware is itself contraband; (2) the hardwareNwas an instrumentality of the offense; or (3) the hardware constitutesNevidence of an offense. Of course, in many cases, hardware may beNseizable under more than one theory. For example, if a hacker uses hisOcomputer to insert viruses into other systems, his computer mayOconstitute both an instrumentality of the offense and evidence admissibleO in court.O0 As noted above under Definitions, (supra p. 2), hardware is defined asO@the physical components of a computer system such as the centralFOPOPp(O` HFprocessing unit (CPU), keyboard, monitor, modem, and printer.OpOA. THE INDEPENDENT COMPONENT DOCTRINEO We must highlight once again that computer systems are really aOcombination of connected components (often by wire but increasingly byOwireless means). To say that the government has probable cause to seize aO"computer" does not necessarily mean it has probable cause to seize theOentire computer system (i.e., the computer and all connected peripheralOdevices). Indeed, each component in a computer system should beOconsidered independently.P In a strictly corporeal world, this doctrine is easy to understand andPapply. For example, suppose a defendant stole a television and placed itP on a television stand that he lawfully owned. Agents with a warrant forP0that television would not seize the stand, recognizing that the two itemsP@are easily separable and that there is, simply put, no justification forPPtaking the stand.P` With computers, the roles of the different attached components are notPpalways separable and it is more difficult to think in such concretePterms. For example, agents with a warrant to seize a target's workstationPmay discover that the workstation is nothing more than a dumb terminal,Pand that all the evidence is in the server to which the dumb terminal isPconnected by wire.PP[page 26]PP Nonetheless, it is simply unacceptable to suggest that any itemQconnected to the target device is automatically seizable. In an era ofQincreased networking, this kind of approach can lead to absurd results.Q In a networked environment, the computer that contains the relevantQ0evidence may be connected to hundreds of computers in a localareaQ@network (LAN) spread throughout a floor, building, or university campus.QPThat LAN may also be connected to a globalarea network (GAN) such as theQ`Internet. Taken to its logical extreme, the "take it because it'sQpconnected" theory means that in any given case, thousands of machinesQaround the world can be seized because the target machine shares theQInternet.Q Obviously, this is not the proper approach. The better view is to seizeQonly those pieces of equipment necessary for basic input/output (i.e.,Qthe computer itself, plus the keyboard and monitor) so that theQgovernment can successfully execute the warrant. When agents prepareFQQp( Q HFwarrants for other devices, they should list only those components forRwhich they can articulate an independent basis for search or seizureR(i.e., the component itself is contraband, an instrumentality, orR evidence). Certainly, the independent component doctrine does not meanR0that connected devices are exempt; it only requires that agents andR@prosecutors articulate a reason for taking the item they wish to seize.RPFor example, if the defendant has sent letters to the White HouseR`threatening the President's life, agents should explain, as a basis forRpseizing the target's printer, the need to compare its type with the Rletter. Additionally, there may be other times when the government should  Rseize peripherals that do not contain evidence but, again, there must be  Ra separate basis for the seizure. See, e.g., "Seizing Hardware and  RDocumentation so the System Will Operate at the Lab," infra p. 62.  R RB. HARDWARE AS CONTRABAND OR FRUITS OF CRIMER Federal Rule of Criminal Procedure 41(b)(2) authorizes warrants to seizeR"contraband, the fruits of crime, or things otherwise criminallySpossessed." The rationale behind such seizures is to prevent and deterScrime. See Warden v. Hayden, 387 U.S. 294, 306 n.11 (1967). Often theS fruits of crime andS0S@[page 27]SPS`objects illegally possessed will also constitute evidence of a crime, soSpthat they also can be seized to help apprehend and convict criminals (seeSinfra p. 30).SS 2. Contraband and Fruits of Crime Defined The fruits of crime includeSproperty obtained by criminal activity, United States v. Santarsiero, 566SF. Supp. 536 (S.D.N.Y. 1983) (cash and jewelry obtained by use of aScounterfeit credit card), and contraband is property which the privateScitizen is not permitted to possess, Warden v. Hayden, supra; Aguilar v. STexas, 378 U.S. 108 (1964) (narcotics). Even plans to commit a crime may !Tconstitute contraband. Yancey v. Jenkins, 638 F. Supp. 340 (N.D. Ill.!"T1986)."#T  Of course, many objects which are fruits of crime or illegally possessed#$T0are innocent in themselves and can be possessed by at least certain$%T@persons under certain conditions. See, e.g. United States v. Truitt, 521%&TPF.2d 1174, 1177 (6th Cir. 1975) (noting that a person legally can possess&'T`a sawedoff shotgun if it is properly registered to its owner, though itsF'(TpTpp((!!T HFlawful possession is rare). A court reviewing a seizure under Rule()T41(b)(2) will examine whether the circumstances would have led a)*Treasonably cautious agent to believe that the object was a fruit of crime*+Tor was illegally possessed. For example, the seizure of jewelry as a+,Tfruit of crime in Santarsiero was upheld because a reliable informant had,-Ttold officers that the suspect had boasted of using counterfeit credit-.Tcards to purchase jewelry. 566 F. Supp. at 54445../T Certainly, there are instances where computer hardware and software are/0Ucontraband or a fruit of crime. For example, there have been several01Urecent cases involving the theft of computer equipment. Additionally,12U hackers have been known to penetrate credit reporting companies,23U0illegally obtain credit card numbers, and then order computer equipment34U@with these illegal access devices. In such cases, the equipment that they45UPreceive is a product of the fraud and should be seized as such.56U`67Up[page 28]78U89UC. HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE9:U:;U 1. Authority for Seizing Instrumentalities;<U Federal Rule of Criminal Procedure 41(b)(3) authorizes warrants to seize<=Uthe instrumentalities of crime; that is, "property designed or intended=>Ufor use or which is or has been used as the means of committing a>?Ucriminal offense." The historical justification for the government's?@Vability to seize instrumentalities of crime is the prevention of their@AVuse to commit future crimes. See Warden v. Hayden, 387 U.S. 294, 306 n.11ABV (1967); United States v. Boyette, 299 F.2d 92, 98 (4th Cir.) (Sobeloff,BCV0C.J., dissenting), cert. denied, 369 U.S. 844 (1962).CDV@DEVP 2. Instrumentalities DefinedEFV` An instrumentality of an offense is any machinery, weapon, instrument,FGVpor other tangible object that has played a significant role in a crime.GHVSee, e.g., United States v. Viera, 569 F. Supp. 1419, 1428 (S.D.N.Y.HIV1983) (sophisticated scale used in narcotics trafficking and black lightIJVused in counterfeiting currency). Where the object itself is innocent inJKVcharacter, courts will assess its role in the crime to determine whetherKLVit was an instrumentality. Compare United States v. Markis, 352 F.2d 860,LMV86465 (2d Cir. 1965) (telephone used to take bets by operators ofMNVillegal wagering business was an instrumentality because it was integralNOVto the criminal enterprise), vacated without opinion, 387 U.S. 425FOPWWp(P""W HF(1967), with United States v. Stern, 225 F. Supp. 187, 192 (S.D.N.Y.PQW 1964) (Rolodex file was not instrumentality where it contained names ofQRW0individuals involved in tax fraud scheme). As stated by the SouthernRSW@District of New York:STWPTUW`Not every article that plays some part in the commission of the allegedUVWpcrime is a means of committing it. .... Although it is not necessaryVWWthat the crime alleged could not have been committed but for the use ofWXWthe article seized, after a consideration of all the circumstances itXYWmust appear that the article played a significant role in the commissionYZWof the crime alleged.Z[W[\W[page 29]\]W]^WStern, 225 F. Supp. at 192 (emphasis in original).^_X Before the Supreme Court's decision in Warden v. Hayden, 387 U.S. 294_`X(1967), courts held that seizable property included instrumentalities,`aX but did not include mere evidence. See generally 3 Wright & Miller,abX0Federal Practice and Procedure: Criminal 2d 664 (1982). In practice,bcX@however, judges were reluctant to suppress useful pieces of evidence atcdXPtrial, preferring instead to interpret the term "instrumentality" broadlydeX`enough to encompass items of evidentiary value. For example, the districtefXpcourt in United States v. Robinson, 287 F. Supp. 245 (N.D. Ind. 1968),fgXupheld the seizure of the following items, all of which connected theghXdefendant to the murder of a federal narcotics agent, ashiX"instrumentalities" of the crime and not "mere evidence": a pair ofijXshoes, a shirt, a jacket, handkerchiefs, spent shell casings, and wetjkXwashcloths. Such legal gymnastics were abandoned when the Supreme CourtklXheld, in Hayden, that the Fourth Amendment principally protected privacylmXrights, not property rights, and secured "the same protection of privacymnXwhether the search is for 'mere evidence' or for fruits,noYinstrumentalities or contraband." Hayden, 387 U.S. at 30607.opY Although items that are evidence of crime may now be seized along withpqY instrumentalities, fruits, and contraband, this historical perspective isqrY0important for understanding why some early decisions may have categorizedrsY@evidentiary items as instrumentalities. Moreover, the distinction betweenstYP"an instrumentality" and "mere evidence" remains critical in computertuY`crime cases because it may determine the government's ability to seizeuvYphardware. If a computer and all its peripherals are instrumentalities ofvwYa crime, the warrant should authorize the seizure of these items. But ifFwxYYp(x##Y HFwe are seeking the computer only for the documents (mere evidence) itxyYcontains, it may be more difficult to justify the seizure or retention ofyzYhardware.z{Y Applying the independent component doctrine to the rule permitting{|Yseizure of instrumentalities will, in most cases, not be difficult. For|}Yexample, if an individual engaging in wire fraud printed out thousands of}~Zphony invoices on his home computer, it would be reasonable to take the~Zcomputer, monitor, keyboard, and printer. If the individualZ electronically mailed these invoices to his victims, it would also beZ0appropriate to seize his external modem (if the modem were internal itZ@would, of course, be seized when the agents took the computer itself).ZPIf, instead of using electronic mail, he used a conventional fax machine,Z`it would be reasonable to seize the fax as it, too would have played aZpsignificant role in the commission of the offense.ZZ[page 30]ZZD. HARDWARE AS EVIDENCE OF AN OFFENSEZ 1. Authority for Seizing EvidenceZ In 1972, Federal Rule of Criminal Procedure 41(b) was amended toZauthorize seizing "mere evidence" of a crime. In relevant part, the RuleZnow states: "A warrant may be issued under this rule to search for and[seize any (1) property that constitutes evidence of the commission of a[criminal offense...."[ [0 2. Evidence Defined[@ A physical item is evidence if it will aid in apprehending or convicting[Pa person who has committed a crime. The evidence seized need not be[`admissible at trial.[p Courts will evaluate a seizure under this test according to what a[reasonable person would believe under the circumstances, and law[enforcement officers will not be judged afterthefact on how helpful the[seized evidence actually was in apprehending or convicting a suspect. See[Andresen v. Maryland, 427 U.S. 463, 483 (1976) (holding that the "trained[special investigator reasonably could have believed" the seized evidence[could be used to show criminal intent); United States v. Truitt, 521 F.2d[1174, 117678 (6th Cir. 1975) (holding that a reasonably cautious police[officer could have believed under the circumstances that a sawedoff\shotgun, although legal if registered, was incriminating evidence).\ Of course, simply because an item is "evidence of a crime" does not meanF\ \ p($$\0 HFthat other restrictions may not apply. Law enforcement officials should\@be aware of other limits imposed by the Constitution, statutes, and\Pregulations upon the seizure of evidence. See, e.g., Guidelines on\`Methods of Obtaining Documentary Materials Held by Third Parties, 28\pC.F.R. 59.1.6 (governing the application for search warrants for\documentary evidence held by nonsuspect third parties).\\[page 31]\\Although computers commonly contain evidence, sometimes they are\evidence. If an extortionist sent a letter to his victim with unique\print characteristics (e.g., the top half of the letter "W" was missing),\his daisy~wheel printer would constitute evidence which could be seized.]]E. TRANSPORTING HARDWARE FROM THE SCENE] ]0Whether a computer is seized as contraband, an instrumentality, or]@evidence, it is important to transport it properly. With some simple]Pcomputers, moving the equipment is a straightforward proposition. But]`computer systems are becoming so increasingly complex and diverse that it]pis harder than ever for technically untrained agents to avoid mistakes.]These Guidelines cannot possibly substitute for the expertise that comes]from special training courses in seizing, searching, and preserving]electronic evidence. Indeed, the discussion that follows is meant only as]introduction and orientation to these issues, and not as a comprehensive]guide to all the technical contingencies which may arise during a search.]The team for a computerrelated search should, if possible, include at]least one technically trained agent to act as a leader in these areas.]Clearly, as complex computer systems become increasingly common, law^enforcement agencies will need more trained agents at almost every crime^scene. In the meantime, the following discussion may help prosecutors and^ investigators to anticipate the problems which can confront them.^0^@First, agents must protect the equipment from damage. Second, to the^Pextent they are transporting information storage devices (e.g., hard^`drives, floppy disks), improper handling can cause loss of data. Third,^pit may be impossible to make the system work in the field office,^laboratory, or courtroom if the seizing agents did not carefully pack and^move the computer system so that it can be successfully reassembled^later.F^^p(%%^ HFܿ^Before the search begins, the search leader should prepare a detailed^plan for documenting and preserving electronic evidence, and should take^time to carefully brief the entire search team to protect both the_identity and integrity of all the data. At the scene, agents must_remember to collect traditional types of evidence (e.g., latent_ fingerprints off the keyboard) before touching anything. They must_0remember, too, that computer data can be destroyed by strong magnetic_@fields. (Low density magnetic media is more susceptible to such_P_`[page 32]_p_interference than high density media.) Last, some computer experts will_not examine evidence if anyone else has already tried to search or_manipulate the data. Their chainofcustody and integrityofevidence_procedures will not allow them to examine the computer if its original_crimescene seal has been broken.__The agents executing the actual search must take special precautions when_disassembling and packing computer equipment. This careful approach`protects not only the hardware items, but also the integrity and`accessibility of the data inside. Before disconnecting any cables, it is` helpful to videotape or photograph the site (including the screen, if`0possible, and all wiring connections) and prepare a wiring schematic.`@This will document the condition of the equipment upon the agents'`Parrival and show how the system was configured. Agents should disconnect``all remote access to the system (e.g., unplug the telephone cord, not the`ppower cord, from the modem) and disconnect network cables from the`servers so that no one can alter or erase information during the search.`Investigators need to accurately label each cable and the device and port`to which the cable connects before disconnecting anything. It is a good`idea to attach tags at every connection point on every cable to record`all relevant information. It is especially important to label every`vacant port as "vacant" so that there is no confusion later. (If vacant`ports are not labeled, it is impossible for an expert to tell whether the`unlabeled port was in fact vacant, or whether an important label simplyafell off.) Once this is done, agents are ready to disassemble, tag andainventory the equipment.a a0Investigators must determine which drives, disks, and other magneticFa@a@p(&&aP HFmedia need to be protected. If a hard disk drive is being moved, theya`must insure that the read/write heads are secured to prevent damage. Someapsystems secure (park) the heads automatically whenever the machine is notain use, but other systems may require that a specific command be executedaor that the heads be secured mechanically. The manufacturer's operatingamanual should specify the proper procedure for each system.aaAgents should protect floppy disk drives according to manufacturer'sarecommendations. Some suggest inserting a new diskette or piece ofacardboard in the drive slot; others do not. (As with hard drives, eachamanufacturer's instructions may be found in the system manual).bInvestigators must also label diskettes (either individually or inbgroups), mark them as evidence and place them in nonplastic evidenceb containers.b0b@[page 33]bPb`Agents must be conscious of static electricity buildup during thebpexecution of the warrant since static electricity can "zap" a disk andbdamage data. So can degaussing equipment (an electronic appliance thatbcreates a strong magnetic field and can be used to effectively erase abmagnetic tape or disk). A wellknown story in law enforcement circlesbinvolves a hacker who allegedly magnetized his metal door frame, thusbcreating a magnetic field that erased magnetic media as agents carried itbthrough the doorway. This story has not been verified and, even if true, bsuch an event is unlikely to occur now because high density media is not  beasily disrupted by magnetic fields. Nonetheless, a device to measure  cmagnetic fields (a compass or, even better, a gaussmeter) can determine  cwhether such fields exist and, as a general rule, agents should avoid  c placing magnetic media near any strong magnetic field. Magnetic fields c0may be created by telephones, radio transmitters, and photocopiers.c@Additionally, although magnetic media has often been taken throughcPairport metal detectors and Xray machines without damage, it is wiserc`not to take magnetic media through these devices. (It is the motorcpdriving the conveyor belt on the Xray machine, not the fluoroscopecitself, that creates the magnetic field which causes the damage.)ccTransporting agents should keep all hardware and software in dustfree,cclimatecontrolled environments. Computerrelated evidence is sensitivecto heat and humidity and should not be stored in the back seat or trunkFccp(''c HFof a car without special precautions. Temperature extremes may rendercmagnetically stored evidence unreadable, and various types ofdcontamination can damage electronic equipment. A safe range for storingdmagnetic media is between 4090F and 20%80% humidity, free of dust andd tobacco smoke.d0d@[no page 34] [page 35]dP d`IV. SEARCHING FOR AND SEIZING INFORMATION !dp!"dA. INTRODUCTION"#d#$dHardware searches are not conceptually difficult. Like searching for$%dweapons, the items sought are tangible. They occupy physical space and%&dcan be moved in familiar ways. Searches for data and software are far&'dmore complex. For purposes of clarity, these types of searches must be'(dexamined in two distinct groups: (1) searches where the information()dsought is on the computer at the search scene and (2) searches where the)*einformation sought has been stored offsite, and the computer at the*+esearch scene is used to access this offsite location.3+,e ,-e0In some cases, the distinction is insignificant, and many topics covered-.e@in this section apply equally to both types of searches. On the other./ePhand, there are certain unique issues that arise only when the computer/0e`is part of a network. For example, since Fed. R. Crim. P. 41(a) requires01epthat a search warrant be issued by a court in the district where the12eproperty is located, agents may have to get a second warrant in another23edistrict if the target has sent data to a distant computer. See34e"Describing the Place to be Searched," infra p. 92.45e56eAlthough "property" is defined in Federal Rule of Criminal Procedure67e41(h) to include "documents, books, papers and other tangible objects,"78e(emphasis added), courts have held that intangible property such as89einformation may be seized. In United States v. Villegas, 899 F.2d 1324,9:f133435 (2d Cir.), cert. denied, 498 U.S. 991 (1990), the Second Circuit:;fnoted that warrants had been upheld for intangible property such as;<f telephone numbers called from a given phone line and recorded by a pen<=f0register, conversations overheard by means of a microphone touching a=>f@heating duct, the movement of property as tracked by locationmonitoring>?fPbeepers, and images seized with video cameras and telescopes. The courtF?@f`f`p(@((fp HFin Villegas upheld a warrant which authorized agents to search a cocaine@Affactory and covertly take photographs without authorizing the seizure ofABfany tangible objects. But see United StatesBCfCDf DEfEFf3 Any home PC can be connected to a network simply by adding a modem.FGfThus, in any ease where a modem is present, agents should consider theGHfpossibility that the computer user has stored valuable information atHIgsome remote location.IJgJKg [page 36]KLg0LMg@v. Johns, 948 F.2d 599 (9th Cir. 1991), cert. denied, 112 S. Ct. 3046MNgP(1992) (a "sneak and peek" warrant executed without giving notice to theNOg`defendants that the search had occurred violated Rule 41(d)).OPgpPQgB. INFORMATION AS CONTRABANDQRgRSgThe same theories which justify seizing hardwarecontraband or fruit ofSTgcrime, instrumentality, or evidencealso apply to seizing information.TUgSee "Authority for Seizing Contraband or Fruits of Crime," supra p. 26.UVgBecause individuals often obtain copies of software in violation ofVWgcopyright laws, it may be appropriate to seize that software as well asWXgany documentation (such as photocopied software manuals) because theyXYh are likely to be illegally obtained. (Software producers may allow aYZhpurchaser to make a backup copy of the software bought, but these copiesZ[h may not be disseminated because of copyright laws.) Lists of telephone[\h0card access codes and passwords for government computer networks may also\]h@be considered contraband, because their possession is prohibited by]^hPstatute if the possessor has the requisite mens rea. 18 U.S.C.^_h`1029(a)(3), 18 U.S.C. 1030(a)(6)._`hp`ahC. INFORMATION AS AN INSTRUMENTALITYabhbchRule 41(b) broadly defines what may be seized as an instrumentality: anycdh"property designed or intended for use or which is or has been used asdehthe means of committing a criminal offense." Fed. R. Crim. P. 41(b)(3).efhThis includes both tangible and intangible property. See United Statesfghv. Villegas, supra, p. 35. Thus, in some cases, informational documentsFghhhp(h))i HFand financial instruments which have been used in the commission of anhiioffense may be seized as instrumentalities of crime. Compare Abel v.iji United States, 362 U.S. 217, 2379 (1960) (documents used in connectionjki0with suspect's illegal alien status were instrumentalities, includingkli@phony birth certificates, bank records,lmiPmni`[page 37]noipopiand vaccination records) with Application of Commercial Inv. Co., 305 F.pqiSupp. 967 (S.D.N.Y. 1969) ($5 million in securities were notqriinstrumentalities where the government suspected improprieties with anrsi$18,000 brokerage account and the securities were at most "incidental" tostithe offense).tuiuviLikewise, investigators should seize objects if they are "designed orvwiintended for use" as instrumentalities. Fed. R. Crim. P. 41(b)(3).wxjSometimes an item will obviously fit that description (like softwarexyjdesigned to help hackers crack passwords or lists of stolen credit cardyzj numbers) but, at other times, it may not be so simple. Even so, as longz{j0as a reasonable person in the agent's position would believe the item to{|j@be an instrumentality, the courts will probably respect the agent's|}jPjudgment. This is, after all, the same test used to determine when an}~j`object would aid apprehension or conviction of a criminal. See Andresen~jpv. Maryland, 427 U.S. 463, 483 (1976). As such, the particular facts ofjthe case are very important. For example, if an agent investigating thejsysop of an illegal bulletin board knows that the board only operates onjone personal computer, a second computer sitting in the same room isjprobably not an instrumentality. But if the agent has heard from ajreliable informant that the suspect has boasted about expanding hisjoperation to a second board, that second computer is probably "intended"jas an instrumentality, and the agent should take it. Additionally, if thejsuspect has substantially modified a personal computer to enhance itskusefulness for a particular crime (perhaps by installingkpasswordcracking software), an agent might well reasonably believe thatk the computer and the software was "designed" for criminal activity.k0k@D. INFORMATION AS EVIDENCEkPk`Before the Supreme Court's rejection of the "mere evidence" rule inkpWarden v. Hayden, 387 U.S. 294, 300301 (1967), courts were inconsistentFkkp(**k HFin ruling whether records that helped to connect the criminal to thekoffense were instrumentalities of crime (and thus seizable), or werekinstead merely evidence of crime (and thus not seizable). Compare Marronkv. United States, 275 U.S. 192 (1927) (approving prohibition agent'skseizure of bills and ledger books belonging to speakeasy operators askinstrumentalities of crime) with United States v. Lefkowitz, 285 U.S. 452k(1932)(disapproving prohibition agent's seizure of papers intended tolsolicit orders for illegal liquor). Indeed, several courts have concludedlthat, when it comes to documents, it is impossible tol l0[page 38]l@lPseparate the two categories. See Hayden, 387 U.S. at 302 (stating thatl`the distinction between mere evidence and instrumentalities "is whollylpirrational, since, depending on the circumstances, the same `papers andleffects' may be `mere evidence' in one case and `instrumentality' inlanother"); United States v. Stern, 225 F. Supp. 187, 191 (S.D.N.Y. 1964)l("It would be hazardous to attempt any definition [of papers that arelinstrumentalities of crime and not mere evidence]; we shall not."). Nowlthat evidence of crime may be seized in the same way as instrumentalitieslof crime, it is useful to acknowledge that, in most instances, documentsland other information connecting the criminal to his offense should belviewed as evidence of the crime, and not as instrumentalities. Formexample, in United States v. Lindenfield, 142 F.2d 829, 83032 (2d Cir.),mcert. denied, 323 U.S. 761 (1944), the prescription records of a doctorm who illegally prescribed morphine to "patients" were classified asm0evidence, not as instrumentalities.m@mPThe prescription records in Lindenfield illustrate the sort of documentm`that may be seized as evidence: records that reveal the operation of thempcriminal enterprise over time. Other examples include the customer listsmof narcotics traffickers, telephone bills of hackers who break intomcomputer networks, and plans for the fraud or embezzlement of corporatemand financial targets. This documentary evidence may be in paper or bookmform, or it may be stored electronically in a computer or on a backupmtape. As with other types of evidence, documents may be seized if theymaid in showing intent and the absence of mistake on the suspect's part,meven though they may not relate directly to the commission of the crime,mbut to some other similar transaction instead. See Andresen v. Maryland,n427 U.S. 463, at 48384 (1976)(approving seizure of documents about aFnnp(++n  HFsecond transaction because they showed criminal intent and absence ofn0mistake in the first transaction).n@nP1. Evidence of Identityn`npEvidence of a crime also includes various types of identificationnevidence. For example, courts have recognized that clothing seen worn byna criminal during the commission of the offense constitutes evidence ofnthe crime,nn[page 39]nnbecause it helps to tie the suspect to the crime. See, e.g., UnitednStates v. Korman, 614 F.2d 541, 547 (6th Cir.)(approving the seizure of aogreen ski jacket as both evidence of and an instrumentality of theocrime), cert. denied, 446 U.S. 952 (1980).o o0Documents that incriminate a suspect's coconspirators also may be seizedo@as evidence because they help identify other involved parties and connectoPthem with the suspect. See, e.g., United States v. Santarsiero, 566 F.o`Supp. 536, 544 (S.D.N.Y. 1983) (approving the seizure of the suspect'sopnotebook in a counterfeit credit card investigation where others wereoworking with or purchasing cards from him, and the notebook containedotelephone numbers that the investigating officers could reasonablyobelieve would help in identifying and connecting others with theosuspect's crimes). In many computer crimes, we have found that hackersowork jointly and pool hacking information. In these cases, telephoneorecords may prove this connection. Moreover, agents may seize evidenceothat helps identify the occupant of a home or office connected to theocrime, where the home or office is used regularly by more than onepperson. See, e.g., United States v. Whitten, 706 F.2d 1000, 100809 (9thpCir. 1983)(approving the seizure of telephone books, diaries, photos,p utility bills, telephone bills, personal property, cancelled mail, keys,p0rent receipts, deeds, and leases that helped establish who owned andp@occupied premises used for a large scale narcotics operation, where thepPpremises were used by more than one person and the warrant authorizedp`seizing items "indicating the ownership or occupancy of the residence"),ppcert. denied, 465 U.S. 1100 (1984). As with houses and offices, computerspare often used by more than one person, and this sort of evidence mayphelp establish just who used the computer or computers to commit theFppp(,,p HFcrime.pp2. Specific Types of Evidenceppa. Hard Copy PrintoutsqqAny information contained in a computer system may have been printed outq by the target of the investigation. Finding a printed copy may beq0valuable for a number of reasons. First, a printout may display anq@earlier version ofqPq`[page 40]qpqdata that has sincebeen altered or deleted. Second, in certainqelectronic environments (such as bulletin boards), individuals may claimqto lack knowledge about what information is electronically stored in theqcomputer (e.g., a bulletin board operator may disavow any knowledge thatqhis board contained illegal access codes that were posted and downloadedqby others). Finding printed copies in someone's possession may negateqthis defense. Third, the printouts may tie the crime to a particularqprinter which, in turn, may be seizable as an instrumentality (e.g., therprintouts may reveal that extortionate notes were printed on a certainrprinter, thus warranting seizure of the printer).r r0b. Handwritten Notesr@rPFinally, agents should be alert for notes in manuals, on the equipment,r`or in the area of the computer. These may provide critical keys torpbreaking passwords, finding the file or directory names of importantrdata, operating the hardware or software, identifying the suspect'srelectronic or telephone connections with coconspirators and victims, orrfinding login names or accounts.rrE. PRIVILEGED AND CONFIDENTIAL INFORMATIONrr1. In GeneralrsWarrants to search computers which contain privileged information mustsmeet the same requirements as warrants to search for and seize papers documents under similar conditions; that is, the warrant should beFs0s0p(--s@ HFnarrowly drawn to include only the data pertinent to the investigation, sPand that data should be described as specifically as possible. See, e.g.  s`Klitzman v. Krut, 744 F.2d 955 (3d Cir. 1984). Since a broad search of  spcomputers used by confidential fiduciaries (e.g., attorneys or  sphysicians) is likely to uncover personal information about individuals  swho are unconnected with the ss[page 41]ssinvestigation, it is important to instruct any assisting forensicscomputer experts not to examine files about uninvolved third parties anysmore than absolutely necessary to locate and seize the informationtdescribed in the warrant.tt a. Doctors, Lawyers, and Clergyt0t@Federal law recognizes some, but not all, of the common law testimonialtPprivileges. Fed. R. Evid. 501. Indeed, Congress has recognized a "specialt`concern for privacy interests in cases in which a search or seizure fortp.... documents would intrude upon a known confidential relationship suchtas that which may exist between clergyman and parishioner; lawyer andtclient; or doctor and patient." 42 U.S.C. 2000aa11(1)(3). At Congress'stdirection, see 42 U.S.C. 2000aa11(a), the Attorney General has issuedtguidelines for federal officers who want to obtain documentary materials tfrom disinterested third parties. 42 U.S.C. 2000aa11. Under these !trules, they should not use a search warrant to obtain documentary!"tmaterials believed to be in the private possession of a disinterested"#tthird party physician, lawyer, or clergyman where the material sought or#$ulikely to be reviewed during the execution of the warrant contains$%uconfidential information on patients, clients, or parishioners. 28 C.F.R.%&u 59.4(b). A search warrant can be used, however, if using less intrusive&'u0means would substantially jeopardize the availability or usefulness of'(u@the materials sought; access to the documentary materials appears to be()uPof substantial importance to the investigation; and the application for)*u`the warrant has been recommended by the U.S. Attorney and approved by the*+upappropriate Deputy Assistant Attorney General. 28 C.F.R. 59.4(b)(1) and+,u(2).,-u-.ub. Publishers and Authors./uF/0uup(0..u HFAdditionally, Congress has expressed a special concern for publishers and01ujournalists in the Privacy Protection Act, 42 U.S.C. 2000aa. Generally12uspeaking, agents may not search for or seize any "work product materials"23v(defined by statute) from someone "reasonably believed to have a purpose34vto disseminate to the public a newspaper, book, broadcast, or other45v similar form of public communication." 42 U.S.C. 2000aa(a). In56v0addition, as an even67v@78vP[page 42]89v`9:vpbroader proposition, government officers cannot search for or seize:;v"documentary materials" (also defined) from someone who possesses them in;<vconnection with a purpose to similarly publish. 42 U.S.C. 2000aa(b).<=vThese protections do not apply to contraband, fruits of a crime, or=>vthings otherwise criminally possessed. 42 U.S.C. 2000aa7.>?v?@vAlthough this provision may seem, at first blush, to have a somewhat@Avlimited application for law enforcement, it has emerged as a frequentABvissue in computer searches. Because even a standalone computer can holdBCwthousands of pages of information, it is common for users to mix data soCDwthat evidence of crime is commingled with material which is innocuousorDEw even statutorily protected. And as a technical matter, analysts sometimesEFw0cannot recover the electronic evidence without, in some manner, brieflyFGw@searching or seizing the protected data. Moreover, this problem becomesGHwPexponentially more difficult, both legally and practically, if the targetHIw`computers are part of a network which holds the work of many differentIJwppeople. The larger the network and the more varied its services, theJKwharder it is to predict whether there might be information on the systemKLwwhich could arguably qualify for statutory protection. (This complex areaLMwof the law is discussed in detail at "THE PRIVACY PROTECTION ACT, 42MNwU.S.C. 2000aa," infra p. 72. It is critical that prosecutors and agentsNOwread this section and the statute with care before undertaking a searchOPwwhich may intrude on protected materials.)PQwQRw2. TargetsRSxSTxIf the person who holds the documents sought is not "disinterested" but aTUx target of the investigation, the rules are understandably different. InUVx0those cases, agents may get a warrant to search the files forVWx@confidential information (regardless of whether that information isFWXxPxPp(X//x` HFtechnically "privileged" under Federal law), but the warrant should beXYxpdrawn as narrowly as possible to include only information specificallyYZxabout the case under investigation.Z[x[\xWhen the target of an investigation has complete control of the computer\]xto be searched (such as a standalone PC), it may be difficult to find]^xall the evidence without examining the entire disk drive or storage^_xdiskettes. Even in situations like these, it may be possible to get other_`xpeople in the suspect's office to help locate the pertinent files without`axexamining everything. When aabybcy[page 43]cdy dey0computer must be removed from the target's premises to examine it, agentsefy@must take care that other investigators avoid reading confidential filesfgyPunrelated to the case. Before examining everything on the computer,ghy`analysts should try to use other methods to locate only the materialhiypdescribed in the warrant. Finally, as experts comb for hidden or erasedijyfiles or information contained between disk sectors, they must continuejkyto protect the unrelated, confidential information as much as possible.klylmy3. Using Special MastersmnynoyIn rare instances, the court may appoint a special master to help searchopya computer which contains privileged information. See, e.g., DeMassa v.pqyNunez, 747 F.2d 1283 (9th Cir. 1984). A neutral master would beqrzresponsible to the court, and could examine all the documents andrszdetermine what is privileged. If the court appoints a master, thestz government should ask for a neutral computer expert to help the mastertuz0recover all the data without destroying or altering anything. In casesuvz@like these, the computer expert needs detailed instructions on the searchvwzPprocedures to be performed. In no event should the target of the searchwxz`or his employees serve as the master's computer expert.xyzpyzzF. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND ALONE PCs, NETWORKSz{zAND FILESERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS, AND ELECTRONIC{|zMAIL|}z}~z1. StandAlone PCs~zFzzp(00z HFWhen searching for information, agents must not overlook any storage{devices. This includes hard drives, floppy disks, backup tapes, CDROMs4,{{ [page 44]{0{@WORM drives 5, and anything else that could hold data. In addition,{Pnotwithstanding the hightech nature of computer searches, investigators{`must remember basic evidentiary techniques. If identification is an{pissue, they should look for fingerprints or other handwritten notes and{labels that may help prove identity. If data is encrypted, a written copy{of the password is clearly important.{{ܖ{{4 CDROM stands for Compact DiskRead Only Memory. Much like a compact{disk for music, it allows the user to search for and read information{without being able to alter it.||5 WORM stands for Write Once Read Many. The user can write large amounts| of information to a platter (a large disk); but once written, the platter|0can only be read, not altered.|@|Pa. Input/Output Devices: Do Monitors, Modems, Printers, and Keyboards|`Ever Need to be Searched?|p|Prosecutors must always keep in mind the independent component doctrine (|supra p. 25); that is, there must be a basis for seizing each particular|item. If agents are only searching for information, it may be senseless|to seize hardware that cannot store information.||That said, it is important to remember that information can be retrieved|from many hardware devices, even those not normally associated with a|storage function. Generally speaking, input and output (I/O) devices such}as keyboards, monitors, and printers do not permanently store data. Most}data is stored on devices such as hard drives, CDROMs, and floppy disks.} By contrast, I/O devices are used to send data to, and receive data from,}0the computer. Once the computer is turned off, I/O devices do not store}@information. For example, when a computer is turned off, the information}Pon the screen is lost unless it has been saved to a storage device.}`F}p}pp(11} HFHowever, there are significant exceptions to this general rule. A trained}computer specialist, using specialized techniques, may find data or other}evidence even on I/O devices. The following list is not allinclusive,}but rather offers some examples of I/O devices that may provide useful}evidence even after they have been turned off.}}(1) Laser printers It may be possible to search for images of the last}page printed on laser printers. This technique requires planning because~the expert must examine the printer before it is moved. If this type of~evidence may be needed, a computer expert must be ready at the~ ~0[page 45]~@~Pscene with the necessary equipment. Additionally, paper containing~`information may still be inside a laser printer due to a paper jam that~pwas not cleared.~~(2) Hard disk print buffers Some laser printers have five or~tenmegabyte hard drives that store an image before it prints, and the~information will stay on the drive until the printer runs out of memory~space and writes over it. One example of a printer that may have an~internal hard drive is the Qume 1000 Color Printer. An expert would be~able to search the hard drive for information sent to and stored by that~printer.(3) Print Spooler Device This device holds information to be printed. The spooler may be holding a print job if the printer was not ready to0print when the print command was given (e.g., the printer was not turned@on or was out of paper). This device should be handled at the scene sincePthe information will be lost when power is disrupted.`p(4) Ribbon printers Like old typewriter ribbons, printer ribbonscontain impressions from printed jobs. These impressions can be recoveredby examining the ribbon.(5) Monitors Any burning of the screen phosphorus may reveal data orgraphics commonly left on the screen.(6) Keyboards Although they do not normally store information, someunusual keyboards are actually computer workstations and may contain anFp(22 HFinternal diskette drive. 0(7) Hard Cards These appear to be a typical function board but they@function like a hard disk drive and store information.P`(8) Scanner Flatbed type scanners may have hard paper copy underneathpthe cover.(9) Fax machines Although some kinds of standalone fax machinessimply scan and send data without storing it, other models can store thedata (e.g., on a hard drive) before sending it. Significantly, the dataremains in the machine's memory until overwritten. Some fax machinescontain two or more megabytes of memoryenough to hold hundreds of pagesof information.[page 46] b. Routine Data Backups Even on standalone systems, computer users often make backup copies of0files to protect against hardware failure or other physical disruptions.@If the computer has any sort of failure which destroys the original copyPof data or programs (e.g., a hard disk failure), the data can then be`restored from the backups. How often backups are made is solely up to thepuser. As a practical matter, however, most computerliterate users willback up data regularly since mechanical failures are not uncommon and itis often difficult and time~consuming to recreate data that has beenirretrievably lost. Backup copies can be made on magnetic tape, disks, orcartridges.2. Networked PCsIncreasingly, computers are linked with other computers. This can be donewith coaxial cable in a local area network, via common telephone lines,or even through a wireless network, using radio frequency (RF) communications. Due to this interconnectivity, it has become more0important than ever to ascertain from sources or surveillance what type@of system agents will encounter. Without knowing generally what is therePbefore the search, investigators could end up with nothing more than a`"dumb terminal" (no storage capability) connected to a system whichpstores the files in the next county or state. It would be akin toexecuting a search warrant for a book~making operation on a vacant roomFp(33 HFthat only has a phone which forwards calls to the actual operation site.During the planning stage of a search, the government must consider thepossibility of offsite storage locations.The following are systems or devices which make it possible for a suspectto store data miles, or even continents, away from her own computer:FILE SERVER: A file server is a computer on a network that stores the programs and data files shared by the users of the network. A file server0acts like a remote disk drive, enabling someone to store information on a@computer system other than his own. It can be located in another judicialPdistrict from the target machine. [page 47]`pELECTRONIC MAIL: Electronic mail provides for the transmission ofmessages and files between computers over a communications network.Sending information in this way is similar in some ways to mailing aletter through the postal service. The messages are sent from one computer through a network to the electronic address of another specific  computer or to a series of computers of the sender's choice. The  transmitted messages (and attached files) are either stored at the  computer of the addressee (such as someone's personal computer) or at a  mail server (a machine dedicated, at least in part, to storing mail). If the undelivered mail is stored on a server, it will remain there untilthe addressee retrieves it. When people "pick up" email from the mail server, they usually receive only a copy of their mail, and the stored0message is maintained in the mail server until the addressee deletes it@(some systems allow senders to delete mail on the server beforePdelivery). Of course, deleted mail may sometimes be recovered by`undeleting the message (if not yet overwritten) or by obtaining a backuppcopy (if the server was backed up before the message was deleted).ELECTRONIC BULLETIN BOARD SYSTEMS (BBS): A bulletin board system is acomputer dedicated, in whole or in part, to serving as an electronicmeeting place. A BBS computer system may contain information, programs,and email, and is set up so that users can dial the bulletin boardsystem, read and leave messages for other users, and download and uploadsoftware programs for common use. Some BBSs also have gateways whichallow users to connect to other bulletin boards or networks. A BBS canhave multiple telephone lines (so that many people can use it at the sametime) or a single line where a user's access is firstcome, firstserved.F  p( 440 HFBBSs can have several levels of access, sometimes called "subboards" or !@"conferences." Access to the different conferences is usually controlled!"Pby the system operator with a password system. A single user may have"#`several different passwords, one for each different level or conference.#$pA user may store documents, data, programs, messages, and even$%photographs in the different levels of the BBS.%&&'A bulletin board system may be located anywhere telephone lines go.'(Therefore, if a suspect may have stored important information on a BBS, a()pen register on the suspect's phone may reveal the location of these)*stored files. Agents must be careful, though, because sysops have been*+known to forward incoming calls through a simple phone in one spot to+,,-[page 48]-../ their BBS computers somewhere else. Sometimes these calls hop between/00houses, and sometimes, between jurisdictions. Investigators cannot assume01@that the phone number called by the suspect is always the end of the12Pline.23`34pVOICEMAIL SYSTEMS: A voicemail system is a complex phone answering45machine (computer) which allows individuals to send and receive telephone56voice messages to a specific "mailbox" number. A person can call the67voicemail system (often a 1800 number) and leave a message in a78particular person's mailbox, retrieve messages left by other people, or89transfer one message to many different mailboxes in a list. Usually,9:anyone can leave messages, but it takes a password to pick them up or:;change the initial greeting. The system turns the user's voice into;<digital data and stores it until the addressee erases it or another<=message overwrites it. Criminals sometimes use voice mailboxes=>(especially mailboxes of unsuspecting people, if the criminals can beat>? the mailbox password) as remote deaddrops for information which may be?@0valuable in a criminal case. Voice mailboxes are located in the message@A@system computer of the commercial vendor which supplies the voicemailABPservice, or they can be found on the computer at the location called.BC`Voice mail messages can be written on magnetic disk or remain in theCDpcomputer's memory, depending on the vendor's system.DEEFOf course, all networked systems, whether data or voice, may keep routineFGand disaster backups.FGHp(H55 HFܿHIa. Routine BackupsIJJKMaking backups is a routine, mandatory discipline on multiuser systems.KLOn larger systems, backups may be created as often as two to three timesLMper working shift. Usually backups are made once per day on largerMN systems and once per week on smaller ones. Backups are usually stored inNO0a controlled environment to protect the integrity of the data (e.g.,OP@locked in a file cabinet or safe). The system administrators will usuallyPQPhave written procedures which set out how often backup copies will beQR`made and where they will be kept. Backups for large systems are oftenRSpstored at remote locations.STTU[page 49]UVVWb. Disaster BackupsWXXYThese are additional backups of important data meant to survive allYZcontingencies, such as fire, flood, etc. As extra protection, the data isZ[stored offsite usually in another building belonging to the business or[\in rented storage space. It would be unusual to find the disaster backups\]near the routine backups or original data. Again, these copies can be]^ stored on diskettes, magnetic tape, or cartridge.^_0_`@G . SEARCHING FOR INFORMATION`aPab`1. Business Records and Other DocumentsbcpcdObtaining records from a multiuser computer system raises certain issuesdethat are uncommon in the paper world. When dealing with papers stored ineffiling cabinets, agents can secure the scene and protect the integrity offgthe evidence by physically restricting access to the storage containerghand its papers. Electronic records are, of course, easier to alter orhidestroy. More important, such alteration or destruction may occur whileijthe agent is looking at a copy of the document on A workstation terminal.jkTherefore, it is important to control remote access to data while theklsearch is being conducted. This can often be done by prohibiting accesslmto the file or file server in question, either by software commands or bymn physically disconnecting cables. This should only be done by an expert,no0however, because altering the system's configuration may have significantFop@@p(p66P HFunintended results.pq`qrpIf the system administrator is cooperating with investigators, the taskrsbecomes much easier, and agents should use the least intrusive meansstpossible to obtain the data (e.g., a request, grand jury subpoena, ortuadministrative subpoena). Of course, if the entire business is underuvinvestigation or there is reason to believe that records may be alteredvwor destroyed, a search warrant should be used.wxxy[page 50]yzz{2. Data Created or Maintained by Targets{||} Targets of criminal investigations, particularly computer crimes, may}~0have data on a multiuser computer system. Where the target owns or~@operates the computer system in question, it is safest to use warrants,Palthough subpoenas may be appropriate in the right case.`pWhere the target does not control the system but merely has data on it,the sysop may be willing to provide the requested data assuming he hasthe authority to do so. Never forgetting the legal restraints of 18U.S.C. 2702 (see "Stored Electronic Communications," infra p. 85), thesysop can, as a practical matter, probably retrieve the needed datarather easily. Ordinarily, a multiuser computer system will havespecific accounts assigned to each user or groups of users. While thevarious "users" may not be able to get into each others' files, thesystem operator (like a landlord with passkeys) can usually examine andcopy any file in the computer system. (Typically, the sysop has what iscalled "superuser" authority or "root" access.) 0Some systems, by their rules, may prohibit the system managers or@operators from reading files in specific data areas or may expresslyPlimit the purposes for which sysops may exercise their access. In those`cases, sysops may insist on a court order or subpoena. If, on the otherphand, users have consented to complete sysop access in order to use thesystem, a request to the sysop for the information may be all that isrequired. In either event, rarely will it be wise for investigatingagents to search large computer systems by themselves. Without thesysop's help, it may be difficult (if not impossible) for agents to comba multiuser computer system the way they search file cabinets for paperFp(77 HFrecords.When using a subpoena with a future return date, agents shouldspecifically ask for the computerized records as they exist at time of service, and state clearly that service of the subpoena obliges the0recipient to preserve and safeguard the subpoenaed information by@making a copy. Investigators should explain that even if the recipientPcontests the subpoena, he must not only copy the data "as is," but must`also confirm to the agent that the copy has been made. The subpoenapshould also say that failure to preserve the subpoenaed information maysubject the recipient to sanctions for contempt. In some[page 51]circumstances, a "forthwith subpoena" may even be appropriate. If allthis is not done, the data may be altered or eraseddeliberately,accidentally, or in the normal course of businessbefore the return dateon the subpoena.3. Limited Data Searches 0Once analysts have determined the operating system and have taken@precautions to protect the integrity of the data, they will select toolsPto aid in the search. Using specially designed software called`"utilities" will greatly help, because analysts can tailor the search toplook for specified names, dates, and file extensions. They can scan disksfor recently deleted data and recover it in partial or sometimes completeformat. They can also identify and expose hidden files. In some cases,analysts may find files that are not in a readable format; the data mayhave been compressed to save space or encrypted to control access to it.Here again, utility packages will help recover the data. In designing thedata search, they might use a variety of utilities. Some areoff~theshelf software available from most computer retailers. Bututility software can also be custommade, especially designed to performspecific search functions that are specified in standard laboratoryprocedures. Obviously, agents should rely upon experts for this kind of analysis. (See APPENDIX C, p. 143, for a list of federal sources for0experts.)@PThere are several reasons why analysts will probably want to do a limitedF``p(88p HFrather than a complete search through the data. First of all, the law ingeneral prefers searches of all thingscomputer data includedto be asdiscrete and specific as possible. Second, the warrant may specifyparticular files, directories, or subdirectories, or certain categoriesof data. Finally, even if the facts of a case give an analyst free reinto search all the data, the economies of scale usually require a moresystematic approach. At the least, analysts should plan for a methodicalinventory of directories and subdirectories and prepare to document allthe steps taken in the search. Because data is so easy to alter ordestroy, analysts must have a careful record so that their efforts can bere~created for a court. In examining the data, analysts will probably have to do some sortingexamining things that could be relevant and0bypassing the unrelated items. Only rarely will they be allowed to or@even want to read everything on the computer system being searched. EvenPso, caution is advised, because directory headings and file names may`often be misleading.p[page 52]In addition to searching by file, subdirectory, or directory, the powerof the computer allows analysts to design a limited search in other waysas well. Computer experts can search data for specific names (like namesof clients, co~conspirators, or victims), words (like "drugs," "tax," or"hacking"), places (either geographic locations or electronic ones), orany combination of them. As legal researchers know, if the keyword searchis well defined, it can be the most efficient way to find the needle inthe haystack. But unless analysts are working from a tip and know how the data is organized, there will probably be some trial and error before0they can find the key words, names, or places. In addition, technical@problems may complicate a keyword search. For example, encryption,Pcompression, graphics, and certain software formatting schemes may leave`data difficult to search in this fashion.pIn the list of files contained in a directory or subdirectory, therewill be other kinds of information that may indicate whether a particularfile should be searched. The names of files in a directory often carryextensions that indicate what sort of file is or what it does. These fileextensions are often associated with common applications software, suchas spreadsheets (that could hold accounting data), databases (that canhave client information), word processing (which could hold any sort ofFp(99 HFalphanumeric text), or graphics. There will also be a date and timelisted for every file created. Although this information can easily be altered and may be misleading, in some cases it may accurately reflect0the last time the file was revised.@PFurther, the kind of software found loaded on a computer may reveal how`the computer has been used. If there is communications software, forpexample, the computer may have been used to send incriminating data toanother computer system at another location. A modem or other evidence ofremote access should also tip off the searcher to this possibility, whichmay expand the investigation and create a need for a new warrant. Forexample, the original search may disclose phone bills indicating frequentlongdistance calls to one particular number. If a call to this numberreveals a modem tone, then further investigation would be warranted.Clearly, the person conducting a computer search should have highleveltechnical skills to ensure success. Moreover, a wellmeaning investigatorwith amateur skills could inadvertently, but irretrievably, damage the data. When in doubt, rely only on experts.0@[page 53]P`4. Discovering the Unexpectedp a. Items Different from the Description in the Warrant    The Fourth Amendment requires specific descriptions of the places,  people, and things to be searched as well as the items to be seized.  Specificity has two aspectsparticularity and overbreadth.  "Particularity" is about detail: the warrant must clearly describe what  it seeks. "Breadth" is about scope: the warrant cannot include items for  which there is no probable cause. Together, the particularly and breadth  limitations prevent general searches of a person's properly. Thus,  generic classifications in a warrant are acceptable only when a more  precise description is not possible. In Re Grand Jury Subpoenas, 926 F.2d  0847, 8567 (9th Cir. 1991).  @  PDespite defense objections, the court upheld the seizure of computer  `disks not named in the warrant in United States v. Musson, 650 F. Supp.  p525, 532 (D. Colo. 1986). The warrant in that case authorized agents toF  p( :: HFseize various specific records, and the court reasoned that because of  the changing technology, the government could not necessarily predict  what form the records would take. See also United States v. Reyes, 798  F.2d 380, 383 (10th Cir. 1986); United States v. Lucas, 932 F.2d 1210,  1216 (8th Cir.), cert. denied, 112 S. Ct. 399 (1991). In these days, the  safest course is always to assume that particular, clearly described  "records" or "documents" may be in electronic form and to provide for  this possibility in the warrant. (See "SAMPLE COMPUTER LANGUAGE FOR  SEARCH WARRANTS," APPENDIX A, p. 125.)     0Other courts, however, have suppressed the results of search warrants  @which broadly covered electronic "records" in form, but were too vague  Pabout their content. In Application of Lafayette Academy, Inc., 610 F.2d  `1 (1st Cir. 1979), the court struck a warrant which expressly authorized  pthe seizure of computer tapes, disks, operation manuals, tape logs, tape  layouts, and tape printouts. Although the warrant specified that the  items must also be evidence of criminal fraud and conspiracy, that limit  !on content was not sufficiently particular to save the evidence. Id. at ! "3. See also Voss v. Bergsgaard, 774 F.2d 402, 4045 (10th Cir. 1985). " # # $[page 54] $ % % & b. Encryption & ' ' (If agents have authority to search the data in a computer or on a disk ( ) and find it has been encrypted, how should they proceedboth legally and ) *0practically? * +@ + ,PAlthough an encrypted computer file has been analogized to a locked file , -`cabinet (because the owner is attempting to preserve secrecy), it is also - .panalogous to a document written in a language which is foreign to the . /reader. As both of these metaphors demonstrate, the authority granted by / 0the warrant to search for and seized encrypted information also brings 0 1the implied authority to decrypt: to "break the lock" on the cabinet or 1 2to "translate" the document. Indeed, a warrant to seize a car and its 2 3contents implicitly authorizes agents to unlock it. 3 4 4 5Of course, the rule may be different if the search is based upon consent. 5 6A court might well find that a target who has encrypted his data and has 6 7not disclosed the necessary password has tacitly limited the scope of hisF 7 8p( 8;;  HFconsent. In that case, the better practice is to ask explicitly for 8 90consent to search the encrypted material, as well as the password. If the 9 :@target refuses, agents should obtain a warrant for the encrypted data. : ;P ; <`In United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), the < =pdefendant was cooperating with the government by giving them drugdealing = >information from encrypted files in his computer memo book. During one > ?interview, the agent learned the defendant's password by standing over ? @his shoulder and watching as he typed it. Later, when the defendant @ Astopped cooperating and started destroying information in the notebook, A Bthe agent seized it and used the defendant's password to access the B Cremaining information. The court reasoned that the agent's learning the C Dpassword was like his picking up the key to the container. When the D Edefendant withdrew his consent to give more information from the memo E Fbook, the act which required a warrant was looking inside the F Gcontainerwhether locked or unlockednot the acquisition or even the G H use of the key. If the agent did not have authority to search the data, H I0then knowing the password would not confer it. Id. at 1391. Conversely, I J@if the agent does have a warrant for the data, she may break the "lock" J KPto search it. For more comment on the consent issues in the David case, K L`see the discussion at p. 14. L Mp M N[[page 55] N O O PAs a practical matter, getting past the encryption may not be easy, but P Qthere are several approaches to try. First of all, the computer crime lab Q Ror the software manufacturer may be able to assist in decrypting the R Sfile. Investigators should not be discouraged by claims that the password S T"can't be broken," as this may simply be untrue. Some can be done easily T Uwith the right software. If that fails, there may be clues to the U Vpassword in the other evidence seizedstray notes on hardware or desks; V Wscribbles in the margins of manuals or on the jackets of disks. Agents W X should consider whether the suspect or someone else will provide the X Y0password if requested. In some cases, it might be appropriate to compel a Y Z@third party who may know the password (or even the suspect) to disclose Z [Pit by subpoena (with limited immunity, if appropriate). [ \` \ ]pH. DECIDING WHETHER TO CONDUCT THE SEARCH ONSITE OR TO REMOVE HARDWARE ] ^TO ANOTHER LOCATION ^ _F _ `p( `<< HFIt is possible for analysts to search for electronic evidence in several ` aplaces: onsite, at an investigative agency field office, or at a a blaboratory. The key decision is whether to search at the scene or b csomewhere else, since an off~site search will require packing and moving c dthe property and may constitute a greater intrusion on the property d erights of the computer owner/user.6 In addressing this issue, it is e fnecessary to consider many factors such as the volume of evidence, the f g scope of the warrant, and the special problems that may arise when g h0attempting to search computers. h i@ i jPAlthough it may, practically speaking, be necessary to remove the j k`computer in order to search it, that logistical reality does not expand k lpthe theoretical basis of probable cause. This is a completely separate l missue, and agents must not write broad warrants simply because, in m nreality, it will be necessary to seize the entire filing cabinet or n ocomputer. Rather, they should draft the warrant for computer records as o pspecifically as possible (akin to a search warrant papers in a file p qcabinet) by focusing on the content of the record. Then, as a separate q rlogical step, they should address the practical aspects of each case: r swhenever searching data "containers" on site would be unreasonable, s tagents should explain in the affidavit why this is true and ask for t u u v[page 56] v w  w x0permission to seize the containers in order to find the relevant x y@documents. (See "DRAFTING A WARRANT TO SEIZE INFORMATION: Describing the y zPItems to be Seized," infra p. 97.) (If the particular computer storage z {`devices which contain the evidence may also hold electronic mail { |pprotected by 18 U.S.C. 2701, et seq., see STORED ELECTRONIC | }COMMUNICATIONS," infra p. 85. If they may contain material covered by the } ~Privacy Protection Act, 42 U.S.C. 2000aa, see "THE PRIVACY PROTECTION ~ ACT," infra p. 72.)    1. Seizing Computers because of the Volume of Evidence    Since any document search can be a timeconsuming process, cases  discussing file cabinet searches are helpful. Although not technically  complex, it can take days to search a file cabinet, and courts have  sustained offsite searches when they are "reasonable under the  circumstances." The key issues here are: (1) how extensive is theF  00p( ==@ HFwarrant and (2) what type of place is to be searched.  P  `ܖ  p  6. If hardware is going to be removed from the site, refer to the  suggestions on packing and moving hardware, supra p. 31.      a. Broad Warrant Authorizes Voluminous Seizure of Documents    In determining whether agents may take documents from the scene for later  examination, they must consider the scope of the warrant. When the  warrant directs agents to seize broad categories of records, or even all  records (because the suspect's business is completely criminal or  infected by some pervasive, illegal scheme), then it is not difficult to  0argue all papers and storage devices should be seized. In these cases,  @courts have supported the carting off of whole file cabinets containing  Ppounds of unsorted paper. U.S. Postal Service v. C.E.C. Services, 869  `F.2d 184, 187 (2d Cir. 1989); United States v. Sawyer, 799 F.2d 1494,  p1508 (11th Cir. 1986), cert. denied sub nom. Leavitt v. U.S. , 479 U.S.  1069 (1987). "When there is probable cause to seize all [items], the  warrant may be broad because it is unnecessary to distinguish things that  may be taken from things that must be left undisturbed." U.S. v.  Bentley, 825 F.2d 1104, 1110 (7th Cir.), cert. denied, 484    [page 57]    U.S. 901 (1987). In such cases, it is not necessary to carefully sort  through documents at the scene to insure that the warrant has been  properly executed.    0This rationale has been extended to computers. In U.S. v. Henson, 848  @F.2d 1374 (6th Cir. 1988), cert. denied, 488 U.S. 1005 (1989), agents  Psearched several used car dealerships for evidence of an interstate  `odometer rollback scheme. The warrant authorized agents to seize, among  pother things, "modules, modems and connectors, computer, computer  terminals, hard copy user documentation pertaining to files and/or  programs, cables, printers, discs, floppy discs, tapes, vendor phone  numbers, all original and backup tapes and discs, any other informational  data input, all vendor manuals for hardware and software, printouts...."F  p( >> HFId. at 1382. The warrant did not require onsite sorting, and the  defendants later accused agents of going on a "seizing frenzy." The  court, however, sustained the search, observing that the extensive  seizures were authorized by the warrant, and the warrant was broad  because so was the criminality. The court relied on the rule of  reasonableness in concluding that officers were right not to try to sort  0through everything at the scene. Since the extensive seizure of records  @was authorized by the terms of the warrant, it was inevitable that the  Pofficers would seize documents that were not relevant to the proceedings  `at hand. We do not think it is reasonable to have required the officers  pto sift through the large mass of documents and computer files found in  the Hensons' office, in an effort to segregate those few papers that were  outside the warrant.    Id. at 13834 (emphasis added).    Although the Henson defendants argued that agents seized items not  covered by the warrant, this did not invalidate the search. As noted by  the court,    A search does not become invalid merely because some items not covered by  a warrant are seized.... Absent flagrant disregard for the limitations  0of a search warrant, the items covered by the warrant will be admissible.  @  PId. at 1383 (citations omitted). See also U.S. v. Snow, 919 F.2d 1458,  `1461 (10th Cir. 1990).  p  [page 58]    The Eleventh Circuit expressed a similar rule of reasonableness in United  States v. Wuagneux, 683 F.2d 1343, 1353 (11th Cir. 1982), cert. denied,  464 U.S. 814 (1983). In Wuagneux, a dozen agents searched the records of  a business for a day and a half, and seized between 50,000 and 100,000  documents (approximately one to two percent of those on the premises).  Defendants complained that the agents should not have removed whole files  or folders in order to take a particular document, but the court  disagreed: "To require otherwise `would substantially increase the time  required to conduct the search, thereby aggravating the intrusiveness of  0the search,' " citing United States v. Beusch, 596 F.2d 871, 8767 (9th  @Cir. 1979). The Eighth Circuit reached the same conclusion in Marvin v.F  PPp( ??` HFU.S. , 732 F.2d 669 (8th Cir. 1984), where agents searched a clinic for  pfinancial information related to tax fraud. The agents seized many files  without examining the contents at the scene, intending to copy and sort  them later. Although the agents seized some files that were completely  outside the warrant, the district court's remedy, upheld on appeal, was  to order return of the irrelevant items. The agents' decision not to comb  through all the files at the scene, the court noted, was "prompted  largely by practical considerations and time constraints." Id. at 675.  Accord Naugle v. Witney, 755 F. Supp. 1504, 1516 (D. Utah 1990)(Removing  an entire filing cabinet, including items not described in the warrant,  was reasonable since the alternative would require officers to remain on  the premises for days, a result less reasonable and more intrusive.)    0b. Warrant is Narrowly Drawn but Number of Documents to be Sifted  @through is Enormous  P  `The more difficult cases are those in which the soughtafter evidence is  pfar more limited and the description in the warrant is (and should be)  more limited as well. "When the probable cause covers fewer documents in  a system of files, the warrant must be more confined and tell the  officers how to separate the documents to be seized from others." United  States v. Bentley, supra, at 1110.    The problem of the narrowly drawn, tightly focused warrant is illustrated  by U.S. v. Tamura, 694 F.2d 591 (9th Cir. 1982). Because agents knew  exactly what records they sought at a particular business, they were able  (and it was reasonable for them) to draft the warrant very specifically.  But it    0[page 59]  @  Pwas much easier to describe the records than to find them, especially  `when the company employees refused to help. In the end, the agents simply  ptook all the records including eleven boxes of computer printouts, 34  file drawers of vouchers, and 17 drawers of cancelled checks. Unlike most  other cases that address these issues, this court faced a seizure where  most of the documents taken were outside the warrant. It concluded,  therefore, that "the wholesale seizure for later detailed examination of  records not described in a warrant is significantly more intrusive, and  has been characterized as `the kind of investigatory dragnet that theF  p( @@ HFFourth Amendment was designed to prevent.'" Id. at 595 (citations  omitted). Although the court found reversal was not compelled (because  the government had been "motivated by considerations of practicality"),   it also found this a "close case." Their advice for law enforcement is  0concrete:  @  PIn the comparatively rare instances where documents are so intermingled  `that they cannot feasibly be sorted on site, we suggest that the  pGovernment and law enforcement officials generally can avoid violating  Fourth Amendment rights by sealing and holding the documents pending  approval by a magistrate of a further search, in accordance with the  procedures set forth in the American Law Institute's Model Code of  PreArraignment Procedure. If the need for transporting the documents is  known to the officers prior to the search, they may apply for specific  authorization for largescale removal of material, which should be  granted by the magistrate issuing the warrant only where onsite sorting  is infeasible and no other practical alternative exists.    Id. at 5956 (footnote omitted).     0c. Warrant Executed in the Home  @  PWhen a search is conducted at a home instead of a business, courts seem  `more understanding of an agent's predilections to seize now and sort  plater. In United States v. Fawole, 785 F.2d 1141, 1144 (4th Cir. 1986),  ten agents had searched the defendant's home for three and a half hours  removing, among other things, 350 documents. Almost half of those papers  were in a briefcase, which the agents seized without sorting. Although  many things in the briefcase    [page 60]    were outside the scope of the warrant, the court found that, under the  !circumstances, the seizure did not amount to a general, exploratory ! "rummaging in a person's belongings. " #  # $0Even more extensive were the seizures in United States v. Santarelli, $ %@778 F.2d 609 (11th Cir. 1985). In that case, agents searched the home of % &Pa suspected loanshark, confiscating the entire contents of a fourdrawer & '`file cabinet. In the end, they left with eight large boxes of items whichF ' (ppp( (AA HFthey inventoried at the local FBI office. When the defendant objected to ( )this process, the court strongly disagreed: ) * * +Given the fact that the search warrant entitled the agents to search for + ,documents .... it is clear that the agents were entitled to examine each , -document in the bedroom or in the filing cabinet to determine whether it - .constituted evidence.... It follows that Santarelli would have no cause . /to object if the agents had entered his home to examine the documents and / 0remained there as long as the search required. The district court 0 1estimated that a brief examination of each document would have taken 1 2 several days. Under these circumstances, we believe that the agents acted 2 30reasonably when they removed the documents to another location for 3 4@subsequent examination.... [T]o require an onpremises examination under 4 5Psuch circumstances would significantly aggravate the intrusiveness of the 5 6`search by prolonging the time the police would be required to remain in 6 7pthe home. 7 8 8 9Id. at 6156 (citation omitted). 9 : : ;d. Applying Existing Rules to Computers ; < < =Clearly, the Tamura court could not have anticipated that the explosion = >in computers would result in the widespread commingling of documents. > ?While computers are often set up with directories and subdirectories ? @(much like a file cabinet is set up with file folders), many users put @ Adata on disks in random fashion. Thus, a particular letter or file could A B be anywhere on a hard disk or in a box of floppies. B C0 C D@[page 61] D EP E F`Most important, all of the filecabinet cases discussed above implicitly F Gprely on the premise that "documents" are readily accessible and G Hascertainable items; that any agent can find them and (unless the subject H Iis quite technical) can read, sort, and copy those covered by warrant. I JThe biggest problem in the paper cases is time, the days it takes to do a J Kpainstaking job. But computer searches have added a formidable new K Lbarrier, because searching and seizing are no longer as simple as opening L Ma file cabinet drawer. When agents seize data from computer storage M Ndevices, they will need technical skill just to get the file drawer open. N OWhile some agents will be "computer literate," only a few will beF O Pp( PBB HFexpert; and none can be expert on every sort of system. Courts have not P Q yet addressed this reality. In the meantime, search warrant planning in Q R0every computer case should explore whether agents will ask for offsite R S@search authority in the warrant application. S TP T U`2. Seizing Computers because of Technical Concerns U Vp V Wa. Conducting a Controlled Search to Avoid Destroying Data W X X YThe computer expert who searches a target's computer system for Y Zinformation may need to know about specialized hardware, operating Z [systems, or applications software just to get to the information. For [ \example, an agent who has never used Lotus 123 (a spreadsheet program) \ ]will not be able to safely retrieve and print Lotus 123 files. If the ] ^agent entered the wrong computer command, he could unwittingly alter or ^ _destroy the data on the system. This sort of mistake not only alters _ `evidence, but could create problems for the system's owner as well. Since ` a it is the government's responsibility to recover evidence without a b0altering data, the safest course is to rely on experts working in b c@controlled environments. c dP d e`Additionally, savvy computer criminals may know how to tripwire their e fpcomputers with "hot keys" or other selfdestruct programs that could f gerase vital evidence if the system were examined by anyone other than an g hexpert. For example, a criminal could write a very short program that h iwould cause the computer to demand a password periodically and, if the i jcorrect password is not entered within ten seconds, it would destroy data j kautomatically. In some cases, k l l m[page 62] m n n ovaluable evidence has been lost because of the way the computers were o phandled. Therefore, this concern may make it doubly important to remove p q the computers, unless an expert determines that an onsite search will be q r0adequate. r s@ s tPQuite obviously, some computers (such as large mainframes) are not easily t u`moved. And some defendants will no doubt argue that if the government can u vpsearch a mainframe computer on site, it can search PCs on site as well. v wEven so, the test should not be what is arguably possible, but ratherF w xp( xCC HFwhat is the most reasonable, most reliable, and least intrusive way to x ysearch each system. The fact that mainframes may pose unique problems y zshould not lead courts to adopt impractical rules for other searches. z { { |In sum, there is ample authority to justify removing computer systems (or | }the relevant parts of them) to a field office or laboratory in order to } ~search them for information. This is especially true where the warrant is ~ broad, an onsite search will be intrusive, or technical concerns warrant  moving the system to a lab. This will not always be the case, however,  0and agents and their experts should explore searching on site (or making  @exact copies to search later) whenever it is appropriate. Before agents  Pask for authority to seize any hardware for an offsite data search, they  `should analyze the reasons and set them out clearly for the magistrate.  p  b. Seizing Hardware and Documentation so the System Will Operate at the  Lab    With an everincreasing array of computer components on the marketand  with existing hardware and software becoming obsoleteit may be  impossible to seize parts of a computer system (e.g., the CPU and hard  drive) and operate them at the laboratory. In fact, there may be times  when agents will need to seize every component in the computer system and  later have a laboratory computer specialist determine whether or not each  piece can be returned. Many hardware incompatibilities exist (even within  a given computer family such as IBMcompatible PCs), and the laboratory  0experts may need to properly reconfigure the system back at the lab in  @order to read data from it.  P  `[page 63]  p  Peripherals such as printers and special input and display devices may be  necessary to operate and display certain software applications. Agents  should attempt to learn as much about the system to be searched as  possible so that appropriate seizure decisions can be made. If certain  peripherals must be seized to insure that the data can be retrieved from  storage devices, this should be articulated in the warrant affidavit and  covered in the warrant. Then an expert should examine the seized  equipment as soon as practicable to determine whether the peripheral  devices need to be retained. This approach relies completely on the facts  of each case. It will seem reasonable and temperate when the I/O devicesF   p( DD0 HFseized are essential, but not when the items seized are commercially  @available and the only justification for the seizure/retention is  Pconvenience and not necessity. If in doubt, agents should seek permission  `to seize the peripherals, and then insure a prompt review at the lab.  p  Similarly, when agents search and seize a computer system, they should  ask for authority to seize any documentation that explains the hardware  and software being seized. Documentation found at the scene may be a key  in re~assembling the computer, operating it, or using the software on the  machine properly. If the computer's user is experienced, he may have  customized the software, and the documentation may be required to  retrieve data. Although a computer lab may have or be able to obtain many  standard varieties of documentation, some of it may not be easily  available for purchase. As with hardware or software, the documentation  should not be seized unless needed and, if seized, should be returned  when no longer required.  0  @I. EXPERT ASSISTANCE  P  `1. Introduction  p  While planning is important to the success of any search, it is critical  in searching and seizing information from computers. Agents should  determine, to the extent possible, the type of computer involved, what  operating system it uses, and whether the information sought can be  accessed by, or is controlled by, a computer literate target.    [page 64]    Answering these questions is key, because no expert can be expert on all  systems. Mainframes, for example, are made by various companies (e.g.,  IBM, DEC, Cray) and often run unique, proprietary operating systems. Even  0the PC market offers significantly different hardware/software  @configurations. Although the most common desktop computer is an IBM or  PIBMcompatible system, it runs a range of operating systems including DOS  `(with or without Windows), OS/2, and UNIX. Apple Computers are also  ppopular and run their own unique operating system.    Computer literate targets may attempt to frustrate the proper execution  of a search warrant. For example, an ingenious owner might have installedF  p( EE HFhidden commands that could delete important data if certain startup  procedures are not followed. If this might be the case, experts will take  special precautions before the search: they will, for example, start (or  "boot") the computer from a "clean" system diskette in a floppy drive,  not from the operating software installed on the system. These hidden  traps, as well as passwords and other security devices, are all obstacles  that might be encountered in a search.  0  @In sum, since computer experts cannot possibly be expert on all systems,  Pit is important lo have the correct expert on the scene. Knowing the type  `of computer to be searched, and the type of operating system being used,  pwill allow the appropriate expert to be selected. This, in turn, will  streamline the search process, since the expert may be familiar with the  software and file structures on the target machine.    2. Finding Experts    Most situations will require an expert to retrieve, analyze, and preserve  data from the computers to be searched. Oftentimes the job may not be so  complex: the records may be stored with a standard brand of software  using the DOS (Disk Operating System) format. Some of the most common  software programs are WordPerfect (for text), Lotus (for spreadsheets),  and dBase (for databases). If it is more complicated than this, however,  0only an expert in the hardware and software at hand should do the work.  @  P  `[page 65]  p  To determine what type of expert will be needed, agents should get as  much information about the targeted system as possible. Sources like  undercover agents, informants, former employees, or mail covers can  provide information about the system at the search site. Once the  computer systems and software involved have been identified, an  appropriate expert can be found from either the federal or private  sector. Ultimately, the expert must use sound scientific techniques to  examine any computer evidence.    a. Federal Sources    0The best place to find an expert may be in the investigating agencyF  @@p( FFP HFitself. Many federal agencies have experienced people on staff who can  `help quickly when the need arises, and the list at APPENDIX C provides  pcontact points for various agencies. If the investigating agency lacks an  expert in the particular system to be searched, other federal agencies  may be able to assist. The trick, of course, is to find the expert while  planning for the search and not to start looking after the agents execute  the warrant. Prosecutors must allow time to explore the federal network  and find the right person.    Most of the federal agencies that routinely execute search warrants for  computer evidence have analysts at central laboratories or field experts  who can search the seized computer evidence. Many of them will also work  on evidence from other federal or state agencies as time permits. It is  important to call early to get specific instructions for handling the  0evidence, and these experts can provide other technical assistance as  @well. For example, there are many kinds of software (both government and  Pprivate) which will help process evidence, break passwords, decrypt  `files, recover hidden or deleted data, or assist investigators in other  pimportant ways. Because these utilities are constantly changing, it is  important to consult with experts who have them and know how to use them.    Each agency organizes its computer experts differently. For example, the  Computer Analysis and Response Team (CART) is a specialized team within  the central FBI Laboratory in Washington, D.C., that examines various  types of computer evidence for FBI agents nationwide. The IRS, on the  other hand, has about seventy decentralized experts, called Seized  Computer Evidence Recovery (SCER) Specialists who work in controlled  environments    [page 66]  0  @across the country. Almost every IRS District has at least one SCER  PSpecialist, and many have two. The Drug Enforcement Administration's  `forensic computer experts are also experienced in all phases of computer  poperations related to criminal cases, including data retrieval from  damaged media and decryption. The U.S. Secret Service has approximately  twelve special agents who are members of the Electronic Crimes Special  Agent Program (ECSAP). These agents are assigned to field offices on a  regional basis and are trained in the area of computer investigations and  computer forensics. (For a list of federal sources for computer experts,F  p( GG HFsee APPENDIX C, p. 143.)    b. Private Experts     Whatever the source of a private expert, the affidavit should ask  0permission to use nonlawenforcement personnel during the execution of  @the search warrant. The issuing magistrate should know why an expert is  Pneeded and what his role will be during the search. Agents must carefully  `monitor the expert to insure that he does not exceed the limits described  !pin the search warrant. Certain expertsthose not familiar with the ! "judicial systemare not likely to be expert on how to execute a search " #warrant, protect chainof~custody, or resolve search issues that may # $affect the evidence's admissibility at trial. Thus, a private expert $ %should be paired with an experienced agent every step of the way. In % &addition, the expert's employment contract should address confidentiality & 'issues, and include a nondisclosure clause and a statement of Privacy ' (Act restrictions. If the contracting agency is the IRS, pay special note ( )to Internal Revenue Code provisions at 26 U.S.C. 6103, which address ) *rules for confidentiality and nondisclosure of tax return information. * + + , (1) Professional Computer Organizations , -0 - .@Many professional computer organizations have members who are experts in . /Pa wide variety of hardware and software. Computer experts from the / 0`government are a good source for finding a private expert, for the 0 1porganizations and contacts between them change almost as fast as the 1 2technology. Also, one advantage of using a professional organization as 2 3the source of an expert is that 3 4 4 5[page 67] 5 6 6 7these organizations usually have members who work routinely with federal 7 8or state law enforcement and are therefore familiar with handling 8 9evidence and testifying. 9 : : ;(2) Universities ; <  < =0Another source for experts is a university, especially for hightech = >@crimes involving rare kinds of hardware or software. The academic > ?Penvironment attracts problemsolvers who may have skills and researchF ? @``p( @HHp HFcontacts unavailable in law enforcement. @ A A B(3) Computer and Telecommunications Industry Personnel B C C DIn some cases, the very best expert may come from a vendor or service D Eprovider, particularly when the case involves mainframes, networks, or E Funusual systems. Many companies such as IBM and Data General employ some F Gexperts solely to assist various law enforcement agencies on search G Hwarrants. H I I J(4) The Victim J K  K L0Finally, in some circumstances, an expert from the victim organization L M@may be the best choice, especially if the hardware configuration or M NPsoftware applications are unique to that organization. Agents and N O`prosecutors must, of course, be sensitive to potential claims of bias. O PpMany relevant issues, such as estimates of loss, may pose a considerable P Qgray area. Even if the victimexpert is completely dispassionate and Q Rneutral in her evaluation, her affiliation with and loyalty to the victim R Sorganization may create a bias issue later at trial. S T T U U V[page 68] V W W X3. What the Experts Can Do X Y Y Za. Search Planning and Execution Z [  [ \0Agents and prosecutors who anticipate searching and seizing computers \ ]@should include a computer expert in the planning team as early as ] ^Ppossible. Experts can help immeasurably in anticipating the technical ^ _`aspects of the search. This not only makes the search smoother, it is _ `pimportant information for designing the scope of the warrant. In ` aparticular, if agents can give the expert any information about the a btarget's specific computer system, the expert may be better able to b cpredict which items can be searched at the scene, which must be seized c dfor later analysis, and which may be left behind. d e e fFurther, if the computer system is unusual or complex, technical experts f gcan be invaluable help at the scene during the search. Particularly whenF g hp( hII HFevidence resides on computer networks, backup tapes, or in h icustomtailored systems, the evidence will be safest in the hands of an i j expert. j k0 k l@b. Electronic Analysis l mP m n`The experts will examine all the seized computer items (so long as they n opare properly preserved and sealed) and will recover whatever evidence o pthey can. Most forensic computer examiners will perform at least the p qfollowing: (1) make the equipment operate properly; (2) retrieve q rinformation; (3) unblock "deleted" or "erased" data storage devices; r s(4) bypass or defeat passwords; (5) decipher encrypted data; and (6) s tdetect the presence of known viruses. t u u vThe data to be searched can consist of hundreds or even thousands of v wfiles and directories. In some cases, there will be evidence in most of w xthe files seized, and in others, only a small fraction of them. Once the x yanalyst has protected the original data from change, she must begin to y z search for the relevant material. z {0 { |@ | }P[page 69] } ~` ~ pA good first step is to print out a directory of the information  contained on a hard drive or floppy disk. Directories give valuable  information about what is in the files, when they were created, and how  long they are. Of course, analysts will not entirely trust file names, as  hackers have been known to hide highly incriminating material in files  with innocuous names and misleading dates.    Once the analyst has printed a directory, he will probably log onto the  hard or floppy drive and look at each file, noting on the printed  directory (or a separate log sheet if available) the type of information  in each file and whether it appears relevant. Relevant files can be  copied onto a separate disk or printed out in hard copy. It is a good  0idea always to review files from bitstream copies (which record each  @separate bit of information, including hidden files) or in "read only"  Pmode so that the reviewer can read the document but cannot edit it. This  `way, the agents can later testify that the seized material could not have  pbeen mistakenly altered during the review. Of course, there is more thanF  p( JJ HFone "right way" to analyze electronic evidence, and experts must deal  with the circumstances of each case. Ultimately the analyst must adhere  to sound scientific protocols in recovering and examining  computerrelated evidence, and keep clear and complete records of the  process.    c. Trial Preparation    Computer forensic experts can help prosecute the case with advice about  how to present computerrelated evidence in court. Many are experienced  0expert witnesses and they can (1) help prepare the direct case; and (2)  @anticipate and rebut defense claims. In addition, computer experts can  Passist prosecutors in complying with the new federal rules pertaining to  `expert witnesses, Fed. R. Evid. 16(a)(1)(E) and 16(b)(1)(C), effective  pDecember 1, 1993. Under these rules, the government must provide, upon  request, a written summary of expert testimony which it intends to use  during its case in chief. There is a reciprocal requirement for the  summary of defense expert witness testimony, as long as the defense has  requested a summary from the government, and the government has complied.    [page 70]      d. Training for Field Agents    Before a computer case ever arises, experts can train agents and  0prosecutors about computer search problems and opportunities. They can  @teach investigators how to preserve and submit computer evidence for  Pexamination, and many will also provide field support as time permits.  `  p[page 71]    V. NETWORKS AND BULLETIN BOARDS    A. INTRODUCTION    Electronic Bulletin Board Services (BBSs) are computers set up to serve  in the electronic world as places where users can post and read  messagesmuch like traditional bulletin boards. In addition, however, a  BBS may also permit users to communicate via private electronic mail, toF  p( KK  HFengage in "chat sessions" (realtime conversations where the "speakers"  0talk by using their keyboards instead of their voices), to upload and download files, and to share information on topics of common interest (e.g., a newsletter on stamp collecting). A sysop runs the bulletin board, and BBS users access it with their computers over regular telephone lines.  Some bulletin boards, known as "pirate bulletin boards," aremaintained for illegal purposes such as distributing copyrighted software, credit card numbers, telephone access codes, and pornography. A BBSdedicated to  phone fraud is also called a "phone phreaker board," and those which @distribute child pornography and adult obscenity are called, not Psurprisingly, "porn boards." The illegal material on these boards is not `protected by the First Amendment since such items are "fruits ofcrime" pand "contraband" and do not convey any thought, opinion, or artistic expression. Nor can these operations claim some sort of "press protection" for publishing these items, since the Constitution does not shield the press against laws of general applicability. In short, the First Amendment is not a license to commit crimes. See Securities and Exchange Commission v. McGoff, 647 F.2d 185 (D.C. Cir.), cert. denied, 452 U.S. 963 (1981); Cf. Pell v. Procunier, 417 U.S. 817, 8335 (1974)(the right to speak and publish does not carry an unrestrained right to gather information; a prison may restrict the press's accesstoF  p(dd0 HFits inmates in accord with the state's legitimate incarceration policy @objectives). P `It gets more complex, however, because many bulletin boards are not pdevoted solely to illegal activities, but are hybrid boards: they contain both illegal and legal material. To complicate matters further, the legitimate material on the board (or stored on the same computerwhich runs the board) may be statutorily protected. For example, someprivate electronic mail may be covered under 18 U.S.C. 2701, et seq., Stored Wire  [page 72]   and Electronic Communications. (For further discussion, see "STORED 0ELECTRONIC COMMUNICATIONS," infra p. 85). Even more difficult, some @material may be specifically protected from search and seizure by a Pcomplex statute called the Privacy Protection Act, 42 U.S.C. 2000aa.In `order to understand the scope and intricacy of this statute and how it might apply to computer searches, it helps to begin with the casewhich prompted it.  B. THE PRIVACY PROTECTION ACT, 42 U.S.C. 2000aa  1. A Brief History of the Privacy Protection Act  On April 9, 1971, nine police officers in California responded to Stanford University Hospital to disperse a large group ofdemonstrators.  The demonstrators resisted, and they ultimately attacked and injuredall @nine officers. Two days later, on April 11, The Stanford Daily, a student `newspaper, carried articles and photographs devoted to the student pprotest and the clash between these protestors and the police.Believing that The Stanford Daily might possess additional photographs thatwouldF p(ee HFidentify other protestors, the police sought and obtained a search warrant to search the newspaper's offices.  A month after the search, The Stanford Daily brought a civil action alleging violations of the First, Fourth and Fourteenth Amendments. In support of their claims, the plaintiffs alleged that (1) the Fourth  Amendment forbade the issuance of search warrants for evidence inthe 0possession of those not suspected of criminal activity and (2) the First PAmendment prohibited the use of search warrants against membersof the `press and, instead, required the use of subpoenas duces tecum.Zurcher v. Stanford Daily, 436 U.S. 547 (1978). The Supreme Court disagreed with both claims, holding that the use of a search warrant, even for the pursuit of "mere evidence," was permitted on both non~suspect third parties and members of the news media.   [page 73]  In response to Zurcher, Congress passed the Privacy Protection Act of  1980, 42 U.S.C. 2000aa (hereinafter the PPA). The purpose of this 0legislation, as stated in the Senate Report, is to afford "the press and @certain other persons not suspected of committing a crime with Pprotections not provided currently by the Fourth Amendment." S. Rep.No. `874, 96th Cong., 2d Sess. 4 (1980). As the legislative history indicates,  the purpose of this statute is to limit searches for materials held by persons involved in First Amendment activities who are themselvesnot suspected of participation in the criminal activity for which the materials are sought, and not to limit the ability of law enforcement officers to search for and seize materials held by those suspected of committing the crime under investigation.7 Id. at 11.  The PPA protects two classes of materialsdefined as "work product  materials" and "documentary materials"by restricting beyond the 0existing limits of the Fourth Amendment when government agents can6@p(ffP H6get @warrants to search for or seize them. p It is important to note that, although victims of a search whichviolates the PPA may not move to suppress the results, the statute doescreate civil remedies. Moreover, the PPA specifically precludes thegovernment from asserting a good faith defense to civil claims, so in this respect 2000aa is a strict liability statute.  2. Work Product Materials   0In general terms, the first category of protected material covers @original work in the possession of anyone (including authors and Ppublishers) who intends (from an objective view) to publish it. In `construing this statute, the exact language of the definitions is pimportant. Specifically, "work product materials" are defined in 42 U.S.C. 2000aa7(b) as  7 The Department had previously promulgated regulations on issuing subpoenas directly to members of the news media or indirectly fortheir telephone toll records. The regulations also addressed interrogating,  indicting, or arresting members of the press. See 28 C.F.R. 50.10.      [page 74]    !0materials, other than contraband or the fruits of a crime or things "@otherwise criminally possessed, or property designed or intended foruse, #Por which is or has been used, as the means of committing a criminal $poffense, and % &(1) in anticipation of communicating such materials to the public, are 'prepared, produced, authored, or created, whether by the person in (possession of the materials or by any other person; )F *p(gg HF(2) are possessed for the purposes of communicating such materialsto the +public; and , - (3) include mental impressions, conclusions, opinions, or theories ofthe .0person who prepared, produced, authored, or created such material. /P 0 `When "work product materials" are involved, Title 42, Section2000aa(a) 1"pprovides that: 2# 3$Notwithstanding any other law, it shall be unlawful for a government 4%officer or employee, in connection with the investigation orprosecution 5'of a criminal offense, to search for or seize any work productmaterials 6)possessed by a person reasonably believed to have a purpose to 7* disseminate to the public a newspaper, book, broadcast, or othersimilar 8, form of public communication, in or affecting interstate or foreign 9- 0commerce. . (emphasis added). . .[unless] :. @ ;/ P(1) there is probable cause to believe that the person possessing such <0 `materials has committed or is committing the criminal offense towhich =2 pthe materials relate: Provided, however, That a government officer or >3 employee may not search for or seize such materials under theprovisions ?5 of this paragraph if the offense to which the materials relate consists @6 of the receipt, possession, communication, or withholding of such A7 materials or the information contained therein (but such a search or B8 seizure may be conducted under the provisions of this paragraph ifthe C: offense consists of the receipt, possession, or communication of D; information relating to the national defense, classified information, or E< restricted data under the provisions of section 793, 794, 797, or F= 0 G> @[page 75] H? PF I@ ` `p(@hh p HF798 of Title 18, or section 2274, 2275 or 2277 of this title, or section JA 783 of Title 50); or KB  LC (2) there is reason to believe that the immediate seizure of such MD materials is necessary to prevent the death of, or serious bodilyinjury NF to, a human being. OG  PH Thus, under 2000aa(a), there are three situations in whichgovernment QJ agents may search for or seize these materials without running afoulof RL the statute. First, the definition itself specifically excludes SM @contraband or the fruits or instrumentalities of a crime. 42 U.S.C. TN P2000aa7(b). As the drafting Committee noted, UO ` VP p[T]hese kinds of evidence are so intimately related to the commissionof WR a crime, and so often essential to securing a conviction, that they XS should be available for law enforcement purposes, and, therefore,must YU fall outside the no search rule that is applied to work product. ZV  [W S. Rep. 96874, 96th Cong., 2d Sess. 17, reprinted in 1980 U.S. Code \X Cong. & Admin. News 3964. In BBS cases, the most common objects ofthe ]Z warrantstolen access codes, child pornography, and illegally copied ^[ softwarewould clearly fall within the contraband exclusion, so thePPA _] 0would not affect a warrant drawn for these materials. `^ P a_ `In addition, as quoted above, the PPA creates two exceptions to the b` pgeneral prohibition against seizing "work product." One excepts ca situations in which life and limb are at stake. The other applies when db (1) the work product is evidence of crime, and (2) the person who ec possesses the materials probably committed it. Even so, this fd evidenceofcrime exception does not apply if the particular crime ge "consists of the receipt, possession, communication or withholding of hf such material....'' unless the work product was classified or ig restricted, and the offense is specifically listed in the PPA. 42 U.S.C.F jh  p(hii  HF2000aa(a)(1) and (b)(1). This general evidenceofcrime exception was ki intended to lj  mk 0codify a core principle of this section, which is to protect from search nl @only those persons involved in First Amendment activities who are om Pthemselves not implicated in the crime under investigation, and not to pn `shield those who participate in crime. qo p rp [page 76] sq  tr H.R. Rep. No. 1064, 96th Cong., 2d Sess. 7. To trigger the exception, us however, law enforcement officials are held to a higherthanusual vt requirement: they must show probable cause to believe the personwho wv holds the evidentiary materials is a suspect of the crimethe same xw showing of cause required for an arrest warrant. S. Rep. No. 874, 96th yxCong., 2d Sess. 11, reprinted in 1980 U.S. Code Cong. & Admin. News3950, zz3957. {{0 ||@It may, of course, be difficult to invoke this evidenceofcrime }}Pexception, particularly at early stages of the investigation. As the ~~`Supreme Court noted in Zurcher (and a number of commentators have preiterated since), a search warrant is often most useful early in an investigation when agents have probable cause to believe there is evidence on the premises, but are not ready to arrest any particular person. See Zurcher v. Stanford Daily, 436 U.S. at 561; Testimony of Richard J. Williams, Vice President, National District Attorney's Association, in Hearing before the Committee on the Judiciary, United States Senate, 96th Cong., 2d Sess. on S. 115, S. 1790, and S. 1816(Mar. 28, 1980) Serial No. 9659, at 1523.  The receivingstolenproperty exemptionwhich prevents agentsfrom using  the evidenceofcrime exception when the crime is receipt,possession, @communication, or withholding of the same work product materials  was `included to prevent law enforcement officials from classifying workF p(jj HFproduct as "stolen goods" to justify seizing it. The Committee report gave as its primary example the case of a reporter who receives an underthetable copy of a corporate memo discussing a defectiveproduct. Knowing the report to be stolen, the reporter might be guilty of receiving or possessing stolen property and thus unprotected by thePPA.  The Committee believed that it would unduly broaden the suspectexception  to use the reporter's crime of simple "possession" or "receipt" of the @materials (or the similar secondary crimes of "withholding" or P"communicating" the materials) as a vehicle for invoking theexception `when the reporter himself had not participated in the commission ofthe crimes through which the materials were obtained  H. Rep. No. 1064, 96th Cong., 2d Sess. 7 (emphasis added). In light of Congress's stated concern, perhaps this counterexception does notapply when anything more than simple possession is involved: that is, possession is combined with the mens rea necessary to constitutesome other offense (e.g.,   0[page 77] @ Ppossession with intent to defraud). See 18 U.S.C. 1029(a)(3) (making it `a crime to "knowingly and with intent to defraud" possess fifteen ormore pdevices which are counterfeit or unauthorized access devices); 18U.S.C. 1030(a)(6) (making it a crime to "knowingly and with intent todefraud" traffic in any password or similar information through which acomputer may be accessed without authorization).  3. Documentary MaterialsF p(kk  HFܿ 0In addition to protecting work product, the PPA covers a second,larger @class of items called "documentary materials." The statute definesthis `term in extraordinarily broad fashiona definition which coversalmost all forms of recorded information which are "... possessed by a personin connection with a purpose to disseminate to the public a newspaper,book, broadcast, or other similar form of public communication...." 42 U.S.C. 2000aa(b) (emphasis added). Specifically, "documentary materials" encompass  materials upon which information is recorded, and includes, but is not  limited to, written or printed materials, photographs, motion picture 0films, negatives, video tapes, audio tapes, and other mechanically, @magnetically or electronically recorded cards, tapes, or discs, butdoes Pnot include contraband or the fruits of a crime or things otherwise pcriminally possessed, or property designed or intended for use, orwhich is or has been used as, the means of committing a criminal offense.  42 U.S.C. 2000aa7(a).  As with "work product materials," the statute excludes from the definition of "documentary materials" any items which arecontraband or the fruits or instrumentalities of a crime. 42 U.S.C. 2000aa7(a). Further, the two exceptions to the workproduct search prohibition,  discussed above, also apply to searches for documentary materials:they 0may be searched and seized under warrant in order to (1) preventdeath or Pserious injury; or (2) to search for evidence of crime held by a suspect pof that crime. (This last exception includes all its attendant internal exemptions, examined above, relating to crimes of possession orreceipt.)F p(ll HFܿ  [page 78  Additionally, the PPA allows agents to get a warrant for documentary materials under two more circumstances found at 42 U.S.C. 2000aa(b):  0(3) there is reason to believe that the giving of notice pursuant to a @subpena duces tecum would result in the destruction, alteration, or Pconcealment of such materials; or ` p(4) such materials have not been produced in response to a courtorder directing compliance with a subpena duces tecum, and  (A) all appellate remedies have been exhausted; or  (B) there is reason to believe that the delay in an investigation or trial occasioned by further proceedings relating to the subpena would threaten the interests of justice.  In drawing these additional exceptions, Congress anticipated some ofthe  factors a court might consider in determining whether relevant @documentary materials could be lost to the government. These factors Pinclude whether there is (1) a close relationship (personal, family, or `business) between the suspect and the person who holds thematerial, or p(2) evidence that someone may hide, move, or destroy it. S. Rep. 96  874, 96th Cong., 2d Sess. 13, reprinted in U.S. Code Cong. & Admin. News3950, 395960.  4. Computer Searches and the Privacy Protection Act   The Privacy Protection Act only applies to situations where law  enforcement officers are searching or seizing (1) work product60p(mm@ H6materials  0possessed by a person reasonably believed to have a purpose to  `disseminate to the public a newspaper, book, broadcast, or othersimilar  pform of public communication; or (2) documentary materialspossessed by a person in connection with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication. 42 U.S.C.  [page 79]   2000aa(a) and (b). Before the computer revolution, the statute's most obvious application was to traditional publishers, such as newspaperor  book publishers. The legislative history makes clear, however, thatthe @PPA was not intended to apply solely to the traditional news mediabut `was meant to have a more sweeping application. As thenAssistantAttorney General for the Criminal Division Phillip B. Heymann testified:  While we considered the option of a pressonly bill, this format was  rejected partially because of the extreme difficulties of arriving at a !workable definition of the press, but more importantly because theFirst #Amendment pursuits of others who are not members of the press $establishment are equally as important and equally as susceptible tothe &chilling effect of governmental searches as are those of members ofthe (0news media. )P *`H. Rep. No. 1064, 96th Cong., 2d Sess., Transcript of Statement on File, +pat 4. , -With the widespread proliferation of personal computers, desktop .publishing, and BBS services, virtually anyone with a personalcomputerF 0p(0nn HFand modem can disseminate to other members of the public(especially 2those who have appropriate hardware and software) a "newspaper ...or 4other similar form of public communication." Thus, the scope of thePPA 6 may have been greatly expanded as a practical consequence of the 7@revolution in information technologya result which was probablynot 9Penvisioned by the Act's drafters. :p ;Before searching any BBS, therefore, agents must carefully considerthe =restrictions of the PPA, along with its exceptions. Additionally, they >should include any information bearing on the applicability of this ?statute (and its many exceptions and subexceptions) in the warrant @affidavit. That said, it is also important to recognize that not every Asysop who possesses information necessarily has an intent todisseminate Cit to the public. Nor is every BBS engaged in a "similar form of public Dcommunication." E  F0a. The Reasonable Belief Standard G@ HPWhen addressing work product materials, the statute, by its terms,only J`applies when the materials are possessed by a person "reasonablybelieved L M[page 80] N Oto have a purpose to disseminate to the public a newspaper, book, Pbroadcast, or other similar form of public communication." 42 U.S.C. Q2000aa(a). In non~computer contexts, the courts have concluded thatit is Snot enough just to possess materials a professional reporter might Tpossess. In addition, there must be some indication the personintended !V to disseminate them. In Lambert v. Polk County, Iowa, 723 F. Supp.128F "X@Pp(Xoo` HF(S.D. Iowa 1989), for example, the plaintiff Lambert captured a fatal #Ypbeating on videotape. Police investigating the incident seized the tape $Zfrom Lambert and, shortly thereafter, Lambert contracted to sell thetape %\to a local television station. After the police refused to relinquish the &]tape, the television station and Lambert sued for injunctive relief '^claiming, among other things, a violation of 42 U.S.C. 2000aa. Whilethe (`district court granted relief on other grounds, it held that neither the )atelevision station nor Lambert was likely to prevail on a 42 U.S.C. *b2000aa claim. The television station was not the aggrieved party, and +c"there was nothing about the way Lambert presented himself [to the ,d officers] that would have led them to reasonably believe thatLambert's -f0purpose was to make a dissemination of the videotape to the public." .gPLambert, 723 F. Supp. at 132. But cf. Minneapolis Star & Tribune Co. v. /h`United States, 713 F. Supp. 1308 (D. Minn. 1989)(plaintiffs from whom 0ipvideotapes were seized at robbery scene were successful in PPA claim 1jbecause agents apparently had independent knowledge that plaintiffs 2krepresented the established media). 3l 4mThe reasonable belief standard was also important in the districtcourt 5oopinion in Steve Jackson Games v. United States, 816 F. Supp. 432 (W.D. 6pTex. 1993), appeal filed on other grounds, (Sept. 17, 1993). To 7qunderstand the scope of this opinion, it is important to put it in the 8rcontext of its facts. In early 1990, the United States Secret Service 9sbegan investigating potential federal computer crimes under 18 U.S.C. :t 1030. The Secret Service learned that a Bell South computer systemhad ;v0been invaded, and that the computer hackers were attempting todecrypt <xPpasswords which would allow them into computer systems belongingto the =zpDepartment of Defense. >{ ?|During the course of this investigation, the Secret Service received @}information implicating an individual who was employed by SteveJackson AGames, a Texas company that published books, magazines, box games,6p(pp H6and Brelated products. Steve Jackson Games used computers for a varietyof Cbusiness purposes, including operating an electronic bulletin board D0system ("BBS"). The Secret Service was informed that the suspect wasone E@of the sysops of the Steve Jackson Games BBS, and that he coulddelete F`any documents or information in the Steve Jackson Games computersand Gbulletin H I[page 81] J Kboard. Even so, none of the other sysops nor the company itself wasever La suspect in the investigation. M  N On February 28, 1990, the Secret Service obtained a federal warrantto O search the offices of Steve Jackson Games and to seize variouscomputer P @materials. The warrant covered: Q ` R pComputer hardware * * * and computer software * * * and writtenmaterial S and documents relating to the use of the computer system,documentation T relating to the attacking of computers and advertising the results of U computer attacks * * *, and financial documents and licensinginformation V relative to the computer programs and equipment at [the company's W offices] which constitute evidence, instrumentalities and fruits of X!federal crimes, including interstate transportation of stolen property Y!(18 U.S.C. 2314) and interstate transportation of computer access Z! information (18 U.S.C. 1030(a)(6)). This warrant is for the seizure of [!0the above described computer and computer data and for theauthorization \!@to read information stored and contained in the above describedcomputerF ]!`!pp(qq! HFand computer data. ^! _!The Secret Service executed the warrant on March 1, 1990. The agents `!seized two of thirteen functioning computers, and one othercomputer that a!was disassembled for repair. The Secret Service also seized a large b!number of floppy disks, a printer, other computer components, and c!computer software documentation. Steve Jackson Games immediately d"requested the return of the seized materials, but the agency retained e"most of the materials for several months before returning them. No f" criminal charges were brought as a result of this investigation. g"0 h"@In May 1991, plaintiffs (Steve Jackson Games; the company's ownerand i"Psole shareholder, Steve Jackson; and several individual users of the j"pcompany's BBS) filed suit against the Secret Service and the United k"States, alleging violations of the Privacy Protection Act. They also l"claimed violations of the Stored Electronic Communications Statute, m"discussed in greater detail at "STORED ELECTRONIC COMMUNICATIONS,"infra n"p. 85. o" p"Following a bench trial, the court determined that the defendants had q"violated the Privacy Protection Act. The court held that the materials r#seized by the Secret Service (in particular, the draft of a book aboutto s#be published) t#0 u#@[page 82] v#P w#`included "work product materials" and "documentary materials"protected x#pby the Privacy Protection Act. The court decided that seizing these y#materials did not immediately violate the statute, however, becauseat z#the time of the seizure, the agents did not (in the language of the {#statute) "reasonably believe[]" that Steve Jackson Games "ha[d] apurpose |#to disseminate to the public a news~paper, book, broadcast, or other }#similar form of public communication * * * ." This was true even6$p(rr$ H6though ~$"only a few hours of investigation" would have revealed it. Id. at 440 $0n.8. However, the court held that a violation did occur on the dayafter $@the search when at least one agent learned the materials wereprotected $`by the statute and failed to return them promptly. $ $b. Similar Form of Public Communication $ $As noted above, the PPA applies only when the materials arepossessed by $a person reasonably believed to have a purpose to disseminate to the $public "a newspaper, book, broadcast, or other similar form of public $communication." 42 U.S.C. 2000aa (emphasis added). Not every BBSwill %satisfy this standard. For example, a BBS that supplies unauthorized % access codes to a small group of phone phreakers is not disseminating %0information to the public, nor is it engaging in a form of public %@communication similar to a newspaper. (Of course, the contraband %Pexception will probably also apply in such a case). %` %pThe exact scope of the PPA remains uncertain, and the recent opinionin %Steve Jackson Games does not clarify the issue. There the court founda %cognizable PPA violation arising from the Secret Service's search and %prolonged seizure of the successive drafts of a book Steve Jacksonwas %soon to publish. But, just as important, the court did not hold that %seizing the Steve Jackson BBS likewise violated the statute. Instead,the &court held that "[i]n any event, it is the seizure of the 'work product & materials' that leads to the liability of the United States Secret &0Service and the United States in this case." 816 F. Supp at 441. Indeed, &@one of the attorneys who represented Steve Jackson Games reached a &Psimilar conclusion: &` &pThough the results in the SJG case were very good on balance, acouple ofF &&p(ss& HFmajor BBS issues were left for better resolution on another day....[One &issue] is the finding that SJG was a & &[page 83] & ''publisher' for purposes of the PPA. This holding ... leaves the 'applicability of the PPA largely undetermined for other BBS'. Steve ' Jackson Games was a print publisher, and its computers were used to '0support the print publishing operation. What about BBS' that publish '@their information in electronic form only? What about BBS' that do not 'Ppublish anything themselves in the traditional sense, but host public '`conferences? The SJG case simply does not give guidance on when a 'pnonprinting BBS qualifies as a publisher or journalistic operation for 'purposes of PPA protection. Rose, Steve Jackson Games Decision Stopsthe 'Insanity, Boardwatch, May 1993, at 53, 57.  '  'c. Unique Problems: Unknown Targets and Commingled Materials  '  'Applying the PPA to computer BBS searches is especially difficult fortwo 'reasons. First, early in an investigation, it is often impossible to tell (whether the BBS sysop is involved in the crime under investigation.But ( unless agents have probable cause to arrest the sysop at the time ofthe (@search, the evidenceheldbyatarget exception in 42 U.S.C. 2000aa (`would not apply. (p (Second, because most computers store thousands of pages ofinformation, (targets can easily mix contraband with protected work product or (documentary materials. For example, a BBS trafficking in illegallycopied (software (which, along with the computers used to make the copies,is (subject to forfeiture) may also be publishing a newsletter on stamp )collecting. If agents seized the computer (or even all the data), the )seizure would necessarily include both the pirated software and theF  ) ) p( tt)0 HFnewsletter. Assuming the stampcollectors' newsletter wascompletely ")@unrelated to the criminal copyright violations and also that it qualified #)`as a "similar form of public communication," the seizure might violate $)pthe plain wording of the PPA. %) &)There are, as yet, no cases addressing the status of PPAprotected ')materials which are commingled with contraband or evidence ofcrime. ))However, in construing the Fourth Amendment, the courts haverecognized +)that there is sometimes no practical alternative to seizing ,)nonevidentiary items and sorting them out later. See National City -*Trading Corp. v. United States, 635 .* /* [page 84] 0*0 1*@F.2d 1020 (2d Cir. 1980)(space used by a law office and by a targeted 2*Pbusiness operation was so commingled that the entire suite, reallybeing 4*`one set of offices, was properly subject to search); United States v. 5*Hillyard, 677 F.2d 1336, 1340 (9th Cir. 1982)("Cases may arise in which 6*stolen goods are intermingled with and practically indistinguishablefrom 8*legitimate goods. If commingling prevents on site inspection, and no 9*practical alternative exists, the entire property may be seizable, at :*least temporarily."); United States v. Tropp, 725 F. Supp. 482, 48788 ;*(D. Wyo. 1989)("Some evidence not pertinent to the warrant wasseized ... =*only because it had been commingled or misfiled with relevantdocuments. ?+That evidence was returned.... In sum, the search warrant comportedwith A+0the mandate of the Fourth Amendment and the search conductedpursuant C+Pthereto was not unreasonable."). (For a more extensive discussion of D+pcommingled materials and offsite searches, see "DECIDING WHETHERTO F+CONDUCT THE SEARCH ONSITE OR TO REMOVE HARDWARE TO ANOTHERLOCATION,"F H++p(Huu+ HFsupra p. 55.) Of course, these commingling cases involve the Fourth I+Amendment, not 42 U.S.C. 2000aa, and it remains to be seen whetherthese K+holdings will apply to the Privacy Protection Act L, M,5. Approval of Deputy Assistant Attorney General Required N,  O,0On September 15, 1993, Deputy Attorney General Philip B. Heymannissued a Q,@memorandum which requires that all applications for a warrant issued R,`under 42 U.S.C. 2000aa(a) must be authorized by the AssistantAttorney T,pGeneral for the Criminal Division (AAG), upon the recommendation ofthe V,U.S. Attorney or (for direct Department of Justice cases) thesupervising X,Department of Justice attorney. Y, Z,On December 9, 1993, Jo Ann Harris, the Assistant Attorney General(AAG) \,for the Criminal Division, delegated this authority by memorandum tothe ^-Deputy Assistant Attorneys General of the Criminal Division. There are _-0emergency procedures for expediting the approval in cases whichrequire a-@it. All requests for authorizationemergency or routineshould be b-`directed to the Chief, Legal Support Unit of the Office of Enforcement c-pOperations in the Criminal Division (2025140856). d- e-If agents or prosecutors are planning a search and seizure ofelectronic g-evidence in a case in which the PPA may apply, we urge them tocontact i-the j- k-[page 85] l. m.Computer Crime Unit (2025141026) immediately to discuss the n. investigation and any new legal developments in this area. o.0F p.@.@p(pvv.P HFC. STORED ELECTRONIC COMMUNICATIONS q.` r.pThere are special statutory rules protecting some electronic s.communications in electronic storage. Anyone who provides anelectronic u.communication service or remote computing services to the public, is v.prohibited by 18 U.S.C. 2702 from voluntarily disclosing the contentsof x.the electronic communications it stores or maintains on the service. A y."remote computing service" means the provision to the public ofcomputer {.storage or processing services by means of an electroniccommunications}/system. 18 U.S.C. 2711(2).~/0/@It is not entirely clear what sorts of electronic communicationsservices/Pwill be found to provide "public" service. Generally speaking, "public"/pmeans available to all who seek the service, even if there is some/requirement, such as a fee. It is probably safe to assume that any/service permitting "guest" or "visitor" access is "public." On the other/hand, the term should not be read to cover business networks openonly to/employees for company business. If that business network isconnected to /the Internet (an extensive worldwide network), it may be part of a /"public" system, but this does not necessarily mean that thecorporate 0LAN (localarea network) becomes a "public" service. 0  00There are several important exceptions to 2702's nondisclosure rule,0@including (1) a provision under 18 U.S.C. 2702(b)(3) allowing a person0Por entity to disclose the contents of a communication with the lawful0`consent of the originator, an addressee, or the intended recipient of0psuch communication (or the subscriber in the case of a remotecomputing0service), and (2) a provision under 18 U.S.C. 2702(b)(6) allowing0disclosure to a law enforcement agency if the contents wereinadvertently0obtained and appear to pertain to the commission of a crime.F00p(ww0 HFܿ0For the government to obtain access to a "stored electronic1communication," it must follow the dictates of 18 U.S.C. 2703, which1sets out different rules depending upon how long the particular1 communication has been in electronic storage. That section providesthat10"a governmental entity1P1`[pshr 86]1p1may require the disclosure by a provider of electronic communication1service of the contents of an electronic communication, that is in 1electronic storage ... for one hundred and eighty days or less, only!1pursuant to a warrant issued under the Federal Rules of Criminal"1Procedure or equivalent state warrant." 18 U.S.C. 2703(a) (emphasis#1added). If the information has been stored for more than 180 days,$1prosecutors may use either a Rule 41 search warrant (without noticeto%1the customer or subscriber) or an administrative subpoena, grand jury&2subpoena, trial subpoena, or a court order pursuant to 18 U.S.C. 2703(d)'2 (with notice to the customer or subscriber).(2@)2PThe two terms underlined above merit further discussion. First of all,it*2`is important to note that not all electronically stored communications+2are covered by this section. The electronic communication must be,2transmitted on a system that affects interstate or foreign commerce,18-2U.S.C. 2510(12), and must be in electronic storage. "Electronicstorage".2means any temporary, intermediate storage of a wire or electronic/2communication incidental to the electronic transmission thereof orany02backup of this communication. 18 U.S.C. 2510(17).1323 To understand the importance of this definition, it is critical to know330how electronic mail works. Generally speaking, email messages arenot43@transmitted directly from the sender's machine to the recipient'sF53`3`p(xx3p HFmachine; rather, the email message goes from the sending machineto an63email server where it is stored (i.e., kept in "electronic storage"). A73message is then sent from the server to the addressee indicating thata83message for the addressee has been stored. The actual messageremains on93the server, however, until the addressee retrieves it by having a copy:3sent to his machine. Often, both the sender and receiver can deletethe;4email from the server.<4 =40Section 2703 protects the electronic communication while it is storedin>4@the server in this intermediate state.8 Once a message is opened,?4`however, its storage is no longer "temporary" nor "incidental to. .@4p.transmission," and it thus takes on the legal character of all otherA4stored data. Therefore, the statuteB4C4[page 87]D4E48 When a sysop backs up the mail server to protect against systemF4failure, all emails stored on the server will be copied. Thus, if theG4email is later deleted from the server, the backup copy remains. TheH4statute protects this copy as well. 18 U.S.C. 2510(17)(B).I5J5does not apply to all stored communications, such as word processingK5 files residing on a hard drive, even when these files were onceL50transmitted via e~mail.M5@N5PThe other highlighted term"require the disclosure"seems tosuggestO5`that 2703 only applies when the government seeks to compel theserviceP5provider to produce the electronic mail, not when government agentsQ5actually seize it. With this in mind, the statute's crossreference toR5Rule 41 is confusing, because Rule 41 authorizes the government toS5"seize" items, not to "require [their] disclosure." To speak in terms ofT5requiring the disclosure of electronic mail, rather than of seizing it,U5seems to connote a process of serving subpoenas, not of executingFV55p(yy6 HFwarrants.W6X6 On the other hand, Congress may have simply assumed that mostsystemY60providers would be disinterested in the "search," and that, as aZ6Ppractical matter, the service provider would actually retrieve andturn[6`over to the government those files of suspectusers listed in the\6warrant. In mentioning Rule 41, Congress may not have been focusingon]6who would actually do the retrieval, but rather on what level of proof^6would be required before electronic communications in electronicstorage_6could be procured for a criminal investigation. Therefore, the statute's`6references to warrants and Rule 41 seem designed to insure that, noa6matter who actually searches the system, the government will beheld to ab7probablecause standardeven if the system provider would havebeen justc7 as willing to honor a subpoena. See H.R. Rep. No. 647, 99th Cong., 2dd7@Sess., at 68 ("The Committee required the government to obtain asearche7Pwarrant because it concluded that the contents of a message instoragef7pwere protected by the Fourth Amendment.... To the extent that therecordg7is kept beyond [180 days] it is closer to a regular business recordh7maintained by a third party and, therefore, deserving of a differenti7standard of protection.").j7k7Indeed, it is entirely reasonable to read this statute as Congress'sl7effort to regulate primarily the duties of service providers to protectm8the privacy of their subscribers in regard to all third parties,n 8including law enforcement. The statute may not have fullycontemplatedo 8 those cases in which the system provider (rather than the subscriber)is,p 8@or may be, implicated in the criminal investigation.q8`r8pThere is, unfortunately, no case law clearly addressing this issue. In aFs88p(zz8 HFrecent civil suit, the government was held liable for seizing electronict8mail onu8v8[page 88]w8x8an electronic bulletin board service (BBS), even though the agents haday8valid warrant.9 Steve Jackson Games. Inc. v. U.S. Secret Service, 816 F.z9Supp. 432 (W.D. Tex. 1993), appeal filed on other grounds, (Sept. 17,{9 1993). In that case, plaintiffs sued following a search by the Secret|90Service of computers and other electronic storage devices whichbelonged}9@to the company. (For a more complete description of the facts of the~9`case, see the discussion at p. 80.) One of the computers seized by the9pSecret Service was the computer used by Steve Jackson Games tooperate 9its BBS. The hard disk of the BBS computer contained a number ofprivate"9email messages, some of which had not yet been accessed by their#9addressees. The district court found that the Secret Service read e  mail%9messages on the computer and subsequently deleted certaininformation and'9communications, either intentionally or accidentally, before returning(:the computer to Steve Jackson Games. Id. at 441. Here, the court held): that the Secret Service "exceeded the Government's authority underthe+:0statute" by seizing and examining the contents of "all of theelectronic-:Pcommunications stored in the [company's] bulletin board" without.:pcomplying with the statute's requirements for government access.The0:court's opinion never addressed, however, the interplay between 2703 and2:Rule 41, so it sheds no light on the proper interpretation of 2703(a).3:In fact, the court never cited 2703(a) at all. Instead, the court4:discussed the requirements of 2703(d), a provision that allows the5:government to get a court order, upon a showing that thecommunication7:sought is relevant to a legitimate law enforcement inquiry, when theF8;;p(8{{;  HFcommunication has been in storage more than 180 days or is held by a9;0remote computing service. (The court did not find how long thesearched;;@communications were in storage, but did hold that Steve Jackson wasa=;`remote computing service.) Even under this lesser standard 2703(a)>;requires a search warrant based upon probable causethe court heldthat@;the government's search was improper, noting that the governmentdid notB;advise the magistrate, by affidavit or otherwise, that the BBScontainedD;private electronic communications between users, nor how thedisclosureF;of the contents of those communications related to the investigation.G<H< In most cases, of course, the electronic communications sought willbe inJ<0storage 180 days or less, and, therefore, may be obtained "onlypursuantLVI. DRAFTING THE WARRANTf>g> A. DRAFTING A WARRANT TO SEIZE HARDWAREh>0i>@If a computer component is contraband, an instrumentality of theoffense,k>Por evidence, the focus of the warrant should be on the computercomponentm>pitself and not on the information it contains. The warrant should be asn>specific as possible about which computer components to seize and,o>consistent with other types of warrants, it should describe the itemtoq>be seized in as much detail as possible, especially if there may be twor>or more computers at the scene. Include, where possible, thes>manufacturer, model number, and any other identifying informationt>regarding the device. (For further information, see "SAMPLE COMPUTERu?LANGUAGE FOR SEARCH WARRANTS," APPENDIX A, p. 125.)v?w? It may also be appropriateto seek a "noknock" warrant in caseswherey?0knocking and announcing may cause (1) the officer or any otherindividual{?Pto be hurt; (2) the suspect to flee; or (3) the evidence to be destroyed.|?p(See "Seeking Authority for a NoKnock Warrant," infra p. 100.)}?~?In computer cases, the evidence is especially perishable, and agents?should never underestimate the subjects of the investigation. Theymay be?knowledgeable about telecommunications and may have anticipated asearch.?As a result, computers and memory devices on telephone speeddialers may?be "boobytrapped" to erase if they are improperly entered or if the@power is cut off.@ F@0@0p(}}@@ HF[page 92]@P@`B. DRAFTING A WARRANT TO SEIZE INFORMATION@p@1. Describing the Place to be Searched@@Until recently, when a warrant specified where a search was to occur,the@exercise was bound by physical laws: agents took objects they couldcarry@from places they could touch. But computers create a "virtual" world@where data exists "in effect or essence though not in actual fact orAform." The American Heritage Dictionary, (2d ed. 1983).AA Rule 41(a) failed to anticipate the creation of this "virtual" world. ByA0its very terms, a warrant may be issued "for a search of property ...A@within the district." Specifically, it provides that,APA`Upon the request of a federal law enforcement officer or an attorneyforApthe government, a search warrant authorized by this rule may beissuedA(1) by a federal magistrate, or a state court of record within theAfederal district, for a search of property or for a person within theAdistrict and (2) by a federal magistrate for a search of property or forAa person either within or outside the district if the property or personAis within the district when the warrant is sought but might moveoutsideAthe district before the warrant is executed.BB Fed. R. Crim. P. 41(a)(emphasis added).B0B@In a networked environment, however, the physical location of storedBPinformation may be unknown. For example, an informant indicatesthat theB`business where he works has a duplicate set of books used to defraudtheBInternal Revenue Service. He has seen these books on his computerBterminal in his Manhattan office. Based upon this information, agentsBobtain a warrant in the Southern District of New York authorizing aFBBp(~~B HFsearch for, and seizure of, these records. With the informant's help,Bagents access his computer workstation, bring up the incriminatingBdocuments, and copy them to a diskette.CC[page 93]C C0Unfortunately, unbeknownst to the agents, prosecutor, or informant,theC@file server that held those documents was physically located inanotherC`office, building, district, state, or country.10CCThere are, under Rule 41, at least three variations on this problem.CFirst, information is stored offsite, and agents know this second siteCis within the same district. Second, information is stored offsite, butCthis second site is outside the district. Third, information is storedCoffsite, but its location is unknown.CCa. General Rule: Obtain a Second WarrantDDWhenever agents know that the information is stored at a locationotherD than the one described in the warrant, they should obtain a secondD@warrant. In some cases, that will mean going to another federalDPdistrictnearby or across the country. If the data is locatedoverseas,D`the Criminal Division's Office of International Affairs (2025140000)Dand our foreign law enforcement counterparts can assist in obtainingandDexecuting the foreign warrant. The Computer Crime Unit (202514  1026) canDhelp in expediting international computer crime investigations.D Db. Handling Multiple Sites within the Same District D EAssuming that the server was simply in another office on the samefloor, Ethe warrant might well be broad enough to cover the search. Indeed,even E0with physical searches, courts have sometimes allowed a second butFEPEPp(E` HFrelated search to be covered by one warrant. In United States v. Judd,Ep687 F. Supp. 1052, 10579 (N.D. Miss. 1988), aff'd 889 F.2d 1410 (5thECir. 1989), cert. denied,EE10 In this example, the storage of information in an outofdistrictEserver was fortuitous; i.e., a product of the network architecture. InEfact, hackers may deliberately store their information remotely. ThisEallows them to recover after their personal computers fail(essentiallyEby creating offsite backup copies). Additionally, if agents seize aFhacker's personal computer, no evidence will be found, and the hackercanFstill copy or destroy the remotely stored data by accessing it fromF0another computer.F@FPF`[page 94]FpF494 U.S. 1036 (1989), the FBI executed a search warrant for records atFAddress #1, and learned that additional records were located atAddress F#2. Without obtaining a second warrant, and relying only on the first,!Fthe agents entered Address #2 and seized the additional records."F#FThe district court framed the question like this: was the partially$Fincorrect description in the warrant sufficient to include bothbusiness%Gaddresses, which in this case, happened to be in the same building?The&G court held that since Address #2 was "part" of Address #l, and sincethey'G@were both used for the business pursuits of the same company, thesearch(G`was proper. See also United States v. Prout, 526 F.2d 380, 388 (5thCir.))G(search of adjacent separate apartment that was omitted from thewarrant*Gwas proper), cert. denied, 429 U.S. 840 (1976).+G,GIt becomes more problematic when the server is in another building,6Gp(G H6one-Gclearly not described in the warrant. In situations where a second.Hwarrant was not obtained, there is still an argument that remotely/H accessing information from a computer named in the warrant doesnot0H0violate Fourth Amendment law. See discussion of United States v.1HPRodriguez, infra.2H`3Hpc. Handling Multiple Sites in Different Districts4 H5 HWhat if, unbeknownst to the agents executing the search warrant,the6 Hproperty seized was located in another district? Although the defense7 Hcould argue that the court lacked jurisdiction to issue the warrant,the8Hagents executing the warrant never left the district in which thewarrant9Hwas issued. Moreover, in some cases, it may be difficult, if not:Iimpossible, to ascertain the physical location of a given file serverand;I obtain the evidence any other way. In these cases, prosecutorsshould<I@argue that the warrant authorized the seizure.=I`>IpIf agents have reason to believe the second computer may be in a?Idifferent district, however, the issue should be addressed with the@Imagistrate. While some courts may strictly construe the language ofRuleAI41 and require data to be retrieved only from the district where itBIpermanently resides, other courts may follow the logic of the recentCISecond Circuit case United States v. Rodriguez, 968 F.2d 130 (2d Cir.),DIcert. denied, 113 S. Ct. 140 (1992). Although that case addressed theE Iissue of "place" under the wiretap statute (18F!JG"J[page 95]H#J I$J0U.S.C. 2518) and not under Rule 41, the constraints of the statutewereJ&J@quite similar. ("Upon such application the judge may enter an ex parteK'J`order ... approving interception ... within the territorial jurisdictionFL(JpJpp((J HFof the court in which the judge is sitting.... ")M)JN*JIn Rodriguez, the Second Circuit held that a wiretap occurs in twoplacesO,Jsimultaneously: the place where the tapped phone is located and theplaceP.Jwhere law enforcement overhears it. If those two places are indifferentQ0Jjurisdictions, a judge in either one can authorize the interception. InR1Kthis case, the DEA was tapping several phones in New York from itsS2K Manhattan headquarters. In addition, they tapped a phone in NewJersey byT4K0leasing a phone line from the service carrier and running it to thesameU6KPNew York office from which they monitored all the calls on all thelines.V8KpThe court cited "sound policy reasons" for allowing one court toW9Kauthorize all the taps, since all the reception and monitoring occurredX:Kin that same jurisdiction.Y;KZ<KIf the DEA can lease a phone line running from New Jersey to NewYork in[>Korder to consolidate its efforts, courts may also find it completely\?Kreasonable lo conclude that computer network data searches, like]@Ltelecommunications interceptions, can occur in more than one place.^AL_BL d. Information at an Unknown Site`CL0aDL@Unfortunately, it may be impossible to isolate the location ofbELPinformation. What then? Does a warrant authorizing the search andseizurecGL`of one computer automatically allow agents to search and seize anydatadILthat it has sent to other computers? If the original warrant does noteJLallow investigators to physically enter another building and searchfKLanother computer, does it permit them to "go" there electronically,usinggMLas their vehicle only the computer that they have been authorized tohNLsearch? What if the other computer is physically located in anotheriOLdistrict? Finally, if the warrant does not authorize seizing the offsiteFjPMMp(PM HFdata (no matter how it is obtained), are there circumstances underwhichkRM it could be taken without a warrant?lSM@mTMPIf agents have reason to believe there is offsite storage but no waytonVM`identify the site, they should tell the magistrate. Of course, theoWMstandard to use in evaluating a description in the warrant is whetherpXM"the description is suchqYMrZM[page 96s[Mt\Mthat the officer with a search warrant can, with reasonable effortu]Mascertain and identify the place intended." Steele v. United States,267v_MU.S. 498, 503 (1925). See also United States v. Darensbourg, 520 F.2dw`N985, 987 (5th Cir. 1975), quoting United States v. Sklaroff, 323 F. Supp.xaN 296, 321 (S.D. Fla. 1971).ybN0zcN@Drawing upon Steele, it may be prudent for the warrant to specifically{dNPinclude any data stored offsite in devices which the subjectcomputer|fN`has been configured by its operator to readily access, and which have}gNbeen regularly used as a component of the subject computer. This ismore~iNlikely to be upheld if the government has reason to believe thesuspectkNis using an offsite computer and has no way to determine where itis,mNeither geographically or electronically, until the suspect's computer isnNexamined. In such cases, the affidavit should indicate why a completeoOaddress is not available, including any attempts that have been madetoqOget the information (e.g., informants, undercover agents, penregisters,sO0electronic or video surveillance) on the subject computer. It will betOPimportant to show a clear relationship between the computerdescribed invO`the warrant and the second computer at the different location. If thewOsecond computer is somewhere in the same district, that also holds6Op(xO H6theyOsecond data search closer to the physical terms of Rule 41.zO{Oe. Information/Devices Which Have Been Moved|O}OWhat happens if the targets: (1) move computers and storage devices(diskPdrives, floppies, etc.) between two or more districts (e.g., a laptopP computer); or (2) transmit data to offsite devices located in anotherP0district?P@PPUnder Rule 41(a)(2), a magistrate in one district can issue a warrant toP`be executed in another district provided the property was "within"PpDistrict A when the warrant was issued. Again, this rule is relativelyPeasy to apply when physical devices are the object of the search. ButhowPdoes that rule apply to electronic data? If a suspect creates data inPDistrict A and uploads11 that dataPP11 "Upload" means to transfer data from a user's system to a remotePcomputer system. Wehster's, supra. Of course, only a copy istransferred,Pand the original remains on the user's machine. It may be significanttoQsearch for the uploaded data even if the original has been seized. ForQ0example, the user may have altered the original.Q@QPQ`[page 97]QpQto a computer in District B, has he "moved" it between districts, thusQauthorizing a District A magistrate to issue a warrant for a search ofQthe District B computer, even though the District B computer wasneverQphysically transported from or even located in District A?QQThe key to resolving these issues is understanding what agents areQseizing. If they are going to seize the computer hardware in District BRto get the data, they must get a warrant in District B (after all, theRDistrict B computer was never moved). If agents are simply copying6R p(R0 H6data,R however, it could be argued that the data uploaded from District A toRPDistrict B is property that has been moved. Since the item to be seizedR`is data and not its storage device, the "within the district"requirementRpis fulfilled.RR2. Describing the Items to be SeizedRRWhen the evidence consists of information in a computer system, buttheRcomputer itself is not an instrumentality of the offense or otherwiseRseizable, the hardware is simply a storage device. First and foremost,Sall technical matters aside, searching the computer is conceptuallySsimilar to searching a file cabinet for papers. One importantdifferenceS is that while the storage capacity of a file cabinet is limited, theS@storage capacity of computers continues to increase. A standardSP40megabyte hard drive contains approximately 20,000 pages ofS`information, and 200+ megabyte drives are already quite common.SpTherefore, although the computer itself is no more important to anSinvestigation than the old cabinet was, the technology maycomplicateSenormously the process of extracting the information.SSBearing this analogy in mind, if agents have probable cause only fortheSdocuments in the computer and not for the box itself, they shoulddraftSthe warrant with the same degree of specificity as for any otherdocumentTor business record in a similar situation. For example, the detail usedT0to describe a paper sales receipt (for a certain product sold on aT@certain date) should not be any less specific merely because therecordTPis electronic.TpTAs with other kinds of document cases, the breadth of a warrant'sTauthority to search through a suspect's computer will depend on theTbreadth of the criminality. Where there is probable cause to believe6Tp(T H6thatTan enterpriseTT[page 98]UUis pervasively illegal, the warrant will authorize the seizure ofrecordsU (both paper and electronic) far more extensively than if probablecauseU@is narrow and specific. "When there is probable cause to seize allU`[items], the warrant may be broad because it is unnecessary toUpdistinguish things that may be taken from things that must be leftUundisturbed." United States v. Bentley, 825 F.2d 1104, 1110 (7th Cir.),Ucert. denied, 484 U.S. 901 (1987). But by the same token, "[w]hen theUprobable cause covers fewer documents in a system of files, thewarrantUmust be more confined and tell officers how to separate documentsto beUseized from others." Id. at 1110. See also Application of LafayetteUAcademy, Inc., 610 F.2d 1 (lst Cir. 1979). There is nothing about theVnature of searching for documents on a computer which changes thisVunderlying legal analysis. Each warrant must be crafted broadly orV specifically according to the extent of the probable cause, and itshouldV0focus on the content of the relevant documents rather than on thestorageVPdevices which may contain them.VpVThe difficulties arise when, armed with a narrow and specific warrant,Vagents begin the search. If agents know exactly what they arelooking forV(a certain letter; a voucher filed on a particular date), it may beVsimple enough to state it in the warrant. But because computers, likeVfile cabinets, can store thousands of pages of information, thespecificVletter may be much easier to describe than to find. Some may argue,withWgood reason, that the sheer volume of evidence makes it impracticaltoW search on site. (For a more extensive discussion of these issues, seeFW@W@p(WP HF"DECIDING WHETHER TO CONDUCT THE SEARCH ONSITE OR TO REMOVEHARDWARE TOW`ANOTHER LOCATION," supra p. 55.)WWEven so, the volumeofevidence argument, by itself, may not justifyWseizing all the information storage devicesor even all of theWinformation on themwhen only some of it is relevant. In In Re GrandWJury Subpoena Duces Tecum Dated November 15. 1993, 846 F. Supp. 1 1W(S.D.N.Y. 1994), the district court applied a similar analysis to a grandWjury subpoena for digital storage devices. In that case, thegovernmentWhad subpoenaed the central processing units, hard disks, floppy disks,Xand any other storage devices supplied by the target corporation ("XX Corporation") to specified officers and employees of the corporation.OfX0course, these storage devices also contained unrelated information,XPincluding some that was quite personal: an employee's will andindividualX`financial records and information. When "X Corporation" moved toquashXthe subpoena, the government acknowledged that searching thestorageXdevices by 'key word' would identify the relevant documents for thegrandXjury's investigation. Even so, prosecutors continued to argue for X X[page 99] Y Yenforcement of the subpoena as written, particularly because thegrandY jury was also investigating the corporation for obstruction of justice.Y@In quashing the subpoena, the judge clearly distinguished betweenYPdocuments or records and the computer devices which contain them.Y`YpThe subpoena at issue here is not framed in terms of specifiedcategoriesYof information. Rather, it demands specified information storageYdevices.... Implicit in [an earlier case] is a determination thatYsubpoenas properly are interpreted as seeking categories of paperYdocuments, not categories of filing cabinets. Because it is easier in6Yp(Y H6theYcomputer age to separate relevant from irrelevant documents, [the]Zontological choice between filing cabinets and paper documents hasevenZgreater force when applied to the modern analogues of these earlierZ0methods of storing information. Z@ ZPAlthough the judge found that investigating the corporation for  Z`"obstruction and related charges indeed justifies a commensurately !Zpbroader subpoena ...," he declined to modify, rather than quash, the "Zsubpoena at issue because "this Court does not have sufficient#Zinformation to identify relevant documents (including directory$Zfiles)...." The court's reference to directory files seems to imply that%Zthe directory would necessarily list everything in the storage&Zdevicewhich is, of course, not true. A directory would not display'Zhidden, erased, or overwritten files which could still be recoverableby)Za computer expert. Perhaps the judge's conclusion might have been*[different if the government had proceeded by search warrant ratherthan,[subpoena. In any case, it is interesting to note that the court, in-[0trying to find a balance, suggested that when a grand jury suspects"that/[@subpoenaed documents are being withheld, a courtappointed expertcould1[`search the hard drives and floppy disks."2[3[3. Removing Hardware to Search OffSite: Ask the Magistrate forExplicit5[Permission.6[7[Because the complexities of computer data searches may requireagents to9[remove computers from a search scene, agents and prosecutorsshould;\anticipate this issue and, whenever it arises, ask for the magistrate's <\ express!=\0">\@[page 100]#?\PF$@\`\`p(@\p HFpermission. Obviously, the more information they have to support this%A\decision, the betterand the affidavit should set out all the relevant&B\details. It will be most important to have this explicit permission in'C\the warrant for those cases where (as in Tamura, supra p. 58) agentsmust(E\seize the haystack to find the needle.)F\*G\If the original warrant has not authorized this kind of seizure, but the+H\agent discovers that the search requires it, she should return to the,I]magistrate and amend the warrant, unless exigencies preclude it.-J].K] 4. Seeking Authority for a NoKnock Warrant/L]00M]@a. In General1N]P2O]`Under 18 U.S.C. 3109, an agent executing a search warrant mustannounce3Q]phis authority for acting and the purpose of his call. See, e.g., United4R]States v. Barrett, 725 F. Supp. 9 (D.D.C. 1989)("Police, search warrant,5S]open up"). This knockandannounce requirement, although statutory,has6U]been incorporated into the Fourth Amendment, United States v.7V]BustamanteGamez, 488 F.2d 4, 1112 (9th Cir. 1973), cert. denied,4168X]U.S. 970 (1974), and therefore a statutory violation may also be a9Y^constitutional one. United States v. Murrie, 534 F.2d 695, 698 (6th Cir.:Z^1976); United States v. Valenzuela, 596 F.2d 824, 830 (9th Cir.), cert.;[^ denied, 441 U.S. 965 (1979). The knock~andannounce rule is designedto<]^0reduce the possibility of violence (the occupant of the premises may=^^Pbelieve a burglary is occurring), reduce the risk of damage to private>_^`property (by allowing the occupant to open the door), protect the?`^pinnocent (the agent may be executing the warrant at the wronglocation),@b^and symbolize the government's respect for private property.Ac^Bd^Of course, if no one is present, there is no one to notify, and agentsCe^can search the place without waiting for its occupant. United States v.Df^Brown, 556 F.2d 304 (5th Cir. 1977). The knockandannouncerequirementFEh^^p(h_ HFalso does not apply when the door is open. United States v. Remigio,767Fj_F.2d 730 (10th Cir.), cert. denied, 474 U.S. 1009 (1985). It is unclearGk_0whether the rule applies to businesses, as different courts havereachedHm_@different conclusions.In_`Jo_p[page 101]Kp_Lq_Cf. United States v. Agrusa, 541 F.2d 690 (8th Cir. 1976)( 3109 appliesMr_to businesses), cert. denied, 429 U.S. 1045 (1977), with United Statesv.Nt_Francis, 646 F.2d 251 (6th Cir.)( 3109 applies only to dwellings), cert.Ou_denied, 454 U.S. 1082 (1981).Pv_Qw_After knocking and announcing, agents must give the occupants aRx`reasonable opportunity to respond, although exigent circumstancesmaySz`justify breaking in without an actual refusal. Compare United Statesv.T|`0Ruminer, 786 F.2d 381 (10th Cir. 1986)(breakin authorized wherepoliceU~`Pwaited five seconds and saw people running in house), with UnitedStatesV`pv. Sinclair, 742 F. Supp. 688, 6901 (D.D.C. 1990)(one to twosecondW`delay, even with noise inside, was insufficient to warrant breakin).X`Y`Moreover, exigent circumstances may justify forcible entry withoutZ`"knocking and announcing" at all. Circumstances are exigent if agents[`reasonably believe that giving notice to people inside could cause (1)\`the officer or any other individual to be hurt; (2) a suspect to flee; or]`(3) the evidence to be destroyed. Additionally, investigators need not^aknock and announce when it would be a "useless gesture" becausethe_apeople inside already know their authority and purpose.`a0aa@b. In ComputerRelated CasesbaPca`In many computer crime cases, the primary concern will be preservingtheFdapap(a HFevidence. Technically adept suspects may "hotwire" their computersin aneaeffort to hide evidence. Although there are many ways to do this, twofamore common practices involve "hot keys" and timedelay functions.A "hotgakey" program is designed to destroy evidence, usually by overwritingorhareformatting a disk, when a certain key is pressed.12 Thus, whenofficersibknock at the door and announce their presence, the subject of thesearchjb0can hit the key that activates the program. A timedelay function is akbPprogram that monitors the keyboard to determine whether the userhaslb`pressed any key. If no key ismbnb12 Of course, the fact that this occurs does not mean the evidencecannotobhe salvaged. Experts can often recover data which has been deletedorpboverwritten.qbrb[page 102]sctcpressed within a certain period of time, such as 30 seconds, theprogramuc activates and destroys data. A target may, therefore, answer thedoorvc@slowly and attempt to delay the agent's access to the machine.wc`xcpThese problems, which may be present in every computer crimeycinvestigation, are not, standing alone, sufficient to justify dispensingzcwith the knockandannounce rule. Most courts have required agentsto{cstate specifically why these premises or these people make it either|cdangerous or imprudent to knock and announce before a search. SeeUnited}cStates v. Carter, 566 F.2d 1265 (5th Cir. 1978)(someone inside yelled~c"It's the cops" and the agent, who had a warrant to search for heroin,dheard running inside), cert. denied, 436 U.S. 956 (1978); United StatesFddp(d  HFv. Stewart, 867 F.2d 581 (10th Cir. 1989)(collecting cases). But cf.d0United States v. Wysong, 528 F.2d 345 (9th Cir. 1976)(mere fact thatd@police knew defendant was trafficking in an easily destroyable liquiddPnarcotic created exigent circumstance that justified entry withoutd`knocking and announcing).dpdIn short, most cases hold that agents must have some reasonable,darticulable basis to dispense with the knockandannouncerequirement.dMoreover, in light of the salutary purposes served by the rule, theydshould have very good reasons before deviating from it. Inappropriatedcases, however, a noknock warrant should be obtained. In decidingdwhether to seek a noknock warrant, agents should consider, amongotherethings: (1) what offense is being investigated (is it a narcotics casee where the subjects may be armed, or is it nonviolent hacking?); (2) ise0there information indicating evidence will be destroyed (in one recente@hacker case, the targets talked about destroying evidence if raided byePthe police); (3) the age and technical sophistication of the target; ande`(4) whether the target knows, or may know, he is under investigation.epe[page 103]eeVII. POSTSEARCH PROCEDURESeeA. INTRODUCTIONeeAs noted above, the government is permitted to search for and toseizeeproperty that is contraband, evidence, or an instrumentality of thefoffense. The law does not authorize the government to seize itemswhichf do not have evidentiary value, and generally agents cannot takethingsf@from a search site when their nonevidentiary nature is apparent atthef`time of the search.ffWith computer crimes, however, it is not always possible to examine6fp(f H6andfseparate wheat from chaff at the search location. There may bethousandsfof pages of data on the system; they may be encrypted orcompressed (andfthus unreadable); and searching computers frequently requires expertgcomputer skills and equipment. All these factors contribute to theg impracticality of onsite processing. Accordingly, agents will ofteng0seize evidentiary materials that are mixed in with collateral items.(Seeg@"DECIDING WHETHER TO CONDUCT THE SEARCH ONSITE OR TO REMOVEHARDWARE TOg`ANOTHER LOCATION," supra p. 55.)ggFor several reasons, it is important to separate evidence (andgcontraband, fruits, and instrumentalities) from irrelevant items. First,gas noted above, the law does not generally authorize seizinggnonevidentiary property. But to the extent agents sort and returnthesegmaterials after a search, the courts are less likely to require thatglarge amounts of data be sorted at the scene. Put another way, if lawhenforcement authorities routinely retain boxes of property that arenothevidence, the courts surely will become less sympathetic in thosecasesh0where it is, in fact, appropriate to seize entire systems and analyzehPthem later at the lab.h`hpA second reason to promptly sort seized evidence is that the processwillhhelp to organize the investigation. Agents and prosecutors willobviouslyhwant to focus on the evidence when preparing complaints orindictments.hGetting a handle on the items that advance the case will help agentshassess quickly and accurately where the case should go. As much ashoverbroad seizures offend theii[page 104]i Fi0i0p(i@ HFlaw, they are just as bad for the investigation. Investigators should iPcull out the things that do not help the case right away to avoid i`endlessly sifting through unimportant materials as the investigation ipprogresses. i iProcedures for sorting, searching, and returning seized items willdependiin part upon the type of evidence involved. There are, however,certainibasic concepts that apply across the board. The basics include theifollowing.ijB. PROCEDURES FOR PRESERVING EVIDENCEjj 1. Chain of Custodyj0j@Computer evidence requires the same chain of custody procedures asotherjPtypes of evidence. Of course, the custodian must strictly controlaccessjpand keep accurate records to show who has examined the evidenceand when.j(For a further discussion of this issue, see "EVIDENCE: Chain ofjCustody," infra p. 119.) j!j2. Organization"j#jAs with other parts of the investigation, the sorting process should be$kas organized as possible. If there are only a few agents involved,each&kwith discrete tasks, the job is likely to be quick and efficient. Many'k0agents, unsure of their tasks, are more likely to misplace or overlook(k@evidence. An organized review process, which is part of a larger,)kPwellbriefed search plan, is also easier to describe and defend incourt.+k`,k-k[page 105].k/k3. Keeping RecordsF0kkp(0k HFܿ1kAgents should always document their investigative activities. Thisallows3kother agents and attorneys to keep track of complex investigations,and5lwill help the case agent reconstruct the sorting process at a latertime7l0if necessary. A log should be kept that describes each item seized,8lPwhether it was examined, and whether it contained evidence.9l`:lpWhen items are returned, a receipt should set out: (a) a clear;ldescription of the item, (b) the person who received it (with asignature=land identification), and (c) when the item was released. It oftenmakes?lsense to return all items at one time rather than to do it piecemeal.@lAlso, it is a good idea to keep photographs of the property returned inAlorder to avoid disputes.BlCm4. Returning Seized Computers and MaterialsDmEm Once agents have removed the computer system from the scene, anexpertGm0should examine the seized material as soon as practicable. ThisHmPexamination may be conducted by a trained field office agent, aspecialJm`agent sent to the field office for this purpose, or by aKmproperlyqualified private expert. Some agencies may require that theLmcomputer system be shipped to a laboratory. Each agency shouldestablishNmand follow a reasonable procedure for handling computerizedevidence.PmQmOnce the analyst has examined the computer system and data anddecidedSmthat some items or information need not be kept, the governmentshouldUnreturn this property as soon as practicable. The courts haveacknowledgedWn0an individual's property interest in seized items, and the owner ofFXnPnPp(Xn` HFseized property can move the court for a return of property underFed. R.ZnpCrim. P. 41(e). That remedy is available not only when the search was[nillegal, but also if the person simply alleges a "deprivation of property\nby the Government." In Re Southeastern Equipment Co. SearchWarrant, 746^nF. Supp. 1563 (S.D. Ga. 1990)._n`n[page 106]anboAgents and prosecutors must remember that while a computer may becoanalogous to a filing cabinet for the agents who search it, it is muchdo more to most computer users. It can be a data processor, graphicseo0designer, publisher, and telecommunications center. Courts will nodoubtgo@recognize the increasingly important role computers play in oursociety,io`and the public's extensive reliance on these computers to support theway kowe live and do business. As a result, law enforcement should beprepared moto look carefully at the circumstances of each case and to seize nocomputers only as needed, keeping them only as necessary. oo poa. Federal Rules of Criminal Procedure: Rule 41(e)qorpWhile computerowners may be especially eager for return of theirsphardware, software, data, and related materials, the issue of whethertoup retain or return lawfully seized property before trial is not unique tovp@computers. Rule 41(e) of the Federal Rules of Criminal Procedure setsoutxpPthe standards and procedures for returning all property seized duringthezppexecution of a search warrant. The Rule, in general, provides that a{pparty who is "aggrieved by an unlawful search and seizure or by the|pdeprivation of property" may file a motion for the return of theproperty~pon the ground that the party is entitled "to lawful possession of thepproperty." 13Fppp(p HFܿqA Rule 41(e) motion for return of property can be made either beforeorqafter indictment. However, a district court's jurisdiction over aq0preindictment motion is more limited than if the indictment has beenq@returned. Preindictment remedies are equitable in nature and mustonlyqPbe exercised with "caution and restraint." Floyd v. United States, 860qpF.2d 999, 1003 (10th Cir. 1988). The Tenth Circuit, the only Circuit to qaddress this issue, held that two conditions must be satisfied before a!qdistrict court may assume jurisdiction over a pre~indictment Rule41(e)"qmotion: "a movant must demonstrate that being deprived#q$q13 Rule 41(e) does not distinguish according to how the property wasused%qin the offense; thus, a computer used as an instrumentality of anoffense&r(e.g., to duplicate copyrighted software or hack into other systems) is'r not treated differently for Rule 41 analysis from a computer used as a(r0"storage cabinet" for documents. Of course the government's interestin)r@seizing and keeping the computer in each case is different and, thus,*r`from a realistic standpoint, how the computer was used in theoffense is+rpimportant in determining whether to retain or return it.,r-r[page 107].r/rof actual possession of the seized property causes 'irreparable injury'0rand must be otherwise without adequate remedy at law." Matter ofSearch1rof Kitty's East, 905 F.2d 1367, 1371 (1Oth Cir. 1990).2s3sBecause of the paucity of cases in this area, it is very difficult to say4s what facts will satisfy this twopart test. However, the reported5s0decisions do offer guidance in responding to a request for the returnof6s@seized property. The Tenth Circuit in Kitty's East held that the7s`"irreparable injury" element is not satisfied by the threat of anF8spspp(s HFimminent indictment. 905 F.2d at 1371, citing Blinder, Robinson & Co.v.9sUnited States, 897 F.2d 1549, 1557 (1Oth Cir. 1990). The appellate court:sin Kitty's East upheld the district court's decision to take jurisdiction;sbecause the nature of the seized materialspornographic<svideotapesinvoked the First Amendment right of free speech."Although=sthe interests of the commercial speech at issue here may not equatewith>tthose of political speech, we agree that the special protections of the?t First Amendment justified the exercise of equitable jurisdiction in this@t0case." Id. Conversely, the Blinder court rejected the movant'scontentionAt@that it was irreparably injured by the government's failure to returnBt`original documents: "[T]he record strongly suggests that [the movant]isCtpable to operate with photocopies of the documents seized by theDtgovernment and either has copies or can make copies of all thepropertyEtthat the government seized." Blinder, 897 F.2d at 1557.FtGtOnce jurisdiction has been established, Rule 41(e), according to theHtTenth Circuit, requires the party to also show that the retention of theItproperty by the government is unreasonable:JuKuReasonableness under all of the circumstances must be the test whenaLu person seeks to obtain the return of property. If the United States hasaMu@need for the property in an investigation or prosecution, its retentionNu`of the property generally is reasonable. But, if the United States'Ouplegitimate interests can be satisfied even if the property is returned,Pucontinued retention of the property would become unreasonable.QuRuId., quoting Committee Note to 1989 Amendment at 30, 124 F.R.D. at428.SuTuAs described, the Kitty's East court initially held the district courtUuhad properly exercised jurisdiction over the motion because of theVupossibility that the movant's First Amendment rights would be6vp(v H6impaired.WvHowever, the court then denied the Rule 41(e) motion for the returnofXv0the seized property. TheYvPZv`[page 108][vp\vcourt held that Kitty's East failed to demonstrate that it wasaggrieved]vby an unreasonable retention of the property:^v_vWith regard to the videotapes seized, Kitty's has made no argumentthat`vthe seizure has precluded all exhibition or rental of the videotapes inavquestion. Kitty's First Amendment rights are not sufficiently infringedbwby the government's seizure for evidence of a few copies of a limitedcwnumber of videotapes to be 'aggrieved' under Rule 41(e).... Further,dw return of the videotapes would pose too great a risk of loss ofpotentialew0evidence. As the Supreme Court has noted, 'such films may becompact,fwPreadily transported for exhibition in other jurisdictions, easilygwpdestructible, and particularly susceptible to alteration by cutting andhwsplicing critical areas of film.' We hold therefore, that theiwgovernment's retention of no more than two evidentiary copies ofeachjwfilm is reasonable and does not 'aggrieve' Kitty's under Rule 41(e).kwlw905 F.2d at 1376 (citations omitted).mwnwIn United States v. Taft, 769 F. Supp. 1295, 1307 (D. Vt. 1991) the courtoxrelied on Kitty's East to deny a motion for the return of two firearmspxwhich had been legally seized by the government during theexecution of aqx search warrant. Moreover, the court refused to second guess therx@government about the evidentiary value of the guns: "[H]avingdecidedsxPthat the government legally seized the two firearms, this court willnottxpopine as to the evidentiary value of the guns in the instant6xp(x H6prosecutionuxfor cultivation of marijuana."vxwxThe decisions addressing Rule 41(e) impose a heavy burden on a partyxxseeking the return of property, including computers, lawfully seizedbyyxthe government. However, unless there is a reason not to do it,agentszyshould explore giving the computer owner copies of the computerdisks{y0seizedeven when Rule 41(e) does not require it. This is especiallytrue|yPif the owner needs the data to run a business. Of course, if the}ypinformation stored on the disks is contraband or if copying the~yinformation would jeopardize the investigation, agents should notmakeycopies for the owner. y ySimilarly, if the owner of a seized computer needs it for business,there ymay be intermediate solutions. For example, using careful scientific yprotocols and keeping exacting records, an analyst can makeprintoutszfrom the hard drives to have "original" records to admit in court.z Following the same process, the analyst can then make a mirrorimage (orz0"bitstream") data copyzPz`[page 109]zpzof the hard drives for later analysis. Before returning the computers,zagents should explain the printout and copying processes used, andgivezthe defense an opportunity to object to the integrity and admissibilityzof the printouts and copies at that time. Best practice is to ask thezdefense counsel to sign an explicit waiver of those issues at the timezthe computer is returned and to stipulate that printouts andelectroniczcopies will be admissible under Fed. R. Evid. 1001. (For a moreextensiveF {{ p( {0 HFdiscussion of admitting electronic evidence, see "EVIDENCE," infra p.!{@113.) If the defense refuses to concede the accuracy and admissibilityof#{Pthe printouts and copies, the government should keep the computer.(For a%{pform "Stipulation for Returning Original Electronic Data," see APPENDIX&{A, p. 135).'{({b. Hardware){*{In deciding whether to retain hardware, agents should considerseveral,{factors. Aspects that weigh in favor of keeping hardware include: (1)the.|hardware was used to commit a crime, was obtained through criminal/| activity, or is evidence of criminal activity, (2) the owner of the0|0hardware would use it to commit additional crimes if it werereturned,2|@(3) the hardware is unique and is either essential for recovering data3|`from storage devices or difficult to describe without the physical item4|ppresent in court, and (4) the hardware does not serve legitimate5|purposes. Factors that weigh in favor of returning hardware include:(1)7|a photograph of the hardware would serve the same evidentiarypurpose as9|having the machines in court, (2) the hardware is an ordinary,:|unspecialized piece of equipment such as a telephone, (3) thehardware is<|used primarily for legal purposes, and (4) the hardware is unlikely tobe>}used criminally if returned.?} @}0Although the result will depend on the precise facts of each case,someB}@basic principles are clear. Where hardware was used to commit acrimeD}`(instrumentality) or is the proceeds of crime (fruit) and it belongs toE}the suspect, agents should generally keep it. When the hardwareclearlyG}is not evidence of a crime (e.g. an electronic wristwatch which turns6}p(H} H6outI}to have no memory), it should generally be returned.J}K}[page 110]L~M~The difficult situations arise when hardware was only tangential intheO~ crime, played primarily a noncriminal role, or does not belong to theP~@suspect. In these cases, agents and prosecutors must balance theQ~Pgovernment's need to retain the original items against the propertyR~`owner's interest in getting them back. In any case, aggrievedpropertyT~powners can ask the court to order the government to return evenU~lawfullyseized items. See Fed. R. Crim. P. 41(e).V~W~c. DocumentationX~Y~Warrants often include computer books, programming guides, usermanuals[~and the like. These items may have evidentiary significance in several\ways: they may be proprietary (e.g. telephone company technicalmanual^for employees); they may indicate that software, hardware, or themanuals`0themselves were obtained illegally; they may be necessary forsearching abPparticular, customized machine also covered by the warrant; or theymaydpcontain handwritten notes about how the subject used the machine.In thisfcase, agents should treat the books and manuals as evidence andretainhthem.ijVery often, however, books and manuals are not unique. Most of thetime,lthey will be publicly available user guides without significantmhandwritten notes. They may be convenient references forinvestigators,o but they do not add anything that could not be commercially6@p(pP H6purchased. Inq@such cases, Rule 41(e) does not require subjects to supply suchequipmentspor technical information, so these items (if they contain no evidence)tshould be returned.uvd. Notes and PaperswxNotes and papers often contain extremely valuable information likeypasswords, login sequences, and other suspects' telephone numbersor{names. Notes also tend to be rather cryptic, so agents will not always|know right away what they are. Accordingly, it may be appropriate to} retain notes and papers until they can be carefully examined, butagents0should return records that are clearly not evidence or instrumentality.P`[page 111]pe. ThirdParty OwnersThe retainorreturn question is particularly delicate when theevidence(usually hardware) belongs to innocent third parties. While thegovernment is clearly entitled to seize evidence no matter who ownsit,Rule 41(e) of the Federal Rules of Criminal Procedure recognizes thattheproperty owner may move for return of unreasonably held items. SeeFed. R. Crim. P. 41(e) advisory committee note (1989)("reasonablenessunder@all of the circumstances must be the test when a person seeks toobtain`the return of property"). The committee notes further point out thatthegovernment's legitimate interests can often be satisfied "by copyingdocuments or by conditioning the return on government access to theproperty at a future time." Id.Fp( HFWhen a third party claims ownership, it is important to evaluatecompeting claims before deciding what to do. The worst solution is toreturn property to someone who later turns out not to have been therightful owner. Thus, whenever it is appropriate to return property, agents must verify ownership with documents or other reliableevidence.0If in doubt, it is best to retain the item and let the aggrieved partiesPassert their various claims in court. This way, the government will not`become embroiled in complicated ownership investigations, and willnotprelease property to the wrong party. [no page 112] [Page 113]VIII. EVIDENCEA. INTRODUCTIONAlthough the primary concern of these Guidelines is search andseizure,the ultimate goal is to obtain evidence admissible in court. From themoment agents seize electronic evidence, they should understandboth the legal and technical issues that this sort of evidence presents underthe@Federal Rules of Evidence.`pIt can be especially confusing to think about digital proof because,bothin our current discussions and in early cases, legal analysts havetendedto treat "computer evidence" as if it were its own separate,overarchingevidentiary category. Of course, in some very practical wayselectronicevidence is unique: it can be created, altered, stored, copied, andmovedwith unprecedented ease, which creates both problems andopportunities for advocates. But in many important respects, "computer evidence,"like@any other, must pass a variety of traditional admissibility tests.F``p(p HFܿSpecifically, some commentary is not very clear whether admittingcomputer records requires a "best evidence" analysis, anauthenticationprocess, a hearsay examination, or all of the above. Advocates andcourtshave sometimes mixed, matched, and lumped these ideas together bytalkingsimply about the "reliability" or "trustworthiness" of computerevidencein general, sweeping terms, rather than asking critically whether the  evidence was "trustworthy" in all required aspects. 0 @Part of the reason for this is probably that the first computerevidence Poffered in court was information generated by businesses. Longbefore pmost people used computers in their homes, telephone companies andbankswere using them to record, process, and report information that theirbusinesses required. Not surprisingly, many of the early decisions linkcomputer evidence with the business records exception to thehearsayrule. Of course, that exceptionwhich is meant to address asubstantivehearsay problemalso includes a sort of internal authenticationanalysis. (Fed. R. Evid. 803(6) 0[Page 114]@Prequires a showing that a record was made "at or near the time by, or`from information transmitted by, a person with knowledge. . .").pBut "computer evidence" as we know it today covers the universe ofdocumentary materials, and is certainly not limited to businessrecords.Computer evidence may or may not contain hearsay statements. Itwillalways need to be authenticated in some way. And data that has beenproduced, processed, and retrieved under circumstances other than6p( H6thediscipline of a business probably will not contain the qualities that  make electronic evidence "reliable" as a business record. Evenbusiness!0records, themselves, may require a closer look, depending on whatthe"Pproponent wants to do with them at trial.#p$The key for advocates will be in understanding the true nature of each%electronic exhibit they offer or oppose: for what purpose and by what&process (both human and technological) was it created? And whatspecific'issues of evidence (rules of form? rules of substance?) does that(particular electronic item raise?)*B. THE BEST EVIDENCE RULE+,One of the issues that investigators and lawyers sometimes cite as- troublesome in working with electronic evidence turns out, on.0examination, to be a largely surmountable hurdle: the "best evidence/@rule." This rule provides that "[t]o prove the content of a writing,0Precording, or photograph, the original writing, recording, orphotograph1`is required, except as otherwise provided in these rules or by Act of2Congress." Fed. R. Evid. 1002.34The impact of this rule is softened considerably by its reference to5other rules. Indeed, Fed. R. Evid. 1001 makes clear in two separate6provisions that when it comes to electronic documents, the term7"original" has an expansive meaning. First of all, Fed. R. Evid. 1001(1)8defines "writings and recordings" to explicitly include magnetic,9mechanical, or electronic methods of "setting down" letters, words,:numbers, or their equivalents. Clearly, then, when someone creates a; document on a computer hard drive, for example, the electronic data<  stored on that drive is an admissible writing. A proponent could= 0obviously offer it to a court by producing the hard drive in court and> @displaying? P@`[Page 115]ApFBp( HFit with a monitor. But that somewhat cumbersome process is not theonlyCchoice. In telling us what constitutes an "original" writing orDrecording, Fed. R. Evid. 1001(3) says further that "[i]f data are storedEin a computer or similar device, any printout or other output readablebyFsight, shown to reflect the data accurately, is an 'original."' Thus, soGlong as they are accurate, paper printouts from electronic storageHdevices qualify as "originals" under the rule, and there is clearly noI evidentiary need to haul computer equipment into a courtroom simplytoJ0admit a documentalthough there sometimes may be tacticalreasons forKPdoing so.LpMBut even having set up that inclusive definition of "original" writing,N the Federal Rules go much further to relax the common law standard.Fed.O"R. Evid. 1003 provides that "[a] duplicate is admissible to the sameP#extent as an original unless (1) a genuine question is raised as to theQ$authenticity of the original or (2) in the circumstances it would beR%unfair to admit the duplicate in lieu of the original." Therefore, unlessS&authenticity or some "unfairness" is at issue, courts may freely admitT'duplicate electronic documents. "Duplicate" is defined in Fed. R. Evid.U(1001(4) as "a counterpart produced by the same impression as theoriginalV* ... by mechanical or electronic rerecording ... or by other equivalentW+@techniques which accurately reproduces (sic) the original." ManyX,Pinvestigative agencies analyze data evidence from exact electroniccopiesY.`(called "bitstream" copies) made with commercial or custommadeZ/software. So long as the copies have been properly made andmaintained,[1the Federal Rules allow judges to accept these copies (or expertopinions\3based on them) as readily as the originals.]4^5Thus, the Federal Rules have, despite their nod to the best evidence_6rule, made way for a lively courtroom use of electronic evidence in all`7its many forms. Questions of admissibility turn not on whether the6p(8  H6dataa9before a court is on a hard drive, a duplicate floppy disk, or a printoutb:@of either one. Instead, courts must ask whether the original data isc;Pauthentic and whether any copies offered are accurate.d<`e=pC. AUTHENTICATING ELECTRONIC DOCUMENTSf>g?Of course, every time trial lawyers offer any piece of evidence, theyh@must be ready to show that, as the authentication rule, Fed. R. Evid.iA901(a),jBkC[Page 116]lDmEstates, "the matter in question is what its proponent claims." Clearly,nFthere are many ways to do this, including the ten illustrations offeredoGby Fed. R. Evid. 901 (b).pH qI01. "Distinctive" EvidencerJ@sKPOne of the most common methods for authenticating evidence is toshow thetM`item's identity through some distinctive characteristic or quality.uNIndeed, the authentication requirement of Fed. R. Evid. 901(a) isvOsatisfied if an item is "distinctive" in its "appearance, contents,wPsubstance, internal patterns, or other distinctive characteristics,takenxRin conjunction with circumstances." Fed. R. Evid. 901(b)(4). In fact, itySis standard practice to use this method to authenticate some kinds ofzTevidence which may now be digitally created, stored, and reproduced.For{Vexample, attorneys offering photographs into evidence invariably justask|Xa "witness with knowledge" (under Fed. R. Evid. 901(b)(1)) whether a}Y0particular photo is "a fair and accurate representation" of somethingor~[@someone. But should the process of authenticating photographsrecognize]`that, with the advent of digital photography, it is now possible toalter_an electronic image without leaving a trace? Consider the followingF`p(` HFexample.abAgents and prosecutors were shown a photograph of a bodytwistedon thedfloor, a gaping wound in the chest. Across the room, on the floor, wasaflarge pistol. On the white wall above the victim's body, scrawled intheh victim's own blood, were the words, "I'll kill again. You'll never catchi@me."jPk`Unlike conventional photographs, however, this picture was notcreatedmpwith film, but with a digital camera. The entire picture was made upofobinary digits, ones and zeros, which could be altered withoutdetection.qSo two law enforcement agents, using commercially availablesoftware,sstarted rearranging the digits. They "cleaned" the wall, removing thetbloody words. They closed the chest wound, choosing instead to havebloodvtrickling from the victim's temple. Last, they moved the gun into thew victim's hand. The case was now solved: the report would claim, andthey0photograph would "prove," the victim committed suicide.zP{`[Page 117]|p}This was, of course, only a demonstration, which took place in thesummerof 1991 at a meeting of the Federal Computer InvestigationsCommittee.The Committee had been established by a handful of federal and statelawenforcement personnel who were among the first to appreciate howemergingtechnologies were both providing new opportunities for criminals andcreating new challenges for law enforcement officials. For this group, the point of this demonstration was apparent: not only could ordinaryF00p(@ HFphotographs not be trusted in the same old way to be reliable, but anPordinary agent might be duped if he or she were not technologically`astute enough to realize the potential for sophisticated digitalpalteration. The key, of course, is that there is no negative, and thealteration leaves no tracks.Nor will these authenticity problems be limited to photographs. Forexample, some package delivery services now allow recipients to signfortheir packages on a handheld device which creates a digital copy oftherecipient's signature. Although this makes it easy to transfer theinformation to a computer, it also enables the computer to recreatethesignature. If the hand~held device measures and records the pressure0applied by the signer and if the computer reprints that signature withan@inkbased printer, the computer~generated copy will look absolutely`authenticeven to the author.pDespite these examples, there will be many times when electronicevidencewhether photographs or documentswill indeed beidentifiablebased on distinctive characteristics alone. An eyewitness can just aseasily identify a digital photograph of a person as he could aconventional photo. The question for both judge and jury will be thewitness's ability and veracity in observing and recalling the originalperson, photo, scene, or document with which he compares the in  courtversion. The fact that it is possible to alter a photofor example, to extend the skid marks at an accident sceneis far less significant if0the authenticating witness is independently sure from observing thesite@that the skid marks were, in fact, ten feet long. Similarly, the`recipient of a discarded electronic ransom note may recall the contentofpthe original note well enough to authenticate a printout from theaccused's computer.But to the extent that incourt photos or documents support6p( H6incomplete orfading witness memoriesor even substitute for witness memoryaltogetherlawyers must realize that "distinctive characteristics" inelectronic evidence may be easy to alter, and may not, depending onthecircumstances, satisfy a court. What witness can independently verifythe0distinctive accuracy of long lists of names or numbers? Can he saythat aPdigital photo is "a fair and accuratep[Page 118]representation of a crime scene" in all detailsno matter how minortheymay have seemed at the time? While he will probably be able torememberwhether there was a knife sticking out of a body, will he be able toverify the precise location of a shoe across the room? An eyewitnesswhopicked out the defendant at a lineup should be able to look at a photograph of the array and find the defendant again. But can she sayfor0sure, when testifying at a hearing on defendant's motion to suppressanPallegedly suggestive lineup, that all the other people in the picturepare exactly as she saw them? Has there been no mustache added inthispicture, no height or weight changed in any way? And although therecipient of a ransom note may well be able to recall the exact wordsofthe note, will he recall the type face?It is important to remember that the traditional process ofauthenticating an item through its uniqueness often carries anunspokenassumption that the thingthe murder weapon, the photo, or theletter, for exampleis a package deal. It either is or is not the thing the@witness remembers. Thus, if the witness can identify particular6Pp(` H6aspectsPof the item with certainty (such as the content of the ransom note),theother aspects (such as the type face) usually follow along withoutmuchdebate. Of course, there are times, even with conventionalphotography,when an authenticating witness will be asked about internal details:"When you saw the crime scene at 5:30, were the shoes both on therightside of the room?" In those circumstances, attorneys and judgesnaturallytend to be more exacting in establishing that the witness can0authenticate not only part of the package, but all the parts thatmatter.@`But with digital photography, this rather minor problem ofauthenticationptakes on a new life. Depending on the way electronic evidence hasbeenproduced, stored, and reproduced, the collection of ones and zerosthatconstitutes the "package" of the photograph is infinitely andindependently variablenot by moving shoes at the crime scene, butbychanging any digits at any time before the exhibit photo is printed.Perhaps judges will find themselves admitting digital photographsanddocuments based on "distinctive characteristics" if a witness with0knowledge can identify and authenticate the item in all relevantdetail.@But that, of course, requires a judge to know in advance which details`will be relevant to the case and which are insignificant. If thepcharacteristic that makes the item distinctive is not the same onethatmakes it relevant, judges might and should be wary about admittingdigital[Page 119]Fp( HFevidence in this way. Even if judges are satisfied, attorneys whocrossexamine an authenticating witness on minute details of digital photographs may affect the witness's credibility with the jury,0especially if the attorney shows how easily the evidence could be@altered.P`One of the potential solutions to this problem which arises from thepnature of electronic evidence may actually be electronic: digital signatures. The Digital Signature Standard, proposed by the National Institute of Standards and Technology (NIST) in the Department of Commerce, would allow authors to encrypt their documents with akey known only to them. Assuming the author has not disclosed his password toothers, this identifying key could serve as a sort of electronicevidenceseal. In that event, the signature would be just the kind of distinctivecharacteristic the rules already recognize. For the time being, however, most computer evidence can still bealtered0electronicallyin dramatic ways or in imperceptible detailwithoutanyPsign of erasure. But this does not mean that electronic evidence,havingpbecome less distinctive, has become any less admissible. It simplymayrequire us to authenticate it in other ways.2. Chain of Custody When prosecutors present evidence to a court, they must be ready toshow !that the thing they offer is the same thing the agents seized. Whenthat #evidence is not distinctive but fungible (whether little bags ofcocaine, %0bullet shell casings, or electronic data), the "process or system" (to &Puse the language of Fed. R. Evid. 901(b)(9)) which authenticates theitemF(`pp(( HFis a handtohand chain of accountability.)*Although courts generally have allowed any witness with knowledgeto,authenticate a photograph without requiring the photographer totestify,.that may not suffice for digital photos. Indeed, judges may nowdemand0that the proponent of a digital picture be ready to establish acomplete2chain of custody from the photographer to the person whoproduced the40printout for trial. Even so, the printout itself may be a distinctive5Pitem when it bears the authenticator's initials, or some other6`recognizable mark. If the photographer takes a picture, and then7pimmediately prints and initials the image that becomes89[Page 120]:;an exhibit, the chain of custody is just that simple. But if the exhibit<was made by another person or at a later time, the proponent shouldbe>ready to show where the data has been stored and how it wasprotected@from alteration. A!B 3. Electronic Processing of Evidence"C0#D@When data goes into computers, there are many methods and formsfor$FPgetting it out. To the extent that computers simply store informationfor%Hplater retrieval, a data printout may qualify as an original document&Iunder Fed. R. Evid. 1001(3). Where the computer has merely acted as a'Jtechnological file cabinet, advocates must be ready to authenticatethe(Lincourt version of the document as genuine, but the evidentiaryissues)N(at least those connected to the computer) do not pertain to the*Osubstance or content of the document.F+Pp(P HFܿ,Q But in many cases, attorneys want to introduce evidence that thecomputer-S0has not only stored, but has also processed in some fashion. If the.TPcomputer, its operating system, and its applications software have/U`reorganized the relevant informationby comparing, calculating,0Vpevaluating, regrouping, or selectively retrievingthis processing has1Waltered at least the form of the information, and probably thesubstance2Yas well.3Z4[The fact that the computer has changed, selected, or evaluated data5\naturally does not make the resulting product inadmissible, but itdoes6^require another analytical step. The computer processing itself often7_creates a new meaning, adds new informationwhich is really the8`equivalent of an implicit statement. If an advocate wishes tointroduce9b this processed product, he usually offers it for the truth of the:c@conclusion it asserts. For example, when the telephone companycompiles;ePraw data into a phone bill for a subscriber, the bill is literally a<fpstatement: "The following long distance calls (and no others) wereplaced=hfrom your phone to these numbers on these days and times.">i?jIf the computer has created a hearsay statement by turning rawevidence@linto processed evidence, its proponent should be ready to show thattheAnprocess is reliable. Computers process data in many different ways byBorunning programs, which can be commercially or privately written.Any ofCqthese programs can contain logical errors, called "bugs," which couldDr0significantly affect the accuracy of the computer process. And even ifEs@there is no error inFtPGu`[Page 121]HvpIwthe code, a technician may run the program in a way that creates a6p(x H6falseJyresult. For example, a particular computer search program may be"caseK{sensitive," which means that the upper and lowercase versions ofanyL}given letter are not interchangeable. If an author working inWordPerfectM(a popular word~processing program), searches a document for thewordN "Evidence," the computer will not find the word "evidence," becausetheO@letter "e" was not capitalized. What does it mean, then, when theP`computer reports that the word was "not found"? Under whatcircumstancesQpshould a computer's conclusion be admissible in court?RSConsider a failuretofile tax case. If a prosecutor asks the IRS toTsearch its databanks to see whether a taxpayer filed a return in aUparticular year, the IRS may give her two very different products. IftheVtaxpayer filed electronically, the IRS can produce either an originalWdocument from its computers (a printout of the filing) or anadmissibleXduplicate in the form of an electronic copy. In that case, the IRSY computers simply acted as storage cabinets to hold and reproduce theZ0information that was entered by the taxpayer. Tax return in; taxreturn[@out.\`]pBut if, on the other hand, the IRS searches its databanks and finds^nothing, the IRS's negative report is clearly a hearsay statementwhich_results from a computer processthe electronic search for thetaxpayer's`tax return. The hearsay rule (Fed. R. Evid. 803(10)) allows the absenceaof a public record to be shown by testimony "that diligent searchfailedbto disclose the record ...." But testimony in what form? Will thecnegative computer report suffice, or should the technician who rantheFd p(0 HFsearch testify? Must the technician explain not only what keystrokeshee@entered to conduct the search, but also establish the errorfree logicoff`the program he used? Must he know not only that the programsearches forgboth lower and uppercase versions of the taxpayer's name, but alsohexactly how it accomplishes that task? While the absence of a recordisioften admitted in evidence, prosecutors can expect that as attorneysjbecome more computerliterate, defense counsel will raise newchallengeskin this area. Indeed, the accuracy or inaccuracy of the IRS's negativelreport rests on many different components, including the reliabilitym(both human and technical) of the computer process.n o0Certainly, the mathematical validity of any program is a question ofp@facta question which the opponent of a piece of processed evidenceqPshould have an opportunity at some point to explore and to contest.r`Similarly, the methods and safeguards involved in executing theprogramspmust also be fair ground fortu[Page 122]vwanalysis and challenge. While it would clearly be both unnecessaryandxburdensome to prove every step of a computer process in every case,ycourts must also be ready to look behind these processes when thefactszwarrant. As lawyers and judges learn more about all the variables{ involved in creating evidence through computer processing, this areamay|0become a new battleground for technical experts.}P~`D. THE HEARSAY RULEpMost agents and prosecutors are familiar with the business recordsexception to the hearsay rule. Fed. R. Evid. 803(6). Generally speaking,any "memorandum, report, record, or data compilation" (1) made at or6p( H6nearthe time of the event, (2) by, or from information transmitted by, aperson with knowledge, is admissible if the record was kept in thecourseof a regularly conducted business activity, and it was the regularpractice of that business activity to make the record. 0A business computer's processing and rearranging of digitalinformation@is often part of a company's overall practice of recording its regularly`conducted activity. Information from telephone calls, banktransactions,pand employee time sheets is regularly processed, as a fundamentalpart ofthe business, into customer phone bills, bank account statements, andpayroll checks. Logic argues that if the business relies on theaccuracyof the computer process, the court probably can as well.This is different, however, from using a company's raw data (collectedand stored in the course of business, perhaps) and electronicallyprocessing it in a new or unusual way to create an exhibit for trial.For example, banks regularly process data to show each accountholder's@transactions for the month, and most courts would readily accept thatPmonthly statement as a qualifying business record. But may a court`presume a similar regularity when the same bank runs a special datapsearch for all checks paid from the accountholder's account over thepast year to an account in Switzerland? In this case, even though thereport was not made at or near the time of the event, the documentisprobably admissible as a summary under Fed. R. Evid. 1006. That ruleallows courts to admit a "chart, summary, or calculation" as asubstitutefor "voluminous writing, recordings, or photographs." Nonetheless,[Page 123] other parties still have the right to examine and copy the unabridged0original data, and to challenge the accuracy of the summary. Of6@p(P H6course,@this also opens the way to challenges of any computer process whichpcreated the summary.In most other respects, of course, the hearsay rule operates withcomputer evidence exactly as it does with any other sort of evidence.Forinstance, statements for purposes of medical treatment, vitalstatistics,or statements against interest may all qualify as exceptions to thehearsay rule, whether they are oral, written, or electronic. Clearly, anelectronic statement against interest must also be authenticatedproperly, but it does not fail as hearsay. Conversely, a correctly authenticated electronic message may contain all sorts of hearsay0statements for which there are no exceptions.@PThe key is that computer evidence is no longer limited to business`records, and the cases that carry that assumption are distinguishablepwhen advocates work with other kinds of electronic evidence. Butevenwith business records, a trial lawyer well versed in the technologicalworld who knows how to ask the right questions may find that the"methodor circumstances of preparation indicate lack of trustworthiness,"under Fed. R. Evid. 803(6), to such a degree that a court will sustain, or at least consider, a challenge to the admissibility of the evidence. Computers and their products are not inherently reliable, and it is always wise to ask, in any particular case, what computers do andhow they do it.@P[no page 124] [Page 125]`pIX. APPENDICESAPPENDIX A: SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTSIT IS ESSENTIAL to evaluate each case on its facts and craft the6p( H6languageof the warrant accordingly. Computer search warrants, even morethan mostothers, are never onesizefitsall products. The following paragraphs are a starting point for recurring situations, but may be adjusted in0infinite ways. If you have any questions about tailoring an affidavitand@warrant for your case, please call the Computer Crime Unit at `2025141026 for more suggestions.!p"Your affiant knows that computer hardware, software,documentation,$passwords, and data security devices may be important to a criminal%investigation in two distinct and important respects: (1) the objects&themselves may be instrumentalities, fruits, or evidence of crime,and/or((2) the objects may have been used to collect and store informationabout*crimes (in the form of electronic data). Rule 41 of the Federal Rules of+Criminal Procedure permits the government to search and seizecomputer- hardware, software, documentation, passwords, and data securitydevices/@which are (1) instrumentalities, fruits, or evidence of crime, or (2)0`storage devices for information about crime.1p21. Tangible Objects34a. Justify Seizing the Objects56Explain why, in this case, the tangible computer items are7instrumentalities, fruits, or evidence of crimeindependent of the8information they may hold.9:[Page 126];< Your affiant knows that [subject's] regional offices concertedly and=0systematically supplied various specialized computer programs to its>@individual local offices. These computer programs were designed to?Pmanipulate data in ways which would automatically add a few6`p(@p H6pennies toA`the amount billed to customers for each transaction. By using thisBspecially designed program in its computers, the [subject] was able toCcommit a pervasive and significant fraud on all customers whichwould beEvery difficult for any one of them to detect.FG* * * * * * *HIor * * * * * * *JK Your affiant knows that [subject] accessed computers withoutauthorityM0from his home by using computer hardware, software, relatedNPdocumentation, passwords, data security devices, and data, moreO`specifically described as follows: [ ].PpQ* * * * * * *RSandTU* * * * * * *VWAs described above, the [subject's] computer hardware, software,relatedYdocumentation, passwords, data security devices, and data wereintegral[tools of this crime and constitute the means of committing it. As such,\0they are instrumentalities and evidence of the violations designated.]@Rule 41 of the Federal Rules of Criminal Procedure authorizes the^Pgovernment to seize and retain evidence and instrumentalities of acrime``for a reasonable time, and to examine, analyze, and test them.abb. List and Describe the ObjectscdThe tangible objects listed below may be named and seized as theobjectsfof the search when they are, themselves, instrumentalities, fruits, orgevidence of crime. Depending on the facts of the case, the list may beFhp(h HFlong or veryij [Page 127]k0l@short. The affidavit should describe the specific tangible objects with mPas much particularity as the facts allow. The following paragraphs are n`designed to be expansive and allinclusive for those cases in whichthe ppgovernment has probable cause to search and seize all computerhardware, rsoftware, documentation, and data security devices (includingpasswords) ton site. However, most cases will call for a much more limited listuv(1) HardwarewxComputer hardware consists of all equipment which can collect,analyze,zcreate, display, convert, store, conceal, or transmit electronic,{0magnetic, optical, or similar computer impulses or data. Hardware|@includes (but is not limited to) any dataprocessing devices (such as}Pcentral processing units, memory typewriters, and self~contained~`"laptop" or "notebook" computers); internal and peripheral storagepdevices (such as fixed disks, external hard disks, floppy disk drivesanddiskettes, tape drives and tapes, optical storage devices,transistorlike binary devices, and other memory storage devices),peripheral input/output devices (such as keyboards, printers,scanners,plotters, video display monitors, and optical readers); and relatedcommunications devices (such as modems, cables and connections,recordingequipment, RAM or ROM units, acoustic couplers, automatic dialers,speeddialers, programmable telephone dialing or signaling devices, and0electronic tonegenerating devices); as well as any devices,mechanisms, @or parts that can be used to restrict access to computer hardware(such!`as physical keys and locks).F"p( HFܿ#(2) Software$%Computer software is digital information which can be interpreted bya&computer and any of its related components to direct the way theywork.'Software is stored in electronic, magnetic, optical, or other digital(form. Itcommonly includes programs to run operating) *0[Page 128]+@,Psystems, applications (like wordprocessing, graphics, or spreadsheet-`programs), utilities, compilers, interpreters, and communications.pprograms./0(3) Documentation12Computerrelated documentation consists of written, recorded,printed, or3electronically stored material which explains or illustrates how to4configure or use computer hardware, software, or other relateditems.56(4) Passwords and Data Security Devices7 80Computer passwords and other data security devices are designed to9@restrict access to or hide computer software, documentation, or data.:PData security devices may consist of hardware, software, or other;`programming code. A password (a string of alphanumeric characters)<pusually operates as a sort of digital key to "unlock" particular data=security devices. Data security hardware may include encryptiondevices,>chips, and circuit boards. Data security software or digital code may?include programming code that creates "test" keys or "hot" keys,which@perform certain preset security functions when touched. DatasecurityAsoftware or code may also encrypt, compress, hide, or "boobytrap"Bprotected data to make it inaccessible or unusable, as well as reverseFCp(  HFthe process to restore it.D0E@2. Information: Records, Documents, DataFPG`For clarity, most "information" warrants need one paragraph listingallHpthe kinds of evidence they seek (content). Then they need a separateIparagraph detailing all the various forms this evidence could take, soitJis clear that all forms apply to all records. Most warrants will needKanother section (in appropriate cases) explaining why agents need toLseize data storage devices forMN[Page 129]OPoffsite searches. It may also be necessary to ask the magistrate forQ permission to take some peripheral hardware and software eventhough itR0does not directly contain evidence.SPT`a. Describe the Content of Records, Documents, or other InformationUpVIf the object of the search is information which has been recorded inWsome fashion (including digital form), it is important to begin with theXcontent of the record and not with its form. Depending on the case,theYprobable cause may be limited to one very specific document orextend toZevery record in a wholly criminal enterprise. Describe the content ofthe[document with the same specificity and particularity as for paper\records.] ^0Based on the facts as recited above, your affiant has probable causeto_@believe the following records are located at [the suspect's] residence``and contain evidence of the crimes described:apbA letter dated July 31, 1991 from [the suspect] to his mother.cFdp( HFTax records and all accompanying accounts, records, checks, receipts,estatements, and related information for tax year 1991.fgLists of illegal or unauthorized access codes or passwords, includingh(but not limited to) telephone, credit card, and computer accesscodes.ij All records relating to [the suspect's] drug trafficking, including (butk0not limited to) lists of customers and related identifying information;l@types, amounts, and prices of drugs trafficked as well as dates,places,mPand amounts of specific transactions; any information related tosourcesnpof narcotic drugs (including names, addresses, phone numbers, or anyoother identifying information); any information recording [thesuspect's]pq[Page 130]rsschedule or travel from 1988 to present; all bank records, checks,credittcard bills, account information, and other financial records.uv b. Describe the Form which the Relevant Information May Takew0x@If you know the records are stored on a computer or in some otherdigitalyPform, you should limit the scope of the search to digital records. Ifyouzpcannot determine in advance the form of the records (or if therecords{are in several different forms) the following language is a starting|point. BUT BE SURE TO ELIMINATE ANYTHING WHICH DOES NOT APPLY TOYOUR}CASE. Once again, because cases which have nothing else in commonmay all~have digital evidence, the following list is extremely broad. Forexample, in child pornography or counterfeiting cases, the nondigitalevidence may be photographs, films, or drawings. But in drug cases,taxF 0p(@ HFcases, or computer crimes, the agents may not be searching forgraphics Por other pictures. p The terms "records," "documents," and "materials" include all of the foregoing items of evidence in whatever form and by whatevermeans suchrecords, documents, or materials, their drafts, or their modificationsmay have been created or stored, including (but not limited to) anyhandmade form (such as writing, drawing, painting, with anyimplement onany surface, directly or indirectly); any photographic form (such asmicrofilm, microfiche, prints, slides, negatives, videotapes, motionpictures, photocopies); any mechanical form (such as phonographrecords, printing, or typing); any electrical, electronic, or magnetic form (such@as tape recordings, cassettes, compact discs, or any information on anPelectronic or magnetic storage device, such as floppy diskettes, hard`disks, backup tapes, CDROMs, optical discs, printer buffers, smartpcards, memory calculators, electronic dialers, Bernoulli drives, orelectronic notebooks, as well as printouts or readouts from anymagneticstorage device). [Page 131]!"c. Electronic Mail: Searching and Seizing Data from a BBS Server under18$U.S.C. 2703%& In some situations, you may know or suspect that the target'scomputer is(0the server for an electronic bulletin board service (BBS). If you needto*Pseize the computer, the data on it, or backups of the data, considerthe,papplicability of 18 U.S.C. 2703. (See "STORED ELECTRONIC-COMMUNICATIONS," supra p. 85.) If the statute applies and there is ormay/be qualifying email on the computer, consider whether the6p(0 H6government has1probable cause to believe that all or any of it is evidence of crime.23Your affiant has probable cause to believe that [the suspect]'scomputer5operates, in part, as the server (or communications center) of an60electronic bulletin board service ("BBS"). This BBS [appears to]7@provide[s] "electronic communication service" to other persons, and[may]9Pcontain[s] their "electronic communications," which may have been in:p"electronic storage" on [the suspect's] computer for less than 180days<(as those terms are defined in 18 U.S. C. 2510). The affiant is aware of=the requirements of Title 18 U.S.C. 2703 describing law enforcement's>obligations regarding electronic communications in temporary storage?incident to transmission, as defined in that statute.@A(1) If All the EMail is Evidence of CrimeBCIf the whole BBS is dedicated to criminal enterprise (such as aspecialtyE"porn board" or "pirate board"), the facts may support searching andF0seizing all the email, including the electronic mail which qualifiesG@under the statute.HPI`[Your affiant, as an undercover subscriber and user of (the suspect's)JpBBS network, has learned that it is dedicated to exchanging illegalKcopies of computer software and stolen access codes among users. AllLusers are asked to furnish pirated software products and activeaccessNcodes (phone cards, credit cards, PBX codes, and computer passwords)inPreturn for the privilege of illegally downloading from the BBS otherQillegal software or codes they may choose. Your affiant has used theRelectronic mail services of the BBS, and knowsST[Page 132]U V0that the subscribers use it primarily to share information about otherW@sources of illegal software and about how to use stolen access codes6Pp(X` H6andYPcomputer passwords. Thus, your affiant has probable cause to believethat[any electronic mail residing on the system contains evidence of these\illegal activities.]]^(2) If Some of the EMail is Evidence of Crime_`If you have probable cause to believe that there will be evidence ofacrime in the email of some users and not others, the affidavit andbwarrant should distinguish and describe which will be searched andseizeddand which will not. In most cases like this, the government will bee0focusing on the electronic communications of the suspect/sysop'sf@coconspirators. The affidavit should identify the particulargPindividuals, if possible (by name or "hacker handle"), so that datah`analysts will know which email to search and which to leaveunopened. Injpsome cases, the government may have probable cause to search e  mail fromlsome "subboards" of the BBS, but not from others. In other cases,thenmagistrate may allow the government to run "string searches" of allthepemail for certain specified key words or phrases. There are too manyqvariations in these cases to draft useful models, but the wisestcoursesis to address this issue in the affidavit and set out a search andt seizure plan which the magistrate can approve. Please call theComputerv0Crime Unit (202514~1026) for more specific assistance.wPx`(3) If None of the EMail is Evidence of Crimeypz€In some cases. the suspect's criminal uses of his computer are quite{separate from and coincidental to his using it as the server for a BBS.| For example, a sysop who runs a legal bulletin board from his homemay~°also use the same computer to store personal copies of childpornography,Fp( HFor records of his drugdealing business, or a deaththreat letter tothePresident of the United States. None of these criminal uses hasanything to do with the legal (and perhaps statutorily protected) private@electronic communications of his BBS subscribersexcept for the factPthat they reside on the same computer system.`p[Page 133]ÀÐAnd even when this computer system clearly is an instrumentality oftheàsuspect/sysop's crime, the government may be obliged to protect theunrelated, qualifying email of innocent third parties and set it aside,unopened. In any event, the government should consider and addressthisissue with the magistrate and devise a plan which will work in thecaseat hand. Call the Computer Crime Unit for more help. 0d. Ask Permission to Seize Storage Devices when an Off~Site Search is@NecessaryP`Based upon your affiant's knowledge, training and experience, andpconsultations with [NAME AND QUALIFICATIONS OF EXPERT], your affiantĀknows that searching and seizing information from computers oftenĐrequires agents to seize most or all electronic storage devices (alongĠwith related peripherals) to be searched later by a qualified computerİexpert in a laboratory or other controlled environment. This is truebecause of the following:1) The volume of evidence. Computer storage devices (like hard disks,diskettes, tapes, laser disks, Bernoulli drives) can store the equivalentof thousands of pages of information. Additionally, a suspect may trytoconceal criminal evidence; he or she might store it in random orderwith0deceptive file names. This may require searching authorities toexaminePall the stored data to determine which particular files are evidence orFppp(ŀ HFinstrumentalities of crime. This sorting process can take weeks orŐmonths, depending on the volume of data stored, and it would beŠimpractical to attempt this kind of data search on site.Ű2) Technical requirements. Searching computer systems for criminalevidence is a highly technical process requiring expert skill and aproperly controlled environment. The vast array of computerhardware andsoftware available requires even computer experts to specialize insomesystems and applications, so it is difficult to know before a search0which expert is qualified to analyze the system and its data. In any@event, however, data search protocols are exacting scientificproceduresPdesigned to protect the integrity of the evidence p ƀ[Page 134] Ɛ Ơand to recover even "hidden," erased, compressed, password~  protected, or ưencrypted files. Since computer evidence is extremely vulnerable toinadvertent or intentional modification or destruction (both fromexternal sources or from destructive code imbedded in the system asa"booby trap"), a controlled environment is essential to its completeandaccurate analysis.0@e. Ask Permission to Seize, Use, and Return Auxiliary Items, asNecessaryPpIn cases where you must seize hardware, software, documentation,and dataǀsecurity devices in order to search and seize the data for which youhaveǠprobable cause, ask the magistrate's permission in the affidavit. Thelanguage which follows is general and will be most applicable tocomputers which are not part of an extensive network. Of course, ifyouhave specific information in your case to support seizing auxiliary6p( H6items(e.g., the computer hardware is rare; the operating system is0customdesigned), cite those factors rather than using the general@description which follows.P`Based upon your affiant's knowledge, training and experience, and[NAME pAND QUALIFICATIONS OF EXPERT], your affiant knows that searching!Ȑcomputerized information for evidence or instrumentalities of crime"Ƞcommonly requires agents to seize most or all of a computer system's#Ȱinput/output peripheral devices, related software, documentation,and$data security devices (including passwords) so that a qualifiedcomputer%expert can accurately retrieve the system's data in a laboratory orother&controlled environment. This is true because of the following:' (0The peripheral devices which allow users lo enter or retrieve datafrom)@the storage devices vary widely in their compatibility with other*`hardware and software. Many system storage devices requireparticular+pinput/output (or "I/O") devices in order to read the data on thesystem.,ɐIt is important that the analyst be able to properly re~configure the-ɰsystem as it now operates in order to accurately retrieve theevidence.listed above. In addition, the analyst needs the relevant systemsoftware/(operating systems, interfaces, and01[Page 135]2 30hardware drivers) and any applications software which may havebeen used4@to create the data (whether stored on hard drives or on externalmedia),5`as well as all related instruction manuals or other documentation and6ʀdata security devices.F7ʐʐp(ʠ HFܿ8ʰIf, after inspecting the l/O devices, software, documentation, anddata9security devices, the analyst determines that these items are nolonger:necessary to retrieve and preserve the data evidence, thegovernment will;return them within a reasonable time.< =0f. Data Analysis Techniques>@?PData analysts may use several different techniques to searchelectronic@`data for evidence or instrumentalities of crime. These include, but areAˀnot limited to the following: examining file directories andBːsubdirectories for the lists of files they contain; "opening" or readingCˠthe first few "pages" of selected files to determine their contents;D ˰scanning for deleted or hidden data; searching for key words orphrasesE ("string searches").F G 3. Stipulation for Returning Original Electronic DataHIIn some cases, you may want to return data storage devices whichcontainJ original electronic evidence to the suspect and keep "bitstream" orK@"mirrorimage" copies for processing and for use at trial. Forexample,LPthe suspect may be a large business which employs many innocentpeopleMpand which needs its computers and data in order to run the businessandN̐pay the employees. If you do wish to return the equipment and databeforeO̰trial, consider using some version of the following stipulation to avoidPevidentiary issues. Of course, whether the copies are, indeed, "exact"Qcopies is a question of fact, and the defense will have to satisfy itselfRthat the government's copying process was accurate. But if, afterSexploring the issue, the defense refuses toTFU   p( 0 HF[Page 136]V!@W"Psign a stipulation and cannot be satisfied about the reliability of theX#`duplicates, you will probably need to keep the originals. (See"ReturningY%pSeized Computers and Materials," supra p. 105, and "EVIDENCE," suprap.Z'͐113.) (For a form stipulation, see p. 137.)[(Ͱ\)[Page 137]]*^+UNITED STATES DISTRICT COURT_,`-In the Matter of the Search of ____a.b/ STIPULATION OF THE PARTIES.c00d1@It is hereby stipulated and agreed between ____ and ____ as anindividuale3Pand as an agent for ____ that:f4pg5΀(1) the electronic information contained on the [Bernoulli 90MB disk,h6ΐnumber ____] is a complete, exact, and accurate duplicate ofi7Πthe electronic information contained on [the hard drive of an IBMj8ΰpersonal computer, serial number ____] [the hard drive of a personalk9computer identified as "Fred's" by an evidence tag attached to thetop ofl;the CPU cover, said personal computer bearing no serial number orotherm=identifying information] [a floppy disk marked with an evidencestickern?as "item number ____, and bearing the initials "_ _ _"]; whicho@0computers/floppy disk were/was seized from ____ on ____, 199_, byagentspB@of the ____.qC`rDp(2) the electronic information contained on the [Bernoulli 90MB disk,sEπnumber ____] accurately reproduces the original data describedabove astGϐof____, 199_.FuHϰϰp(H HFܿvIAssistant U.S. Attorney DefendantwJxKAgency AttorneyyLzM[No page 138] [Page 139]{N |O0APPENDIX B: GLOSSARY14}P@~QPBBS See "Electronic Bulletin Board Systems."R`SpCD ROM CD ROM stands for Compact Disk ReadOnly Memory. CDROMs storeUЀand read massive amounts of information on a removable disk platterorWРsolid state storage chip. Unlike the data on hard drives and diskettes,Xdata on CD ROMs can only be readnot alteredby the user. AlsocalledZ"firmware."[\CPU The central processing unit.]^ DATA "A formalized representation of facts or concepts suitable for_0communication, interpretation, or processing by people or automated`@means." The term "data" is often used to refer to the informationstoredbPin the computer.cpdрDOCUMENTATION Documents that describe technical specificationsforfѐcomputerrelated products and how to use hardware componentsand/orhѰsoftware applications.ijELECTRONIC BULLETIN BOARD SYSTEMS (BBS) A bulletin board system isalcomputer dedicated, in whole or in part, to serving as an electronicmmeeting place. A BBS computer system may contain information,programs,o and email, and is set up so that users can dial the bulletin boardFp@@p(pP HFsystem, read and leave messages for other users, and download anduploadr`software programs for common use. A BBS can have multipletelephone linestҀ(so that many people can use it at the same time) or a single linewherevҠa user's access is firstcome, firstserved. BBSs can have severallevelsxof access, sometimes called "subboards" or "conferences." Access tothezdifferent conferences is controlled by the system operator with a{password system. A single user may have several differentpasswords, one}for each different level or conference. A user may store documents,data,0programs, messages, and even photographs in the different levels ofthePBBS. A bulletin board system may be located anywhere telephone linesgo.pӐ14 All quotations in this Glossary are taken from Webster's DictionaryofӠComputer Terms (3d ed. 1988).[Page 140]ELECTRONIC MAIL Electronic mail provides for the transmission ofmessages and files between computers over a communicationsnetwork.Sending information in this way is similar in some ways to mailing a0letter through the postal service. The messages are sent from one@computer through a network server to the electronic address ofanotherPspecific computer or to a series of computers of the sender's choice.Theptransmitted messages (and attached files) are either stored at theԐcomputer of the addressee (such as someone's personal computer) orat theԠmail server (a machine dedicated, at least in part, to storing mail),andFp( HFwill remain there until the addressee retrieves the mail from theserver.When people "pick up" email from the mail server, they usuallyreceiveonly a copy of their mail, and the stored message is maintained in the0mail server until the addressee deletes it. (Some systems allowsenders@to delete mail on the server before delivery.) Of course, deleted mail`may sometimes be recovered by "undeleting" the message (if not yetpoverwritten) or by obtaining a backup copy (if the server was backedupՀbefore the message was deleted).ՠհFAX PERIPHERAL A device, normally inserted as an internal card, thatallows the computer to function as a fax machine. (An abbreviation of"facsimile.")FILE SERVER A file server is a computer on a network that storestheprograms and data files shared by the users of the network. A fileserver is the nerve center of the network, and also acts as a remote diskdrive,@enabling users to store information. It can be physically located in`another judicial district from the suspect's machine.pրFLOPPY DISK DRIVE A drive that reads from or writes to separate֐diskettes which the user inserts. Information is stored on thediskettes֠themselves, not on the drive.HARD DISK DRIVE A storage device based on a fixed, permanentlymounteddisk drive. It may be either internal (part of the computer itself) orexternal (a separate but connected component). Both applications anddatamay be stored on the disk.0@HARDWARE "The physical components or equipment that make up acomputerFP`p(p HFsystem..." Examples include keyboards, monitors, and printers.׀א[Page 141]נװINPUT/OUTPUT DEVICE A piece of equipment which sends data to, orreceives data from, a computer. Keyboards, monitors, and printersare allcommon I/O devices.LASER DISK Similar to a CD ROM drive but uses lasers to read andsometimes write information. 0MODEM A device ("modulate/demodulate") which allows onecomputer to@communicate with another computer, normally over standardtelephone`lines. It converts the computer's digital information to analoguesignals؀for outgoing telephone transmission, and reverses the conversion forؠincoming messages. Modems may be either part of (internal) orexternal toذthe computer.MOUSE A pointing device that controls input by moving a cursor orother figure on the screen. Normally, the user points to an object onthescreen and then presses a button on the mouse to indicate herselection. @NETWORK "A system of interconnected computer systems andterminals."PpPRINTER A number of technologies exist, using various techniques.Theـmost common types of computer printers are:٠ٰ1. Band a rotating metal band is impacted as it spins;2. Daisy wheel a small print wheel containing the form of eachcharacter rotates and hits the paper, character by character;Fp( HFܿ3. Dot matrix characters and graphics are created by pins hitting the ribbon and paper;0@4. Ink jet injects (sprays) ink onto the paper;P`5. Laser electrostatically charges the printed page and appliestoner;pڐ6. Plotter moves ink pens over the paper surface, typically used forڠlarge engineering and architectural drawings.ڰ7. Thermal a hot printer head contacts special paper that reacts toheat.[Page 142]SCANNER Any optical device which can recognize characters onpaper and, using specialized software, convert them into digital form.@PSERVER See "File Server."`pSOFTWARE "The programs or instructions that tell a computer whattoۀdo." This includes operating system programs which control the basic۠functions of the computer system (such as Microsoft's Disk Operating۰System"MSDOS"that controls IBMcompatible PCs) andapplicationsprograms which enable the computer to produce useful work (e.g., awordprocessing program such as WordPerfect). SYSOP See "System Administrator."   0SYSTEM ADMINISTRATOR The individual responsible for assuring thatthe  @computer network is functioning properly. He is often responsible for `computer security as well. pF ܀܀p(ܐ HFSYSTEM OPERATOR See "System Administrator." ܠܰVOICEMAIL SYSTEMS A voicemail system is a complex phoneansweringmachine (run by a computer) which allows individuals to send andreceivetelephone voice messages to a specific "mailbox" number. A personcancall the voicemail system (often a 1800 number) and leave amessage in a particular person's mailbox, retrieve messages left by other people,or@transfer one message to many different mailboxes in a list. Usually,`anyone can leave messages, but it takes a password to pick them uporpchange the initial greeting. The system turns the user's voice into ݐdigital information and stores it until the addressee erases it or!ݠanother message overwrites it. Criminals sometimes use voicemailboxes#ݰ(especially, if they can beat the password, those of unsuspectingpeople)%as remote deaddrops for information that may be valuable in acriminal'case. The server for the voice mailboxes is usually located in the(message system computer of the commercial vendor which suppliesthe* voicemail service. Sometimes it can be found on the+@customer~organization's computer server at the location called.Voice-Pmail messages can be written on magnetic disk or remain in thecomputer's/pmemory, depending on the vendor's system. 0ސ!1ޠ[No page 142] [Page 143]"2ް#3APPENDIX C: FEDERAL EXPERTS FOR COMPUTER CRIME INVESTIGATIONS$4%5The following is a list of some federal resources in alphabetical order:&6'71. Bureau of Alcohol, Tobacco, and Firearms Forensic Science6p(8  H6Laboratory(91401 Research Blvd. Rockville, MD 20850 3012175717):@*;P2. Drug Enforcement Administration Chief, Technical Operations Section+<`8199 Backlick Road Lorton, VA 20079 7035578250,=p->߀3. Federal Bureau of Investigation Computer Crime Squad Washington.?ߐMetropolitan Field Office 7799 Leesburg Pike Suite 200, South TowerFalls/AߠChurch, VA 22043 20232491640B1C4. Federal Bureau of Investigation Laboratory Division 9th and2DPennsylvania Ave., N.W. Washington, DC 20535 20232430003E4F5. Internal Revenue Service SCER Program Coordinator Criminal5GInvestigation Division CI:R:I Room 2246 1111 Constitution Ave., N.W.6H Washington, DC 20224 20253591307I08J@[Page 144]9KP:L`United States Air Force Computer Crime Division Office of Special;MpInvestigations HQ AFOSI/IVSC Bolling Air Force Base Washington, DC<N203326001 2027675847=O>PUnited States Secret Service Electronic Crimes Branch 1310 L Street,N.W.?RWashington, DC 20005 2024357700@SAT[Page 145]BUCVAPPENDIX D:DWEX COMPUTER SEARCH AND SEIZURE WORKING GROUPFY0GZ@The following agencies and individuals contributed to these guidelines.H[P * Designates those no longer in government service.I\`J]pUnited States Department of DefenseK^L_United States Air ForceFM`p(` HFܿNaComputer Crime Division Office of Special Investigations HQ AFOSI/IVSCObBolling AFB Washington, DC 203326001 2027675847PcQdJim Christy, ChiefReSfUnited States Department of JusticeTg Uh0Criminal DivisionVi@WjPKevin Di Gregory, Deputy Assistant Attorney GeneralXk`YlpRobert Litt, Deputy Assistant Attorney GeneralZm[n[Page 146] General Litigation and Legal Advice Section 1001 G Street,\oN.W., Suite 200 Washington, DC 20001 2025141026]p^qMary C. Spearing, Chief Scott Charney, Chief, Computer Crime UnitMartha_sStansellGamm, Working Group Chair Laura Blumenfeld William D.Braun`uWilliam C. Brown Elena Duarte Gerald Grzenda Annette Long StevanMitchellawMichael J. Rhim Daniel Schneider Joshua Silverman Phillip Talbert *Peterby0Toren George Toscas Candice Will Paula WolffczPd{`Office of Professional Development and Training 1001 G Street, N.W.,e|pSuite 250 Washington, DC 20001 2025141323f}g~Debra Crawfordhi[Page 147]jkDrug Enforcement AdministrationlmCriminal Law Section Office of the Chief Counsel 700 Army Navy Drive,nWest Bldg. Arlington, VA 22202 2023078014op Greg MitchellFq00p(@ HFܿrPFederal Bureau of Investigations`tpComputer Analysis and Response Team Laboratory Division, Room 32189thuand Pennsylvania Ave., N.W. Washington, DC 20535 2023242104vwSteve McFall, Chief Mike NoblettxyComputer Crime Squad Washington Metropolitan Field Office 7799LeesburgzPike Suite 200, South Tower Falls Church, VA 22043 2023249164{|James Settle, Chief *} ~0[Page 148]@PTax Division`pCriminal Law Section Main Justice Bldg., Room 4625 10th andConstitutionAve., N.W. Washington, DC 20530 2025142832Tony WhitledgeUnited States Attorneys OfficesNorthern District of California 450 Golden Gate Ave., 11th Floor Box36055 San Francisco, CA 94102 4155564229 Robert K. Crowe0@Southern District of California 940 Front St., Room 5NI9 San Diego,CAP921890150 6195576962pMitchell D. DembinNorthern District of Georgia Richard Russell Bldg., Room 1800 75 SpringStreet Atlanta, GA 30335 4043316954Fp( HFܿKent Alexander, United States Attorney Randy Chartash[Page 149] Southern District of New York One St. Andrews Plaza New York, NY1000702127910055P`Steve Fishbein *pEastern District of Virginia 600 E. Main St., Suite 1800 Richmond, VA23219 8047712186Win GrantUnited States Department of the TreasuryBureau of Alcohol, Tobacco, and FirearmsForensic Science Laboratory 1401 Research Blvd. Rockville, MD 20850 30121757170@John MinsekP`Systems Operation/Software Engineering Support Branches 650MassachusettspAve., N.W., Room 6004 Washington, DC 20226 2029276095Dan Lofton Michael Park[Page 150]Internal Revenue ServiceCriminal Investigation Division 1111 Constitution Ave., N.W., Room2246Washington, DC 20224 20253591300@Timothy Whitley, Senior AnalystFPPp(` HFܿpCriminal Investigation Training Federal Law Enforcement TrainingCenterBuilding 69, Third Floor Glynco, GA 31524 9122672378Dan Duncan, Attorney Chuck Rehling, Special AgentSeized Computer & Evidence Recovery Specialists ComputerInvestigativeSpecialists 515 N. Sam Houston Pkwy., East Mail Stop 9123 NWHouston, TX77060 7138785897 0Ken Scales, Special Agent@PUnited States Customs Service`pOffice of Investigative Programs Special Investigations Division 1301Constitution Ave., N.W., Room 6130 Washington, DC 20229 202377  9283John Seither, Senior Special Agent[Page 151]United States Secret ServiceElectronic Crimes Branch Financial Crimes Division 1310 L Street, N.W., Room 200 Washington, DC 20005 20243577000@Jack Lewis Tom MoyleP`[No page 152] [Page 153]pAPPENDIX E: STATUTORY POPULAR NAME TABLEAccess Device Fraud Statute ..... . . . . . . . . . . . 18 U.S.C. 1029Computer Fraud and Abuse Act ..........................18 U.S.C. 1030NoKnock Statute ..........................$18 U.S.C. 3109Privacy Protection Act ....................... $42 U.S.C. 2000aaFp( HFStored Communications Access ................. 18 U.S.C. 2701, et seq.Wiretap Statute ("Title III") ................18 U.S.C. 2510, et seq. [No page 154] [Page 155]0@APPENDIX F: TABLE OF AUTHORITIESP`Cases [number following case is page number on which case is cited]p Abel v. United States, 362 U.S. 217 (1960) 36  Aguilar v. Texas, 378 U.S. 108 (1964) 27  Andresen v. Maryland, 427 U.S. 463 (1976) 30, 37, 38Application of Commercial Inv. Co., 305 F. Supp. 967 (S.D.N.Y. 1969) 37Blair v. United States, 665 F.2d 500 (4th Cir. 1981) 11 Blinder. Robinson & Co. v. United States, 897 F.2d 1549, 46 CrL 15370(10th Cir. 1990) 107@PDeMassa v. Nunez, 747 F.2d 1283 (9th Cir. 1984) 43`pDonovan v. A.A. Beiro Construction Co., Inc., 746 F.2d 894 (D.C. Cir.1984) 21Floyd v. United States, 860 F.2d 999 (1Oth Cir. 1988) 106Frazier v. Cupp, 394 U.S. 731 (1969) 15Horton v. California, 496 U.S. 128, 47 CrL 2135 (1990) 9 !Illinois v. Rodriguez, 497 U.S. 177, 47 CrL 2177 (1990) 16, 17"# In Re Grand Jury Subpoena Duces Tecum Dated November 15, 1993, 846F.%0Supp. 11, 54 CrL 1506 (S.D.N.Y. 1994) 98&P'`In Re Grand Jury Subpoenas, 926 F.2d 847 (9th Cir. 1991) 53F(ppp(( HFܿ)In Re Southeastern Equipment Co. Search Warrant, 746 F. Supp.1563(S.D.+Ga. 1990) 105, -Klitzman v. Krut, 744 F.2d 955 (3d Cir. 1984) 40 . /Lafayette Academy, Inc., Application of, 610 F.2d 1 (1st Cir. 1979) 53, 098 12 Lambert v. Polk County, Iowa, 723 F. Supp. 128 (S.D. Iowa 1989) 80304@Marron v. United States, 275 U.S. 192 (1927) 375P6`Marvin v. United States, 732 F.2d 669 (8th Cir. 1984) 587p8Matter of Search of Kitty's East, 905 F.2d 1367 (10th Cir. 1990) 106.107:;Mincey v. Arizona, 437 U.S. 385 (1978) 10<=Minneapolis Star & Tribune Co. v. United States, 713 F. Supp. 1308 (D.>Minn. 1989) 80?@National City Trading Corp. v. United States, 635 F.2d 1020 (2d Cir.A1980) 83B C0National Federation of Federal Employees v. Weinberger, 818 F.2d 935D@(D.C. Cir. 1987) 19 EP!F`Naugle v. Witney, 755 F. Supp. 1504 (D. Utah 1990) 58"Gp#HO'Connor v. Ortega, 480 U.S. 709 (1987) 18, 19, 21$I%JPell v. Procunier, 417 U.S. 817 (1974) 71&K'LPleasant v. Lovell, 876 F.2d 787 (10th Cir. 1989) 24(M)NSchneckloth v. Bustamonte, 412 U.S. 218 (1973) 12, 13*OF+Pp(P HFSecurities and Exchange Commission v. McGoff, 647 F.2d 185 (D.C. Cir.),,Q cert. denied, 452 U.S. 963 (1981) 71-R0.S@Steele v. United States, 267 U.S. 498 (1925) 96/TP0U`Steve Jackson Games. Inc. v. U.S. Secret Service, 816 F. Supp. 432 (W.D.1VpTex. 1993), appeal filed on other grounds, (Sept. 17, 1993) 82, 83, 882W3XTexas v. Brown, 460 U.S. 730 (1983) 114Y5ZUnited States Postal Service v. C.E.C. Services, 869 F.2d 184 (2d Cir.6[1989) 567\8]United States v. Agrusa, 541 F.2d 690 (8th Cir. 1976) cert. denied, 4299^U.S. 1045 (1977) 101:_;`United States v. Aguilar, 883 F.2d 662 (9th Cir. 1989), cert. denied, 498<a U.S. 1046 (1991) 24=b0>c@United States v. Arias, 923 F.2d 1387 (9th Cir.), cert. denied, 112 S.?dPCt. 130 (1991) 10@e`AfpUnited States v. Barrett, 725 F. Supp. 9 (D.D.C. 1989) 100BgChUnited States v. Bentley, 825 F.2d 1104 (7th Cir.), cert. denied, 484DiU.S. 901 (1987) 56, 58, 98EjFkUnited States v. Beusch, 596 F.2d 871 (9th Cir. 1979) 58GlHmUnited States v. Bilanzich, 771 F.2d 292 (7th Cir. 1985) 20InJoUnited States v. Block, 590 F.2d 535 (4th Cir. 1978) 15, 18KpLq United States v. Blok, 188 F.2d 1019 (D.C. Cir. 1951) 21Mr0Ns@United States v. Boyette, 299 F.2d 92 (4th Cir.), cert. denied, 369 U.S.OtP844 (1962) 28Pu`QvpUnited States v. Brown, 556 F.2d 304 (5th Cir. 1977) 100RwFSxp(x HFUnited States v. BustamanteGamez, 488 F.2d 4 (9th Cir. 1973), cert.Tydenied, 416 U.S. 970 (1974)100UzV{United States v. Caballos, 812 F.2d 42 (2d Cir. 1987) 13W|X}United States v. Carter, 566 F.2d 1265 (5th Cir. 1978), cert. denied, 436Y~U.S. 956 (1978) 102Z[ United States v. Darensbourg, 520 F.2d 985 (5th Cir. 1975) 96\0]@United States v. David, 756 F. Supp. 1385 (D. Nev. 1991) 9, 11, 14, 54^P_`United States v. Duran, 957 F.2d 499, 51 CrL 1009 (7th Cir. 1992) 17`paUnited States v. Fawole, 785 F.2d 1141 (4th Cir. 1986) 59bcUnited States v. Francis, 646 F.2d 251 (6th Cir.), cert. denied, 454 U.S.d1082 (1981) 101efUnited States v. Gargiso, 456 F.2d 584 (2d Cir. 1972) 20ghUnited States v. Griffin, 530 F.2d 739 (7th Cir. 1976) 13ijUnited States v. Henson, 848 F.2d 1374 (6th Cir. 1988),k  cert. denied, 488 U.S. 1005 (1989) 57l0m@United States v. Hillyard, 677 F.2d 1336 (9th Cir. 1982) 84nPo`United States v. Houle, 603 F.2d 1297 (8th Cir. 1979) 11ppqUnited States v. Johns, 948 F.2d 599, 50 CrL 1224 (9th Cir. 1991), cert.rdenied, 112 S. Ct. 3046 (1992) 35stUnited States v. Judd, 687 F. Supp. 1052 (N.D. Miss. 1988), aff'd 889uF.2d 1410 (5th Cir. 1989), cert. denied, 494 U.S. 1036 (1989) 93vwUnited States v. Korman, 614 F.2d 541 (6th Cir.), cert denied, 446 U.S.x952 (1980) 39yzUnited States v. Lefkowitz, 285 U.S. 452 (1932) 37F{  p(0 HFܿ|@United States v. Leon, 468 U.S. 897 (1984) 9}P~`United States v. Lindenfield, 142 F.2d 829 (2d Cir.), cert. denied, 323pU.S. 761 (1944) 38United States v. Long, 524 F.2d 660 (9th Cir. 1975) 15United States v. Lucas, 932 F.2d 1210, 49 CrL 1138 (8th Cir.), cert.denied, 112 S. Ct. 399 (1991) 53United States v. Markis, 352 F.2d 860 (2d Cir. 1965), vacated withoutopinion, 387 U.S. 425 (1967) 28United States v. Matlock, 415 U.S. 164 (1974) 14, 16, 17 0United States v. Mendenhall, 446 U.S. 544 (1980) 13@PUnited States v. MilanRodriguez, 759 F.2d 1558 (11th Cir.), cert.`denied, 474 U.S. 845 (1985), and cert. denied, 486 U.S. 1054 (1988) 12pUnited States v. Murrie, 534 F.2d 695 (6th Cir. 1976) 100United States v. Musson, 650 F. Supp. 525 (D. Colo. 1986) 53United States v. Patino, 830 F.2d 1413 (7th Cir. 1987), cert. denied, 490U.S. 1069 (1989) 11United States v. Price, 599 F.2d 494 (2nd Cir. 1979) 13United States v. Prout, 526 F.2d 380 (5th Cir.), cert. denied, 429 U.S. 840 (1976) 940@United States v. Ramsey, 431 U.S. 606 (1977), cert. denied, 434 U.S.1062P(1978) 12pUnited States v. Reed, 935 F.2d 641 (4th Cir.), cert. denied, 112 S. Ct.423 (1991) 10Fp( HFUnited States v. Remigio, 767 F.2d 730 (1Oth Cir.), cert. denied, 474U.S. 1009 (1985) 100United States v. Reyes, 798 F.2d 380 (1Oth Cir. 1986) 53United States v. Robinson, 287 F. Supp. 245 (N.D. Ind. 1968) 29 0United States v. Rodriguez, 968 F.2d 130, 51 CrL 1097 (2d Cir.), cert.@denied, 113 S. Ct. 140 (1992) 94P`United States v. Ruminer, 786 F.2d 381 (10th Cir. 1986) 101pUnited States v. Santarelli, 778 F.2d 609 (11th Cir. 1985) 60United States v. Santarsiero, 566 F. Supp. 536 (S.D.N.Y. 1983) 27, 39United States v. Sawyer, 799 F.2d 1494 (11th Cir. 1986), cert. deniedsubnom. Leavitt v. United States, 479 U.S. 1069 (1987) 56United States v. Scheer, 600 F.2d 5 (3d Cir. 1979) 12 United States v. Scott, 578 F.2d 1186 (6th Cir.), cert. denied, 439 U.S.0870 (1978) 13@PUnited States v. Sealey, 830 F.2d 1028 (9th Cir. 1987) 16`pUnited States v. Sinclair, 742 F. Supp. 688 (D.D.C. 1990) 101United States v. Sklaroff, 323 F. Supp. 296 (S.D. Fla. 1971) 96United States v. Snow, 919 F.2d 1458 (1Oth Cir. 1990) 57United States v. Stern, 225 F. Supp. 187 (S.D.N.Y. 1964) 28, 29, 38United States v. Stewart, 867 F.2d 581 (1Oth Cir. 1989) 102United States v. Taft, 769 F. Supp. 1295 (D. Vt. 1991) 108 0United States v. Talkington, 875 F.2d 591 (7th Cir. 1989) 9F@@p(P HFܿ`United States v. Tamura, 694 F.2d 591 (9th Cir. 1982) 58, 60, 100pUnited States v. Tropp, 725 F. Supp. 482 (D. Wyo. 1989) 84United States v. Truitt, 521 F.2d 1174 (6th Cir. 1975) 27, 30United States v. Turk, 526 F.2d 654 (5th Cir.), cert. denied, 429 U.S.823 (1976) 11United States v. Valenzuela, 596 F.2d 824 (9th Cir.), cert. denied, 441U.S. 965 (1979) 100 United States v. Viera, 569 F. Supp. 1419 (S.D.N.Y. 1983) 280@United States v. Villegas, 899 F.2d 1324, 47 CrL 1041 (2d Cir.), cert.Pdenied, 498 U.S. 991 (1990) 35, 36`pUnited States v. Whitten, 706 F.2d 1000 (9th Cir. 1983), cert. denied,465 U.S. 1100 (1984) 39United States v. Wuagneux, 683 F.2d 1343 (11th Cir. 1982), cert.denied,464 U.S. 814 (1983) 58 United States v. Wysong, 528 F.2d 345 (9th Cir. 1976) 102  Vaughn v. Baldwin, 950 F.2d 331 (6th Cir. 1991) 13   Voss v. Bergsgaard, 774 F.2d 402 (1Oth Cir. 1985) 530@Warden v. Hayden, 387 U.S. 294 (1967) 26, 28, 29, 37P`Yancey v. Jenkins, 638 F. Supp. 340 (N.D. Ill. 1986) 27pZurcher v. Stanford Daily, 436 U.S. 547 (1978) 72, 76StatutesFp( HF18 U.S.C. 1029 36, 7718 U.S.C. 1030 36, 77 18 U.S.C. 2510 86, 1310@18 U.S.C. 2701, et seq. 56, 71P `18 U.S.C. 2702 23, 50, 85!p"18 U.S.C. 2703 8588, 131#$18 U.S.C. 2711 85%&18 U.S.C. 3109 100'(26 U.S.C. 6103 66)*42 U.S.C. 2000aa 41, 42, 56, 7275, 7780, 8284+, -0Federal Rules.@/P124 F.R.D. 428 1070` 1pFed. R. Crim. P. 41 1, 2628, 30, 3537, 8689, 9296, 105110, 125, 126 2 3Fed. R. Evid. 16 69 4 5Fed. R. Evid. 501 4167Fed. R. Evid. 803(6) 113, 122, 12389Fed. R. Evid. 803(10) 121:;Fed. R. Evid. 901 115, 116, 119< =0Fed. R. Evid. 1001 108, 114, 115, 120>@?PFed. R. Evid. 1002 114F@``p(@p HFܿAFed. R. Evid . 1003 115BCFed. R. Evid. 1006 122DEFederal RegulationsFG28 C.F.R. 50.10 73 H!I28 C.F.R. 59.1.6 30, 41"J#K $L0Legislative History%M@&NPH.R. Rep. No. 647, 99th Cong., 2d Sess. 87'O`(PpH.R. Rep. No. 1064, 96th Cong., 2d Sess. 76, 79)Q*RS. Rep. No. 874, 96th Cong., 2d Sess. 73, 75, 76, 78+S,TTestimony of Richard J. Williams, Vice President, National District-UAttorney's Association, in Hearing before the Committee on theJudiciary,.WUnited States Senate, 96th Cong., 2d Sess. on S. 115, S. 1790, and S./X1816 (Mar. 28, 1980) Serial No. 9659, at 1523 760Y1Z2[ Reference Materials3\04]@Rose, Steve Jackson Games Decision Stops the Insanity, Boardwatch,May5_P1993 836`p7aThe American Heritage Dictionary, (2d ed. 1983) 928b9cW. LaFave, Search and Seizure: A Treatise on the Fourth Amendment(2d ed.:e1987) 15, 17;f<gWebster's Dictionary of Computer Terms (3d ed. 1988) 2, 139F=hp(h HFܿ>iWright & Miller, Federal Practice and Procedure: Criminal 2d (1982) 29?j .@k0