FEDERAL GUIDELINES 
FOR SEARCHING AND SEIZING COMPUTERS

This manual is the 1994 edition. For a more recent edition and additional resources, please visit www.cybercrime.gov/searching.html
 

TABLE OF CONTENTS


PREFACE 

INTRODUCTION    



I.  KEY TERMS AND CONCEPTS

A.   DEFINITIONS    

B.   LIST OF COMPUTER SYSTEM COMPONENTS    

C.   DETERMINING THE COMPUTER'S ROLE IN THE OFFENSE    



II.  GENERAL PRINCIPLES

A.   SEARCH WARRANTS    

B.   PLAIN VIEW    

C.   EXIGENT CIRCUMSTANCES    

D.   BORDER SEARCHES    

E.   CONSENT SEARCHES    

     1.   Scope of the Consent    
     2.   Third-Party Consent    
          a.   General Rules    
          b.   Spouses    
          c.   Parents    
          d.   Employers    
          e.   Networks:  System Administrators    
F.   INFORMANTS AND UNDERCOVER AGENTS    

G.   AGENCY ISSUES (NEW SECTION)

III.  SEIZING HARDWARE

A.   THE INDEPENDENT COMPONENT DOCTRINE    

B.   HARDWARE AS CONTRABAND OR FRUITS OF CRIME    
     1.   Authority for Seizing Contraband or Fruits of Crime    
     2.   Contraband and Fruits of Crime Defined    

C.   HARDWARE AS AN INSTRUMENTALITY OF THE OFFENSE    
     1.   Authority for Seizing Instrumentalities    
     2.   Instrumentalities Defined    

D.   HARDWARE AS EVIDENCE OF AN OFFENSE    
     1.   Authority for Seizing Evidence    
     2.   Evidence Defined    

E.   TRANSPORTING HARDWARE FROM THE SCENE    



IV.  SEARCHING FOR AND SEIZING INFORMATION

A.   INTRODUCTION    

B.   INFORMATION AS CONTRABAND    

C.   INFORMATION AS AN INSTRUMENTALITY    

D.   INFORMATION AS EVIDENCE   

     1.   Evidence of Identity    
     2.   Specific Types of Evidence    
          a.   Hard Copy Printouts    
          b.   Handwritten Notes    

E.   PRIVILEGED AND CONFIDENTIAL INFORMATION    
     1.   In General    
          a.   Doctors, Lawyers, and Clergy    
          b.   Publishers and Authors    
     2.   Targets    
     3.   Using Special Masters    

F.   UNDERSTANDING WHERE THE EVIDENCE MIGHT BE:  STAND-ALONE PCs, 
     NETWORKS AND FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS,
     AND ELECTRONIC MAIL    
     1.   Stand-Alone PCs    
          a.   Input/Output Devices:  Do Monitors, Modems, Printers, and 
               Keyboards Ever Need to be Searched?    
          b.   Routine Data Backups    
     2.   Networked PCs    
          a.   Routine Backups    
          b.   Disaster Backups    

G.   SEARCHING FOR INFORMATION    

     1.   Business Records and Other Documents    
     2.   Data Created or Maintained by Targets    
     3.   Limited Data Searches    
     4.   Discovering the Unexpected    
          a.   Items Different from the Description in the Warrant    
          b.   Encryption    
          c.   Deleted Information (New Section)    

H.   DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR 
     TO REMOVE HARDWARE TO ANOTHER LOCATION    
     1.   Seizing Computers because of the Volume of Evidence    
          a.   Broad Warrant Authorizes Voluminous Seizure of Documents    
          b.   Warrant is Narrowly Drawn but Number of Document
                to be Sifted through is Enormous    
          c.   Warrant Executed in the Home    
          d.   Applying Existing Rules to Computers    

     2.   Seizing Computers because of Technical Concerns    
          a.   Conducting a Controlled Search to Avoid 
               Destroying Data    
          b.   Seizing Hardware and Documentation so the 
               System Will Operate at the Lab    

I.   EXPERT ASSISTANCE    
     1.   Introduction    
     2.   Finding Experts    
          a.   Federal Sources    
          b.   Private Experts    
               (1)   Professional Computer Organizations    
               (2)   Universities    
               (3)   Computer and Telecommunications Industry Personnel    
               (4)   The Victim    
     3.   What the Experts Can Do    
          a.   Search Planning and Execution    
          b.   Electronic Analysis    
          c.   Trial Preparation    
          d.   Training for Field Agents    

J.   DISKETTES AND OTHER "CONTAINERS" (NEW SECTION)



V.  NETWORKS AND BULLETIN BOARDS

A.   INTRODUCTION    

B.   THE PRIVACY PROTECTION ACT, 42 U.S.C.  2000aa    
     1.   A Brief History of the Privacy Protection Act    
     2.   Work Product Materials    
     3.   Documentary Materials    
     4.   Computer Searches and the Privacy Protection Act    
          a.   The Reasonable Belief Standard    
          b.   Similar Form of Public Communication    
          c.   Unique Problems:  Unknown Targets and Commingled 
               Materials    
     5.   Approval of Deputy Assistant Attorney General Required    
     6.   Liability Under the Privacy Protection Act (New Section)
C.   STORED ELECTRONIC COMMUNICATIONS    

D.   STORED WIRE COMMUNICATIONS (NEW SECTION)


VI.  DRAFTING THE WARRANT

A.   DRAFTING A WARRANT TO SEIZE HARDWARE    

B.   DRAFTING A WARRANT TO SEIZE INFORMATION    
     1.   Describing the Place to be Searched    
          a.   General Rule:  Obtain a Second Warrant    
          b.   Handling Multiple Sites within the Same District    
          c.   Handling Multiple Sites in Different Districts    
          d.   Information at an Unknown Site    
          e.   Information/Devices Which Have Been Moved    

     2.   Describing the Items to be Seized    
     3.   Removing Hardware to Search Off-Site: Ask the
          Magistrate for Explicit Permission.    
     4.   Seeking Authority for a No-Knock Warrant    
          a.   In General    
          b.   In Computer-Related Cases    


VII.  POST-SEARCH PROCEDURES

A.   INTRODUCTION    

B.   PROCEDURES FOR PRESERVING EVIDENCE   
     1.   Chain of Custody   
     2.   Organization   
     3.   Keeping Records   
     4.   Returning Seized Computers and Materials    
          a.   Federal Rules of Criminal Procedure:  Rule 41(e)   
          b.   Hardware   
          c.   Documentation   
          d.   Notes and Papers   
          e.   Third-Party Owners   


VIII.  EVIDENCE

A.   INTRODUCTION   

B.   THE BEST EVIDENCE RULE   

C.   AUTHENTICATING ELECTRONIC DOCUMENTS   
     1.   "Distinctive" Evidence   
     2.   Chain of Custody   
     3.   Electronic Processing of Evidence   

D.   THE HEARSAY RULE   


IX.  APPENDICES

APPENDIX A:   SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS   
     1.   Tangible Objects   
          a.   Justify Seizing the Objects   
          b.   List and Describe the Objects   
               (1)   Hardware   
               (2)   Software   
               (3)   Documentation   
               (4)   Passwords and Data Security Devices   

     2.   Information:  Records, Documents, Data   
          a.   Describe the Content of Records, Documents, 
               or other Information   
          b.   Describe the Form which the Relevant Information 
               May Take   
          c.   Electronic Mail:  Searching and Seizing Data 
               from a BBS Server under 18 U.S.C.  2703   
               (1)   If All the E-Mail is Evidence of Crime   
               (2)   If Some of the E-Mail is Evidence of Crime   
               (3)   If None of the E-Mail is Evidence of Crime   
          d.   Ask Permission to Seize Storage Devices when 
               Off-Site Search is Necessary   
          e.   Ask Permission to Seize, Use, and Return 
               Auxiliary Items, as Necessary   
          f.   Data Analysis Techniques   
     3.   Stipulation for Returning Original Electronic Data   

APPENDIX B:   GLOSSARY   

APPENDIX C:   FEDERAL EXPERTS FOR COMPUTER CRIME INVESTIGATIONS   

APPENDIX D:   COMPUTER SEARCH AND SEIZURE WORKING GROUP   

APPENDIX E:   STATUTORY POPULAR NAME TABLE   

APPENDIX F:   TABLE OF AUTHORITIES   
                Cases 
                Statutes 
                Federal Rules 
                Federal Regulations  
                Legislative History  
                Reference Materials

Go to . . . CCIPS Home Page || Justice Home Page 
Updated page April 24, 2000
usdoj-crm/mis/mdf