Digital Device Searches

This article provides an overview of digital device searches, including the types of devices involved, cloud searches, and the process followed by law enforcement. It also discusses the tools used by police, important case highlights, best practices for judicial oversight, and strategies for challenging digital device searches.

marvins


Presentation Transcript


  1. Digital Device Searches
     A digital device search is an examination of data stored on a device that uses a computer or microcontroller to record information.

  2. Digital Device Searches: What do they include?
     Digital devices may include cell phones, tablets, laptops, desktop computers, and medical devices like pacemakers, hearing aids, heart-rate monitors, smartwatches, and smart meters.

  3. Cloud Searches
     Digital device searches may sometimes involve cloud searches where the device is used as a portal for examining digital information and media stored outside the device itself, on remote servers known as the “cloud.”

  4. How do they work?
     Digital device searches (DDS) may be performed:
     • Manually – by looking through data on the device as a user would
     • Forensically – with assistance from other computers or software
     • Hybrid – using some combination of a manual and forensic search

  5. What do the cops do?
     • The DOJ’s Manual for Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (https://eff.org/DOJDSM2009) sets forth a 2-step process for digital device searches:
        • The “imaging” – where law enforcement makes a complete digital copy of all info on the device
        • The “analysis” – where govt uses forensic software to examine the digital copy, allowing it to organize, methodically search, and view data, including data the user may have believed was deleted

  6. What do the Cops Know?
     Review govt training materials:
     • 2011 – DOJ Guide on Admitting Electronic Evidence: https://eff.org/DOJOAEE
     • 2009 – DOJ CCIPS Criminal Division Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations: https://eff.org/DOJDSM2009

  7. What do the Cops Know?
     • 1994 – NIJ Special Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. https://eff.org/DOJNIJ1994
     • 1994 – NIJ Special Report: Electronic Crime Scene Investigation: A Guide for First Responders. https://eff.org/DOJNIJ1st

  8. Data Extraction Programs: What do the Cops Use?
     Police use a variety of extraction programs like:
     • Cellebrite
     • Secureview
     • Oxygen
     • FTK Imager
     • EnCase

  9. Data Extraction Programs: What do the Cops Get?
     These extraction programs have the capacity to:
     • Collect metadata and content
     • Help bypass encryption
     • Classify images
     • Restore deleted data
     • Track GPS locations over time
     • Search for specific keywords
     • Map relationships

  10. What to look for?
     • Seizure of your client’s cell phone or other digital device, production of your client’s digital information, and no subpoenas or warrants directed at third party service providers.
     • Any mention of digital forensics software, like Cellebrite, Secureview, Oxygen, FTK Imager, EnCase, MSAB XRY, or E-fense Helix3, or of “images” or “copies” of device contents.
     • Any mention of bypassed digital security, encryption, or passwords, or attempts to bypass these security features.

  11. DDS Case Highlights
     • Riley v. CA, 134 S.Ct. 2473, 2493 (2014) – digital device searches require a warrant, even incident to arrest
     • US v. Griffith, 867 F.3d 1265, 1272-73 (D.C. Cir. 2017) – threshold factors for device seizure
     • U.S. v. Comprehensive Drug Testing, Inc (CDT), 621 F.3d 1162, 1180 (9th Cir. 2010) – judicial oversight
     • Review our digital device search case inventory at https://www.eff.org/DDScases

  12. Best Practices for Judicial Oversight
     • Govt must waive reliance on the plain view doctrine
     • Forensic analysis should be done by an independent third party
     • Govt must disclose actual risks of destruction & other avenues of access
     • Search protocol must be designed to seize only info for which govt has PC
     • Govt must destroy or return non-responsive data
     • Time limit for device search execution

  13. How do I challenge DDS?
     • Advocate for ex-ante search protocol limits, such as:
        1. Keywords
        2. Date range
        3. Time range
        4. Specific user account
        5. Specific application
        6. Communications to/from specific actors
        7. File type
        8. File size

  14. How do I challenge DDS?
     • File a motion to suppress.
        • For warrantless device searches per Riley.
        • Even if a SW was obtained beforehand, there may still be grounds for suppression:
           • Failure to Authorize Search (v. Seizure)
           • Lack of Specificity/Particularity
           • Lack of Probable Cause
           • Overbreadth
           • Flagrant Disregard

  15. Lack of Specificity/Particularity
     • SW should be as specific as possible about the files to be searched and the locations on a device where those files are likely to be found.
     • Where the govt uses the device to access content stored remotely in the cloud, object if remote data is not specifically mentioned in the SW or isn’t within the scope of PC articulated.

  16. Lack of Probable Cause
     • IP address alone ≠ PC
     • Membership in or attempt to access an online group suspected of illegal conduct alone ≠ PC
     • No nexus between device and suspect or incident
     • Search exceeds scope of SW

  17. Overbreadth
     • Object to overbroad seizure of:
        • “any and all” devices
        • “including, but not limited to” language
     • Object to initial seizure of device where govt fails to satisfy threshold factors from US v. Griffith:
        • That client owns, uses, or possesses a device
        • That device will be found at a particular place at a particular time (like client’s home)
        • That device contains incriminating evidence about the suspected offense

  18. How do I challenge DDS?
     • Refer to more privacy-protective state laws.
     • California’s CalECPA requires:
        • a search warrant (CA Penal Code § 1546.1) before obtaining content or location info
        • notice to the target (CA Penal Code § 1546.2)
        • statutory suppression (CA Penal Code §§ 638.55, 1546.4) for violation of the state’s warrant requirement

  19. How do I challenge DDS?
     • You can learn more about CalECPA by going through this Prezi presentation: https://www.eff.org/CalECPAPrezi
     • And for a peek at what California police are being told about CalECPA, take a look at this CA Peace Officers’ Association Fact Sheet on CalECPA: https://www.eff.org/CPOACalECPA

  20. Digital Device Searches: Where do I learn more?
     • Visit: https://www.eff.org/criminaldefender/digital-device-searches

  21. Stephanie Lacambra, Criminal Defense Staff Attorney, 415-436-9333 x130, stephanie@eff.org
