Chapter 10
Executing a Search Warrant for Digital Evidence

Chapter Outline
I. Once a search warrant is signed and the pre-planning phase is over, the planning for the actual
seizure can begin.
II. Investigators not familiar with computers seek out the assistance of someone who is familiar
with the latest in technology.
A. Local computer experts.
B. Colleges and universities’ computer sciences departments.
III. Properly powering down a computer and packaging the various components of the computer
system is as important to the successful prosecution of a case as are the other stages of
the criminal investigation.
I. The Steps of Executing a Search Warrant for Digital Evidence
A. Step One: Removing the Suspects from the Computer
1. Executing a search warrant for digital evidence is much like executing a
search warrant for any other contraband evidence.
2. There is a greater potential for the suspect to damage or completely
destroy any evidence when it is digital in nature.
a. Computers that are powered on can allow the suspect to use a
variety of software programs that will either encrypt evidence or
destroy evidence.
b. Like any emergency preparedness plan, the best plans for handling
digital evidence are always prepared with the idea that such
programs will be encountered during the collection of digital
evidence.
3. Some have questioned whether “no-knock search warrants” should be
obtained when executing a warrant for digital evidence, but it is hard to
meet the criteria of officer safety for such a warrant.
4. There are two methods by which one could remove a suspect from a computer:
a. By asking the individual to shake your hand and preventing them
from returning to the computer.
b. Through the use of physical force.
5. It is very important that the suspect not be allowed to return to the
computer for any reason.
B. Step Two: Securing the Scene
1. From the instant the suspect is removed from the computer, the focus
should be securing the scene and beginning the process of documenting
the crime scene.
2. Photographs may become an important part of the case later on should the
suspect decide to pursue a jury trial.
a. It is recommended that personnel use a digital camera to take these
pictures.
i. Saves money because there is no need to buy film.
ii. Allows investigators to ensure good usable images while on
the scene.
3. One technique that has become much more commonly encountered as
video cameras have dropped in price is the use of a digital camera to
record the entire search.
a. Useful should the suspect attempt to claim that the digital evidence
was planted by law enforcement officers.
b. Allows for a more thorough documentation process.
i. Can provide a 360-degree view of the suspect’s
computer(s).
ii. Can provide a view of any peripherals attached to the
computer(s).
4. It is important to take pictures of the suspect’s computer(s) at the time the
search warrant is executed.
a. Allows investigators to go back later and document exactly what
programs were operational at the time of its seizure.
b. Used to counter a suspect’s argument that they were not engaged
in a particular activity.
5. In most cases it is also recommended that the photographer obtain a
picture of the time stamp located at the bottom right-hand side of most
computer screens.
a. Can be used in cases in which multiple people have access to the
machine to determine who was using the computer at the time of
the illegal activity.
b. It is also recommended that investigators make note as to whether
the time is correct, so that if the time is incorrect, forensic analysis
can reconcile any activity logs.
6. Investigators must be sure to provide a brief training session with any
individuals who will be assisting with the search who may have limited
experience executing search warrants so that evidence is collected
properly.
C. Step Three: Disconnect any Outside Control Possibilities
1. When locating network connections within the residence, it should be
noted that wireless networks are more than likely to be encountered.
a. These wireless networks can be problematic in that there is a need
to immediately shut off any network connections in order to
remove the possibility of someone outside of the residence
damaging potential evidence.
b. An investigator should familiarize himself/herself with the latest
wireless routers prior to executing a search warrant.
c. Network detector programs (such as those found in cellular
telephones) can be used to detect the presence of wireless
networks.
2. There is a chance that an investigator will also encounter a computer
connected to the Internet via a telephone line.
3. Regardless of whether the Internet connection is via a narrowband
or broadband connection, an investigator should disconnect the Internet
connection as soon as possible.
4. Investigators should be aware that there is a possibility that the network
is not connected via the connection closest to the computer.
5. Following the terrorist attacks of September 11, 2001, there was a
movement among some companies to allow evidence to be stored at a
location different from where the computer normally operates, such as:
a. Data storage services
b. Intra-company networks
c. Data hosting services
d. This means that the digital evidence an investigator is searching for
may be stored on a computer across the street, across the city, or
across the country.
e. Digital evidence that the investigator is searching for can be stored
on a computer across the street, the city, or the country.
f. In ideal scenarios investigators would have knowledge of such off-
site storage of data prior to the development of the search warrant.
i. If such information is not available, then there will still
likely be some evidence on the seized computer showing
where the data is stored.
6. Before disconnecting a computer from the Internet or network, the
investigator should look for the presence of active downloads.
a. An investigator may make the decision to photograph or video
record the screen of the computer and include notations concerning
any programs or files that are currently downloading or recently
downloaded.
b. Investigators must be aware of the fact that any utilities running
can be minimized at the bottom of the screen, and if the decision is
made to maximize the screen, the investigator must ensure that his
or her actions are recorded in the search log; if possible, the entire
process should be videotaped.
D. Step Four: Powering Down the Computer
1. An investigator executing a search warrant for computer-related evidence
will have to consider which operating system, and version of the software,
the user is running on the computer.
a. Version and brand will determine the proper method of powering
down the computer.
i. Using the operating system’s shutdown features
ii. Unplugging the power cable from the back of the computer
b. Pulling the plug from the back of the computer is considered the
most effective means of properly powering down the computer.
i. This prevents any malicious software or code from launching
when the computer is shut down.
ii. There are software programs available that begin
formatting a computer’s hard drive if proper shut-down
protocols are not adhered to, but the use of such programs
is rare.
2. Before a decision is made to power down the computer, it is important to
examine the computer to determine whether there are any programs
running on the computer, because potential evidence could be damaged.
a. This requires familiarity with the various operating systems, which
helps an investigator determine whether there are any files open
and stored in the computer’s Random Access Memory (RAM).
i. Data that is stored in RAM memory will be lost when the
computer is powered down, and such data is not normally
recoverable.
ii. If programs are found, the decision to save the file or shut
down the computer and lose data can be made.
3. Microsoft Windows operating system is likely to be the most commonly
encountered operating system.
a. Software programs and files that are open and running can be
located by looking at the bottom of the computer screen.
b. An investigator who chooses to save a copy of the file should
ensure that the file’s name is one that they can easily remember
and one that can easily be explained to a judge and a jury should
the need arise.
i. A note in the search log should be made of the file name
selected, as well as the time the file was discovered and the
time the file was saved to the external drive to prevent the
corruption of evidence stored somewhere else on the
suspect’s hard disk.
4. If the suspect is running a version of Linux, then the method of
determining whether there are files running in RAM may be different.
a. Recently there have been Windows emulators (sometimes referred
to as WINE) that

Solution

Shubham answered on Nov 09 2022
52 Votes
Posting
Disassembling the computer is an interesting topic and it can help in identifying the problem and it includes procedures that can help the investigator in reassembling the computer again. It is recommended that every cord of the device is labelled when it is unplugged from the back of the computer system. The investigator has the responsibility for tapping and labelling the cord when not in use. After the computer system...