Digital Device Searches


Digital Device Searches
A digital device search is an examination of data stored on a device that uses a computer or microcontroller to record information.

Digital Device Searches: What do they include?
Digital devices may include cell phones, tablets, laptops, desktop computers, and medical devices like pacemakers, hearing aids, heart-rate monitors, smartwatches, and smart meters.

Cloud Searches
Digital device searches may sometimes involve cloud searches, where the device is used as a portal for examining digital information and media stored outside the device itself, on remote servers known as the “cloud.”

How do they work?
Digital device searches (DDS) may be performed:
- Manually: by looking through data on the device as a user would
- Forensically: with assistance from other computers or software
- Hybrid: using some combination of a manual and forensic search
Imaging: law enforcement physically seizes a device for search and makes a complete digital copy or “image” of the entirety of its contents onto a separate external medium such as a hard drive.
Forensic analysis: the government uses advanced forensic software to analyze the digital copy of the device contents, expanding its search and analysis capabilities and often allowing it to view deleted data that the software on the device itself wouldn’t be capable of displaying.

What do the cops do?
The DOJ’s Manual for Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (https://eff.org/DOJDSM2009) sets forth a 2-step process for digital device searches:
1. The “imaging”: law enforcement makes a complete digital copy of all info on the device.
2. The “analysis”: govt uses forensic software to examine the digital copy, allowing it to organize, methodically search, and view data, including data the user may have believed was deleted.

What do the Cops Know?
Review govt training materials:
- 2011: DOJ Guide on Admitting Electronic Evidence. https://eff.org/DOJOAEE
- 2009: DOJ CCIPS Criminal Division Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. https://eff.org/DOJDSM2009

What do the Cops Know?
- 1994: NIJ Special Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. https://eff.org/DOJNIJ1994
  This report guides law enforcement agents on how to properly handle and secure digital evidence during criminal investigations, along with suggestions on proper policies and procedures that law enforcement departments can adopt.
- 1994: NIJ Special Report: Electronic Crime Scene Investigation: A Guide for First Responders. https://eff.org/DOJNIJ1st
  This report guides law enforcement and other first responders who may be responsible for preserving an electronic crime scene and for recognizing, collecting, and safeguarding digital evidence.

Data Extraction Programs: What do the Cops Use?
Police use a variety of extraction programs like:
- Cellebrite
- Secureview
- Oxygen
- FTK Imager
- EnCase
These forensic extraction programs have the capacity to collect metadata and content, help bypass encryption, classify images, restore deleted data, track GPS locations over time, search for specific keywords, and map relationships.

Data Extraction Programs: What do the Cops Get?
These extraction programs have the capacity to:
- Collect metadata and content
- Help bypass encryption
- Classify images
- Restore deleted data
- Track GPS locations over time
- Search for specific keywords
- Map relationships
Metadata: info that relates to a piece of data.
Content: the substance of the data or electronic communication.

What to look for?
- Seizure of your client’s cell phone or other digital device (including, but not limited to, iPhones, Android phones, Apple Watches, Fitbit devices, iPads and tablets, and home assistants like the Amazon Echo and Google Home), production of your client’s digital information, and no subpoenas or warrants directed at third-party service providers.
- Any mention of digital forensics software, like Cellebrite, Secureview, Oxygen, FTK Imager, EnCase, MSAB XRY, or E-fense Helix3, or of “images” or “copies” of device contents.
- Any mention of bypassed digital security, encryption, or passwords, or attempts to bypass these security features.

DDS Case Highlights
- Riley v. CA, 134 S.Ct. 2473, 2493 (2014): digital device searches require a warrant, even incident to arrest
- US v. Griffith, 867 F.3d 1265, 1272-73 (D.C. Cir. 2017): threshold factors for device seizure
- U.S. v. Comprehensive Drug Testing, Inc (CDT), 621 F.3d 1162, 1180 (9th Cir. 2010): judicial oversight
Review our digital device search case inventory at https://www.eff.org/DDScases

Best Practices for Judicial Oversight
- Govt must waive reliance on the plain view doctrine
- Forensic analysis should be done by an independent third party
- Govt must disclose actual risks of destruction & other avenues of access
- Search protocol must be designed to seize only info for which govt has PC
- Govt must destroy or return non-responsive data
- Time limit for device search execution
See U.S. v. Comprehensive Drug Testing, Inc (CDT), 621 F.3d 1162, 1180 (9th Cir. 2010)

How do I challenge DDS?
Advocate for ex-ante search protocol limits, such as:
1. Keywords
2. Date range
3. Time range
4. Specific user account
5. Specific application
6. Communications to/from specific actors
7. File type
8. File size

How do I challenge DDS?
File a motion to suppress:
- For warrantless device searches, per Riley.
- Even if a SW was obtained beforehand, there may still be grounds for suppression:
  - Failure to Authorize Search (v. Seizure)
  - Lack of Specificity/Particularity
  - Lack of Probable Cause
  - Overbreadth
  - Flagrant Disregard
Most affidavits submitted in support of a search warrant for a digital device or cloud storage platform are boilerplate and lacking in specificity and particularity. Some do not even show a nexus between the device seized and the specific incident being investigated.

Lack of Specificity/Particularity
- SW should be as specific as possible about the files to be searched and the locations on a device where those files are likely to be found.
- Where the govt uses the device to access content stored remotely in the cloud, object if remote data is not specifically mentioned in the SW or isn’t within the scope of PC articulated.

Lack of Probable Cause
- IP address alone ≠ PC
- Membership in or attempt to access an online group suspected of illegal conduct alone ≠ PC
- No nexus between device and suspect or incident
- Search exceeds scope of SW

Overbreadth
Object to overbroad seizure of:
- “any and all” devices
- “including, but not limited to” language
Object to initial seizure of device where govt fails to satisfy threshold factors from US v. Griffith:
- That client owns, uses, or possesses a device
- That device will be found at a particular place at a particular time (like client’s home)
- That device contains incriminating evidence about the suspected offense
US v. Griffith, 867 F.3d 1265, 1272-73 (D.C. Cir. 2017)

How do I challenge DDS?
Refer to more privacy-protective state laws. California’s CalECPA requires:
- a search warrant (CA Penal Code § 1546.1) before obtaining content or location info
- notice to the target (CA Penal Code § 1546.2)
- statutory suppression (CA Penal Code §§ 638.55, 1546.4) for violation of the state’s warrant requirement

How do I challenge DDS?
You can learn more about CalECPA by going through this Prezi presentation: https://www.eff.org/CalECPAPrezi
And for a peek at what California police are being told about CalECPA, take a look at this CA Peace Officers’ Association Fact Sheet on CalECPA: https://www.eff.org/CPOACalECPA

Digital Device Searches: Where do I learn more?
Visit: https://eff.org/defense/digital-device-search


Stephanie Lacambra Criminal Defense Staff Attorney 415-436-9333 x130 stephanie@eff.org