SANS Digital Forensics and Incident Response Blog

Searches and the US 4th Amendment

In much of the common law world (including the USA, UK, Canada, NZ and Australia), law enforcement needs to obtain legal authorization in order to search for and seize evidence. Generally, this power is granted through an application for a search warrant, which states the grounds for the application, including the law that has been broken. In the United States and the United Kingdom, the application must further describe the specific premises to be searched as well as the items being sought.

In the US, the Fourth Amendment and the Electronic Communications Privacy Act (ECPA) determine the lawfulness of a search. The Fourth Amendment applies only to government searches (such as those conducted by law enforcement officials). The ECPA applies to everyone (whether government or private) and prohibits the unlawful interception of, or access to, electronic communications.

In the physical world there is a real limit on the length of time during which a search can be conducted. This rule does not impose much of a limit on electronic searches. Because the investigator is able to make a copy of the digital evidence (such as an image of a hard drive), they are able to continue searching those files at their leisure, including for "strings" that are beyond the scope of the original warrant.

Neither the Fourth Amendment nor the Federal Rules of Criminal Procedure require the investigator to promptly search the evidence. In fact, US federal law provides little guidance on the return of property seized pursuant to a warrant. To have the digital evidence returned or destroyed, the suspect must file a motion in court in which they prove either that the seizure was illegal or that the investigator no longer has any need to retain the evidence.

As a result, law enforcement officials can keep a copy of any digital evidence they have seized under a warrant and continue to search it without any effective time limit. Fourth Amendment rules do not provide useful guidelines for investigators' conduct, even in digital forensic labs. There are no limitations on the regions of a hard drive that a forensic computer analyst may examine for evidence, and the analyst may continue to look for evidence of other crimes.

The Fourth Amendment rule is that an investigator executing a warrant is able to look in any place listed on the warrant where the evidence might conceivably be concealed. Traditionally, an investigator was precluded from looking into any location beyond those where the evidence they wished to seize could be found. Electronic evidence, however, may be stored anywhere. The result is that an investigator can electronically look anywhere in search of digital evidence.

In Katz v. United States, the Supreme Court stated that "the Fourth Amendment protects people, not places". In practice, however, the Fourth Amendment continues to be deeply tied to physical places.

Craig Wright, GCFA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications and several post-graduate degrees, and is one of a very small number of people who have successfully completed the GSE exam.


Posted October 10, 2010 at 9:14 PM


If a computer crime case is dismissed without prejudice, and after the dismissal the computer that was seized is searched and the case is recharged, my question is: is the original search warrant still in effect if the case is dismissed?