SANS Digital Forensics and Incident Response Blog

Sweeping 9th Circuit Decision Regarding Law Enforcement Officer Computer Forensics

Reposted from Greg Haverkamp <> on the GIAC Certified Forensic Analysts [GCFA] mailing list

The 9th Circuit released its en banc decision today in U.S. v Comprehensive Drug Testing. The case itself has ties to seizures made in relation to the Balco investigations. The most significant aspect of the decision, based on my initial reading, is the elimination of the "plain view" exception as it pertains to warranted searches of digital media. Specifically, it clobbers the widely held position that all files, including those not pertaining to the instant investigation, are in plain view and may be used as evidence of criminal activity beyond the scope of the original investigation. (Images of child pornography seem to be the most common instance of this.)

One of the dissenters makes it sound like a plus for forensic examiners:

"Setting aside the omission of supporting legal authority, this new ex ante restriction on law enforcement investigations also raises practical, cost-related concerns. With respect to using an in-house computer specialist to segregate data, the majority's guideline essentially requires that law enforcement agencies keep a 'walled-off,' non-investigatory computer specialist on staff for use in searches of digital evidence. To comply, an agency would have to expand its personnel, likely at a significant cost, to include both computer specialists who could segregate data and forensic computer specialists who could assist in the subsequent investigation. The alternative would be to use an independent third party consultant, which no doubt carries its own significant expense. Both of these options would force law enforcement agencies to incur great expense, perhaps a crushing expense for smaller police departments that already face tremendous budget pressures."

The meat comes during the concluding portion of the majority opinion:

"We accept the reality that such over-seizing is an inherent part of the electronic search process and proceed on the assumption that, when it comes to the seizure of electronic records, this will be far more common than in the days of paper records. This calls for greater vigilance on the part of judicial officers in striking the right balance between the government's interest in law enforcement and the right of individuals to be free from unreasonable searches and seizures. The process of segregating electronic data that is seizable from that which is not must not become a vehicle for the government to gain access to data which it has no probable cause to collect. In general, we adopt Tamura's solution to the problem of necessary over-seizing of evidence: When the government wishes to obtain a warrant to examine a computer hard drive or electronic storage medium in searching for certain incriminating files, or when a search for evidence could result in the seizure of a computer, see, e.g., United States v. Giberson, 527 F.3d 882 (9th Cir. 2008), magistrate judges must be vigilant in observing the guidance we have set out throughout our opinion, which can be summed up as follows:

"1. Magistrates should insist that the government waive reliance upon the plain view doctrine in digital evidence cases. See p. 11876

"2. Segregation and redaction must be either done by specialized personnel or an independent third party. See pp. 11880-81 supra. If the segregation is to be done by government computer personnel, it must agree in the warrant application that the computer personnel will not disclose to the investigators any information other than that which is the target of the warrant.

"3. Warrants and subpoenas must disclose the actual risks of destruction of information as well as prior efforts to seize that information in other judicial fora. See pp. 11877-78, 11886-87 supra.

"4. The government's search protocol must be designed to uncover only the information for which it has probable cause, and only that information may be examined by the case agents. See pp. 11878, 11880-81 supra.

"5. The government must destroy or, if the recipient may lawfully possess it, return non-responsive data, keeping the issuing magistrate informed about when it has done so and what it has kept. See p. 11881-82 supra."

Orin Kerr has a series of posts analyzing this case on the Volokh

Posted August 27, 2009 at 7:52 PM


Wired has a nice article on this too:
They also make it sound like this may be a boon for independent forensics companies, assuming law enforcement agencies can pay for the services.
A few years ago I worked a case where the judge ordered that a system involved in the case be processed in camera and asked that the search be restricted to only relevant data for the case. When I indicated that the standard approach was to perform keyword searches of the entire drive, he ordered that the system be processed by an RCFL instead of me.
It will be interesting to see how this plays out.

Posted August 28, 2009 at 3:45 AM


Wired's article mostly just rips off Orin Kerr's analysis (linked in my original email). For folks who are interested, his follow-on articles do a good job of analyzing this decision in an historical context. (The new stuff, including the stuff Wired cribbed, is nearer the bottom at the site linked above.)

Posted August 28, 2009 at 4:37 PM

Larry McDonald

Was just looking at an article in Forensics Magazine about this subject