Search Warrant
A search warrant is a document that gives the authorities the right to search a place for specific items. The warrant is signed by a magistrate and should list the objects the officers are to look for. A warrant is based on an affidavit, a document signed by a witness or a police representative that provides evidence supporting their belief about the location of the required items. Police can search only for the objects specified in this document. Warrants can be issued to trace a person or specific property. The laws of each state usually define the reasons for which a search can be commenced.
For authorities, it is always beneficial to acquire a warrant, because it relieves the officer of responsibility. Search warrants have a short period of validity, and they usually must be executed within 10 days of issuance. However, there is a specific type, an anticipatory warrant, which gives police officers the right to conduct a search that becomes valid after certain future events (Shilling, 2016). Courts provide these documents in cases when police have reasons to assume that evidence in a designated location will become available in the future.
Sometimes, courts authorize so-called “sneak and peek” warrants, which carry no requirement to give notification that a search has been conducted. There is another similar type that is often used, a “no-knock” warrant. Generally, police are obliged to announce their presence during the search procedure and identify themselves. However, courts decide that in situations of danger for a police officer or a person, or when the evidence can be destroyed, the announcement is not required.
When a search for records or documents is required, the warrant usually authorizes confiscation of a computer or digital information. After that, it is recommended to obtain a new warrant that gives permission to search the computer (Sammons, 2015). Specific problems arise here, as computer evidence can be easily destroyed. Specialist technical expertise should be engaged in each case to advise on collecting evidence in the given circumstances.
Digital Items Holding Data
The forensic examination should commence with the item of the highest priority. If all the items are of equal priority and need to be inspected, a mobile device is usually a good place to start. The analysis of smartphones can yield a wide range of evidence. It permits access to sent messages and saved files and provides a means of obtaining data that is not stored on the device. A smartphone can contain personal information which may reveal the personality of a suspect. Moreover, it can assist in finding the location of a person if they have been using GPS on the device. When seizing mobile devices, such as smartphones, it is important to remember to block communication between the unit and its networks, as files can be removed by the owner using remote access.
Laptops may be as useful for investigations as mobile devices. They can contain much information about the identity of a suspect, as well as their Internet activity logs, pictures and videos, and other important data. Files on laptops are also latent: sometimes users think they have erased them, but even deleted information can often be recovered. If no pictures or videos are found, one needs to examine additional sources, such as installed applications, the registry, and shortcut files. The most efficient way to do this is to use Directory Browser filters.
USB-memory sticks, as well as other external devices for keeping data, should be considered in the process of investigation. They may contain information that could be useful for solving the crime, for example, address books, images, videos, Internet activity logs, and many other files. Searching through USB-memory sticks can be especially helpful in investigating computer and financial frauds, homicides, domestic violence, software piracy, identity theft, or child pornography cases.
Police must have a special search warrant which allows them to seize computers or other devices. If an officer does not have this document, there is a plain view exception to the rule, permitting the confiscation of the required items, but not their search (U.S. Department of Homeland Security, 2015). There are universal principles concerning a crime scene where digital devices are involved:
- To remember that it is always better if a specially trained Computer Forensic Analyst works with electronic technologies and collects the evidence
- To make sure there is a legal foundation for the confiscation
- To take prompt steps in order to save the evidence
- Not to turn on the device if it is off
- To secure the device and the data in case it is on
- To turn the device off immediately if it is destroying the files with evidence
- To document the location and state of the device
- To take photographs of the device, its location, and all the attached units (U.S. Department of Homeland Security, 2015).
Moreover, there are a few well-tried steps to be followed. The first one is evaluating possible danger, then securing and documenting the crime location. The next step is putting on gloves so as not to leave additional fingerprints. When seizing a computer, it is required to pull the power cable from it and put it in an evidence bag with a tag documenting the date, the case number, and other information depending on the investigation. If the object to be seized is a laptop, it is necessary to remove the battery and put it in an evidence bag. The next step is bagging and tagging computer peripherals, such as mice, keyboards, disks, memory sticks, and others. Disks and tapes should be removed from computers, and floppy disks need to be set to read-only. After that, phone and networking cables are to be removed, labeled, and bagged. All the cables and inputs must be marked with colored tape so that they can be correctly put back later.
Finally, it is essential to pack printouts and documentation, as they often contain information about passwords or the suspect’s plans. After all the steps are taken, the computer is to be transported. All the open slots should be covered with tape, and the computer model and serial number need to be written on a tag. Then, the device is to be bagged and transported to the headquarters. It is essential to keep the bags away from magnetic sources and always have them in possession.
The Differences in Acquisition of Data from Live and Turned off Systems
The process of obtaining information from a computer differs depending on the state of the device. If it is turned on, it holds much useful information, and switching it off may cause the loss of a few processes, including network connections. However, it is important to ensure the data is safe and not in the process of deletion. If an officer witnesses the files being damaged, they should immediately pull the power cable out. Another way is to use specific tools to extract volatile data from the device before turning it off. When the system is dead from the beginning, it is considered right to cut the power supply to keep the data safe. In both cases, as soon as the system is turned off, it is necessary to remove the hard drive, attach it to the forensic system without changing the data, and make a copy of it.
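As an added example (not taken from the original text or its cited sources), the sketch below shows one way to make the copy described above and demonstrate that it matches the source. Comparing SHA-256 hashes is an assumption, since the text does not name a verification method; the file names and the case number are constructed placeholders, and a temporary file stands in for the seized drive.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks, so a large drive never has to fit in memory

def sha256_of(path):
    """Hash a file or raw device node, opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def acquire(source, image, case_number):
    """Copy source to a new image ("xb" refuses to overwrite), hashing as read."""
    src_digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "case_number": case_number,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "image": image,
        "source_sha256": src_digest.hexdigest(),
        "image_sha256": sha256_of(image),  # independent re-read of the finished copy
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record

def demo():
    """Constructed stand-in for a seized drive: a temp file of sample bytes."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "seized_drive.bin")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample sector data " * 4096)
    record = acquire(source, os.path.join(workdir, "image.dd"), "CASE-PLACEHOLDER")
    # A later change to the working copy shows up as a hash mismatch.
    with open(record["image"], "r+b") as fh:
        fh.write(b"X")
    return record, sha256_of(record["image"]) != record["source_sha256"]

if __name__ == "__main__":
    rec, changed = demo()
    print(rec, "change detected:", changed)
```

The record returned by `acquire` carries the same fields the evidence tag documents (date and case number) alongside both hashes, so the copy can be re-checked at any later point.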
References
Sammons, J. (2015). Digital forensics: Threatscape and best practices. Syngress.
Shilling, D. (2016). Lawyer’s desk book (2nd ed.). Wolters Kluwer.
U.S. Department of Homeland Security & United States Secret Service. (2015). Best practices for seizing electronic evidence [PDF document]. Web.