Digital Archaeology (2014)
2. Laws Affecting Forensic Investigations
One of the challenges facing a digital forensics investigator (DFI) in every case is making sure that everything done stays within the parameters of the law. Even the internal corporate survey of a company-owned computer can be impacted by a variety of rules and regulations. Some are legislated regulations, and some fall under the category of constitutional law. The DFI does not need to be a lawyer to succeed. Legal counsel should be involved in every case an agency or organization undertakes. The investigator does, however, need to know enough law to keep out of trouble, and to prevent his or her case from being scrapped due to legal breaches. There are three areas this chapter will cover concerning the legal aspects of investigation:
• Constitutional rights and restrictions
• Legislated privacy regulations
• Working beneath the corporate shield
This chapter provides an overview of these topics, while the following chapters will go into more detail. The reader should keep in mind that the author is not a lawyer and this cannot be taken as legal counsel, but rather a survey of law. Always consult with legal counsel if there is any question about how to proceed with a specific case or situation.
Constitutional Implications of Forensic Investigation
When the United States was initially founded, the men who led the way to freedom realized that a formal statement of purpose was necessary to keep a fledgling nation from falling apart within a few generations. To this end, they crafted what we now know as the Constitution of the United States. Knowing that nothing ever stays the same, they built into this document the mechanisms by which it could be modified. These modifications are known as amendments. To date, there are 27 amendments to the Constitution. Should the American people decide that they wanted to add a twenty-eighth, they would have to do two things (U.S. Constitution, Article V):
• A two-thirds majority of both houses of Congress would have to pass a proposal for the amendment.
• Three-fourths of the states would have to ratify the amendment in their state legislatures.
The first ten amendments are lumped together in what is popularly known as the Bill of Rights. Amendments One through Eight guarantee individual liberties, while Nine and Ten work together to assure that powers not specifically delegated under constitutional law remain with the states. The amendment that affects the DFI more than any other is the Fourth Amendment.
The Fourth Amendment
One of the abuses that enraged colonial citizens more than any other was the Writ of Assistance. While this sounds benign enough, a writ of assistance was a general warrant that allowed any government agent to enter a home or business without permission and rip it apart looking for any evidence that the residents were involved in undesirable behavior. Under British rule, the government agent didn’t need to specify what crime was being investigated or what evidence was the target of the search. The writ of assistance allowed general “fishing expeditions” and was frequently used by local officials indiscriminately—often simply as a means of demonstrating who was in charge.
The first paragraph of the Fourth Amendment clearly states the purpose of the document. The remaining pages clarify the intent and meaning of the amendment in very granular detail. The first paragraph says:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no Warrants shall issue but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. (U.S. Constitution, Fourth Amendment)
There are two key phrases in this paragraph that surface repeatedly in the process of any criminal investigation. The phrases “unreasonable search and seizure” and “probable cause” have generated reams of legal documents defining what they mean and how they apply to specific cases. There are some notable exceptions to the Fourth Amendment, which will be discussed in the next chapter. However, for the most part, the amendment provides very specific guidelines to how investigations may be conducted.
Unreasonable Search and Seizure
Any time that there is a question about the legality of a search or the seizure of evidence, a judge will consider the answers to two questions:
• Was there actually a search, and was it by government agents?
• Was said search reasonable in all aspects?
The first question seems easy to answer, at least superficially, but it is more difficult than it may appear. The mere fact that someone had their house, or their computer, rifled by an investigator does not necessarily fulfill the legal definition of a search. Under constitutional law only legal representatives of the government are implicated. So the judge will ask, “Was the search conducted by an agent of the government?” If not, the Fourth Amendment does not apply. Once again, the glass that covers this question can become cloudy. Who is an agent of the government? Obviously, a law enforcement official qualifies. But does a private investigator? That can depend on who hired the investigator and the circumstances by which that person came to conduct the search. If the federal government, or a state or local government, requested the services of the investigator, that person becomes an agent of the government and is subject to constitutional law.
In The United States v. Howard et al. (1985), both of these conditions were addressed. In Paragraph 24, the Judiciary states, “We agree with defendants that a consent clause in an insurance contract does not insulate from the Fourth Amendment a search by a private investigator who acts as an agent of the government to gather incriminating evidence for use in a criminal proceeding.” The point of this statement is that while a private investigator (PI) acting alone is not subject to Fourth Amendment restraints under normal circumstances, one working at the request of the government is. In this particular case, the court determined that the information collected by the PI was obtained prior to the government contacting the investigator. Therefore, at the time the information was gathered, the PI was not acting as a government agent, and therefore the information was admissible. The ruling states in Paragraph 25, “Nevertheless, where, as here, the intent of the private party conducting the search is entirely independent of the government’s intent to collect evidence for use in a criminal prosecution, we hold that the private party is not an agent of the government” (752 F.2d 220, 17 Fed. R. Evid. Serv. 383).
Once the existence of a search is confirmed, the judge must determine if the search was reasonable. He or she asks, “Did the subject of the search have a reasonable expectation of privacy regarding the object of the search?” This question also has two underlying concepts. Can the person who thinks his rights were violated demonstrate a reasonable expectation of privacy, either actual or subjective, regarding the object of the search? An actual expectation of privacy would be exemplified by a person’s wallet or purse or home. A subjective expectation is defined as one that society in general would recognize. That can be more difficult to determine, as evidenced by the plethora of cases going through the courts. As of this writing, there are cases regarding the transmission of text over an Internet connection, the right of employers to search their own computers, the use of video surveillance in schools, and so on and so forth. There are even cases involving convicted criminals serving time in jail.
In order for a law enforcement official to obtain a warrant, there must first be a strong indication of probable cause. The USLegal dictionary defines probable cause as “the level of evidence held by a rational and objective observer necessary to justify logically accusing a specific suspect of a particular crime based upon reliable objective facts” (USLegal 2009).
Probable cause must exist before a judge will issue a warrant, but it can also be sufficient justification for performing a search without a warrant. In theory, probable cause is a reason for action known ex ante (meaning “before the fact”). An investigator cannot break into an apartment, discover a cache of drugs, and then claim probable cause for the search. Performing a warrantless search based on probable cause runs the risk of having all evidence obtained during the search disallowed and opens the door for civil litigation by the person whose rights were violated.
The Sequence of Search and Seizure
Typically, the routine execution of a search warrant goes something like this. The investigator requests a search warrant based on specific parameters (which will be discussed in the next chapter). A judge agrees the request is legitimate and reasonable and issues the warrant. It is a two-stage process. You search (and find), and then you seize. The investigators search the scene and confiscate any evidentiary material they may find. It doesn’t always work that way with digital evidence.
To the extent that you are authorized to search for certain items that are likely to contain evidence—such as computers, cell phones, digital media, and so on—this is the order in which a computer investigation is handled as well. However, most computer searches occur in four stages. An initial search locates computer equipment or media as defined in the subpoena. That material is seized and transported to another location. The actual search does not occur until the contents of the device are imaged, which is a process that generally occurs at the new location distant from the suspected scene of the crime. A logical search of the computer or media contents occurs, and any evidentiary digital information is located, copied, and archived. This extended process leaves open many legal challenges and arguments. Some of these will be addressed in the next chapter, and some have yet to be addressed by the courts.
The Fifth Amendment
When drafting the Fifth Amendment, the goal of the authors was to prevent the government from ever forcing a citizen to provide self-incriminating testimony. Too many years of having confessions beaten out of them by agents of the British crown left a bad taste in the mouths of our founding fathers. According to the amendment, no person should ever “be compelled in any criminal case to be a witness against himself” (U.S. Constitution, Amendment V).
So how does this impact the digital investigation? Virtually every resource on the network, all cloud resources, and any encrypted drive will be protected by a password. While courts have been somewhat divided on the issue of whether divulging a password is a form of testimony, the general consensus has been that it is. Therefore, in any criminal investigation, while it certainly won’t hurt to ask the suspect for a password, if the person refuses, they are likely to claim their rights under the Fifth Amendment.
Even if you have a warrant to search the computer, or even if the person has given his consent, extracted password-protected materials fall under the closed container rule. As such, if a password is not voluntarily provided, you will have to resort to other methods to gain access.
First Amendment Protections
Another level of privileged information is any material that might be protected under the First Amendment to the Constitution. The First Amendment is very short and to the point. It says the following:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
The amendment itself isn’t very descriptive about what part of free press is actually covered. Several Supreme Court cases have further defined the rights provided by the amendment. A pivotal case was decided in 1938 in Lovell v. City of Griffin [303 U.S. 444 (1938)]. The opinion written by Chief Justice Hughes offered the first official definition of what constituted “the press.” He defined the press as “every sort of publication which affords a vehicle of information and opinion.” That is a fairly wide description, and it did not define specifically what rights the press had.
Branzburg v. Hayes addressed that issue in 1972 when the court ruled that the First Amendment did not allow a journalist to refuse a subpoena issued by a grand jury. The fact that the case was a 5–4 split decision suggests just how divisive the issue was. At issue was whether or not a journalist had the right to refuse to testify before a grand jury based on First Amendment protections. The court said no.
The key lessons to be learned are twofold. One cannot get a search warrant to search a newspaper office or other publication. It just won’t happen. However, one can request and be granted a subpoena demanding that the publication hand over specifically defined information.
Your ISP and the First Amendment
Freedom of the press has been a given in American culture for so long that the phrase is part of the average citizen’s everyday vocabulary. First Amendment debates typically center around libel, threatening speech, and obscenity. Additionally, they focus on the government’s limited power to censor what the press offers to the public.
In today’s cyberworld, it is becoming more difficult to determine what is actually “press” and what is some everyday Joe spewing out libelous rants or issuing potentially criminal threats. Is a blog a valid part of “the press”? Assuming we agree that it is, when a blog does publish something libelous, who is responsible? The blogger, who could be considered the reporter and insulated from indemnification? Or the ISP, who could be considered the publisher and therefore responsible for all contents it manages?
Since there has been relative silence on the part of the courts in this regard, many service providers take it upon themselves to filter content in an effort to avoid potential prosecution. Others are far more lenient. Examples of this are YouTube and LiveJournal.
YouTube provides a platform for people to showcase videos they make. YouTube is relatively careful about monitoring videos for pornographic content, hate messages, and so forth. Any video deemed unsuitable may be deleted without the owner’s notification or consent. Conversely, LiveJournal had to face the threat of an advertising boycott before it purged its system of suspected pedophiles (Tushnet 2008). Then, when it did so, it deleted the accounts of many people who were members of a book club discussing Nabokov’s Lolita.
Another issue faced by ISPs is what to do when a subscriber is involved in the distribution of pirated intellectual property. The Digital Millennium Copyright Act (DMCA) basically provides the ISP a “safe harbor” from liability as long as it adopts and enforces specific policies regarding copyright infringement.
When faced with copyright infringement issues, the courts have frequently used the “dance hall proprietor versus landlord” argument. In the dance hall scenario, a dance hall owner hires a band to play. The band plays an entire mix of copyrighted songs without obtaining permission from the copyright holders of those songs. In this situation, both the band and the proprietor are considered to be in violation. This is because the band is committing the act, and the proprietor is vicariously involved because the proprietor has the control to stop the violation if he or she chooses. Additionally, the proprietor profits directly from the violation.
A landlord, on the other hand, is not held liable for such activities that occur inside the premises where the violation occurs. The landlord does not have as much control over what occurs once the renter takes possession of the property. Landlords lack sufficient control over tenants to be able to enforce rules.
The Right to Privacy
Many people are surprised when they learn that the right to privacy is not guaranteed under the Constitution. Our legislature has filled this void by passing a number of laws protecting individuals from having their private lives exposed to anyone who cares to look. This is a sufficiently detailed subject that an entire chapter is devoted to it later in this book. For now it is only necessary to provide a general overview of the principles and list some of the key laws that affect the DFI.
The first legal precedent for privacy laws can be traced to an article written in 1890 by Warren and Brandeis entitled The Right to Privacy (Warren and Brandeis 1890). In this article, the authors note that “new inventions” and technology threaten the personal lives of individuals. The new inventions of which they wrote were film cameras and the ability to publish actual photographs of people instead of mere line drawings.
For many years, cases involving privacy rights bounced around the courts. The principle finally benefited from a formal definition when The California Law Review published the article entitled “Privacy” by William Prosser. In this article, Prosser defined four specific areas of law pertaining to individual privacy. To quote from his article, these areas are
• Intrusion upon a plaintiff’s seclusion or solitude, or into his private affairs
• Public disclosure of embarrassing private facts about the plaintiff
• Publicity which places the plaintiff in a false light in the public eye
• Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness (Prosser 1960, 389)
The discerning eye notes that there is no mention of “intrusion into the plaintiff’s hard disk or file system.” This, along with most other activities of the investigator, falls under the seclusion and solitude tort. Subsequent laws passed over the years have more precisely defined a person’s right to privacy. Among the prominent laws that contain privacy restrictions are
• The Fair Credit Reporting Act of 1970
• The Privacy Act of 1974
• The Equal Credit Opportunity Act of 1974
• The Electronic Communications Privacy Act of 1986
• Health Insurance Portability and Accountability Act of 1996
• The Gramm-Leach-Bliley Act of 1999
• Privacy of Consumer Financial Information; Final Rule (2000)
• The Fair Debt Collection Practices Act of 2006
• The Family Educational Rights and Privacy Act of 2008
This is just a small sampling of the myriad of laws governing the subject. In addition, many states have their own statutes that may be more restrictive than federal legislation. Another thing to be cautious of is that laws are revised constantly and new ones are passed.
The Expert Witness
An expert witness is “a person who is a specialist in a subject, often technical, who may present his/her expert opinion without having been a witness to any occurrence relating to the lawsuit or criminal case” (The People’s Law Dictionary 2010). Generally speaking, any testimony that relates material not actually witnessed by the speaker is covered under a tenet called the hearsay rule. Except under very specific mitigating circumstances, hearsay is not allowable as evidence. The expert witness is one of those notable exceptions.
There is no regulatory agency that monitors “expert status” or any such thing as an expert certification. Courts do, however, specify the types of witnesses who can give testimony and the types of evidence that are admissible. These rules are covered in the Federal Rules of Evidence in criminal cases and the Federal Rules of Civil Procedure in civil cases. The two types of witnesses defined are eyewitnesses and expert witnesses. Eyewitnesses are those who had firsthand experience with at least one aspect of the crime. Expert witnesses were never there, and cannot offer any firsthand information at all, but have been accepted by the court as being qualified to testify about a specific technical aspect of the case.
Rules 702 and 703 of the Federal Rules of Evidence provide the guidelines for expert testimony. Rule 702 dictates when it will be allowed, and Rule 703 explains the bases for providing such testimony. Rule 702 states that expert testimony is allowable when “scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue” (FRE 2009). Three conditions apply to allowing expert testimony:
• The testimony is based on sufficient facts and data.
• The testimony is derived from reliable principles and methodology.
• The witness can demonstrate that the principles and methodology have been properly applied to the interpretation of facts.
There are two ways to become recognized as an expert witness. Either all parties involved in the case can agree in principle that the person being presented is an expert in the related field, or the judge can make a ruling determining that he or she recognizes the person as an expert. A key tool in determining a person’s qualifications as an expert is the curriculum vitae (CV). This Latin term means literally “course of life” and is a functional equivalent of a résumé.
In the final act, it is not the length of the alphabet behind a person’s name or the list of degrees boasted, and it is not even the CV that determines whether a person can sit as an expert witness or not. It is the decision of the judge presiding over the case.
Then there is the question of expert witness neutrality. Jensen (1993) quoted an unidentified lawyer as saying, “I would go into court with an uncommitted, objective independent expert about as willingly as I would occupy a foxhole with a couple of noncombatant soldiers.” This statement implies that at least this particular attorney is unwilling to accept neutrality in an expert witness. Judges take a slightly different view. Bender (2002) quoted the Fifth Court of Appeals as having stated, “Experts whose opinions are available to the highest bidder have no place testifying in a court of law before a jury and with the imprimatur of the trial judge’s decision that he is an expert.” Perhaps the person hiring an expert witness should pay heed to another old quote, “Caveat emptor” (let the buyer beware).
Review Questions
1. Three different amendments to the Constitution affect how the forensic analyst performs an investigation. List the three amendments and describe what individual rights each one impacts.
2. A man was brought to trial after employees at a computer repair shop discovered child pornography on his computer. He tried to get the evidence disqualified as the result of an illegal search, but the judge denied his motion. What was the reasoning behind the denial?
3. Why is it that the owner of a nightclub can be found liable for copyright infringement violations committed by the band playing on a Saturday night, but that the owner of the building from which the hall space is rented is not found liable?
4. Describe the hearsay rule in your own terms, and explain how it relates to the concept of an expert witness.
5. Which constitutional amendment guarantees an individual’s right to privacy, and how can those rights be enforced?
Exercises
1. Download and review Gramm-Leach-Bliley, HIPAA, and Sarbanes-Oxley. Each of these pieces of legislation has some commonalities and some major differences. What are the main commonly shared features, and how do they significantly differ?
2. Search Google Scholar for a legal case that involves a warrantless search that was accepted by the court. Briefly describe the case, and explain how the search may have been considered allowable under constitutional law.
References
Bender, R. 2002. Liability for the psychiatrist expert witness. American Journal of Psychiatry 159:1819–25.
Branzburg v. Hayes, 408 U.S. 665 (1972).
Federal Evidence Review (FRE). 2009. Federal rules of evidence. www.FederalEvidence.com (accessed December 16, 2009).
Jensen, E. G. 1993. When “hired guns” backfire: The witness immunity doctrine and the negligent expert witness. University of Missouri at Kansas City Law Rev. 62:185–210.
Prosser, W. 1960. Privacy. California Law Review 48(3):389.
The People’s Law Dictionary. 2010. Expert witness. http://dictionary.law.com/Default.aspx?selected=700 (accessed January 22, 2010).
The United States v. Howard et al., 752 F.2d 220 (6th Cir. 1985).
Tushnet, R. August 2008. Power without responsibility: Intermediaries and the First Amendment. Georgetown Law Faculty Working Papers.
U.S. Constitution, Amendment Four.
U.S. Constitution, Article V.
USLegal. 2009. Probable cause and legal definition. http://definitions.uslegal.com/p/probable-cause/ (accessed January 14, 2009).
Warren, S., and L. Brandeis. 1890. The right to privacy. The Harvard Law Review (4)3.