Digital Search Warrants

A search warrant may be issued to search a computer or electronic media if there is probable cause to believe that the media contains or is contraband, evidence of a crime, fruits of crime, or an instrumentality of a crime. For more information, see Fed. R. Crim. P. 41(c).

This section will very briefly address three important issues concerning search warrants for digital evidence: particularity, the permissible time period for examining seized electronic devices or storage media, and the retention of seized data.

Particularity

Search warrants must particularly describe the place to be searched and the things to be seized. “When electronic storage media are to be searched because they store information that is evidence of a crime, the items to be seized under the warrant should usually focus on the content of the relevant files rather than the physical storage media” (Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice, Washington, D.C (3rd ed 2009) at 72).

One approach “is to begin with an ‘all records’ description; add limiting language stating the crime, the suspects, and relevant time period, if applicable; include explicit examples of the records to be seized ; and then indicate that the records may be seized in any form, whether electronic or non-electronic” (Id. at 74-77).

In some jurisdictions, judges or magistrates may impose specific conditions on how the search is to be executed or require police to explain how they plan to limit the search before the warrant may be granted.

Permissible Time Period for Examining Seized Electronic Equipment

Courts have held that, while the Federal Rules of Criminal Procedure require a search warrant be executed within 10 days of issuance, the Fourth Amendment only requires the forensic analysis of a seized computer or electronic equipment be conducted within a reasonable time. United States v. Mutschelkaus, 564 F. Supp. 2d 1072, 1077 (D.N.D. 2008). (“Mutschelknaus contends that the forensic analysis of the computer and electronic storage media was in violation of Rule 41(e)(2)(A) of the Federal Rules of Criminal Procedure because it was conducted more than ten days after the issuance of the search warrant. Rule 41(e)(2)(A) establishes that a search warrant ‘must command the officer to execute the warrant within a specified time no longer than 10 days…’ In this case, the computer and electronic storage media were seized within the ten (10) day time limit established in the search warrant and the forensic analysis took place within the sixty (60) days granted by the magistrate judge… [T]he Federal Rules of Criminal Procedure do not require that the forensic analysis of computers and other electronic equipment take place within a specific time limit. Any subsequent search only needs to be conducted within a reasonable time.”)

”Whether a delay is unreasonable is determined ‘in light of all the facts and circumstances,’ and on a ‘case by case basis.’” (U.S. v. Mayomi, 384 F.2d 1049, 1054 n.6 (7th Cir. 1989)).

For example, in U.S. v. Mitchell, 565 F.3d 1347, 1351 (11th Cir. 2009), a 21-day delay in obtaining a search warrant for the defendant’s computer after the computer had been seized was held to be unreasonable under the circumstances. (The only reason Agent West gave for the twenty-one-day delay in applying for a search warrant was that he “didn’t see any urgency of the fact that there needed to be a search warrant during the two weeks that [he] was gone,” and that he “felt there was no need to get a search warrant for the content of the hard drive until [he] returned back from training.)

There may be compelling law enforcement reasons for delays, including waiting while a warrant can be secured or waiting for the completion of more pressing active investigations that required forensic examiner resources. Similarly, complicated forensic analysis because of the volume of files or the presence of encryption may provide compelling reasons for delay.

Unreasonable Retention of Seized Data

In United States v. Ganias, a panel of the United States Court of Appeals for the Second Circuit “consider[ed] . . . whether the Fourth Amendment permits officials executing a warrant for the seizure of particular data on a computer to seize and indefinitely retain every file on that computer for use in future criminal investigations. We hold that it does not.” See United States v. Ganias, 755 F.3d 125 (2d Cir. 2014). The Second Circuit ordered a rehearing en banc and decided “that the Government relied in good faith on the 2006 warrant, and that this reliance was objectively reasonable. Accordingly, we need not decide whether retention… violated the Fourth Amendment.” However the government recognized the complexity of the issue:

“[T]he Government plausibly argues that, because digital storage media constitute coherent forensic objects with contours more complex than—and materially distinct from—file cabinets containing interspersed paper documents, a digital storage medium or its forensic copy may need to be retained, during the course of an investigation and prosecution, to permit the accurate extraction of the primary evidentiary material sought pursuant to the warrant; to secure metadata and other probative evidence stored in the interstices of the storage medium; and to preserve, authenticate, and effectively present at trial the evidence thus lawfully obtained. To be clear, we do not decide the ultimate merit of this argument… Nor do we gainsay the privacy concerns implicated when the government retains a hard drive or forensic mirror containing personal information irrelevant to the ongoing investigation, even if such information is never viewed.”

United States v. Ganias, 824 F.3d 199 (2d Cir. 2016)