In our previous blog post of the “Understanding Search Warrants” series, persons search warrants, we discussed issues related to writing search warrants to both search and collect people. Today is all about technology.
Nearly every crime that law enforcement investigates has a second invisible crime scene made up of the digital evidence on phones, computers and in the cloud. In this blog post, we will delve into the intricacies of writing search warrants for technology-related investigations. We’ll explore the common devices that harbor digital evidence, the process of obtaining search warrants to collect and search digital devices, and the significance of including online records in search warrant applications. Before we start, let’s break down what we’ll be talking about. There are three big parts to this topic. The first part is about writing search warrants to collect digital devices, the second part is about searching the contents of digital devices, and the third part is about collecting online records.
Technology often holds valuable evidence, necessitating search warrants to collect, search, and examine digital devices. Modern technology has integrated into our lives, offering a vast array of devices that hold potential digital evidence. Common devices include smartphones, tablets, computers, gaming consoles, external hard drives, and cloud storage services. These devices can house diverse forms of evidence, such as text messages, emails, photographs, videos, browsing history, and social media activity. When drafting search warrants, it is crucial to identify the devices and the specific evidence sought.
Perhaps one of the most confusing questions in technology investigations is determining where the crime scene is located. With most high-tech crimes, there are two: the physical location where the suspect committed the crime and the virtual crime scene within the device itself or online.
Let’s examine three scenarios:
Drafting an effective search warrant to collect digital devices requires careful consideration of essential elements. Because our phones contain so much of our personal lives, special consideration has been given to them by the courts. Many states, like California, have Electronic Communication Privacy laws that require a separate search warrant to examine collected phones and computers.
There are three points to address when writing a warrant to collect a digital device:
Explaining to the court that a device was used in this crime is usually straightforward, but search warrants require particularity in their descriptions of things to be seized. If the investigation had an online component prior to searching the residence, common in cybercrime investigations, warrant returns may identify the specific device used during that crime. For example, companies like Google, Meta and Apple frequently record the model of device used by their customers, like a Samsung SM-J700 or an iPhone 14 Pro (A2650). If the affiant knows this ahead of time, it’s always smart to add the description as an item to be seized. I would suggest expanding the scope of the warrant to include devices of similar capability; if the suspect damaged their SM-J700 and got a new phone, you wouldn’t want to be limited to only the Samsung phone.
What information do you have that the device you want to collect will actually be found at the place you are searching? Analysts project about 79 million desktop computers being sold in 2023; they also project 171 million laptops being sold. That means you have a higher chance of the digital device being portable, i.e., a laptop, mobile phone or tablet.
Knowing what type of device you are looking for helps make a direct connection to the places that can be searched. Unless your suspect has some very big pockets, a desktop computer will not be on their person.
Some courts have ruled that authorization to search all computer devices on the premises will be implied if the warrant authorized a search for data that could have been stored digitally. However, it is recommended to consider the digital device as simply a locked container that holds the evidence you want to collect. Best practice is to particularly describe the data to be seized, then add language that authorizes a search for it in any form in which it could have been stored; e.g., devices capable of storing said data on electronic or magnetic media such as internal or external hard drives or optical discs.
Once the digital devices are lawfully obtained, the search warrant should provide guidance on conducting the search. It is recommended to clearly identify the authorized personnel, such as forensic experts, who will be involved in examining the devices.
Regarding the particularity requirements of search warrants, you don’t know what is in a phone until you look. The courts have agreed that it is reasonable in this case to identify categories of information, like messages or photos.
It is recommended that the scope of the warrant limit the timeframe of records to a window that is relevant to the case. According to a poll conducted by the online consumer electronics magazine SlashGear, most phone owners (55.47%) choose to upgrade their phones once every two to three years. Surprisingly, 11.89% of respondents upgrade once a year, while 4.28% admitted to getting a new phone once every 6 months. Asking for two years of records from the examination of a device may not be practical, as the phone simply may not be that old. Additionally, broad windows for records lead to accusations of the warrant being a fishing expedition. If the crime happened last Tuesday, why do you need a year’s worth of data? If the facts of the case require the year, you should certainly ask for it, but asking for more than you need could result in severance.
The virtual crime scene spans numerous online platforms and services, offering an abundance of potential evidence. The trick to understanding what records can be collected from a provider comes in answering three questions:
If the records you consider evidence can be viewed publicly, then they are inherently being stored by the provider. For example, a photo posted to an Instagram profile must be stored on their servers for people to see.
If the data you are looking for is a core component of the service itself, it has to be stored by the provider. For example, the dating app Tinder has a geographical component allowing you to only see other users within a radius of your location. That means that Tinder must collect location data in order to provide service.
If the company charges the user for a service, they track the customer’s usage. Telecommunications providers, for example, charged per text message, so their billing system captured when text messages were sent and received. Most Call Data Records (CDRs) exist because the telecom needs to charge the customer.
Just because a company bills for or facilitates a service does not mean that they maintain the data. For example, very few phone service providers store text message content, and iMessage-to-iMessage messages are not sent as SMS at all; they are data usage, with the content held by Apple.
When writing for online records, it is recommended to avoid generic language and use those terms that are specific to the provider, like “Snaps” or “Tweets”. You may feel silly requesting records about pokes or winks, but using the company’s terminology reduces the amount of warrant interpretation they have to do and ensures you get the records you requested.
Destin is a law enforcement professional and Digital Forensic Analyst with over 20 years of experience. As the co-creator and CEO of Warrant Builder, Destin has unique insights into search warrants and online investigations. You can follow him on LinkedIn.