Understanding Search Warrants: Technology search warrants

In our previous blog post of the “Understanding Search Warrants” series, persons search warrants, we discussed issues related to writing search warrants to both search and collect people. Today is all about technology.

Nearly every crime that law enforcement investigates has a second invisible crime scene made up of the digital evidence on phones, computers and in the cloud. In this blog post, we will delve into the intricacies of writing search warrants for technology-related investigations. We’ll explore the common devices that harbor digital evidence, the process of obtaining search warrants to collect and search digital devices, and the significance of including online records in search warrant applications. Before we start, let’s break down what we’ll be talking about. There are three big parts to this topic. The first part is about writing search warrants to collect digital devices, the second part is about searching the contents of digital devices, and the third part is about collecting online records.

1. The places and things to be searched.
2. The items or records that can be seized.

Technology often holds valuable evidence, necessitating the need for search warrants to collect, search, and examine digital devices. Modern technology has integrated into our lives, offering a vast array of devices that hold potential digital evidence. Common devices include smartphones, tablets, computers, gaming consoles, external hard drives, and cloud storage services. These devices can house diverse forms of evidence, such as text messages, emails, photographs, videos, browsing history, and social media activity. When drafting search warrants, it is crucial to identify the devices and the specific evidence sought.

Where is my crime scene?

Perhaps one of the most confusing questions in technology investigations is determining where the crime scene is located. With most high-tech crimes, there are two; the physical location where the suspect committed the crime and the virtual crime scene within the device itself or online.

Lets examine three scenarios:

• A gang conducts two drive-by shootings in nearby parts of your city. In this scenario there are two physical crime scenes where the shootings occurred, but digital evidence could be found in the shooters phone, within the vehicle infotainment system, and at the telephone company providing service for the phone.
• Students at a local high school receive begin sharing screenshots of an upcoming shooting threat posted on Instagram. A case like this may have dozens of digital devices that store the screenshot, but investigators should not forget the original source Instagram. A search warrant for basic subscriber information will lead to the physical residence or mobile phone responsible for the post.
• A Nigerian prince sends and email to a citizen in your area promising $50,000 for simply depositing a check and sending them the balance. In this scenario there are the physical crime scenes is the victim’s residence where they answered the email, the Western Union where the money order was purchased, with digital evidence located on the victim’s computer, in the form of records stored by Western Union, and within the victim’s email service provider. The location of the suspect’s computer is relevant in this case, wherever in the world that may be.

Technology Warrants: collecting digital devices

Drafting an effective search warrant to collect digital devices requires careful consideration of essential elements. Because our phones contain so much of our personal lives, special consideration has been given to them by the courts. Many states, like California, have Electronic Communication Privacy laws that require a separate search warrant to examine collected phones and computers.

There are three points to address when writing a warrant to collect a digital device:

• Articulating that a specific device, or a class of device, was used.
• The likelihood the device will be at the location you are searching.
• Where that device may be located.

Explaining to the court that a device was used in this crime is usually straightforward, but search warrants require particularity in their descriptions of things to be seized. If the investigation had an online component prior to searching the residence, common in cybercrime investigations, warrant returns may identify the specific device used during that crime. For example, companies like Google, Meta and Apple frequently record the model of device used by their customers like a Samsung SM-J700 or an iPhone 14 Pro (A2650). If the affiant knows this ahead of time, its always smart to add the description as an item to be seized. I would suggest expanding the scope of the warrant to include devices of similar capability; if the suspect damaged their SM-J700 and got a new phone, you wouldn’t want to be limited to only the Samsung phone.

What information do you have that the device you want to collect will actually be found at the place you are searching? Analysts project about 79 million desktop computers being sold in 2023; they also project 171 million laptops being sold. That means you have a higher chance of the digital device being portable, ie. a laptop, mobile phone or tablet.

Knowing what type of device you are looking for helps make a direct connection to the places that can be searched. Unless your suspect has some very big pockets, a desktop computer will not be on their person.

Some courts have ruled that authorization to search all computer devices on the premises will be implied if the warrant authorized a search for data that could have been stored digitally. However, it is recommended to consider the digital device as simply a locked container that holds the evidence you want to collect. Best practice is to particularly describe the data to be seized, then add language that authorizes a search for it in any form in which it could have been stored; e.g., devices capable of storing said data on electronic or magnetic media such as internal or external hard drives or optical discs.

Technology Warrants: searching digital devices

Once the digital devices are lawfully obtained, the search warrant should provide guidance on conducting the search. It is recommended to clearly identify the authorized personnel, such as forensic experts, who will be involved in examining the devices.

Regarding the particularity requirements of search warrants, you don’t know what is in a phone until you look. The courts have agreed that it is reasonable in this case to identify categories of information, like messages or photos.

It is recommended that the scope of the warrant should limit the timeframe of records to a window that is relevant to the case. According to a poll conducted by the online consumer electronics magazine SlashGear, most phone owners (55.47%) choose to upgrade their phones once every two to three years. Surprisingly, 11.89% of respondents upgrade once a year, while 4.28% admitted to getting a new phone once every 6 months. Asking for two years of records from the examination of a device may not be practical as the phone simply may not be that old. Additionally, broad windows for records leads to accusations of the warrant being a fishing expedition. If the crime happened last Tuesday, why do you need a year’s worth of data? If the facts of the case require the year, you should certainly ask for it, but asking for more than you need could result in severance.

Technology Warrants: collecting online records:

The virtual crime scene spans numerous online platforms and services, offering an abundance of potential evidence. The trick to understanding what records can be collected from a provider comes in answering three questions:

1. Can the data be viewed publicly.

If the records you consider evidence can be viewed publicly, then they are inherently being stored by the provider. For example, a photo posted to an Instagram profile must be stored on their servers for people to see.

2. Is the data required for the service to work.

If the data you are looking for is a core component of the service itself, it has to be stored by the provider. For example, the dating app Tinder has a geographical component allowing you to only see other users within a radius of your location. That means that Tinder must collect location data in order to provide service.

3. Does the company bill for that service.

If the company charges the user for a service, they track the customers usage. Telecommunications providers pro example charged per text message, so their billing system captured when text messages were sent and received. Most of Call Data Records (CDR) are due to the telecom needing to charge the customer.

Just because a company bills for or facilitates a service does not mean that they maintain the data. For example, very few phone service providers store text message content and iMessage to iMessage are not sent as SMS at all; they are data usage with the content held by Apple.

When writing for online records, it is recommended to avoid generic language and use those terms that are specific to the provider, like “Snaps” or “Tweets”. You may feel silly requesting records about pokes or winks, but using the companies terminology reduces the amount of warrant interpretation they have to do and ensures you get the records you requested.

Want to learn more about search warrants? Follow our blog series to learn more about how search warrants work, tips & tricks for writing great warrants, and insights on evidence that law enforcement can collect. There is a lot to learn, so rely on the experts at WarrantBuilder.com! Sign up for a free trial and learn why cops across the country trust Warrant Builder for fast, efficient, and complete search warrants.

Destin is a law enforcement professional and Digital Forensic Analyst with over 20 years experience. As the co-creator and CEO of Warrant Builder, Destin has unique insights into search warrants and online investigations. You can follow him on LinkedIn