Over on the SANS blog, Rob Lee posted a piece that he got "From Greg Haverkamp from the GIAC Certified Forensic Analysts [GCFA] Mailing list":
Sweeping 9th Circuit Decision Regarding Law Enforcement Officer Computer Forensics
It is a good summary of the opinion.
Before I get to what I have to say about this, you should also read John Barbara's article in Forensic Magazine about the Plain View Doctrine: Digital Insider: To Search or Not to Search…. the Search Continues
Also, if you are interested, here is a link to the full opinion from the 9th Circuit Court of Appeals:
11860 UNITED STATES v. COMPREHENSIVE DRUG TESTING, INC
This ruling could put a real pinch on the current "find it, then get a warrant for it" approach to examining electronic media.
Basically what the court is saying is that the "plain view" doctrine isn't going to fly when law enforcement is examining a hard drive for one thing and discovers something unrelated to the investigation, then goes and gets a warrant for the new evidence.
As a new form of protection, the court is suggesting that a neutral 3rd party segregate the evidence and provide only the evidence named in the search warrant to law enforcement.
One of the dissenters in the opinion said that this was going to severely damage the ability of small police forces to do computer forensics since they cannot afford dedicated, non-investigative personnel to perform this work.
I have long held that I thought it was problematic for the investigator on a case to also be the forensic examiner (in spite of what you see on CSI), since the investigator cannot separate what they see from what they are allowed to see. The nature of forensic examinations makes it virtually impossible to limit what the examiner sees. Only by having a third party perform the examination can evidence be properly segregated to protect the privacy of the individual, prior to the evidence being given over to law enforcement.
The burning question is: will this court decision force law enforcement labs to start using third party labs, or at least non-investigative personnel, for forensic examinations?
In the example John Barbara gives in his excellent article on the plain view doctrine, he talks about how when the examiner sees the first child porn picture, they should stop and go get a warrant. Prior to this ruling, that has been the normal way of handling the discovery of new, unrelated evidence under the theory that since the examiner cannot look for pictures of one thing without looking at all the pictures, the contraband pictures are in "plain view."
That is a lot like saying that since you can't look for tax documents in a file cabinet without looking at all the documents, if you discover a document that details drug transactions, that document is in plain view once the examiner takes it out and looks at it.
This ruling changes the interpretation of what plain view is when it comes to over-seizing and examining evidence.
Bear in mind that this ruling is about government searches of digital evidence and not about private searches. Private searches are not covered by the 4th amendment and are subject to a different set of rules.
Of course, I am not an attorney and my writing is just my opinion on the matter. (My disclaimer.)