Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

U.S. Laws Affecting Digital Forensics

There are many laws that affect digital forensics investigation; for example, some jurisdictions have passed laws that require the investigator to be either a law enforcement officer or a licensed private investigator to extract the evidence. Of course, that does not prevent a forensic investigator from working with information someone else extracted or extracting evidence if the information owner gave his or her permission. It is important to be aware of the legal requirements in the jurisdiction in which you work.

The Federal Privacy Act of 1974

The Privacy Act of 1974 establishes a code of information-handling practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by U.S. federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

The Privacy Protection Act of 1980

The Privacy Protection Act (PPA) of 1980 protects journalists from being required to turn over to law enforcement any work product and documentary materials, including sources, before it is disseminated to the public. Journalists who most need the protection of the PPA are those who are working on stories that are highly controversial or about criminal acts because the information gathered may also be useful to law enforcement.

The Communications Assistance for Law Enforcement Act of 1994

The Communications Assistance for Law Enforcement Act of 1994 is a federal wiretap law for traditional wired telephony. It was expanded to include wireless, Voice over Internet Protocol (VoIP), and other forms of electronic communications, including signaling traffic and metadata.

The Electronic Communications Privacy Act of 1986

The Electronic Communications Privacy Act of 1986 governs the privacy and disclosure, access, and interception of content and traffic data related to electronic communications.

The Computer Security Act of 1987

The Computer Security Act of 1987 was passed to improve the security and privacy of sensitive information in federal computer systems. The law requires the establishment of minimum acceptable security practices, creation of computer security plans, and training of system users or owners of facilities that house sensitive information.

The Foreign Intelligence Surveillance Act of 1978

The Foreign Intelligence Surveillance Act of 1978 (FISA) is a law that allows for collection of “foreign intelligence information” between foreign powers and agents of foreign powers using physical and electronic surveillance. A warrant is issued by the FISA court for actions under FISA.

The Child Protection and Sexual Predator Punishment Act of 1998

The Child Protection and Sexual Predator Punishment Act of 1998 requires service providers that become aware of the storage or transmission of child pornography to report it to law enforcement.

The Children’s Online Privacy Protection Act of 1998

The Children’s Online Privacy Protection Act of 1998 (COPPA) protects children 13 years of age and younger from the collection and use of their personal information by websites. It is noteworthy that COPPA replaces the Child Online Protection Act of 1988 (COPA), which was determined to be unconstitutional.

The Communications Decency Act of 1996

The Communications Decency Act of 1996 was designed to protect persons 18 years of age and younger from downloading or viewing material considered indecent. This act has been subject to court cases that subsequently changed some definitions and penalties.

The Telecommunications Act of 1996

The Telecommunications Act of 1996 includes many provisions relative to the privacy and disclosure of information in motion through and across telephony and computer networks.

The Wireless Communications and Public Safety Act of 1999

The Wireless Communications and Public Safety Act of 1999 allows for the collection and use of “empty” communications, which means nonverbal and nontext communications, such as GPS information.

The USA Patriot Act of 2001

The USA Patriot Act is the primary law under which a wide variety of Internet and communications information content and metadata is currently collected. Provisions exist within the Patriot Act to protect the identity and privacy of U.S. citizens.

The Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 contains many provisions about recordkeeping and destruction of electronic records relating to the management and operation of publicly held companies.

18 U.S.C. § 1030: Fraud and Related Activity in Connection with Computers

This is one of the most widely used laws in hacking cases. It covers a wide range of crimes involving illicit access of any computer.

18 U.S.C. § 1020: Fraud and Related Activity in Connection with Access Devices

This is closely related to section 1030 but covers access devices (such as routers).

The Digital Millennium Copyright Act (DMCA) of 1998

This controversial law was enacted in 1998. It makes it a crime to publish methods or techniques to circumvent copyright protection. It is controversial because it has been used against legitimate researchers publishing research papers.

18 U.S.C. § 1028A: Identity Theft and Aggravated Identity Theft

As the name suggests, this law targets any crime related to identity theft. It is often applied in stolen credit card cases.

18 U.S.C. § 2251: Sexual Exploitation of Children

This law covers a range of child exploitation crimes and is often seen in child pornography cases. Related to this rather broad law are several others, such as:

  • 18 U.S.C. § 2260: Production of sexually explicit depictions of a minor for importation into the United States.

  • 18 U.S.C. § 2252: Certain activities relating to material involving the sexual exploitation of minors (possession, distribution and receipt of child pornography).

  • 18 U.S.C. § 2252A: Certain activities relating to material constituting or containing child pornography.

Warrants

According to the Supreme Court, a “seizure of property occurs when there is some meaningful interference with an individual’s possessory interests in that property” (United States v. Jacobsen, 466 U.S. 109, 113 [1984]). The Court also characterized the interception of intangible communications as a seizure, in Berger v. New York (388 U.S. 41, 59–60 [1967]). This means that law enforcement need not physically take property for an action to be considered a seizure; merely interfering with an individual’s access to his or her own property constitutes seizure, and Berger v. New York extends that principle to communications. If law enforcement’s conduct does not violate a person’s “reasonable expectation of privacy,” then formally it does not constitute a Fourth Amendment “search,” and no warrant is required. The question of what counts as a reasonable expectation of privacy has been argued in many cases. To use a clear example, if you save a message in an electronic diary, you clearly have a reasonable expectation of privacy; if you post the same message on a public bulletin board, you can have no such expectation. In less clear cases, the general rule courts have applied is that law enforcement officers are prohibited from accessing and viewing information stored in a computer if they would be prohibited from opening a closed container and examining its contents in the same situation.

Warrants are not needed when evidence is in plain sight. For example, if a detective is talking to someone about a string of burglaries in the neighborhood, and can clearly see child pornography on that person’s computer screen, no warrant is needed. Another exception to the need for a warrant is consent. If someone who is authorized to provide consent gives that consent to search, then no warrant is needed.

In computer crime cases, two consent issues arise particularly often. First, when does a search exceed the scope of consent? For example, when a person agrees to the search of a location, such as his or her apartment, does that consent authorize the retrieval of information stored in computers at the location? Second, who is the proper party to consent to a search? Can roommates, friends, and parents legally grant consent to a search of another person’s computer files? These are all very critical questions that must be considered when searching a computer. In general, courts have held that only the actual owner of a property can grant consent. For example, a parent of a minor child can grant consent to search the child’s living quarters and computers. However, a roommate who shares rent can grant consent to search only living quarters and computers co-owned by both parties. A roommate cannot grant consent to search the private property of the other person.

There are other cases where you don’t need a warrant. One such circumstance is border crossing. Anyone going through customs in any country may have their belongings searched. This can include a complete forensic examination of laptops, cell phones, and other devices. Another such instance where a warrant is not needed is if there is imminent danger that evidence will be destroyed. In the case of United States v. David, the court held that “When destruction of evidence is imminent a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.”

It is also important not to exceed the scope of a warrant. In United States v. Schlingloff, 2012 U.S. Dist. LEXIS 157272 (C.D. Ill. Oct. 24, 2012), Judge Shadid held that use of Forensic Toolkit’s (FTK) Known File Filter (KFF) to alert on child pornography files was outside the scope of a warrant issued to look for evidence of identity theft. In this case, the owner of the device was suspected of identity theft, and a warrant was issued so that police could search for evidence of that crime. However, the investigator used the Known File Filter to search for child pornography, and indeed found illegal images on the computer in question.