Search and Seizure

You probably won’t have unobstructed access to all evidence. Before you collect any evidence, make sure you have the right to either search or seize the evidence in question. This section briefly discusses options and restrictions that relate to searching and seizing evidence.

Voluntary Surrender

voluntary surrender: Permission granted by a computer equipment owner to search and/or seize equipment for investigative purposes.

The easiest method of acquiring the legal right to search or seize computer equipment is through voluntary surrender. This type of consent occurs most often in cases where the primary owner is different from the suspect. In many cases, the equipment owner cooperates with the investigators by providing access to evidence. You might want to consider obtaining written consent to search prior to beginning your evidence collection activities.

Be aware that evidence you want might reside on a business-critical system. Although the equipment owner may be cooperative, you must be sensitive to the impact your requests for evidence may have on the owner’s business. Although you might want to seize all the computers in the Human Resources department to analyze payroll activity, you can’t put the whole department out of operation for long.

If your activities will alter the business functions of an organization, you may need to change your plans. For example, you could make arrangements to create images of each drive from the Human Resources department computers during off-business hours. If you can image each drive overnight, you could get what you need without impacting the normal flow of operations.

You would also have voluntary consent in cases in which an employee signed a search and seizure consent agreement as a condition of employment. Such prior consent relieves you from having to get additional permission to access evidence. As in any investigation, the value of evidence often diminishes over time. The sooner you collect evidence, the higher the likelihood that such evidence will be useful. If no such consent exists, you must get a court involved.

Never assume you have consent to search or seize computer equipment. Always ensure that you are in compliance with all policies and laws when conducting an investigation. Few things are more frustrating than having to throw out good evidence because it was acquired without proper consent.

Subpoena

subpoena: A court order that compels an individual or organization to surrender evidence.

In cases where you lack voluntary consent to search or seize evidence, you must ask permission from a court. The first option for using a court order is a subpoena. A subpoena compels the individual or organization that owns computer equipment to surrender it.

A subpoena is appropriate when it is unlikely that notifying the computer equipment owner will result in evidence being destroyed. Because a subpoena gives the owner advance notice, it also gives the owner ample time to take malicious action and remove sensitive information. Make sure you are confident a subpoena will not allow a suspect to destroy evidence.

One common use for a subpoena is when a nonsuspect equipment owner is unwilling to surrender evidence. An owner could have many reasons for being unwilling to release evidence. The evidence could contain sensitive information, and company policy could require a court order to release this type of information. Many times, a court order is required by policy or regulation to document that sufficient authority exists to release such information. In any case where cooperation is based on proper authority, a subpoena may provide access to evidence you need.

Search Warrant

search warrant: A court order that allows law enforcement to search and/or seize computer equipment without providing advance warning to its owner.

When you need to search or seize computer equipment that belongs to a suspect in an investigation, it’s possible that evidence may be damaged or rendered useless if the suspect knows of the investigation. You must have a court grant law enforcement officers permission to search and/or seize the identified computer equipment without giving the owner any prior notice.

A search warrant allows law enforcement officers to acquire evidence from a suspect’s machine without giving a suspect any opportunity to taint the evidence. Resort to a search warrant only when a subpoena puts evidence at risk. If you are working as an independent investigator, you cannot execute a search warrant. This option is open only to law enforcement officials.

Because a search warrant is an extreme step, courts are reluctant to grant such a ruling without compelling reasons to do so. Make sure you are prepared to justify your request. If you are operating on a “hunch,” you are likely to be refused. Before asking for a search warrant, gather some preliminary evidence that points to the suspect and his or her machine as a crucial part of the evidence chain.
