Just EnCase It's Not a Search
Mark Rasch, 2008-11-21

When is a search not really a search? If it’s done by computer, according to U.S. government lawyers.

In a recent case, U.S. prosecutors argued that as long as the search is done by a computer using pattern matching software, then it does not constitute a search. The U.S. District Court for the Middle District of Pennsylvania was unimpressed, and last month found that the examination of a hard drive using the EnCase forensic software was, in fact, a search for which a warrant was required.

The case revolves around the computer of Robert Crist. After Crist fell behind on his rent, his landlord put his belongings out on the street but decided to give the computer to a friend. When that person examined the computer, he found a few movie files containing what he thought was child pornography and promptly deleted them. After reconsidering his actions, the landlord's friend decided to call the police.

Meanwhile, Crist himself learned that the computer was missing (but not what his landlord had done with it) and filed a report with the same police department stating that the computer had been stolen.

The local police department passed the computer on to the Pennsylvania Attorney General's Office for forensics, specifying that it had been obtained "pursuant to consent of the owner," even though they already knew that Crist had reported it stolen. To figure out what was on the computer, the AG's investigators ran the EnCase forensic software against the hard drive (or a forensic image of it), comparing the MD5 hash of each file with the hashes of known instances of child pornography, and found numerous matches. Subsequently, they also displayed all the images on the computer and found over 1,600 images of child pornography. At no time, however, did anyone think to get a warrant for the examination of the computer.
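The first pass described above, hash matching, is worth seeing in code because it is the step the government later characterized as "not a search." The example below is written for this page and is not EnCase's or the Attorney General's own tooling: it walks a directory tree standing in for a mounted forensic image, computes the MD5 digest of every file in chunks, and reports only the files whose digest appears in a set of known hashes. The hash set, the file names and the file contents are all constructed, harmless bytes.

```python
import hashlib
import os
import tempfile

# Hypothetical hash set. A real investigation loads a vetted list of MD5 digests of
# known contraband; here the "known" digests are computed from harmless constructed bytes.
KNOWN_BAD_CONTENT = [b"constructed sample clip A", b"constructed sample clip B"]
KNOWN_MD5 = {hashlib.md5(data).hexdigest() for data in KNOWN_BAD_CONTENT}


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so multi-gigabyte evidence files need not fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_match_scan(root, known):
    """Walk a filesystem tree and return (relative path, digest) for files whose MD5 is in `known`.

    This step discloses nothing about a file except whether its hash is on the list; it
    never renders a file for a human to view. Results are sorted by path for stable output.
    """
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in known:
                matches.append((os.path.relpath(path, root), digest))
    return sorted(matches)


def build_sample_tree():
    """Create a constructed directory tree standing in for a disk image's filesystem."""
    root = tempfile.mkdtemp(prefix="hashscan_demo_")
    files = {
        "Documents/notes.txt": b"rent is late again",
        "Movies/a.mpg": KNOWN_BAD_CONTENT[0],
        "Movies/sub/b.avi": KNOWN_BAD_CONTENT[1],
        "Movies/holiday.avi": b"a perfectly ordinary home video",
        # Same bytes as a known file under a different name and extension:
        # hash matching is indifferent to file names.
        "Pictures/renamed.jpg": KNOWN_BAD_CONTENT[0],
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, digest in hash_match_scan(root, KNOWN_MD5):
        print(f"MATCH {digest}  {rel}")
```

Two practitioner caveats. First, an exact-hash pass only catches byte-identical copies; a re-encoded or cropped file has a different MD5, which is why the investigators' second step, rendering every image for a human to inspect, goes well beyond what this function reveals. Second, MD5 collisions are cheap to manufacture, so a hash set should be treated as a lead to be confirmed by examining the matched file, not as proof by itself.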

On October 22, 2008, the United States District Court for the Middle District of Pennsylvania ruled (.pdf) that, because the EnCase search revealed more to the police than what the landlord's friend had seen, a warrant was necessary to conduct the search.

So, does an EnCase search constitute a search under the Fourth Amendment of the U.S. Constitution? Definitely. A search with EnCase intrudes on the privacy of a person in a way that would normally require the police to have probable cause and to obtain a warrant. The landlord's friend's search of Crist's computer may have been unauthorized, but under U.S. law it would not have violated the Fourth Amendment, which restrains only government action. Anything the friend discovered would be usable even by police investigators, since it was a private search not conducted by the police.

Yet what did the friend find? Reportedly, not much. He found a couple of files, which he deleted. Of course, the police could have used what he found as probable cause and obtained a warrant to search the rest of the computer. Any judge would have issued the warrant under those circumstances. The problem, of course, is that that is not what they did. They just searched the computer.

A search or not?

The lack of a search warrant left prosecutors with two issues: What sort of searches can a government do when a computer just "falls into their laps," and can they have a computer program scan a hard drive without a warrant?

Two precedents speak to the first issue. In 1984, long before the anthrax scares, FedEx workers accidentally opened a FedEx tube and found nothing inside but white powder. They referred the case to the Drug Enforcement Administration, which conducted a "field test" and determined that the powder was cocaine (United States v. Jacobsen). The DEA's examination went slightly beyond the FedEx employees' look-see: they had seen only white powder, while the agent learned that the powder was cocaine. Nevertheless, the court concluded that:

The DEA agent's field test [of the drugs], although exceeding the scope of the private search, was not an unlawful "search" or "seizure" within the meaning of the Fourth Amendment. Governmental conduct that can reveal whether a substance is cocaine, and no other arguably "private" fact, compromises no legitimate privacy interest.

Simply put, since the field test only reveals that the stuff is cocaine, and you have no legitimate privacy interest in cocaine, further searches reveal nothing that you have a right to keep secret. It’s the same argument that allows cops to use drug sniffing dogs: Since they only reveal that you have drugs, drugs are contraband, and you have no legitimate interest in contraband. As I have pointed out previously, this precedent could be used to justify warrantless searches of electronic communications.

Story continued on Page 2 

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm, and for the investigations of the Hannover hackers featured in Clifford Stoll's book, "The Cuckoo's Egg."
Copyright 2010, SecurityFocus