Abstract
This article describes, from the expert witness perspective, the most common scheme and basic procedure by which search warrants related to computer evidence are served in Spain, and presents a guide, concrete tools, commands and recommendations aimed at maximizing the effectiveness and validity of the action.
Glossary
Expert Witness
Procedural law in Spain allows the introduction of facts into a conflict in the form of “expert witnesses proof” (prueba de peritos). In the Spanish legal system an expert witness is someone who has expert knowledge on a matter related to the case. They can be appointed by the court or by the parties in conflict. They issue their results in writing and are usually questioned during the trial.
Search Warrant
In Spain a search warrant is a court commission to search for evidence related to a case. They are usually issued in criminal procedures, but Spanish law also allows them as precautionary measures in intellectual property, patent or unfair competition cases.
“Comisión Judicial”
A group of persons led by the court clerk to serve a court commission is called a “Comisión Judicial”. In the case of search warrants it consists of the court clerk together with law enforcement personnel and/or the expert witness(es) if needed. The court clerk attests the action, because he/she can act as a legal authority, and takes detailed minutes of the whole procedure.
Introduction
Description
In Spain expert witnesses can be appointed by the court to serve search warrants. In civil litigation these actions are usually precautionary measures derived from unfair competition actions. In criminal prosecution they usually act in less serious crimes, such as discovery and revelation of secrets.
When specialized law enforcement units (terrorism, drugs, economic crime, etc.) are investigating more serious crimes, they don’t rely on expert witnesses but usually get coverage from their own units (scientific police).
Depending on how the judge envisions the action, which is constrained by how the party or the attorney requests it, expert witnesses are either assigned to act as assistants to law enforcement or receive the coverage they need from law enforcement to guarantee the effectiveness of the action. The first case would correspond to an investigation already in progress, and the second could correspond to precautionary measures requested by the plaintiff. In any case it is advisable to let law enforcement do their job as long as it does not interfere with the court assignment.
Expert witnesses have to be, and remain, independent and impartial during the case. They must disclose any detail that may compromise their independence and/or impartiality and refrain from acting in any action in which they may have any kind of interest.
The court commission must specify in detail what is being searched for and what means can be used to serve it. It may include file names, examples of file contents, file hashes (MD5, SHA), whether it allows the search and/or seizure of computers, optical media, etc.
An expert witness appointed to serve a search warrant will have to answer for the outcome of the action and needs to plan it well, because these kinds of duties don’t forgive errors easily.
In non-computer-related actions, serving a search warrant is a one-step activity. But in the case studied here, search warrants oriented to computer evidence, the action has to be performed in multiple steps:
1. Material acquisition in the place where the search warrant is served.
2. In-court storage media imaging.
3. Expert witness analysis and result presentation.
The reason it is split into different steps is that media imaging and analysis are time-intensive tasks, and tactical and practical considerations call for agility when serving the search warrant.
Steps 1 and 2 are performed under the court clerk's legal authority and control. After reviewing the results presentation, the court may require further iterations of step 3.
Structure
This article is structured as follows:
- Basic procedure. It explains how the action is performed.
- Recommendations. Some recommendations regarding how to serve the commission.
- Tools and commands. Review of some effective tools and commands. There are different good approaches to this, but this article focuses on the use of a computer forensic distribution to boot the target computer and perform the cloning. The directory and file names in the proposed examples have been redacted, but the results come from real data.
Basic procedure
Search warrants are usually served by what is called a “Comisión Judicial”. In the proposed scenario it consists of:
- A judicial clerk. He/she will inform those receiving the warrant and take detailed minutes of every action performed to serve it. S/he acts as legal authority and can attest the action.
- Law enforcement agents. Some of them are agents who have prepared the tactics of the action (identification of persons of interest and places, the best time to conduct the action, etc) and some are from specialized units conducting the investigation of the acts being prosecuted.
- One or more expert witnesses. At least one of the expert witnesses is appointed directly by the court. The plaintiff may be allowed to appoint an expert witness himself/herself, but s/he has to be properly empowered to be allowed to attend the action. In any case s/he may raise concerns or questions that can be recorded in the minutes but will NOT be allowed to intervene directly in the action.
Action
The “Comisión Judicial” is constituted when all those appointed by the court are present and the judicial clerk starts taking the minutes.
Once in the place where the warrant is to be served, law enforcement gets access to the place and identifies the person of interest to receive it. The judicial clerk informs him/her about the circumstances that trigger the action, his/her rights, what is going to be searched and how the action is going to be deployed.
The person of interest is asked for computers, storage media or devices that may contain what is being searched for. If s/he provides this information, the expert witness verifies it in front of him/her and the judicial clerk, and everything is documented in the minutes. In any case all suspicious media, devices or computers are seized by the expert witness and documented in the minutes, always being proportional, observing the rights of the person receiving the action and obeying what the judge allowed in the search warrant.
All seized material is left in an in-court deposit.
In-court disk clone
Later, the expert witness makes an image copy of the seized material for analysis. The respondent is informed when the copy is being performed and allowed to get a copy at his/her own expense. The image copy is performed in front of the judicial clerk, who takes minutes of the actions performed.
Once the copy is finished all seized material returns to the in-court deposit.
Analysis and result presentation
The expert witness performs the required analysis of the imaged material and presents a report to the court that documents the whole process, from the constitution of the commission to the final result, including all the details that may allow someone else to reproduce all his/her findings.
It is very important that no information unrelated to the search warrant is disclosed in the result presentation, as this may affect the rights of the person suffering the action. It is better to make indications regarding the possible outcome of further analysis and get confirmation from the court before conducting it than releasing information that may affect the rights of the person suffering the measure.
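The following added example (not part of the original article) shows one way to keep the analysis output limited to what the warrant names: it walks a directory tree, matches files against the file hashes (MD5 or SHA-256) and file name patterns listed in the court commission, and lists only the matches, while out-of-scope files are counted but never named. The function names, the sample tree and the pattern `designs_*.dwg` are assumptions made for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def scoped_search(root, warrant_hashes, warrant_patterns):
    """Report only files covered by the warrant; count the rest without listing them."""
    wanted = {h.lower() for h in warrant_hashes}
    hits, out_of_scope = [], 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links out of the mounted image
            md5_hex, sha256_hex = file_digests(path)
            reasons = []
            if md5_hex in wanted or sha256_hex in wanted:
                reasons.append("hash")  # a content match survives renaming
            if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in warrant_patterns):
                reasons.append("name")
            if reasons:
                hits.append({"path": os.path.relpath(path, root),
                             "sha256": sha256_hex, "matched_on": reasons})
            else:
                out_of_scope += 1
    return sorted(hits, key=lambda h: h["path"]), out_of_scope

def demo():
    """Run the search over a constructed tree standing in for a read-only mounted image."""
    files = {  # constructed sample data, not from any real case
        "work/designs_v2.dwg": b"constructed drawing",
        "work/renamed.bin": b"constructed customer list",
        "private/holiday.jpg": b"unrelated personal file",
    }
    listed_hash = hashlib.sha256(files["work/renamed.bin"]).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scoped_search(root, [listed_hash.upper()], ["designs_*.dwg"])

if __name__ == "__main__":
    print(demo())
```

The report lists the two files in scope with the reason each one matched, and gives only a count for everything else, so nothing unrelated to the warrant appears in the output.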
Recommendations
General
It is very important to always keep in mind what the assignment says and what it does not. It has to be clear and complete, and if it is not, it is better to seek clarification or raise any concerns with the court in writing.
Also, during the action and the presentation of results, the rights of the person who receives the action have to be respected, and the means, actions performed and possible consequences have to be proportional.