I am currently examining the hard drive of an individual who is suspected of possessing/distributing CP. As of now there is a mountain of evidence to support the possession/distribution claim. However, during my investigation I have also come across a number of evidentiary items (email conversions, suspicious executable programs, Microsoft Excel spreadsheets, etc.) which lead me to believe that the individual in question may also be committing some sort of credit card fraud.
While I have been able to find evidence of both unique crimes, I have yet to uncover anything which can implicate that the two are somehow connected and relevant to one another (keep in mind during my case briefing only the topic of child pornography was discussed, with no mention of any additional unrelated crime such as fraud.)
So my question basically boils down to this: if you are investigating an individual for a certain offense and you uncover a completely new one that, by all accounts, is unrelated to the offense you are currently investigating, are you then, as an investigator, obligated to mention this additional transgression in your case report/make your findings apparent to your supervisor and/or fellow investigators?
I am mostly conflicted because of this lack of supporting evidence on the drive to somehow link the two crimes. They seem to be completely unrelated to one another, aside from the obvious factor that they are both illegal.
I would normally have no problem including the fraud as evidence. But at the same time I feel the association to the CP offense is necessary for it to be deemed relevant in court, and again as of now there appears to be no such logical connection.
This scenario can also be applied to other hypothetical examples, such as investigating a case of murder and uncovering evidence of grand theft auto, or investigating a theft of intellectual property and finding evidence of illegal file sharing... you get the idea.
Thanks in advance for the help
I don't see the dilemma, but then I wouldn't, I'm a simple police officer…
What would you do if you found your own credit card details amongst those on a spreadsheet?
Admittedly, in England and Wales it is fairly simple: so long as we are lawfully in possession of evidence (in this case, a computer), anything on that computer can be used as evidence of any offence that subsequently becomes apparent. I haven't a clue how you stand in respect of this issue across the pond.
Over here, he would be questioned about both matters and provided there was sufficient evidence he would go to court on both matters simultaneously (although they could be split later).
Paul
So my question basically boils down to this: if you are investigating an individual for a certain offense and you uncover a completely new one that, by all accounts, is unrelated to the offense you are currently investigating, are you then, as an investigator, obligated to mention this additional transgression in your case report/make your findings apparent to your supervisor and/or fellow investigators?
You did not say whether you are law enforcement or not and I am not a lawyer but I have been involved in such cases and the courts have been inconsistent in their interpretation of the "in plain view" doctrine with respect to digital evidence. Depending upon the scope of your authority, you may be on shaky ground.
To put it another way, you can report it, but whether it would be admissible as evidence will likely be subject to challenge.
For example, Alex Kozinski, Chief Judge of the Ninth Circuit Court of Appeals ruled in United States v. Comprehensive Drug Testing, Inc., 579 F.3d 989, (9th Cir. 2009) (en banc) that the Federal government was guilty of deliberate overreach when it attempted to seize all drug testing data related to the baseball doping scandal. In particular (and this ruling is controversial), he criticized the "wholesale seizure for later detailed examination of records not described in a warrant" which, effectively, nullified the "in plain view" doctrine by saying that the government had no right to the records to begin with.
So, even if you don't prove a link, your findings outside the CP evidence may not be admissible. That doesn't mean that you shouldn't report them.
As for the logical connection, that appears to be a little more straightforward in that stolen PCI is frequently used to traffic in CP. In fact, the Operation Ore screwup in the UK was due to the use of the Operation Landslide database which included credit card numbers used to purchase CP. The problem in Operation Ore was that the UK authorities failed to determine whether the CC information had been stolen (in many cases, it had), which led to the false arrests and accusations of innocent citizens.
So, there is a logical connection between CP and stolen PCI but, again, whether it is admissible will be up to the judge, I suspect.
If you are not acting as law enforcement and your access to the media was permitted under the terms of discovery, things might be different.
I guess that in the US the point revolves about the "fruits of the poisoned tree"
So, it all depends on how it is worded EXACTLY the warrant AND your particular assignment/job.
The "in plain view" approach, when applied to digital evidence, is debatable and actually debated.
jaclaz
As you noted, there is still debate about what constitutes "in plain view" when it is necessary to do a full forensic examination.
As an example, the standard for such things as child pornography (CP) was once limited to possession. If you found it, he had it, we're done. But with the advent of the "malware defense", it is not sufficient to demonstrate that CP was present. You also need to document that it could not have been placed there without the knowledge and consent of the user. This type of analysis requires a detailed examination of the entire media, including "live analysis" to exclude any factors which could contribute to reasonable doubt. Many law enforcement agencies are not prepared to do this. Those that are are likely to learn many other things about the user than just whether they knowingly possessed CP.
The type of analysis that we do to answer the question of whether we can say, to a reasonable degree of computer forensic certainty, that the user knowingly was in possession of and used these files, is pretty much standard across the board but it has the "side-effect" of reconstructing evidence of the user's other activities which may be unrelated to the issue at hand.
In this setting, it is almost impossible "to uncover ONLY the information for which it has probable cause"; however, I don't think that this is at odds with the "plain view" doctrine since there exists no practical way to avoid such analysis while being assured that the examination was complete. Our purpose in doing the verification was not to discover things unrelated to the issue at hand and, one might argue, that which we discover which is unrelated should not be admissible.
There is also a grey area where the issue of "plain view" is not so clear cut. For example, are Internet history logs "in plain view"? Normally these are not used, directly, by the user but I can download tools which will parse these into a human readable form with which I can recreate the user's activities. Newer browsers use a weak "encryption" scheme to enhance privacy but, again, this encryption is easily thwarted using Windows libraries. If, in searching the user's Internet history for evidence of a particular type of activity, I discover a different activity, was this discovery "in plain view"?
I would argue, "yes", because the Internet history is typically contained in one file or database and to find evidence of one type of activity I will, necessarily, find evidence of all activities.
If I have to use specialized hardware or software, or specialized knowledge or techniques to open a file that could not, otherwise, be opened by anyone but the file's creator or intended recipient, I don't see how what I discover could reasonably be construed as "in plain view".
However, to expand the Internet history example, suppose that in looking for evidence of crime A I come across two encrypted Zip files in a directory marked "Personal". I manage to guess the user's password and unencrypt both files and find, instead, evidence of crime B. Is this an issue of "inevitable discovery" rather than "plain view"? After all, I can't know what was not in the archive unless I examine it.
While I generally agree with much of what Judge Kozinski wrote, I found some of the opinion to be (like the RAM Copy Doctrine) an unfortunate judicial twist on technology.
In particular, there should be a distinction between making the forensic image and actually using it as evidence.
Making a forensic copy of the entire media is almost always preferable to doing a limited examination, as long as controls exist on what can be done with those forensic copies so as to protect the privacy of the individuals. I may seem naive but it would appear to me that a limited examination would be less likely to identify potentially exculpatory evidence and, as I said before, actually associating the evidence with the user's intents and actions can be problematic without a more detailed examination.
From what I understand….
If the scope of your warrant specifies that you are looking for evidence of a crime (or crimes) and you end up with evidence of a new crime that is not within the scope of your warrant, you need to supplement your original warrant to include this new crime and give you authority to search for evidence of it. I believe this is called the moment of new discovery or something like that.
You will need to demonstrate in your application how you got to the new evidence - basically linking (not the crimes) but your actions from doing an analysis for original offense(s) (in your case CP) to finding the new evidence which would be your basis for requesting the supplement.
If you continue gathering evidence on the new crime without the supplement, you would have overreached the scope of your initial warrant and the evidence will not be accepted.
I'm not an Attorney, never played one on TV, nor did I sleep at a Holiday Inn last night 😉 Mileage varies in different jurisdictions - contact your DA for proper advice.
My 3.5 cents worth.
Good luck!
-=Art=-
Assuming you're in law enforcement, then if in doubt, use the discovered evidence as the basis to get a further search warrant to cover the new material. I've heard of plenty of times people got in trouble for not having a SW, but never of them getting in trouble for getting a new one.
Not a lawyer, not legal advice, you really should put this question to your attorney.
Since the plain view doctrine hasn't been settled nationwide yet, if you are law enforcement, talk to your prosecutor.
If you aren't law enforcement, talk to your supervisor or lawyer.
Either way, I really don't think the matter of what to do with the additional evidence (regardless of whether it's connected to the child porn or not) should be left in your hands. That isn't a slight by any means, it's just that a lawyer will have a better idea of the shape of the law in your area than yourself or people on some web forums.
I'd like to question, although I admit complete ignorance of American law, why not just hand it all over to prosecution and let them make the decision?
Do you open yourself to prosecution for overstepping the mark if you do this and it is beyond the remit of the warrant? Is there a question of being paid for time that it would take if this is outside the scope of your investigation? Can you request an extension to your warrant easily given "probable cause"?
As binarybod says, in the UK, tough luck - we'd investigate both matters and probably, given adequate evidence, prosecute both.
And as seanmcl points out, sometimes that evidence isn't always the best (Operation Ore) but is still fair game.
I'd like to question, although I admit complete ignorance of American law, why not just hand it all over to prosecution and let them make the decision?
The reason, as another poster noted, is that anything received by the prosecutor which could be considered outside the scope of the warrant was illegally obtained and no prosecutor would want to be contaminated with it.
The appropriate thing, as 4n6art noted, would be to halt the investigation and attempt to get a second warrant or expand the scope of the first, at which point, the judge will likely want probable cause, "in plain view" or inevitable discovery arguments.