Type of Search: How the Search Is Conducted

Digital information can be searched and organized much more quickly and with much more granularity than information in an analog (i.e., paper) form. Digital device searches are often categorized in the case law in a binary way as either “manual” or “forensic” searches, even though that distinction fails to account for the breadth of hybrid methods that law enforcement may use. 

  1. Manual search: A search done by looking through data on the device as a user would, like physically scrolling through a phone’s touch screen menus and applications.
  2. Forensic search: A search that uses additional tools such as a separate device (like a law enforcement laptop or other extraction hardware) or separate software (not originally present on the target device) to help law enforcement find and extract data. Forensic device searches typically employ far more intrusive searching techniques, and can help law enforcement bypass encryption, classify images, restore deleted data, track GPS locations over time, search for references to specific keywords, and map relationships among groups of people. Forensic device searches using automated algorithms can detect patterns and pattern deviations that can uncover insights that are potentially far more intrusive and revealing than what could have been gleaned from a non-digital search, at a fraction of the time and expense that would be necessary to review similar information in a physical format.

Generally speaking, the government uses a two-step process to execute forensic device searches:

  1. “Imaging”—making a complete digital copy, or “image,” of the entirety of the information stored on the device. This “image” is then stored on a separate external medium, such as a hard drive.
  2. “Forensic analysis”—using advanced forensic software to examine the digital image of the device, expanding the government's search and analysis capabilities. Forensic software may allow the government to organize, methodically search, and view deleted data that the software on the device itself wouldn’t be capable of displaying.

    Location of Data

    Data may be stored locally on the device in RAM, an internal hard drive, or on removable media storage like a USB flash drive or external hard drive. Or data may be stored remotely (as in “cloud” searches) where the device is used as a portal for examining information stored outside the device itself, on remote servers often known as the “cloud.” For example, a search of a user’s app, such as their Facebook account, could go beyond what is locally stored on the device if the device is connected to the Internet and the user is still logged into the application during the digital search. In this situation, the app could download data from Facebook's servers and show it to the forensic examiner.

    What to Look for

    Generally, it should be clear whether a client had their device searched because their device will have been seized, there should be a search warrant and supporting affidavit that you can challenge, and the government should have produced all information seized from the client’s device, along with a report documenting how the information was obtained.

    However, if the government has data about your client and there is no search warrant, how can you tell if the government obtained that data from a search of the client’s device, as opposed to some other way? Some factors that might indicate an warrantless device search include:

    1. Seizure of your client’s cell phone or other digital device, production of your client’s digital information, and no subpoenas or warrants directed at third party service providers.
    2. Any mention of digital forensics software, like Cellebrite, Secureview, Oxygen, FTK Imager, Encase, MSAB XRY, E-fense Helix3, or Magnet Axiom, or of “images” or “copies” of device contents.
    3. Any mention of bypassed digital security, encryption, or passwords, or attempts to bypass these security features.

    Even where a warrant was obtained, you may want to consider challenging the search, based on the manner and methods used. If so, you may need a computer forensics expert to examine any digital information attributed to your client to determine what, if anything, can be inferred from the manner and format in which the digital information was extracted.

    If you would like help in identifying a potential expert, email info@eff.org with the subject line: "Defender Toolkit Expert Needed by [date]" and include the following information:

    1. What jurisdiction are you in? Where are you located?
    2. What specific type of expertise are you looking for and what should the expert be able to explain?
    3. What is your timeline? When do you need the expert by? When is your hearing/trial date?
    4. Would the expert need to prepare a written report, testify in court, or both?

    EFF can reach out to our network of technologists and, if we find a potential expert, we will pass along their information to you along with any relevant details they’ve furnished. Please note that as a matter of policy EFF does not endorse any of these experts.