Last Friday the Ninth Circuit decided United States v. Cotterman, a case on the border search exception to the Fourth Amendment. The en banc court held that manually searching for files through a computer is allowed at the border, but that “forensic examination” at the border requires reasonable suspicion. As the Court put it, “a manual review of files on an electronic device” is permitted without reasonable suspicion but “application of computer software to analyze a hard drive” is not.
In Cotterman, the agents followed a common law enforcement procedure for searching the computer: They made an image of the hard drive and then used the popular forensic software EnCase to search the image. According to Footnote 8, the EnCase program “exhibit[s] the distinctive features of computer forensic examination.” Those distinctive features are listed as the following:
The program copied, analyzed, and preserved the data stored on the hard drive and gave the examiner access to far more data, including password-protected, hidden or encrypted, and deleted files, than a manual user could access.
Here it is helpful to reintroduce the distinction I have written about often between virtual and physical approaches to computer searches:
Digital evidence searches generally occur at both a “logical” or “virtual” level and a “physical” level. The distinction between physical searches and logical searches is fundamental in computer forensics: while a logical search is based on the file systems found on the hard drive as presented by the operating system, a physical search identifies and recovers data across the entire physical drive without regard to the file system.
Most users think of computer searches as occurring at the virtual level, because that’s the user experience. But computer forensic software works at the physical level: it treats the hard drive as a physical device that contains millions of zeros and ones, not as a virtual “box” of information accessed through an operating system. User profiles and most password protection operate only at a virtual level, so a government forensic analyst operating at a physical level wouldn’t even notice the difference unless he was specifically looking for it.
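To make the logical/physical distinction concrete, here is a small added illustration (written for this post by the editor, not taken from the opinion, from EnCase, or from any real forensic tool). It models a toy one-block-per-file “file system” on top of a raw byte array, writes and deletes a few constructed files, and then runs the same keyword search two ways: a logical search that only reads live files through the directory table, as a manual user would, and a physical search that scans every byte on the medium and reports whether each hit sits in a live file, in the unused tail of a live file’s block (slack space), or in unallocated space left behind by a deleted file. Passwords and encryption are not modeled; the point is only that the same bytes are visible at one level and invisible at the other.

```python
import re

BLOCK_SIZE = 64    # toy block size; real file systems use clusters of 4 KiB or more
BLOCK_COUNT = 4    # toy medium: 256 bytes in total


class ToyDisk:
    """A minimal one-block-per-file 'file system' laid over a raw byte array.

    `raw` is the physical level (what an imaging tool copies).  `table` is the
    logical level (the directory an operating system would show a user).
    """

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.table = {}                        # name -> (block number, size in bytes)
        self.free = set(range(BLOCK_COUNT))

    def write(self, name, data):
        if len(data) > BLOCK_SIZE:
            raise ValueError("toy file system: one block per file")
        block = min(self.free)                 # reuse the lowest free block, as many file systems do
        self.free.remove(block)
        off = block * BLOCK_SIZE
        self.raw[off:off + len(data)] = data   # bytes after len(data) keep old contents: slack space
        self.table[name] = (block, len(data))

    def delete(self, name):
        block, _ = self.table.pop(name)        # drop only the directory entry ...
        self.free.add(block)                   # ... the data stays on the medium until overwritten

    def read(self, name):
        block, size = self.table[name]
        off = block * BLOCK_SIZE
        return bytes(self.raw[off:off + size])


def logical_search(disk, pattern):
    """What a manual user sees: only live files, and only up to each file's logical length."""
    return sorted(name for name in disk.table if re.search(pattern, disk.read(name)))


def physical_search(disk, pattern):
    """What a forensic tool sees: every byte on the medium, file system or not.

    Returns (byte offset, matched text, location) where location is one of
    'allocated:<file>', 'slack:<file>' or 'unallocated'.
    """
    hits = []
    for m in re.finditer(pattern, bytes(disk.raw)):
        block, rel = divmod(m.start(), BLOCK_SIZE)
        owner = next((n for n, (b, _) in disk.table.items() if b == block), None)
        if owner is None:
            where = "unallocated"                   # block belongs to no live file
        elif rel < disk.table[owner][1]:
            where = f"allocated:{owner}"            # inside the live file's bytes
        else:
            where = f"slack:{owner}"                # past the live file's end, inside its block
        hits.append((m.start(), m.group().decode(), where))
    return hits


def demo():
    """Constructed scenario: three files, two deletions, one block reused."""
    disk = ToyDisk()
    disk.write("report.txt", b"quarterly figures, internal MARKER-A, do not distribute")  # block 0
    disk.write("notes.txt", b"call back re MARKER-B")                                    # block 1
    disk.write("draft.txt", b"old draft MARKER-C")                                       # block 2
    disk.delete("report.txt")          # block 0 returns to the free list, bytes untouched
    disk.delete("draft.txt")           # block 2 likewise: now unallocated space
    disk.write("hello.txt", b"hi")     # reuses block 0: 2 live bytes, MARKER-A left in slack
    pattern = rb"MARKER-[A-Z]"
    return logical_search(disk, pattern), physical_search(disk, pattern)


if __name__ == "__main__":
    logical, physical = demo()
    print("logical search sees:", logical)
    for offset, text, where in physical:
        print(f"physical search: {text} at byte {offset} ({where})")
```

Running it, the logical search reports only `notes.txt`, while the physical search additionally recovers `MARKER-A` from the slack of the reused block and `MARKER-C` from the unallocated block of the deleted draft. That gap between the two result sets is exactly the “far more data ... than a manual user could access” that Footnote 8 describes.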
One way to read Cotterman is that agents have to take a virtual approach. They are allowed to open the virtual box of the machine and look through it as a user would from a virtual perspective. On the other hand, they’re not allowed to make an image and search the image using forensic software, treating the hard drive as a physical machine with data readily available to the forensic analyst.
But whether that understanding is correct, the Cotterman opinion raises some interesting questions about where the lines are here. In particular, here are four questions I have:
1) Are there any limits on how much manual searching agents can conduct without reasonable suspicion? Can the agents do anything as long as they do it manually? Or are they limited to only “reasonable” manual searches? And if the latter, what is the line between a “reasonable” manual search and an “unreasonable” manual search? Does the amount of time taken matter? The type of files viewed using the manual search?
2) Imagine the agents are conducting a manual search at the border and they come across password-protected files. They lack reasonable suspicion, and as a result they are not allowed to use forensic software to gain access to those password-protected files. But are they allowed to guess passwords to try to view the files? Imagine the electronic device is an iPhone that has a passcode lock on it. The agents guess the 4-digit code correctly — say, 1-2-3-4 — and they then view the information on the phone. Is that permitted without reasonable suspicion because it is still only a manual search? Or is that not permitted because password-protection usually blocks manual access?
3) Can law enforcement make an image of the hard drive and then mount the hard drive on a separate machine and then search it manually? The major reason investigators make images and search only the images is to maintain evidentiary integrity: Searching a computer can alter the evidence on it, so agents work off an image in order to retain the original as original. Are they still allowed to do that without reasonable suspicion? Or is making an image part of the “computer forensic examination” for purposes of the Fourth Amendment?
4) Can law enforcement run a forensic software program on the hard drive manually? Imagine a government agent has a thumb drive containing a copy of Recover Files, a freely available program that recovers deleted files from hard drives. Can the agent insert the thumb drive and run the program to see the deleted files on the hard drive? Is that a manual search or a forensic examination? And what if the user happens to have such a program pre-installed on the hard drive? If the program is pre-installed, does using it count as a manual search or a forensic examination?
I’d be very interested in reader responses based on their read of the opinion (or, this being the Internet, their personal sense of justice and goodness). Also, I’d be particularly interested in hearing from readers about how extensive a search can be conducted using just manual search techniques. Are there ways that agents can conduct highly invasive manual searches? I assume a manual search can’t get into the slack space, for example, but I would think it can still be quite invasive.
UPDATE: I have added a fourth question. And a comment from the commenter Jim Byrne prompts a fifth question:
If law enforcement come across a flash drive or other storage device not connected to a computer, can they connect the drive to a computer and manually look through its contents? Is connecting the flash drive to the computer and searching it a “manual search,” or is it using software to analyze the drive that requires reasonable suspicion?