This is an FBI investigative document from the Epstein Files collection (FBI VOL00009). The text was machine-extracted from the original PDF file.
FBI VOL00009
EFTA00227381
2265 pages
Page 941 / 2265
U.S. Department of Justice
Washington, D.C. 20530

Request for Financial Information
(Authorization, Purchase Order, Receiving Report)

T lora dal only be times alma .-.,.- ns facet' nen of imetirdieb awl partnalibips of Ave or feta iodividials.

1 Purchase Order NumberiDCNII: 11011.1961
2 Date Order Prepared: 08/02/2006
3 Case Number (Optional): FGJ 05.02(WPB) NO.051-02 (01.31-02)

Section A - Authorization and Purchase Order

4 Name and Address of Financial Institution: Attn.: Custodian of Records
5 Deliver To: Special Agent Federal Bureau of Investigation, 505 South Hagler Drive, Suite 500, Florida 33401, T
6 Horurn I /ale 08/1 8/2006
7 Remarks: FOR REIMBURSEMENT PLEASE RETURN THIS FORM THE RECORD OF SERVICES, AND A COPY OF THE SUBPOENA.
8 Name of Requestor (Print):
10 Date of request: 08/02/2006

Section B - Financial Institution Invoice

No Payment Shall 1k %lade Unless I.spanks Ate Itemized Below Or On Your torn To lic Arachct:

11 Service/Financial Records Provided: Quantity t n ; Pricc Amount Cott l'er

Please note that reimbursement cannot be made for the records pertaining to corporations or large partnerships of six or more.

IMPORTANT: The DCIA Mandates the use of EFT/DD. In order to receive payment complete the attached EFT enrollment Form.

0.25 Copy
11.00 Hour Clerical Tech
17.00 Hour Manager or Supervisor

p9 aa4 pncecd with eitaitolinet If cost will faced 5300 without prior approval of Assistant U.S. Attorney/Budget Officer.

PLEASE REFERENCE THE ABOVE DCVO ON YOUR INVOICE FOR PAYMENT.

12a Signature of Financial Institution Official:
12b Phone of Financial Institution Official:
13 Date Signed:
Total Amount Claimed By Financial Institution

Section C - Receiving Report

16 Disallowance (See Attached)
14 I certify that the articles and services listed were received
18 Right to Financial Privacy Act - Public Law 95-630 (12 U.S.C. 3401-3422)

Request Pursuant To: (Check One Chu')

SECTION / OBJECT CLASS
O 3404 Customer Authorization 2540
O 3405 Administrative Subpoena or Summons 2541
o 3406 Search Warrant 2540
O 3407 Judicial Subpoena 2540
Ei 3408 Formal Written Request 2540
O 3413 I Grand Jury Subpoena 2545
O 3414 Special Procedures 2540

19 Signature of Approval OfGaai -ie-oceeeenta,fielmorg+,Nee----- ry PROJ
21 Schedule and Voucher Number Dal
2.2 tomuits
I5 Dale Recast:2J
17 Net to Financial Institution
O Funds Available Date I
Budget Officer I

FoniiOBD21 I APR Sa P-00043Q1c0
I wit clormicuranY produced by Elie Fetal Form Inc.
Case No. 08-80736-CV-MARRA
EFTA00228321
Page 942 / 2265
GENERAL

This is a multi-purpose form designed to serve as an Authorization, Purchase Order, Itemized Invoice, Receiving Report and Payment Voucher in conjunction with "requests for financial information," pursuant to the Right to Financial Privacy Act of 1978, P.L. 95-630, Title XI, 12 U.S.C. 3415.

NOTE: Payments under this purchase order will be due on the 30th calendar day after the date of actual receipt of a proper invoice in the office designated to receive the invoice. The Prompt Payment Act, Public Law 97-177, 96 Stat. 85 (31 U.S.C. 180), is applicable to payments under this purchase order and requires the payment to contractors of interest on overdue payments and improperly taken discounts. Determination of interest due will be made in accordance with the provision of the Prompt Payment Act and the Office of Management and Budget Circular A-125.

PREPARATION INSTRUCTIONS

ITEM 1 - A Purchase Order Number will be preprinted on each form. This number will be used for reference purposes on any correspondence relating to this specific request for financial information.

ITEM 2 - Self-explanatory.

ITEM 3 - This block may be used to identify the specific case for which the financial information is required. This block may be left blank.

SECTION A - AUTHORIZATION AND PURCHASE ORDER (To be completed by the requesting official).

ITEM 4 - Enter the name and mailing address of the financial institution being requested to furnish financial information.

ITEM 5 - Enter the name and address to which the financial information is to be sent by the financial institution. This will normally be the name and the address of the requesting official.

ITEM 6 - Enter the date the financial information is required.

ITEM 7 - Include, if appropriate, any pertinent information related to the purchase order not provided for elsewhere on the form.

ITEM 8, 9 and 10 - Self-explanatory.

SECTION B - FINANCIAL INSTITUTION INVOICE (To be completed by the financial institution).

ITEM 11 - Self-explanatory. Completion of this block constitutes an itemized bill or invoice for reimbursement for the costs incurred in providing the information requested. The DCIA Mandates the use of EFT/DD. In order to receive payment complete the attached EFT enrollment Form.

ITEM 12 and 13 - Self-explanatory.

SECTION C - RECEIVING REPORT (To be completed by the requesting official, when the requested financial information has been delivered).

ITEM 14 and 15 - Self-explanatory.

ITEM 16 - This block should be used to reflect any differences between the amount claimed by the financial institution and the correct amount to be reimbursed. Differences may result from computation errors, or failure of the financial institution to deliver information requested.

ITEM 17 - Enter the amount certified to be proper for payment.

ITEM 18 - Check the box which identifies the appropriate procedure authorized by the Act, which necessitates the request for financial information.

ITEM 19 and 20 - These blocks must be signed and dated by an official of the organization whose funds will be charged. His or her signature constitutes a statement that the records to which the invoice refers were required for official business and were provided by the financial institution in accordance with the ordering instrument.

ITEM 21 - The Schedule and Voucher Number will be entered by the office which actually schedules the approved amount for payment by the Treasury Department.

ITEM 22 - Enter, if appropriate, any data not provided for elsewhere on the receiving report, such as reasons for any claim amounts disallowed.

FORM OBD-211 APR 44 Page 2 of 3
Case No. 08-80736-CV-MARRA
P-000942
EFTA00228322
Page 943 / 2265
VENDOR ELECTRONIC FUNDS TRANSFER (EFT) ENROLLMENT FORM

Please comply to this information if you have not done so already

PAYEE/COMPANY INFORMATION:
Vendor Company Name:
Address:
Taxpayer ID Number
Contact Person Name
Telephone Number
Email Address (If you would like to be notified via e-mail)

FINANCIAL INSTITUTION INFORMATION:
Bank Name
Bank Address
Bank Phone Number
Nine Digit ABA Routing Transit Number
Type of Account (Checking or Saving)
Depositor Account Number

Signature of Vendor's Authorizing Official
Name & Title of Authorizing Official

Please Return or Fax to:
U.S. Attorney's Office
Southern District of Florida
99 NE 4 street, Suite 200
Miami, FL. 33132
Attention:
Fax Number

The Debt Collection Improvement Act of 1996 requires that payments made by the Federal government, including vendor payments, must be made by electronic funds transfer (EFT). A benefit of receiving payments by EFT is that your funds are directly deposited to your account at a financial institution and are available to you on the date of payment. If you have questions regarding the delivery of the remittance information, please contact the financial institution where your account is held. If you have any questions on the completion of this form, please contac

FORM OBD-211 MIL U Page 3 of 3
Case No. 08-80736-CV-MARRA
P-000943
EFTA00228323
Page 944 / 2265
Case No. 08-80736-CV-MARRA 0003 P490614411 EFTA00228324
Page 945 / 2265
Case No. 08-80736-CV-MARRA P-090*Itil EFTA00228325
Page 946 / 2265
ON ON 0 9 C. Rem “6/512iti/-00000! Fort WHUCK VAX &'UWCIVER PROV1 OT 100582 8175241700 WWNORIA, HUCKABY JR SKI' Id: thist dox: Ref 1. Ref Actual. U Target. inat SSF01220565-00006 IF NRM D NEXT 446144592 PROV1 WAS 2sH8819250201 380 S. AR NGT -AR-01-1-20-0018-L-08-13 SA 200RAHK 03LZELLEN -I13:19/46/h 08/30/2006 6.20 AM CDT TEMP FILE DUP DAY 08/31/2006 5$00pM CDT DQ 66758887-000007 For. WHUCK N MUTUAL 0100394177 LLINS TX 76014 100 2 446144592 AR SSF01220565-00006 Return To IRON MOUNTAIN Personal Invitation I want my Visa Gold card quickly! I have read and agree to the Terms and Conditions on the reverse side of the letter. Social Security Number VISA GOLD Up to $3,000 credit No Savings Deposit YerlykaameioldIncom Do you haves ette afr.- 1 nYei Bane S UN° Would you like your card sent by Express Mail after processing? El Yes I N° A I be billed to your first sta nt C981-5922-5428-9CS-P3981SN-DOIF VISA 1 1 Place sticker here NOV: alUli Fill out and moil this invitation or call 1-800-665-7232 Offer expires: November 23, 2001) Please cared i common below tt necessary. Customer Os 981-5922-5428-9-F100 Product S. 3981514 -CE von Case No. 08-80736-CV-MARRA Sig old) EFTA00228326
Page 947 / 2265
Case No. 08-80736-CV-MARRA PANNE I EFTA00228327
Page 948 / 2265
Case No. 08-80736-CV-MARRA P-000948 EFTA00228328
Page 949 / 2265
Attorney-client privileged material
Law enforcement sensitive

Issue 1: The quantum of seizure of electronic evidence

We have been asked to address a basic question in computer forensic examination regarding the quantum of seizure of electronic evidence: if information within a computer file falls within the scope of the warrant, are agents justified in seizing the entire disk, or only the file, or may they seize some intermediate quantum of data, such as the smallest folder containing the file?

The resolution of this question is relatively straightforward when the computer is contraband or an instrumentality: seizure of the entire computer is then permissible. However, when the computer serves as a storage container for evidence, most courts have treated the file as the basic quantum of seizure. Despite this distinction, most courts will allow the blanket seizure of entire computer storage media (hard drive, removable disk, server) for subsequent forensic examination to determine which data on the media is subject to the warrant.

While there are limits to analogizing computer searches to physical searches, and applying the law of physical searches to computer searches, we believe that if the warrant describes with particularity what information is being sought, the government has wide discretion in the use of computer forensics tools to search for evidence of a crime on electronic media, so long as the process is reasonable. So long as the process is reasonable and the warrant language does not preclude it, such a search may commonly include conducting a full physical and logical review of all seized media for evidence of a crime described in the warrant. Such a review will involve not only "files" which are located on the computer, but logs, directories, file fragments, and other data that will allow the examiner to find hidden data, reconstruct deleted files, and identify other files which are "linked" to files found in the examination. Furthermore, pursuant to a properly worded warrant, forensic examiners should be allowed to review log records and meta data in order to determine ownership and control of the data on the computer, including who was sitting at the keyboard at the time the files were created, accessed, modified, transmitted or printed. We believe that this process, which is accomplished by a combination of automated review by forensic software and manual review by the forensic examiner, is consistent with the "brief perusal" of files in a file cabinet in a physical search.

A. General considerations

As an initial matter, it is worth noting that the propriety of removing an entire computer for off-site search is not in question. Courts have long accepted that large quantities of paper documents may be carried off-site for subsequent search. See United States v. Santarelli, 778 F.2d 609 (11th Cir. 1985) (holding that agents acted reasonably when they removed documents for examination at another location where search of all documents for evidence falling within scope of warrant would have taken days); United States v. Hargus, 128 F.3d 1358, 1363 (10th Cir. 1997) (upholding seizure of an entire file cabinet when such seizure was motivated by the impracticability of on-site sorting). Courts have applied this same rule to computers. See, e.g., United States v. Hill, No. 05-50219, 2006 WL 2328721 (9th Cir. Aug. 11, 2006) (blanket seizure of all computer

Case No. 08-80736-CV-MARRA
P-000949
EFTA00228329
Page 950 / 2265
Attorney-client privileged material
Law enforcement sensitive

media for offsite forensic analysis is appropriate when grounds for off-site analysis are set forth in the warrant).

The fact that computers may be carried off-site for search does not obviate the need for the subsequent search, nor does it imply that the entire disk (or other storage medium) is the appropriate quantum for the subsequent seizure. In fact, the opposite is true — cases approving off-site search have implicitly or explicitly required that the off-site search be directed towards finding particular files which fall within the scope of the warrant. For example, the Sixth Circuit in Guest v. Leis, 255 F.3d 325 (6th Cir. 2001), held:

In the instant cases, when the seizures occurred, [investigators] were unable to separate relevant files from unrelated files, so they took the computers to be able to sort out the documents off-site. Because of the technical difficulties of conducting a computer search in a suspect's home, the seizure of the computers, including their content, was reasonable in these cases to allow police to locate the offending files.

Id. at 335 (emphasis added). Thus, the court in Guest understood that the ultimate focus of the search is "the offending files," not disks containing some offending files. It should be noted that in computer forensics the term "file" has a broad scope and includes but is not limited to data files, log files, program files, text files, and directory files.

A similar focus on files as the quantum of seizure can be found in a wide range of cases. For example, in United States v. Gray, 78 F. Supp. 2d 524, 529 (E.D. Va. 1999), the court held that investigators were "entitled to examine all of the defendant's files to determine whether they contained items that fell within the scope of the warrant." The court's analysis presupposes that the file is the appropriate quantum of search. This conclusion is bolstered by the court's use of the plain view doctrine (rather than the notion that an entire disk was the appropriate quantum of seizure) in approving the seizure of files containing evidence of crime that fell outside the scope of the warrant.

In two cases in which child porn was found pursuant to a warrant to search for drug records, the Tenth Circuit has also held that individual files are the appropriate quantum of seizure. In United States v. Carey, 172 F.3d 1268, 1273-75 (10th Cir. 1999), the court ruled that an agent exceeded the scope of a warrant to search for evidence of drug sales when he "abandoned that search" and instead searched for evidence of child pornography. The court mandated a file-based approach to computer searches:

Where officers come across relevant documents so intermingled with irrelevant documents that they cannot feasibly be sorted at the site, the officers may seal or hold the documents pending approval by a magistrate of the conditions and limitations on a further search through the documents. The magistrate should then require officers to specify in a warrant which type of files are sought.

2
Case No. 08-80736-CV-MARRA
P-000950
EFTA00228330
Page 951 / 2265
Attorney-client privileged material
Law enforcement sensitive

Id. at 1275 (internal citations omitted and emphasis added). The file-based approach was confirmed in United States v. Walser, 275 F.3d 981, 986 (10th Cir. 2001), in which the court explained:

The underlying premise in Carey is that officers conducting searches (and the magistrates issuing warrants for those searches) cannot simply conduct a sweeping, comprehensive search of a computer's hard drive. Because computers can hold so much information touching on many different areas of a person's life, there is a greater potential for the "intermingling" of documents and a consequent invasion of privacy when police execute a search for evidence on a computer.

The court concluded that officers must "conduct the search in a way that avoids searching files of types not identified in the warrant." Id. Based on Carey and Walser, it is quite clear that the Tenth Circuit considers a file to be the appropriate quantum of seizure in search warrants for records.¹ This file-based approach is also being emphasized by some magistrates. See In re Search of 3817 W. West End, 321 F. Supp. 2d 953, 958 (N.D. Ill. 2004) (noting "the substantial likelihood that the computer contains an 'intermingling' of documents evidencing the alleged tax fraud, with documents that the government has no probable cause to seize"). For example, one magistrate recently began to require returns to list specific computer files seized pursuant to the warrant. In our opinion, this is both unwise and impractical when a potential seizure could involve hundreds of thousands of files.

It might be objected that a file-based approach to computer seizure conflicts with the rules for seizure of ledgers. When a ledger contains some information that falls within a scope of the warrant, law enforcement may seize the entire ledger, rather than individual responsive pages. See United States v. Beusch, 596 F.2d 871, 876-77 (9th Cir. 1979). The best authority for this argument comes from outside of the search warrant context, where there are cases suggesting that a folder or entire disk should be treated as a single container for Fourth Amendment purposes. In United States v. Runyan, 275 F.3d 449, 464-65 (5th Cir. 2001), in which private parties had searched certain files and found child pornography, the Fifth Circuit held that the police did not exceed the scope of the private search when they examined additional files on any disk that had been, in part, privately searched. Analogizing a disk to a closed container, the court explained that "police do not exceed the private search when they examine more items within a closed container than did the private searchers." Id. at 464. In a subsequent case, the Fifth Circuit held that when a warrantless search of a portion of a computer and zip disk had

¹ It should be noted that neither Carey nor Walser involved a true forensic examination of the computer. In both cases, the investigator looked at files on the computer, using the software on the computer that was normally used to examine the files. Neither case involved a true forensic examination which involves a complete physical and logical examination of the entire hard drive. This examination is accomplished by both automated (computer software) and manual means.

3
Case No. 08-80736-CV-MARRA
P-000951
EFTA00228331
Page 952 / 2265
Attorney-client privileged material
Law enforcement sensitive

been justified under O'Connor v. Ortega, the defendant no longer retained any reasonable expectation of privacy in the remaining contents of the computer and disk, and thus a comprehensive search by law enforcement personnel did not violate the Fourth Amendment. See United States v. Slanina, 283 F.3d 670, 680 (5th Cir.), vacated on other grounds, 537 U.S. 802 (2002), aff'd, 359 F.3d 356, 358 (5th Cir. 2004); see also New York v. Emerson, 766 N.Y.S.2d 482, 488 (N.Y. Sup. Ct. 2003) (adopting intermediate position of treating folders rather than individual files as closed containers).

Thus far, no other federal courts have adopted the Fifth Circuit's approach. In addition, it is not clear that the "container size" for purposes of determining the scope of a reasonable expectation of privacy is equivalent to the quantum of seizure in search warrant cases. Given the central importance of the particularity clause in evaluating the constitutionality of warrant based searches, it seems unlikely that courts would tend to adopt the approach of Runyan and Slanina in search warrant cases and there is a significant litigation risk in relying on these cases alone.

B. Applying the file-based rule to unallocated space, directories, and linked data

The unallocated space of a computer, which can contain deleted and hidden files relevant to the warrant, can be reviewed, assuming it is reasonable under the circumstances and assuming that the warrant does not restrict the search. If the forensic process identifies fragments of non-logical-file material on the media and renders them into intelligible data which can now be examined, then this forensic process should be treated as a "brief perusal." This would include identifying the data on the computer and using automated and manual processes to reconstruct the data so that it can be read and understood.

Under a file-based approach, the basic question that must be answered for each file during forensic analysis is whether the file falls within the scope of the warrant, as a file is subject to seizure if and only if it falls within the scope of some provision in the warrant. Pursuant to this principle, it should generally be permissible (pursuant to a well-drafted warrant) to seize, examine, or reconstruct the directory tree and File Allocation Table of a computer in order to identify and reconstruct other seizable files that are stored on the computer. For example, assuming a typical search warrant authorizes seizure of records related to a particular crime, law enforcement can characterize a directory tree as a file containing information about whether such files exist and where they are stored on the computer, thereby making it subject to search and seizure under the warrant.

This principle applies to any other file that is linked in some manner to other information falling within the scope of the warrant: in such cases, the agent or forensic analyst must be allowed to examine the linked file in order to determine whether the linked file falls within some provision of the warrant. For example, if an e-mail with an attachment is within the scope of the warrant, the attachment can also be reviewed. Following a brief perusal of the linked file, it can be seized if it is subject to the warrant.

4
Case No. 08-80736-CV-MARRA
P-000952
EFTA00228332
Page 953 / 2265
Attorney-client privileged material
Law enforcement sensitive

C. Files demonstrating ownership and control of the computer or files on the computer

In general, a properly worded warrant should authorize a complete search of the computer to identify not only relevant files on the computer that are evidence of a crime, but any other evidence, such as meta data and print spool information, that might establish the identity of the person at the keyboard at the time the files subject to seizure were created, opened or modified. Since computers can be located in common areas or be otherwise subject to joint or remote access, it is often important to determine who created or used the files that are subject to the warrant. Forensically, this may involve a thorough examination of numerous programs and logs on the computer to determine who was at the keyboard. For example, in a child pornography case, where possession of a file is an essential element of the crime, a forensic examination of Internet access logs on the computer may assist in determining which of multiple users was logged on to the Internet at the time the child pornography image was downloaded or viewed on the computer. Establishing who hit the "Enter" key is therefore within the quantum of information to be searched and seized, and should be set forth in the warrant.

Evidence of ownership and control of a computer or data may not be easily recognizable or quickly found. Courts are increasingly recognizing that computer data relevant to a warrant can be easily hidden, and may require an in depth forensic review. See, e.g., United States v. Adjani, 452 F.3d 1140 (9th Cir. 2006) (computer files are easy to disguise or misname). Furthermore, courts are increasingly recognizing that computer forensics is as much art as science. See United States v. Brooks, 427 F.3d 1246 (10th Cir. 2005). Thus, warrant applications for computer data seeking ownership and control evidence should be drafted in a manner that includes such information within the scope of the warrant.

We have also been asked whether "ownership and control" provisions in computer search warrants should be phrased in "if/then" form. For example, a warrant could provide that if child pornography is found on the computer, then agents will also seize ownership and control information found on the computer. Such "if/then" language is unnecessary, as it is not used in non-computer search warrant "ownership and control" provisions. In addition, it would be unwise to suggest to magistrates that computer search warrants can be based on if/then or other conditions. Such provisions could suggest to the magistrates additional mechanisms for micromanaging the execution of search warrants.

In the non-computer context, search warrants often seek items demonstrating ownership and control of relevant physical items or locations. For example, one of the categories of information sought in Walser was "records that show or tend to show ownership or control of the premises and other property used to facilitate the distribution and delivery [of] controlled substances." Walser, 275 F.3d at 984. Courts generally have approved seizure of such items, particularly in cases where questions of ownership and control are likely to be disputed. See, e.g., United States v. Horn, 187 F.3d 781, 787-88 (8th Cir. 1999) (approving in child porn case a warrant provision authorizing seizure of "[r]ecords, documents, receipts, keys, or other objects showing access to, and control of,

5
Case No. 08-80736-CV-MARRA
P-000953
EFTA00228333
Page 954 / 2265
Attorney-client privileged material
Law enforcement sensitive

the residence"); United States v. Whitten, 706 F.2d 1000, 1008-09 (9th Cir. 1983) (approving in drug case warrant for "telephone books, diaries, photographs, utility bills, telephone bills, and any other papers indicating the ownership or occupancy of said residence"); United States v. Reed, 726 F.2d 339, 342 (7th Cir. 1984) (approving warrant provision in drug case for "proof of residency").

D. Examination of all files in disk in search under warrant

Even though there is consensus that the file is the basic quantum of seizure, the basic rules of search warrant suggest that it should be reasonable to examine each file in a computer to see if it falls within the scope of the warrant. Most, but not all, courts have adopted this approach. In general, "[a] container that may conceal the object of a search authorized by a warrant may be opened immediately; the individual's interest in privacy must give way to the magistrate's official determination of probable cause." United States v. Ross, 456 U.S. 798, 823 (1982). In most circumstances, evidence that falls within the scope of a warrant to search a computer may be stored in any file on the computer, including hidden and deleted files. Moreover, to determine whether a computer file contains evidence that falls within the scope of a warrant, there is no substitute for taking a look at the file. See, e.g., United States v. Upham, 168 F.3d 532, 536 (1st Cir. 1999). Thus, it should be generally permissible to look at all files on a computer to determine whether each falls within the scope of a warrant.

Examination of all files stored on a computer was approved by the court in United States v. Gray, 78 F. Supp. 2d 524 (E.D. Va. 1999). The court noted that "documents, unlike illegal drugs or other contraband, may not appear incriminating on their face. As a result, in any search for records or documents, innocuous records must be examined to determine whether they fall into the category of those papers covered by the search warrant." Id. at 528 (citation and internal quotations omitted). The court in Gray further explained that "agents authorized by warrant to search a home or office for documents containing certain specific information are entitled to examine all files located at the site to look for the specified information." Id. This principle applied to computers as well, such that law enforcement "was entitled to examine all of defendant's [computer] files to determine whether they contained items that fell within the scope of the warrant." Id. at 529. In doing so, law enforcement was entitled to seize evidence of additional criminal activity under the plain view doctrine. Id. at 528.

Prior to the commencement of a search of a computer, agents cannot know with certainty that computer files are accurately labeled, and the Fourth Amendment does not prohibit agents from looking anywhere that may reasonably contain information that falls within the scope of the warrant. As long as the warrant describes with particularity what evidence is being sought, a complete forensic examination of the computer should be authorized to find this evidence through whatever forensic methods are required. Since a properly conducted forensic examination will frequently entail a cursory physical and logical review of all otherwise unidentified data on the computer for evidence of the

6
Case No. 08-80736-CV-MARRA
P-000954
EFTA00228334
Page 955 / 2265
Attorney-client privileged material
Law enforcement sensitive
crime set forth in the warrant, nothing in the warrant should restrict such a scope of
review. Furthermore, as recently noted by the Ninth Circuit in United States v. Hill, No.
05-50219, 2006 WL 2328721 (9th Cir. Aug. 11, 2006), if properly justified in the
warrant, computer media may be seized in bulk for subsequent, thorough off-site forensic
analysis.
However, this review is not unlimited. In a case that predates widespread
personal computers and Internet usage, the Supreme Court said that a search of "a
person's papers" poses "[s]imilar dangers" to "executing a warrant for the 'seizure' of
telephone conversations," because both searches involve the initial examination, "at least
cursorily," of evidence in order to determine whether the warrant authorizes its seizure.
The Court warned that "[i]n both kinds of searches, responsible officials, including
judicial officials, must take care to assure that they are conducted in a manner that
minimizes unwarranted intrusions upon privacy." Andresen v. Maryland, 427 U.S. 463,
482 n.11 (1976). Courts have therefore sought to limit the intensity of agents' review of
potentially nonresponsive documents. Courts impose this limit partly by limiting the
amount of time for the review. The leading case is United States v. Heldt, which allows
only a "brief perusal" of each document, and requires that "the perusal must cease at the
point of which the warrant's inapplicability to each document is clear." United States v.
Heldt, 668 F.2d 1238, 1267 (D.C. Cir. 1982); see also United States v. Rude, 88 F.3d
1538, 1552 (9th Cir. 1996); United States v. Slocum, 708 F.2d 587, 604 (11th Cir. 1983);
United States v. Ochs, 595 F.2d 1247, 1258 (2d Cir. 1979) ("some perusal, generally
fairly brief"). If a document falls outside the warrant but nonetheless is incriminating,
Heldt allows that document's "seizure" only if during that brief perusal the document's
"otherwise incriminating character becomes obvious." 668 F.2d at 1267.
Heldt and Andresen do not address computers, and their guidance of "brief
perusal" and "minimization of invasions of privacy" to a complete physical and logical
forensic examination of a computer may not always fit. Because part of the computer
forensic review process is automated, we believe that a largely automated but thorough
forensic examination of a computer that contains hundreds of thousands if not millions of
files meets this requirement if the warrant describes with particularity the evidence that is
being sought, and the search is confined to the evidence set forth in the warrant.
Nevertheless, in light of Carey, a prudent approach by law enforcement is to proceed with
a review of all files in a computer, but stop and seek a second warrant when evidence of
another unrelated crime is discovered, and an additional search for evidence of this crime
is now envisioned.
E. Forfeiture, Instrumentalities, and Contraband
We have also been asked to address whether the quantum of seizure of electronic
evidence, or the scope of search of such evidence, would be affected by a number of
factors: the legal forfeiture of the media to the government; the seizure of the media as
an instrumentality of a crime; or the media's status as contraband. In general, the
government's authority to search electronic media is significantly expanded when its
original owner has lost any reasonable expectation of privacy because title has shifted to
Case No. 08-80736-CV-MARRA
P-000955
EFTA00228335
Attorney-client privileged material
Law enforcement sensitive
the government through forfeiture, or because the former owner has no reasonable expectation of privacy in electronic media that is contraband.
If computer equipment has been forfeited and is in the possession of law enforcement, the Fourth Amendment does not prohibit law enforcement from searching data contained in that equipment without a warrant. In automobile forfeiture cases, courts have held that "where police have probable cause to believe a car is subject to forfeiture, or have validly seized a car for forfeiture, the police may search the car without a warrant." United States v. Pace, 898 F.2d 1218, 1245 (7th Cir. 1990) (citing numerous cases). For example, in United States v. Zaicek, 519 F.2d 412 (2d Cir. 1975), a defendant's car was seized by state police pursuant to a forfeiture statute that allowed seizure "when there is good reason to believe that [the car] has been stolen." Id. at 414. After seizure, police searched the car and found evidence of an unrelated crime—the theft of mail—located in an attaché case in the car's locked trunk. The Second Circuit reversed the district court's suppression of the evidence, holding that "once the police have properly seized a car pursuant to a statute because they have reasonable grounds for believing it has been stolen, they have the authority to search the car without a warrant." See also United States v. Gaskin, 364 F.3d 438, 458 (2d Cir. 2004) (reaffirming Zaicek).
Nothing in these cases limits their application to seized automobiles. Indeed, in Zaicek the Court let stand the district court's finding that neither the inventory search nor the search-incident-to-arrest exceptions applied, 519 F.2d at 413, and in Gaskin the court explicitly held that the "forfeiture exception" independently justified the search (in addition to the automobile exception), 364 F.3d at 458.
Consequently, when a forfeiture statute gives law enforcement a possessory interest in computer equipment that is greater than the defendant's interest and the computer is seized and in law enforcement possession, we believe the Fourth Amendment does not require a warrant to search data stored in the computer equipment for any reason.
Despite this supportive case law, dicta in one Tenth Circuit decision involving a computer forfeiture contradicts this conclusion. In Davis v. Gracey, 111 F.3d 1472 (10th Cir. 1997), law enforcement seized, pursuant to a warrant, computer equipment being used to operate a bulletin board system that disseminated obscene material. Id. at 1479. Law enforcement also obtained civil forfeiture of the equipment. Id. at 1476. The seized and forfeited equipment incidentally contained e-mail and material that plaintiffs claimed was protected by the Privacy Protection Act. The Tenth Circuit affirmed a grant of summary judgment to defendants in a subsequent lawsuit arising from the search, because "the computer equipment was more than merely a 'container' for the files; it was an instrumentality of the crime." Id. at 1480. The Davis court concluded that it could "find no legal or practical basis for requiring officers to avoid seizing a computer's contents in order to preserve the legality of the seizure of the computer hardware;" thus, "[t]he seizure of a container is not invalidated by the probability that some part of its 'innocent' contents will be temporarily detained without independent probable cause." Id. at 1480-81.
However, going beyond the facts before it, the court in Davis did not give law enforcement a green light to search all files stored on a computer seized as an instrumentality. The court cautioned that "our conclusion that the seizure of the computer equipment pursuant to a warrant here allowed the incidental seizure of files stored therein should not be read as approval of any subsequent efforts by the police to search or retain the stored files without a warrant." Id. at 1481. This cautionary warning is odd: it implies that law enforcement can be justified in seizing an entire computer as an instrumentality, and can obtain title to the equipment through a civil forfeiture proceeding, but that the forfeited computers' original owner would still retain some reasonable expectation of privacy in the computer's contents. Davis did not have to address this issue, as there was no evidence in Davis that the files on the computer had been examined by law enforcement. See id. at 1481 n.6. Nevertheless, it suggests that there may be some litigation risk in relying solely on computer forfeiture to justify a full review of information stored on the computer.
F. Law enforcement data-mining of previously seized and imaged data
As set forth in more detail below in Issue 2. B., the dissipation of probable cause also poses constitutional obstacles to using seized data as part of a data-mining system for review after the criminal investigation involving the seized data is complete. (We use the term "data-mining" generally to refer to computerized searches through multiple collections of data to extract implicit, previously unknown information or patterns). Although there may no longer be a reasonable expectation of privacy in particular files that were determined to fall within the scope of the initial search, the same cannot be said for entire seized hard drives.
To data-mine a large set of seized data, agents must have a warrant supported by probable cause (or an exception to the warrant requirement) that covers all of the data that is to be mined. A warrant that authorizes searching a drive for specified information does not support copying the entire image into a database for unrestricted future use. Moreover, data mining is never appropriate if there is no longer probable cause to believe a particular drive contains contraband or evidence of a crime.
Issue 2: Time limits on forensic review of computers
We have been asked to address whether the Fourth Amendment or Rule 41 of the Federal Rules of Criminal Procedure places any limit on the time frame in which a forensic analysis of a seized computer must be completed. In general, we believe that neither the Fourth Amendment nor Rule 41 places any specific time limit upon the completion of forensic analysis, as long as that analysis has been completed in a "reasonable" time frame. Generally, magistrate-imposed time limits or methodologies for forensic analysis are unsupported by law and should be opposed.
A. Constitutional requirements for forensic review
When searching for digital evidence that falls within the scope of a warrant,
investigators often seize computer data (either by seizing computers or imaging hard
drives) when they execute search warrants. As part of the forensic review process, they
later cull through that data to identify a smaller set of data that falls within the scope of a
warrant.
Courts have frequently characterized this culling through a set of data as a search.
For example, United States v. Syphers, 426 F.3d 461, 468 (1st Cir. 2005), and Triumph
Capital, 211 F.R.D. at 66, both referred to a review of data on a seized computer as a
"search." Similarly, Commonwealth v. Ellis, a landmark state decision often cited in
federal opinions, referred to a reviewer's techniques as "search mechanisms" and
referred to his activities as a "search." Commonwealth v. Ellis, 10 Mass. L. Rptr.
429, 1999 WL 815818 at *10 (Mass. Super. 1999) ("[f]or most of the search, he worked
alone"). However, not all examinations of data are Fourth Amendment searches. Once a
file has been found to fall within the scope of a warrant, subsequent forensic examination
of that file is not a search. Cf. State v. Petrone, 468 N.W.2d 676, 681 (Wis. 1991)
(holding that seizing undeveloped film during a search and then later developing the film
did not violate the Fourth Amendment because it was the use of "technological aids... to
assist [law enforcement] in determining whether items within the scope of the warrant
were in fact evidence of the crime alleged."); United States v. Maali, 346 F.Supp.2d
1226, 1263 (M.D. Fla. 2004) (holding that foreign-language documents that appeared to
be responsive to the warrant could appropriately be seized for off-site translation "to
verify their responsiveness to the warrants.").
When a review of seized data is a search, it is subject to the requirements of the
Fourth Amendment. Either a warrant or an exception to the warrant requirement must
support the search.2 Thus, even if a warrant satisfied the basic criteria of probable cause
and particularity at the time of the initial search, any subsequent forensic analysis of the
seized computer or image must continue to satisfy those constitutional requirements
throughout the review.
2 A new warrant is not required, even for forensic efforts, to recover hidden data or to decrypt data. "A
defendant's attempt to secrete evidence of a crime is not synonymous with a legally cognizable expectation
of privacy." Commonwealth v. Copenhefer, 587 A.2d 1353, 1356 (Pa. 1991); see Orin S. Kerr, The Fourth
Amendment In Cyberspace: Can Encryption Create A "Reasonable Expectation Of Privacy?", 33 Conn. L.
Rev. 503, 513 (2001). In Copenhefer the Pennsylvania Supreme Court held that the FBI's forensic efforts
to recover "deleted" files from a hard drive did not require a second warrant, because the defendant's
computer "was validly seized pursuant to a warrant." Id. See also United States v. Upham, 168 F.3d 532,
537 (1st Cir. 1999) ("recovery [by law enforcement of unlawful images] after attempted destruction, is no
different than decoding a coded message lawfully seized or pasting together scraps of a torn-up ransom
note.").
B. Timing and dissipation of probable cause
On their face, neither the Fourth Amendment nor Rule 41 places explicit limits on
the duration of any of these steps, so long as investigators obtain the data during the ten-day
period required by Rule 41. See United States v. Hernandez, 183 F. Supp.2d 468,
480 (D.P.R. 2002); United States v. Habershaw, 2001 WL 1867803, at *8 (D. Mass.
May 13, 2001); United States v. Triumph Capital Group, Inc., 211 F.R.D. 31, 66 (D.
Conn. 2002); cf. United States v. New York Tel. Co., 434 U.S. 159, 169 n.16 (1977)
(applying Fourth Amendment standards to pen registers before the enactment of the pen
register act, holding that "the requirement ... that the search be conducted within 10 days
of its issuance does not mean that the duration of a pen register surveillance may not
exceed 10 days").
Case law does not provide a clear rule on when a delay in review would violate
the Fourth Amendment or Rule 41. Although "the Fourth Amendment itself 'contains no
requirements about when the search or seizure is to occur or the duration,'" Syphers, 426
F.3d at 469, quoting United States v. Gerber, 994 F.2d 1556, 1559-60 (11th Cir. 1993),
"unreasonable delay in the execution of a warrant that results in the lapse of probable
cause will invalidate a warrant," id., quoting United States v. Marin-Buitrago, 734 F.2d
889, 894 (2d Cir. 1984). Thus, even if a warrant clearly supported the initial seizure of a
computer, the probable cause showing supporting that warrant must remain valid
throughout the forensic review of that hard drive or data. The Fourth Amendment
therefore may constrain the government's ability to delay its initial forensic review or to
resume forensic review after a period of inaction.
Many courts treat the dissipation of probable cause as the chief measure of the
"reasonableness" of a search's length under the Fourth Amendment. For example, the
court in Ellis, 1999 WL 815818 at *10, stated that "the test of whether the time within
which a search warrant was executed was reasonable revolves around the question of
whether there continued to be probable cause for the search, or whether probable cause
had dissipated."
Typically, the government satisfies this requirement even if its review begins
months after investigators acquire a computer or data, or if there was a break in the
search's continuity. If there was probable cause to believe a hard drive contained
contraband or evidence of a crime when agents acquired it, then there will often continue
to be probable cause to believe the hard drive (or a copy of it) contains that contraband or
evidence of the crime at any point in the future. As the Ellis court put it, "the evidence
was frozen in time" when it was copied to media owned by the investigators, and "[f]or
that reason, probable cause continued to exist and allowed continual review of the stored
information." Id. See also United States v. Syphers, 296 F. Supp.2d 50, 58 (D.N.H.
2003) ("just as probable cause existed to support a search of the CPU when the warrant
issued ..., probable cause also existed to support the search at any time during [the period
specified in a warrant extension for forensic review], because the CPU was under the
exclusive control of the police during that period."), aff'd on other grounds, 426 F.3d
461, 469 (1st Cir. 2005).
Similarly, in In the Matter of the Search of Scranton Housing Authority, 436 F.
Supp. 2d 714 (E.D. Pa. 2006) the court ruled that by forensically imaging a computer, the
evidence was "frozen in time" and that a forensic analysis six months after the seizure of the image was appropriate. The court ruled that in order to successfully challenge the search, the owner of the property would have to establish that probable cause no longer existed and that prejudice had been suffered. Finally, the court held that neither the Fourth Amendment nor Rule 41 imposed any time limit for the completion of a forensic analysis.
C. Specific limitations in the warrant language
In a few cases, warrant language has been held to limit the time for review. One court held suppression was appropriate because the government failed to comply with time limits for reviewing seized computers when those time limits were required by the warrant. See United States v. Brunette, 76 F. Supp.2d 30, 42 (D. Maine 1999), aff'd, 256 F.3d 14 (1st Cir. 2001).
Generally, time limits on computer forensic examinations set by issuing magistrates are not supported by law and should be opposed. Similarly, because neither the Fourth Amendment nor Rule 41 requires a specific computer search methodology to be used in forensic analysis, attempts by magistrates to require that such a methodology be set forth in the warrant should also be opposed. See United States v. Hill, No. 05-50219, 2006 WL 2328721 (9th Cir. Aug. 11, 2006); United States v. Brooks, 427 F.3d 1246 (10th Cir. 2005).
However, warrant language can justify a lengthy, or long-delayed, review. No warrant can authorize an "unreasonable" time to conduct a search, United States v. Grimmett, 2004 WL 3171788, *5 (D. Kan. 2004), yet when a lengthy review will be necessary, a magistrate's advance approval of that procedure (either in the original warrant or through an extension) can combat later defense challenges to the search's length. For example, in United States v. Syphers, after state police seized a defendant's computer, prosecutors sought an additional warrant to authorize a forensic review of the computer. The same day they received that warrant, prosecutors moved for an additional twelve months to search the computer. Syphers, 426 F.3d at 463. The district court cited that extension, in part, as evidence that the police did not "act in bad faith" by delaying their search unreasonably. 296 F. Supp.2d at 58; aff'd, 426 F.3d at 469.
Generally, creating ex ante limitations on how a warrant is to be executed is inconsistent with the role for issuing magistrates that has been set forth by the Supreme Court. As set forth in Dalia v. United States, 441 U.S. 238, 258 (1979), "It would extend the Warrant Clause to the extreme to require that, whenever it is reasonably likely that Fourth Amendment rights may be affected in more than one way, the court must set forth precisely the procedures to be followed by the executing officers. Such an interpretation is unnecessary, as we have held — and the Government concedes — that the manner in which a warrant is executed is subject to later judicial review as to its reasonableness."
D. Difficulty of the search
Lengthy reviews are not "unreasonable" under the Fourth Amendment when the government can demonstrate that the review was complex. Commonwealth v. Ellis, 10