Appendix E — Legal Frameworks Reference
Purpose. A keyboard-side map of the U.S. legal landscape that governs how digital evidence is searched, seized, preserved, authenticated, and admitted — plus the cross-border rules (CLOUD Act, MLATs, GDPR) you hit the moment data leaves the country.
This is education, not legal advice. The law changes, splits by circuit and state, and turns on facts this book cannot know. Nothing here creates an attorney–client relationship. Before you act on a hard question — a warrant's scope, a compelled-decryption order, a cross-border production, a litigation hold — get the prosecutor, agency counsel, or retaining attorney to put the authority in writing. Verify current law; several doctrines below are actively shifting in the courts. The book's standing rule applies: it is not "I searched it," it is "I had documented legal authority to search it, and I can prove what I did and that the data is unaltered." See Chapter 25 — The Legal Framework for the full treatment; this appendix is the condensed bench reference.
E.1 How to use this appendix
Find your situation in the master table, jump to the section, confirm the rule, and — when the stakes are real — confirm with counsel. Citations are given so you (or the attorney) can pull the source. Cases are cited briefly; the holding line is what you need at 2 a.m., not the full Bluebook history.
| If you are about to… | Governing framework | Section |
|---|---|---|
| Seize or search a device for law enforcement | Fourth Amendment; warrant + exceptions | E.3–E.5 |
| Rely on a person's consent to search | Consent doctrine | E.6 |
| Search a device at the border / airport | Border-search exception | E.7 |
| Compel a password or biometric unlock | Fifth Amendment; foregone conclusion | E.8 |
| Worry that evidence will be thrown out | Exclusionary rule | E.9 |
| Get stored email/records from a provider | ECPA / SCA; CLOUD Act | E.10 |
| Preserve/collect ESI in a lawsuit | FRCP 26/34/37(e); legal hold | E.11 |
| Get your findings admitted / testify | Daubert/Frye; FRE 702/901/902 | E.12 |
| Obtain data stored or held abroad | CLOUD Act agreements; MLATs | E.13 |
| Touch EU personal data | GDPR | E.14 |
| Work a case outside the U.S. | Foreign frameworks; ISO; Budapest | E.15 |
Why this matters. Forensics that is technically perfect and legally defective is worthless in court — worse than worthless, because a suppression order can sink an entire prosecution and a spoliation finding can lose a civil case outright. Legal awareness is one of the four tone principles of this book for a reason: every action you take is a future exhibit.
E.2 The two tracks: criminal vs. civil
The constitutional rules (Fourth/Fifth Amendments, exclusionary rule) bind government actors in criminal matters. The FRCP/eDiscovery rules govern civil litigation between parties. They overlap (a forensic image is a forensic image), but the authority, the standard, and the sanctions differ sharply.
| Criminal track | Civil track | |
|---|---|---|
| Primary authority | Fourth/Fifth Amendments, ECPA/SCA, state law | FRCP (federal) / state civil rules, FRE |
| How you get the data | Warrant, consent, subpoena, court order | Preservation duty, Rule 34 request, subpoena (Rule 45) |
| Who is constrained | Government + its agents | All parties to the litigation |
| Worst-case failure | Suppression (exclusionary rule) | Spoliation sanctions (Rule 37(e)) |
| Standard for experts | Daubert / Frye (jurisdiction-dependent) | Daubert / Frye |
| Privacy overlay | Constitutional + statutory | Statutory + GDPR/state privacy if applicable |
Legal Note. The Fourth Amendment generally does not restrain purely private actors. A private data-recovery technician who finds contraband on a client's drive is not conducting a "search" in the constitutional sense — but the private search doctrine (E.9) and mandatory-reporting duties (E.8 of Chapter 28 ethics) change everything the instant you encounter child sexual abuse material (CSAM). Stop, do not expand the search, preserve, and report under 18 U.S.C. § 2258A.
E.3 The Fourth Amendment — digital search and seizure
Text (core clause): "...no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
A "search" occurs when the government (1) intrudes on a reasonable expectation of privacy (REP) — the two-prong Katz test: a subjective expectation that society accepts as reasonable — or (2) physically trespasses on a constitutionally protected area to obtain information (Jones).
The doctrines that decide digital cases
| Doctrine | One-line rule | Anchor case |
|---|---|---|
| Reasonable expectation of privacy | A search needs a subjective + objectively reasonable privacy expectation | Katz v. United States, 389 U.S. 347 (1967) |
| Trespass theory | Physically attaching a device to gather info is a search | United States v. Jones, 565 U.S. 400 (2012) (GPS on car) |
| Third-party doctrine | No REP in info voluntarily shared with a third party… | Smith v. Maryland, 442 U.S. 735 (1979); United States v. Miller, 425 U.S. 435 (1976) |
| …limited for digital location data | Historical cell-site location info (CSLI) is a search; get a warrant | Carpenter v. United States, 138 S. Ct. 2206 (2018) |
| Phones are different | Search-incident-to-arrest does not reach phone data — "get a warrant" | Riley v. California, 573 U.S. 373 (2014) |
| Home sense-enhancement | Using tech to learn the inside of a home is a search | Kyllo v. United States, 533 U.S. 27 (2001) |
Riley and Carpenter are the two cases to know cold. Riley (2014) ended the assumption that a phone seized during arrest could be browsed on the spot; the volume and intimacy of phone data demand a warrant. Carpenter (2018) cracked the third-party doctrine for the digital age: even though your carrier holds your location records, you retain a privacy interest in the comprehensive, sustained record of your movements. Together they signal the courts' direction — digital quantity and persistence change the constitutional calculus.
What this means at the keyboard
- A device lawfully seized is not automatically a device you may search. Seizure freezes the evidence; search requires its own authority (usually a warrant for the image).
- The privacy interest attaches to the data, not just the metal. Imaging is a search of everything on the medium — including deleted files you recover (deletion removed the pointer, not the data; that data is still the suspect's "papers").
- Cloud-synced data on a phone may reach servers outside the warrant's described "place." Carve cloud accounts out, or get separate authority (see Chapter 31 — Cloud Forensics).
E.4 Search-warrant requirements
A valid warrant has four pillars. For digital warrants, particularity is where most challenges live.
| Pillar | Requirement | Digital wrinkle |
|---|---|---|
| Probable cause | A fair probability that evidence of a crime will be found in the place | Must connect the device/account to the crime, not just the suspect |
| Oath/affirmation | Affidavit sworn before the magistrate | Affiant should explain the forensic process to justify off-site search |
| Particularity — place | Describe the place/device to be searched | Identify devices by make/model/serial where possible; account identifiers for cloud |
| Particularity — things | Describe the items/data to be seized | Limit by data category, time window, and offense; avoid "all data" |
| Neutral magistrate | Issued by a neutral, detached judge | — |
The two-stage digital search
Courts accept that you usually cannot fully search a device on scene. The standard model:
STAGE 1 — Seize + image STAGE 2 — Search the image (off-site, under the warrant)
+------------------------+ +-------------------------------------------+
| Seize device | | Search ONLY for data the warrant |
| Write-blocked image | ----> | describes (by category, keyword, date, |
| Hash (MD5+SHA-256) | | file type). Document the protocol. |
| Chain of custody | | Items outside scope -> do not exploit; |
+------------------------+ | get a second warrant if plain-view rules. |
+-------------------------------------------+
Tool Tip. Build the warrant's scope into your search plan literally — keyword lists, date ranges, file-type filters, target artifacts — and log every query you run. When the defense asks "did you go fishing through his whole life?", your tool's search history is the answer. Tie the technical workflow to Chapter 14 — Forensic Acquisition.
Plain view, narrowed for digital
The plain-view exception lets you seize obvious contraband encountered during a lawful search — but in digital searches, where "everything" is technically in view once imaged, courts police it hard. The influential United States v. Comprehensive Drug Testing, 621 F.3d 1162 (9th Cir. 2010) (en banc) urged search protocols, filter/taint teams, and limits on retaining non-responsive data. Practice: do not leverage out-of-scope discoveries; freeze, document, and seek a new warrant.
E.5 Warrant exceptions that matter in digital cases
| Exception | Scope | Digital caveat |
|---|---|---|
| Consent | Voluntary consent by someone with authority | See E.6; narrow for passworded data |
| Search incident to arrest | Person + area within reach | Does not reach phone data (Riley) |
| Exigent circumstances | Imminent danger, escape, evidence destruction | Remote wipe risk can justify seizing/Faraday-bagging a phone; usually not a full search |
| Plain view | Obvious evidence lawfully encountered | Narrowed for digital (CDT); don't exploit out-of-scope data |
| Automobile exception | Vehicle with probable cause | Reaches the car; a phone inside still gets Riley treatment |
| Inventory | Routine booking inventory | Inventory ≠ license to forensically search data |
| Border search | At the international border | See E.7 |
| Probation/parole | Reduced expectation by agreement | Conditions may authorize device searches |
Limitation — exigency is narrow. "The data might be remotely wiped" can justify seizing and isolating a device (Faraday bag, airplane mode, keep-alive power), but it rarely justifies a warrantless forensic search. Preserve now, search under a warrant. This is exactly why live/triage practice matters — see Chapter 15 — Live Response and Triage.
E.6 Consent searches
Consent is the most common — and most litigated — way examiners get access without a warrant. Two questions decide validity: was it voluntary, and did the person have authority.
- Voluntary — judged by the totality of the circumstances; no coercion. Schneckloth v. Bustamonte, 412 U.S. 218 (1973). Officers need not warn that consent can be refused, but a knowing/voluntary record is far stronger.
- Scope — limited to what a reasonable person would understand was authorized. "You can look at my photos" is not "image my entire phone."
- Withdrawal — consent can be revoked at any time; stop when it is.
Who can consent to what
| Situation | Can they consent? | Authority |
|---|---|---|
| The device's sole owner/user | Yes | Owner authority |
| Co-user with common authority over the device | Yes, as to shared areas | United States v. Matlock, 415 U.S. 164 (1974) |
| Apparent (not actual) authority, reasonably believed | Yes, if belief is objectively reasonable | Illinois v. Rodriguez, 497 U.S. 177 (1990) |
| Co-tenant present and objecting | No, over the objector's interest | Georgia v. Randolph, 547 U.S. 103 (2006) |
| Objector removed (e.g., arrested), remaining tenant consents | Yes | Fernandez v. California, 571 U.S. 292 (2014) |
| Password-protected files/accounts of another user | Often no common authority | Trulock v. Freeh, 275 F.3d 391 (4th Cir. 2001) |
| Employer over a company device (with policy) | Usually yes | Depends on policy + reduced employee REP |
Chain of Custody. Always capture consent in writing, signed and timestamped, with the scope stated. A consent-search form template is in E.16 and in Appendix F — Chain of Custody and Report Templates. Verbal consent evaporates on the witness stand; a signed scope statement does not.
E.7 Border searches
At the international border (and its functional equivalents — international airports), the border-search exception allows routine searches with no warrant and no individualized suspicion. United States v. Ramsey, 431 U.S. 606 (1977); United States v. Flores-Montano, 541 U.S. 149 (2004). Electronic devices are the contested frontier, and the circuits split on whether a forensic device search needs reasonable suspicion.
| Authority | Rule for device searches at the border |
|---|---|
| CBP/ICE policy | "Basic" (manual) search: no suspicion. "Advanced" (connect equipment to review/copy/analyze): reasonable suspicion or national-security concern, with supervisory approval |
| 9th Cir. — United States v. Cotterman, 709 F.3d 952 (2013) | Forensic search requires reasonable suspicion |
| 9th Cir. — United States v. Cano, 934 F.3d 1002 (2019) | Border device searches limited to searching for digital contraband; forensic search needs reasonable suspicion |
| 4th Cir. — United States v. Kolsuz, 890 F.3d 133 (2018) | Forensic search is non-routine; needs individualized suspicion |
| 11th Cir. — United States v. Touset, 890 F.3d 1227 (2018) | No suspicion required even for forensic device searches |
Why this matters. Where you cross matters. The same forensic image taken at LAX (9th Cir.) and Atlanta (11th Cir.) may face different suppression standards. For any border matter, confirm the governing circuit and the current CBP/ICE directive before you connect equipment — and document the suspicion basis if one is required.
E.8 The Fifth Amendment — compelled decryption
The Fifth Amendment bars compelling a person to give testimonial, incriminating communication. Encryption sits squarely on this line: can the government force a suspect to decrypt a device?
- Producing a passcode is testimonial — it reveals the contents of your mind. Compelling it implicates the Fifth.
- The foregone conclusion doctrine is the key exception. From Fisher v. United States, 425 U.S. 391 (1976): if the government already knows the existence, location, and authenticity of the material, the act of production conveys nothing new and testimonial, so it can be compelled. Applied to decryption, courts divide on what must be a foregone conclusion — the files on the device, or merely that the suspect knows the password.
The split, at a glance
| Court | Outcome | Foregone-conclusion theory |
|---|---|---|
| In re Boucher, 2009 WL 424718 (D. Vt. 2009) | Compelled | Existence of files already known |
| United States v. Fricosu, 841 F. Supp. 2d 1232 (D. Colo. 2012) | Compelled | Production not testimonial on these facts |
| In re Grand Jury Subpoena (Doe), 670 F.3d 1335 (11th Cir. 2012) | Protected | Government didn't show files existed/were accessible |
| Commonwealth v. Gelfgatt, 11 N.E.3d 605 (Mass. 2014) | Compelled | Defendant's knowledge of password was a foregone conclusion |
| Commonwealth v. Davis, 220 A.3d 534 (Pa. 2019) | Protected | Passcode is testimonial; foregone conclusion did not apply |
| State v. Andrews, 234 A.3d 1254 (N.J. 2020) | Compelled | Knowledge of passcodes was a foregone conclusion |
| Seo v. State, 148 N.E.3d 952 (Ind. 2020) | Protected | Act of production testimonial; state didn't meet the standard |
There is no Supreme Court ruling resolving this. Outcomes turn on the jurisdiction and on how much the government already knows.
Passcode vs. biometric — a critical practical distinction
| Unlock type | Traditional treatment | Trend |
|---|---|---|
| Passcode / password ("something you know") | Testimonial → more Fifth Amendment protection | Stable |
| Fingerprint / face ("something you are") | Like a physical key/blood draw → non-testimonial (Schmerber v. California, 384 U.S. 757 (1966)) → compellable | Contested — some courts now hold compelled biometric unlock is testimonial (e.g., In re Search of a Residence in Oakland, N.D. Cal. 2019) |
COMPELLED-DECRYPTION QUICK ANALYSIS (confirm with counsel; jurisdiction-dependent)
Is the unlock a PASSCODE (mind) or BIOMETRIC (body)?
| |
PASSCODE BIOMETRIC
| |
Testimonial. Historically non-testimonial (compellable),
Compellable ONLY if foregone but several courts now disagree. Move fast:
conclusion is met (gov't knows a device in AFU (After First Unlock) state
existence/control/authenticity). is far more tractable than BFU.
|
If not met -> Fifth Amendment bar.
Forensic takeaway. The law gives you a strong reason to act fast and correctly on seizure: a device that is alive and already unlocked (or in an AFU state), or a known passcode, can sidestep the whole compelled-decryption fight. Keep the device powered and isolated, document everything, and coordinate with counsel before requesting any order. Technical depth: Chapter 24 — Mobile Device Forensics and Chapter 29 — Encrypted Device Forensics.
E.9 The exclusionary rule
Evidence obtained in violation of the Fourth Amendment is generally inadmissible in the prosecution's case-in-chief. Mapp v. Ohio, 367 U.S. 643 (1961) (states); Weeks v. United States, 232 U.S. 383 (1914) (federal). Derivative evidence is also excluded — the fruit of the poisonous tree (Wong Sun v. United States, 371 U.S. 471 (1963)).
Exceptions and limits
| Doctrine | Effect | Anchor case |
|---|---|---|
| Good faith | Reasonable reliance on a later-invalidated warrant saves the evidence | United States v. Leon, 468 U.S. 897 (1984) |
| Independent source | Evidence also obtained via a lawful, independent route is admissible | Murray v. United States, 487 U.S. 533 (1988) |
| Inevitable discovery | Would have been found lawfully anyway | Nix v. Williams, 467 U.S. 431 (1984) |
| Attenuation | Connection to illegality too remote | Utah v. Strieff, 579 U.S. 232 (2016) |
| Standing | Only a person whose own rights were violated can suppress | Rakas v. Illinois, 439 U.S. 128 (1978) |
| Private search | A private party's search isn't government action; police may repeat it within the same scope | United States v. Jacobsen, 466 U.S. 109 (1984) |
Recovery vs. Forensics. This is the dual-lens at its sharpest. A recovery tech restoring a client's drive owes no Fourth Amendment duty — but the moment your work might enter a courtroom, the exclusionary rule and the private-search doctrine govern how far you may look. Same image, two worlds. When in doubt, stop expanding scope and call counsel before you turn a lawful recovery into a tainted search.
E.10 Stored and transmitted data: ECPA, SCA, and the CLOUD Act
When the data lives with a provider (email host, ISP, cloud, telco), the Electronic Communications Privacy Act (ECPA, 1986) governs, in three parts:
| ECPA title | Statute | Covers | Typical compulsion |
|---|---|---|---|
| Wiretap Act (Title I) | 18 U.S.C. § 2510 et seq. | Real-time interception of content | Super-warrant (Title III order) |
| Stored Communications Act (Title II) | 18 U.S.C. § 2701 et seq. | Stored content + records held by providers | See ladder below |
| Pen Register / Trap & Trace (Title III) | 18 U.S.C. § 3121 et seq. | Real-time non-content (dialing/routing/addressing) | Pen/trap order |
SCA compulsion ladder (stored data from a provider)
| You want… | Instrument |
|---|---|
| Basic subscriber/transactional records (§ 2703(c)(2)) | Subpoena |
| Other non-content records | § 2703(d) court order ("specific and articulable facts") |
| Content of communications | Search warrant — United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) held email content has Fourth Amendment protection; DOJ policy now uses warrants for content nationwide |
The CLOUD Act (2018)
The Clarifying Lawful Overseas Use of Data Act (Pub. L. 115-141) did two things:
- Reach: A U.S. provider must produce data within its possession, custody, or control regardless of where it is stored. This resolved the dispute in Microsoft Corp. v. United States (the "Microsoft Ireland" case), which the Supreme Court dismissed as moot once the Act passed.
- Executive agreements: It authorizes the U.S. to sign agreements letting qualifying foreign governments request data directly from U.S. providers (and vice versa), bypassing the slow MLAT route, subject to rights safeguards. See E.13.
Legal Note. "Stored where?" stopped being the dispositive question for U.S. providers after the CLOUD Act — "who controls it?" is. But foreign blocking statutes and the GDPR (E.14) can still put a provider in a conflict of laws. That tension is the whole point of Chapter 31 — Cloud Forensics.
E.11 Civil litigation and eDiscovery (FRCP)
In civil cases, electronically stored information (ESI) is discoverable under the Federal Rules of Civil Procedure. The duty to preserve can arise long before a request is served. The 📜 Legal/eDiscovery track lives here.
The rules you cite most
| Rule | What it governs | Key point |
|---|---|---|
| Rule 16(b) | Scheduling order | Court may include ESI and clawback terms early |
| Rule 26(b)(1) | Scope of discovery | Relevant + proportional to the needs of the case (2015 amendment) |
| Rule 26(b)(2)(B) | Inaccessible ESI | Need not produce ESI that is not reasonably accessible due to undue burden/cost — must identify it |
| Rule 26(b)(5) | Privilege | Privilege log; clawback of inadvertently produced privileged ESI |
| Rule 26(f) | "Meet and confer" | Parties confer early on ESI: scope, forms, preservation |
| Rule 33(d) | Interrogatory answers from records | May produce ESI in lieu of a narrative answer |
| Rule 34 | Requests for production | Requesting party may specify the form; otherwise produce as kept or in a reasonably usable form |
| Rule 37(e) | Failure to preserve ESI | The spoliation sanctions framework (below) |
| Rule 45 | Subpoenas | Reaches ESI held by non-parties |
| FRE 502 | Privilege waiver | 502(b) inadvertent-disclosure protection; 502(d) orders make clawback bulletproof |
Rule 34 — forms of production
| Form | What it is | Trade-off |
|---|---|---|
| Native | Original file format (.xlsx, .pst, .docx) |
Preserves metadata; harder to Bates-stamp/redact |
| Near-native | Native + extracted metadata load file | Common compromise |
| Image (TIFF/PDF) | Page images + load file + extracted text | Easy to redact/Bates; loses dynamic metadata |
Rule 37(e) — the spoliation framework (2015)
Was ESI that SHOULD have been preserved LOST because a party
failed to take REASONABLE steps, and it can't be restored/replaced?
| |
NO -> no Rule 37(e) sanctions YES
|
+----------------+----------------+
| |
37(e)(1): on a finding of 37(e)(2): ONLY on a finding of
PREJUDICE, measures no INTENT TO DEPRIVE the other party,
greater than necessary to the court MAY:
cure the prejudice. (A) presume info was unfavorable
(B) adverse-inference instruction
(C) dismiss / default judgment
Intent is the dividing line. The harshest sanctions — adverse inference, dismissal, default — require a finding that the party acted with intent to deprive, not mere negligence. The 2015 amendment deliberately raised the bar and displaced the old "routine operation" safe harbor. Document your preservation steps; "reasonable steps" is your shield.
Litigation holds and the duty to preserve
The duty to preserve is triggered when litigation is reasonably anticipated — often before a complaint is filed. The seminal guidance is the Zubulake v. UBS Warburg line (S.D.N.Y. 2003–04), especially Zubulake IV (duty + scope) and Zubulake V (counsel's duty to monitor the hold).
A defensible hold:
- Identify the trigger and the date you knew or should have known.
- Scope custodians, systems, date ranges, and data types.
- Suspend auto-deletion (email retention, log rotation, backup recycling, ephemeral-messaging auto-purge).
- Notify custodians in writing; track acknowledgments.
- Reissue and monitor — holds are not "set and forget."
- Document every step (your future defense to a Rule 37(e) motion).
The original is sacred — civil edition. The same rule that makes you image before you touch a recovery drive makes you preserve before you process in litigation. Auto-deleting Slack/Teams messages and rotating logs after a hold attaches is the classic, avoidable spoliation. A legal-hold notice template is in E.16.
Tool Tip. The EDRM (Electronic Discovery Reference Model) stages — Information Governance → Identification → Preservation → Collection → Processing → Review → Analysis → Production → Presentation — are the standard mental model. Technology-assisted review (TAR / predictive coding) is judicially accepted; Da Silva Moore v. Publicis Groupe, 287 F.R.D. 182 (S.D.N.Y. 2012) was the first opinion to approve it.
E.12 Admissibility and expert testimony
Your findings reach the jury only if (a) the methodology clears the reliability gate and (b) the evidence is authenticated. As the examiner you are usually the expert witness — see Chapter 27 — Expert Testimony.
Frye vs. Daubert
| Frye (1923) | Daubert (1993) | |
|---|---|---|
| Test | "General acceptance" in the relevant scientific community | Judge as gatekeeper of reliability under FRE 702 |
| Source | Frye v. United States, 293 F. 1013 (D.C. Cir. 1923) | Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993) |
| Used by | Federal courts before 1993; some states still (e.g., variants in IL, NY, PA, WA, CA's Kelly/Frye) | Federal courts + most states |
| Reach | Scientific evidence | Scientific and technical/specialized (Kumho Tire, 526 U.S. 137 (1999)) |
The Daubert factors (non-exclusive):
- Can the theory/technique be (and has it been) tested?
- Has it been subject to peer review and publication?
- What is the known or potential error rate?
- Are there standards controlling the technique's operation?
- Is it generally accepted (Frye, folded in as one factor)?
Two companions complete the trilogy: General Electric Co. v. Joiner, 522 U.S. 136 (1997) (abuse-of-discretion review; courts may exclude where there is too great an "analytical gap"); Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999) (gatekeeping extends to technical experts — i.e., to you).
FRE 702 was amended December 1, 2023. The amendment makes explicit that the proponent must show by a preponderance of the evidence that the reliability requirements are met, and that the expert's opinion reflects a reliable application of the methodology to the facts — pushing back on overstated conclusions. Translate this to practice: validated tools, documented methods, known error rates, no opinions beyond what your data supports. This is why tool validation (see Appendix C — Tool Reference) is a courtroom issue, not just a lab one.
Authentication — and the hashing that powers it
Before content comes in, you must show the item is what you say it is (FRE 901). Digital evidence is commonly authenticated through chain of custody plus hash verification. Two self-authentication rules (effective December 1, 2017) let you do this by written certification instead of live foundational testimony:
| Rule | Self-authenticates… | In plain terms |
|---|---|---|
| FRE 902(13) | Records generated by an electronic process/system, shown by a qualified person's certification | Logs/records a system produced |
| FRE 902(14) | Data copied from an electronic device/storage/file, authenticated by digital identification (hashing) | Your forensic image, proven unaltered by hash |
The hash you cite in a 902(14) certification is generated like this — capture it at acquisition and again before production:
# Linux/macOS — hash the acquired image (record both for legacy + strength)
md5sum evidence_disk1.dd
sha256sum evidence_disk1.dd
# Verify later (exit code 0 = match)
sha256sum -c evidence_disk1.dd.sha256
# Windows / PowerShell — hash and verify a forensic image
Get-FileHash -Algorithm SHA256 .\evidence_disk1.dd
# Compare an acquisition hash to a current hash (case-insensitive)
$acq = "9f2c...b3" # hash recorded at acquisition
$now = (Get-FileHash -Algorithm SHA256 .\evidence_disk1.dd).Hash
if ($acq -ieq $now) { "MATCH - image unaltered" } else { "MISMATCH - investigate" }
# Build a minimal authentication record for a 902(14) certification.
# Illustrative only; never executed in the sandbox.
import hashlib, datetime, json
def hash_evidence(path, algorithms=("md5", "sha256")):
hashers = {a: hashlib.new(a) for a in algorithms}
with open(path, "rb") as f:
for chunk in iter(lambda: f.read(1024 * 1024), b""):
for h in hashers.values():
h.update(chunk)
return {a: h.hexdigest() for a, h in hashers.items()}
record = {
"evidence_id": "2026-0142-HDD-01",
"image_file": "evidence_disk1.dd",
"acquired_utc": datetime.datetime.utcnow().isoformat() + "Z",
"examiner": "J. Rivera, GCFA",
"hashes": hash_evidence("evidence_disk1.dd"),
}
print(json.dumps(record, indent=2))
Chain of Custody. A matching hash is the technical heart of 902(14): it proves the data produced is bit-for-bit identical to what you acquired. "I found this" becomes "I can prove this image is unaltered since acquisition at 14:22 UTC, SHA-256
9f2c…." Pair the hash with an unbroken custody record — forms in Appendix F. Acquisition mechanics live in Chapter 14 — Forensic Acquisition.
E.13 Cross-border: CLOUD Act agreements and MLATs
When evidence sits abroad — or is held by a foreign provider — you have three principal routes, fastest to slowest:
| Route | What it is | Speed | Notes |
|---|---|---|---|
| CLOUD Act executive agreement | Direct provider requests between partner countries | Fastest | Requires a qualifying agreement (e.g., U.S.–U.K., U.S.–Australia) and rights safeguards |
| MLAT (Mutual Legal Assistance Treaty) | Formal government-to-government evidence request | Slow (months–years) | Routed through DOJ Office of International Affairs (OIA) |
| Letter rogatory | Court-to-court request where no MLAT applies | Slowest | Diplomatic channel; last resort |
MLAT REQUEST FLOW (simplified)
Investigator/Prosecutor ---> DOJ Office of International Affairs (OIA)
---> Foreign Central Authority ---> Foreign court/authority executes
---> Evidence gathered abroad ---> returned through the same channel
(Plan for MONTHS. Preserve first via a provider preservation request / 18 U.S.C. § 2703(f)
or the Budapest Convention's expedited-preservation mechanism so data survives the wait.)
Limitation — time is the enemy abroad. MLAT timelines routinely outrun data-retention windows. Send a preservation request immediately (domestically, 18 U.S.C. § 2703(f) lets you ask a U.S. provider to preserve for 90 days, renewable) and check whether a CLOUD Act agreement offers a faster lane. Don't let the formal process run while the data ages out.
E.14 GDPR for EU data
The EU General Data Protection Regulation (Regulation (EU) 2016/679, in force 25 May 2018) governs processing of personal data of people in the EU/EEA — and it reaches you even from the U.S. (Article 3 extraterritoriality) if you offer goods/services to, or monitor, EU data subjects. A forensic acquisition that ingests EU employees' or customers' data is "processing."
What you need at the keyboard
| Topic | Essentials |
|---|---|
| Personal data | Any info relating to an identified/identifiable person; special categories (Art. 9: health, biometrics, etc.) get heightened protection |
| Lawful basis (Art. 6) | Need one of: consent, contract, legal obligation, vital interests, public task, legitimate interests (the basis most cited for investigations — document the balancing test) |
| Core principles (Art. 5) | Lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability |
| Data-subject rights | Access, rectification, erasure ("right to be forgotten"), restriction, portability, objection |
| Breach notification (Art. 33) | Notify the supervisory authority within 72 hours of becoming aware |
| Penalties | Up to €20 million or 4% of global annual turnover, whichever is higher |
The cross-border discovery conflict
GDPR Article 48 says a foreign court's or authority's order to transfer personal data is not, by itself, a lawful basis to transfer it out of the EU unless grounded in an international agreement (e.g., an MLAT). Combined with international-transfer rules (Chapter V — adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules), this routinely collides with U.S. discovery demands.
| U.S. side wants | GDPR side says | Bridge |
|---|---|---|
| Broad Rule 34 production of EU custodians' data | Data minimization + valid transfer basis required | Narrow scope; pseudonymize; process in-region; SCCs; protective order |
| Direct order to transfer | Art. 48: foreign order ≠ sufficient basis | Use MLAT / international agreement |
| Speed | 72-hour breach clock; DPA oversight | Plan early; involve EU counsel + DPO |
U.S. courts resolve the clash through a comity analysis (Société Nationale Industrielle Aérospatiale v. U.S. District Court, 482 U.S. 522 (1987) and the Restatement factors). The Sedona Conference International Principles are the standard practitioner guidance.
Schrems II changed the transfer rules. Data Protection Commissioner v. Facebook Ireland & Schrems (CJEU, Case C-311/18, 2020) invalidated the EU–U.S. Privacy Shield and tightened SCC use. The EU–U.S. Data Privacy Framework (adequacy decision, 2023) restored a transfer mechanism for certified U.S. organizations — but confirm current status before you rely on it; this area keeps moving.
E.15 A note on non-U.S. jurisdictions
Everything above is U.S.-centric. The instant a case crosses a border, assume the rules differ and engage local counsel. Some anchors that recur worldwide:
| Instrument / standard | What it gives you |
|---|---|
| Budapest Convention on Cybercrime (CoE, ETS 185, 2001) | First international cybercrime treaty; harmonized offenses, expedited preservation, and mutual assistance. The Second Additional Protocol (CETS 224, 2022) adds enhanced cooperation and direct disclosure of e-evidence |
| ISO/IEC 27037 | Identification, collection, acquisition, preservation of digital evidence (the international analogue to this book's process chapters) |
| ISO/IEC 27041 / 27042 / 27043 | Investigation assurance / analysis & interpretation / incident investigation principles |
| ISO/IEC 27050 | Electronic discovery |
| ACPO / NPCC Principles (UK) | Four widely cited principles: don't change the data; if you must access original data, be competent and explain it; keep an audit trail; the case officer is responsible for compliance |
Other privacy/data regimes you may meet:
| Jurisdiction | Law |
|---|---|
| United Kingdom | UK GDPR + Data Protection Act 2018 |
| Canada | PIPEDA |
| Brazil | LGPD |
| Japan | APPI |
| China | PIPL + Data Security Law (strict data-export controls) |
| South Africa | POPIA |
| California (U.S.) | CCPA / CPRA |
Why this matters. Admissibility standards, warrant requirements, data-localization rules, and what even counts as a lawful search all vary by country. Common-law systems (U.S., U.K.) and civil-law systems differ on procedure and on the role of the expert. Technology changes, principles don't — image first, hash, document, preserve scope — but the legal authority is intensely local. Never assume a U.S. workflow is lawful abroad.
E.16 Templates and checklists
Reference forms you can lift to the keyboard. Adapt to your jurisdiction and have counsel review. Companion evidence forms are in Appendix F — Chain of Custody and Report Templates.
Pre-acquisition legal-authority checklist
BEFORE YOU IMAGE — LEGAL AUTHORITY CHECK
[ ] What is my authority? ( ) Warrant ( ) Consent ( ) Subpoena/Court order
( ) Civil preservation/Rule 34 ( ) Owner request (recovery)
[ ] Authority is IN WRITING and attached to the case file
[ ] SCOPE is defined: devices/accounts, data categories, date range, offense/matter
[ ] The data/device is WITHIN the described scope (no out-of-scope exploitation)
[ ] Cloud/remote accounts: separately authorized or carved out
[ ] Cross-border data implicated? -> MLAT / CLOUD Act / GDPR path identified
[ ] Privilege/special-category data anticipated? -> filter/taint plan in place
[ ] Chain of custody started; write-blocker confirmed; hash plan set (MD5 + SHA-256)
[ ] If in doubt about authority -> STOP and confirm with counsel (documented)
Warrant-scope review checklist (digital)
[ ] Probable cause connects THIS device/account to the offense
[ ] Particularity — PLACE: device(s)/account(s) identified (make/model/serial/identifier)
[ ] Particularity — THINGS: data categories + time window + offense stated
[ ] Two-stage search contemplated (seize/image on scene, search off-site)
[ ] Search protocol limits: keywords, file types, dates, target artifacts
[ ] Plain-view discipline: out-of-scope contraband -> freeze + seek new warrant
[ ] Return/inventory and any retention limits noted
Consent-to-search form (skeleton)
CONSENT TO SEARCH ELECTRONIC DEVICE(S)
I, ____________________ (printed name), am the ( ) owner ( ) authorized user of:
Device(s): __________________________________ (make/model/serial)
I understand I have the right to refuse, and may withdraw consent at any time.
I authorize ____________________ (examiner/agency) to:
( ) image and forensically search the device(s)
( ) search ONLY: ______________________________ (limited scope)
This consent ( ) does / ( ) does not extend to cloud accounts linked to the device.
Signature: ___________________ Date/Time: __________ Witness: ___________________
Legal-hold notice (skeleton)
TO: [Custodians / IT] DATE: __________ MATTER: __________
A legal hold is now in effect. You must PRESERVE and must NOT delete, alter,
or overwrite the following, effective immediately and until further notice:
Scope: [custodians, systems, repositories]
Data types: [email, files, chat/Teams/Slack, mobile, backups, logs, databases]
Date range: [____ to present]
ACTION REQUIRED:
- Suspend auto-deletion / retention purges / backup recycling / ephemeral auto-delete
- Do not wipe or reassign departing-employee devices in scope
- Reply to acknowledge by [date]
Questions -> [counsel]. Reissued/monitored per Zubulake V duty.
FRE 902(14) certification (skeleton — declaration under 28 U.S.C. § 1746)
CERTIFICATION OF DATA COPIED FROM AN ELECTRONIC DEVICE (FED. R. EVID. 902(14))
I, ____________________, declare:
1. I am qualified to make this certification (training/experience: ____________).
2. On [date/time UTC] I acquired a forensic image of [device, make/model/serial]
using [tool + version] with [write-blocker model].
3. The image file is "[filename]". Its hash values are:
MD5: ________________________________
SHA-256: ________________________________________________________________
4. The data produced was copied from that image and authenticated by digital
identification (hash comparison); the verification hash MATCHES the value above,
establishing the data is identical to the source as acquired.
I declare under penalty of perjury that the foregoing is true and correct.
Executed on __________. Signature: ____________________
E.17 Quick citation index
| Topic | Primary authority |
|---|---|
| Phone search incident to arrest | Riley v. California, 573 U.S. 373 (2014) |
| Cell-site location data | Carpenter v. United States, 138 S. Ct. 2206 (2018) |
| Reasonable expectation of privacy | Katz v. United States, 389 U.S. 347 (1967) |
| GPS tracking / trespass | United States v. Jones, 565 U.S. 400 (2012) |
| Voluntariness of consent | Schneckloth v. Bustamonte, 412 U.S. 218 (1973) |
| Border forensic search (9th Cir.) | United States v. Cotterman, 709 F.3d 952 (2013) |
| Foregone conclusion | Fisher v. United States, 425 U.S. 391 (1976) |
| Exclusionary rule (states) | Mapp v. Ohio, 367 U.S. 643 (1961) |
| Good-faith exception | United States v. Leon, 468 U.S. 897 (1984) |
| Email content needs a warrant | United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) |
| Expert reliability gatekeeping | Daubert v. Merrell Dow, 509 U.S. 579 (1993); FRE 702 (am. 2023) |
| General acceptance | Frye v. United States, 293 F. 1013 (D.C. Cir. 1923) |
| Litigation-hold duty | Zubulake v. UBS Warburg (S.D.N.Y. 2003–04) |
| Spoliation of ESI | Fed. R. Civ. P. 37(e) (am. 2015) |
| Stored data from providers | ECPA / SCA, 18 U.S.C. §§ 2510, 2701, 3121 et seq. |
| Overseas data control | CLOUD Act, Pub. L. 115-141 (2018) |
| EU personal data | GDPR, Regulation (EU) 2016/679 |
| EU transfer rules | Schrems II, CJEU C-311/18 (2020); EU–U.S. DPF (2023) |
| International cybercrime cooperation | Budapest Convention, ETS 185 (2001); 2nd Protocol (2022) |
E.18 Cross-references
Chapters: - Chapter 5 — The Forensic Process — preservation, hashing, and chain of custody that these rules presuppose. - Chapter 14 — Forensic Acquisition — imaging/write-blocking/hashing that underpin FRE 902(14). - Chapter 15 — Live Response and Triage — exigency, device isolation, AFU/BFU timing. - Chapter 24 — Mobile Device Forensics — Riley, passcode vs. biometric in practice. - Chapter 25 — The Legal Framework — the full narrative treatment (this appendix condenses it). - Chapter 26 — The Forensic Report — documenting authority and method for admissibility. - Chapter 27 — Expert Testimony — surviving a Daubert/Frye challenge and cross-examination. - Chapter 28 — Ethics — mandatory reporting (18 U.S.C. § 2258A), scope discipline, examiner well-being. - Chapter 29 — Encrypted Device Forensics — the technical side of compelled decryption. - Chapter 31 — Cloud Forensics — SCA/CLOUD Act in operation; cross-border data. - Chapter 33 — Cryptocurrency Investigation — subpoenas to exchanges, cross-border records.
Appendices: - Appendix C — Tool Reference — tool validation supporting Daubert reliability. - Appendix D — Forensic Artifact Locations — what your warrant scope must reach. - Appendix F — Chain of Custody and Report Templates — the forms that prove integrity. - Glossary — definitions of the legal terms used here.
Final reminder. This appendix is a map, not the territory. The doctrines on compelled decryption, border searches, and cross-border production are unsettled and circuit-dependent, and statutes/rules are amended (FRE 702 in 2023, the DPF in 2023). Treat every entry as a prompt to verify current law and confirm authority with counsel before you act. Get it in writing, hash it, document it — then you can prove not just what you found, but that you were allowed to find it.