Appendix E — Legal Frameworks Reference

Purpose. A keyboard-side map of the U.S. legal landscape that governs how digital evidence is searched, seized, preserved, authenticated, and admitted — plus the cross-border rules (CLOUD Act, MLATs, GDPR) you hit the moment data leaves the country.

This is education, not legal advice. The law changes, splits by circuit and state, and turns on facts this book cannot know. Nothing here creates an attorney–client relationship. Before you act on a hard question — a warrant's scope, a compelled-decryption order, a cross-border production, a litigation hold — get the prosecutor, agency counsel, or retaining attorney to put the authority in writing. Verify current law; several doctrines below are actively shifting in the courts. The book's standing rule applies: it is not "I searched it," it is "I had documented legal authority to search it, and I can prove what I did and that the data is unaltered." See Chapter 25 — The Legal Framework for the full treatment; this appendix is the condensed bench reference.


E.1 How to use this appendix

Find your situation in the master table, jump to the section, confirm the rule, and — when the stakes are real — confirm with counsel. Citations are given so you (or the attorney) can pull the source. Cases are cited briefly; the holding line is what you need at 2 a.m., not the full Bluebook history.

If you are about to… Governing framework Section
Seize or search a device for law enforcement Fourth Amendment; warrant + exceptions E.3E.5
Rely on a person's consent to search Consent doctrine E.6
Search a device at the border / airport Border-search exception E.7
Compel a password or biometric unlock Fifth Amendment; foregone conclusion E.8
Worry that evidence will be thrown out Exclusionary rule E.9
Get stored email/records from a provider ECPA / SCA; CLOUD Act E.10
Preserve/collect ESI in a lawsuit FRCP 26/34/37(e); legal hold E.11
Get your findings admitted / testify Daubert/Frye; FRE 702/901/902 E.12
Obtain data stored or held abroad CLOUD Act agreements; MLATs E.13
Touch EU personal data GDPR E.14
Work a case outside the U.S. Foreign frameworks; ISO; Budapest E.15

Why this matters. Forensics that is technically perfect and legally defective is worthless in court — worse than worthless, because a suppression order can sink an entire prosecution and a spoliation finding can lose a civil case outright. Legal awareness is one of the four tone principles of this book for a reason: every action you take is a future exhibit.


E.2 The two tracks: criminal vs. civil

The constitutional rules (Fourth/Fifth Amendments, exclusionary rule) bind government actors in criminal matters. The FRCP/eDiscovery rules govern civil litigation between parties. They overlap (a forensic image is a forensic image), but the authority, the standard, and the sanctions differ sharply.

Criminal track Civil track
Primary authority Fourth/Fifth Amendments, ECPA/SCA, state law FRCP (federal) / state civil rules, FRE
How you get the data Warrant, consent, subpoena, court order Preservation duty, Rule 34 request, subpoena (Rule 45)
Who is constrained Government + its agents All parties to the litigation
Worst-case failure Suppression (exclusionary rule) Spoliation sanctions (Rule 37(e))
Standard for experts Daubert / Frye (jurisdiction-dependent) Daubert / Frye
Privacy overlay Constitutional + statutory Statutory + GDPR/state privacy if applicable

Legal Note. The Fourth Amendment generally does not restrain purely private actors. A private data-recovery technician who finds contraband on a client's drive is not conducting a "search" in the constitutional sense — but the private search doctrine (E.9) and mandatory-reporting duties (E.8 of Chapter 28 ethics) change everything the instant you encounter child sexual abuse material (CSAM). Stop, do not expand the search, preserve, and report under 18 U.S.C. § 2258A.


E.3 The Fourth Amendment — digital search and seizure

Text (core clause): "...no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

A "search" occurs when the government (1) intrudes on a reasonable expectation of privacy (REP) — the two-prong Katz test: a subjective expectation that society accepts as reasonable — or (2) physically trespasses on a constitutionally protected area to obtain information (Jones).

The doctrines that decide digital cases

Doctrine One-line rule Anchor case
Reasonable expectation of privacy A search needs a subjective + objectively reasonable privacy expectation Katz v. United States, 389 U.S. 347 (1967)
Trespass theory Physically attaching a device to gather info is a search United States v. Jones, 565 U.S. 400 (2012) (GPS on car)
Third-party doctrine No REP in info voluntarily shared with a third party… Smith v. Maryland, 442 U.S. 735 (1979); United States v. Miller, 425 U.S. 435 (1976)
limited for digital location data Historical cell-site location info (CSLI) is a search; get a warrant Carpenter v. United States, 138 S. Ct. 2206 (2018)
Phones are different Search-incident-to-arrest does not reach phone data — "get a warrant" Riley v. California, 573 U.S. 373 (2014)
Home sense-enhancement Using tech to learn the inside of a home is a search Kyllo v. United States, 533 U.S. 27 (2001)

Riley and Carpenter are the two cases to know cold. Riley (2014) ended the assumption that a phone seized during arrest could be browsed on the spot; the volume and intimacy of phone data demand a warrant. Carpenter (2018) cracked the third-party doctrine for the digital age: even though your carrier holds your location records, you retain a privacy interest in the comprehensive, sustained record of your movements. Together they signal the courts' direction — digital quantity and persistence change the constitutional calculus.

What this means at the keyboard

  • A device lawfully seized is not automatically a device you may search. Seizure freezes the evidence; search requires its own authority (usually a warrant for the image).
  • The privacy interest attaches to the data, not just the metal. Imaging is a search of everything on the medium — including deleted files you recover (deletion removed the pointer, not the data; that data is still the suspect's "papers").
  • Cloud-synced data on a phone may reach servers outside the warrant's described "place." Carve cloud accounts out, or get separate authority (see Chapter 31 — Cloud Forensics).

E.4 Search-warrant requirements

A valid warrant has four pillars. For digital warrants, particularity is where most challenges live.

Pillar Requirement Digital wrinkle
Probable cause A fair probability that evidence of a crime will be found in the place Must connect the device/account to the crime, not just the suspect
Oath/affirmation Affidavit sworn before the magistrate Affiant should explain the forensic process to justify off-site search
Particularity — place Describe the place/device to be searched Identify devices by make/model/serial where possible; account identifiers for cloud
Particularity — things Describe the items/data to be seized Limit by data category, time window, and offense; avoid "all data"
Neutral magistrate Issued by a neutral, detached judge

Courts accept that you usually cannot fully search a device on scene. The standard model:

STAGE 1 — Seize + image            STAGE 2 — Search the image (off-site, under the warrant)
+------------------------+         +-------------------------------------------+
| Seize device           |         | Search ONLY for data the warrant          |
| Write-blocked image    |  ---->  | describes (by category, keyword, date,    |
| Hash (MD5+SHA-256)     |         | file type). Document the protocol.        |
| Chain of custody       |         | Items outside scope -> do not exploit;    |
+------------------------+         | get a second warrant if plain-view rules. |
                                   +-------------------------------------------+

Tool Tip. Build the warrant's scope into your search plan literally — keyword lists, date ranges, file-type filters, target artifacts — and log every query you run. When the defense asks "did you go fishing through his whole life?", your tool's search history is the answer. Tie the technical workflow to Chapter 14 — Forensic Acquisition.

Plain view, narrowed for digital

The plain-view exception lets you seize obvious contraband encountered during a lawful search — but in digital searches, where "everything" is technically in view once imaged, courts police it hard. The influential United States v. Comprehensive Drug Testing, 621 F.3d 1162 (9th Cir. 2010) (en banc) urged search protocols, filter/taint teams, and limits on retaining non-responsive data. Practice: do not leverage out-of-scope discoveries; freeze, document, and seek a new warrant.


E.5 Warrant exceptions that matter in digital cases

Exception Scope Digital caveat
Consent Voluntary consent by someone with authority See E.6; narrow for passworded data
Search incident to arrest Person + area within reach Does not reach phone data (Riley)
Exigent circumstances Imminent danger, escape, evidence destruction Remote wipe risk can justify seizing/Faraday-bagging a phone; usually not a full search
Plain view Obvious evidence lawfully encountered Narrowed for digital (CDT); don't exploit out-of-scope data
Automobile exception Vehicle with probable cause Reaches the car; a phone inside still gets Riley treatment
Inventory Routine booking inventory Inventory ≠ license to forensically search data
Border search At the international border See E.7
Probation/parole Reduced expectation by agreement Conditions may authorize device searches

Limitation — exigency is narrow. "The data might be remotely wiped" can justify seizing and isolating a device (Faraday bag, airplane mode, keep-alive power), but it rarely justifies a warrantless forensic search. Preserve now, search under a warrant. This is exactly why live/triage practice matters — see Chapter 15 — Live Response and Triage.


Consent is the most common — and most litigated — way examiners get access without a warrant. Two questions decide validity: was it voluntary, and did the person have authority.

  • Voluntary — judged by the totality of the circumstances; no coercion. Schneckloth v. Bustamonte, 412 U.S. 218 (1973). Officers need not warn that consent can be refused, but a knowing/voluntary record is far stronger.
  • Scope — limited to what a reasonable person would understand was authorized. "You can look at my photos" is not "image my entire phone."
  • Withdrawal — consent can be revoked at any time; stop when it is.
Situation Can they consent? Authority
The device's sole owner/user Yes Owner authority
Co-user with common authority over the device Yes, as to shared areas United States v. Matlock, 415 U.S. 164 (1974)
Apparent (not actual) authority, reasonably believed Yes, if belief is objectively reasonable Illinois v. Rodriguez, 497 U.S. 177 (1990)
Co-tenant present and objecting No, over the objector's interest Georgia v. Randolph, 547 U.S. 103 (2006)
Objector removed (e.g., arrested), remaining tenant consents Yes Fernandez v. California, 571 U.S. 292 (2014)
Password-protected files/accounts of another user Often no common authority Trulock v. Freeh, 275 F.3d 391 (4th Cir. 2001)
Employer over a company device (with policy) Usually yes Depends on policy + reduced employee REP

Chain of Custody. Always capture consent in writing, signed and timestamped, with the scope stated. A consent-search form template is in E.16 and in Appendix F — Chain of Custody and Report Templates. Verbal consent evaporates on the witness stand; a signed scope statement does not.


E.7 Border searches

At the international border (and its functional equivalents — international airports), the border-search exception allows routine searches with no warrant and no individualized suspicion. United States v. Ramsey, 431 U.S. 606 (1977); United States v. Flores-Montano, 541 U.S. 149 (2004). Electronic devices are the contested frontier, and the circuits split on whether a forensic device search needs reasonable suspicion.

Authority Rule for device searches at the border
CBP/ICE policy "Basic" (manual) search: no suspicion. "Advanced" (connect equipment to review/copy/analyze): reasonable suspicion or national-security concern, with supervisory approval
9th Cir. — United States v. Cotterman, 709 F.3d 952 (2013) Forensic search requires reasonable suspicion
9th Cir. — United States v. Cano, 934 F.3d 1002 (2019) Border device searches limited to searching for digital contraband; forensic search needs reasonable suspicion
4th Cir. — United States v. Kolsuz, 890 F.3d 133 (2018) Forensic search is non-routine; needs individualized suspicion
11th Cir. — United States v. Touset, 890 F.3d 1227 (2018) No suspicion required even for forensic device searches

Why this matters. Where you cross matters. The same forensic image taken at LAX (9th Cir.) and Atlanta (11th Cir.) may face different suppression standards. For any border matter, confirm the governing circuit and the current CBP/ICE directive before you connect equipment — and document the suspicion basis if one is required.


E.8 The Fifth Amendment — compelled decryption

The Fifth Amendment bars compelling a person to give testimonial, incriminating communication. Encryption sits squarely on this line: can the government force a suspect to decrypt a device?

  • Producing a passcode is testimonial — it reveals the contents of your mind. Compelling it implicates the Fifth.
  • The foregone conclusion doctrine is the key exception. From Fisher v. United States, 425 U.S. 391 (1976): if the government already knows the existence, location, and authenticity of the material, the act of production conveys nothing new and testimonial, so it can be compelled. Applied to decryption, courts divide on what must be a foregone conclusion — the files on the device, or merely that the suspect knows the password.

The split, at a glance

Court Outcome Foregone-conclusion theory
In re Boucher, 2009 WL 424718 (D. Vt. 2009) Compelled Existence of files already known
United States v. Fricosu, 841 F. Supp. 2d 1232 (D. Colo. 2012) Compelled Production not testimonial on these facts
In re Grand Jury Subpoena (Doe), 670 F.3d 1335 (11th Cir. 2012) Protected Government didn't show files existed/were accessible
Commonwealth v. Gelfgatt, 11 N.E.3d 605 (Mass. 2014) Compelled Defendant's knowledge of password was a foregone conclusion
Commonwealth v. Davis, 220 A.3d 534 (Pa. 2019) Protected Passcode is testimonial; foregone conclusion did not apply
State v. Andrews, 234 A.3d 1254 (N.J. 2020) Compelled Knowledge of passcodes was a foregone conclusion
Seo v. State, 148 N.E.3d 952 (Ind. 2020) Protected Act of production testimonial; state didn't meet the standard

There is no Supreme Court ruling resolving this. Outcomes turn on the jurisdiction and on how much the government already knows.

Passcode vs. biometric — a critical practical distinction

Unlock type Traditional treatment Trend
Passcode / password ("something you know") Testimonial → more Fifth Amendment protection Stable
Fingerprint / face ("something you are") Like a physical key/blood draw → non-testimonial (Schmerber v. California, 384 U.S. 757 (1966)) → compellable Contested — some courts now hold compelled biometric unlock is testimonial (e.g., In re Search of a Residence in Oakland, N.D. Cal. 2019)
COMPELLED-DECRYPTION QUICK ANALYSIS  (confirm with counsel; jurisdiction-dependent)
  Is the unlock a PASSCODE (mind) or BIOMETRIC (body)?
        |                                   |
   PASSCODE                            BIOMETRIC
        |                                   |
   Testimonial.                       Historically non-testimonial (compellable),
   Compellable ONLY if foregone       but several courts now disagree. Move fast:
   conclusion is met (gov't knows      a device in AFU (After First Unlock) state
   existence/control/authenticity).    is far more tractable than BFU.
        |
   If not met -> Fifth Amendment bar.

Forensic takeaway. The law gives you a strong reason to act fast and correctly on seizure: a device that is alive and already unlocked (or in an AFU state), or a known passcode, can sidestep the whole compelled-decryption fight. Keep the device powered and isolated, document everything, and coordinate with counsel before requesting any order. Technical depth: Chapter 24 — Mobile Device Forensics and Chapter 29 — Encrypted Device Forensics.


E.9 The exclusionary rule

Evidence obtained in violation of the Fourth Amendment is generally inadmissible in the prosecution's case-in-chief. Mapp v. Ohio, 367 U.S. 643 (1961) (states); Weeks v. United States, 232 U.S. 383 (1914) (federal). Derivative evidence is also excluded — the fruit of the poisonous tree (Wong Sun v. United States, 371 U.S. 471 (1963)).

Exceptions and limits

Doctrine Effect Anchor case
Good faith Reasonable reliance on a later-invalidated warrant saves the evidence United States v. Leon, 468 U.S. 897 (1984)
Independent source Evidence also obtained via a lawful, independent route is admissible Murray v. United States, 487 U.S. 533 (1988)
Inevitable discovery Would have been found lawfully anyway Nix v. Williams, 467 U.S. 431 (1984)
Attenuation Connection to illegality too remote Utah v. Strieff, 579 U.S. 232 (2016)
Standing Only a person whose own rights were violated can suppress Rakas v. Illinois, 439 U.S. 128 (1978)
Private search A private party's search isn't government action; police may repeat it within the same scope United States v. Jacobsen, 466 U.S. 109 (1984)

Recovery vs. Forensics. This is the dual-lens at its sharpest. A recovery tech restoring a client's drive owes no Fourth Amendment duty — but the moment your work might enter a courtroom, the exclusionary rule and the private-search doctrine govern how far you may look. Same image, two worlds. When in doubt, stop expanding scope and call counsel before you turn a lawful recovery into a tainted search.


E.10 Stored and transmitted data: ECPA, SCA, and the CLOUD Act

When the data lives with a provider (email host, ISP, cloud, telco), the Electronic Communications Privacy Act (ECPA, 1986) governs, in three parts:

ECPA title Statute Covers Typical compulsion
Wiretap Act (Title I) 18 U.S.C. § 2510 et seq. Real-time interception of content Super-warrant (Title III order)
Stored Communications Act (Title II) 18 U.S.C. § 2701 et seq. Stored content + records held by providers See ladder below
Pen Register / Trap & Trace (Title III) 18 U.S.C. § 3121 et seq. Real-time non-content (dialing/routing/addressing) Pen/trap order

SCA compulsion ladder (stored data from a provider)

You want… Instrument
Basic subscriber/transactional records (§ 2703(c)(2)) Subpoena
Other non-content records § 2703(d) court order ("specific and articulable facts")
Content of communications Search warrantUnited States v. Warshak, 631 F.3d 266 (6th Cir. 2010) held email content has Fourth Amendment protection; DOJ policy now uses warrants for content nationwide

The CLOUD Act (2018)

The Clarifying Lawful Overseas Use of Data Act (Pub. L. 115-141) did two things:

  1. Reach: A U.S. provider must produce data within its possession, custody, or control regardless of where it is stored. This resolved the dispute in Microsoft Corp. v. United States (the "Microsoft Ireland" case), which the Supreme Court dismissed as moot once the Act passed.
  2. Executive agreements: It authorizes the U.S. to sign agreements letting qualifying foreign governments request data directly from U.S. providers (and vice versa), bypassing the slow MLAT route, subject to rights safeguards. See E.13.

Legal Note. "Stored where?" stopped being the dispositive question for U.S. providers after the CLOUD Act — "who controls it?" is. But foreign blocking statutes and the GDPR (E.14) can still put a provider in a conflict of laws. That tension is the whole point of Chapter 31 — Cloud Forensics.


E.11 Civil litigation and eDiscovery (FRCP)

In civil cases, electronically stored information (ESI) is discoverable under the Federal Rules of Civil Procedure. The duty to preserve can arise long before a request is served. The 📜 Legal/eDiscovery track lives here.

The rules you cite most

Rule What it governs Key point
Rule 16(b) Scheduling order Court may include ESI and clawback terms early
Rule 26(b)(1) Scope of discovery Relevant + proportional to the needs of the case (2015 amendment)
Rule 26(b)(2)(B) Inaccessible ESI Need not produce ESI that is not reasonably accessible due to undue burden/cost — must identify it
Rule 26(b)(5) Privilege Privilege log; clawback of inadvertently produced privileged ESI
Rule 26(f) "Meet and confer" Parties confer early on ESI: scope, forms, preservation
Rule 33(d) Interrogatory answers from records May produce ESI in lieu of a narrative answer
Rule 34 Requests for production Requesting party may specify the form; otherwise produce as kept or in a reasonably usable form
Rule 37(e) Failure to preserve ESI The spoliation sanctions framework (below)
Rule 45 Subpoenas Reaches ESI held by non-parties
FRE 502 Privilege waiver 502(b) inadvertent-disclosure protection; 502(d) orders make clawback bulletproof

Rule 34 — forms of production

Form What it is Trade-off
Native Original file format (.xlsx, .pst, .docx) Preserves metadata; harder to Bates-stamp/redact
Near-native Native + extracted metadata load file Common compromise
Image (TIFF/PDF) Page images + load file + extracted text Easy to redact/Bates; loses dynamic metadata

Rule 37(e) — the spoliation framework (2015)

Was ESI that SHOULD have been preserved LOST because a party
failed to take REASONABLE steps, and it can't be restored/replaced?
        |                                   |
       NO  -> no Rule 37(e) sanctions      YES
                                            |
                           +----------------+----------------+
                           |                                 |
                   37(e)(1): on a finding of        37(e)(2): ONLY on a finding of
                   PREJUDICE, measures no            INTENT TO DEPRIVE the other party,
                   greater than necessary to         the court MAY:
                   cure the prejudice.                 (A) presume info was unfavorable
                                                       (B) adverse-inference instruction
                                                       (C) dismiss / default judgment

Intent is the dividing line. The harshest sanctions — adverse inference, dismissal, default — require a finding that the party acted with intent to deprive, not mere negligence. The 2015 amendment deliberately raised the bar and displaced the old "routine operation" safe harbor. Document your preservation steps; "reasonable steps" is your shield.

Litigation holds and the duty to preserve

The duty to preserve is triggered when litigation is reasonably anticipated — often before a complaint is filed. The seminal guidance is the Zubulake v. UBS Warburg line (S.D.N.Y. 2003–04), especially Zubulake IV (duty + scope) and Zubulake V (counsel's duty to monitor the hold).

A defensible hold:

  1. Identify the trigger and the date you knew or should have known.
  2. Scope custodians, systems, date ranges, and data types.
  3. Suspend auto-deletion (email retention, log rotation, backup recycling, ephemeral-messaging auto-purge).
  4. Notify custodians in writing; track acknowledgments.
  5. Reissue and monitor — holds are not "set and forget."
  6. Document every step (your future defense to a Rule 37(e) motion).

The original is sacred — civil edition. The same rule that makes you image before you touch a recovery drive makes you preserve before you process in litigation. Auto-deleting Slack/Teams messages and rotating logs after a hold attaches is the classic, avoidable spoliation. A legal-hold notice template is in E.16.

Tool Tip. The EDRM (Electronic Discovery Reference Model) stages — Information Governance → Identification → Preservation → Collection → Processing → Review → Analysis → Production → Presentation — are the standard mental model. Technology-assisted review (TAR / predictive coding) is judicially accepted; Da Silva Moore v. Publicis Groupe, 287 F.R.D. 182 (S.D.N.Y. 2012) was the first opinion to approve it.


E.12 Admissibility and expert testimony

Your findings reach the jury only if (a) the methodology clears the reliability gate and (b) the evidence is authenticated. As the examiner you are usually the expert witness — see Chapter 27 — Expert Testimony.

Frye vs. Daubert

Frye (1923) Daubert (1993)
Test "General acceptance" in the relevant scientific community Judge as gatekeeper of reliability under FRE 702
Source Frye v. United States, 293 F. 1013 (D.C. Cir. 1923) Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993)
Used by Federal courts before 1993; some states still (e.g., variants in IL, NY, PA, WA, CA's Kelly/Frye) Federal courts + most states
Reach Scientific evidence Scientific and technical/specialized (Kumho Tire, 526 U.S. 137 (1999))

The Daubert factors (non-exclusive):

  1. Can the theory/technique be (and has it been) tested?
  2. Has it been subject to peer review and publication?
  3. What is the known or potential error rate?
  4. Are there standards controlling the technique's operation?
  5. Is it generally accepted (Frye, folded in as one factor)?

Two companions complete the trilogy: General Electric Co. v. Joiner, 522 U.S. 136 (1997) (abuse-of-discretion review; courts may exclude where there is too great an "analytical gap"); Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999) (gatekeeping extends to technical experts — i.e., to you).

FRE 702 was amended December 1, 2023. The amendment makes explicit that the proponent must show by a preponderance of the evidence that the reliability requirements are met, and that the expert's opinion reflects a reliable application of the methodology to the facts — pushing back on overstated conclusions. Translate this to practice: validated tools, documented methods, known error rates, no opinions beyond what your data supports. This is why tool validation (see Appendix C — Tool Reference) is a courtroom issue, not just a lab one.

Authentication — and the hashing that powers it

Before content comes in, you must show the item is what you say it is (FRE 901). Digital evidence is commonly authenticated through chain of custody plus hash verification. Two self-authentication rules (effective December 1, 2017) let you do this by written certification instead of live foundational testimony:

Rule Self-authenticates… In plain terms
FRE 902(13) Records generated by an electronic process/system, shown by a qualified person's certification Logs/records a system produced
FRE 902(14) Data copied from an electronic device/storage/file, authenticated by digital identification (hashing) Your forensic image, proven unaltered by hash

The hash you cite in a 902(14) certification is generated like this — capture it at acquisition and again before production:

# Linux/macOS — hash the acquired image (record both for legacy + strength)
md5sum    evidence_disk1.dd
sha256sum evidence_disk1.dd

# Verify later (exit code 0 = match)
sha256sum -c evidence_disk1.dd.sha256
# Windows / PowerShell — hash and verify a forensic image
Get-FileHash -Algorithm SHA256 .\evidence_disk1.dd

# Compare an acquisition hash to a current hash (case-insensitive)
$acq = "9f2c...b3"   # hash recorded at acquisition
$now = (Get-FileHash -Algorithm SHA256 .\evidence_disk1.dd).Hash
if ($acq -ieq $now) { "MATCH - image unaltered" } else { "MISMATCH - investigate" }
# Build a minimal authentication record for a 902(14) certification.
# Illustrative only; never executed in the sandbox.
import hashlib, datetime, json

def hash_evidence(path, algorithms=("md5", "sha256")):
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

record = {
    "evidence_id": "2026-0142-HDD-01",
    "image_file": "evidence_disk1.dd",
    "acquired_utc": datetime.datetime.utcnow().isoformat() + "Z",
    "examiner": "J. Rivera, GCFA",
    "hashes": hash_evidence("evidence_disk1.dd"),
}
print(json.dumps(record, indent=2))

Chain of Custody. A matching hash is the technical heart of 902(14): it proves the data produced is bit-for-bit identical to what you acquired. "I found this" becomes "I can prove this image is unaltered since acquisition at 14:22 UTC, SHA-256 9f2c…." Pair the hash with an unbroken custody record — forms in Appendix F. Acquisition mechanics live in Chapter 14 — Forensic Acquisition.


E.13 Cross-border: CLOUD Act agreements and MLATs

When evidence sits abroad — or is held by a foreign provider — you have three principal routes, fastest to slowest:

Route What it is Speed Notes
CLOUD Act executive agreement Direct provider requests between partner countries Fastest Requires a qualifying agreement (e.g., U.S.–U.K., U.S.–Australia) and rights safeguards
MLAT (Mutual Legal Assistance Treaty) Formal government-to-government evidence request Slow (months–years) Routed through DOJ Office of International Affairs (OIA)
Letter rogatory Court-to-court request where no MLAT applies Slowest Diplomatic channel; last resort
MLAT REQUEST FLOW (simplified)
Investigator/Prosecutor ---> DOJ Office of International Affairs (OIA)
        ---> Foreign Central Authority ---> Foreign court/authority executes
        ---> Evidence gathered abroad ---> returned through the same channel
(Plan for MONTHS. Preserve first via a provider preservation request / 18 U.S.C. § 2703(f)
 or the Budapest Convention's expedited-preservation mechanism so data survives the wait.)

Limitation — time is the enemy abroad. MLAT timelines routinely outrun data-retention windows. Send a preservation request immediately (domestically, 18 U.S.C. § 2703(f) lets you ask a U.S. provider to preserve for 90 days, renewable) and check whether a CLOUD Act agreement offers a faster lane. Don't let the formal process run while the data ages out.


E.14 GDPR for EU data

The EU General Data Protection Regulation (Regulation (EU) 2016/679, in force 25 May 2018) governs processing of personal data of people in the EU/EEA — and it reaches you even from the U.S. (Article 3 extraterritoriality) if you offer goods/services to, or monitor, EU data subjects. A forensic acquisition that ingests EU employees' or customers' data is "processing."

What you need at the keyboard

Topic Essentials
Personal data Any info relating to an identified/identifiable person; special categories (Art. 9: health, biometrics, etc.) get heightened protection
Lawful basis (Art. 6) Need one of: consent, contract, legal obligation, vital interests, public task, legitimate interests (the basis most cited for investigations — document the balancing test)
Core principles (Art. 5) Lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability
Data-subject rights Access, rectification, erasure ("right to be forgotten"), restriction, portability, objection
Breach notification (Art. 33) Notify the supervisory authority within 72 hours of becoming aware
Penalties Up to €20 million or 4% of global annual turnover, whichever is higher

The cross-border discovery conflict

GDPR Article 48 says a foreign court's or authority's order to transfer personal data is not, by itself, a lawful basis to transfer it out of the EU unless grounded in an international agreement (e.g., an MLAT). Combined with international-transfer rules (Chapter V — adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules), this routinely collides with U.S. discovery demands.

U.S. side wants GDPR side says Bridge
Broad Rule 34 production of EU custodians' data Data minimization + valid transfer basis required Narrow scope; pseudonymize; process in-region; SCCs; protective order
Direct order to transfer Art. 48: foreign order ≠ sufficient basis Use MLAT / international agreement
Speed 72-hour breach clock; DPA oversight Plan early; involve EU counsel + DPO

U.S. courts resolve the clash through a comity analysis (Société Nationale Industrielle Aérospatiale v. U.S. District Court, 482 U.S. 522 (1987) and the Restatement factors). The Sedona Conference International Principles are the standard practitioner guidance.

Schrems II changed the transfer rules. Data Protection Commissioner v. Facebook Ireland & Schrems (CJEU, Case C-311/18, 2020) invalidated the EU–U.S. Privacy Shield and tightened SCC use. The EU–U.S. Data Privacy Framework (adequacy decision, 2023) restored a transfer mechanism for certified U.S. organizations — but confirm current status before you rely on it; this area keeps moving.


E.15 A note on non-U.S. jurisdictions

Everything above is U.S.-centric. The instant a case crosses a border, assume the rules differ and engage local counsel. Some anchors that recur worldwide:

Instrument / standard What it gives you
Budapest Convention on Cybercrime (CoE, ETS 185, 2001) First international cybercrime treaty; harmonized offenses, expedited preservation, and mutual assistance. The Second Additional Protocol (CETS 224, 2022) adds enhanced cooperation and direct disclosure of e-evidence
ISO/IEC 27037 Identification, collection, acquisition, preservation of digital evidence (the international analogue to this book's process chapters)
ISO/IEC 27041 / 27042 / 27043 Investigation assurance / analysis & interpretation / incident investigation principles
ISO/IEC 27050 Electronic discovery
ACPO / NPCC Principles (UK) Four widely cited principles: don't change the data; if you must access original data, be competent and explain it; keep an audit trail; the case officer is responsible for compliance

Other privacy/data regimes you may meet:

Jurisdiction Law
United Kingdom UK GDPR + Data Protection Act 2018
Canada PIPEDA
Brazil LGPD
Japan APPI
China PIPL + Data Security Law (strict data-export controls)
South Africa POPIA
California (U.S.) CCPA / CPRA

Why this matters. Admissibility standards, warrant requirements, data-localization rules, and what even counts as a lawful search all vary by country. Common-law systems (U.S., U.K.) and civil-law systems differ on procedure and on the role of the expert. Technology changes, principles don't — image first, hash, document, preserve scope — but the legal authority is intensely local. Never assume a U.S. workflow is lawful abroad.


E.16 Templates and checklists

Reference forms you can lift to the keyboard. Adapt to your jurisdiction and have counsel review. Companion evidence forms are in Appendix F — Chain of Custody and Report Templates.

BEFORE YOU IMAGE — LEGAL AUTHORITY CHECK
[ ] What is my authority?  ( ) Warrant  ( ) Consent  ( ) Subpoena/Court order
                           ( ) Civil preservation/Rule 34  ( ) Owner request (recovery)
[ ] Authority is IN WRITING and attached to the case file
[ ] SCOPE is defined: devices/accounts, data categories, date range, offense/matter
[ ] The data/device is WITHIN the described scope (no out-of-scope exploitation)
[ ] Cloud/remote accounts: separately authorized or carved out
[ ] Cross-border data implicated?  -> MLAT / CLOUD Act / GDPR path identified
[ ] Privilege/special-category data anticipated?  -> filter/taint plan in place
[ ] Chain of custody started; write-blocker confirmed; hash plan set (MD5 + SHA-256)
[ ] If in doubt about authority -> STOP and confirm with counsel (documented)

Warrant-scope review checklist (digital)

[ ] Probable cause connects THIS device/account to the offense
[ ] Particularity — PLACE: device(s)/account(s) identified (make/model/serial/identifier)
[ ] Particularity — THINGS: data categories + time window + offense stated
[ ] Two-stage search contemplated (seize/image on scene, search off-site)
[ ] Search protocol limits: keywords, file types, dates, target artifacts
[ ] Plain-view discipline: out-of-scope contraband -> freeze + seek new warrant
[ ] Return/inventory and any retention limits noted
CONSENT TO SEARCH ELECTRONIC DEVICE(S)
I, ____________________ (printed name), am the ( ) owner ( ) authorized user of:
  Device(s): __________________________________ (make/model/serial)
I understand I have the right to refuse, and may withdraw consent at any time.
I authorize ____________________ (examiner/agency) to:
  ( ) image and forensically search the device(s)
  ( ) search ONLY: ______________________________ (limited scope)
This consent ( ) does / ( ) does not extend to cloud accounts linked to the device.
Signature: ___________________  Date/Time: __________  Witness: ___________________
TO: [Custodians / IT]            DATE: __________      MATTER: __________
A legal hold is now in effect. You must PRESERVE and must NOT delete, alter,
or overwrite the following, effective immediately and until further notice:
  Scope: [custodians, systems, repositories]
  Data types: [email, files, chat/Teams/Slack, mobile, backups, logs, databases]
  Date range: [____ to present]
ACTION REQUIRED:
  - Suspend auto-deletion / retention purges / backup recycling / ephemeral auto-delete
  - Do not wipe or reassign departing-employee devices in scope
  - Reply to acknowledge by [date]
Questions -> [counsel]. Reissued/monitored per Zubulake V duty.

FRE 902(14) certification (skeleton — declaration under 28 U.S.C. § 1746)

CERTIFICATION OF DATA COPIED FROM AN ELECTRONIC DEVICE (FED. R. EVID. 902(14))
I, ____________________, declare:
1. I am qualified to make this certification (training/experience: ____________).
2. On [date/time UTC] I acquired a forensic image of [device, make/model/serial]
   using [tool + version] with [write-blocker model].
3. The image file is "[filename]". Its hash values are:
     MD5:    ________________________________
     SHA-256: ________________________________________________________________
4. The data produced was copied from that image and authenticated by digital
   identification (hash comparison); the verification hash MATCHES the value above,
   establishing the data is identical to the source as acquired.
I declare under penalty of perjury that the foregoing is true and correct.
Executed on __________.        Signature: ____________________

E.17 Quick citation index

Topic Primary authority
Phone search incident to arrest Riley v. California, 573 U.S. 373 (2014)
Cell-site location data Carpenter v. United States, 138 S. Ct. 2206 (2018)
Reasonable expectation of privacy Katz v. United States, 389 U.S. 347 (1967)
GPS tracking / trespass United States v. Jones, 565 U.S. 400 (2012)
Voluntariness of consent Schneckloth v. Bustamonte, 412 U.S. 218 (1973)
Border forensic search (9th Cir.) United States v. Cotterman, 709 F.3d 952 (2013)
Foregone conclusion Fisher v. United States, 425 U.S. 391 (1976)
Exclusionary rule (states) Mapp v. Ohio, 367 U.S. 643 (1961)
Good-faith exception United States v. Leon, 468 U.S. 897 (1984)
Email content needs a warrant United States v. Warshak, 631 F.3d 266 (6th Cir. 2010)
Expert reliability gatekeeping Daubert v. Merrell Dow, 509 U.S. 579 (1993); FRE 702 (am. 2023)
General acceptance Frye v. United States, 293 F. 1013 (D.C. Cir. 1923)
Litigation-hold duty Zubulake v. UBS Warburg (S.D.N.Y. 2003–04)
Spoliation of ESI Fed. R. Civ. P. 37(e) (am. 2015)
Stored data from providers ECPA / SCA, 18 U.S.C. §§ 2510, 2701, 3121 et seq.
Overseas data control CLOUD Act, Pub. L. 115-141 (2018)
EU personal data GDPR, Regulation (EU) 2016/679
EU transfer rules Schrems II, CJEU C-311/18 (2020); EU–U.S. DPF (2023)
International cybercrime cooperation Budapest Convention, ETS 185 (2001); 2nd Protocol (2022)

E.18 Cross-references

Chapters: - Chapter 5 — The Forensic Process — preservation, hashing, and chain of custody that these rules presuppose. - Chapter 14 — Forensic Acquisition — imaging/write-blocking/hashing that underpin FRE 902(14). - Chapter 15 — Live Response and Triage — exigency, device isolation, AFU/BFU timing. - Chapter 24 — Mobile Device ForensicsRiley, passcode vs. biometric in practice. - Chapter 25 — The Legal Framework — the full narrative treatment (this appendix condenses it). - Chapter 26 — The Forensic Report — documenting authority and method for admissibility. - Chapter 27 — Expert Testimony — surviving a Daubert/Frye challenge and cross-examination. - Chapter 28 — Ethics — mandatory reporting (18 U.S.C. § 2258A), scope discipline, examiner well-being. - Chapter 29 — Encrypted Device Forensics — the technical side of compelled decryption. - Chapter 31 — Cloud Forensics — SCA/CLOUD Act in operation; cross-border data. - Chapter 33 — Cryptocurrency Investigation — subpoenas to exchanges, cross-border records.

Appendices: - Appendix C — Tool Reference — tool validation supporting Daubert reliability. - Appendix D — Forensic Artifact Locations — what your warrant scope must reach. - Appendix F — Chain of Custody and Report Templates — the forms that prove integrity. - Glossary — definitions of the legal terms used here.


Final reminder. This appendix is a map, not the territory. The doctrines on compelled decryption, border searches, and cross-border production are unsettled and circuit-dependent, and statutes/rules are amended (FRE 702 in 2023, the DPF in 2023). Treat every entry as a prompt to verify current law and confirm authority with counsel before you act. Get it in writing, hash it, document it — then you can prove not just what you found, but that you were allowed to find it.