59 min read

> Where you are: Part IV, Chapter 25 of 40. Parts II and III taught you to get the data back and to find and preserve the evidence — logical recovery, carving, acquisition, Windows and mobile artifacts, timelines, memory. This part governs whether...

Chapter 25: The Legal Framework — Warrants, Consent, Corporate Authority, and When You're Allowed to Look

Where you are: Part IV, Chapter 25 of 40. Parts II and III taught you to get the data back and to find and preserve the evidence — logical recovery, carving, acquisition, Windows and mobile artifacts, timelines, memory. This part governs whether any of it counts. Chapter 5 warned, in a single sentence, that the cleanest image and the most flawless chain of custody are worthless — and may be illegal — if you lacked the authority to look in the first place. This chapter is that warning turned into working knowledge: the Fourth and Fifth Amendments and their digital application, search warrants and their limits, consent, border searches, corporate authority, civil eDiscovery under the Federal Rules of Civil Procedure, the international tangle of MLAT/CLOUD Act/GDPR, the exclusionary rule, and the standard — Daubert/Frye — that decides whether your method even gets through the courtroom door. The courtroom anchor case returns here in its legal dimension, and the corporate IP-theft thread (your progressive-project case) gets its authority analysis.

Learning paths: 📜 Legal/eDiscovery — this is your chapter; every section is load-bearing. 🔍 Forensic Examiner — know it cold, because the cross-examination in Chapter 27 is built on it and a single authority misstep can suppress an entire case. 🛡️ Incident Response — focus on corporate authority, the state-action line, and preservation/litigation holds; you operate inside policy, not warrants. 💾 Data Recovery — you may think the law is for other people, but the state-action line decides whether the Fourth Amendment touches you at all, and the "when a recovery becomes a case" sections are exactly the moments that have ended careers. Read those.


"Can I look at this?" — the question that comes before the tools

Picture two examiners, each technically perfect. Both write-block. Both image to E01. Both compute SHA-256 of the source and the copy and show they match. Both keep a contemporaneous chain of custody with a signature for every transfer. Both recover the same deleted files, read the same registry hives, and build the same timeline. By every standard in Chapter 5 and Chapter 14, their work is indistinguishable.

One of them put a guilty person in prison. The other got every byte of their work thrown out — suppressed, excluded, gone — because they examined a device they had no lawful authority to examine. The drive was seized without a valid warrant, or the search ranged far beyond what the warrant allowed, or "consent" came from someone who had no right to give it. The method preserved and proved; it could not manufacture authority. And authority, not technique, is what the law checks first.

This is the hardest lesson for technically-minded people to internalize, because it offends the engineer's instinct that a correct procedure produces a correct result. In forensics, a procedure can be correct in every measurable way and still produce nothing — because the question the law asks is not "did you do it right?" but "were you allowed to do it at all?" The most pristine image in the world, acquired without authority, is not evidence. It is a liability.

So this chapter is about the question that comes before the write-blocker: what is my lawful basis for examining this device or this data? There are only a few good answers — a warrant, valid consent, corporate authority over a company asset, or civil legal process — and a great many ways to get it wrong. We will work through each, ground each in the cases that define it, and end where every honest treatment of this subject must end: with the single most professional instinct you can develop, which is knowing the moment to stop, set down the keyboard, and call a lawyer.

Legal Note. This chapter is education, not legal advice. It is U.S.-centric because the U.S. produces the most developed digital-evidence case law and because the four anchor cases are set there; it notes other jurisdictions where it matters, but it cannot cover them all. The law in this area is unusually unsettled — the Supreme Court has resolved only a handful of digital questions, the circuits split on others, and statutes and rules change. Nothing here substitutes for advice from a licensed attorney in the relevant jurisdiction about a specific matter. When this chapter says "call a lawyer," it means exactly that. The reference companion is Appendix E — Legal Frameworks Reference; use it as a cheat sheet, not a substitute for counsel.

The Fourth Amendment: the government, "searches," and the expectation of privacy

The Fourth Amendment to the U.S. Constitution is two sentences written in 1791, long before anyone imagined a 4-terabyte solid-state drive:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Three ideas in that text run the whole show. First, it protects against unreasonable searches and seizures — reasonableness, not perfection, is the standard. Second, the default mechanism for a reasonable search is a warrant, issued by a neutral magistrate on probable cause, and particularly describing what may be searched and seized. Third — and this is the part that controls whether the Amendment applies to you — it constrains the government. The Fourth Amendment is a limit on state action. It does not, by its own force, restrain a private citizen, a corporation, or a data-recovery shop. Hold that thought; it returns in a moment and it is the single most important idea in this section for the recovery and corporate audience.

Why This Matters. Authority is the foundation under the foundation. Chapter 5 called the forensic process "the spine" of the book, but the spine rests on something: the legal right to do the examination at all. You can build a perfect evidentiary structure on top of an unlawful search and the whole thing collapses, because the unlawful search poisons everything that flows from it (the exclusionary rule, below). This is theme four — technology changes, principles don't — in its most literal form: an 18th-century principle about "papers and effects" now governs whether you may read someone's text messages, and courts have spent the last decade mapping the old words onto the new realities.

What counts as a "search": Katz and the expectation of privacy

For most of the twentieth century, a "search" meant a physical trespass. That changed in Katz v. United States (1967), where the government bugged a public phone booth. The Court held that the Fourth Amendment "protects people, not places," and that a search occurs when the government violates a person's reasonable expectation of privacy. Justice Harlan's concurrence gave us the two-part test still used today: (1) the person exhibited an actual, subjective expectation of privacy, and (2) that expectation is one society is prepared to recognize as reasonable. "What a person knowingly exposes to the public," Katz said, "is not a subject of Fourth Amendment protection. But what he seeks to preserve as private... may be constitutionally protected."

Digital storage is the purest imaginable case of "seeking to preserve as private." A modern phone or laptop holds, as the Supreme Court itself observed, the "privacies of life" — every photo, message, location, search query, financial record, and medical detail a person has. That intuition produced the single most important digital Fourth Amendment case to date.

Riley, Carpenter, and the digital line of cases

Riley v. California (2014) is the case every examiner must know. Police arrested Riley and, under the long-standing "search incident to arrest" exception (which lets officers search an arrestee and the area within reach without a warrant), went through the data on his smartphone. A unanimous Supreme Court said no: searching the digital contents of a cell phone seized incident to arrest generally requires a warrant. Chief Justice Roberts explained why the analog exceptions do not transfer — a phone is not a cigarette pack. Its storage capacity is immense, it aggregates many distinct types of sensitive information, it reaches back in time for years, and it is a window into data that is not even on the device (cloud-synced content). The Court's memorable instruction to officers who want to search a phone: "Get a warrant."

Carpenter v. United States (2018) extended the privacy intuition to data held by third parties. For decades, the third-party doctrine (from Smith v. Maryland, 1979, on dialed numbers, and United States v. Miller, 1976, on bank records) held that information you voluntarily hand to a third party carries no reasonable expectation of privacy — the government can get it without a warrant. Carpenter carved a major exception: accessing a week or more of historical cell-site location information (CSLI) — the records of which towers a phone connected to, held by the carrier — is a Fourth Amendment search requiring a warrant, because that location trail is so revealing and so inescapably generated that it is not meaningfully "voluntary." Carpenter is narrow on its face but enormous in implication: it signals that the third-party doctrine does not automatically swallow the cloud era, and litigators now test its edges against email metadata, IP logs, smart-device telemetry, and more (relevant to Chapter 31, Cloud Forensics).

Two more anchor decisions round out the line. United States v. Jones (2012) held that physically attaching a GPS tracker to a vehicle and monitoring it is a search (decided on a trespass theory, with a five-Justice concurrence emphasizing the Katz privacy theory for long-term tracking). Kyllo v. United States (2001) held that using a thermal-imaging device to detect heat patterns inside a home is a search, because it reveals details of the home's interior that would previously have required physical entry — a principle that resonates every time a new sensing technology lets the government learn what used to be private without crossing the threshold. Together these cases teach the examiner a usable rule of thumb: the more comprehensive, revealing, and effortless the digital collection, the more likely a court treats it as a search requiring a warrant — regardless of how the old categories would have classified it.

The line that decides whether the Fourth Amendment touches you: state action

Return to the idea flagged earlier. The Fourth Amendment restrains the government. A private party who searches someone's property and turns the results over to police has not violated the Fourth Amendment, because there was no state action — and under the private-search doctrine (United States v. Jacobsen, 1984), the government may then re-examine to the extent of the private search without a warrant, because the private search already frustrated any expectation of privacy in what was exposed. This matters enormously to the 💾 recovery audience and to corporate examiners, and it cuts two ways.

It protects you: when a client brings a drive to your shop and asks you to recover their files, your examination is not a Fourth Amendment "search," because you are a private actor working at the owner's request. If, in the course of that lawful recovery, you stumble onto evidence of a crime (the wedding-photos job that turns up something it shouldn't have), your discovery is not tainted by the Fourth Amendment.

But it also traps you: the moment you start acting as an agent or instrument of the government — the police ask you to "look a little further," or to search areas the client never authorized, or you're effectively doing the government's investigating for it — you can be transformed into a state actor, and from that moment forward the Fourth Amendment binds you. Courts assess agency by asking whether the government knew of and acquiesced in the search and whether the private party intended to assist law enforcement. The practical lesson is sharp: the instant law enforcement gets involved in your private recovery or corporate matter, the legal ground shifts under your feet. That is a "stop and call a lawyer" moment, covered at length below.

Recovery vs. Forensics. The same act — opening a client's files — is a routine, lawful recovery when you do it at the owner's request as a private actor, and a Fourth Amendment search the moment you do it at the government's direction. The technique never changed; the legal character did, because the actor changed. This is the signature dual-lens of the whole book applied to law instead of artifacts: identical bytes, different consequences. A recovery engineer who does not understand this line can convert their client's evidence — and their own conduct — into a constitutional problem without touching a single new sector.

Search warrants for digital evidence

When the government wants to search a device and no exception applies, it needs a warrant. Warrants for digital evidence raise problems the framers never faced, and three of them — particularity, over-seizure, and plain view — are where examinations live or die.

Probable cause and particularity

A valid warrant requires probable cause (a fair probability that evidence of a crime will be found) and particularity — it must describe the place to be searched and the things to be seized with enough specificity that the executing officer's discretion is meaningfully cabined. The particularity requirement exists to prevent the "general warrant" the colonists despised: a license to rummage through everything looking for anything.

Digital media strain particularity to the breaking point. A warrant can name a place easily ("the residence at 14 Elm Street; all digital devices found therein"). Describing the things to be seized is harder, because the responsive data — say, "records of financial fraud" — is intermixed, on the same drive, with gigabytes of utterly irrelevant and deeply private material. A well-drafted warrant therefore describes the categories of information sought and ties them to the suspected offense and, often, a time window. Compare a vague, constitutionally vulnerable command ("seize all computers and examine all files") with a particular one:

ATTACHMENT B — PROPERTY TO BE SEIZED (digital)
  Evidence, for the period 01 JAN 2025 through 14 JUN 2026, of violations of
  [18 U.S.C. § ____], consisting of:
    1. Records, communications, and documents concerning [the specific scheme];
    2. Financial spreadsheets, invoices, and accounting files relating to [X];
    3. Records showing transfer of the above to removable media or cloud storage;
    4. Evidence of user attribution (which account/person controlled the device).
  Digital devices capable of storing items 1–4 may be seized and imaged.

SEARCH PROTOCOL
  Seized media may be imaged and reviewed OFF-SITE. The Government shall employ
  search methodology (keyword, file-type, and date-range filtering) reasonably
  designed to locate the items above, and shall route potentially privileged
  material to a separate FILTER (TAINT) TEAM walled off from the case team.

For the examiner, the warrant is not background paperwork — it is your scope. Read it before you image, and read it again before you analyze. Attachment B is the boundary of what you may look for. Everything inside it is fair game; everything outside it is, presumptively, off limits. The discipline this imposes — searching for what you are authorized to find and not wandering — is the scope discipline introduced in Chapter 5, and it is enforced not by good intentions but by method, as the tool demonstration below shows.

Seize-now, search-later, and the over-seizure problem

You cannot meaningfully search a 4 TB drive on a suspect's kitchen counter at 6 a.m. during a warrant execution. The practical reality of digital evidence is two-step: agents seize (or on-site image) the device, take it back to the lab, and conduct the painstaking forensic search later. Federal Rule of Criminal Procedure 41(e)(2)(B) explicitly blesses this: a warrant for electronically stored information authorizes seizing or copying the media and a later review, and the Rule clarifies that the 14-day execution window in Rule 41(e)(2)(A) refers to the on-site seizure or copying — not to the off-site review, which reasonably takes longer.

The cost of this convenience is over-seizure. To find the responsive 0.1% of a drive, the government takes 100% of it — including everything private and irrelevant. Courts tolerate this as a practical necessity but watch it warily, because an unrestricted forensic search of an entire drive looks uncomfortably like the general rummaging the particularity requirement forbids. Judges have responded with tools: insisting on search protocols, limiting retention of non-responsive data, requiring return or deletion of irrelevant material, and scrutinizing searches that conveniently "stumble" into evidence of unrelated crimes. The examiner's defense against an over-seizure challenge is to show restraint on the record: filter by the warrant's date range, search the warrant's keywords and file types, document what you searched and what you deliberately did not open, and stay inside Attachment B.

The plain-view doctrine lets an officer who is lawfully present seize an object whose incriminating character is immediately apparent, even if it wasn't named in the warrant (Horton v. California, 1990, which also held the discovery need not be "inadvertent"). In a physical search this is intuitive: while executing a fraud warrant in a living room, an officer who sees a kilo of cocaine on the coffee table may seize it.

Digital plain view is a minefield, because a hard drive is not a room you can take in at a glance. To "see" a file you typically must open it — and opening it is itself a search. If every file an examiner opens while looking for fraud records can be justified as "plain view" the moment it turns out to contain something else incriminating, then the particularity requirement evaporates and every digital warrant becomes general. The most influential judicial wrestling-match with this problem is United States v. Comprehensive Drug Testing (9th Cir. 2010, en banc — the "BALCO" steroids case), in which Judge Kozinski's opinion proposed aggressive limits on digital plain view (the most stringent version, later softened to guidance rather than a binding rule, even suggested the government should forswear reliance on plain view as a condition of getting these warrants). Courts have not adopted a single national rule, and the doctrine's digital application remains genuinely unsettled — which is precisely why the disciplined examiner does not bet a case on it.

The safe practice — the one that protects both the prosecution's case and the rights of the accused — is the second-warrant discipline: if, while searching within scope, you encounter apparent evidence of a different crime, you stop, do not expand the search, document exactly what you saw and how you came to see it (which file, what you were doing, what term or filter surfaced it), and obtain expanded authorization — a new or amended warrant — before going further into the new area. Charging ahead on a plain-view theory risks suppressing the very evidence you found, which serves no one.

Legal Note. The second-warrant reflex is the operational core of scope discipline. It is not timidity; it is how evidence survives. An examiner who pauses to get a fresh warrant after spotting something outside scope produces evidence that stands up; an examiner who keeps clicking "to be sure" hands the defense a suppression motion and may taint the entire examination under the fruit-of-the-poisonous-tree doctrine (below). When in doubt about whether something is in scope, treat it as out of scope and escalate.

The courtroom anchor, analyzed legally

Return to the anchor case introduced clinically in Chapter 5: a laptop submitted in a criminal matter under a warrant. Suppose the warrant authorizes a search for evidence of a specific offense — say, financial records relating to a fraud — and, while running the authorized keyword and date-range search, you encounter a file that appears to be child sexual abuse material (CSAM). We treat this strictly as procedure, law, and ethics; we never describe content.

The legal questions stack up fast. Is the file within the warrant's scope? Almost certainly not, if the warrant named financial fraud. Does plain view save it? Maybe, maybe not — and you do not get to decide that under cross-examination pressure at 2 a.m. So you follow the discipline: stop the search, do not open further similar files, preserve the state exactly, document precisely how the file came into view, and immediately escalate — to your supervisor and to the case agent/prosecutor, who will seek an expanded warrant. There is also an overriding, independent obligation: apparent CSAM triggers mandatory handling and reporting duties. Federal law imposes reporting obligations on covered electronic communication service providers under 18 U.S.C. § 2258A (reports to the NCMEC CyberTipline), and possession/distribution offenses under 18 U.S.C. §§ 2252 / 2252A mean you must not create additional copies beyond what is lawfully necessary and authorized. A private or in-house examiner's personal duty arises from state mandatory-reporter statutes and standing lab policy, which uniformly require you to stop, preserve, minimize your own exposure, and escalate — not to "keep looking to be sure." The deep ethics of this — the victim, the accused, mandatory reporting, and the very real secondary trauma to the examiner — is owned by Chapter 28. The legal point here is narrow and crucial: doing it right protects the case (no suppression) and protects the accused's rights, and the same disciplined chain that convicts the guilty is what clears the innocent.

Ethics Note. "Stop and escalate" is sometimes merely good practice; with apparent CSAM it is a non-negotiable legal and moral imperative, and it applies even on a routine corporate or recovery job where you never expected it. You stop. You preserve. You minimize exposure. You escalate to the proper authority. You do not "confirm by looking more," you do not copy it for your own files, and you do not handle it casually. This is the point at which the book's recurring theme — the human cost is real — stops being a phrase. Chapter 28 treats the duty and the toll in full.

The most common exception to the warrant requirement is consent. If a person with authority over a device voluntarily agrees to a search, no warrant is needed. Simple to state; full of traps.

Voluntariness. Consent must be voluntary, not coerced. Schneckloth v. Bustamonte (1973) holds that voluntariness is judged by the totality of the circumstances, and — importantly — the government need not prove the person knew they had a right to refuse, though that knowledge is one factor. Consent extracted by a show of force, a false claim of a warrant, or a threat is not voluntary.

Scope. Consent searches are bounded by the scope of the consent given, measured objectively — what would a reasonable person have understood the consent to include (Florida v. Jimeno, 1991)? "Sure, look at my email" does not authorize imaging the whole drive and carving unallocated space. Smart practice is to obtain written consent that states the scope explicitly, because a clean form ends the "what did you agree to?" fight before it starts:

CONSENT TO SEARCH — DIGITAL DEVICE / DATA
  I, ____________________, am the owner / authorized user of the device(s)
  described below and have authority to consent to their search.

  Device(s):  Dell XPS 13, S/N ABC123; one (1) 64 GB USB flash drive.
  Scope of consent (what may be searched):  Email and documents related to
     the [subject] project, dated 2025-01 through 2026-06. [  ] ENTIRE device.
  I understand I MAY REFUSE and MAY WITHDRAW this consent at any time.
  Signature: ____________________   Date/Time: ________   Witness: ________

Withdrawal. Consent can be withdrawn at any time. Once withdrawn, the search must stop as to anything not already lawfully searched. This is operationally awkward in forensics — if you have already imaged the drive under valid consent and the person withdraws consent mid-analysis, the legal effect of the withdrawal on the existing image is a question for counsel (and often turns on whether the acquisition was already complete). The clean lesson: document the moment consent is given and the moment it ends, and when it ends, you stop and ask a lawyer what you may still do with what you already have.

Authority to consent. The consenter must actually have authority over the thing searched — actual authority, or apparent authority (a reasonable, if mistaken, belief that they have it; Illinois v. Rodriguez, 1990). For shared devices this gets subtle. A person with common authority over property may consent to its search (United States v. Matlock, 1974) — a spouse can usually consent to a search of a shared family computer. But a co-user generally cannot consent to another user's password-protected, separate account or files: in Trulock v. Freeh (4th Cir. 2001), a live-in partner could consent to a search of the shared computer but not to the defendant's password-protected files, in which he retained a reasonable expectation of privacy. And under Georgia v. Randolph (2006), when two people with authority are both present and one consents while the other expressly objects, the objection wins (at least for the shared premises). Encryption and per-user accounts (from the file-system mechanics of Chapter 4) are therefore not just technical boundaries — they are legal boundaries on who can consent to what.

Recovery vs. Forensics. Consent looks different in the two disciplines, but the authority question is identical. In recovery, your "consent" is the client's authorization to access their drive — usually airtight when the client owns the data. But ask the question the client may not have: do they have authority over all of it? A client recovering a shared family drive, a business partner's drive in a dispute, or a former employee's old laptop may not own — and may not be able to consent to your reading — every file on it. Same drive, same recovery technique, but the scope of authority can be narrower than the scope of the hardware. When that gap appears, you have a 📜 legal question wearing a 💾 recovery costume, and you treat it as one.

Border searches: different rules at the edge

The ordinary Fourth Amendment rules weaken dramatically at the international border (and its "functional equivalents," such as international airport arrival areas). Under the border-search exception, the sovereign's interest in controlling what enters the country lets agents conduct routine searches of people and belongings without a warrant and without any individualized suspicion (United States v. Ramsey, 1977; United States v. Flores-Montano, 2004). For luggage and ordinary effects, that rule is well settled.

Digital devices are the live frontier, and the courts split. The question is whether searching a phone or laptop at the border is "routine" (no suspicion needed) or "non-routine" (some justification required), and whether a deep forensic search differs from a quick manual scroll. The 9th Circuit in United States v. Cotterman (2013) held that a forensic search of a laptop at the border is non-routine and requires reasonable suspicion. The 4th Circuit (United States v. Kolsuz, 2018) likewise required individualized suspicion for a forensic device search. The 11th Circuit (United States v. Touset, 2018) went the other way — no suspicion required even for a forensic search. The 1st Circuit (Alasaad v. Mayorkas, 2021) rejected a reasonable-suspicion requirement but limited border device searches to locating contraband on the device itself. The Supreme Court has not resolved the split. Meanwhile, CBP Directive No. 3340-049A (2018) distinguishes a "basic" search (an officer manually reviewing what's on the device — no suspicion required under the policy) from an "advanced" search (connecting external equipment to review, copy, or analyze — which the policy says requires reasonable suspicion or a national-security concern).

BORDER DEVICE SEARCH — the unsettled landscape (illustrative summary)
  ROUTINE (luggage, effects) ......... no warrant, no suspicion (Ramsey/Flores-Montano)
  DEVICE — "basic" / manual .......... CBP policy: no suspicion needed
  DEVICE — "advanced" / forensic ..... CBP policy: reasonable suspicion (or nat-sec)
  COURTS ........... 9th & 4th Cir.: reasonable suspicion for forensic
                     11th Cir.: none required even for forensic
                     1st Cir.: no RS requirement, but limited to on-device contraband
                     SCOTUS: UNRESOLVED

For the practicing examiner this is not academic. If you carry case data, client data, or your own forensic tooling across a border, it may be subject to search under rules far more permissive than apply inland — and privileged or confidential material can be exposed. The professional response is planning: minimize what you carry, use clean travel devices, store sensitive case data in counsel-controlled cloud locations rather than on the laptop in your bag, understand that you may be asked to unlock the device, and get advice from counsel before you travel internationally with sensitive material. Encryption raises a separate, hard question — whether you can be compelled to unlock it — which is the Fifth Amendment problem we reach below.

Legal Note. Border rules are genuinely different and genuinely unsettled; what is lawful for the government to do to a device at JFK differs from what is lawful in a suspect's home, and it differs by circuit. If your work takes confidential or privileged data across a national border, that is a "plan ahead and ask counsel" matter, not a "wing it" matter.

Corporate investigations: authority on someone else's hardware

A large share of digital forensics happens with no warrant in sight, inside a company, on devices the company owns. This is the home of the employee-IP-theft anchor case and of your progressive-project matter. The authority here is not a warrant and not (only) consent — it is the employer's authority over its own assets, bounded by a thicket of privacy statutes that the Fourth Amendment's "no state action" carve-out does not eliminate.

Public vs. private employers — and the privacy floor

For public-sector employers (government agencies), the Fourth Amendment does apply, but in a softened form: in O'Connor v. Ortega (1987), the Court held that the "operational realities of the workplace" reduce a public employee's expectation of privacy, and work-related searches by the employer are judged by reasonableness, not by warrant-and-probable-cause. In City of Ontario v. Quon (2010), a police department's review of an officer's text messages on a department-issued pager was upheld: the Court assumed (without deciding) that the officer had some expectation of privacy, but found the search reasonable because it was justified at its inception by a legitimate work purpose and reasonable in scope.

For private-sector employers, the Fourth Amendment does not apply at all (no state action). But "the Fourth Amendment doesn't apply" is not the same as "anything goes," because several federal and state statutes restrain private employers regardless:

  • The Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., prohibits unauthorized access to stored electronic communications held by a provider — which is how reading an employee's personal webmail or private social-media content can become a crime even on a company laptop.
  • The Wiretap Act (Title I of ECPA, 18 U.S.C. § 2511) prohibits intercepting communications in transit (real-time monitoring), subject to consent and business-use exceptions.
  • The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, penalizes access that exceeds authorization.
  • State law adds two-party (all-party) consent recording statutes (California, Illinois, and others), state computer-crime and privacy laws, and sometimes constitutional or statutory employee-privacy protections stronger than federal law.

So the analysis for a private employer is: we own the device and have broad authority over what's on it — but we must not cross into the employee's protected personal communications and accounts, or we trade a clean internal investigation for our own statutory liability.

Acceptable-use policies and login banners

The mechanism that makes corporate authority clean is notice that defeats the expectation of privacy. A well-drafted acceptable-use policy (AUP), acknowledged in writing by the employee, plus a login banner the user sees and clicks past at every logon, together establish that the device is company property, that its use may be monitored, logged, and audited, and that the user has no reasonable expectation of privacy in their activity on it. When Katz's second prong — an expectation society recognizes as reasonable — is knocked out by clear, repeated notice, the employer's examination of its own device stands on firm ground.

LOGIN BANNER (illustrative)
  This is a Meridian Health Analytics information system, provided for
  authorized business use only. Usage may be MONITORED, RECORDED, and
  AUDITED. You have NO REASONABLE EXPECTATION OF PRIVACY in any data
  stored on or transmitted through this system. By logging in, you
  CONSENT to such monitoring. Unauthorized use may result in discipline,
  civil liability, and criminal prosecution.

The decisive word is before. The AUP and banner must exist and be acknowledged before the incident, not drafted afterward. This is theme four again — the technology and the misconduct change, but the principle is constant: authority over an employee device is built in advance, in policy, not improvised after you find something. The IP-theft investigation — the USB device history in the registry, the $FILE_NAME timestamps that betray timestomping, the browser history showing cloud uploads, the Prefetch/AmCache traces left by the very anti-forensic tool the employee ran (Chapter 30) — is examinable because the authority is clean: a company-owned laptop, a signed AUP, a monitoring banner. Take away the policy and the same artifacts become a privacy fight.

BYOD and the personal-data problem

Bring-Your-Own-Device (BYOD) wrecks the clean picture, because now the employee owns the hardware and the company data sits commingled with the employee's photos, personal email, banking, and family life. The employer's authority extends to the company's data, not to the device wholesale. Several principles govern:

  • Reading the employee's personal accounts can violate the SCA. In Pietrylo v. Hillstone Restaurant Group (D.N.J. 2009), managers who accessed an employee's password-protected, invite-only social-media group were found to have violated the SCA's analog. Cached credentials do not equal authorization.
  • Privilege can survive on personal webmail even on a company device. In Stengart v. Loving Care Agency (N.J. 2010), an employee used her personal, password-protected webmail (via a company laptop) to communicate with her attorney; the New Jersey Supreme Court held the attorney-client privilege survived and the employer could not read those messages — the company's policy did not put her on notice that personal webmail would be captured. If your collection ingests a user's personal webmail or attorney communications, you may be holding privileged material you are not entitled to read.

The defensible BYOD approach is built before the incident: a written BYOD policy and consent, Mobile Device Management (MDM) that containerizes corporate data so it can be collected (and remotely wiped) separately from personal data, and a collection methodology that segregates and minimizes — you collect the corporate container and the artifacts within scope, and you do not vacuum up the employee's personal life. When personal data or apparent privileged material surfaces, you stop touching it and route it to counsel.

Ethics Note. The fact that you can technically access something does not mean you are authorized to. A forensic image of a BYOD phone contains the employee's intimate life; an employer's investigation does not grant you a license to read it. "Could I open this?" and "Am I permitted to open this?" are different questions, and the gap between them is where careers and cases are lost. Minimize. Segregate. Document what you deliberately did not examine.

Civil litigation and eDiscovery: the Federal Rules of Civil Procedure

Outside the criminal world, a vast amount of forensic and recovery work serves civil litigation, where the governing framework is not the Fourth Amendment but the Federal Rules of Civil Procedure (FRCP) (and state analogs). Here the questions are about preservation, production, and proportionality — and the examiner is frequently a neutral or party-retained expert, not an investigator with a badge. This is the natural home of the 📜 Legal/eDiscovery path and of your progressive-project civil matter.

The duty to preserve and the litigation hold

The keystone is the duty to preserve. It attaches when litigation is reasonably anticipated — which can be well before a complaint is filed (a threatening demand letter, a serious internal dispute, a credible claim). The seminal explanations come from Judge Scheindlin's Zubulake v. UBS Warburg opinions (S.D.N.Y. 2003–04), especially Zubulake IV (the duty to preserve once litigation is anticipated) and Zubulake V (counsel's affirmative obligations to locate, preserve, and collect relevant ESI and to monitor compliance).

The operational tool is the litigation hold (legal hold): a written directive that suspends routine destruction and instructs custodians to preserve relevant materials. A defensible hold identifies the matter, the relevant time period, the custodians and data sources, and — critically — suspends auto-deletion (email retention purges, log rotation, ephemeral-messaging auto-delete, reformat/reissue of departing employees' devices). It is issued promptly and re-issued/monitored over the life of the matter.

LITIGATION HOLD NOTICE (illustrative)
  TO: [custodians]      RE: Anticipated litigation — Meridian v. [competitor]
  You must PRESERVE all documents and electronically stored information (ESI)
  relating to [subject], from 2025-01-01 to present, including: email, files,
  chats/IM, mobile data, cloud storage, and backups.
  DO NOT delete, alter, or overwrite any such ESI. Auto-delete and routine
  destruction are SUSPENDED for these materials. Do not reformat or reissue
  the subject laptop. Questions -> Legal. This hold remains in effect until
  Legal lifts it in writing.

Preservation is where the forensic discipline of this book and civil procedure converge. The most defensible way to preserve a key custodian's device is exactly the Chapter 14 workflow: a verified forensic image, hashed, with a chain of custody. "Self-collection" by custodians dragging files to a share is risky — it changes metadata and misses unallocated space — which is why counsel increasingly insists on forensically sound collection. In the cloud, preservation is a few commands: for a Microsoft 365 mailbox, an examiner or admin places a litigation hold that prevents even user-"deleted" items from being purged:

# Microsoft 365 / Exchange Online: place a custodian mailbox on Litigation Hold.
# (Illustrative — not executed here; requires the Exchange Online module + rights.)
Connect-ExchangeOnline
Set-Mailbox -Identity "j.okafor@meridian-health.example" `
            -LitigationHoldEnabled $true `
            -LitigationHoldDuration 2555 `          # days (~7 years); or 'Unlimited'
            -LitigationHoldOwner  "legal@meridian-health.example"

# Verify the hold is in force:
Get-Mailbox -Identity "j.okafor@meridian-health.example" |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDate

Chain of Custody. A litigation hold is a preservation obligation, and the forensic image is the gold-standard way to meet it. The same chain-of-custody apparatus you learned for criminal evidence — verified hashes, sealed originals, signed transfers (Appendix F) — makes a civil collection defensible when the other side challenges it. "We told people to save their stuff" is a hope; "we forensically imaged the custodian's laptop on this date, hash X, chain attached" is a defense.

FRCP 26 — scope, proportionality, and the meet-and-confer

Rule 26(b)(1) defines the scope of civil discovery: parties may obtain discovery of any non-privileged matter relevant to a claim or defense and proportional to the needs of the case. The proportionality language (strengthened in the 2015 amendments) lists six factors courts weigh: the importance of the issues, the amount in controversy, the parties' relative access to the information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense outweighs the likely benefit. Proportionality is the brake on the otherwise crushing cost of ESI discovery: you do not get to demand a forensic image of every device a 10,000-person company owns in a $50,000 dispute.

Rule 26(f) requires the parties to meet and confer early and to develop a discovery plan that, for modern cases, includes an ESI protocol: which sources will be searched, what search terms or technology-assisted review will be used, the form of production, and how privilege will be handled — often backed by a Rule 502(d) order (Federal Rule of Evidence 502(d)) that lets parties claw back inadvertently produced privileged material without waiving privilege. Rule 26(a) governs initial disclosures, and Rule 26(b)(5) governs privilege logs and claw-back of privileged ESI.

FRCP 34 — production and the form of ESI

Rule 34 governs requests for production of documents and ESI. A recurring forensic issue is the form of production: native files (with their metadata intact — usually what an examiner wants), or images/TIFFs with a load file and extracted text, or PDFs. Metadata — the MACB timestamps and authorship fields you learned to read in Chapter 21 — is often the whole point of forensic eDiscovery, and parties fight over whether it must be produced. The examiner's job is to collect and produce in a form that preserves the evidentiary value, which usually means native-with-metadata, not flattened printouts.

FRCP 37(e) — spoliation and sanctions

What happens when ESI that should have been preserved is not? Rule 37(e) (substantially rewritten in 2015) is the controlling federal standard for failure to preserve ESI, and its structure is essential to understand because it sets a deliberately high bar for the harshest sanctions. The rule applies when ESI that should have been preserved is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery. If so:

  • 37(e)(1) — upon a finding of prejudice to another party, the court may order measures no greater than necessary to cure the prejudice.
  • 37(e)(2)only upon a finding that the party acted with the intent to deprive another party of the information may the court impose the severe sanctions: a presumption that the lost information was unfavorable, an adverse-inference jury instruction, or dismissal/default judgment.

The dividing line is intent. Negligent loss can be cured (e(1)); only intentional destruction unlocks the case-ending sanctions (e(2)). This is where forensics becomes the proof of spoliation, and where two of the book's themes click together. Deleted ≠ destroyed (theme one): a custodian who "deletes" incriminating files has often not destroyed them, and the examiner recovers them from MFT remnants and unallocated space, undermining the spoliation in the first place. And every action leaves a trace (theme three): the act of wiping — running a disk-cleaner, mass-deleting on the eve of a hold, timestomping — leaves its own artifacts (the Prefetch/AmCache entry for the wiping tool, the gap in the logs, the inconsistent $STANDARD_INFORMATION` vs. `$FILE_NAME timestamps), and those artifacts are exactly how an examiner proves the intent that Rule 37(e)(2) demands. Anti-forensics rarely beats a thorough examiner; it usually just supplies the evidence of intent (Chapter 30).

Why This Matters. In civil litigation the examiner is often retained not to find the smoking-gun document but to prove that someone destroyed it — and to characterize the destruction as negligent (37(e)(1)) or intentional (37(e)(2)). That characterization can decide the case, and it rests entirely on technical artifacts you now know how to find. The legal standard (intent to deprive) and the forensic method (proving intent from traces) are two halves of one skill.

The Fifth Amendment: can they make you give up the password?

The Fourth Amendment governs searches; the Fifth Amendment governs compelled self-incrimination — "No person... shall be compelled in any criminal case to be a witness against himself." Encryption (Chapter 29) makes this concrete and unsettled: can the government compel a suspect to decrypt a device or produce a password?

The doctrine turns on whether the compelled act is testimonial. Producing the contents of a mind — a memorized passcode — looks testimonial, because it reveals the contents of the suspect's thoughts. But the "foregone conclusion" doctrine (from Fisher v. United States, 1976, refined in United States v. Hubbell, 2000) holds that the act of production is not meaningfully testimonial when the government already knows, with reasonable particularity, that the evidence exists, that the suspect possesses/controls it, and that it is authentic — so producing it "adds little or nothing" to the government's case. Courts have split badly on how this applies to passwords and devices:

  • Some courts treat a passcode as testimonial and protected, because it is the "contents of the mind" (e.g., Commonwealth v. Davis, Pa. 2019, holding compelled disclosure of a password violated the Fifth Amendment).
  • Others apply the foregone-conclusion exception to compel a passcode or decryption when the government's pre-existing knowledge is strong enough (e.g., Commonwealth v. Gelfgatt, Mass. 2014; State v. Andrews, N.J. 2020), echoing earlier district-court rulings (In re Boucher; United States v. Fricosu).
  • Many courts distinguish biometrics (fingerprint, face unlock) from passcodes, reasoning that compelling a fingerprint is like compelling a physical key or a blood sample — non-testimonial — whereas a passcode is testimonial. Other courts reject that distinction. The law here is in active flux and varies by jurisdiction.

The examiner's takeaway is not to resolve the split but to recognize it: whether you can obtain a decryption key by legal compulsion is a live legal question, not a technical one, and it is decided by counsel and the court, not at the keyboard. Plan your acquisition assuming you may not get the key (live capture of keys from memory, exploiting an unlocked state — Chapter 15, Chapter 29), and let the lawyers fight the Fifth Amendment battle.

International considerations: data has no borders, the law does

Cloud storage and global business mean the data you need is frequently somewhere else — on a server in Ireland, in a service controlled from California, belonging to a person protected by EU law. Three frameworks dominate.

MLAT — the slow formal channel. A Mutual Legal Assistance Treaty is a government-to-government agreement for obtaining evidence located abroad: U.S. authorities ask the treaty partner's authorities to collect and transmit the evidence under the partner's law. MLAT is the proper channel for much cross-border criminal evidence — and it is famously slow, often taking many months, which created pressure for faster mechanisms.

The CLOUD Act. The Clarifying Lawful Overseas Use of Data Act (2018) addressed a question that reached the Supreme Court in United States v. Microsoft Corp. (where Microsoft resisted a warrant for email stored in Ireland; the case was mooted when the Act passed). The CLOUD Act establishes that U.S. providers must produce data within their "possession, custody, or control" in response to lawful U.S. process regardless of where the data is physically stored. It also authorizes executive agreements with qualifying foreign governments (the U.S.–U.K. Data Access Agreement is the first) that let each country's law enforcement request data directly from the other's providers, bypassing the slow MLAT route for covered requests. For the examiner, the practical upshot: where the bytes physically sit matters less than who controls them.

GDPR and the EU. The EU's General Data Protection Regulation (Regulation 2016/679) protects the personal data of people in the EU and constrains how it may be processed and transferred — and it frequently collides with U.S.-style discovery. Key points for an examiner handling EU-related data:

  • Processing personal data needs a lawful basis (Art. 6), and data minimization (Art. 5) requires collecting only what is necessary — the opposite instinct from "image everything."
  • Article 48 provides that a foreign court or authority's judgment or order is not, by itself, a lawful basis to transfer personal data out of the EU; transfers should run through MLAT or an international agreement. This is the heart of the conflict between broad U.S. discovery and EU data protection.
  • Cross-border transfer mechanisms are restricted: after Schrems II (2020) invalidated the EU–U.S. Privacy Shield, transfers typically rely on Standard Contractual Clauses plus supplementary safeguards (and, more recently, the EU–U.S. Data Privacy Framework).
  • Some countries have blocking statutes that criminalize producing certain data for foreign proceedings outside official channels.

The defensible approach for EU data in U.S. litigation is to work with counsel and follow frameworks like The Sedona Conference's International Principles on Discovery, Disclosure & Data Protection — minimize, process in-region where possible, anonymize/pseudonymize, and use proper transfer mechanisms. This is not a do-it-yourself area.

Limitation. No technical skill overcomes a jurisdictional wall. You can image a server in seconds and still be legally barred from doing so — or from exporting what you imaged. "I can technically reach the data" never answers "am I legally permitted to collect, transfer, and use it across these borders?" That question belongs to counsel, and the cost of getting it wrong ranges from suppressed evidence to your client's exposure under foreign privacy law.

A note on other jurisdictions

This chapter is U.S.-centered, but the principle travels even where the rules differ. The United Kingdom polices digital evidence handling through the Police and Criminal Evidence Act (PACE) and the ACPO/NPCC good-practice principles (Chapter 5), and surveillance/interception under the Investigatory Powers Act. Canada applies the Charter of Rights and Freedoms (s. 8, against unreasonable search). Civil-law systems handle investigation and evidence differently again. The constant across all of them — theme four — is that an examiner must establish lawful authority appropriate to the jurisdiction before examining, and must understand that the same artifact carries different legal requirements in different places. When the data, the device, or the people sit under another country's law, find out what that law requires before you act.

Putting it together: the authority decision and the "stop" reflex

You now have the pieces. In practice they collapse into a single habit you run at the start of every matter and re-run whenever something surprises you: establish your authority, define your scope, and stay inside it — and the moment authority is unclear or scope is exceeded, stop.

            ┌────────────────────────────────────────────────────────┐
            │  BEFORE YOU IMAGE OR ANALYZE ANYTHING:                  │
            │  "What is my lawful authority to look HERE, for THIS?"  │
            └───────────────────────────┬────────────────────────────┘
                                         │
      ┌───────────────┬─────────────────┼────────────────┬───────────────────┐
      ▼               ▼                 ▼                ▼                   ▼
   WARRANT?        CONSENT?        CORPORATE          CIVIL              NONE / UNSURE
  (LE, criminal)  (voluntary,     AUTHORITY?        PROCESS?           ──────────────
  ───────────     by someone w/   (company-owned    (subpoena, court   ► STOP.
  Read it. Scope  ACTUAL/apparent device + AUP +    order, FRCP        ► Do not touch.
  = Attachment B. authority)      banner, signed    discovery)         ► Call a lawyer.
  Stay inside it. ─────────────   BEFORE incident)  ──────────────
                  Note scope;     ─────────────     Confirm hold,
                  it can be       Confirm ownership scope, and
                  WITHDRAWN.      & policy in       PROPORTIONALITY.
                                  writing.
      │               │                 │                │
      └───────────────┴────────┬────────┴────────────────┘
                               ▼
              AUTHORITY CONFIRMED → proceed, but STAY IN SCOPE,
              minimize, and document what you did NOT examine.
                               │
            Find something OUTSIDE scope (other crime, privileged,
            personal, foreign data, apparent CSAM)?  ───────────────► back to STOP.

When to stop and call a lawyer

This is the heart of the chapter, and the place where theme five — know your limitations — is most consequential. You are an examiner, not an attorney. Recognizing the moment to pause for legal guidance is not a weakness in your skills; it is one of your skills, and it protects the case, the client, the accused, and you. Stop and get legal advice when:

  • You are unsure of your authority. No warrant, no clear consent, no confirmed corporate ownership/policy, no civil process you can point to — do not image, do not analyze. Uncertain authority is no authority.
  • You find evidence of a crime outside your scope — and immediately and without exception if you encounter apparent CSAM, in any matter, including a routine recovery. Stop, preserve, minimize exposure, escalate.
  • Consent is withdrawn, or the person who gave it turns out to lack authority.
  • You encounter apparent privileged material (attorney-client communications, work product) or a flood of an individual's personal data on a corporate/BYOD device.
  • The data, the device, or the people are in another country, or you are about to take case data across a border.
  • A routine recovery reveals a dispute or a crime — a business-partner conflict, a divorce, illegal content, anything that means a courtroom might be in the future. Upgrade to the forensic workflow and start a chain of custody from now, honestly documenting the transition (Chapter 5).
  • Anyone asks you to exceed scope, to delete, to alter, or to "make something go away." That request is itself a red flag, and your answer is to stop and consult counsel — never to comply quietly.
  • Legal process is served on you — a subpoena for your work, a warrant for your lab, a preservation demand. Do not respond off the cuff; call counsel.

War Story. An IT contractor was asked by a manager to "see what's on" a departing employee's personal phone that had been left charging at a desk, looking for proof the employee was steering clients to a competitor. No policy covered the personal phone; no consent was obtained; the contractor pulled the phone's messages, including the employee's communications with their own lawyer. The "evidence" was not only useless — it exposed the company to Stored Communications Act and state-privacy claims, and the privileged messages created a disqualification fight that derailed the actual case. The contractor's mistake was not technical; the extraction was flawless. The mistake was answering "can I get the data?" instead of "am I authorized to look at this device, for this purpose?" One phone call to counsel before touching the phone would have produced the right answer: don't.

The exclusionary rule: the cost of getting it wrong

What actually happens when a search exceeds its authority? In criminal cases, the primary consequence is the exclusionary rule: evidence obtained in violation of the Fourth Amendment is generally inadmissible in the prosecution's case-in-chief (Weeks v. United States, 1914, for federal cases; Mapp v. Ohio, 1961, applying it to the states). The rule's purpose is to deter unlawful government conduct by denying it the fruits.

Worse for the careless examiner, the taint spreads. Under the fruit of the poisonous tree doctrine (Wong Sun v. United States, 1963), evidence derived from an illegal search is also excluded — so an unlawful initial search can poison every downstream discovery that flowed from it. An examiner who exceeds the warrant's scope can therefore lose not just the out-of-scope file but everything the unlawful search led to.

There are important exceptions that sometimes save evidence, and you should know them so you neither despair nor overrely on them:

  • Good-faith exception (United States v. Leon, 1984): evidence obtained in objectively reasonable reliance on a warrant later found defective may still be admissible.
  • Independent source (Silverthorne Lumber; Murray v. United States): evidence also obtained through a genuinely independent, lawful route is not excluded.
  • Inevitable discovery (Nix v. Williams, 1984): evidence that would inevitably have been found lawfully anyway may be admitted.
  • Attenuation: when the connection between the illegality and the evidence is sufficiently weakened.

Two caveats keep this in perspective. First, the exclusionary rule is primarily a criminal-case, government-conduct doctrine; in civil litigation and in private investigations the rule generally does not apply — but that is cold comfort, because a private actor who searches unlawfully faces direct liability (SCA, CFAA, privacy torts, state wiretap crimes) instead. Second, the exceptions are escape hatches a prosecutor argues after something went wrong; no competent examiner plans to rely on them. The professional plan is to never need them — establish authority, stay in scope, and the exclusionary rule never has anything to bite.

Getting it admitted: authentication and the Daubert/Frye standard

Authority gets your evidence lawfully obtained; two more doors stand between it and the jury. The evidence must be authenticated, and your methods must meet the standard for reliable expert/scientific evidence. Chapter 1 and Chapter 5 promised these standards live here; this is where the standards are defined. Surviving them on the stand is Chapter 27.

Authentication under Federal Rule of Evidence 901 requires evidence sufficient to support a finding that the item is what its proponent claims. For digital evidence, this is precisely what your hashes and chain of custody provide. The 2017 additions make the link explicit: FRE 902(13) allows records generated by an electronic process to be self-authenticating with a qualified person's certification, and FRE 902(14) allows data copied from an electronic device to be self-authenticating when a qualified person certifies it by its hash value — the SHA-256 you computed in Chapter 5 is the mechanism the rules use to let your image in without you authenticating every byte by hand. The best-evidence rules (FRE 1001–1003) treat an accurate duplicate as admissible as an original — and a verified forensic image is exactly that.

Reliability of method is governed, in federal court and most states, by the Daubert standard (Daubert v. Merrell Dow Pharmaceuticals, 1993, extended to technical and other specialized knowledge in Kumho Tire Co. v. Carmichael, 1999, and codified in FRE 702). Under Daubert, the trial judge is a gatekeeper who assesses whether an expert's methodology is reliable, weighing factors such as: whether the technique can be and has been tested; whether it has been subject to peer review and publication; its known or potential error rate; the existence and maintenance of standards controlling its operation; and whether it enjoys general acceptance in the relevant community. A minority of states still follow the older Frye standard (Frye v. United States, 1923), which asks only whether the technique is generally accepted in its field.

This is why the whole forensic process of this book is built the way it is. Write-blocking validated against the NIST CFTT specification (Chapter 14), tools with documented error characteristics, hashing with published algorithms, methods you can describe step-by-step so an independent examiner reproduces your result — every one of those choices exists to satisfy Daubert's "tested, peer-reviewed, error-characterized, standardized, generally accepted" gate. Method is admissibility. Sloppy, undocumented, unvalidated technique is not just bad craft; it is inadmissible craft. You will defend exactly these points under cross-examination in Chapter 27.

Tool demonstration: documenting authority and enforcing scope in code

A legal chapter still has a "tool," because scope discipline should not live only in your good intentions — it should live in your workflow and your logs. The point of these illustrations (not executed here, per the book's rule) is to make authority and scope provable the same way you make data integrity provable: with artifacts. Recall theme three — every action leaves a trace — and turn it to your advantage: a log that records every file you opened, and every file you declined to open because it was out of scope, is your best answer to "did you rummage?"

First, encode the authority boundary as data, derived from the warrant/consent/engagement letter — not chosen ad hoc by the examiner — and gate every file access through it, logging the decision:

import json, fnmatch
from datetime import datetime, timezone
from pathlib import Path

# Scope parameters come FROM THE AUTHORITY (warrant Attachment B / consent form /
# court-ordered ESI protocol) — never invented by the examiner mid-search.
AUTHORIZED_AFTER  = datetime(2025, 1, 1,  tzinfo=timezone.utc)   # warrant date window
AUTHORIZED_BEFORE = datetime(2026, 6, 14, tzinfo=timezone.utc)
KEYWORDS          = ["patient-analytics", "*.sql", "*.ipynb", "exfil", "okafor"]
AUDIT_LOG         = Path("/cases/MHA-2026-001/scope-audit.jsonl")

def in_scope(path: Path, mtime: datetime) -> bool:
    """A file is in scope only if BOTH the date window AND a term matches."""
    if not (AUTHORIZED_AFTER <= mtime <= AUTHORIZED_BEFORE):
        return False
    hay = path.as_posix().lower()
    return any(fnmatch.fnmatch(path.name.lower(), t) or t in hay for t in KEYWORDS)

def examine(path: Path) -> bytes | None:
    """Open a file ONLY if in scope; log EVERY decision either way."""
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    decision = in_scope(path, mtime)
    with AUDIT_LOG.open("a") as log:
        log.write(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "file": path.as_posix(),
            "mtime": mtime.isoformat(),
            "in_scope": decision,                 # False entries PROVE restraint
        }) + "\n")
    if not decision:
        return None                                # out of scope: do not open
    return path.read_bytes()                        # reached only for in-scope items

The in_scope == False lines in that audit log are as valuable as the True ones: they document, contemporaneously, every place you could have looked and deliberately did not — the record that defeats an over-seizure or scope-creep argument. For civil preservation, the parallel discipline is a defensible, metadata-preserving collection with a verifiable manifest:

# Preserve a custodian collection without altering metadata, then HASH everything
# so any later change is provable (better still: a full forensic image, Ch.14).
rsync -a --info=progress2 /custodian/share/ /cases/MHA-2026-001/preserved/   # -a keeps mtimes
hashdeep -c sha256 -r /cases/MHA-2026-001/preserved/ > preserved.sha256.manifest
#   ... later, audit that nothing changed in our custody:
hashdeep -c sha256 -r -a -k preserved.sha256.manifest /cases/MHA-2026-001/preserved/
#   hashdeep: Audit passed

And when potentially privileged material is in play, route it to a walled-off filter (taint) team so the case team never sees it — the structure courts increasingly expect:

   SEIZED IMAGE ──> FILTER / TAINT TEAM ──> privilege review ──┐
                    (walled off from the                       ├─► PRIVILEGED  -> log,
                     investigative team)                       │   withhold, court if disputed
                                                               └─► NON-PRIVILEGED -> release
                                                                   to CASE TEAM for analysis
   The case team analyzes ONLY what the filter team releases. The wall is the point.

Tool Tip. Make your scope provable, not just intended. Pin the authority parameters (date window, search terms, file types) to the warrant or ESI protocol in writing before you search, drive the search from those parameters, and keep the access log. When opposing counsel asks "how do we know you didn't go fishing through my client's private life?", the answer is a timestamped log showing exactly what you searched and what you passed over — and the parameters showing it all traces to the authority. That is the difference between saying you stayed in scope and proving it.

Worked example: the MHA matter — establishing authority before you analyze

Return to your progressive-project case from Chapter 5: Meridian Health Analytics (MHA) retained you after data engineer "J. Okafor" resigned, joined a competitor, and allegedly copied a proprietary patient-analytics dataset and source code to removable media or a personal cloud account before leaving. You verified the delivered image and wrote an investigation plan. Now apply this chapter's lens — authority — before a single artifact is analyzed.

Step 1 — Identify the legal framework. This is a civil matter (trade-secret/breach-of-duty), not criminal. There is no warrant and no Fourth Amendment search, because MHA is a private actor examining its own property — unless law enforcement later becomes involved and directs the work, which would shift the ground (state action). Your authority flows from corporate ownership plus policy, and the governing procedural rules, if litigation is filed, are the FRCP.

Step 2 — Confirm corporate authority on paper. Verify, in writing, that the laptop is company-owned, that Okafor signed an acceptable-use policy acknowledging the device is monitored and not private, and that a login banner put that notice in front of the user. With those in hand, the company's examination of the laptop — the USB device history in the registry, file-access timestamps, browser history, document metadata, the timeline (Chapter 21) — rests on clean authority, because Okafor had no reasonable expectation of privacy in activity on the company machine.

Step 3 — Define scope, in and out. In scope: artifacts of file access, removable-media use, and cloud/webmail upload of MHA proprietary data, within the relevant time window (the weeks before resignation), on this image. Out of scope: Okafor's personal devices not before you; their personal cloud or webmail accounts; and — the trap — any personal, password-protected content that happens to sit on the company laptop. If your analysis surfaces Okafor's personal Gmail or, worse, communications with Okafor's own attorney (the Stengart problem), you stop touching it and call MHA's counsel: reading it could violate the Stored Communications Act and could ensnare privileged material, converting a clean investigation into MHA's own liability.

Step 4 — Preserve and observe the hold. If litigation is reasonably anticipated (it is), a litigation hold must be in force: the laptop is not reformatted or reissued, auto-deletion is suspended, and the custodian's cloud mailbox is placed on hold (the PowerShell above). Your verified forensic image is the defensible preservation. Note the spoliation angle: if Okafor wiped files before leaving, deleted ≠ destroyed — you recover what you can — and the traces of the wiping (the disk-cleaner's Prefetch/AmCache entry, timestomping inconsistencies) become evidence of intent to deprive under Rule 37(e)(2) (Chapter 30).

Step 5 — Mind proportionality and production. Under Rule 26(b)(1), your collection and analysis must be proportional — image and analyze the subject laptop and the custodian's accounts, not every device MHA owns. Under Rule 34, plan to produce responsive ESI in a form that preserves metadata (native-with-metadata), because the timestamps are the case.

How it would differ if the facts changed. If this were criminal (Okafor charged with theft of trade secrets), you would need a warrant (or consent), your scope would be Attachment B, and an unlawful search could trigger the exclusionary rule. If Okafor used a BYOD personal phone for work, MHA's authority would shrink to the corporate container, and reaching the personal side would risk the SCA. If the proprietary data sat in an EU region or involved EU employees' personal data, GDPR (Art. 48, transfer restrictions) and possibly MLAT/CLOUD Act considerations would enter, and you would not export anything without counsel. Same evidence, same technical skills — wildly different authority depending on the legal frame. That sensitivity to the frame is the competence this chapter builds.

Common mistakes

  • Confusing technical access with legal authority. "I can get the data" never answers "am I permitted to look at this, for this purpose, here?" The most common and most damaging error in the field is answering the engineering question and skipping the legal one.
  • Treating the Fourth Amendment as someone else's problem. Recovery and corporate examiners assume the Constitution doesn't touch them — until they become a government agent (private-search/agency doctrine) and suddenly it does. Know the state-action line.
  • Ignoring or exceeding the warrant's scope. The warrant's Attachment B is your boundary, not a suggestion. Searching beyond it — or relying on a shaky "plain view" theory for out-of-scope finds — risks suppression and can taint the whole examination. Stop and get a second warrant.
  • Accepting consent from someone without authority, or ignoring its limits. A roommate can't consent to your password-protected files; consent can be limited and withdrawn. Get it in writing, note the scope, and stop when it ends.
  • Improvising corporate authority after the incident. An AUP and login banner must exist and be acknowledged before the misconduct. Authority drafted after you find something is authority a court distrusts.
  • Vacuuming up personal/BYOD data or privileged material. Reading an employee's personal webmail or attorney communications can violate the SCA and destroy privilege protections (Stengart, Pietrylo). Minimize, segregate, and route privileged material to a filter team.
  • Forgetting the duty to preserve. The hold attaches when litigation is reasonably anticipated, not when the complaint is served. Letting auto-deletion run, or reformatting the custodian's laptop, is spoliation — and on a finding of intent, it can end the case (Rule 37(e)(2)).
  • Carrying sensitive case data across a border without planning. Border rules are far more permissive and vary by circuit; your privileged and confidential data can be searched. Plan, minimize, and ask counsel first.
  • Assuming U.S. rules govern foreign data. GDPR, blocking statutes, and Article 48 mean you can be legally barred from collecting or exporting data you can technically reach. Use MLAT/CLOUD Act channels and counsel.
  • Believing strong technique cures a weak legal foundation. A flawless image acquired without authority is inadmissible; a method that can't meet Daubert doesn't reach the jury. Method serves the law — it cannot replace it.

Limitations: knowing when to stop

The honest edges of this chapter are sharper than most, because the limitations here are not about what a tool can't do — they are about what you are not. You are an examiner, and the most important limitation in this entire book may be this one: you are not the lawyer, and you are not the judge. Your job is to recognize the legal question, not to answer it.

The law in this domain is unsettled and jurisdiction-specific. The Supreme Court has decided only a handful of the digital questions; the circuits split on border searches, on digital plain view, and on compelled decryption; states divide between Daubert and Frye and between conflicting Fifth Amendment results. An examiner who states the law with false confidence ("the rule is X") is as dangerous as one who overstates a technical finding. The correct posture is "here is the question; counsel must answer it for this jurisdiction and these facts."

Authority is also fragile and revocable. Consent can be withdrawn mid-examination; a warrant can be invalidated; corporate authority can be undermined by a defective policy or a privileged communication you should not have read. You cannot retroactively cure an unlawful seizure — the exclusionary rule's exceptions are arguments a prosecutor makes after the fact, not a plan you rely on. And no technical rigor manufactures authority you never had.

Finally, the most professional limitation of all, the twin of Chapter 5's "the evidence is insufficient to reach a conclusion": "I do not have sufficient authority to proceed" is a valid, complete, professional finding. The pressure to do the examination is real, and the temptation to look just a little further is constant. Resisting it — stopping, documenting why, and asking for legal guidance — is not a gap in your competence. It is the competence. The human cost of getting this wrong is real on every side: the suspect whose rights are violated, the victim whose case is suppressed, the employee whose private life is exposed, and you, who answers for all of it under oath.

Progressive project: the Authority and Scope Memo

Add the legal foundation to your Forensic Case File before you analyze another artifact in the MHA matter. Real examiners do this first; you are doing it now.

Deliverable 1 — A one-page Authority and Scope Memo. Write it with these sections:

  • Legal framework. State that MHA is a civil matter, that MHA examines its own property as a private actor (no Fourth Amendment search), and that the FRCP govern if litigation is filed. Note the contingency that law-enforcement involvement would shift the analysis (state action).
  • Basis of authority. Identify the documents that establish it: proof of company ownership of the laptop, the signed acceptable-use policy, and the login-banner text. State explicitly that these pre-date the incident.
  • Scope — in and out. List what is in scope (removable-media artifacts, file-access timeline, cloud/webmail upload evidence, within the relevant window, on this image) and out of scope (personal devices, personal cloud/webmail, personal password-protected content, anything privileged). Pin the date window and search terms you will use — the same parameters that drive your scope-guard log.
  • Preservation/hold. Confirm the litigation hold is in force, that the laptop will not be reformatted or reissued, and that the custodian mailbox is on hold. Identify your verified image as the preservation of record.

Deliverable 2 — A "Stop and Escalate" decision card. On a single index card (or its digital equivalent), list the three to five triggers that will make you pause and call MHA's counsel in this matter — at minimum: (1) surfacing Okafor's personal webmail or attorney communications; (2) finding evidence of a different crime, and immediately if apparent CSAM appears; (3) any request to exceed scope, delete, or alter; (4) any indication the data or accounts reach outside the U.S. Keep the card where you work the case.

Save both to your case folder. You built the technical spine of this investigation across Parts II–III; you have now built its legal spine. In Chapter 26 you turn all of it into the deliverable that a court reads.

Summary

The legal framework is the authority that must exist before the forensic method has anything to preserve. The Fourth Amendment restrains the government, requiring warrants on probable cause that particularly describe what may be searched and seized — and its modern digital application (Riley, Carpenter, Jones, Kyllo, all built on Katz's reasonable expectation of privacy) treats comprehensive, revealing digital collection as a search needing a warrant. The state-action line decides whether the Amendment touches you at all: private recovery and corporate examiners usually fall outside it, until they act as a government agent, at which point everything changes. Digital warrants strain particularity, force a seize-now-search-later practice that risks over-seizure, and make plain view dangerous — so the disciplined examiner stays inside Attachment B and gets a second warrant for anything outside it. Without a warrant, authority comes from consent (voluntary, scoped, withdrawable, from someone with actual or apparent authority), from corporate authority (company-owned device + an AUP and banner that defeat the expectation of privacy, with the SCA/privilege limits that survive even then, and the BYOD minefield), or, in civil cases, from FRCP process — where the duty to preserve triggers a litigation hold, Rule 26 demands proportionality and a meet-and-confer, Rule 34 governs the form of ESI, and Rule 37(e) punishes spoliation (severely only on a finding of intent to deprive, which forensic traces are uniquely able to prove). The Fifth Amendment makes compelled decryption an unsettled, jurisdiction-split question for counsel, not the keyboard. Across borders, MLAT is the slow formal channel, the CLOUD Act reaches data U.S. providers control wherever it sits, and GDPR constrains EU personal data so tightly that you can be legally barred from collecting what you can technically reach. Getting authority wrong invokes the exclusionary rule and fruit of the poisonous tree in criminal cases, and direct statutory liability in private ones; getting method wrong fails authentication (FRE 901/902(14)) and the Daubert/Frye reliability gate. Above every detail sits one habit: establish authority, define scope, stay inside it — and the moment authority is unclear or scope is exceeded, stop and call a lawyer. That instinct, not any tool, is what makes your flawless technical work count.

You can now: - Explain the Fourth Amendment's warrant, probable-cause, and particularity requirements and how Riley, Carpenter, Jones, and Katz apply them to digital evidence — including the state-action line that determines whether the Amendment binds a private examiner. - Analyze the authority for an examination across the four bases — warrant, consent, corporate authority, and civil process — and identify the limits, scope, and withdrawal conditions of each. - Apply civil eDiscovery obligations under the FRCP: the duty to preserve, litigation holds, Rule 26 proportionality, Rule 34 form-of-production, and Rule 37(e) spoliation (and prove intent from forensic traces). - Recognize the special regimes — border searches, the Fifth Amendment compelled-decryption split, and the international tangle of MLAT/CLOUD Act/GDPR — and know they are counsel's questions, not the keyboard's. - Describe the consequences of getting it wrong (the exclusionary rule and fruit of the poisonous tree; private statutory liability) and the standards for getting evidence admitted (authentication and Daubert/Frye). - Identify, every time, the moment to stop and call a lawyer — and document scope so that you can prove, not merely assert, that you stayed inside your authority.

What's next. Chapter 26 — The Forensic Report — takes everything you have lawfully acquired, recovered, and analyzed and turns it into the deliverable that a non-technical judge, jury, attorney, or executive can actually act on: a report that separates fact from opinion, ties each finding to its evidence, states its methods and limits, and survives the cross-examination you will face in Chapter 27.


Practice in exercises.md, test yourself with the quiz, apply it in the case studies, review the key takeaways, and go deeper with further reading.