Chapter 25 — Exercises

A mix of concept checks, document-drafting labs, and hard judgment calls — because the law is not learned by memorizing case names but by applying them to the device on your bench. Most of the hands-on work here is "read this warrant and mark the scope," "draft the consent form / litigation hold / authority memo," "classify this loss under Rule 37(e)," "verify the preservation hash," and "decide whether to stop and call a lawyer," not "run this tool." Groups A–G follow the arc of the chapter: who the Fourth Amendment binds → warrants and their digital limits → consent → corporate authority and civil eDiscovery → the special regimes of border, Fifth Amendment, and international → the consequences of getting it wrong and the standards for getting it admitted → judgment and the progressive project. Answer the judgment questions the way you would answer them on the stand: state the question, state the rule, apply it to the facts, and — when that is the honest answer — say "this is a question for counsel." (answer in Appendix) marks problems with a worked solution in Answers to Selected Exercises. ⭐ marks a stretch problem. The reference companion is Appendix E — Legal Frameworks Reference; the templates you will draft live in Appendix F.


Group A — The Fourth Amendment and who it binds

25.1 State the two-part Katz test for whether something is a Fourth Amendment "search," then apply it to one concrete act: imaging the internal storage of a locked smartphone. Identify the subjective prong and the objective prong, and explain why the Supreme Court in Riley treated a phone's contents as the purest case of "what a person seeks to preserve as private." Then, in two sentences, contrast the third-party doctrine (Smith v. Maryland; United States v. Miller) with Carpenter's exception for historical cell-site location information, and state why Carpenter matters for the cloud-era artifacts you will meet in Chapter 31. (answer in Appendix)

25.2 The single most important idea in this chapter for the recovery and corporate audience is the state-action line. For each of the following, decide whether the Fourth Amendment applies and name the doctrine that controls: (a) a client brings a drive to your shop and asks you to recover their files; (b) midway through that lawful recovery, the police call and ask you to "look a little further" into areas the client never authorized; (c) a private citizen searches a neighbor's discarded laptop, finds apparent evidence of a crime, and hands it to police, who then re-examine exactly what the citizen already saw. (answer in Appendix)

25.3 ⭐ Match each case to its holding and then extract the rule of thumb the chapter draws from the line of cases: Riley v. California, Carpenter v. United States, United States v. Jones, Kyllo v. United States. State the one-sentence usable rule ("the more comprehensive, revealing, and effortless the digital collection…"), then apply it to a fact the Supreme Court has not squarely decided — government acquisition of a week of a person's smart-doorbell clips from the vendor's cloud — and predict how a court applying this rule of thumb would likely analyze it.


Group B — Warrants for digital evidence

25.4 A draft warrant commands officers to "seize all computers at the premises and examine all files." Explain why this fails the particularity requirement and risks being condemned as a general warrant. Then rewrite it as a proper Attachment B for a suspected wire-fraud investigation, including a date window, enumerated categories of responsive data tied to the offense, and a short search protocol (keyword/file-type/date filtering plus a filter/taint-team provision). (answer in Appendix)

25.5 Read the warrant; mark the scope. Your Attachment B authorizes, for 01 JAN 2025 – 14 JUN 2026, evidence of wire fraud consisting of financial spreadsheets, invoices, and communications about "the Halversen contract," plus evidence of user attribution. During the authorized keyword/date search you encounter each of the following. Mark each IN scope or OUT of scope and justify in one line: (a) an invoice spreadsheet dated 2025-09 referencing Halversen; (b) a 2024-03 email (before the window) about an unrelated vendor; (c) a folder of family photos with 2025 timestamps; (d) a MountedDevices registry entry showing a USB device connected in 2026-02; (e) a document whose thumbnail suggests it is apparent child sexual abuse material (CSAM); (f) a 2025-11 spreadsheet with no Halversen reference but a filename suggesting a different fraud against a different victim. Then state which of (a)–(f) require you to invoke the second-warrant discipline before going further, and which you simply pass over without comment.

25.6 Explain the seize-now, search-later reality of digital warrants and the rule that blesses it. State what Federal Rule of Criminal Procedure 41(e)(2)(B) authorizes, and explain precisely what the 14-day execution window in 41(e)(2)(A) does and does not limit. Then describe the over-seizure tension this creates — "to find the responsive 0.1%, the government takes 100%" — and list three concrete things an examiner does to show restraint on the record against an over-seizure challenge. Finally, name two judicial tools courts use to police over-seizure after the fact (think limits on retention of non-responsive data, and required return or deletion of irrelevant material), and explain why an examiner who keeps a full image forever, "just in case," invites exactly the challenge these tools answer. (answer in Appendix)

25.7 ⭐ Digital plain view is "a minefield." (a) Explain why opening a file to "see" it is itself a search, and why an unrestricted plain-view theory would make every digital warrant a general warrant. (b) Name the influential en-banc case (the BALCO steroids matter) where the Ninth Circuit wrestled with this, and note that no single national rule has emerged. (c) Write the four-step second-warrant discipline an examiner follows on encountering apparent evidence of a different crime while searching in scope. (answer in Appendix)


25.8 Draft the consent form. A client consents to your examining email and documents "related to the Pinewood project, 2025 onward" on a single laptop — not the whole drive. Draft a written consent-to-search form in the chapter's style that fixes the four things that decide a consent search: voluntariness, an explicit scope, the right to refuse and withdraw, and a statement of the consenter's authority. Then explain in two sentences why getting scope in writing "ends the 'what did you agree to?' fight before it starts" (Florida v. Jimeno).

25.9 Decide who may consent in each scenario, naming the controlling principle: (a) a spouse offers the shared family desktop for search; (b) the same spouse offers to open the other spouse's separate, password-protected user account on that desktop; (c) two roommates with common authority are both present at the door and one consents while the other expressly refuses; (d) the manager of a building hands officers a key, reasonably but mistakenly believing she has authority over a tenant's unit. Tie each to Matlock, Trulock, Randolph, or Rodriguez. (answer in Appendix)

25.10 Consent is withdrawable. You have already completed a full, verified forensic image of a drive under valid written consent. Mid-analysis, the person withdraws consent. What must stop immediately, what is the unsettled question about the already-acquired image, and what is the single correct professional move at that moment? Explain why "I'll just keep analyzing — I already have the image" is exactly the wrong instinct.


Group D — Corporate authority and civil eDiscovery

25.11 Distinguish the authority analysis for a public-sector employer from a private-sector one. For the public employer, name the case and the standard that replaces warrant-and-probable-cause (O'Connor v. Ortega; reasonableness — and Quon as the digital application). For the private employer, explain why "the Fourth Amendment doesn't apply" is not the same as "anything goes," and name the three federal statutes that still constrain it. (answer in Appendix)

25.12 Write the banner. The mechanism that makes corporate authority clean is notice that defeats the Katz expectation of privacy. (a) Draft a login banner that establishes company ownership, monitoring/logging/auditing, no reasonable expectation of privacy, and consent-by-login. (b) Explain why the AUP and banner must exist and be acknowledged before the incident, not drafted after. (c) State exactly which prong of the Katz test a properly noticed banner knocks out, and why that is what makes the employee-IP-theft artifacts examinable.

25.13BYOD trap. Your collection from a company matter ingests, from an employee's personal device, their personal password-protected webmail, including messages with their own attorney. (a) Identify the two statutes/doctrines you have just collided with (think Stengart, Pietrylo, and the Stored Communications Act). (b) State what you do the instant you realize this. (c) Describe the pre-incident architecture that prevents the problem entirely (BYOD policy + MDM containerization + a segregate-and-minimize collection methodology), and explain the difference between "could I open this?" and "am I permitted to open this?"

25.14 Write the litigation hold. Litigation is reasonably anticipated after a competitor poaches your company's lead engineer. Draft a litigation-hold notice in the chapter's style that identifies the matter and time period, lists the data sources, suspends auto-deletion and routine destruction, and forbids reformatting/reissuing the custodian's laptop. Then state when the duty to preserve attached (cite the Zubulake idea) and why it can be before any complaint is filed. (answer in Appendix)

25.15 Classify the spoliation. For each, decide whether it falls under FRCP 37(e)(1) (curative measures on a finding of prejudice) or 37(e)(2) (severe sanctions — adverse inference, dismissal/default) and state why: (a) a custodian, after a hold issued, runs a disk-wiping tool the night before surrendering the laptop, and Prefetch/AmCache record its execution; (b) IT's ordinary 90-day email purge ran on a non-custodian's mailbox before anyone flagged it, losing some relevant messages that cannot be restored. Then explain how forensic artifacts prove the "intent to deprive" that (e)(2) requires, tying it to themes one and three. (answer in Appendix)

25.16 Apply proportionality under Rule 26(b)(1). A plaintiff in a $50,000 contract dispute demands a forensic image of every device owned by a 10,000-employee defendant. List the six proportionality factors the court weighs and explain, factor by factor, why this demand likely fails. Then state, under Rule 34, why an examiner usually wants production in native-with-metadata form rather than flattened PDFs — and tie it to why "the timestamps are the case" (Chapter 21).

25.17Calculate and verify the hash — defensible preservation. You preserved a custodian collection and generated a hashdeep SHA-256 manifest. The recorded acquisition hash of the container is b7e0c3f6a9d2b5e8a3f5c9d2b8e14f6079c2d5a8b1e4f7c0d3a6b9e2c5f8a1d4. Two months later you re-audit:

[manifest, 2026-06-25]  b7e0c3f6a9d2b5e8a3f5c9d2b8e14f6079c2d5a8b1e4f7c0d3a6b9e2c5f8a1d4
[re-audit,  2026-08-30]  b7e0c3f6a9d2b5e8a3f5c9d2b8e14f6079c2d5a8b1e4f7c0d3a6b9e2c5f8a1d4
[exhibit list cited in the brief]  b7e0c3f6a9d2b5e8a3f5c9d2b8e14f6079c2d5a8b1e4f7c0d3a6b9e2c5f8a1d2

(a) Does the custody audit pass? (b) There is a discrepancy somewhere — find it and explain why a one-character difference is "a cross-examination gift." (c) Explain how a matching hash plus a qualified person's certification lets the image come in as self-authenticating under FRE 902(14), and write the one hashdeep audit command that proves nothing changed in your custody. (answer in Appendix)


Group E — Border, the Fifth Amendment, and international

25.18 Border searches. Summarize the unsettled landscape: the routine-search rule for luggage (Ramsey/Flores-Montano), the circuit split on forensic device searches (9th and 4th Circuits vs. the 11th; the 1st Circuit's contraband limit), and the CBP directive's "basic" vs. "advanced" distinction. Then advise an examiner who must fly internationally carrying client and case data: list four concrete precautions and the one thing they should do before traveling. (answer in Appendix)

25.19 The Fifth Amendment and compelled decryption. Explain why producing a memorized passcode "looks testimonial," then state the foregone-conclusion doctrine (Fisher/Hubbell) and the way courts split on applying it to devices. Note the biometric-vs-passcode distinction some courts draw and others reject. Finally, state the examiner's actual takeaway: what you plan for at acquisition time given that you may never lawfully obtain the key (Chapter 29).

25.20International. A U.S. civil matter needs email belonging to an EU-resident custodian, stored on a provider's servers in Ireland. (a) Distinguish the three frameworks: MLAT, the CLOUD Act, and GDPR. (b) Explain why GDPR Article 48 and Schrems II make "just export it to the U.S." a serious legal problem, and what Article 5 (minimization) demands that runs opposite to "image everything." (c) Outline the defensible approach (work with counsel; minimize and process in-region; pseudonymize; use proper transfer mechanisms) and state the one-sentence Limitation the chapter draws: "no technical skill overcomes a jurisdictional wall."


Group F — Consequences and admissibility

25.21 The exclusionary rule. State what the exclusionary rule does, name the two foundational cases (Weeks; Mapp), and explain the fruit of the poisonous tree doctrine (Wong Sun) and why it is so dangerous to a careless examiner. Then name and one-line each of the four exceptions — good faith (Leon), independent source, inevitable discovery (Nix), and attenuation — and explain why no competent examiner plans to rely on any of them. (answer in Appendix)

25.22 The exclusionary rule is "cold comfort" in the private and civil worlds. Explain why a private actor who searches unlawfully generally does not benefit from the exclusionary rule's narrow scope — and instead faces a worse problem. Name the direct liabilities a private overreach can trigger (SCA, CFAA, privacy torts, state two-party wiretap crimes) and connect this to the corporate/BYOD lessons of Group D.

25.23 Getting it admitted. Authority gets evidence lawfully obtained; two more doors remain. (a) Map FRE 901, FRE 902(13), FRE 902(14), and FRE 1001–1003 to what each does for digital evidence, and explain how the SHA-256 you computed in Chapter 5 becomes the mechanism that lets your image in. (b) Contrast the Daubert standard (the five gatekeeping factors; Kumho Tire; FRE 702) with the older Frye "general acceptance" test, and explain why "method is admissibility" — i.e., why write-blocking validated against NIST CFTT, documented error rates, and reproducible steps are not craft niceties but admissibility requirements. (answer in Appendix)


Group G — Judgment and the progressive project

25.24 Stop, or proceed? For each, decide whether you stop and call counsel or may proceed, and give the one-line reason: (a) no warrant, no clear consent, no confirmed ownership, but the manager "really needs to know what's on this laptop today"; (b) a routine photo-recovery job reveals what appears to be evidence of a crime between a divorcing couple; (c) consent was given by someone you now learn does not own the device; (d) you encounter apparent CSAM on any matter, including a routine recovery; (e) opposing counsel serves a subpoena on your lab for your work; (f) a manager asks you to "make a few files go away."

25.25 Scope discipline as code. Re-read the chapter's in_scope() scope-guard and its JSON-Lines audit log. (a) Explain why the "in_scope": false lines are "as valuable as" the true ones. (b) The warrant from 25.5 authorizes 2025-01-01 through 2026-06-14 and the terms "Halversen", "invoice", ".xlsx". Rewrite the AUTHORIZED_AFTER, AUTHORIZED_BEFORE, and KEYWORDS parameters to match — and explain why those parameters must come from the authority*, never be invented by the examiner mid-search. (c) State the one sentence you can give opposing counsel because this log exists.

25.26Progressive project — the Authority and Scope Memo. For your Meridian Health Analytics (MHA) matter (departed engineer "J. Okafor"; alleged copying of a proprietary patient-analytics dataset to removable media or personal cloud; image mha-laptop.E01), write the one-page Authority and Scope Memo the chapter's progressive project requires, with four sections: (1) Legal framework — civil matter; MHA examines its own property as a private actor (no Fourth Amendment search); FRCP govern if filed; note the state-action contingency. (2) Basis of authority — proof of company ownership, signed AUP, login-banner text, all pre-dating the incident. (3) Scope, in and out — in: removable-media artifacts, file-access timeline, cloud/webmail-upload evidence within the relevant window on this image; out: personal devices, personal cloud/webmail, personal password-protected content, anything privileged (the Stengart trap). Pin your date window and search terms. (4) Preservation/hold — hold in force, no reformat/reissue, custodian mailbox on hold, your verified image as the preservation of record. Save it to your case folder. (answer in Appendix)

25.27 Progressive project — the "Stop and Escalate" decision card. On a single index card (or its digital equivalent), list the three-to-five triggers that will make you pause and call MHA's counsel in this matter — at minimum: (1) surfacing Okafor's personal webmail or attorney communications; (2) finding evidence of a different crime, and immediately if apparent CSAM appears; (3) any request to exceed scope, delete, or alter; (4) any indication the data or accounts reach outside the U.S. For each trigger, write the action in three words or fewer (e.g., "stop · preserve · call"). Keep the card where you work the case.


Self-check. You have mastered this chapter when you can, without notes: state who the Fourth Amendment binds and the exact moment a private recovery becomes a government search; read an Attachment B and mark any file in or out of scope; run the second-warrant discipline on reflex when something out-of-scope appears; draft a consent form, a login banner, and a litigation hold that would survive a hostile reading; classify an ESI loss under 37(e)(1) versus (e)(2) and explain how forensic traces prove intent; recognize the border, Fifth Amendment, and international questions as counsel's, not the keyboard's; and — above all — name, every time, the moment to stop and call a lawyer and prove with a scope log that you stayed inside your authority. If you can establish your authority, define your scope, and stop the instant either is unclear, you are ready for Chapter 26 — The Forensic Report, where everything you lawfully acquired becomes the document a court actually reads.