Chapter 25 — Quiz
14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom — try the whole set before you look. This is education, not legal advice; the goal is to recognize the questions, not to render verdicts.
Multiple choice
Q1. The Fourth Amendment, by its own force, restrains: - A) Everyone who handles a digital device - B) The government (state actors) — not private citizens, corporations, or a data-recovery shop acting for its client - C) Only federal law enforcement, never state police - D) Anyone who signs an acceptable-use policy
Q2. In Riley v. California (2014), the Supreme Court held that: - A) Police may always search a phone found on an arrestee - B) Phones have no Fourth Amendment protection because data is exposed to carriers - C) Searching the digital contents of a cell phone seized incident to arrest generally requires a warrant — "get a warrant" - D) A warrant is needed only for phones that are locked
Q3. Under the Katz reasonable-expectation-of-privacy test, a "search" occurs when the government violates an expectation that is: - A) Written down in a statute - B) Both subjectively held by the person and one society is prepared to recognize as reasonable - C) Recognized by at least one federal circuit - D) Stronger than the government's investigative interest
Q4. A client brings a drive to your shop and asks you to recover their files. Your examination is: - A) A Fourth Amendment search requiring a warrant - B) Not a Fourth Amendment search — you are a private actor working at the owner's request — unless you begin acting as an agent or instrument of the government - C) Illegal unless the client signs a consent form - D) Governed by the exclusionary rule
Q5. For an examiner working a criminal warrant, the warrant's Attachment B (the description of property to be seized) functions as: - A) Optional background paperwork - B) A suggestion the examiner may exceed with good cause - C) The examiner's scope — the boundary of what may be searched for, read before imaging and again before analysis - D) A list of tools the examiner must use
Q6. While searching in scope for fraud records, you encounter apparent evidence of a different crime. The safe, case-preserving practice is to: - A) Keep searching to "be sure" before reporting it - B) Rely on the plain-view doctrine to seize whatever you find - C) Stop, not expand the search, document exactly how the item came into view, and obtain a new or expanded warrant before going further - D) Delete it to avoid contaminating the case
Q7. A live-in partner with common authority over a shared computer generally cannot consent to a search of the other user's separate, password-protected account or files. This principle is illustrated by: - A) United States v. Leon - B) Trulock v. Freeh (and the reasonable expectation of privacy a per-user password preserves) - C) Carpenter v. United States - D) Daubert v. Merrell Dow
Q8. What makes a private-sector employer's examination of a company-owned device stand on firm ground? - A) The Fourth Amendment does not apply, so anything goes - B) An acceptable-use policy and login banner — acknowledged before the incident — that defeat the employee's reasonable expectation of privacy - C) A verbal instruction from a manager at the time of the investigation - D) The employee's later, after-the-fact agreement
Q9. Under FRCP 37(e), the severe sanctions for lost ESI — an adverse-inference instruction, or dismissal/default — are available only upon a finding that the party: - A) Was negligent in its retention practices - B) Failed to issue a litigation hold - C) Acted with the intent to deprive another party of the information - D) Lost more than 100 gigabytes of data
Q10. The CLOUD Act (2018) established that U.S. providers must produce data within their possession, custody, or control in response to lawful U.S. process: - A) Only if the data is physically stored within the United States - B) Regardless of where the data is physically stored - C) Only after an MLAT request is exhausted - D) Only with the data subject's consent
True/False
Q11. Because the Fourth Amendment does not apply to private-sector employers, a private employer may freely read anything on or accessed through a company device, including the employee's personal, password-protected webmail and attorney communications. (True / False)
Q12. A verified forensic image, supported by a qualified person's certification of its SHA-256 hash value, can be admitted as self-authenticating under Federal Rule of Evidence 902(14). (True / False)
Short answer
Q13. Name the four bases of lawful authority to examine a device covered in this chapter, and give one limit of each.
Q14. In two or three sentences, explain the difference between FRCP 37(e)(1) and 37(e)(2), and explain how forensic artifacts bear on which one applies.
---
Answer key
Q1 — B. The Fourth Amendment is a limit on state action. It does not, by its own force, restrain a private citizen, a corporation, or a recovery shop. This carve-out is the single most important idea in the chapter for the recovery and corporate audience — and it is also the trap, because a private actor can become a state actor by acting as the government's agent.
Q2 — C. Riley (unanimous) held that searching the digital contents of a cell phone seized incident to arrest generally requires a warrant; a phone "is not a cigarette pack." Its immense, aggregated, time-deep, cloud-connected storage holds the "privacies of life," so the analog search-incident-to-arrest exception does not transfer. Chief Justice Roberts's instruction: "get a warrant."
Q3 — B. Katz (via Justice Harlan's concurrence) requires (1) an actual, subjective expectation of privacy that (2) society is prepared to recognize as reasonable. "What a person knowingly exposes to the public" is not protected; "what he seeks to preserve as private" may be — and digital storage is the purest case of seeking to preserve as private.
Q4 — B. A recovery at the owner's request is not a Fourth Amendment search because you are a private actor (no state action). That protection evaporates the moment you act as an agent or instrument of the government — e.g., police direct you to "look further" or you are effectively doing the government's investigating. The technique never changes; the legal character does, because the actor changes.
Q5 — C. The warrant is your scope. Attachment B describes the things that may be seized; everything inside it is fair game and everything outside it is presumptively off limits. You read it before you image and again before you analyze — scope discipline is enforced by method, not good intentions.
Q6 — C. This is the second-warrant discipline. Opening a file is itself a search, so an aggressive plain-view theory for out-of-scope finds would turn every digital warrant into a general warrant (and digital plain view is genuinely unsettled, per the BALCO en-banc case). Stop, do not expand, document precisely how the item surfaced, and get expanded authorization — charging ahead risks suppressing the very evidence and may taint the whole exam.
Q7 — B. Trulock v. Freeh (4th Cir. 2001): a live-in partner could consent to the shared computer but not to the defendant's password-protected files, in which he retained a reasonable expectation of privacy. Per-user passwords and encryption are not just technical boundaries — they are legal boundaries on who can consent to what. (Matlock allows common-authority consent to shared property; Randolph lets a present, objecting co-tenant override.)
Q8 — B. Notice that defeats the expectation of privacy. A signed acceptable-use policy plus a login banner the user clicks past at every logon establish company ownership, monitoring, and no reasonable expectation of privacy — knocking out Katz's second prong. The decisive word is before: the policy and banner must pre-date the incident, not be drafted after you find something.
Q9 — C. Rule 37(e)(2) unlocks the case-ending sanctions only on a finding of intent to deprive. Negligent loss is addressed by 37(e)(1) with curative measures no greater than necessary to cure the prejudice. The dividing line is intent — which is exactly what forensic artifacts (a wiping tool's Prefetch/AmCache entry, timestomping inconsistencies) are uniquely able to prove.
Q10 — B. The CLOUD Act provides that U.S. providers must produce data within their "possession, custody, or control" regardless of where it is physically stored (resolving the question raised in United States v. Microsoft Corp.). For the examiner: where the bytes physically sit matters less than who controls them. It also authorizes executive agreements (the U.S.–U.K. Data Access Agreement is the first) that bypass slow MLAT for covered requests.
Q11 — False. "The Fourth Amendment doesn't apply" is not "anything goes." The Stored Communications Act can make reading an employee's personal webmail a crime even on a company laptop (Pietrylo), and attorney-client privilege can survive on personal, password-protected webmail used on a company device (Stengart). Minimize, segregate, and route privileged material to a filter team.
Q12 — True. FRE 902(14) (added 2017) allows data copied from an electronic device to be self-authenticating when a qualified person certifies it by its hash value — the SHA-256 from Chapter 5 is the mechanism. FRE 902(13) does the same for records generated by an electronic process, and FRE 1001–1003 treat an accurate duplicate (a verified image) as admissible as an original.
Q13. (1) Warrant — limited by particularity/Attachment B scope (and the second-warrant rule for out-of-scope finds). (2) Consent — must be voluntary, is bounded by the scope given, can be withdrawn, and requires actual or apparent authority over the thing searched. (3) Corporate authority — over a company-owned device with an AUP + banner, but bounded by the SCA/Wiretap/CFAA and surviving privilege (the BYOD/Stengart limits). (4) Civil process — FRCP discovery/litigation hold, bounded by proportionality (Rule 26) and the duty to preserve. (Full credit for naming all four bases with one correct limit each.)
Q14. 37(e)(1) applies when ESI that should have been preserved is lost because a party failed to take reasonable steps and it can't be restored; on a finding of prejudice, the court orders curative measures no greater than necessary. 37(e)(2) authorizes the severe sanctions (adverse-inference instruction, dismissal/default) only on a finding of intent to deprive. Forensic artifacts decide which applies: recovering "deleted" files (deleted ≠ destroyed) and finding the traces of deliberate wiping or timestomping (every action leaves a trace) is how an examiner establishes the intent that (e)(2) demands — or shows its absence.
Scoring: Count the 12 objective questions (Q1–Q12) plus your self-graded short answers. 13–14: authority-ready — you can analyze the legal basis of an exam across all four bases and know exactly when to stop. 10–12: solid; re-read "Search warrants for digital evidence" and "Corporate investigations." 7–9: review the state-action line, the second-warrant discipline, and FRCP 37(e) before the case studies. Below 7: re-read the chapter, especially "The Fourth Amendment," "Consent searches," and "Putting it together: the authority decision and the 'stop' reflex," then retake. Remember the meta-lesson: the right answer is often "that is a question for counsel."