Monday, September 29, 2008

Encase and Consent to Search a Computer

EnCase, as you may know, is the leading software police officers (and others) use in conducting a computer forensics analysis of a computer. It’s routinely employed by law enforcement; if you're not familiar with it, you can read about it here.

In an earlier post I wrote about consent as an exception to the 4th Amendment’s requirement that police obtain a warrant to search a place or a thing, like a computer.

The underlying premise of the consent exception to the search warrant requirement is, essentially, that your right under the 4th Amendment belongs to you and you can waive it, i.e., you can decide not to exercise it.

So you do that by consenting to a search: If an officer has stopped you to give you a ticket and he says, “Can I search your car, just check to see if there’s anything there that shouldn’t be?”, you can either assert your 4th Amendment right by saying “no” or waive it by saying “yes.” (If you say no, the officer can’t search unless he or she has probable cause to believe there’s evidence of a crime in the vehicle, and the same is true of any place or container.)

In that earlier post I explained that the consent exception has two dimensions: In the example above, the person who happens to be driving the car is asked to consent and it’s up to that person to allow the search or refuse to allow it. For the person’s consent to be valid, though, they must have had the authority to consent to a search of the property in question.

As I also explained in that earlier post, in United States v. Matlock, 415 U.S. 164 (1974), the U.S. Supreme Court held that co-users of property can each consent to the search or seizure of that property. The Matlock Court held that the authority to consent derives not only from sharing ownership of property (though that works, too), but also from sharing the use of property. The obvious example of that is roommates: A roommate can consent to a search of the areas commonly used by those who share the apartment or house; a roommate probably will not have authority to consent, say, to a search of a bedroom belonging exclusively to another roommate, especially if that roommate keeps the others out of his/her bedroom. There’s no common access to the property in this instance.

As I explained in a more recent post, the Supreme Court held, in Frazier v. Cupp, 394 U.S. 731 (1969) that this common access = authority to consent rationale applies even to relatively trivial matters. Frazier let his cousin Rawls use his duffle bag; when Rawls was arrested, he had the duffel bag and he consented to police’s searching it. They found evidence that was used in a criminal prosecution against Frazier, which he tried to suppress by arguing that Rawls didn’t have authority to consent to the search. Frazier said Rawls was only allowed to use certain compartments in the duffel bag and the evidence was found in other compartments; according to Frazier, that meant Rawls did not have authority to consent to a search of the whole bag. He lost: As I explained in the earlier post, the Supreme Court essentially said that if you give someone access to your property, however large or small it is, you assume the risk they’ll betray you by consenting to a search of that property.

That brings us to People v. Brown, 279 Mich. App. 116, 2008 WL 2151725 (Mich. App. 2008). Here are the basic facts in the case:
[Craig Brown] was [an] officer with the . . . Brown City Police Department. Lieutenant Timothy Donnellon. . . was investigating . . . Officer Albert Geoit for anabolic-steroid use. . . . Geoit told the police that Brown supplied him anabolic steroids.

Donnellon asked Michael Winters, an inspector with the Postal Inspection Service, to intercept any suspicious parcels addressed to . . . [a] post office box registered to Brown. . . . On February 28, 2003, a parcel arrived for [the] post office box. Winters [obtained] a federal search warrant . . . [and] executed the search. The parcel contained ten packages of Finaplix-H, which . . . contained Trenbolone. . . .

On March 1, 2003, Donnellon executed a warrant to search Brown's residence. The owner of the building, Gladys Graves, lived on the second story and Brown rented the first floor. . . . In the only first-floor bedroom . . . police found a magazine, `Anabolics 2000’ lying on the bed. In the first-floor kitchen, the police found a topical anabolic steroid, Testosterone Androgel, which is available by prescription. The police discovered additional anabolic steroid-related magazines. The police also found Brown's credit-card statements reflecting purchases from Websa Co., the source of the Finaplix-H in the parcel, and Finafarm, a company that sells a kit that makes possible the human consumption of anabolic steroids. Lapeer County Sheriff Detective Nancy Stimson recovered such a kit . . . from Brown's house. . . . .

Graves had a computer upstairs that Graves allowed the police to search.
People v. Brown, supra. It’s this computer that we’re concerned with. Detective Stimson
brought the computer to Robert Gottschalk, an expert in electronic-data retrieval, for investigation. Gottschalk removed the hard drive and used EnCase forensic software to make a copy of the hard drive. Gottschalk testified that EnCase software allows reproduction of all files that have not been overwritten, including Internet files. In particular, he testified that `it created-it created the image, which is . . . an exact copy of everything that's on the hard drive; not only the data but everything else that's there. Maybe a file that was deleted at one time. It copies all of the data off of it.’ Gottschalk searched the copied hard drive for anabolic-steroid-related terms, and found numerous e-mails relating to defendant's purchases of anabolic steroids.
People v. Brown, supra.

Brown argued that the search of his files on the Graves computer violated his rights under the 4th Amendment: He said Graves did not have the authority to consent to a search of his email and other files.

Graves owned the computer, and let her children and grandchildren use it. According to the Michigan Court of Appeals, although Brown “was allowed access to the computer, there is no evidence” he had a right to use it or that he could “regulate others’ access to the computer.” People v. Brown, supra.

If that was all we had, it would be clear Ms. Graves had authority to consent to a search of the computer. She owned it, and she presumably used it, as well; the fact that she let Brown use it on some terms in no way eliminates her authority over, and ownership, of the computer. But there’s a wrinkle.

Brown also claimed “Graves's consent was invalid because his e-mail account was protected by a password. He . . . argues that `even though the files were allegedly accessed using the computer of Ms. Graves the police had no right to enter those password protected files without a search warrant.’” People v. Brown, supra. That’s a pretty good argument, because he’s not challenging the police’s obtaining emails from an Internet Service Provider. He’s saying, which seems to be correct, that the police searched for, found and seized them from the computer hard drive. He’s also saying he had a legitimate 4th Amendment expectation of privacy in those files because they were password-protected.

That’s a good argument because in Trulock v. Freeh, 275 F.3d 391 (4th Cir. 2001), the U.S. Court of Appeals for the Fourth Circuit held that Conrad, Trulock’s roommate,
lacked authority to consent to the search of Trulock's files. Conrad and Trulock both used a computer located in Conrad's bedroom and each had joint access to the hard drive. Conrad and Trulock, however, protected their personal files with passwords; Conrad did not have access to Trulock's passwords. Although Conrad had authority to consent to a general search of the computer, her authority did not extend to Trulock's password-protected files.

The Michigan court, though, didn’t buy Brown’s argument, and it’s all because the police used EnCase. Here is how the court resolved this issue:
Few cases have yet discussed the propriety of EnCase software. In United States v. Andrus, 483 F.3d 711 (C.A.10, 2007), the defendant's father consented to the search of a computer in the defendant's bedroom. The police used EnCase . . . to access the hard drive without first determining the need for a user name or password. There was testimony that someone without forensic equipment would need the defendant's user name and password to access files stored within the defendant's user profile.

The court indicated that `[t]he critical issue . . . is whether. . . these officers could reasonably have believed [the father] had authority to consent to a search of the computer. . . . The court noted that, “[i]f the circumstances reasonably indicated [the father] had mutual use of . . . over the computer, the officers were under no obligation to ask clarifying questions.” Here, . . . Graves had control, if not exclusive control, over the computer. Accordingly, the officers were under no obligation to ask whether defendant's files were protected by a password. Thus, defendant's claim that his Fourth Amendment rights were violated must be rejected.
People v. Brown, supra.

Personally, I disagree with this decision because it effectively means you have no way to secure files on a computer you share with anyone else. The Trulock court analogized the use of a password to protect files to using a lock to protect a footlocker; in each instance you’ve done what you can to keep others out. No court would find police’s breaking a lock to get into a footlocker to be a valid consent search, even if the owner of the locker’s father/wife/roommate/whomever consented to their doing so. I don’t see why the outcome should be different when it’s a computer program being used to achieve essentially the same end.


Unknown said...

IANAL...just a computer forensics professional who enjoys reading your posts.
The only reference to password protection in this post is to Brown's online e-mail account. This suggests that there wasn't an individual password protected user account on the computer for Brown, i.e. anyone who used the computer probably did so using the same account.
If that was indeed the case then the locked footlocker analogy is inaccurate. This sounds more like a situation where you keep documents in a safe deposit box at the bank but there are copies in the glove compartment of your friends car. (Whether or not you know that those copies exist is another story).

Keep up the good work.

Susan Brenner said...

Thanks for the clarification . . . I wondered if my locked footlocker analogy went too far.

I did pick up on the fact that, unlike the computer in Trulock v. Freeh, this one did not have password protected files, just the email files. Would EnCase let an examiner read regular password protected files (too)?

Unknown said...

The short answer to your question is yes, EnCase and the other computer forensic packages would allow an examiner to read password protected files.

If you would like the long answer let me know :-)

Susan Brenner said...

Thanks for the short answer . . . I don't know if we need the long one here.

But, if this is true, doesn't it mean that the holding in Trulock v. Freeh -- that by password-protecting one's files you achive a 4th Amendment expectation of privacy in them -- can be overriden with the use of EnCase or similar programs? If that is true, then how could one ever achieve a solid 4th Amendment expectation of privacy in files?

That's a bit of a ramble. I think I should do a post on this (any thoughts on the topic welcome). It seems to me maybe we have a Kyllo issue here.

Thanks again.

Unknown said...

I think that the expectation of privacy in password protected files still holds.

The following brief lays out the argument supporting an expectation of privacy in password protected files in the context of the Andrus case:

From a technical perspective I have only one unresolved question keeping me from completely agreeing with the arguments made in the brief and that is that Windows account passwords don't typically prevent someone from gaining access to the contents of a hard drive. These passwords are an operating system level protection mechanism. If you were to use a different operating system then you would not encounter this lock and would have direct access to the contents of the drive. To take the footlocker analogy it's as if there is a hidden panel through which the contents could be accessed. Again, I only raise this issue with my technical hat on and I doubt that it would have much impact on a court concluding that the user, not knowing that the hidden panel exists, does have an expectation of privacy in their password protected files.

It appears as though the decision in the Andrus case could have gone the other way if facts had been presented to "demonstrate a high incidence of password protection among home computer users."

It's all very interesting and I'm sure we haven't heard the last of it.