In United States v. Schlingloff, 2012 U.S. Dist. LEXIS 157272 (C.D. Ill. Oct. 24, 2012), Judge Shadid held that use of Forensic Toolkit's (FTK) Known File Filter (KFF) to alert on child pornography files was outside the scope of a warrant issued to look for evidence of identity theft.
The defendant in this case lived at a location that was searched pursuant to a valid warrant; the warrant was issued to find evidence of identity theft. During the search of the residence, multiple media devices and computers were retrieved, including a computer and external storage device belonging to the defendant. When the items were sent for forensic analysis, the computer forensic analyst did a search of the devices not only for identity theft (likely image and string searches), but also for child pornography using FTK's KFF option.
A short explanation of the KFF. To make forensic analysis easier, files that are known to be valid (operating system files, DLLs, etc.) are hashed, and those hash values are compared against the disk image to exclude known-good files from further analysis. Conversely, known malicious or illegal files are also hashed, and if a file on the computer matches one of those hashes, the KFF alerts on it, telling the investigator that the file should be examined further. Per FTK's own literature, the KFF can be pared down to the file lists (e.g. hashes of child pornography files, virus-related files, etc.) relevant to the current investigation. Additionally, the forensic investigator does not have to use the KFF at all; it is merely an option.
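To make the mechanism concrete, here is an added example of a KFF-style hash filter; it is illustrative code written for this post, not FTK's implementation, and the hash algorithm (SHA-256), the list names and the sample "disk image" contents are all assumptions constructed inline. It shows the two decisions the court cared about: a known-good set that excludes files from review, and an alert set that the examiner must affirmatively enable. With no alert set enabled, a contraband file is simply "unknown" and only surfaces if the examiner's own content searches (here, a string search for SSN-like patterns, the kind of search the identity-theft warrant would support) happen to reach it.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample "disk image": (path, contents). None of these are real files;
# the contents are stand-ins so the example runs offline.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("C:/Windows/System32/kernel32.dll", b"constructed stand-in for a known OS binary"),
    ("C:/Users/jdoe/Documents/ssn_list.txt", b"SSN,Name\n078-05-1120,Example Person\n"),
    ("C:/Users/jdoe/Videos/clip.avi", b"constructed stand-in for a known contraband file"),
    ("C:/Users/jdoe/Documents/notes.txt", b"meeting at noon\n"),
]


def file_hash(data: bytes, algo: str = "sha256") -> str:
    """Hash file contents. SHA-256 is an assumption for this example; hash-set
    products ship their lists in whatever algorithms they support."""
    return hashlib.new(algo, data).hexdigest()


# Hash sets the filter compares against. Built from the sample contents here;
# in practice they come from curated libraries the examiner loads.
KNOWN_GOOD: Set[str] = {file_hash(SAMPLE_FILES[0][1])}
ALERT_SETS: Dict[str, Set[str]] = {
    "contraband": {file_hash(SAMPLE_FILES[2][1])},  # hypothetical list name
    "malware": set(),                               # hypothetical list name, empty
}


def kff_triage(
    files: Iterable[Tuple[str, bytes]],
    known_good: Set[str],
    alert_sets: Dict[str, Set[str]],
    enabled_alert_sets: Tuple[str, ...],
) -> Dict[str, str]:
    """Classify each file as:
       'ignore'       - hash is in the known-good set, excluded from review
       'alert:<name>' - hash is in an alert set the examiner chose to enable
       'review'       - unknown; only the examiner's own content searches touch it
    Alert sets that are not in enabled_alert_sets are never consulted."""
    results: Dict[str, str] = {}
    for path, data in files:
        h = file_hash(data)
        if h in known_good:
            results[path] = "ignore"
            continue
        hit = next((n for n in enabled_alert_sets if h in alert_sets.get(n, set())), None)
        results[path] = f"alert:{hit}" if hit else "review"
    return results


SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def string_search_hits(files: Iterable[Tuple[str, bytes]], triage: Dict[str, str]) -> List[str]:
    """A scoped content search over files left for review: return the paths whose
    bytes contain an SSN-shaped string. A binary video stand-in never matches, so
    without the alert set it is not brought to the examiner's attention."""
    return [
        path for path, data in files
        if triage.get(path) == "review" and SSN_PATTERN.search(data)
    ]


if __name__ == "__main__":
    scoped = kff_triage(SAMPLE_FILES, KNOWN_GOOD, ALERT_SETS, ())
    print("no alert sets enabled:", scoped)
    print("string-search hits   :", string_search_hits(SAMPLE_FILES, scoped))
    expanded = kff_triage(SAMPLE_FILES, KNOWN_GOOD, ALERT_SETS, ("contraband",))
    print("contraband set enabled:", expanded)
```

Run with no alert sets enabled, the video stand-in is just one more "review" file and the string search returns only the SSN list; enabling the "contraband" set is the single extra click that turns it into an alert.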
Here, the investigator chose to use the KFF, and the alert lists he enabled included hashes of child pornography. While the defendant's computer was being processed, the KFF generated child pornography alerts. The analyst then took the next step and opened a few of the flagged files to confirm that they were in fact child pornography. As the court stated:
The search here did not end with flagging the child pornography files during preprocessing, however. After the KFF alerted to the two files in question, [the agent] believed that he recognized them to be part of the "Vicky" series of child pornography based on their hash values and his experience. Rather than stopping at this point to obtain a warrant to search for images of child pornography, [the agent] briefly opened each file in order to confirm his suspicions before stopping any further processing. . . .
Based on this evidence, the defendant was charged with possession of child pornography. The defendant filed a motion to suppress the evidence, arguing that it was outside the scope of the warrant. The initial motion was denied because the court was under the impression that the KFF was an all-or-nothing option. Upon learning, on a motion to reconsider, that the KFF alert lists can be turned on and off, the court granted the motion to suppress.
The court justified its decision as follows:
The Court of Appeals has recognized that where the KFF alert flags a file as child pornography, an agent could be acting outside the scope of the warrant if he opens the flagged files without obtaining a new warrant. . . .
By opening the "Vicky" files flagged by the KFF alert, McNamee knew or should have known that those files would be outside the scope of the warrant to search for evidence of passport fraud or identity theft, particularly as the warrant did not specifically refer to evidence found in video files. . . .
. . . the Court finds that Agent McNamee took an affirmative additional step to enable the KFF alerts that would identify known child pornography files as part of his search for evidence of passport fraud or identity theft. In a case where the professed subject matter sought in the search bore no resemblance to child pornography, it is difficult to construe this as anything other than a deliberate expansion of the scope of the warrant, or at the very least, an affirmative step that effectively did so.
Holding that the use of a method like the KFF to search a computer that was not suspected of containing child pornography at the outset falls outside the warrant is the correct outcome. As the court said, enabling those alerts was an affirmative step. The government argued that the evidence would inevitably have been found (which is likely true if the analyst had simply done a straight image search and paged through the results), but the court was unpersuaded, stating that the argument missed the point. To the extent the government tied the inevitability of discovery to the plain view doctrine, the court was still unpersuaded. The court stated that the KFF had placed the officer somewhere he was not supposed to be (by bringing the files directly to his attention), and that this is different in kind from other cases where child pornography found in the course of an investigation is admitted because it was discovered inadvertently, often under the plain view doctrine. The court noted that "the suggestion that the agent inadvertently came across a file when that same agent specifically set up the situation to find and highlight this type of file by 'clicking' to enable the KFF alert is untenable."
The court summed up the holding by stating that no single step in the process may have violated the Fourth Amendment on its own, but that (1) the knowing use of the KFF with child pornography hash values, (2) the resulting alerts, and (3) the choice to open the flagged files to confirm their contents combined to leave only one permissible outcome: suppression.
The court correctly noted that this problem is not going away, and that evidence from computers must be treated differently because of its permanence and the resulting weakness of any staleness argument. The court offered that:
Given the ever increasing state of technology and consequently, technology related crimes, the Court finds that this issue is not going to go away, and in fact, will likely become more prevalent and finely contoured. Digital images or files can be located nearly anywhere on a computer and "may be manipulated to hide their true contents." . . . Accordingly, more comprehensive and systematic searches have been found to be reasonable. . . . Nevertheless, it is also important to note that there is normally no fear of degradation or dissipation of evidence or a rapidly evolving situation requiring the need to "shoot from the hip" in examining seized computer files without a proper warrant. . . . In fact, Judge Posner recently noted that the doctrine of staleness has taken on new contours as a result of technological advancements and the importance of employing a "realistic understanding of modern computer technology" when evaluating Fourth Amendment challenges to computer searches.