Tuesday, November 6, 2012

Federal court holds police exceed scope of warrant by intentionally searching for child porn during ID theft case

In United States v. Schlingloff, 2012 U.S. Dist. LEXIS 157272 (C.D. Ill. Oct. 24, 2012), Judge Shadid held that use of Forensic Toolkit's (FTK) Known File Filter (KFF) to alert on child pornography files was outside the scope of a warrant issued to look for evidence of identity theft.

The defendant in this case lived at a location that was searched pursuant to a valid warrant; the warrant was issued to find evidence of identity theft. During the search of the residence, multiple media devices and computers were retrieved, including a computer and external storage device belonging to the defendant. When the items were sent for forensic analysis, the computer forensic analyst did a search of the devices not only for identity theft (likely image and string searches), but also for child pornography using FTK's KFF option.

A short explanation of KFF. To make forensic analysis easier, files that are known to be valid (system files, DLLs, etc.) are hashed, and those hash values are compared against a disk image to exclude known valid files from further forensic analysis. Conversely, known malicious or illegal files are also hashed, and if those files are found on the computer, the KFF alerts on those hashes, indicating to the investigator that those files should definitely be investigated further. Per FTK's own literature, the KFF can be pared down to certain file lists (e.g. hashes of child porn files, virus-related files, etc.) relevant to the current investigation. Additionally, the forensic investigator does not have to use KFF - it is merely an option.
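To make the mechanics concrete, here is a small KFF-style hash filter written for this post (it is an added illustration, not FTK's code or any vendor's reference data). It models the two points above: known-good "ignore" sets remove noise, known-bad "alert" sets flag files, and the alert sets an examiner enables can be limited to the subject matter the warrant names. The sample files, hashes, library names and the `subjects` tags are all constructed for the example; real reference libraries are distributed separately from the tool.

```python
import hashlib
from dataclasses import dataclass


# Constructed stand-ins for files carved from a disk image. The names and
# contents are made up for this example; nothing here is real evidence.
SAMPLE_FILES = {
    "WINDOWS/system32/kernel32.dll": b"constructed: stub system library",
    "Users/jdoe/Documents/blank_check_template.jpg": b"constructed: image bytes 1",
    "Users/jdoe/Documents/notes.txt": b"constructed: unknown user document",
    "Users/jdoe/Videos/clip.avi": b"constructed: video bytes 2",
}


def sha1_hex(data: bytes) -> str:
    """Hash a file's bytes the way a KFF-style filter does (SHA-1 here; MD5 is also common)."""
    return hashlib.sha1(data).hexdigest()


@dataclass(frozen=True)
class HashSet:
    """One reference library: a named set of hashes, a status, and the
    investigation subjects the library is relevant to (a constructed tag)."""
    name: str
    status: str          # "ignore" (known-good) or "alert" (known-bad)
    hashes: frozenset
    subjects: frozenset  # empty for ignore sets; they are always safe to enable


# Constructed reference libraries, derived from the sample bytes above so the
# example runs offline. Real libraries come from outside the tool.
LIBRARIES = [
    HashSet("os_system_files", "ignore",
            frozenset({sha1_hex(b"constructed: stub system library")}), frozenset()),
    HashSet("fraud_document_templates", "alert",
            frozenset({sha1_hex(b"constructed: image bytes 1")}),
            frozenset({"identity_theft"})),
    HashSet("unrelated_contraband", "alert",
            frozenset({sha1_hex(b"constructed: video bytes 2")}),
            frozenset({"contraband"})),
]


def select_libraries(libraries, warrant_subjects):
    """Pick the libraries to enable for a warrant: every 'ignore' set (it only
    removes known-good noise) plus only those 'alert' sets whose subjects
    intersect the warrant's stated subject matter."""
    wanted = set(warrant_subjects)
    return [lib for lib in libraries
            if lib.status == "ignore" or lib.subjects & wanted]


def run_kff(files, enabled):
    """Classify each file by hash against the enabled libraries.
    Returns (ignored, alerted, unknown); alerted maps path -> library name."""
    ignored, alerted, unknown = [], {}, []
    for path, data in files.items():
        digest = sha1_hex(data)
        hit = next((lib for lib in enabled if digest in lib.hashes), None)
        if hit is None:
            unknown.append(path)
        elif hit.status == "ignore":
            ignored.append(path)
        else:
            alerted[path] = hit.name
    return ignored, alerted, unknown


def examine(files, libraries, warrant_subjects):
    """Scope-limited run that also records which libraries were enabled, so the
    filter configuration is part of the examination record."""
    enabled = select_libraries(libraries, warrant_subjects)
    ignored, alerted, unknown = run_kff(files, enabled)
    return {
        "enabled_libraries": [lib.name for lib in enabled],
        "ignored": ignored,
        "alerted": alerted,
        "unknown": unknown,
    }


if __name__ == "__main__":
    # Warrant limited to identity theft: the unrelated alert set stays off,
    # so clip.avi is merely "unknown" and is never brought to the examiner's attention.
    for key, value in examine(SAMPLE_FILES, LIBRARIES, {"identity_theft"}).items():
        print(f"{key}: {value}")
```

Running `examine` with only the identity-theft subject enables two libraries; the same `run_kff` call with every library enabled flags `clip.avi` as well, which is exactly the difference the court treated as an affirmative step rather than an inadvertent discovery. Keeping `enabled_libraries` in the report is the practical point for examiners: the configuration decision should be visible in the case record.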

Here, the investigator chose to use the KFF, and within its alerts were hashes of child pornography. While the defendant's computer was being searched, child porn alerts generated by the KFF showed up. The analyst took the next step and opened a few of the flagged files to confirm they were in fact CP. As the court stated:

The search here did not end with flagging the child pornography files during preprocessing, however. After the KFF alerted to the two files in question, [the agent] believed that he recognized them to be part of the "Vicky" series of child pornography based on their hash values and his experience. Rather than stopping at this point to obtain a warrant to search for images of child pornography, [the agent] briefly opened each file in order to confirm his suspicions before stopping any further processing. . . . 
Based on this evidence, the defendant was charged with possession of child pornography. The defendant filed a motion to suppress the evidence, arguing that it was outside the scope of the warrant. The initial motion was denied because the court was under the impression that KFF was an all-or-nothing option. Upon learning, on a motion to reconsider, that the KFF can be turned on and off, the court granted the motion to suppress.

The court justified its decision as follows:
The Court of Appeals has recognized that where the KFF alert flags a file as child pornography, an agent could be acting outside the scope of the warrant if he opens the flagged files without obtaining a new warrant. . . .
By opening the "Vicky" files flagged by the KFF alert, McNamee knew or should have known that those files would be outside the scope of the warrant to search for evidence of passport fraud or identity theft, particularly as the warrant did not specifically refer to evidence found in video files. . . .
. . . the Court finds that Agent McNamee took an affirmative additional step to enable the KFF alerts that would identify known child pornography files as part of his search for evidence of passport fraud or identity theft. In a case where the professed subject matter sought in the search bore no resemblance to child pornography, it is difficult to construe this as anything other than a deliberate expansion of the scope of the warrant, or at the very least, an affirmative step that effectively did so. 
Holding that the use of a method like KFF to search for child pornography on a computer that was not suspected of child pornography at the outset exceeded the scope of the warrant is the correct outcome. As the court said, that was an affirmative step. The government argued that the evidence would have inevitably been found (which is likely true if they had just done a straight image search and run through those images), but the court was unpersuaded by that argument, stating that it missed the point. And to the extent that the government tied the inevitability of file discovery to the plain view doctrine, the court was still unpersuaded. The court stated that the KFF had placed the officer somewhere he wasn't supposed to be (by bringing the files directly to his attention) and that this is different in kind from other cases where CP found in the course of an investigation is allowed because it is discovered inadvertently - often under the plain view doctrine. The court noted that "the suggestion that the agent inadvertently came across a file when that same agent specifically set up the situation to find and highlight this type of file by 'clicking' to enable the KFF alert is untenable."

The court summed up the holding by stating that each step in the process, taken alone, may not have violated the Fourth Amendment, but (1) the knowing use of the KFF with CP hash values, (2) the alerts on the CP, and (3) the choice to open the files to confirm their contents combined to lead to only one permissible outcome: suppression.

The court correctly noted that this problem is not going away, and that evidence from computers must be dealt with differently because of its permanence and the unlikelihood of a staleness argument. The court offered that:
Given the ever increasing state of technology and consequently, technology related crimes, the Court finds that this issue is not going to go away, and in fact, will likely become more prevalent and finely contoured. Digital images or files can be located nearly anywhere on a computer and "may be manipulated to hide their true contents." . . . Accordingly, more comprehensive and systematic searches have been found to be reasonable. . . . Nevertheless, it is also important to note that there is normally no fear of degradation or dissipation of evidence or a rapidly evolving situation requiring the need to "shoot from the hip" in examining seized computer files without a proper warrant. . . . In fact, Judge Posner recently noted that the doctrine of staleness has taken on new contours as a result of technological advancements and the importance of employing a "realistic understanding of modern computer technology" when evaluating Fourth Amendment challenges to computer searches.


  1. Computer searches are being run in a consistently overbroad manner, and judges are commonly influenced by the most ubiquitous and influential subject matter (CP) in these cases, along with the DoJ line on needing to search every file on a computer for evidence.

    I'm glad to see at least one agent acknowledge that government agents using hash filters is "standard procedure" when searching a computer, and that they are using hashes (or not using hashes, like in US v Farlow) to justify a general rummaging through people's personal documents and pictures. Whether or not a hash search is like a "drug dog" search for contraband hasn't really had any discussion outside of the law journal commentary; it's nice to see a court holding that standard procedure contraband searches are overbroad. The KFF alert -> search warrant sequence hinted at as being allowable by other courts not only fails to acknowledge that the use of hashes is a search, but also illustrates the failings of Horton to address plain view in the digital context.

  2. I completely agree. Additionally, returning to the bedrock of the Fourth Amendment - reasonableness - I find it completely unreasonable to do such rummaging. Warrants must state with particularity what is to be searched, which serves to define the scope of the warrant. In the computer context, warrants to search computers should be held insufficient (in certain cases) if the general grant is to search the entire computer. Particularity in the computer context cannot be that vague, given the complexity of computers/file systems/file types, etc.

  3. Hi, we are talking about child porn, not Playboy pictures. Children being abused and people taking pictures.... Whiskey Tango Foxtrot, people?
    This isn't about smoking a little pot or speeding.

  4. The nature of the crime has nothing to do with the rights of United States citizens to be protected from unreasonable government searches. We don't dissect these cases because we are "for" child pornography. I find fascinating what behavior people are fine with because "it's only sex offenders". It's only a communist. It's only a witch. It's only a homosexual.

    What affects one unpopular group with regards to the Fourth Amendment affects ALL citizens of the United States, as history has shown. Most computer search and seizure law deals with this subject matter, and the prejudicial nature of the offense can lead to law enforcement apathy to their constitutional edicts. The judiciary is supposed to be a reminder of that, and it is nice to see the system work correctly.

    I am not unsympathetic to the needs of law enforcement. I am unsympathetic when they use CP to justify unreasonable forensic searches, simply because of what they found. Many, many pieces of evidence have been tossed to protect the Fourth Amendment, and while that trend has slowed down due to Leon, Gates, and Herring, reasonableness remains the touchstone. Ignore it at your own peril.

  5. I should also mention that if I were retained as an expert for the government, I would attack any pseudo-science in the defense's argument with the same zeal. Judges cannot have a complete understanding of how forensics work, so they must have the best information possible.

    Bad science is the real enemy, not law enforcement.

  6. This is just an example of having an inexperienced examiner doing the exam, with no supervision by someone who actually is or has been a cop for any length of time.

    Agent McNamee ("agent" = idiot, as in not a real cop) is a disgrace to the computer forensic community.

    Any real cop computer forensic examiner would have searched for images of checks, pictures of ATMs, photos of financial documents, photos of personal identifying info, etc.

    During that search of images, he would have found two files with titles suggestive of child pornography and recognized them as titles seen previously on a child porn examination. Then, immediately alert the lead investigator of the presence of these files, get an amended warrant, images admitted, suspect found guilty.

    This is just an example of a lazy examiner, running an automated process instead of taking the time to use keywords related to ID theft and a manual exam of pictures for ID theft related items.

    During that type of exam, he would have come across these pictures anyway, but LEGALLY.

    1. Actually, "real cops" in my experience are the worst offenders for going on what's known as fishing expeditions, and their sense of impartiality is sadly lacking in too many cases.
      Most LE CF units will work to policies and procedures, and it may be that it was their policy to include searches for CP. I certainly don't think he is a disgrace, and you may find that this is more common than you think.
      If you had to get an amended warrant every time you came across files with "titles suggestive of child pornography", then you would be doing it all day long. Even a relatively inexperienced examiner will know that most computers with 'normal' porn on them will also have files with names that suggest that their content is CP but whose actual content is something different. Just because a file is called 'picture of a cat.jpg' doesn't mean it can't be a picture of a dog.