United States v. Cote, AFCCA, Misc. Dkt. No. 2009-15, 6 Apr 2010 deals with lawful search of a computer device. Appellee was investigated by the North Dakota Bureau of Criminal Investigation (NDBCI) when nine files of suspected child pornography were linked to his IP address in a peer-to-peer (P2P) investigation.
The NDBCI got a search warrant from a federal magistrate to search appellee's on-base dormitory room. The warrant authorized seizure of all electronic devices and storage media, but the search had to be completed by 19 July 2008, and an addendum to the warrant required that any electronic device seized in the search must be searched within 90 days. The investigator seized a Sony laptop, an HP laptop, and a WD external hard drive. The investigators made forensic copies of the Sony and HP hard drives within the 90-day time limit.
The Sony contained two suspected child pornography images, but the HP drive was scrambled and unreadable. The investigators were not able to copy or analyze the WD drive. In July 2009, one year later, military trial counsel requested another review of the Sony and HP drives. Using the forensic copies, the investigators found three suspected child pornography images on the HP drive that appeared to match the initial nine images found in the P2P investigation, and on the Sony drive they found Internet search histories related to child pornography. In August 2009, DCFL repaired the WD drive. In October 2009, the NDBCI found 22 video files of suspected child pornography on the WD drive. The military judge suppressed all evidence from searches after the 90-day deadline, whether the searches were of the actual devices or copies of information from them.
The court held that searches of all three devices in this case were lawful, using an abuse of discretion standard to review the military judge's ruling. The lawfulness of a digital device search occurring after a warrant's time-limit depends on the precise language of the warrant, and the purpose of the time limit. If the time limit only applied to digital devices, the time limit does not apply to forensic copies of data made from the devices before the time limit. If the time-limit has constitutional considerations, such as the probable cause decision, violating the time limit could lead to suppression.
Because computer searches involve two steps, the physical seizure of devices and the later search of those devices, the language of any time limit in a warrant must be closely examined. In this case, the time limit only applied to seized devices and media, not forensic copies of information from those devices and media. Even though appellee had a reasonable expectation of privacy in data on his computers, he did not have an expectation of privacy in forensic copies of that data that were created pursuant to the lawful warrant.
Because the forensic copy of the WD drive was made outside the 90-day time limit, the search of data from the WD drive violated the scope of the warrant. The relevant question is whether the time violation "violates the fundamental requirements of the Fourth Amendment." In this case, the time limit had nothing to do with probable cause, which would be a "fundamental requirement of the Fourth Amendment," but simply dealt with the return of non-contraband items to the owner. Because the child pornography on the Sony and HP drives gave investigators probable cause to believe there was child pornography on the WD drive, investigators could not return it as non-contraband. There was therefore no constitutional violation in the search of the WD drive.