The Plain View Doctrine

Sometimes a forensics examiner will discover electronic evidence that may implicate the suspect in a separate crime than the one currently being investigated.

The plain view doctrine states that evidence found without violating the Fourth Amendment can be admissible and used to seek a warrant. So, if an examiner is conducting a search based on legal authorization (e.g., warrant) and runs across evidence of a crime unrelated to the crime being investigated and/or falls outside of the examiner’s authorization, then that evidence can be seized. 

Can the search continue for the evidence related to this newly discovered (alleged) crime? Not without authority—another warrant. By doing so, an investigator would exceed the scope of the current warrant. That would be problematic. Not only will everything that was found outside the scope of the warrant be probably suppressed (and possibly anything found within the scope), but this would be an “illegal search."

Anytime that an investigator finds evidence in “plain view” outside the scope of the warrant, that investigator should seek another warrant. 

As an example, consider an investigator who examined a computer system that was alleged to have been used in computer intrusions. The investigator found ncriminating evidence such as a photograph of the suspect appearing to be engaged in criminal conduct in “plain view.” 

The investigator immediately stopped the examination and sought another warrant.

If you think about it, if the investigator continued the examination, under the original scope of the initial warrant, and found other photographs of alleged criminal conduct involving the suspect in plain view, the defense at trial would say that the investigator was actually searching outside the scope of the warrant and was on a “fishing expedition” that led to the additional photographs of the suspect engaged in additional criminal conduct not specified in the warrant. 

Here are some other hypothetical situations to consider:

What is the proper action, if as a digital forensics examiner, you discover photographs of apparent drug dealing while investigating email messages related to a bank fraud case? How might the situation differ if the original investigation was a murder case involving digital images? Should the digital forensics examiner have been examining image files in all scenarios that could be located on the computer? Imagine that the suspect had attempted to disguise one of the drug dealing photos with an image file name like familyreunion.txt. In this instance, the digital forensics examiner investigating the case would likely participate in an “inevitable discovery” of the familyreunion.txt. file during the bank fraud investigation, and thereby discover evidence for a separate crime.

Some courts have ruled that the defendant has no right to privacy for the remainder of the electronic device when evidence pursuant to the warrant is discovered. In addition, it is often necessary to review all files on an electronic device to find evidence that falls within the scope of the warrant. The examiner must be conscious of what is and is not plain view, and must be prepared to defend his or her examination process based upon the specific authority granted to law enforcement to conduct a specific digital forensics examination search.

In some instances, a digital forensics examiner may need to be aware of the manner in which certain digital forensics examination tools operate to parse evidence file artifacts, or may need to use a command line approach to file carve evidence files, to ensure that the examiner does not violate court limitations that may be placed on the computer search.

References

Jarrett, H. M., Bailie, M. W., Hagen, E., Judish, N. (n.d.). Searching and seizing computers and obtaining electronic evidence in criminal investigations. https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf 

Resources

Check Your Knowledge

Choose the best answer to each question:

Question 1
While searching electronic evidence related to a bank fraud crime, you the investigator accidentally discovers child exploitation images. Which of the following could result in admissible evidence for the new crime? 
Search the rest of the device for more evidence of this new crime. 
Ignore the new possible evidence because it is not covered by the current warrant and continue the search that is within scope. 
Continue the search within the scope of current warrant, then seek an additional warrant for this crime. 
Stop the search, record location, descriptions, and proof, then seek a warrant. 
Question 2
It is usually necessary to review all files on a computer to find evidence that falls within the scope of a warrant, so the plain view doctrine is often invoked by investigators. 
True
False