Criminal acts are those acts offending society as a whole. Should an individual be the victim of a criminal act, it is deemed to be a criminal act against society. Interestingly, it is possible that criminal acts may also form the basis for civil suits. So the offender may suffer a criminal sentence for violating criminal statutes and may be sued, resulting in financial awards for victims. Criminal laws are found on federal, state, and local levels with many overlapping one another, resulting in jurisdiction controversies.
The primary distinction between criminal law and civil law is the degree and type of punishment. Criminal laws vary widely in their penalties, including fines, restitution, asset forfeiture, incarceration, and supervised probation. Because the nature of criminal punishment is so potentially devastating, there are many safeguards protecting the defendant's rights. Defendants have the right to be faced by their accusers, they have the right to competent legal counsel, they have the right against self-incrimination, they have the right to their possessions from unwarranted search and seizure, they have a right to have a jury of their peers decide their case, and they have the right to legal appeal.
Distinguishing criminal proceedings from civil actions is the assumption that defendants are not guilty, with the burden of proof resting on the prosecution. As criminal laws are found on multiple levels, so it is with prosecution. It is important to note that although there are different levels of prosecution, the steps taken by prosecutors are basically the same. Cases are characterized, regardless of venue, on the establishment of probable cause, with convictions proved beyond a reasonable doubt.
Allegations
In their most basic form, these are the steps of a criminal investigation and conviction.
Most cases start with an allegation. This allegation may be a factual statement made by a witness, a logical conclusion based on a credible witness' experience, a series of news reports, the findings of an audit, or something similar.
Two prongs must generally be present before starting an investigation: (1) are the allegations reasonable? and (2) are the allegations corroborable?
Investigations cannot be motivated by personal or political reasons; they must be based on articulated facts and circumstances. Law enforcement officers, agents, prosecutors, and the courts have many levels of supervisory, appellate, citizen, legislative, and legal safeguards. Administrative and legal penalties face law enforcement investigators if they engage in prohibited conduct, ranging from censure, dismissal, civil suit, and incarceration.
The Investigation
Investigators are tasked with evidence collection. The most valuable evidence comes from those who have direct knowledge of the criminal act supported by physical evidence. Of course, what a witness has observed or heard determines direct knowledge. If a witness sees someone committing a criminal act, that is direct knowledge. However, if the systems administrator tells her supervisor about an alleged criminal act committed by the help desk manager, that is considered hearsay and, depending on a number of circumstances, may or may not be admissible. Just because overheard statements may be hearsay does not necessarily diminish their value. For example, in most jurisdictions, statements made by defendants that are overheard by third parties are admissible as hearsay statements in legal proceedings. Hearsay should be documented as part of the investigator's interview report but only after documenting their direct knowledge. Investigators must separate what is direct knowledge from hearsay when interviewing witnesses.
Witnesses
For the most part, witnesses are divided into several categories. They may be witnesses of fact; they may possess specialized experience, training, and expertise and be called as expert witnesses; or they may be witnesses that may testify about a defendant's history, character, or credibility.
If witnesses or other people having material facts or evidence are reluctant to provide these facts, or it is deemed important to generate a transcript of testimony, these individuals may receive a summons or subpoena to appear before a grand jury or a judge. During such appearances, the witnesses are examined while a recording of their testimony is made. Such proceedings may be open to the public or in the case of a grand jury, they are held in secret.
Grand Juries
Grand juries are bodies of common persons empaneled for a period of a year or more who have the job of reviewing evidence and deciding the existence of probable cause. Prosecutors with supervision and oversight conduct grand jury proceedings by a presiding judge. Defense lawyers may not enter the chambers representing their client's interests. However, if a witness so desires, she may stop the proceeding and consult with her attorney outside the grand jury chambers. Grand juries listen to witness examinations conducted by prosecutors, review physical evidence, and listen to arguments from prosecutors. Defense attorneys are rarely allowed to address grand juries. This may seem unfair, but the task of the grand jury is merely that of deciding the existence of probable cause; they are not charged with deliberating the defendant's guilt or innocence. Grand juries decide whether sufficient probable cause exists that a crime has been committed and whether there is sufficient probable cause to believe that the defendant committed that crime. Grand juries are generally chosen from voter rolls or similar lists. Selection is random and the term of service may vary from one year to more than 18 months. Depending on the nature of the case under investigation, it is possible that a grand jury might be named to hear only one case. Depending on the matters before them, they may meet monthly or more often.
In most cases, grand jury proceedings are secret. Grand jurors, prosecutors, and reporters suffer criminal prosecution if they reveal the content of the proceedings; however; witnesses generally are free to discuss their testimony and the proceedings without sanction.
Experience Note | Probable cause is a term that has vexed many people and is defined by legal terms that can become overly entwined. For argument's sake, consider that probable cause is defined by a set of facts and circumstances that lead reasonable people to believe that it is probable that an alleged event actually happened. |
Grand juries have the task of deciding probable cause. Based on testimony and evidence:
-
Is there probable cause to believe a crime has taken place?
-
Is there probable cause to believe that a person, named or unnamed, committed that crime?
Grand juries may not be persuaded by conversations heard outside their deliberations or by news reports; they may only consider the case by the evidence and arguments presented in their chambers.
Transcripts of their proceedings include the examination of witnesses, introduction and examination of evidence, and statements made by the prosecutors. Grand jury deliberations are not recorded and are not subject to discovery. After hearing testimony, reviewing evidence, and hearing argument, grand juries deliberate. At this time, the prosecutor is not permitted to participate in their deliberations and is excused along with the recorder. Prosecutors present them with an indictment. Basically, an indictment is a formal document where a defendant is charged with violating the law. If grand jurors arrive at a decision, there are two paths: true bill and no bill. True bills result in indictments. Indictments mean the grand jury has decided there is sufficient probable cause to charge the defendant with a crime. Traditionally, indictments are divided by the number of times the defendant allegedly violated the law. In many jurisdictions, defendants are not invited to the grand jury and they do not have the opportunity to deliver evidence or testimony that would show that the evidence is not sufficient to accuse them. There are jurisdictions that send "target letters" to potential defendants who are subjects of grand jury investigations. They are invited to deliver any exculpatory evidence to the grand jury before they deliberate.
In the true bill, the grand jury decided there was probable cause and the prosecutor takes the indictment to the presiding judge, requesting either a warrant to arrest the defendant or a summons for the defendant to appear. In the case of a no bill, the prosecutor has the grand jury's decision and she must decide whether all the evidence has been presented and the matter is closed, or seek more evidence and present the matter again for further consideration.
In jurisdictions not having grand juries, the accusatory process is similar, except the matter is presented to a single judge listening to the witness testimony and reviewing physical evidence. In this case, the proceedings are recorded as they are before the grand jury. The judge is responsible for making the probable cause decision. This decision also results in either an arrest warrant or a summons to appear.
Arrest warrants are documents commanding law enforcement officers to arrest individuals, assuring their appearance before the court of jurisdiction, meaning the court where they are accused. If defendants are arrested outside the originating venue, then it becomes a matter of whether prosecutors will seek extradition of the defendant, wherever he may be found. Extradition may be waived or pursued at the pleasure of the defendant, as there are certain rights that attach. The defendant has the right to dispute whether he is the person named in the arrest warrant and to be represented during those proceedings. Summons are similar to invitations in that they command an individual to appear before the court; however, if they fail to do so, the judge will dismiss the summons to appear and issue an arrest warrant.
Arrest warrants can be executed by law officers and, depending on the circumstances, by ordinary citizens. They are enforceable at any hour on any day.
Subpoenas and Summons
Subpoenas may be issued by the grand jury and are basically predicated on investigative need. They are demands for a witness to appear or evidence to be brought before the grand jury. A summons is a document issued by judges demanding a witness appearance or evidence. Subpoenas may be quashed (dismissed) if the person named provides sufficient cause contesting the subpoena, validity of the subpoena, or the demands made by it.
Experience Note | A person receiving a grand jury subpoena is commanded to appear at the grand jury for testimony. She is not the same person as named in the subpoena and advises the court of the matter. The prosecutor is convinced she is the correct person and refuses to withdraw the subpoena, so her attorney files a motion to quash the subpoena triggering a hearing. At the hearing, the presiding judge hears testimony and argument, deciding if the subpoena should be enforced. |
If there is sufficient cause to quash, then the court of jurisdiction withdraws the subpoena or summons. Failing to file a motion to quash, or sufficient other reason, the person must comply with the subpoena or summons, or the court issues an arrest warrant to have the named person arrested and brought before the court.
If a person is taken before the examining body, either a grand jury or judge, he retains his rights. In these proceedings, he has a right to legal counsel (although his lawyers may not appear before the grand jury, the proceedings may be stopped and they may consult with their client outside the grand jury room for advice), and he has the right against self-incrimination in his testimony. There have been many cases where an individual who received a subpoena and was commanded to appear before a grand jury invoked his Fifth Amendment rights when questioned. But he appeared because if he failed to do so, he would have been arrested.
There are generally two types of subpoenas: one resulting from a grand jury investigation and the other being issued by a judge. Both are documents based on need carrying the weight of the court. Judge-issued subpoenas are issued for witnesses and evidence to be presented before them at judicial proceedings, usually trials.
Search Warrants
Only law enforcement officers may obtain search warrants, as these documents carry the force of law in their execution. These are instruments that allow the search and seizure of evidence, persons in the case of third-party residences, assets to be seized, and instrumentalities or fruits of a crime. Because they carry force of law, force may be used in their execution should there be any impediment. However, if the executing officers fail to follow the law as well as their department's policies and procedures then they may be successfully sued.
Search warrants are not valid for civil and administrative actions and may not be executed to obtain evidence for these actions. Under the Fourth Amendment to the U.S. Constitution and subsequent case law, a law officer must provide a judge or magistrate with a sworn affidavit detailing the facts and circumstances surrounding the alleged crime. The information delivered by the affidavit must be complete, and the search warrant can only be weighed by its content. Search warrants usually contain the case's allegations, citations of criminal statute violations, a description of the area to be searched, and the reason there is probable cause to search the area. The presiding judge may ask questions by way of clarification, but the affidavit must be a document that stands on its own.
Basically, the judge is going to apply the following test to the affidavit:
-
Is there probable cause to believe that a crime has been committed?
-
Is there probable cause to believe that a person (named or not) committed that crime?
-
Does this court have jurisdiction over the specified crime?
-
Is there probable cause to believe that these fruits or instrumentalities are at that specified location now?
Search warrants are composed of two separate documents: the actual warrant and the affidavit. The search warrant is composed of a formal document describing in detail the area to be searched, the items to be seized, and the court of jurisdiction. Affidavits are statements of facts and circumstances supporting the search warrant.
Search warrants must specify what it is that is going to be seized. The actual area to be searched must be specified on the warrant and may not be expanded by the officers without obtaining another search warrant. Officers may use their observations in the currently valid search warrant to obtain probable cause for another search warrant to expand the area not covered in the first warrant. However, if an item of evidence or contraband is located "in plain sight" while legitimately executing the current search warrant, it may be seized even though the item was not specified on the warrant. This "plain sight seizure" may be used as predication for a second search warrant expanding the original one.
Experience Note | While officers were executing a search warrant for electronic evidence, they ventured into a cabinet looking for storage media and relevant documentation. The cabinet was within the bounds of the warrant. One of the officers located a bag, weighing approximately one pound, of what appeared to be cocaine. The officer administered a commercially available field test for cocaine, returning a positive reaction. The bag was seized and, based on this discovery and other evidence, the cabinet's owner was charged with criminally distributing cocaine. The court ruled at a suppression hearing that the cocaine seizure was a "plain sight seizure" and was executed within the confines of the search warrant. The cocaine was admitted as evidence. |
Any legal challenges to the search warrant such as the reliability of the affidavit's information, the freshness of the information, and the truthfulness of the information, must be addressed through formal hearings and may result in the exclusion of the seized evidence from proceedings or trial.
Experience Note | It is unwise to impede the execution of a search warrant in any way. Such actions will generally result in the arrest of the person who is obstructing. In most jurisdictions, impeding or obstructing a search warrant is a felony and receives a commensurate sentence. However, persons legally present during a search warrant are well within their rights to ask for the identities of the executing officers, they may make notes or photographs of any officer conversations or actions that they witness, they may also leave the search area. Officers executing a search warrant secure the area, meaning they are going to look for persons or things that may be harmful or capable of evidence destruction. |
Persons found at the location of a search warrant are to be told to move away from equipment, workstations, and media. It is also within the officer's purview to pat down the occupants, looking for weapons or devices that might destroy evidence. Once occupants have departed the search area, it is unlikely the officers will allow them to return, and this is a legal act on their part until the search warrant is completed. In some cases, officers may answer telephones and ask details of the callers.
Search warrants are valid only during daylight hours, meaning from 6 a.m. until 10 p.m., unless the officers have established that there are special circumstances that must be stated and justified to the court. Additionally, all search warrants must be executed by knocking and announcing the officers' identities and intentions at the door. Officers may provide special circumstances to the court relieving them of these knock-and-announce obligations. These are the infamous "no-knock" search warrants that have been widely publicized. If the executing officers can provide sufficient cause to the court that knocking and announcing will result in the destruction of evidence or place lives in peril, then the court may be moved to grant this type of warrant. Similarly, justification must be made to the court when officers want to execute the search warrant outside the daylight-hours provision.
Experience Note | The fact that search warrants must be executed during daylight hours does not mean they must be completed in that time frame. It means the warrant must be started during that time frame. |
When officers are executing search warrants, they are in control of the area, meaning they control people's comings and goings, telephone calls, computer activities, etc. If there are any objections to the fashion in which the search warrant was executed, the time and place for contesting a search warrant is in the courts, not during the search warrant execution.
Experience Note | Search warrant execution has the goal of obtaining evidence or fruits of a crime. There cannot be another purpose such as using a search warrant to seize a business' computer network, resulting in the closure of the business. |
The law enforcement agency is required to take every reasonable step to return the business to normal operation as soon as is reasonably possible. Officers must copy data and documentation and return the equipment necessary for the business to continue operation. Search warrants are not analogous to injunctions or cease-and-desist orders. Allegations of outrageous government conduct are often made regarding the fashion in which search warrants are executed or the reason for the warrant.
Experience Note | Subpoenas and summons are based on "investigative need" and not probable cause. Obtaining a search warrant in place of a subpoena is basically at the discretion of the officer and prosecutor commensurate with the amount of probable cause. |
If allegations of outrageous conduct have sufficient merit, they may trigger sanctions by the presiding court, evidence exclusion, civil suits against the officers and their agency as well as administrative actions against the offending officers.
Experience Note | Search warrants are required in the case of third-party residence and if an officer wants to search for a person she wants to arrest. Also, search warrants must be obtained if an officer wants to search a location for assets to be seized pursuant to forfeiture actions. |
When the search warrant is executed, whether anything was seized or not, a copy of the search warrant must be deposited at the location where it was executed along with an inventory of seized items. This search warrant is the document describing the area to be searched and the items to be taken. It does not include the supporting affidavit.
The second part of the search warrant is the affidavit constituting a sworn statement by the officer swearing to the truthfulness of the matter. The officer swearing to the warrant is known in legal terms as the affiant. The law does not require the affiant to have first-hand knowledge of the details of the statement, merely that he has reliable knowledge.
Court Orders
Court orders are issued by a court of jurisdiction and may be requested by law enforcement officers and non-law enforcement officers, depending on the nature of the case. Federal court orders may be filed for a wide variety of actions. For example, an officer installing a video camera on a public building to monitor the area below might require a court order. Court orders are also two-part documents with an application stating the facts and circumstances to the judge justifying the order and the second document being the actual court order.
Testimony
Witness testimony is obtained through interviews, depositions, and examinations. Remember that interviewing is a conversation directed toward specific events. Interrogations are different from interviews; they are deemed coercive, are conducted in a much more hostile atmosphere with the administration of advice of rights, and usually contemporaneous to an arrest. Interviews may be recorded in audio and video form or the investigator may take notes that serve as the basis for a written report of interview.
Experience Note | Recording media and all forms of notes are considered evidence and must be retained along with a chain of custody schedule. |
In the case of the report of interview, this document is not considered a verbatim transcript of the interview; rather, it is a synopsis of the witness statement and serves to deliver information to the prosecutor and defense, and may serve to refresh the witness' memory at trial.
Depositions are formal examinations attended by attorneys, parties to the action, and persons responsible for generating a formal record of the proceedings. Attorneys ask questions of the witnesses, attempting to ask questions that will cause the witness to provide testimony or evidence favorable to their side.
When a judge or magistrate judge examines a person, witnesses are sworn to tell the truth and the judge asks questions with the proceedings recorded. Attorneys representing their clients are present during these hearings along with the prosecution.
Expert Testimony
Typically, expert witnesses are people who are known for their expert knowledge in specific matters. Such knowledge may be technical, scientific, or by virtue of their experience. Federal Rules of Evidence, Rule 702, indicates that if scientific, technical, or other specialized knowledge will assist the trier of fact, then a witness qualified as an expert may testify in the form of an opinion. The U.S. Supreme Court expanded this rule (Daubert v. Merrell Dow Pharmaceuticals, Inc.) in that FRE Rule 702 requires an obligation from trial judges ensuring that expert testimony is reliable and relevant. In this decision, the Court ruled that there is a "gate keeping" obligation placed on judges applicable to all other types of expert testimony.
While it is common to label expert witnesses as people with advanced college degrees, many experts are people who are experienced systems administrators, help desk operators, or risk managers. It is possible to qualify someone as an expert witness just because the individual possesses great knowledge about a particular information technology system or a specific application. The advantage in using such expertise is that it brings a sense of honesty and sincerity to the courtroom.
The basic definition of an expert witness is someone who knows more about a particular topic than the jury and someone who can materially contribute to the jury's task. Nothing is specifically required in terms of background, training, knowledge, or education, other than a sufficient understanding of the relevant subject, contributing to the jury's ability to understand the truth of the matter at hand.
Expert witnesses might participate in grand jury proceedings, judicial hearings, trials, and sentencing.
Defense Arguments Relative to Expert Witnesses
While the expert witness may be someone who advertises or is well known among legal firms as available to testify, too often she is a person that regards herself as able to testify about almost everything.
It is important to note that these so-called experts base their abilities on an engineering background and education. Such experts are vulnerable to vigorous cross-examination by using their previous testimony or depositions. Usually a cross-examination enumerates the various cases that the expert witness has testified, showing that this person claims to be an expert on almost any subject. This activity has the effect of canceling her credibility.
There is an art to delivering expert testimony and not giving away the case. Many inexperienced witnesses tend to believe that the purpose of cross-examination is to discover the truth. The actual purpose of cross-examination might be to make the witnesses appear to be saying something different than what they are trying to say or have said previously. By contradicting themselves, they appear to be less credible to the jury. Experienced expert witnesses think carefully before they answer questions and tend to deliver answers that are exactly responsive to the question.
The Supreme Court further ruled that FRE Rule 702 does not distinguish between scientific, technical, and other specialized knowledge that might be the subject of expert testimony. The Court also highlighted that the essential function of gate keeping is to ensure the reliability of expert and experience-based testimony, and the trial court should consider tests where there are reasonable measures of reliability.
The simplest way of providing valuable testimony is to listen to the question; answer the question sincerely, truthfully, and completely; avoid incomplete responses; do not talk to the jury; and do not address matters outside your knowledge or expertise.
Computer Evidence
For more information, there is an article authored by Orin S. Kerr, Trial Attorney, Computer Crime and Intellectual Property Section, U.S. Department of Justice, written in March 2001. [13] His article is well documented, citing case law and addressing electronic evidence, its authenticity and reliability. There are many urban legends about electronic evidence and Mr. Kerr's article dispels many popular misconceptions.
In executing a search warrant, these are the usual steps by law officers ensuring credible testimony. Law enforcement officers should be trained in the legal and correct methods to collect evidence, ensuring its admissibility at the time of their testimony. If evidence is not gathered in accordance with the greatest attention of detail, it is likely that the evidence will be excluded from further use and may render the case impotent.
Law officers will gather evidence using a process similar to the following:
-
Secure the area where potential evidence is stored, and remove anyone from equipment that could cause the alteration or destruction of the evidence.
-
Ensure there are no devices or weapons that could be used to harm the officers or destroy evidence.
-
Determine if the environment is networked to the outside in an effort to determine if all information is being obtained within the boundaries described by the search warrant. Search warrants are valid for very specific areas and may not be extended. If other potential evidence is discovered outside the scope of the search warrant, officers will secure the area and another search warrant sought to expand the search area. If officers expand the area to be searched without a superceding search warrant, any seized item will likely be rendered inadmissible when attempting to introduce it in court.
-
An officer or examiner with technical forensic training will begin to conduct interviews in order to determine the types of equipment, software, network topology, location of network equipment, network connectivity, and location of backup media.
-
Investigators will photograph and document the search site. This allows them to have a reference for evidence seizures as well as an inventory of seized items.
-
Investigators will generally conduct interviews at this time.
-
Depending on the search warrant, the investigators will seize the target machines or forensically copy the hard drives. Also depending on the search warrant, investigators will either forensically copy the removable media or seize it and copy it later.
-
Investigators will likely seize documentation and media associated with the target machines. Documentation will likely include notes, scraps of paper, user documentation, calendars, diaries, "Post-Its," and items located in the trash.
-
The investigators will initial, date, and tag all the seized items. Seized items will be entered on the seizure inventory. A chain-of-custody schedule will be made, documenting the discovery, location, and anyone who has custody of the evidence.
-
Upon completing the search, the officers will deposit a copy of the search warrant, not including the affidavit, and a copy of the seized-item inventory.
-
Within five days of the executed search warrant, the search warrant return must be made to the court that issued the search warrant. This return is the information that the search warrant was executed, when and where it was executed, and is accompanied by the seized-item inventory. Depending on the case, the search warrant, affidavit, and the inventory may be sealed and may not available until a motion for unsealing is filed.
Experience Note | The Privacy Protection Act of 1980, 42 U.S. Code 2000aa, requires law enforcement officers to obtain a subpoena, rather than a search warrant, when acquiring materials that are reasonably believed to relate to publication, broadcast, or similar communication to the public. |