Writing A Search Warrant Application for a Mobile Device

March 3, 2015
The takeaway: get as narrow as possible with dates you need, and be prepared to justify broader searches. Witnesses, surveillance camera video, carrier call detail records, business transactions, and other information can all help.

Search warrants for mobile devices are in the news again. This time, the issue isn’t whether a warrant is needed; it’s how specific the warrant needs to be. Last June, Riley v. California, 573 U.S. ___ (2014) required police to demonstrate probable cause for search incident to arrest by showing where and how they believe a mobile device contains evidence of a crime. This month, the court in United States v. Winn, __ F.Supp.3d __, 2015 WL 553286 (S.D.Ill. February 09, 2015) took Riley one step further by focusing on particularity: the need for police to specify what evidence they are looking for within a subject’s mobile device.

The problem was that investigators searching Winn’s mobile device used an “overbroad” search warrant, and therefore, intruded into private data that had nothing to do with the case under investigation. The evidence was suppressed, and the court ruled that not only data types, but also time frames should have been specified in the search warrant.

The case came from a federal district court, so while you should always work with the prosecutors in your jurisdiction to develop your search warrant templates and guidelines, here are some general suggestions on how to approach mobile device search warrants.

Use good interview techniques to determine the data and time frame you need.

The original complaint offered a specific date -- June 18, 2014 -- on which Winn, an adult male, used his cell phone to photograph or videotape a group of young teen girls in swimsuits without permission at a local public pool. The following Monday, detectives interviewed 11 witnesses, none of whom appeared to indicate that they had seen Winn on days other than June 18.

Using that information, a well-written search warrant would have limited investigators’ search only to that one day and only to images and videos. Even if investigators had an indication that Winn had previously exhibited similar behavior at the pool, they still would have needed to limit search of the phone to the period of weeks in which it was reported to happen.

The takeaway: get as narrow as possible with dates you need, and be prepared to justify broader searches. Witnesses, surveillance camera video, carrier call detail records, business transactions, and other information can all help. Use the data you obtain as part of timeline-building for your case, to identify data to search in your warrant.

When possible, use victim and suspect interviews to secure consent to search -- and make sure the consent form you use is particularized (with, say, check boxes) to certain data types. Also specify timeframes on the form when you can.

Good search warrants can be as simple as Who, What, Where, When, and Why.

Once your interviews and other evidence-gathering have helped you to establish probable cause to search a device, articulate it:

  • Whose phone is it, and what data needs to be reviewed to tie the device to the suspect?
  • What information, relevant to the crime being investigated, are you looking for: pictures, SMS, indicators of ownership, etc.?
  • Where would the information be located: galleries, contacts, calendars, communications such as SMS/email/voicemail, location data, elsewhere?
  • When/ in what time frame of data are you looking (one minute, one day, one week, one month, one year)?
  • Why do you think the information sought will exist in the categories to be searched during the relevant time frame?

Use a search warrant template, but modify it to fit each case.

The search warrant template detectives used to search Winn’s phone permitted them to search “...any or all files contained on said cell phone and its SIM Card or SD Card to include but not limited to the calendar, phonebook, contacts, SMS messages, MMS messages, emails, pictures, videos, images, ringtones, audio files, all call logs, installed application data, GPS information, WIFI information, internet history and usage, any system files on phone, SIM Card, or SD Card, or any data contained in the cell phone, SIM Card or SD Card to include deleted space.”

Yet, out of that list, only images and videos were clearly relevant to the crime under investigation.

Using the “who, what, where, when, and why” outlined above, if investigators wanted additional data, they might have argued:

  • To authenticate that Winn was indeed the device owner, detectives might have wanted to look at messages or calendar items.
  • If Winn or witnesses led the investigator to believe that Winn had appeared on other days and times, GPS or other geolocation data might have been valuable.
  • Geolocation data could also have exonerated Winn if it showed that he was not, in fact, at the pool on the date and time specified.
  • If a witness said Winn had communicated with her via SMS, the text messages during a time frame she specified would be relevant.
  • If investigators thought that Winn had deleted evidence of his conduct, then they could have specified the need for deleted data. (Note: the process of extracting deleted data from unallocated space on a device’s memory doesn’t allow for particularity. It’s up to you to limit the data you look at after this type of search.)

If you aren’t sure why, get a specialist’s take.

Draw on the expertise of local investigators who specialize in certain types of cases. Gang investigators, narcotics investigators, burglary investigators, and in this type of case, child pornography investigators can all be in a position to offer expert opinion on why certain types of data matter.

In this type of case, an investigator specializing in crimes against children may be able to offer opinion as to how child predators use mobile devices to approach and groom their victims, save and share material, and communicate with victims as well as one another. This can substantiate reasoning behind the “who, what, where, when, and why” of your search warrant. If your case is likely to go to trial, be sure the expert is available and willing to testify.

Also don’t forget that forensic examiners can be experts, too. If the search warrant lists only a few types of data and the examiner -- based on his or her experience with mobile devices in general, or this particular device -- believes that relevant data might be found in another location in the device’s memory, they should be sure to let you know so that you can obtain a new search warrant.

Help others understand the case you’re trying to build.

The investigator asked a forensic examiner for a full dump of everything on Winn’s phone, despite having no probable cause to believe that other data from a longer timeline contained evidence of the crime under investigation.

Told only that the device was believed to contain evidence of public indecency, the examiner initially found no pool pictures, but did uncover unrelated child pornography. A later, manual search uncovered Kik Messenger chats and the pool pictures. By then, the court ruled, the “impossibly overbroad” search had already violated the Fourth Amendment, so the pictures could not have been in plain view.

Good communication with both prosecutors and forensic examiners can reduce these risks. That communication should include documentation of the initial complaint and the probable cause to search. It may also include documentation of an initial search, perhaps done with consent, using a previous warrant, or as the result of another exception to the Fourth Amendment.

It’s also worth reviewing forensic examination results as a team. If you expected to see evidence that isn’t in an extraction report, or results are present that you didn’t expect, find out why. Keep in mind that if you or the forensic examiner finds evidence of a different crime -- even if it appears, as in Winn’s case, to be related to the original complaint -- the search must stop so that you, or they, can obtain a different warrant.

The ideal, particularized search warrant should eliminate a lot of the headaches around a search for “everything on the device.” Having one indicates that you did your due diligence in building your case, and helps the forensic examiner to help you – and your prosecutor – build the strongest possible case.

Further reading:

Court invalidates cell phone warrant as overbroad

Warrants for Cell Phone Searches

3 Questions About Mobile Device Evidence

About the Author

Christa M. Miller

Christa M. Miller is Director of Mobile Forensics Marketing for Cellebrite USA. Christa has worked for more than 10 years as a journalist, specializing in digital forensics and other high tech topics for public safety trade magazines including Law Enforcement Technology and Officer.com. Christa is based in South Carolina.

Sponsored Recommendations

Voice your opinion!

To join the conversation, and become an exclusive member of Officer, create an account today!